Configuring a WIPS Policy

About this task

Unauthorized device detection needs to be enabled for each WIPS policy (it is disabled by default). Whether currently enabled or disabled, a WIPS policy can have specific categorization policies defined and specific events enabled for detection. Once defined, a WIPS policy is available for use with a controller, service platform, or access point device profile.

To configure a WIPS policy:

Procedure

  1. Select Configuration → Security.
  2. Expand the Intrusion Prevention menu and select WIPS Policy.
    The Wireless IPS screen displays by default. It lists existing WIPS policies if any are configured. Any of these existing WIPS policies can be selected and applied.
    Figure: Wireless IPS Screen
  3. Refer to the following for existing WIPS policies:
    WIPS Policy: Displays the name assigned to the WIPS policy when it was initially created. The name cannot be modified as part of the edit process.
    Status: Displays a green check mark if the listed WIPS policy is enabled and ready for use with a profile. A red “X” designates the listed WIPS policy as disabled.
    Interval to Throttle Duplicates: Displays the duration during which event duplicates (redundant events) are not stored in event history.
  4. Select Add to create a new WIPS policy, Edit to modify the attributes of a selected policy, or Delete to remove obsolete policies from the list of those available.
    Use Rename to change the name of an existing policy, or Copy to copy a policy to a different location.

    If you are adding or editing an existing WIPS policy, the WIPS Policy screen displays with the Settings tab displayed by default.

    Figure: WIPS Policy Screen - Add/Edit - Settings Tab
  5. If you are creating a new WIPS policy, assign it a name to help differentiate it from others that may have a similar configuration.
    The policy name cannot exceed 64 characters. The name cannot be modified as part of the edit process.
  6. Within the Wireless IPS Status field, select either Enabled or Disabled to activate or deactivate the WIPS policy.
    The default setting is Enabled.
  7. Enter the Interval to Throttle Packets in either seconds (1 - 86,400), minutes (1 - 1,400), hours (1 - 24) or days (1).
    This interval represents the duration event duplicates are not stored in history. The default setting is 2 minutes.
  8. Refer to the Rogue AP Detection field to define the following detection settings for this WIPS policy:
    Enable Rogue AP Detection: Select the check box to enable the detection of unauthorized (unsanctioned) devices for this WIPS policy. The default setting is Disabled.
    Wait Time to Determine AP Status: Define a wait time in either seconds (10 - 600) or minutes (1 - 10) before a detected AP is interpreted as a rogue (unsanctioned) device, and potentially removed. The default interval is 1 minute.
    Ageout for AP Entries: Set the interval the WIPS policy uses to age out rogue devices. Set the interval in either seconds (30 - 86,400), minutes (1 - 1,440), hours (1 - 24) or days (1). The default setting is 5 minutes.
    Interferer Threshold: Specify an RSSI threshold (from -100 to -10 dBm) above which a detected access point is classified as an interferer (rogue device).
    Recurring Event Interval: Set an interval that, when exceeded, repeats a rogue AP event if the rogue device is still active (detected) in the network. The default setting is 5 minutes.
    Air Termination: Select this option to enable the termination of detected rogue AP devices. Air termination lets you terminate the connection between your wireless LAN and any access point or client associated with it. If the device is an access point, all clients are disassociated from the access point. If the device is a client, its connection with the access point is terminated. This setting is disabled by default.
    Air Termination Channel Switch: Select this option to allow neighboring access points to switch channels for rogue AP termination. This setting is disabled by default.
    Air Termination Mode: If termination is enabled, use the drop-down menu to specify the termination mode used on detected rogue devices. The default setting is manual.
  9. Use the Device Categorization Policy drop-down menu to select a policy that defines whether a device is classified as sanctioned, as a client or an access point, and the MAC addresses and SSIDs used as filtering criteria.

    If a policy requires creation, select Create. If an existing policy requires modification, select Edit and update the device categorization policy as needed.

  10. Select OK to update the settings.
    Select Reset to revert to the last saved configuration.
  11. Select the WIPS Events tab to enable events, filters and threshold values for this WIPS policy.
    The Excessive tab displays by default.
    Figure: WIPS Events Screen - Add/Edit - Excessive Tab

    The Excessive tab lists a series of events that can impact the performance of the network. An administrator can enable or disable the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action.

    An Excessive Action Event is an event where an action is performed repetitively and continuously. DoS attacks come under this category. Use the Excessive Action Events table to select and configure the action taken when events are triggered.

    AP events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top-right-hand side of the screen.
  12. Set the configurations of the following Excessive Action Events:
    Name: Displays the name of the excessive action event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Enable: Displays whether tracking is enabled for each Excessive Action Event. Use the drop-down menu to enable/disable events as required. A green check mark defines the event as enabled for tracking against its threshold values. A red “X” defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default. Events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top-right-hand side of the screen.
    Filter Expiration: Set the duration the anomaly-causing client is filtered. This creates a special ACL entry, and frames coming from the client are silently dropped. The default setting is 0 seconds.

    This value is applicable across the RF Domain. If a station is detected performing an attack and is filtered by one of the APs, the information is passed to the domain controller or service platform. The domain controller or service platform then propagates this information to all APs in the RF Domain.

    Client Threshold: Set the client threshold after which the filter is triggered and an event generated.
    Radio Threshold: Set the radio threshold after which an event is recorded to the events history.
  13. Select OK to save the updates to the excessive actions configuration used by the WIPS policy.
    Select Reset to revert to the last saved configuration.
  14. Select the MU Anomaly tab:
    Figure: WIPS Events Screen - Add/Edit - MU Anomaly Tab

    MU anomaly events are suspicious actions by wireless clients that can compromise the security and stability of the network. Use the MU Anomaly screen to configure how long a client is filtered after each defined event is generated.

    MU events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top-right-hand side of the screen.

  15. Set the following MU Anomaly Events configurations:
    Name: Displays the name of the MU anomaly event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Enable: Displays whether tracking is enabled for each event. Use the drop-down menu to enable/disable events as required. A green check mark defines the event as enabled for tracking against its threshold values. A red “X” defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default. MU events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top-right-hand side of the screen.
    Filter Expiration: Set the duration the anomaly-causing client is filtered. This creates a special ACL entry, and frames coming from the client are silently dropped. The default setting is 0 seconds. For each violation, define a time-to-filter value in seconds that determines how long received packets from an attacking device are ignored once a violation has been triggered. Ignoring frames from an attacking device minimizes the effectiveness of the attack and the impact to the site until permanent mitigation can be performed.
  16. Select OK to save the updates to the MU anomaly configuration used by the WIPS policy.
    Select Reset to revert to the last saved configuration.
  17. Select the AP Anomaly tab:
    Figure: WIPS Events Screen - Add/Edit - AP Anomaly Tab

    AP anomaly events are suspicious frames sent by neighboring APs. Use this screen to determine whether an event is enabled for tracking.

    AP events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top-right-hand side of the screen.

  18. Set the following AP Anomaly Events configurations:
    Name: Displays the name of the AP anomaly event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Enable: Displays whether tracking is enabled for each AP anomaly event. Use the drop-down menu to enable/disable events as required. A green check mark defines the event as enabled for tracking against its threshold values. A red “X” defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default. AP events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top-right-hand side of the screen.
  19. Select OK to save the updates to the AP anomaly configuration used by the WIPS policy.
    Select Reset to revert to the last saved configuration.
  20. Select the WIPS Signatures tab.
    A WIPS signature is the set of parameters, or pattern, used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them.
    Figure: WIPS Signatures Screen
  21. The WIPS Signatures screen displays the following read-only data:
    Name: Lists the name (in the top left-hand corner) assigned to each signature when it was created. A signature name cannot be modified as part of the edit process.
    Signature: Displays whether the signature is enabled. A green check mark defines the signature as enabled. A red “X” defines the signature as disabled. Each signature is disabled by default.
    BSSID MAC: Displays each BSS ID MAC address used for matching purposes and potential device exclusion.
    Source MAC: Displays each source MAC address of the packet examined for matching purposes and potential device exclusion.
    Destination MAC: Displays each destination MAC address of the packet examined for matching purposes and potential device exclusion.
    Frame Type to Match: Lists the frame types specified for matching with the WIPS signature.
    Match on SSID: Lists each SSID used for matching purposes.
  22. Select Add to create a new WIPS signature, Edit to modify the attributes of a selected WIPS signature or Delete to remove obsolete signatures from the list of those available.
    Figure: WIPS Signatures Screen - Add/Edit - Signature Screen
  23. If you are adding a new WIPS signature, define a name to distinguish it from others with similar configurations.
    The name cannot exceed 64 characters.
  24. Set the following network address information for a new or modified WIPS Signature:
    Enable Signature: Select the check box to enable the WIPS signature for use with the profile. The default signature is enabled.
    BSSID MAC: Define a BSS ID MAC address used for matching and filtering with the signature.
    Source MAC: Define a source MAC address for packets examined for matching, filtering and potential device exclusion using the signature.
    Destination MAC: Set a destination MAC address for the packet examined for matching, filtering and potential device exclusion with the signature.
    Frame Type to Match: Use the drop-down menu to select a frame type for matching and filtering with the WIPS signature.
    Match on SSID: Set the SSID used for matching and filtering with the signature. Ensure that it is specified properly, or the SSID will not be properly filtered.
    SSID Length: Set the character length of the SSID used for matching and filtering with this signature. The maximum length is 32 characters.
  25. Refer to the Thresholds field to set signature threshold limitations used as filtering criteria.
    Wireless Client Threshold: Specify the threshold limit per client that, when exceeded, signals the event. The configurable range is from 1 - 65,535.
    Radio Threshold: Specify the threshold limit per radio that, when exceeded, signals the event. The configurable range is from 1 - 65,535.
  26. Set a Filter Expiration (from 1 - 86,400 seconds) that specifies the duration a client is excluded from RF Domain manager radio association when responsible for triggering a WIPS event.
  27. Refer to the Payload table to set a numerical index pattern and offset for the WIPS signature.
    Select + Add Row and provide Index, Pattern, and Offset variables for the payload.
  28. Select OK to save the updates to the WIPS Signature configuration.
    Select Reset to revert to the last saved configuration.
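The Interval to Throttle setting (step 7) and the Enable, Filter Expiration, Client Threshold and Radio Threshold settings of an Excessive Action Event (step 12) act together. The following is an added Python model written for this page, not code from the product or its documentation, showing a client that exceeds its client threshold being filtered for the expiration period and duplicate events inside the throttle interval being left out of history. The class names, the counter-reset scheme and the sample auth-flood event are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ExcessiveEvent:
    name: str
    enabled: bool = False        # each event is disabled by default
    filter_expiration: int = 0   # seconds the offending client is filtered (0 = none)
    client_threshold: int = 0    # per-client count that, when exceeded, triggers the filter
    radio_threshold: int = 0     # per-radio count that, when exceeded, records an event

@dataclass
class WipsPolicy:
    throttle_interval: int = 120  # Interval to Throttle duplicates, default 2 minutes
    events: dict = field(default_factory=dict)
    history: list = field(default_factory=list)    # (timestamp, event name, source)
    _filters: dict = field(default_factory=dict)   # client MAC -> filter expiry timestamp
    _counts: dict = field(default_factory=dict)    # (event name, client or radio) -> count

    def is_filtered(self, client, now):
        return self._filters.get(client, 0) > now

    def _record(self, ts, name, source):
        # A duplicate of the same event from the same source inside the throttle interval is not stored.
        for h_ts, h_name, h_src in reversed(self.history):
            if (h_name, h_src) == (name, source):
                if ts - h_ts < self.throttle_interval:
                    return False
                break
        self.history.append((ts, name, source))
        return True

    def observe(self, ts, name, client, radio):
        ev = self.events.get(name)
        if ev is None or not ev.enabled or self.is_filtered(client, ts):
            return  # untracked event, or frames from a filtered client are silently dropped
        for key, threshold in ((client, ev.client_threshold), (radio, ev.radio_threshold)):
            self._counts[(name, key)] = self._counts.get((name, key), 0) + 1
            if threshold and self._counts[(name, key)] > threshold:
                self._counts[(name, key)] = 0           # assumed: counter restarts after firing
                if key == client and ev.filter_expiration:
                    self._filters[client] = ts + ev.filter_expiration
                self._record(ts, name, key)

def demo():
    # Constructed sample: one client sends 10 authentication frames, 1 s apart.
    policy = WipsPolicy(throttle_interval=120)
    policy.events["auth-flood"] = ExcessiveEvent("auth-flood", True, 300, 3, 10)
    for ts in range(10):
        policy.observe(ts, "auth-flood", "aa:bb:cc:00:00:01", "radio1")
    return policy
```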