RAPIDS

Aruba Central On-Premises supports the rogue detection and classification feature, which enables administrators to detect intrusion events and classify rogue devices. Rogue devices are unauthorized devices in your WLAN (Wireless Local Area Network), an 802.11 standards-based LAN that users access through a wireless connection. With RAPIDS (Rogue Access Point Identification and Detection System), an AMP module designed to identify and locate wireless threats using all of the information available from your existing infrastructure, you can create a detailed definition of what constitutes a rogue device and act on rogue or interfering devices, which can later be considered for investigation, restrictive action, or both. Once interfering devices are discovered, Aruba Central On-Premises alerts your network administrators about the possible threat and provides the essential information needed to locate and manage it.

RAPIDS is not supported on single-node deployments.

Aruba Central On-Premises supports the following features:

Viewing the RAPIDS Page

  1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites.
    For all devices, set the filter to Global.
  2. Under Manage, click Security > RAPIDS.
    By default, the IDS page with the WIDS Events table is displayed.
  3. Click the Rogues tab to view the rogue details page.

Monitoring IDS WIDS Events

The Manage > Security > RAPIDS > IDS (Intrusion Detection System) tab provides a summary of the total number of wireless attacks detected for a given duration.

The WIDS (Wireless Intrusion Detection System) Events table displays the following information categories:

  • Infrastructure attacks—Displays the number of infrastructure attacks detected in the network.
  • Client attacks—Displays the number of client attacks detected in the network.

Viewing the IDS Page

  1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites.
    For all devices, set the filter to Global.
  2. Under Manage, click Security > RAPIDS.
    By default, the IDS page with the WIDS Events table is displayed.

Table 1: WIDS Events

  • Event Type—The type of intrusion or attack detected. Click the drop-down arrow at the column heading to filter the event types based on your requirement.
  • Category—Category of the intrusion or attack: infrastructure attack or client attack. Click the drop-down arrow at the column heading to filter the category that you want to display.
  • Level—The level of the intrusion or attack detected. Click the drop-down arrow at the column heading to filter the attack level.
  • Time—Time of the intrusion or attack.
  • Station MAC—MAC address of the station under attack, or BSSID (Basic Service Set Identifier; in infrastructure BSS networks, the MAC address of the AP) of the AP under attack.
  • Detecting AP—The MAC address of the device that detected the intrusion or attack.
  • Radio Band—Radio band on which the intrusion was detected. There are two radio bands available, 2.4 GHz and 5 GHz. Click the drop-down arrow at the column heading to filter the radio band where the intrusion was detected.
  • Description—Details of the attack or intrusion.

Note the following important points:

  • Clicking the icon enables you to customize the WIDS Events table or set it to the default view.
  • To view the details of each event that is generated, click the arrow against each row in the table.

  • Intrusions are displayed for the time selected in the Time Range Filter. The WIDS Events table displays data for a maximum time period of 1 week only.

Monitoring Rogues

The Rogue Access Point Detection System is a security service that detects and classifies rogues and intruders, both automatically and manually. The Rogues tab provides a summary of the rogue APs, suspected rogue APs, interfering APs, and neighboring APs, and the total number of wireless attacks detected for a given duration.

Viewing the Rogues Page

  1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites.
    For all devices, set the filter to Global.
  2. Under Manage, click Security.
    By default, the RAPIDS > IDS tab is displayed.
  3. Click the Rogues tab to view the page.

The APs in Aruba Central On-Premises are classified as one of the following:

Table 2: AP Classification in Aruba Central On-Premises

  • Rogue AP—An unauthorized AP plugged into the wired side of the network.
  • Suspect Rogue AP—An unauthorized AP with a signal strength greater than or equal to -75 dBm (decibel-milliwatts, the logarithmic receive-power unit to which AMP normalizes all signals) that might have connected to the wired network.
  • Interfering AP—An AP detected in the RF (Radio Frequency) environment with a signal strength less than -75 dBm and not connected to the wired network. These APs may cause RF interference, but cannot be considered a direct security threat because they are not connected to the wired network. For example, an interfering AP can be an AP that belongs to a neighboring office's WLAN but is not part of your WLAN.
  • Neighbor AP—A neighboring AP for which the BSSIDs are known. Once classified, a neighboring AP does not change its state.
  • Manually contained—Manual classification that enables rogue containment against the selected AP.

The Security > RAPIDS > Rogues page displays the following information tabs:

  • Total—Shows the total number of devices classified as Rogue, Suspected Rogue, or Interfering that are detected in the network.
  • Rogues—Shows the total number of devices classified as rogue APs.
  • Suspected Rogues—Shows the total number of devices classified as suspected rogue APs.
  • Interfering—Shows the total number of devices classified as interfering APs.
  • Neighbors—Shows the total number of devices classified as neighbor APs.
  • Manually Contained—Shows the total number of devices classified as manually contained.
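As an added example (not Aruba Central code), the following Python applies the classification rules of Table 2 to constructed detection records and totals them the way the tabs above do; the record fields, the case-insensitive BSSID comparison, and the sample values are assumptions.

```python
# Added example, not Aruba Central code: Table 2 rules over constructed records.
from collections import Counter
from dataclasses import dataclass

SUSPECT_RSSI_DBM = -75  # suspect-rogue signal threshold from Table 2

@dataclass
class Detection:
    bssid: str
    signal_dbm: int            # strength at which a detecting AP heard it
    on_wire: bool              # seen on the wired side of the network
    encryption: str = "Unknown"

def _normalize(known_neighbors, manual):
    """Lower-case BSSIDs so comparisons are case-insensitive (assumption)."""
    return ({b.lower() for b in known_neighbors},
            {b.lower(): c for b, c in (manual or {}).items()})

def classify(det, known_neighbors, manual):
    """Return the classification shown on the Rogues page for one device."""
    bssid = det.bssid.lower()
    if bssid in manual:                 # manual reclassification always wins
        return manual[bssid]
    if bssid in known_neighbors:        # a neighbor keeps its state once set
        return "Neighbor"
    if det.on_wire:                     # plugged into the wired network
        return "Rogue"
    if det.signal_dbm >= SUSPECT_RSSI_DBM:
        return "Suspected Rogue"        # strong signal, wired status unknown
    return "Interfering"                # weak signal, not on the wire

def summarize(dets, known_neighbors=(), manual=None):
    """Per-classification counts plus the Total tab (Rogue + Suspected + Interfering)."""
    neighbors, overrides = _normalize(known_neighbors, manual)
    counts = Counter(classify(d, neighbors, overrides) for d in dets)
    counts["Total"] = counts["Rogue"] + counts["Suspected Rogue"] + counts["Interfering"]
    return dict(counts)

def unencrypted_rogues(dets, known_neighbors=(), manual=None):
    """BSSIDs of Rogue/Suspected Rogue devices running no encryption (see Table 3)."""
    neighbors, overrides = _normalize(known_neighbors, manual)
    return [d.bssid for d in dets if d.encryption == "Open"
            and classify(d, neighbors, overrides) in ("Rogue", "Suspected Rogue")]

# Constructed sample detections (not real devices).
SAMPLE = [Detection(f"aa:bb:cc:00:00:0{i}", s, w, e) for i, (s, w, e) in
          enumerate([(-40, True, "Open"), (-70, False, "WPA"), (-82, False, "Open"),
                     (-60, False, "WPA"), (-55, False, "Open")], start=1)]
KNOWN_NEIGHBORS = {"aa:bb:cc:00:00:04"}
MANUAL = {"AA:BB:CC:00:00:05": "Manually Contained"}
```

Running `summarize(SAMPLE, KNOWN_NEIGHBORS, MANUAL)` yields one device per classification and a Total of 3, and `unencrypted_rogues` lists only the wired, open-encryption rogue.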

The feature for enabling wireless containment under the IDS Unauthorized Device profile and IDS Impersonation profile may be in violation of certain FCC (Federal Communications Commission) regulatory statutes.

Click the respective tabs to display specific rogue information pertaining to each classification. By default, the Total information tab is selected and the Detected Access Points table displays all the detected rogue APs.

Table 3: Detected Access Points

  • BSSID—The BSSIDs broadcast by the rogue device.
  • Name—Name of the rogue device detected in the network.
  • Classification—Classification of the rogue device (monitored device) as suspect rogue, rogue, interfering, manually contained, or neighbor. Click the drop-down arrow at the column heading to filter the rogue classification that you want to display.
  • SSID—The SSID (Service Set Identifier, the name given to a WLAN that clients use to access it) broadcast by the rogue device.
  • Last Seen—The time relative to the current moment (for example, 6 minutes or an hour) at which the rogue device was last detected in the network.
  • Last Seen By—The AP name of the last device that reported the monitored AP.
  • First Seen—The time relative to the current moment (for example, 6 minutes or an hour) at which the rogue device was first detected in the network.
  • Signal—The signal strength of the AP that detected the rogue device.
  • Encryption—The type of encryption used by the device that detected the rogue device; for example, WPA (Wi-Fi Protected Access), Open, WEP (Wired Equivalent Privacy), or Unknown. Generally, this field alone does not provide enough information to determine whether a device is a rogue, but it is a useful attribute. If a rogue is not running any encryption method, you have a wider security hole than with an AP that is using encryption.
  • Containment Status—Details of the containment status. Click the drop-down arrow at the column heading to filter the status that you want to display.
  • MAC Vendor—The vendor name associated with the MAC OUI (Organizationally Unique Identifier, the 24-bit first half of the MAC address) of the rogue device.

Reclassifying APs Manually

You can reclassify the rogue devices manually. To reclassify, complete the following steps:

  1. Select the device that you want to reclassify.

    Alternatively, you can also hover over the device and click the icon.

  2. Click Reclassify.

    The Reclassify dialog box appears.

  3. Select the type of classification from the drop-down list, Rogues, Neighbors, or Manually Contained.
  4. Click Reclassify.

Note the following important points:

  • VisualRF uses the heard signal information to calculate the physical location of the device.

  • Click to customize the Detected Access Points table columns or set it to the default view.
  • To view details of each rogue device, click the arrow against each row in the table.

  • Rogue devices are displayed for the time selected in the Time Range Filter. The Detected Access Points table displays data for a maximum time period of 1 week only.

Configuring IDS Parameters

The type and severity of Intrusion Detections raised by an AP is configurable and affects the data that is seen in Security. For more information on how to configure IDS Parameters, see Configuring IDS Parameters on IAPs.

Generating Alerts for Security Events

Aruba Central On-Premises supports configuring alerts for rogue AP detections and IDS events. To generate alerts, complete the following steps:

  1. In the Aruba Central On-Premises app, use the filter to select Global.
  2. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed.
  3. In the Alerts & Events page, click the Config icon.
    The Alert Severities & Notifications page is displayed.
  4. Select Access Point to display the AP dashboard. Aruba Central On-Premises supports three alert types for identifying interfering devices:
    • Rogue AP Detected
    • Infrastructure Attacks Detected
    • Client Attack Detected
  5. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
    1. Severity—Set the severity. The available options are Critical, Major, Minor, and Warning.
    2. Device Filter Options—(Optional) You can restrict the scope of an alert by setting one or more of the following parameters:
      • Label—Select a label to limit the alert to a specific label.
      • Sites—Select a site to limit the alert to a specific site.

      For some alerts, you can configure a threshold value for one or more alert severities. To set the threshold value, select the alert and enter the value in the exceeds text box. The alert is triggered when one of the threshold values exceeds the duration.
    3. Notification Options
      • Email—Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses separated by commas.
      • Streaming—Select the Streaming check box to receive streaming notifications when an alert is generated.
      • Webhook—Select the Webhook check box and select the Webhook from the drop-down list. For more information, see the Aruba Central Help Center.
      • Syslog—Select the Syslog check box to receive syslog notifications when an alert is generated.
    4. Click Save.
    5. Add Rule—(Optional) For a few alerts, the Add Rule option appears. For such alerts, you can add additional rule(s). The rule summaries appear at the top of the page.

    For more information on how to configure Alerts, see Configuring Alerts.

Generating Reports for Security Events

Aruba Central On-Premises supports generating reports for rogue AP detections and IDS events. To generate reports, complete the following steps:

  1. In the Aruba Central On-Premises app, use the filter to select Global.
  2. Under Analyze, click Reports.
  3. In the Reports page, click Create. Aruba Central On-Premises supports RAPIDS to display the report of all wireless intrusions. For more information on how to create Reports, see Creating a Report.