Configuring WLAN IDS; Overview; Terminology; Attack Detection - H3C MSR Series Configuration Manual

Comware 5 wlan

Configuring WLAN IDS

The terms AP and fat AP in this document refer to MSR800, MSR 900, MSR900-E, MSR 930, and
MSR 20-1X routers with IEEE 802.11b/g and MSR series routers installed with a SIC WLAN module.

Overview

802.11 networks are susceptible to a wide array of threats such as unauthorized access points and
clients, ad hoc networks, and DoS attacks. Rogue devices are a serious threat to enterprise security.
A wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and
intrusions on a wireless network. A wireless intrusion prevention system (WIPS) helps to protect
enterprise networks and users from unauthorized wireless access. The rogue detection feature is a
part of the WIDS/WIPS solution. It detects the presence of rogue devices in a WLAN network and
takes countermeasures to prevent rogue devices from operating.

Terminology

WIDS—WLAN IDS is designed to be deployed in an area that an existing wireless network
covers. It aids in the detection of malicious outsider attacks and intrusions through the wireless
network.
Rogue AP—An unauthorized or malicious access point on the network, such as an AP set up by
an employee, a misconfigured AP, a neighbor AP, or an attacker-operated AP. Because it is not
authorized, any vulnerability on the AP gives a hacker a chance to compromise your network
security.
Rogue client—An unauthorized or malicious client on the network.
Rogue wireless bridge—An unauthorized wireless bridge on the network.
Monitor AP—An AP that scans or listens to 802.11 frames to detect wireless attacks in the
network.
Ad hoc mode—Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can
communicate directly with other stations without support from any other device.
Passive scanning—In passive scanning, a monitor AP listens to all the 802.11 frames over the
air in that channel.
Active scanning—In active scanning, a monitor AP, besides listening to all 802.11 frames,
sends a broadcast probe request and receives all probe response messages on that channel.
Each AP in the vicinity of the monitor AP replies to the probe request. This helps identify all
authorized and unauthorized APs by processing probe response frames. The monitor AP
masquerades as a client when sending the probe request.
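
The following added example (not code from the H3C manual or from Comware) shows how a monitor could process probe response frames, as described under active scanning, to separate authorized APs, rogue APs, and ad hoc stations. It assumes raw 802.11 frames with no radiotap header or FCS; the function names, the BSSID allow-list format, and the sample frames are hypothetical and constructed for illustration.

```python
import struct

PROBE_RESPONSE = 0x50  # frame-control byte 0: version 0, type 0 (mgmt), subtype 5
CAP_ESS, CAP_IBSS = 0x0001, 0x0002  # capability bits: infrastructure AP / ad hoc

def parse_probe_response(frame: bytes):
    """Return bssid/ssid/channel/ad_hoc, or None if not a probe response."""
    if len(frame) < 36 or frame[0] != PROBE_RESPONSE:
        return None
    (capability,) = struct.unpack_from("<H", frame, 34)  # 24 hdr + 8 ts + 2 interval
    info = {"bssid": frame[16:22].hex(":"), "ssid": None,
            "channel": None, "ad_hoc": bool(capability & CAP_IBSS)}
    pos = 36
    while pos + 2 <= len(frame):  # walk tagged elements: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: keep what was parsed so far
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]  # DS Parameter Set
        pos += 2 + length
    return info

def classify(info, authorized):
    """authorized: set of permitted BSSIDs (hypothetical allow-list format)."""
    if info["ad_hoc"]:
        return "ad-hoc"
    return "authorized" if info["bssid"] in authorized else "rogue"

def scan(frames, authorized):
    """Classify every probe response in frames; other frames are skipped."""
    return [(i["bssid"], i["ssid"], i["channel"], classify(i, authorized))
            for i in filter(None, map(parse_probe_response, frames))]

def build_probe_response(bssid, ssid, channel, capability):
    """Constructed sample frame: no radiotap header, no FCS."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = struct.pack("<HH", PROBE_RESPONSE, 0) + b"\x02" * 6 + mac * 2 + b"\x00\x00"
    tags = bytes([0, len(ssid.encode())]) + ssid.encode() + bytes([3, 1, channel])
    return header + struct.pack("<QHH", 0, 100, capability) + tags

AUTHORIZED = {"00:00:5e:00:53:01"}  # constructed values
SAMPLE = [build_probe_response("00:00:5e:00:53:01", "corp", 6, CAP_ESS),
          build_probe_response("00:00:5e:00:53:99", "corp", 6, CAP_ESS),
          build_probe_response("02:00:5e:00:53:aa", "p2p", 11, CAP_IBSS)]

if __name__ == "__main__":
    print(*scan(SAMPLE, AUTHORIZED), sep="\n")
```

The second sample frame advertises the same SSID as the authorized AP but from an unlisted BSSID, so matching on SSID alone would miss it.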

Attack detection

The attack detection function detects intrusions or attacks on a WLAN network, and informs the
network administrator of the attacks by recording information or sending logs. At present, WIDS
can detect the following attacks:
Flood attack
Spoofing attack
Weak IV attack