ids
client-detection-level <type>
client-protection-level <type>
detect-adhoc-network
detect-ap-flood
detect-ap-impersonation
detect-ap-spoofing
detect-bad-wep
detect-beacon-wrong-channel
detect-block-ack-attack
detect-chopchop-attack
detect-client-flood
detect-cts-rate-anomaly
detect-disconnect-sta
detect-eap-rate-anomaly
detect-fatajack
detect-hotspotter-attack
detect-ht-40mhz-intolerance
detect-ht-greenfield
detect-invalid-addresscombination
detect-invalid-mac-oui
detect-malformed-assoc-req
detect-malformed-frame-auth
detect-malformed-htie
detect-malformed-large-duration
detect-omerta-attack
detect-overflow-eapol-key
detect-overflow-ie
detect-power-save-dos-attack
detect-rate-anomalies
detect-rts-rate-anomaly
detect-tkip-replay-attack
detect-unencrypted-valid
detect-valid-clientmisassociation
detect-valid-ssid-misuse
detect-windows-bridge
detect-wireless-bridge
infrastructure-detection-level <type>
infrastructure-protection-level <type>
protect-adhoc-network
protect-ap-impersonation
protect-ssid
protect-valid-sta
protect-windows-bridge
rogue-containment
signature-airjack
signature-asleap
signature-deassociation-broadcast
signature-deauth-broadcast
wired-containment
wireless-containment <type>
no…
This command configures an IDS policy for a
| Parameter | Description | Range | Default |
|---|---|---|---|
| ids | Creates an IDS policy. | — | — |
| client-detection-level <type> | Sets the client detection level. | off, low, medium, high | off |
| client-protection-level <type> | Sets the client protection level. | off, low, medium, high | off |
| detect-adhoc-network | Enables detection of adhoc networks. | — | — |
| detect-ap-flood | Enables detection of flooding with fake IAP beacons, which confuses legitimate users and increases the processing load on client operating systems. | — | — |
| detect-ap-impersonation | Enables detection of AP impersonation. In an AP impersonation attack, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation can be used for man-in-the-middle attacks, for a rogue AP attempting to bypass detection, or for a honeypot attack. | — | — |
| detect-ap-spoofing | Enables AP spoofing detection. | — | — |
| detect-bad-wep | Enables detection of WEP initialization vectors that are known to be weak or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for these weak implementations, which are still used by many legacy devices. | — | — |
| detect-beacon-wrong-channel | Enables detection of beacons advertising the incorrect channel. | — | — |
| detect-block-ack-attack | Enables detection of attempts to reset traffic receive windows using forged Block ACK Add messages. | — | — |
| detect-chopchop-attack | Enables detection of the ChopChop attack. | — | — |
| detect-client-flood | Enables detection of client flood attacks. | — | — |
| detect-cts-rate-anomaly | Enables detection of CTS rate anomalies. | — | — |
| detect-disconnect-sta | Enables detection of station disconnection attacks. In a station disconnection attack, the attacker spoofs the MAC address of either an active client or an active AP and sends deauthentication frames to the target device, causing it to lose its active association. | — | — |
| detect-eap-rate-anomaly | Enables Extensible Authentication Protocol (EAP) handshake analysis to detect an abnormal number of authentication procedures on a channel and generate an alarm when this condition is detected. | — | — |
| detect-fatajack | Enables detection of FATA-Jack attacks. | — | — |
| detect-hotspotter-attack | Enables detection of Hotspotter attacks. | — | — |
| detect-ht-40mhz-intolerance | Enables detection of the 802.11n 40 MHz intolerance setting; controls whether stations and APs advertising 40 MHz intolerance are reported. | — | — |
| detect-ht-greenfield | Enables detection of high-throughput devices advertising greenfield preamble capability. | — | — |
| detect-invalid-addresscombination | Enables detection of invalid address combinations. | — | — |
| detect-invalid-mac-oui | Enables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), which the IEEE assigns to known manufacturers. Clients using a spoofed MAC address often do not use a valid OUI and instead use a randomly generated MAC address. Enabling MAC OUI checking causes an alarm to be triggered if an unrecognized OUI is in use. | — | — |
| detect-malformed-assoc-req | Enables detection of malformed association requests. | — | — |
| detect-malformed-frame-auth | Enables detection of malformed authentication frames. | — | — |
| detect-malformed-htie | Enables detection of malformed HT information elements. | — | — |
| detect-malformed-large-duration | Enables detection of unusually large duration values in frames. | — | — |
| detect-omerta-attack | Enables detection of the Omerta attack. | — | — |
| detect-overflow-eapol-key | Enables detection of overflow EAPOL key requests. | — | — |
| detect-overflow-ie | Enables detection of overflow Information Elements (IEs). | — | — |
| detect-power-save-dos-attack | Enables detection of Power Save DoS attacks. | — | — |
| detect-rate-anomalies | Enables detection of rate anomalies. | — | — |
| detect-rts-rate-anomaly | Enables detection of RTS rate anomalies. | — | — |
| detect-tkip-replay-attack | Enables detection of TKIP replay attacks. | — | — |
| detect-unencrypted-valid | Enables detection of unencrypted valid clients. | — | — |
| detect-valid-clientmisassociation | Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types: | — | — |
| detect-valid-ssid-misuse | Enables detection of interfering or neighbor APs using valid or protected SSIDs. | — | — |
| detect-windows-bridge | Enables detection of Windows station bridging. | — | — |
| detect-wireless-bridge | Enables detection of wireless bridging. | — | — |
| infrastructure-detection-level <type> | Sets the infrastructure detection level. | off, low, medium, high | off |
| infrastructure-protection-level <type> | Sets the infrastructure protection level. | off, low, medium, high | off |
| protect-adhoc-network | Enables protection from adhoc networks. When adhoc networks are detected, they are disabled using a denial of service attack. | — | — |
| protect-ap-impersonation | Enables protection from AP impersonation attacks. When AP impersonation is detected, both the legitimate and the impersonating AP are disabled using a denial of service attack. | — | — |
| protect-ssid | Enables use of the SSID by valid IAPs only. | — | — |
| protect-valid-sta | Enables protection of valid stations. When enabled, valid stations are not allowed to connect to an invalid AP. | — | — |
| protect-windows-bridge | Enables protection against Windows station bridging. | — | — |
| rogue-containment | Controls rogue AP containment. By default, detected rogue APs are not automatically disabled; enabling this option shuts them down automatically, and clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack. | — | — |
| signature-airjack | Enables signature matching for the AirJack frame type. | — | — |
| signature-asleap | Enables signature matching for the ASLEAP frame type. | — | — |
| signature-deassociation-broadcast | Configures signature matching for the deassociation broadcast frame type. | — | — |
| signature-deauth-broadcast | Configures signature matching for the deauth broadcast frame type. | — | — |
| wired-containment | Controls containment of wired attacks. | — | — |
| wireless-containment <type> | Enables wireless containment, including tarpit shielding. Tarpit shielding works by steering a client to a tarpit so that the client associates with it instead of the AP that is being contained. | deauth-only, none, tarpit-all-sta, tarpit-non-valid-sta | deauth-only |
| no… | Removes any existing configuration. | — | — |
Use this command to configure Intrusion Detection System (IDS) detection and protection policies. The IDS feature monitors the network for the presence of unauthorized IAPs and clients and enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. It also logs information about the unauthorized IAPs and clients and generates reports based on the logged information.
Wireless Intrusion Protection (WIP) offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Aruba network, WIP can be configured on the IAP.
You can configure the following policies:
- Infrastructure Detection Policies — Specifies the policy for detecting wireless attacks on access points.
- Client Detection Policies — Specifies the policy for detecting wireless attacks on clients.
- Infrastructure Protection Policies — Specifies the policy for protecting access points from wireless attacks.
- Client Protection Policies — Specifies the policy for protecting clients from wireless attacks.
- Containment Methods — Prevents unauthorized stations from connecting to your Instant network.
Each of these options contains several default levels that enable different sets of policies. An administrator can customize a level by enabling or disabling individual options. The following levels of detection can be configured:
- Off
- Low
- Medium
- High
The following example configures detection and protection policies:
(Instant AP)(config)# ids
(Instant AP)(IDS)# infrastructure-detection-level low
(Instant AP)(IDS)# client-detection-level low
(Instant AP)(IDS)# infrastructure-protection-level low
(Instant AP)(IDS)# client-protection-level low
(Instant AP)(IDS)# wireless-containment deauth-only
(Instant AP)(IDS)# wired-containment
(Instant AP)(IDS)# detect-ap-spoofing
(Instant AP)(IDS)# detect-windows-bridge
(Instant AP)(IDS)# signature-deauth-broadcast
(Instant AP)(IDS)# signature-deassociation-broadcast
(Instant AP)(IDS)# detect-adhoc-using-valid-ssid
(Instant AP)(IDS)# detect-malformed-large-duration
(Instant AP)(IDS)# detect-ap-impersonation
(Instant AP)(IDS)# detect-adhoc-network
(Instant AP)(IDS)# detect-valid-ssid-misuse
(Instant AP)(IDS)# detect-wireless-bridge
(Instant AP)(IDS)# detect-ht-40mhz-intolerance
(Instant AP)(IDS)# detect-ht-greenfield
(Instant AP)(IDS)# detect-ap-flood
(Instant AP)(IDS)# detect-client-flood
(Instant AP)(IDS)# detect-bad-wep
(Instant AP)(IDS)# detect-cts-rate-anomaly
(Instant AP)(IDS)# detect-rts-rate-anomaly
(Instant AP)(IDS)# detect-invalid-addresscombination
(Instant AP)(IDS)# detect-malformed-htie
(Instant AP)(IDS)# detect-malformed-assoc-req
(Instant AP)(IDS)# detect-malformed-frame-auth
(Instant AP)(IDS)# detect-overflow-ie
(Instant AP)(IDS)# detect-overflow-eapol-key
(Instant AP)(IDS)# detect-beacon-wrong-channel
(Instant AP)(IDS)# detect-invalid-mac-oui
(Instant AP)(IDS)# detect-valid-clientmisassociation
(Instant AP)(IDS)# detect-disconnect-sta
(Instant AP)(IDS)# detect-omerta-attack
(Instant AP)(IDS)# detect-fatajack
(Instant AP)(IDS)# detect-block-ack-attack
(Instant AP)(IDS)# detect-hotspotter-attack
(Instant AP)(IDS)# detect-unencrypted-valid
(Instant AP)(IDS)# detect-power-save-dos-attack
(Instant AP)(IDS)# detect-eap-rate-anomaly
(Instant AP)(IDS)# detect-rate-anomalies
(Instant AP)(IDS)# detect-chopchop-attack
(Instant AP)(IDS)# detect-tkip-replay-attack
(Instant AP)(IDS)# signature-airjack
(Instant AP)(IDS)# signature-asleap
(Instant AP)(IDS)# protect-ssid
(Instant AP)(IDS)# rogue-containment
(Instant AP)(IDS)# protect-adhoc-network
(Instant AP)(IDS)# protect-ap-impersonation
(Instant AP)(IDS)# protect-valid-sta
(Instant AP)(IDS)# protect-windows-bridge
(Instant AP)(IDS)# end
(Instant AP)# commit apply
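As an added example (not part of the Aruba documentation and not Aruba code), the following Python script replays a configuration session like the one above and audits the resulting IDS state against a baseline: minimum values for the four detection and protection levels, a required set of detect-/signature- options, and an allowed set of wireless-containment modes. The prompt format and option names follow the reference; the sample session, the baseline values and the treatment of `no <option>` as restoring that option's table default are constructed assumptions for illustration.

```python
"""Audit an Aruba Instant IDS configuration session against a baseline (added
example, not Aruba code; the sample session and baseline are constructed)."""
import re
from dataclasses import dataclass, field

LEVEL_KEYS = ("client-detection-level", "client-protection-level",
              "infrastructure-detection-level", "infrastructure-protection-level")
LEVEL_RANK = {"off": 0, "low": 1, "medium": 2, "high": 3}
CONTAINMENT_MODES = {"deauth-only", "none", "tarpit-all-sta", "tarpit-non-valid-sta"}
PROMPT_RE = re.compile(r"^\(Instant AP\)\((config|IDS)\)#\s*(.*)$")

# Constructed sample session: one level left "off" and a containment mode
# more aggressive than the baseline below permits.
SAMPLE_SESSION = """\
(Instant AP)(config)# ids
(Instant AP)(IDS)# infrastructure-detection-level low
(Instant AP)(IDS)# client-detection-level low
(Instant AP)(IDS)# infrastructure-protection-level off
(Instant AP)(IDS)# client-protection-level low
(Instant AP)(IDS)# wireless-containment tarpit-all-sta
(Instant AP)(IDS)# detect-ap-spoofing
(Instant AP)(IDS)# detect-ap-impersonation
(Instant AP)(IDS)# detect-disconnect-sta
(Instant AP)(IDS)# end
(Instant AP)# commit apply
"""

# Constructed baseline for illustration, not an Aruba recommendation.
BASELINE_MIN_LEVELS = {"infrastructure-detection-level": "low", "client-detection-level": "low",
                       "infrastructure-protection-level": "low", "client-protection-level": "off"}
BASELINE_REQUIRED_FLAGS = {"detect-ap-spoofing", "detect-ap-impersonation", "detect-disconnect-sta",
                           "detect-adhoc-network", "signature-deauth-broadcast"}
BASELINE_ALLOWED_CONTAINMENT = {"deauth-only", "none"}


@dataclass
class IdsConfig:
    # Defaults from the reference table: every level "off", containment "deauth-only".
    levels: dict = field(default_factory=lambda: {k: "off" for k in LEVEL_KEYS})
    flags: set = field(default_factory=set)
    wireless_containment: str = "deauth-only"
    unrecognised: list = field(default_factory=list)


def parse_ids_session(text):
    """Replay the IDS sub-mode commands of a CLI session and return the resulting state."""
    cfg, in_ids = IdsConfig(), False
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group(2).split():
            continue                                  # not a config/IDS prompt line
        mode, words = m.group(1), m.group(2).split()
        if mode == "config":
            in_ids = words[0] == "ids"                # only "ids" enters the sub-mode
            continue
        if not in_ids:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "end":
            in_ids = False
        elif cmd == "no" and args:
            # Assumption: "no <option>" restores that option's table default.
            target = args[0]
            if target in LEVEL_KEYS:
                cfg.levels[target] = "off"
            elif target == "wireless-containment":
                cfg.wireless_containment = "deauth-only"
            else:
                cfg.flags.discard(target)
        elif cmd in LEVEL_KEYS and args and args[0] in LEVEL_RANK:
            cfg.levels[cmd] = args[0]
        elif cmd == "wireless-containment" and args and args[0] in CONTAINMENT_MODES:
            cfg.wireless_containment = args[0]
        elif cmd in LEVEL_KEYS or cmd == "wireless-containment":
            cfg.unrecognised.append(raw.strip())      # known option, bad value
        else:
            cfg.flags.add(cmd)                        # detect-*, protect-*, signature-*, ...
    return cfg


def audit(cfg, min_levels, required_flags, allowed_containment):
    """Return the deviations from the baseline as strings; an empty list means compliant."""
    findings = []
    for key, minimum in min_levels.items():
        actual = cfg.levels.get(key, "off")
        if LEVEL_RANK[actual] < LEVEL_RANK[minimum]:
            findings.append(f"{key} is {actual}; baseline requires at least {minimum}")
    findings += [f"{flag} is not enabled" for flag in sorted(required_flags) if flag not in cfg.flags]
    if cfg.wireless_containment not in allowed_containment:
        findings.append(f"wireless-containment {cfg.wireless_containment} is outside the allowed set "
                        f"{sorted(allowed_containment)}")
    findings += [f"unrecognised value: {line}" for line in cfg.unrecognised]
    return findings


if __name__ == "__main__":
    result = audit(parse_ids_session(SAMPLE_SESSION), BASELINE_MIN_LEVELS,
                   BASELINE_REQUIRED_FLAGS, BASELINE_ALLOWED_CONTAINMENT)
    print("\n".join(result) if result else "IDS configuration matches baseline")
```

Run against the constructed session, the audit reports four deviations: the infrastructure protection level left at off, two required options (detect-adhoc-network, signature-deauth-broadcast) not enabled, and a wireless-containment mode outside the allowed set. Commands typed outside the `ids` sub-mode are ignored, and a known option given a value outside its documented range is reported rather than silently accepted, so a pasted session with a typo does not pass as compliant.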
| Version | Description |
|---|---|
| Aruba Instant 6.2.1.0-3.3 | This command is introduced. |

| IAP Platform | Command Mode |
|---|---|
| All platforms | Configuration mode and IDS configuration sub-mode. |