Configuring WIP and Detection Levels

Wireless Intrusion Protection (WIP) offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. The WIP module provides wired and wireless AP detection, classification, and containment; it detects Denial of Service (DoS) and impersonation attacks, and prevents client and network intrusions.

Like most other security-related features of the Instant network, WIP can be configured on the Instant AP.

You can configure the following options:

Infrastructure Detection Policies—Specifies the policy for detecting wireless attacks on access points.

Client Detection Policies—Specifies the policy for detecting wireless attacks on clients.

Infrastructure Protection Policies—Specifies the policy for protecting access points from wireless attacks.

Client Protection Policies—Specifies the policy for protecting clients from wireless attacks.

Containment Methods—Prevents unauthorized stations from connecting to your Instant network.

Each of these options contains several default levels that enable different sets of policies. An administrator can customize, enable, or disable these options accordingly.

You can configure the detection levels using the WebUI.

In the Old WebUI

1. Go to More > IDS. The Wireless Intrusion Protection (WIP) window is displayed.

2. In the Detection > Infrastructure section, move the slider to one of the following detection levels:

High

Medium

Low

Off

The following table describes the detection policies enabled in the Infrastructure Detection Custom settings section:

Table 1: Infrastructure Detection Policies

Detection Level   Detection Policy
High              Detect Instant AP Impersonation
                  Detect ad hoc Networks
                  Detect Valid SSID Misuse
                  Detect Wireless Bridge
                  Detect 802.11 40 MHz intolerance settings
                  Detect Active 802.11n Greenfield Mode
                  Detect Instant AP Flood Attack
                  Detect Client Flood Attack
                  Detect Bad WEP
                  Detect CTS Rate Anomaly
                  Detect RTS Rate Anomaly
                  Detect Invalid Address Combination
                  Detect Malformed Frame—HT IE
                  Detect Malformed Frame—Association Request
                  Detect Malformed Frame—Auth
                  Detect Overflow IE
                  Detect Overflow EAPOL Key
                  Detect Beacon Wrong Channel
                  Detect devices with invalid MAC OUI
Medium            Detect ad hoc networks using Valid SSID (the Valid SSID list is autoconfigured based on the Instant AP configuration)
                  Detect Malformed Frame—Large Duration
Low               Detect Instant AP Spoofing
                  Detect Windows Bridge
                  IDS Signature—Deauthentication Broadcast
                  IDS Signature—Deassociation Broadcast
Off               Rogue Classification

The following table describes the detection policies enabled in the Client Detection Custom settings section.

Table 2: Client Detection Policies

Detection Level   Detection Policy
High              Detect EAP Rate Anomaly
                  Detect Rate Anomaly
                  Detect Chop Chop Attack
                  Detect TKIP Replay Attack
                  IDS Signature—Air Jack
                  IDS Signature—ASLEAP
Medium            Detect Disconnect Station Attack
                  Detect Omerta Attack
                  Detect FATA-Jack Attack
                  Detect Block ACK DOS
                  Detect Hotspotter Attack
                  Detect unencrypted Valid Client
                  Detect Power Save DOS Attack
Low               Detect Valid Client Misassociation
Off               All detection policies are disabled.

3. Click Next.

4. In the Protection > Infrastructure section, move the slider to one of the following protection levels:

High

Low

Off

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings text box:

Table 3: Infrastructure Protection Policies

Protection Level  Protection Policy
High              Protect from ad hoc Networks
                  Protect Instant AP Impersonation
Low               Protect SSID (the Valid SSID list should be auto-derived from the Instant configuration)
                  Rogue Containment
Off               All protection policies are disabled.

The following table describes the protection policies that are enabled in the Client Protection Custom settings text box:

Table 4: Client Protection Policies

Protection Level  Protection Policy
High              Protect Windows Bridge
Low               Protect Valid Station
Off               All protection policies are disabled.

5. Click Finish.

In the New WebUI

1. Navigate to the Configuration > IDS page.

2. In the Detection > Infrastructure section, move the slider to one of the following detection levels:

High

Medium

Low

Off

The following table describes the detection policies enabled in the Infrastructure Detection Custom settings section:

Table 5: Infrastructure Detection Policies

Detection Level   Detection Policy
High              Detect Instant AP Impersonation
                  Detect ad hoc Networks
                  Detect Valid SSID Misuse
                  Detect Wireless Bridge
                  Detect 802.11 40 MHz intolerance settings
                  Detect Active 802.11n Greenfield Mode
                  Detect Instant AP Flood Attack
                  Detect Client Flood Attack
                  Detect Bad WEP
                  Detect CTS Rate Anomaly
                  Detect RTS Rate Anomaly
                  Detect Invalid Address Combination
                  Detect Malformed Frame—HT IE
                  Detect Malformed Frame—Association Request
                  Detect Malformed Frame—Auth
                  Detect Overflow IE
                  Detect Overflow EAPOL Key
                  Detect Beacon Wrong Channel
                  Detect devices with invalid MAC OUI
Medium            Detect ad hoc networks using Valid SSID (the Valid SSID list is autoconfigured based on the Instant AP configuration)
                  Detect Malformed Frame—Large Duration
Low               Detect Instant AP Spoofing
                  Detect Windows Bridge
                  IDS Signature—Deauthentication Broadcast
                  IDS Signature—Deassociation Broadcast
Off               Rogue Classification

The following table describes the detection policies enabled in the Client Detection Custom settings section.

Table 6: Client Detection Policies

Detection Level   Detection Policy
High              Detect EAP Rate Anomaly
                  Detect Rate Anomaly
                  Detect Chop Chop Attack
                  Detect TKIP Replay Attack
                  IDS Signature—Air Jack
                  IDS Signature—ASLEAP
Medium            Detect Disconnect Station Attack
                  Detect Omerta Attack
                  Detect FATA-Jack Attack
                  Detect Block ACK DOS
                  Detect Hotspotter Attack
                  Detect unencrypted Valid Client
                  Detect Power Save DOS Attack
Low               Detect Valid Client Misassociation
Off               All detection policies are disabled.

3. Click Save.

4. In the Protection > Infrastructure section, move the slider to one of the following protection levels:

High

Low

Off

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings text box:

Table 7: Infrastructure Protection Policies

Protection Level  Protection Policy
High              Protect from ad hoc Networks
                  Protect Instant AP Impersonation
Low               Protect SSID (the Valid SSID list should be auto-derived from the Instant configuration)
                  Rogue Containment
Off               All protection policies are disabled.

The following table describes the protection policies that are enabled in the Client Protection Custom settings text box:

Table 8: Client Protection Policies

Protection Level  Protection Policy
High              Protect Windows Bridge
Low               Protect Valid Station
Off               All protection policies are disabled.

5. Click Save.

Containment Methods

You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Instant network.

Instant supports the following types of containment mechanisms:

Wired containment—When enabled, Instant APs generate ARP packets on the wired network to contain wireless attacks.

wired-containment-ap-adj-mac—Enables wired containment of rogue Instant APs whose wired interface MAC address is offset by one from its BSSID (in infrastructure networks, the BSSID is the MAC address of the AP).

wired-containment-susp-l3-rogue—Enables users to identify and contain an Instant AP with a preset MAC address that is different from the BSSID of the Instant AP, if the MAC address that the Instant AP provides is offset by one character from its wired MAC address.

Enable the wired-containment-susp-l3-rogue parameter only when a specific containment is required, to avoid a false alarm.

Wireless containment—When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.

None—Disables all the containment mechanisms.

Deauthenticate only—With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.

Tarpit containment—With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.
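The adjacent-MAC rule behind wired-containment-ap-adj-mac can be checked offline against an inventory of wired MAC addresses and the BSSIDs heard over the air. The following Python is an added example, not Aruba Instant code; the MAC values are constructed, and the authorized-BSSID allow list is an assumption added to address the false-alarm caveat above, since a legitimate AP's own BSSIDs are typically adjacent to its wired MAC as well.

```python
# Added example (not Aruba Instant code): offline check of the adjacent-MAC
# heuristic used by wired-containment-ap-adj-mac. It only reports candidates;
# the containment decision stays with the administrator.
import re
from typing import Iterable, List, Set, Tuple


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff' into a 48-bit int."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def is_adjacent_mac(wired_mac: str, bssid: str) -> bool:
    """True when both addresses share an OUI and their 24-bit device parts
    differ by exactly one, i.e. the BSSID is offset by one from the wired MAC."""
    a, b = mac_to_int(wired_mac), mac_to_int(bssid)
    if (a >> 24) != (b >> 24):          # different OUI: cannot be the same device
        return False
    return abs((a & 0xFFFFFF) - (b & 0xFFFFFF)) == 1


def flag_adjacent_rogues(wired_macs: Iterable[str], heard_bssids: Iterable[str],
                         authorized_bssids: Set[str]) -> List[Tuple[str, str]]:
    """Return (wired_mac, bssid) pairs the adjacent-MAC rule would flag.
    BSSIDs on the allow list are skipped (assumption: valid APs are adjacent
    to their own wired MAC too, and must not be contained)."""
    allowed = {mac_to_int(b) for b in authorized_bssids}
    wired_list = list(wired_macs)
    flagged = []
    for bssid in heard_bssids:
        if mac_to_int(bssid) in allowed:
            continue
        for wired in wired_list:
            if is_adjacent_mac(wired, bssid):
                flagged.append((wired.lower(), bssid.lower()))
    return flagged


# Constructed sample data (locally administered addresses) for demonstration only.
WIRED_MACS = ["02:11:22:12:34:56", "02:11:22:aa:bb:cc", "02:33:44:12:34:56"]
HEARD_BSSIDS = ["02:11:22:12:34:57",   # adjacent to the first wired MAC -> flagged
                "02:11:22:aa:bb:ce",   # offset by two -> not flagged
                "02:11:22:12:34:55",   # adjacent, but on the allow list -> skipped
                "02:33:44:12:34:57"]   # adjacent to the third wired MAC -> flagged
AUTHORIZED_BSSIDS = {"02:11:22:12:34:55"}

if __name__ == "__main__":
    for wired, bssid in flag_adjacent_rogues(WIRED_MACS, HEARD_BSSIDS, AUTHORIZED_BSSIDS):
        print(f"suspect rogue AP: wired {wired} <-> bssid {bssid}")
```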