Security Threats
The Radar reports provide information about security threats. Threat APs are APs that have been detected performing one or more types of attack on the authorized network.
Each AP defined on the controller has a text location attribute that can be set using the controller's GUI, CLI, and SNMP agent. By default the location attribute is empty for all APs. It is strongly recommended that you set the location attribute of each AP. The attribute should be set so that APs at the same location have exactly the same location attribute. For example all the APs on the 3rd floor of a building could have the same location, such as "Boston/123 4th street/3rd floor". The controller's multi-edit page provides a convenient way to assign groups of APs to the same location.
The types of threat recognized by the Radar WIDS-WIPS system include:
- Ad Hoc Device - A device in ad hoc mode can participate in direct device-to-device wireless networks. Devices in ad hoc mode are a security threat because they are prone to leaking information stored on file system shares and bridging to the authorized network.
- Cracking - This refers to attempts to crack a password or network passphrase (such as a WPA-PSK). The Chop-Chop attack on WPA-PSK and WEP is an example of an active password cracking attack.
- Denial of Service (DoS) attacks - DoS attacks
- External Honeypot - An AP that is attempting to make itself a man-in-the-middle by advertising a popular SSID, such as an SSID advertised by a coffee shop or an airport.
- Interference Source - A device that is generating a radio signal that is interfering with the operation of the wireless network. An example of an interference source is a microwave oven, which can interfere with 2.4 GHz transmissions.
- Internal Honeypot - An AP that is attempting to make itself a man-in-the-middle by advertising an SSID belonging to the authorized network.
- Rogue AP - A rogue AP is an unauthorized AP connected to the authorized wired or wireless network.
- Performance - Performance issues pertain to overload conditions that cause a service impact. Performance issues aren't necessarily security issues, but many types of attack do generate performance issues.
- Prohibited Device - A MAC address or BSSID is detected that matches an address entered manually into the Radar database.
- Spoofed AP - An AP that is not part of the authorized network is advertising a BSSID (MAC address) that belongs to an authorized AP on the authorized network.
- Surveillance - A device or application that is probing for information about the presence and services offered by a network.
Note
Surveillance can be passive (purely listening) or active (the surveyor sends messages to speed up the process of surveillance). It is only possible to detect active surveillance. Netstumbler and Wellenreiter are examples of active surveillance tools.
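The Prohibited Device, Spoofed AP, Internal Honeypot and External Honeypot definitions in the list above all reduce to comparing an observed beacon against an inventory of authorized APs. The sketch below is an added example, not Radar's own detection logic; the inventory, watch lists, beacon fields and the SSID/channel mismatch test for spoofing are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: authorized BSSID -> (SSID, channel) as provisioned.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("corp-wifi", 36),
    "00:11:22:aa:bb:02": ("corp-wifi", 149),
}
AUTHORIZED_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
# Constructed watch lists (assumptions, not Radar defaults).
POPULAR_SSIDS = {"CoffeeShop-Free", "Airport_WiFi"}
PROHIBITED_MACS = {"de:ad:be:ef:00:01"}

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int

def classify(b: Beacon) -> str:
    """Map one observed beacon to a threat category from the list above."""
    bssid = b.bssid.lower()
    if bssid in PROHIBITED_MACS:        # address entered manually
        return "Prohibited Device"
    if bssid in AUTHORIZED_APS:
        # Assumed heuristic: an authorized BSSID seen with an SSID or channel
        # other than the provisioned one suggests a second radio is reusing it.
        if (b.ssid, b.channel) != AUTHORIZED_APS[bssid]:
            return "Spoofed AP"
        return "Authorized"
    if b.ssid in AUTHORIZED_SSIDS:      # authorized SSID from an unknown radio
        return "Internal Honeypot"
    if b.ssid in POPULAR_SSIDS:         # popular public SSID from an unknown radio
        return "External Honeypot"
    return "Unclassified"

# Constructed observations, one per category.
SAMPLE = [
    Beacon("00:11:22:AA:BB:01", "corp-wifi", 36),
    Beacon("00:11:22:aa:bb:02", "corp-wifi", 6),
    Beacon("66:77:88:00:00:10", "corp-wifi", 11),
    Beacon("66:77:88:00:00:11", "Airport_WiFi", 1),
    Beacon("de:ad:be:ef:00:01", "corp-wifi", 36),
]

def summarize(beacons):
    """Return (bssid, category) pairs in observation order."""
    return [(b.bssid, classify(b)) for b in beacons]

if __name__ == "__main__":
    for bssid, label in summarize(SAMPLE):
        print(f"{bssid}  {label}")
```

A channel mismatch is a weak signal where APs select channels automatically, so a deployment like that would compare against the controller's current channel assignment rather than a static value.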