Protection

How containment works, and types of infrastructure and client containment options offered by HPE Aruba Networking Central.

WIDS offers a wide selection of protection features to protect the network against the threats detected. Device detection and classification are the first steps in securing the network environment from unauthorized wireless access. Adequate measures that quickly shut down intrusions are critical in protecting sensitive information and network resources.

Intrusion protection features support containment of an AP or a client device. In the case of an AP, all the clients that are connected or attempting to connect to the AP are disconnected. In the case of a client, the client’s association to an AP is targeted.

The following containment mechanisms are supported:

  • Wired containment - When enabled, APs generate ARP packets on the wired network to contain wireless attacks.

This feature enables containment from the wired side of the network. The basic wired containment feature isolates layer-3 APs whose wired interface MAC addresses are the same as (or one character off from) their BSSIDs. The enhanced wired containment feature can also identify and contain an AP with a preset wired MAC address that is completely different from the AP’s BSSID. In many non-HPE Aruba Networking APs, the MAC address the AP provides to wireless clients as a gateway MAC is offset by one character from its wired MAC address. This enhanced feature allows AOS to check to see if a suspected Layer-3 rogue AP’s MAC address follows this common pattern.

Recommended: enable. Wired rogue detection is based on a MAC-address pattern assumption and is a valid mechanism for protecting your wired network from rogues. Both Security and Legal should be consulted, and approval given, before it is enabled in the network.

  • Wireless containment - When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified access point.
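The wired containment description above relies on a MAC-address pattern: a Layer-3 rogue AP's wired interface MAC is either identical to its BSSID or one character off from it. The following is an added illustration of that heuristic, not code from HPE Aruba Networking or from AOS; it correlates a constructed list of MAC addresses learned on the wired side with a constructed list of BSSIDs heard over the air and reports the pairs the basic pattern would flag. Function names, the "one hex character off" interpretation of the pattern, and all sample addresses are assumptions made for the example.

```python
# Added illustration of the basic wired-containment MAC pattern; not HPE Aruba
# Networking code. All MAC addresses below are constructed sample data.

MAC_SEPARATORS = ":-. "


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to 12 lowercase hex characters.

    Accepts the colon, dash and Cisco dotted forms so that addresses taken from
    different tables (switch MAC table, WIDS BSSID list) compare correctly.
    """
    hexchars = "".join(ch for ch in mac.lower() if ch not in MAC_SEPARATORS)
    if len(hexchars) != 12 or any(c not in "0123456789abcdef" for c in hexchars):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexchars


def char_distance(a: str, b: str) -> int:
    """Number of hex-character positions at which two canonical MACs differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def bssid_matches_wired_mac(wired_mac: str, bssid: str) -> bool:
    """Basic wired-containment pattern (assumption: 'one character off' means the
    two addresses differ in at most one hex character): the BSSID equals the
    wired MAC, or is offset from it by a single character, which is the gateway
    MAC pattern the documentation attributes to many third-party APs."""
    return char_distance(normalize_mac(wired_mac), normalize_mac(bssid)) <= 1


def correlate(wired_macs, bssids):
    """Return (wired_mac, bssid) pairs that the basic pattern would treat as the
    same physical AP seen from both the wired and the wireless side."""
    flagged = []
    for wired in wired_macs:
        for bssid in bssids:
            if bssid_matches_wired_mac(wired, bssid):
                flagged.append((wired, bssid))
    return flagged


# Constructed sample data: MACs learned on the wired side and BSSIDs heard over the air.
WIRED_MACS = ["00:1a:2b:3c:4d:50", "d8:c7:c8:00:00:10", "f0:9f:c2:11:22:33"]
BSSIDS = ["00:1a:2b:3c:4d:51", "d8:c7:c8:00:00:10",
          "f0:9f:c2:11:22:77", "3c:a8:2a:55:66:77"]

if __name__ == "__main__":
    for wired, bssid in correlate(WIRED_MACS, BSSIDS):
        print(f"wired {wired} <-> BSSID {bssid}: candidate for basic wired containment")
```

In the sample data the third wired MAC shares an OUI with a BSSID but differs in two characters, so it is not flagged; the pattern is deliberately narrow, which is why the page treats it as a valid mechanism but still asks for Security and Legal sign-off before containment is switched on.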

Infrastructure intrusion protection options

The following are the protection options that can be enabled in HPE Aruba Networking Central against infrastructure intrusion events.

Protection Against Rogue Containment

By default, rogue APs are not automatically disabled. Rogue containment automatically disables a rogue AP by preventing clients from associating to the AP.

This option is disabled by default, as it has far-reaching implications regarding the FCC and possible fines. Both Security and Legal should be consulted, and approval given, before it is enabled in the network. Tarpitting should be the preferred method of containment.

Protecting SSIDs

Protect SSID enforces that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to the AP.

This can be a problem for Govroam and eduroam, to name just two examples. This should not be enabled, as the behavior has far-reaching implications regarding the local regulatory body and possible fines. Both Security and Legal should be consulted, and approval given, before enabling this functionality.

Protection Against AP Impersonation

Protection from AP impersonation involves containing both the legitimate and impersonating AP so that clients cannot connect to either AP.

Should not be enabled; it can be disruptive. If it is enabled, this should only be done after all AP impersonation alerts have been verified.

Protecting Against Ad Hoc Networks

Protection from an ad hoc network involves containing the ad hoc network so that clients cannot connect to the offending device.

If needed, this feature should be enabled with caution, as there could be an impact on WLAN quality: much of the airtime would be spent de-authenticating ad hoc devices.

Legacy options in AOS 8

Protecting 40 MHz 802.11n High Throughput Devices

Protection from AP(s) that support 40 MHz HT involves containing the AP such that clients cannot connect.

Recommended: disable. This has HUGE implications; it is a legacy setting and should never be enabled.

Protecting 802.11n High Throughput Devices

Protection from AP(s) that support HT involves containing the AP such that clients cannot connect.

Recommended: disable. This has HUGE implications; it is a legacy setting and should never be enabled.

Protection Against Misconfigured APs

Protect Misconfigured AP enforces that valid APs are configured properly. An offending AP is contained by preventing clients from associating to the AP.

Should not be enabled except in high-security areas where no other BSSIDs/ESSIDs can be seen (only in isolated WLAN environments with no neighboring buildings). It has far-reaching implications, as neighboring WLANs could be disrupted. Approved non-HPE Aruba Networking WLANs would need to be marked as Valid.

Protection Against Wireless Hosted Networks

Clients using the Windows wireless hosted network feature can act as an access point to which other wireless clients can connect, effectively becoming a Wi-Fi HotSpot. This creates a security issue for enterprises because unauthorized users can use a hosted network to gain access to the corporate network, and valid users that connect to a hosted network are vulnerable to attacks or security breaches. This feature detects a wireless hosted network, and contains the client hosting this network.

This should be disabled, as it has far-reaching implications regarding the FCC and possible fines. Both Security and Legal should be consulted, and approval given, before this is ever enabled at any customer's site.

Protecting Against Suspected Rogue Containment

By default, suspected rogue APs are not automatically contained. In combination with the suspected rogue containment confidence level, suspected rogue containment automatically disables a suspect rogue by preventing clients from associating to the rogue device.

This should be disabled, as it has far-reaching implications regarding the FCC and possible fines. Both Security and Legal should be consulted, and approval given, before this is ever enabled at any customer's site. This is the most dangerous form of containment, as suspected rogue alerts are based only on confidence levels and can easily be misconfigured.

Client intrusion protection options

The following are the protection options that can be enabled in HPE Aruba Networking Central against client intrusion events.

Protecting Valid Stations

Protecting a valid client involves disconnecting the client if associated to a non-valid AP.

Recommended: disable. If looking to enable, great care should be taken to make sure that no valid clients that associate to the monitored WLAN could associate to another, non-valid WLAN. If hotspots, restaurants, etc. are nearby, there is a good chance a valid station could go off-site and associate to the non-valid WLAN.

Protecting Windows Bridge

Protecting from a Windows Bridge involves containing the client that is forming the bridge so that the client cannot connect to the AP.

Recommended: disable, unless Detect Windows Bridge alerts are seen and investigation shows they are not false positives.

Containment on APs vs. AMs

APs in both Access Point mode and Air Monitor mode detect and mitigate possible security threats in a wireless network.

APs can perform wireless containment, but they prioritize client traffic over containment. This is a very important distinction and the reason why Air Monitors (AMs) are recommended if wireless containment is enabled. For example, if an AP is serving clients on Channel 36 and there is a rogue on Channel 48, the AP will not change channels to contain the rogue. If the rogue happens to be on Channel 36, the AP will perform wireless containment while serving clients.

AMs, in contrast, alter their scanning algorithm while containing to make sure they visit the channel where containment is occurring frequently. They continue to scan for additional threats on other channels.

Both APs and AMs support containment of rogue APs and prevent clients from associating with rogue APs. They send tarpit or deauthentication containment frames when any of the following criteria are met:

  • When an AP is marked for Denial-of-Service (DoS), a single broadcast deauthentication frame is sent for disassociation; if stations do not honor the broadcast message, two unicast deauthentication frames are sent to disassociate the station from the AP, and vice versa.

  • To disassociate a valid station from the non-valid AP, a unicast deauthentication frame is sent from the station’s MAC address to the AP and vice versa.

  • AP impersonation is active, and it disassociates all stations from the invalid AP by sending unicast deauthentication frames.


Last modified: July 29, 2024 (6115eca)