Wireless IPS (WIPS)

About this task

The access point supports Wireless Intrusion Protection Systems (WIPS) to provide continuous protection against wireless threats and act as an additional layer of security complementing wireless VPNs and encryption and authentication policies. An access point supports WIPS through the use of dedicated sensor devices designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block the devices by manual termination, air lockdown, or port suppression.

Unauthorized APs are untrusted and unsanctioned access points connected to a LAN that accept client associations. They can be deployed for illegal wireless access to a corporate network, implanted with malicious intent by an attacker, or could just be misconfigured access points that do not adhere to corporate policies. An attacker can install a unauthorized AP with the same ESSID as the authorized WLAN, causing a nearby client to associate to it. The unauthorized AP can then steal user credentials from the client, launch a man-in-the middle attack or take control of wireless clients to launch denial-of-service attacks.

A WIPS server can be deployed as a dedicated solution within a separate enclosure. When used with associated access point radios, a WIPS deployment provides the following enterprise class security management features:

  • Threat Detection - Threat detection is central to a wireless security solution. Threat detection must be robust enough to correctly detect threats and swiftly help protect the wireless network.
  • Rogue Detection and Segregation - A WIPS supported network distinguishes itself by both identifying and categorizing nearby access points. WIPS identifies threatening versus non-threatening access points by segregating access points attached to the network (unauthorized APs) from those not attached to the network (neighboring access points). The correct classification of potential threats is critical for administrators to act promptly against rogues and not invest in a manual search of thousands of neighboring access points.
  • Locationing - Administrators can define the location of wireless clients as they move throughout a site. This allows for the removal of potential rogues though the identification and removal of their connected access points.
  • WEP Cloaking - WEP Cloaking protects organizations using the Wired Equivalent Privacy (WEP) security standard to protect networks from common attempts used to crack encryption keys.

To define an access point‘s WIPS configuration:

Procedure

  1. Select the Configuration tab from the Web user interface. 2 3
  2. Select Security.
  3. Select Wireless IPS to display existing Wireless Intrusion Protection policies.
    The Wireless IPS screen displays the Settings tab by default.
    Click to expand in new window
    Wireless IPS Screen - Settings Tab
    GUID-553FD389-089F-465C-A4B9-3EDC75E26622-low.png
  4. Select the Activate Wireless IPS Policy option on the upper left-hand side of the screen to enable the screen‘s parameters for configuration.
    Ensure that this option stays selected to apply the configuration to the access point profile.
  5. In the Wireless IPS Status field, select either Enabled or Disabled to activate or deactivate WIPS.
    The default setting is Enabled.
  6. Enter an Interval to Throttle Duplicates in either Seconds (1 - 86,400), Minutes (1 - 1,400), Hours (1 - 24) or Days (1).
    This interval represents the duration event duplicates are not stored in history. The default setting is 120 seconds.
  7. Refer to the Rogue AP Detection field to define the following detection settings for this WIPS policy:
    Enable Rogue AP Detection Select the check box to enable the detection of unsanctioned APs from this WIPS policy. The default setting is disabled.
    Wait Time to Determine AP Status Define a wait time in either Seconds (10 - 600) or Minutes (0 - 10) before a detected AP is interpreted as a rogue (unsanctioned) device, and potentially removed. The default interval is 1 minute.
    Ageout for AP Entries Set the interval the WIPS policy uses to ageout rogue devices. Set the policy in either Seconds (30 - 86,400), Minutes (0- 1,440), Hours (1 - 24) or Days (1). The default setting is 5 minutes.
    Interferer Threshold Specify a RSSI threshold (from -100 to -10 dBm) after which a detected access point is classified as an interferer (rogue device).
    Recurring Event Interval Set an interval that, when exceeded, duplicates a rogue AP event if the rogue devices is still active (detected) in the network. The default setting is 5 minutes.
    Air Termination Select this option to enable the termination of detected rogue AP devices. Air termination lets you terminate the connection between your wireless LAN and any access point or client associated with it. If the device is an access point, all clients dis-associated with the access point. If the device is a client, its connection with the access point is terminated. This setting is disabled by default.
    Air Termination Channel Switch Select this option to allow neighboring access point to switch channels for rogue AP termination. This setting is disabled by default.
    Air Termination Mode If termination is enabled, use the drop-down menu to specify the termination mode used on detected rogue devices. The default setting is manual.
  8. Refer to the Device Categorization field to associate a Device Categorization Policy with this Wireless IPS policy.
    Select the Add icon to create a new Device Categorization policy, or select the Edit icon to modify an existing Device Categorization policy. For more information on Device Categorization, see Device Categorization.
  9. Select OK to update the settings.
    Select Reset to revert to the last saved configuration. The WIPS policy can be invoked at any point in the configuration process by selecting Activate Wireless IPS Policy from the upper, left-hand side, of the access point user interface.
  10. Select the WIPS Events tab.
    Ensure that the Activate Wireless IPS Policy option remains selected to enable the screen‘s configuration parameters. This option needs to remain selected to apply the WIPS configuration to the access point profile.

