
Configuring Wireless Intrusion Protection and Detection Levels

WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats.

Like most other security-related features of the Aruba network, the WIP can be configured on the IAP.

You can configure the following options:

Infrastructure Detection Policies — Specifies the policy for detecting wireless attacks on access points.
Client Detection Policies — Specifies the policy for detecting wireless attacks on clients.
Infrastructure Protection Policies — Specifies the policy for protecting access points from wireless attacks.
Client Protection Policies — Specifies the policy for protecting clients from wireless attacks.
Containment Methods — Prevents unauthorized stations from connecting to your Instant network.

Each of these options contains several default levels that enable different sets of policies. An administrator can customize, enable, or disable these options as required.

The detection levels can be configured using the IDS window. To view the IDS window, click the More > IDS link at the top-right corner of the Instant main window. The following levels of detection can be configured in the WIP Detection page:

Off
Low
Medium
High

Figure 1   Wireless Intrusion Detection

The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.

Table 1: Infrastructure Detection Policies

| Detection Level | Detection Policy |
|---|---|
| Off | Rogue Classification |
| Low | Detect AP Spoofing; Detect Windows Bridge; IDS Signature — Deauthentication Broadcast; IDS Signature — Deassociation Broadcast |
| Medium | Detect Adhoc networks using VALID SSID — Valid SSID list is auto-configured based on Instant AP configuration; Detect Malformed Frame — Large Duration |
| High | Detect AP Impersonation; Detect Adhoc Networks; Detect Valid SSID Misuse; Detect Wireless Bridge; Detect 802.11 40MHz intolerance settings; Detect Active 802.11n Greenfield Mode; Detect AP Flood Attack; Detect Client Flood Attack; Detect Bad WEP; Detect CTS Rate Anomaly; Detect RTS Rate Anomaly; Detect Invalid Address Combination; Detect Malformed Frame — HT IE; Detect Malformed Frame — Association Request; Detect Malformed Frame — Auth; Detect Overflow IE; Detect Overflow EAPOL Key; Detect Beacon Wrong Channel; Detect devices with invalid MAC OUI |
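
As an added illustration (not Aruba's implementation and not code from this guide), the sketch below shows the kind of frame check that the two Low-level signatures, Deauthentication Broadcast and Deassociation Broadcast, suggest by name: an 802.11 management frame of subtype deauthentication or disassociation whose destination is the broadcast address. The function names are hypothetical and the frames are constructed sample data.

```python
import struct

BROADCAST = b"\xff" * 6
# 802.11 management-frame subtypes covered by the two signatures
SUBTYPES = {10: "disassociation", 12: "deauthentication"}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify(frame: bytes):
    """Return an alert for a broadcast deauth/disassoc frame, else None.

    `frame` is a raw 802.11 MAC frame (no radiotap header, no FCS).
    """
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 0x3, (frame[0] >> 2) & 0x3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None  # not a management deauth/disassoc frame
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    if dst != BROADCAST:
        return None  # unicast: outside these two broadcast signatures
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"signature": SUBTYPES[subtype] + " broadcast",
            "src": mac(src), "bssid": mac(bssid), "reason": reason}

def build(subtype: int, dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Build a constructed sample management frame for the demo below."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)

# Constructed sample data: locally administered MAC addresses, not real devices
AP = bytes.fromhex("02005e000001")
CLIENT = bytes.fromhex("02005e0000aa")
SAMPLES = [
    build(12, BROADCAST, AP, AP),       # deauth to broadcast   -> alert
    build(12, CLIENT, AP, AP),          # deauth to one client  -> ignored
    build(10, BROADCAST, AP, AP),       # disassoc to broadcast -> alert
    build(8, BROADCAST, AP, AP),        # beacon subtype        -> ignored
    build(12, BROADCAST, AP, AP)[:20],  # truncated capture     -> ignored
]

def scan(frames):
    """Classify every frame and keep only the alerts."""
    return [a for a in map(classify, frames) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```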

The following table describes the detection policies enabled in the Client Detection Custom settings field.

Table 2: Client Detection Policies

| Detection Level | Detection Policy |
|---|---|
| Off | All detection policies are disabled. |
| Low | Detect Valid Station Misassociation |
| Medium | Detect Disconnect Station Attack; Detect Omerta Attack; Detect FATA-Jack Attack; Detect Block ACK DOS; Detect Hotspotter Attack; Detect unencrypted Valid Client; Detect Power Save DOS Attack |
| High | Detect EAP Rate Anomaly; Detect Rate Anomaly; Detect Chop Chop Attack; Detect TKIP Replay Attack; IDS Signature — Air Jack; IDS Signature — ASLEAP |

The following levels of detection can be configured in the WIP Protection page:

Off
Low
High

Figure 2  Wireless Intrusion Protection

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.

Table 3: Infrastructure Protection Policies

| Protection Level | Protection Policy |
|---|---|
| Off | All protection policies are disabled |
| Low | Protect SSID – Valid SSID list should be auto derived from Instant configuration; Rogue Containment |
| High | Protect from Adhoc Networks; Protect AP Impersonation |

The following table describes the protection policies that are enabled in the Client Protection Custom settings field.

Table 4: Client Protection Policies

| Protection Level | Protection Policy |
|---|---|
| Off | All protection policies are disabled |
| Low | Protect Valid Station |
| High | Protect Windows Bridge |

Containment Methods

You can enable wired and wireless containment to prevent unauthorized stations from connecting to your Instant network.

Instant supports the following types of containment mechanisms:

Wired containment— When enabled, Instant Access Points generate ARP packets on the wired network to contain wireless attacks.
Wireless containment— When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
None— Disables all the containment mechanisms.
Deauthenticate only— With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
Tarpit containment— With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.

Figure 3   Containment Methods