Understanding Wireless Intrusion Detection Services - Allen-Bradley Stratix 5100 User Manual

Understanding Wireless
Intrusion Detection Services
Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
When you implement Wireless Intrusion Detection Services (WIDS) on your
wireless LAN, your access points, WLSE, and an optional (non-Cisco) WIDS
engine work together to detect and prevent attacks on your wireless LAN
infrastructure and associated client devices.
Working with the WLSE, access points can detect intrusions and take action to
defend the wireless LAN. This table describes the features of WIDS.
Feature Description
Switch port tracing and rogue Switch port tracing and suppression uses an RF detection method that produces the
suppression radio MAC address of an unknown radio (a potential rogue device). The WLSE derives
a wired-side MAC address from the wireless MAC address and uses it to search the
switch's BRIDGE MIB. When one or more searchable MAC addresses are available, the
WLSE uses CDP to discover any switches connected up to two hops away from the
detecting access points. The WLSE examines the BRIDGE MIB of each CDP-discovered
switch to determine if they contain any of the target MAC addresses. If CDP finds any
of the MAC addresses, WLSE suppresses the corresponding switch port number.
Excessive management frame Excessive management frames indicate an attack on your wireless LAN. An attacker
detection can carry out a denial-of-service attack by injecting excessive management frames
over the radio to overwhelm access points that have to process the frames. As part of
the WIDS feature set, access points in scanning mode and root access points monitor
radio signals and detect excessive management frames. When they detect excessive
management frames, the access points generate a fault and send it through the WDS
to the WLSE.
Authentication/protection Authentication/protection failure detection looks for attackers who are either trying
failure detection to overcome the initial authentication phase on a wireless LAN or to compromise the
ongoing link protection. These detection mechanisms address specific authentication
attacks:
• EAPOL flood detection
• MIC/encryption failures detection
• MAC spoofing detection
Frame capture mode In frame capture mode, a scanner access point collects 802.11 frames and forwards
them to the address of a WIDS engine on your network.
See the
on configuring the access point to participate in WIDS and
Frame Protection on page 396
MFP.
802.11 Management Frame Wireless is an inherently broadcast medium enabling any device to eavesdrop and
Protection (MFP) participate either as a legitimate or rogue device. Because control and management
frames are used by client stations to select and initiate a session with an AP, these
frames must be open.
While management frames cannot be encrypted, they must be protected from
forgery. MFP is a means for the 802.11 management frames can be integrity
protected. MFP WLSE for reporting intrusion events. MFP is available on the Straitx
5100 WAP. MFP is available only on 32 Mb platforms.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Configuring Access Points to Participate in WIDS on page 402
for instructions on configuring the access point for
Chapter 13
for instructions
Configuring Management
381