    The Excessive tab displays by default, with additional MU Anomaly and AP Anomaly tabs also available.

    Click to expand in new window
    Wireless IPS Screen - WIPS Events - Excessive Tab
    GUID-9B157624-389F-4571-8596-38F85D55288D-low.png

    The Excessive tab lists events with the potential of impacting network performance. An administrator can enable or disable event filtering and set the thresholds for the generation of the event notification and filtering action.

    An Excessive Action Event is an event where an action is performed repetitively and continuously. DoS attacks come under this category. Use the Excessive Actions Events table to select and configure the action taken when events are triggered.

  11. Set the following Excessive Action Event configurations:
    Name Displays the name of the excessive action event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Enable Displays whether tracking is enabled for each event. Use the drop-down menu to enable/disable events as required. A green checkmark defines the event as enabled for tracking against its threshold values. A red “X” defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default.
    Filter Expiration Set the duration an event generating client is filtered. This creates a special ACL entry, and frames coming from the client are dropped. The default setting is 0 seconds.

    This value is applicable across the RF Domain. If a station is detected performing an attack and is filtered by an access point, the information is passed to the domain controller. The domain controller then propagates this information to all the access points in the RF Domain.

    Client Threshold Set the client threshold after which the filter is triggered and an event generated.
    Radio Threshold Set the radio threshold after which an event is recorded to the event history.

    Use the Enable All button to enable all Excessive Action Events. Use Disable All to disable all Excessive Action Events.

  12. Select OK to save the updates to the to Excessive Actions configuration used by the WIPS policy.
    Select Reset to revert to the last saved configuration. The WIPS policy can be invoked at any point in the configuration process by selecting Activate Wireless IPS Policy from the upper left-hand side of the access point user interface.
  13. Select the MU Anomaly tab.
    Ensure that the Activate Wireless IPS Policy option remains selected to enable the screen‘s configuration parameters.
    Click to expand in new window
    Wireless IPS Screen - WIPS Events - MU Anomaly Tab
    GUID-9BC74245-857D-4862-89FA-A2348AAFFE0E-low.png

    MU Anomaly events are suspicious events by wireless clients that can compromise the security and stability of the network. Use the MU Anomaly screen to set the intervals clients can be filtered upon the generation of each event.

  14. Set the following MU Anomaly Event configurations:
    Name Displays the name of the excessive action event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Enable Displays whether tracking is enabled for each MU Anomaly event. Use the drop-down menu to enable/disable events as required. A green checkmark defines the event as enabled for tracking against its threshold. A red “X” defines the event as disabled, and not tracked by the WIPS policy. Each event is disabled by default.
    Filter Expiration Set the duration a client is filtered. This creates a special ACL entry, and frames coming from the client are silently dropped. The default setting is 0 seconds. For each violation, define a time to filter value (in seconds) which determines how long received packets are ignored from an attacking device once a violation has been triggered. Ignoring frames from an attacking device minimizes the effectiveness of the attack and the impact to the site until permanent mitigation can be performed.

    Use the Enable All button to enable all MU Anomaly rules. Use Disable All to disable all MU Anomaly rules.

