
ids

ids

client-detection-level <type>

client-protection-level <type>

detect-adhoc-network

detect-ap-flood

detect-ap-impersonation

detect-ap-spoofing

detect-bad-wep

detect-beacon-wrong-channel

detect-block-ack-attack

detect-chopchop-attack

detect-client-flood

detect-cts-rate-anomaly

detect-disconnect-sta

detect-eap-rate-anomaly

detect-fatajack

detect-hotspotter-attack

detect-ht-40mhz-intolerance

detect-ht-greenfield

detect-invalid-addresscombination

detect-invalid-mac-oui

detect-malformed-assoc-req

detect-malformed-frame-auth

detect-malformed-htie

detect-malformed-large-duration

detect-omerta-attack

detect-overflow-eapol-key

detect-overflow-ie

detect-power-save-dos-attack

detect-rate-anomalies

detect-rts-rate-anomaly

detect-tkip-replay-attack

detect-unencrypted-valid

detect-valid-clientmisassociation

detect-valid-ssid-misuse

detect-windows-bridge

detect-wireless-bridge

infrastructure-detection-level <type>

infrastructure-protection-level <type>

protect-adhoc-network

protect-ap-impersonation

protect-ssid

protect-valid-sta

protect-windows-bridge

rogue-containment

signature-airjack

signature-asleap

signature-deassociation-broadcast

signature-deauth-broadcast

wired-containment

wireless-containment <type>

no…

Description

This command configures an IDS policy for an IAP.

Syntax

Parameter | Description | Range | Default

ids

Creates an IDS policy.

client-detection-level <type>

Sets the client detection level. Range: off, low, medium, high. Default: off.

client-protection-level <type>

Sets the client protection level. Range: off, low, medium, high. Default: off.

detect-adhoc-network

Enables detection of adhoc networks.

detect-ap-flood

Enables detection of flooding with fake IAP beacons, which is used to confuse legitimate users and to increase the processing load on client operating systems.

detect-ap-impersonation

Enables detection of AP impersonation. In an AP impersonation attack, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation is used for man-in-the-middle attacks, by a rogue AP attempting to bypass detection, or for a honeypot attack.

detect-ap-spoofing

Enables AP spoofing detection.

detect-bad-wep

Enables detection of WEP initialization vectors (IVs) that are known to be weak and/or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak IVs, which are still produced by the WEP implementations of many legacy devices.

detect-beacon-wrong-channel

Enables detection of beacons advertising the incorrect channel.

detect-block-ack-attack

Enables detection of attempts to reset traffic receive windows using forged Block ACK Add messages.

detect-chopchop-attack

Enables detection of the ChopChop attack.

detect-client-flood

Enables detection of client flood attacks.

detect-cts-rate-anomaly

Enables detection of CTS rate anomalies.

detect-disconnect-sta

Enables detection of station disconnection attacks. In a station disconnection attack, the attacker spoofs the MAC address of either an active client or an active AP and then sends deauthentication frames to the target device, causing it to lose its active association.

detect-eap-rate-anomaly

Enables Extensible Authentication Protocol (EAP) handshake analysis, which detects an abnormal number of authentication procedures on a channel and generates an alarm when this condition is detected.

detect-fatajack

Enables detection of FATA-Jack attacks.

detect-hotspotter-attack

Enables detection of Hotspotter attacks.

detect-ht-40mhz-intolerance

Enables detection of the 802.11n 40 MHz intolerance setting, which controls whether stations and APs advertising 40 MHz intolerance are reported.

detect-ht-greenfield

Enables detection of high throughput devices advertising greenfield preamble capability.

detect-invalid-addresscombination

Enables detection of invalid address combinations.

detect-invalid-mac-oui

Enables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), which the IEEE assigns to known manufacturers. Clients using a spoofed MAC address often do not use a valid OUI and instead use a randomly generated MAC address. Enabling MAC OUI checking causes an alarm to be triggered if a MAC address with an unrecognized OUI is in use.

detect-malformed-assoc-req

Enables detection of malformed association requests.

detect-malformed-frame-auth

Enables detection of malformed authentication frames.

detect-malformed-htie

Enables detection of malformed HT information elements.

detect-malformed-large-duration

Enables detection of unusually large durations in frames.

detect-omerta-attack

Enables detection of the Omerta attack.

detect-overflow-eapol-key

Enables detection of overflow EAPOL key requests.

detect-overflow-ie

Enables detection of overflow Information Elements (IE).

detect-power-save-dos-attack

Enables detection of Power Save DoS attacks.

detect-rate-anomalies

Enables detection of rate anomalies.

detect-rts-rate-anomaly

Enables detection of RTS rate anomalies.

detect-tkip-replay-attack

Enables detection of TKIP replay attacks.

detect-unencrypted-valid

Enables detection of unencrypted valid clients.

detect-valid-clientmisassociation

Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:

MisassociationToRogueAP
MisassociationToExternalAP
MisassociationToHoneypotAP
MisassociationToAdhocAP
MisassociationToHostedAP

detect-valid-ssid-misuse

Enables detection of interfering or neighbor APs using valid or protected SSIDs.

detect-windows-bridge

Enables detection of Windows station bridging.

detect-wireless-bridge

Enables detection of wireless bridging.

infrastructure-detection-level <type>

Sets the infrastructure detection level. Range: off, low, medium, high. Default: off.

infrastructure-protection-level <type>

Sets the infrastructure protection level. Range: off, low, medium, high. Default: off.

protect-adhoc-network

Enables protection from adhoc networks. When adhoc networks are detected, they are disabled using a denial of service attack.

protect-ap-impersonation

Enables protection from AP impersonation attacks. When AP impersonation is detected, both the legitimate and impersonating AP are disabled using a denial of service attack.

protect-ssid

Enables use of SSID by valid IAPs only.

protect-valid-sta

Enables protection of valid stations. When enabled, valid stations are not allowed to connect to an invalid AP.

protect-windows-bridge

Enables protection against Windows station bridging.

rogue-containment

Controls containment of rogue APs. By default, detected rogue APs are not automatically disabled.

When this option is enabled, rogue APs are shut down automatically: clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.

signature-airjack

Enables signature matching for the AirJack frame type.

signature-asleap

Enables signature matching for the ASLEAP frame type.

signature-deassociation-broadcast

Configures signature matching for the deassociation broadcast frame type.

signature-deauth-broadcast

Configures signature matching for the deauth broadcast frame type.

wired-containment

Controls containment of wired attacks.

wireless-containment <type>

Enables wireless containment, including tarpit shielding.

Tarpit shielding works by steering a client to a tarpit so that the client associates with it instead of the AP that is being contained.

deauth-only: Enables containment using deauthentication only.
none: Disables wireless containment.
tarpit-all-sta: Enables wireless containment by tarpitting all stations.
tarpit-non-valid-sta: Enables wireless containment by tarpitting non-valid clients only.

Range: deauth-only, none, tarpit-all-sta, tarpit-non-valid-sta. Default: deauth-only.

no…

Removes any existing configuration.

Usage Guidelines

Use this command to configure Intrusion Detection System (IDS) detection and protection policies. The IDS feature monitors the network for the presence of unauthorized APs and clients and enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. It also logs information about the unauthorized APs and clients and generates reports based on the logged information.

Wireless Intrusion Protection (WIP) offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Aruba network, the WIP can be configured on the IAP.

You can configure the following policies:

Infrastructure Detection Policies: Specifies the policy for detecting wireless attacks on access points.
Client Detection Policies: Specifies the policy for detecting wireless attacks on clients.
Infrastructure Protection Policies: Specifies the policy for protecting access points from wireless attacks.
Client Protection Policies: Specifies the policy for protecting clients from wireless attacks.
Containment Methods: Prevents unauthorized stations from connecting to your Instant network.

Each of these options has several predefined levels that enable different sets of policies. An administrator can further customize a level by enabling or disabling individual options. The following levels of detection can be configured:

Off
Low
Medium
High

Example

The following example configures detection and protection policies:

(Instant AP)(config)# ids

(Instant AP)(IDS)# infrastructure-detection-level low

(Instant AP)(IDS)# client-detection-level low

(Instant AP)(IDS)# infrastructure-protection-level low

(Instant AP)(IDS)# client-protection-level low

(Instant AP)(IDS)# wireless-containment deauth-only

(Instant AP)(IDS)# wired-containment

(Instant AP)(IDS)# detect-ap-spoofing

(Instant AP)(IDS)# detect-windows-bridge

(Instant AP)(IDS)# signature-deauth-broadcast

(Instant AP)(IDS)# signature-deassociation-broadcast

(Instant AP)(IDS)# detect-adhoc-using-valid-ssid

(Instant AP)(IDS)# detect-malformed-large-duration

(Instant AP)(IDS)# detect-ap-impersonation

(Instant AP)(IDS)# detect-adhoc-network

(Instant AP)(IDS)# detect-valid-ssid-misuse

(Instant AP)(IDS)# detect-wireless-bridge

(Instant AP)(IDS)# detect-ht-40mhz-intolerance

(Instant AP)(IDS)# detect-ht-greenfield

(Instant AP)(IDS)# detect-ap-flood

(Instant AP)(IDS)# detect-client-flood

(Instant AP)(IDS)# detect-bad-wep

(Instant AP)(IDS)# detect-cts-rate-anomaly

(Instant AP)(IDS)# detect-rts-rate-anomaly

(Instant AP)(IDS)# detect-invalid-addresscombination

(Instant AP)(IDS)# detect-malformed-htie

(Instant AP)(IDS)# detect-malformed-assoc-req

(Instant AP)(IDS)# detect-malformed-frame-auth

(Instant AP)(IDS)# detect-overflow-ie

(Instant AP)(IDS)# detect-overflow-eapol-key

(Instant AP)(IDS)# detect-beacon-wrong-channel

(Instant AP)(IDS)# detect-invalid-mac-oui

(Instant AP)(IDS)# detect-valid-clientmisassociation

(Instant AP)(IDS)# detect-disconnect-sta

(Instant AP)(IDS)# detect-omerta-attack

(Instant AP)(IDS)# detect-fatajack

(Instant AP)(IDS)# detect-block-ack-attack

(Instant AP)(IDS)# detect-hotspotter-attack

(Instant AP)(IDS)# detect-unencrypted-valid

(Instant AP)(IDS)# detect-power-save-dos-attack

(Instant AP)(IDS)# detect-eap-rate-anomaly

(Instant AP)(IDS)# detect-rate-anomalies

(Instant AP)(IDS)# detect-chopchop-attack

(Instant AP)(IDS)# detect-tkip-replay-attack

(Instant AP)(IDS)# signature-airjack

(Instant AP)(IDS)# signature-asleap

(Instant AP)(IDS)# protect-ssid

(Instant AP)(IDS)# rogue-containment

(Instant AP)(IDS)# protect-adhoc-network

(Instant AP)(IDS)# protect-ap-impersonation

(Instant AP)(IDS)# protect-valid-sta

(Instant AP)(IDS)# protect-windows-bridge

(Instant AP)(IDS)# end

(Instant AP)# commit apply
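The CLI example above enables the policies one option at a time, which makes it easy to miss one or to leave a level at its default of off. The following Python script is an added example (not Aruba code) that audits the `ids` block of a saved configuration against a baseline. It assumes the configuration text uses the same line form as the CLI example on this page (an `ids` line followed by indented sub-mode lines, with `no <option>` for explicitly disabled options); the baseline and the sample configuration are constructed for illustration and are not vendor recommendations.

```python
"""Audit the `ids` block of an Aruba Instant configuration against a baseline.

Added example, not Aruba code. Assumes the configuration is plain text in the
same form as the CLI example on this page. Baseline and sample are constructed.
"""

LEVELS = ("off", "low", "medium", "high")   # ordered from weakest to strongest

# Boolean options and valued parameters, taken from the syntax list of this page,
# used to flag misspelled option names in a configuration.
KNOWN_FLAGS = set("""
detect-adhoc-network detect-ap-flood detect-ap-impersonation detect-ap-spoofing
detect-bad-wep detect-beacon-wrong-channel detect-block-ack-attack
detect-chopchop-attack detect-client-flood detect-cts-rate-anomaly
detect-disconnect-sta detect-eap-rate-anomaly detect-fatajack
detect-hotspotter-attack detect-ht-40mhz-intolerance detect-ht-greenfield
detect-invalid-addresscombination detect-invalid-mac-oui detect-malformed-assoc-req
detect-malformed-frame-auth detect-malformed-htie detect-malformed-large-duration
detect-omerta-attack detect-overflow-eapol-key detect-overflow-ie
detect-power-save-dos-attack detect-rate-anomalies detect-rts-rate-anomaly
detect-tkip-replay-attack detect-unencrypted-valid detect-valid-clientmisassociation
detect-valid-ssid-misuse detect-windows-bridge detect-wireless-bridge
protect-adhoc-network protect-ap-impersonation protect-ssid protect-valid-sta
protect-windows-bridge rogue-containment signature-airjack signature-asleap
signature-deassociation-broadcast signature-deauth-broadcast wired-containment
""".split())
KNOWN_VALUED = {"client-detection-level", "client-protection-level",
                "infrastructure-detection-level", "infrastructure-protection-level",
                "wireless-containment"}

# Constructed baseline: minimum levels and the options an auditor expects enabled.
BASELINE_LEVELS = {
    "infrastructure-detection-level": "medium",
    "client-detection-level": "low",
    "infrastructure-protection-level": "low",
    "client-protection-level": "off",
}
BASELINE_FLAGS = {
    "detect-ap-impersonation", "detect-ap-spoofing", "detect-adhoc-network",
    "detect-disconnect-sta", "signature-deauth-broadcast",
    "signature-deassociation-broadcast", "rogue-containment",
}

# Constructed sample configuration excerpt (same line form as the CLI example).
SAMPLE_CONFIG = """\
ids
 infrastructure-detection-level low
 client-detection-level low
 infrastructure-protection-level off
 wireless-containment deauth-only
 detect-ap-spoofing
 detect-adhoc-network
 no detect-disconnect-sta
 signature-deauth-broadcast
 rogue-containment
"""


def parse_ids_block(config_text):
    """Return (valued, flags, negated) from the `ids` sub-mode lines.

    valued: parameter -> value for two-token lines (levels, wireless-containment)
    flags: set of enabled single-token options
    negated: set of options explicitly removed with `no <option>`
    """
    valued, flags, negated = {}, set(), set()
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_block:
            in_block = (line == "ids")
            continue
        if not raw[0].isspace():      # a non-indented line ends the sub-mode block
            break
        tokens = line.split()
        if tokens[0] == "no" and len(tokens) > 1:
            negated.add(tokens[1])
        elif len(tokens) == 2:
            valued[tokens[0]] = tokens[1].lower()
        else:
            flags.add(tokens[0])
    return valued, flags, negated


def audit(config_text, baseline_levels=BASELINE_LEVELS, baseline_flags=BASELINE_FLAGS):
    """Return a list of findings; an empty list means the block meets the baseline."""
    valued, flags, negated = parse_ids_block(config_text)
    findings = []
    for param, minimum in baseline_levels.items():
        actual = valued.get(param, "off")      # this page's default for every level is off
        if actual not in LEVELS:
            findings.append(f"{param} has unrecognized value {actual!r}")
        elif LEVELS.index(actual) < LEVELS.index(minimum):
            findings.append(f"{param} is {actual}, baseline requires at least {minimum}")
    for flag in sorted(baseline_flags):
        if flag in negated:
            findings.append(f"{flag} explicitly disabled with 'no'")
        elif flag not in flags:
            findings.append(f"{flag} not enabled")
    if valued.get("wireless-containment", "deauth-only") == "none":
        findings.append("wireless-containment is none")
    for name in sorted(flags | set(valued)):
        if name not in KNOWN_FLAGS and name not in KNOWN_VALUED:
            findings.append(f"unknown option {name!r} (typo?)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running the script against the constructed sample reports the two levels below baseline, the option disabled with `no`, and the two baseline options that are missing. Unknown option names are reported as well, because a misspelled option in a script or template silently leaves that detection off.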

Command History

Version | Description

Aruba Instant 6.2.1.0-3.3 | This command is introduced.

Command Information

IAP Platform | Command Mode

All platforms | Configuration mode and IDS configuration sub-mode.