
WIPS

View, enable and disable, and configure WIPS (Wireless Intrusion Prevention System).

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Additional Settings > Security > WIPS

or

Configure > Common Objects > Security > WIPS Policies

About WIPS

The Extreme Networks WIPS (Wireless Intrusion Prevention System) uses a variety of techniques to detect unauthorized access points, checking for access points that do not conform to specified criteria and for ad hoc networks.

APs scan the radio spectrum, and then check the scan results against one or more specified characteristics of a valid access point. Access points that do not comply with the specified criteria are identified as rogues. The criteria identifying a valid access point can be one or more of those described in the WIPS settings below.

Enable and Configure WIPS

Toggle the WIPS switch to ON to enable WIPS (it is disabled by default). When you enable WIPS, you can configure either AP-based WIPS services or advanced Extreme AirDefense WIPS services. The AirDefense option requires that you first install an AirDefense on-premises service.

Configure WIPS Settings

To reuse existing WIPS settings, select , choose a previously configured profile, and select Save. Otherwise, enter the following and then select Save:

Name: Enter a name for this WIPS profile.

Description: Enter an optional description for this WIPS profile.

Rogue Access Point Detection: Enable to detect unauthorized access points in the area. This feature is enabled by default.

Determine if detected rogue APs are connected to your wired (backhaul) network: This check box is selected by default. To disable it, clear the check box. Use this option in combination with other WIPS techniques to determine if a detected rogue AP is in the same network as compliant APs, which can help you determine the urgency of your response.

An Extreme Networks AP builds a MAC learning table from source MAC addresses in the broadcast traffic it receives from devices in its Layer 2 broadcast domain. When an AP running XOS 5.0r2 or later detects a rogue AP through any of the rogue detection mechanisms in the WIPS policy, it checks its MAC learning table for an entry within a 64-address range above or below the BSSID of the invalid SSID. If there is a match, it is assumed that both MAC addresses belong to the same device. Because one of its addresses is in the MAC learning table, the rogue is considered to be in the same backhaul network as the detecting AP, and "In Net" appears in the In Network column for that rogue in the list of rogue APs. You can then take appropriate steps to mitigate the rogue.
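The following Python example, added here as an illustration and not part of the Extreme Networks product or this guide, applies the same 64-address rule to a constructed MAC learning table: a rogue BSSID that falls within 64 addresses above or below any learned wired MAC is reported as in-network. The function names and the sample table are constructed for the example.

```python
from typing import Iterable, Optional

WINDOW = 64   # addresses above or below the rogue BSSID that are treated as the same device

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff into a 48-bit integer."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def in_network(rogue_bssid: str, learned_macs: Iterable[str], window: int = WINDOW) -> Optional[str]:
    """Return the closest learned wired MAC within +/- window of the rogue BSSID, or None.

    A match means the rogue's radio and wired interface are assumed to belong to one device,
    so the rogue would be shown as "In Net" in the rogue AP list.
    """
    target = mac_to_int(rogue_bssid)
    best = None
    for mac in learned_macs:
        distance = abs(mac_to_int(mac) - target)
        if distance <= window and (best is None or distance < best[0]):
            best = (distance, mac)
    return best[1] if best else None

# Constructed sample data: a wired MAC learning table and two detected rogue BSSIDs.
LEARNED = ["00:11:22:33:44:50", "aa:bb:cc:dd:ee:ff", "10:20:30:40:50:60"]
ROGUE_IN_NET = "00:11:22:33:44:8f"     # 63 addresses above a learned MAC: reported "In Net"
ROGUE_EXTERNAL = "00:11:22:33:45:00"   # 176 addresses away: outside the 64-address window
```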

Detect rogue access points based on their MAC OUI: Select this check box to detect rogue access points by MAC OUI.

Select MAC OUIs of wireless devices that are permitted in the WLAN

To create a list of MAC OUIs that you want to allow to access the network, select to add a new MAC OUI, or select a previously defined OUI from the drop-down list, and then select Add. To remove a MAC OUI from the list, select the check box for the OUI you want to remove, and then select .

Detect rogue access points based on hosted SSIDs and encryption type: Select this check box to detect rogue access points for SSID names that other access points advertise—along with the type of encryption they use. For example, if you have a network security policy that requires all SSIDs to use Enterprise 802.1x, then any valid SSID using Enterprise 802.1x would make the access point hosting it valid. On the other hand, an access point would be categorized as a rogue if it hosts an SSID using WEP or no encryption at all (that is, "open").

To include SSID checks in the WIPS policy, select the check box for Detect rogue access points based on hosted SSIDs and encryption type.

Select to add a previously-defined SSID, enter the following information, and then select Add:

Select SSID: Select an SSID from the drop-down list.

Enter an SSID Name: If the SSID does not appear in the drop-down list, you can enter the name in this field.

Check the type of encryption used by this SSID: Select the check box, and then choose one of the following to restrict access to this WLAN based on the encryption that the client device uses within the chosen SSID:

OPEN: Allow only devices in the chosen SSID using no encryption to access the WLAN.

WEP: Allow only devices in the chosen SSID using WEP encryption to access the WLAN.

Enterprise 802.1x: Allow only devices in the chosen SSID using valid WPA encryption to access the WLAN.

To add more SSIDs to the list, repeat the previous two steps. You can add up to 1024 SSIDs to one WIPS policy. If you enable SSID detection but do not add any SSIDs to the list, then the AP will consider all SSIDs to be rogue because no SSID is indicated as being valid.

To remove an SSID from the checklist, select the check box, and then select Remove.

Detect if wireless clients have formed an ad hoc network to identify rogue clients: Enabled by default. APs can detect if wireless clients have formed an ad hoc network. One of the dangers that an ad hoc network poses is that it can provide an unprotected (or less protected) opening to the wired network. If a rogue client joins an ad hoc network, it connects directly to a user's station. If that station is connected to the wired network and has bridging enabled, the rogue client can potentially access the wired network too.

Note

When stations in an ad hoc network—or IBSS (independent basic service set)—transmit 802.11 beacons and probe responses, the ESS (extended service set) bit is set to 0 and the IBSS bit is set to 1, indicating IBSS capability. When APs scan the radio spectrum and detect these types of management frames, they categorize the stations transmitting them as members of an ad hoc network and classify them as rogue.
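The ad hoc detection described in this note and the SSID and encryption checks described above can be modelled with the following Python example, added here and not part of the product or this guide. It reads the capability field of a constructed beacon or probe response (ESS bit 0, IBSS bit 1, privacy bit 4), extracts the SSID, and classifies the frame against a valid-SSID list; the frame builder, the function names, and the coarse mapping of the privacy bit and RSN element onto the OPEN/WEP/Enterprise 802.1x categories are assumptions of the example.

```python
import struct

# 802.11 management frame layout (the constructed frames below carry no radiotap header).
MAC_HDR, FIXED = 24, 12       # header: fc, duration, addr1-3, seq; fixed: timestamp, interval, capability
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010   # capability field bits 0, 1 and 4
EID_SSID, EID_RSN = 0, 48                                  # tagged element IDs

def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, ESS/IBSS bits, SSID and a coarse encryption class for a beacon/probe response."""
    if len(frame) < MAC_HDR + FIXED:
        raise ValueError("too short for a beacon or probe response")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):       # management frame; 5 = probe response, 8 = beacon
        raise ValueError("not a beacon or probe response")
    cap = struct.unpack_from("<H", frame, MAC_HDR + 10)[0]
    ssid, has_rsn, pos = "", False, MAC_HDR + FIXED
    while pos + 2 <= len(frame):                  # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        if eid == EID_SSID:
            ssid = frame[pos + 2:pos + 2 + elen].decode("utf-8", "replace")
        elif eid == EID_RSN:
            has_rsn = True
        pos += 2 + elen
    # Simplification (assumption): privacy clear => OPEN; RSN element => WPA2, filed under the
    # page's "Enterprise 802.1x" category; privacy set without RSN => WEP. WPA1 vendor elements
    # and the 802.1X-vs-PSK distinction (RSN AKM suites) are not examined here.
    if not cap & CAP_PRIVACY:
        enc = "OPEN"
    else:
        enc = "Enterprise 802.1x" if has_rsn else "WEP"
    return {"bssid": frame[16:22].hex(":"), "ess": bool(cap & CAP_ESS),
            "ibss": bool(cap & CAP_IBSS), "ssid": ssid, "encryption": enc}

def classify(frame: bytes, valid_ssids: dict) -> str:
    """valid_ssids maps SSID -> required encryption type, or None when the encryption check is off."""
    info = parse_beacon(frame)
    if info["ibss"] and not info["ess"]:          # ESS=0, IBSS=1: ad hoc station
        return "rogue: ad hoc (IBSS) station"
    if info["ssid"] not in valid_ssids:           # an empty list therefore makes every SSID rogue
        return "rogue: SSID not in valid list"
    required = valid_ssids[info["ssid"]]
    if required is not None and required != info["encryption"]:
        return f"rogue: {info['ssid']} uses {info['encryption']}, policy requires {required}"
    return "valid"

def build_frame(subtype: int, bssid: bytes, cap: int, ssid: bytes, rsn: bool) -> bytes:
    """Constructed sample frame: header, fixed parameters, SSID element and an optional minimal RSN."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = struct.pack("<QHH", 0, 100, cap) + bytes([EID_SSID, len(ssid)]) + ssid
    return hdr + body + (bytes([EID_RSN, 2, 1, 0]) if rsn else b"")
```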

Enable rogue client reporting: Select this check box to report rogue clients. You can then change the duration that elapses before disconnected rogue clients are deleted from the reports.

Configure Rogue Mitigation

Configure the following information to control how you want to mitigate rogue APs and their clients:

Mitigation Mode

Manual: This is the default setting. Select it to mitigate rogue APs and their clients manually. In manual mode, you must periodically check for rogue APs and their clients on the heat map pages in your network hierarchy (on the Network 360 Plan tab).

Note

Use caution when mitigating a suspected rogue AP. If your WLAN is within range of other neighboring wireless networks, the access point that might initially be considered a rogue AP—along with its clients—might be valid in someone else's WLAN.

Automatic: With this option, APs mitigate rogue APs and their clients automatically, starting and stopping the mitigation process without any administrator involvement.

Note

Important: You should only use the automatic mode for rogue APs that are detected as "in-network" (in the backhaul network of your organization). Otherwise, automatic mitigation can impact the normal operation of valid APs belonging to a nearby business by blocking their wireless clients from connecting to their APs. Reference the appropriate FCC regulations that prohibit Wi-Fi blocking in these cases.

Automatically mitigate rogue APs if they are connected to your wired (backhaul) network: By default, this check box is selected. This ensures that APs only mitigate rogue APs that are in their backhaul network, not APs in external networks that happen to be within radio range.

Detect and mitigate rogue clients every: After you enable rogue detection on an AP, it scans detected rogue APs for clients during the period that you specify. If you manually start mitigation against a rogue, the AP not only continues scanning for clients during this period, it also sends deauthentication frames to the rogue AP and any detected clients during the same period. For example, if you leave this at the default setting of 1 second, the AP checks for rogues and attacks them every second.

Each time an AP checks if there are clients associated with a detected rogue, it must switch channels for about 80 milliseconds (unless it happens to be using the same channel as the rogue). To minimize channel switching, try to choose an AP that is on the same channel as the rogue to perform the mitigation. The Rogue AP list shows which channel the rogue is using. If none of the APs are using the same channel, choose the one with the fewest clients. Finally, if all the APs are busy and on different channels from the rogue, consider reducing the amount of channel switching by increasing the period so that the associated client check occurs less frequently. You can change the duration from 1 to 600 seconds (10 minutes).

Repeat mitigation for detected rogue clients: This specifies how many consecutive periods to spend attacking a rogue AP and its clients before allowing client inactivity to cause a ceasefire and commence a countdown to end the mitigation. The default setting is 60 consecutive periods.

If you use the default settings for both the length of the mitigation period and the consecutive number of periods, an attack will last for 60 seconds before entering a cease-fire period due to client inactivity. The range is from 0 to 2,592,000 seconds (30 days). A value of 0 means that mitigator APs send deauthentication frames for the entire time that a mitigation effort is in effect (as defined in the next setting).

Limit mitigation efforts per rogue AP to: This is the maximum amount of time that an attack against a rogue AP can last. If the length of client inactivity does not cause the attack to be suspended or if you do not manually stop the attack, the AP will stop it when this time limit elapses. The default duration is 14,400 seconds (4 hours), which means that an AP continues checking for clients of a detected rogue for up to four hours and mitigates them if it finds them. (The mitigation might stop sooner if the period of client inactivity lasts long enough to stop it.)

You can change the maximum time limit between 0 and 2,592,000 seconds (30 days). In cases where the response time to detect a rogue AP would be greater than the default duration of four hours, consider increasing the duration to allow more time to locate the AP before ending the mitigation process. A value of 0 means that the client detection and mitigation process will continue indefinitely unless the client inactivity period elapses.

You can define this setting in seconds, minutes, or hours using the drop-down list.

Stop mitigation if no client activity is detected in: Set a period of time to stop the mitigation process if the AP no longer detects that clients are associated with the rogue AP. During this time, the AP stops sending DoS attacks but continues checking if any clients form new associations with the targeted AP. If the AP detects any associated clients before this period elapses, it sends a deauthentication flood attack and resets the counter to begin the countdown again. If there are no more clients associated with the AP after this period elapses, the AP stops the mitigation process even if there is still time remaining in the maximum time limit.

The default period is 3600 seconds (1 hour). You can reduce or increase the quiet time interval from 60 to 86,400 seconds (24 hours), depending on how long you think it necessary for the AP to wait before stopping the mitigation process.

You can define this setting in seconds, minutes, or hours using the drop-down list.

Max number of mitigator APs per rogue AP: (Only applies to automatic mode.) For automatic mitigation, hive members choose one AP to be the arbitrator, which is the one to which all the detector APs send reports. The arbitrator AP also determines which detector APs perform mitigation. When they start, they become mitigator APs. Set the number of mitigator APs that the arbitrator AP can automatically assign to attack a rogue AP and its clients. The default is one mitigator AP per rogue AP. However, you can increase the number of APs to perform mitigation up to 1024. If you set the maximum as 0, all the detector APs can be assigned to perform rogue mitigation.

Configure AirDefense WIPS Settings

Extreme AirDefense (AD) is a distributed WIPS solution that protects, monitors, and enforces compliance of your WLAN networks. AirDefense continuously safeguards the network from external threats 24 hours a day, 365 days a year, and automates action (mitigation, notification, and information gathering) when attacks occur, enabling an immediate response. It also enables compliance with regulations such as PCI-DSS, Sarbanes-Oxley, HIPAA, and GLBA.

Extreme AD is available as a physical or virtual network appliance. Instructions to install and configure AD are in the Extreme AirDefense User Guide (9036613-00).

After the AD installation is complete, invoke ExtremeCloud IQ to associate the supported access points with the AD. Manage AD and WIPS alerts from the AD interface.

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.