
Module 13


Presentation Transcript


  1. Module 13 - Wireless IPS: Enhanced Wireless Protection

  2. Objectives
     • Identify the basic aspects of WIPS
     • Describe the advanced functionality of WIPS
     • Identify the key considerations of WIPS

  3. Introduction

  4. Introduction
     • WiNG5 supports Basic WIPS and Advanced WIPS services as well as various enhancements:
       • Basic WIPS supports more events as well as user-defined signatures
       • New AP radio scanning modes
       • New Advanced WIPS engine (licensed)
     (Diagram: Basic WIPS vs. Advanced WIPS architecture. Basic WIPS: the Wireless Controller holds the Event Logs and Device Classification; Dependent and Independent APs perform Event Detection, AP Detection and Black Listing. Advanced WIPS: the Wireless Controller holds the Advanced WIPS Policy, Advanced WIPS License, Event Logs, Event Detection, Device Classification and Termination Policies; Dependent and Independent APs perform AP Detection and Terminations. Mgmt / Control traffic between APs and the Wireless Controller runs over HTTPS (8443).)

  5. Basic WIPS

  6. Introduction
     • Enabled through WIPS Policies that are assigned via:
       • RF Domains: groups of Access Points
       • Overrides: individual Access Points (device overrides)
     • Each WIPS policy supports 37 events categorized as:
       • Excessive: events are triggered by DoS-type attacks
       • AP Anomaly: events are triggered when neighboring Access Points send suspicious frames
       • Wireless Client: events are triggered when a Wireless Client performs suspicious activities
     • Each WiNG5 WIPS policy supports customizable signatures
     • Supports basic AP detection and classification
     (Diagram: RF Domain -> WIPS Policy -> Events, Customized Signatures)

  7. Detected Events
     • Each WIPS event can be individually enabled or disabled in the WIPS policy
     • When a WIPS event is detected by an Access Point, a log entry is generated on the Access Point where the attack was detected

  8. Event Mitigation
     • Excessive events include per-Client and per-Radio thresholds which define the number of events that must occur within a 60 second window before the event is triggered
       • Client Threshold: number of violations from a single Wireless Client across one or more radios (within a 60 second time interval)
       • Radio Threshold: total number of violations from all Wireless Clients on a single radio (within a 60 second time interval), i.e. distributed attacks
     • Client Thresholds support a filtering option
       • When enabled, it blacklists the offending Wireless Client's MAC address for a specified amount of time
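The per-client and per-radio threshold logic of this slide, written out as an added Python example (not WiNG5 code): the sliding 60 second window, the "count reaches threshold" trigger and the way the blacklist expiry is refreshed are assumptions of the example, as are the constructed MAC addresses and radio names used in it.

```python
from collections import deque

WINDOW_SECONDS = 60.0  # the 60 second window the Basic WIPS thresholds are measured over

class ExcessiveEventTracker:
    """Tracks one Excessive event (e.g. a flood of one frame type) for a WIPS policy."""

    def __init__(self, client_threshold, radio_threshold, filter_seconds=0):
        self.client_threshold = client_threshold   # violations from one client, on any radio
        self.radio_threshold = radio_threshold     # violations from all clients on one radio
        self.filter_seconds = filter_seconds       # 0 = the blacklist filtering option is off
        self.per_client = {}                       # client MAC -> timestamps inside the window
        self.per_radio = {}                        # radio id   -> timestamps inside the window
        self.blacklist = {}                        # client MAC -> blacklist expiry time

    @staticmethod
    def _count_in_window(buckets, key, now):
        """Record a violation for key and return how many fall inside the window."""
        stamps = buckets.setdefault(key, deque())
        stamps.append(now)
        while stamps and now - stamps[0] > WINDOW_SECONDS:
            stamps.popleft()                       # drop violations older than 60 s
        return len(stamps)

    def is_blacklisted(self, client_mac, now):
        expiry = self.blacklist.get(client_mac)
        return expiry is not None and now < expiry

    def violation(self, client_mac, radio_id, now):
        """Record one suspicious frame; return the set of thresholds it trips.

        Assumption of this example: the event fires once the count reaches the
        threshold, and the client's blacklist entry is refreshed on every trip."""
        tripped = set()
        if self._count_in_window(self.per_client, client_mac, now) >= self.client_threshold:
            tripped.add("client")
            if self.filter_seconds:
                self.blacklist[client_mac] = now + self.filter_seconds
        if self._count_in_window(self.per_radio, radio_id, now) >= self.radio_threshold:
            tripped.add("radio")                   # many clients on one radio: distributed attack
        return tripped
```

Because the per-client count is keyed on the MAC alone, a client hopping between radios still accumulates towards its threshold, while the per-radio count catches many low-rate clients on one radio.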

  9. Signatures
     • WiNG5 adds new support for customized signatures which can identify frames based on specified match conditions and payload content:
       • Source MAC Address – XX:XX:XX:XX:XX:XX
       • Destination MAC Address – XX:XX:XX:XX:XX:XX
       • 802.11 Frame Type – All, Association, Auth, Beacon, Data, De-Auth, Disassociate, Management, Probe Request, Probe Response and Re-Associate
       • BSSID MAC Address – XX:XX:XX:XX:XX:XX
       • SSID Name – string
       • SSID Length – 1 to 32 characters
       • Payload – three entries using HEX or String
     • Each signature supports configurable Wireless Client and Radio thresholds that can trigger mitigation when exceeded
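The match conditions listed above, as an added Python example (not the WiNG5 signature engine): frames are constructed dictionaries rather than captured traffic, treating "Management" as any management subtype and requiring every configured payload entry to be present are assumptions of the example, and the per-signature thresholds are left out.

```python
MGMT_SUBTYPES = {"Association", "Auth", "Beacon", "De-Auth", "Disassociate",
                 "Probe Request", "Probe Response", "Re-Associate"}

def payload_pattern(kind, value):
    """One of the up-to-three payload entries; kind is 'hex' or 'string'."""
    return bytes.fromhex(value) if kind == "hex" else value.encode()

class Signature:
    """A user-defined signature; a match field left as None (or 'All') matches anything."""

    def __init__(self, name, src=None, dst=None, frame_type="All", bssid=None,
                 ssid=None, ssid_len=None, payloads=()):
        if len(payloads) > 3:
            raise ValueError("a signature carries at most three payload entries")
        self.name, self.src, self.dst, self.bssid = name, src, dst, bssid
        self.frame_type, self.ssid, self.ssid_len = frame_type, ssid, ssid_len
        self.payloads = list(payloads)

    def matches(self, frame):
        same = lambda want, seen: want is None or want.lower() == seen.lower()
        if not (same(self.src, frame["src"]) and same(self.dst, frame["dst"])
                and same(self.bssid, frame["bssid"])):
            return False
        # Assumption: 'Management' covers every management subtype in MGMT_SUBTYPES
        wanted = MGMT_SUBTYPES if self.frame_type == "Management" else {self.frame_type}
        if self.frame_type != "All" and frame["type"] not in wanted:
            return False
        ssid = frame.get("ssid")
        if self.ssid is not None and ssid != self.ssid:
            return False
        if self.ssid_len is not None and (ssid is None or len(ssid) != self.ssid_len):
            return False
        return all(p in frame["payload"] for p in self.payloads)  # assumption: all entries must hit

def scan(frames, signatures):
    """Return (signature name, frame index) for every hit, in frame order."""
    return [(s.name, i) for i, f in enumerate(frames) for s in signatures if s.matches(f)]

# Constructed sample frames (not captured traffic): a broadcast De-Auth and a Beacon
SAMPLE_FRAMES = [
    {"src": "02:00:00:00:00:01", "dst": "ff:ff:ff:ff:ff:ff", "bssid": "02:00:00:00:00:01",
     "type": "De-Auth", "ssid": None, "payload": bytes.fromhex("0700")},  # reason code 7
    {"src": "02:00:00:00:00:02", "dst": "ff:ff:ff:ff:ff:ff", "bssid": "02:00:00:00:00:02",
     "type": "Beacon", "ssid": "Free_WiFi", "payload": b"\x00\x09Free_WiFi"},
]
SAMPLE_SIGNATURES = [
    Signature("broadcast-deauth", dst="ff:ff:ff:ff:ff:ff", frame_type="De-Auth",
              payloads=[payload_pattern("hex", "0700")]),
    Signature("honeypot-ssid", frame_type="Beacon", ssid="Free_WiFi", ssid_len=9),
    Signature("mgmt-from-flagged-mac", src="02:00:00:00:00:01", frame_type="Management"),
]
```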

  10. AP Scanning and Unsanctioned Access Point Detection
     • Each radio on an Access Point can be configured to perform:
       • On-Channel Scanning (default): radios detect neighbouring Access Points on the channel they are assigned to while servicing Wireless Clients
       • Off-Channel Scanning: radios periodically go off-channel and scan all channels in both bands (or a defined range of channels) while servicing Wireless Clients
       • Sensor: radios scan all channels and bands within the Access Point's configured regulatory domain, but cannot service Wireless Clients
     • Provides basic Access Point detection which can detect Access Points and Ad-Hoc devices
       • Does not detect if the suspicious Access Point is on the wired network
       • Does not support air terminations
     • Unsanctioned Access Point detection is enabled within the WIPS policy
     (Diagram: AP-650 Access Points and AP-7131 Access Points)

  11. Device Categorization
     • Each WIPS Policy can be assigned a Device Categorization policy which can mark discovered Wireless Clients and Access Points as Authorized or Neighboring
       • Each Wireless Client entry can include a host MAC Address or Wildcard MAC Address (ANY)
       • Each Access Point entry can include a BSSID MAC Address, Wildcard MAC Address (ANY), SSID Name or Wildcard SSID (ANY)
     • Access Points managed by the Wireless Controller or Cluster are automatically treated as Authorized
     (Diagram: RF Domain -> WIPS Policy -> Device Categorization Policy)

  12. Advanced WIPS

  13. Introduction
     • Advanced WIPS operates similarly to AirDefense
       • AP radios operate as dual-band sensors and communicate with Wireless Controllers holding an Advanced WIPS license
     • Configured through Advanced WIPS policies
       • Assigned to Wireless Controllers as device overrides or using Profiles
     • Each policy supports 35 additional events which can be individually triggered against:
       • Authorized devices
       • Unauthorized devices
       • Neighboring devices
     • Leverages the Device Categorization Policy to flag known Wireless Clients and Access Points
     (Diagram: Device / Profile -> Advanced WIPS Policy -> Events, Termination List)

  14. Detected Events
     • 35 additional WIPS events with various threshold and mitigation options

  15. Sensor Mode and Unsanctioned AP Detection
     • Radios on Access Points are configured as Sensors
       • Each sensor radio provides dual-band sensing services, reporting information to the Advanced WIPS daemon on the Wireless Controller
       • Up to 3 sensor server IP addresses can be configured per AP
       • Sensors communicate with the Wireless Controllers using HTTPS (8443/TCP) or a user-defined port
       • Sensors scan the same default channels as AirDefense
     • An IP address must be present on the Access Point
       • The Access Point can still be L2 adopted!
     • Enhanced Unsanctioned Access Point detection
       • Can detect unauthorized Access Points, Ad-Hoc devices and Wireless Clients
       • Can detect if a suspicious Access Point is on the wired network
       • Supports manual or automatic air terminations for unauthorized Access Points and Wireless Clients
     (Diagram: sensor APs reporting to the Wireless Controller over HTTPS (8443))

  16. Wired Detection
     • The Advanced WIPS engine can detect if a suspicious Access Point is on the Wired Network:
       • Each Sensor forwards its local MAC Address forwarding table to the Advanced WIPS Daemon on the Wireless Controller
       • Each Sensor only has visibility into its local VLAN(s)
       • For larger deployments one or more Sensors can be connected to an 802.1Q tagged port to provide visibility into all VLANs at a site
     (Diagram: Wireless Controller with Sensors on VLAN 10, VLAN 11-12 and VLAN 11, and a Rogue AP next to one of the Sensors)

  17. Device Categorization & Termination
     • Each Advanced WIPS Policy can be assigned a Device Categorization policy which can mark discovered Wireless Clients and Access Points as Authorized or Neighboring
       • Each Wireless Client entry can include a host MAC Address or Wildcard MAC Address (ANY)
       • Each Access Point entry can include a BSSID MAC Address, Wildcard MAC Address (ANY), SSID Name or Wildcard SSID (ANY)
       • Wireless Clients and Access Points detected on the wired network that are not flagged as Authorized are considered Unauthorized
     • Each Advanced WIPS Policy can be assigned one or more MAC Addresses that can be terminated by sensor radios
       • Up to 100 termination entries can be defined per Advanced WIPS Policy
       • Entries can be defined for both Wireless Clients and Access Points
       • Terminations are performed against Access Points and Wireless Clients
     (Diagram: Device / Profile -> Advanced WIPS Policy -> Device Categorization Policy)
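The categorization rules of slides 11 and 17 combined with the wired detection of slide 16, as an added Python example (not WiNG5 code): the sample MACs, forwarding tables and policy are constructed, and the BSSID-to-wired-MAC adjacency heuristic and the handling of unflagged off-wire APs are assumptions of the example.

```python
AUTHORIZED, NEIGHBORING, UNAUTHORIZED = "Authorized", "Neighboring", "Unauthorized"

def mac_adjacent(bssid, wired_mac, max_offset=8):
    """Assumption of this example: an AP's BSSIDs share the first five octets of its
    wired MAC and differ only by a small offset in the last octet."""
    a, b = bssid.lower().split(":"), wired_mac.lower().split(":")
    return a[:5] == b[:5] and abs(int(a[5], 16) - int(b[5], 16)) <= max_offset

def seen_on_wire(bssid, forwarding_tables):
    """forwarding_tables: {sensor: {vlan: [mac, ...]}} as forwarded by each sensor radio."""
    return any(mac_adjacent(bssid, mac)
               for per_vlan in forwarding_tables.values()
               for macs in per_vlan.values() for mac in macs)

def categorize_ap(ap, managed_bssids, policy, forwarding_tables):
    """policy entries are (category, BSSID or 'ANY', SSID or 'ANY')."""
    bssid = ap["bssid"].lower()
    if bssid in {m.lower() for m in managed_bssids}:
        return AUTHORIZED                     # controller/cluster-managed APs need no entry
    flagged = next((cat for cat, b, s in policy
                    if (b == "ANY" or b.lower() == bssid) and (s == "ANY" or s == ap["ssid"])),
                   None)
    if flagged == AUTHORIZED:
        return AUTHORIZED
    if seen_on_wire(bssid, forwarding_tables):
        return UNAUTHORIZED                   # on the wired network and not Authorized
    return flagged or NEIGHBORING             # assumption: unflagged off-wire APs are neighbors

def categorize_all(aps, managed_bssids, policy, forwarding_tables):
    return {ap["bssid"]: categorize_ap(ap, managed_bssids, policy, forwarding_tables) for ap in aps}

# Constructed sample data (locally administered MACs, not real devices)
MANAGED_BSSIDS = ["02:a0:00:10:00:01"]
POLICY = [(AUTHORIZED, "02:a0:00:10:00:10", "CorpNet"),   # a known AP outside the cluster
          (NEIGHBORING, "ANY", "CoffeeShop")]             # the cafe next door, any BSSID
FORWARDING_TABLES = {                                     # sensor-2 sits on an 802.1Q trunk
    "sensor-1": {10: ["02:a0:00:10:00:01", "02:1b:2f:aa:bb:c0"]},
    "sensor-2": {11: ["02:a0:00:10:00:10"], 12: []},
}
DETECTED_APS = [
    {"bssid": "02:a0:00:10:00:01", "ssid": "CorpNet"},     # managed by the controller
    {"bssid": "02:a0:00:10:00:10", "ssid": "CorpNet"},     # Authorized by a policy entry
    {"bssid": "02:1b:2f:aa:bb:c3", "ssid": "linksys"},     # plugged into VLAN 10: rogue
    {"bssid": "02:55:66:77:88:99", "ssid": "CoffeeShop"},  # Neighboring by a policy entry
]
```

Note that an entry flagged Neighboring does not protect a device that later shows up in a forwarding table; the wired check runs before the Neighboring flag is honoured, so it becomes Unauthorized.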

  18. WIPS Comparison

  19. Considerations
     1. Basic WIPS is provided with WiNG5 at no additional cost!
     2. All AP Radios are configured to perform on-channel scanning by default, but can support off-channel scanning as well as operate as dedicated dual-band sensors
     3. Advanced WIPS requires one or more AP Radios to be configured as sensors forwarding traffic to a Wireless Controller with an Advanced WIPS license
     4. Advanced WIPS requires an Advanced WIPS license to be installed on each Wireless Controller managing sensor radios
     5. Air terminations require an Advanced WIPS license
     6. Access Point classifications for neighboring and known Access Points and/or Wireless Clients require Device Categorization Policies
     7. Advanced WIPS sensors require an IP address to communicate with the Advanced WIPS engine on the Wireless Controller

  20. LAB: Wireless IPS
     • LAB 09: IPS Features of the Wireless Firewall
       • Basic WIPS
       • Advanced WIPS

  21. Module Summary
     • Identify the basic aspects of WIPS
     • Describe the advanced functionality of WIPS
     • Identify the key considerations of WIPS