  15. Select OK to save the updates to the MU Anomaly configuration used by the WIPS policy.
    Select Reset to revert to the last saved configuration. The WIPS policy can be invoked at any point in the configuration process by selecting Activate Wireless IPS Policy from the upper left-hand side of the access point user interface.
  16. Select the AP Anomaly tab.
    Ensure that the Activate Wireless IPS Policy option remains selected to enable the screen‘s configuration parameters.
    Click to expand in new window
    Wireless IPS Screen - WIPS Events - AP Anomaly Tab
    GUID-1179FFF5-528D-4FAB-965C-C8377D1BA8AB-low.png

    AP Anomaly events are suspicious frames sent by neighboring APs. Use the AP Anomaly tab to enable or disable an event.

  17. Enable or disable the following AP Anomaly Events:
    Name Displays the name of the excessive action event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Enable Displays whether tracking is enabled for each AP Anomaly event. Use the drop-down menu to enable/disable events as required. A green check mark defines the event as enabled for tracking against its threshold values. A red “X” defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default.

    Use the Enable All button to enable all AP Anomaly events. Use Disable All to disable all AP Anomaly events.

  18. Select OK to save the updates to the AP Anomaly configuration used by the WIPS policy.
    Select Reset to revert to the last saved configuration. The WIPS policy can be invoked at any point in the configuration process by selecting Activate Wireless IPS Policy from the upper left-hand side of the access point user interface.
  19. Select the WIPS Signatures tab.
    Ensure that the Activate Wireless IPS Policy option remains selected to enable the screen‘s configuration parameters.

    A WIPS signature is the set or parameters, or pattern, used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them.

    Click to expand in new window
    Wireless IPS Screen - WIPS Signatures Tab
    GUID-4BA5C470-EE7E-4499-956C-95B21B69FB19-low.png
  20. The WIPS Signatures tab displays the following read-only configuration data:
    Name Lists the name assigned to each signature when it was created. A signature name cannot be modified as part of the edit process.
    Signature Displays whether the signature is enabled. A green checkmark defines the signature as enabled. A red “X” defines the signature as disabled. Each signature is disabled by default.
    BSSID MAC Displays each BSS ID MAC address used for matching purposes.
    Source MAC Displays each source packet MAC address for matching purposes.
    Destination MAC Displays each destination packet MAC address for matching purposes.
    Frame Type to Match Lists the frame types specified for matching with the WIPS signature.
    Match on SSID Lists each SSID used for matching purposes.
  21. Select Add to create a new WIPS signature, Edit to modify the attributes of a selected WIPS signature, or Delete to remove obsolete signatures from the list of those available.
    Click to expand in new window
    Wireless Signature Configuration Screen
    GUID-6A68EEC8-08A9-45F5-88CA-169D2C11AD0E-low.png
  22. If you are adding a new WIPS signature, define a Name to distinguish it from others with similar configurations.
    The name cannot exceed 64 characters.
  23. Set the following network address information for a new or modified WIPS Signature:
    Enable Signature Select the radio button to enable the WIPS signature for use with the profile. The default signature is enabled.
    BSSID MAC Define a BSS ID MAC address used for matching and filtering with the signature.
    Source MAC Define a source MAC address for the packet examined for matching, filtering and potential device exclusion using the signature.
    Destination MAC Set a destination MAC address for a packet examined for matching, filtering and potential device exclusion using the signature.
    Frame Type to Match Use the drop-down menu to select a frame type for matching with the WIPS signature.
    Match on SSID Sets the SSID used for matching. Ensure it is specified properly or the SSID won‘t be properly filtered.
    SSID Length Set the character length of the SSID used for matching purposes. The maximum length is 32 characters.
  24. Refer to the Thresholds field to set the thresholds used as filtering criteria.
    Wireless Client Threshold Specify the threshold limit per client that, when exceeded, signals the event. The configurable range is from 1 - 65,535.
    Radio Threshold Specify the threshold limit per radio that, when exceeded, signals the event. The configurable range is from 1 - 65,535.
  25. Set a Filter Expiration from 1 - 86,400 seconds that specifies the duration a client is excluded from radio association when responsible for triggering a WIPS event.
  26. Refer to the Payload table to set a numerical index and offset for the WIPS signature.
  27. Select OK to save the updates to the WIPS Signature configuration.
    Select Reset to revert to the last saved configuration. The WIPS policy can be invoked and applied to the access point profile by selecting Activate Wireless IPS Policy from the upper left-hand side of the access point user interface.