WLAN WIDS Technology White Paper

Issue 1.0
Date 2014-04-24
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Tel: 0755-28560000, 4008302118
Fax: 0755-28560111

About This Document

Keywords: WLAN, WIDS, WIPS

Abstract
An 802.11 network is an open wireless network prone to various security threats, for example, attacks from rogue APs, unauthorized STAs, ad-hoc networks, spoofing APs, and DDoS attacks launched by malicious terminals. WIDS/WIPS can monitor and defend against these security threats on WLANs.

Abbreviations
Rogue AP: an unauthorized AP.
SSID (Service Set Identifier): name of the WLAN access service provided by an AP.
BSSID (Basic Service Set Identifier): MAC address of the AP radio that provides the service.
CAPWAP (Control And Provisioning of Wireless Access Points): IETF-defined standard for AP management and for communication between an AP and the AC.
WIDS (Wireless Intrusion Detection System): system that detects attacks and intrusions on a WLAN.

Contents

About This Document
1 Overview
2
  2.1 Basic Concepts
  2.2 Rogue Device Monitoring
    2.2.1 AP Working Mode
    2.2.2 Device Type Identification
    2.2.3 Device Information Report
    2.2.4 Rogue Device Identification
  2.3 Rogue Device Defense and Countermeasures
  2.4 Wireless Attack Detection
    2.4.2 Flood Attack Detection
    2.4.3 Spoofing Attack Detection
    2.4.4 Weak IV Attack Detection
    2.4.5 Defense Against Brute Force PSK Cracking
  2.5 Wireless Attack Defense
    2.5.1 Dynamic Blacklist
    2.5.2 Static Blacklist
3 Benefits to Customers
4 Typical Application Scenarios
  4.1 Public Places or Neighboring Companies
  4.2 Deployment of Rogue APs in a Company
  4.3 Attacks to WLANs

1 Overview

An 802.11 network is an open wireless network prone to various security threats, for example, attacks from rogue APs, unauthorized STAs, ad-hoc networks, spoofing APs, and DDoS attacks launched by malicious terminals. WIDS/WIPS can monitor and defend against these security threats on WLANs.

Wireless Intrusion Detection System (WIDS): detects malicious attacks and intrusions on WLANs.
Wireless Intrusion Prevention System (WIPS): protects an enterprise network against access from unauthorized devices and prevents attacks on the network.

WIDS and WIPS secure a wireless network, reduce interference from unauthorized devices, and protect users from malicious attacks, delivering a better user experience. They provide different functions on networks of different scales:
- Home networks or small enterprise networks: access from APs and clients is controlled with blacklists and whitelists. This access control is implemented on the AC and does not depend on the AP. (For details, see the AP and user access control documents.)
- Small and medium enterprise networks: WIDS detects attacks from unauthorized devices.
- Medium and large enterprise networks: rogue devices are detected and identified, and countermeasures are taken to protect the network.

In addition to secure WLAN access, a large network requires a system that can detect rogue wireless devices and reject access from them, so that the services of authorized users are protected.

2.1 Basic Concepts

The WLAN security mechanism consists of access authentication for wireless terminals, wireless link data encryption, and WIDS/WIPS. Access authentication includes link authentication and user authentication; STA blacklists and whitelists are also applied during terminal access authentication. For link data encryption, WEP, TKIP, or CCMP encrypts the data sent over the air to ensure its confidentiality. WIDS/WIPS detects and defends against intrusion by unauthorized users or APs. Figure 2-1 shows how the WLAN security mechanism is applied.

Figure 2-1 Application of the WLAN security mechanism (STA, AP, AC and AAA server: access authentication, link encryption, policy control; WIDS/WIPS detects and defends against attacks, and detects and counters unauthorized devices)

As shown in the figure, WIDS and WIPS are used to detect and counter unauthorized devices.
WIDS: detects unauthorized APs, bridges, user terminals, and ad-hoc devices, as well as interfering APs on overlapping channels.

WIPS: disconnects an authorized user from a spoofing AP, disconnects unauthorized APs or ad-hoc devices, and counters unauthorized devices.

Basic concepts involved in WIDS/WIPS:
Rogue AP: an unauthorized or malicious AP. A rogue AP can be an AP connected to the network without permission, an unconfigured AP, a neighbor AP, or an AP manipulated by an attacker.
Rogue client: an unauthorized or malicious client, by analogy with a rogue AP.
Rogue wireless bridge: an unauthorized or malicious wireless bridge.
Monitor AP: an AP that scans or listens on wireless channels and attempts to detect attacks on the wireless network.
Ad-hoc mode: a client working mode in which clients communicate with each other directly, without any other network device.

2.2 Rogue Device Monitoring

Monitor APs can be deployed on a network that needs protection to monitor the entire network. They periodically listen on wireless frames to detect rogue devices.

2.2.1 AP Working Mode

Before configuring rogue device detection on an AP, configure the AP working mode. An AP supports three working modes: access, monitoring, and hybrid.
Access mode: If background neighbor probing is not enabled, the AP only transmits the data of wireless users and does not monitor wireless devices on the network. If background neighbor probing is enabled, the AP transmits user data and also scans for wireless devices, listening on 802.11 frames on the wireless channels.
Monitoring mode: The AP scans for wireless devices and listens on all 802.11 frames on the wireless channels. All WLAN services on the AP are disabled and the AP cannot transmit user data.
Hybrid mode: The AP monitors wireless devices while transmitting user data.
An AP performs the rogue device monitoring described in this section only when it works in monitoring or hybrid mode. Unlike an AP dedicated to access or to monitoring, an AP in hybrid mode alternates between the access and monitoring functions, so it both serves users and scans the channels. Figure 2-2 shows the three working modes.

Figure 2-2 Working modes of APs

The monitored channels can be all channels of the frequency band that the AP works on, or the channels specified by the country code.

2.2.2 Device Type Identification

On a WLAN, APs, clients, ad-hoc STAs, and wireless bridges need to be monitored.

Figure 2-3 Rogue device monitoring and identification (AC connected over the IP network to three APs; detected devices: ad-hoc devices, rogue STAs, rogue APs, rogue bridges)

An AP working in monitoring or hybrid mode identifies the types of neighboring wireless devices from the 802.11 management frames and data frames it detects. The process is as follows:
1. The AP working mode is set to monitoring or hybrid on the AC, and the AC delivers the configuration to the AP.
2. The AP listens on frames sent by neighboring wireless devices to collect information.
3. The AP determines the frame type and the device type from the MAC header of each received 802.11 frame.

A monitor AP listens on the following frames to collect information about neighboring APs, clients, ad-hoc STAs, and wireless bridges: Beacon, Association Request, Association Response, Reassociation Request, Reassociation Response, Probe Response, and data frames.

When the AP receives an 802.11 MAC frame, it checks the frame type and network type according to the 802.11 protocol. The Frame Control field in the MAC header indicates the frame type. Figure 2-4 and Figure 2-5 show the MAC frame header and the structure of the Frame Control field.

Figure 2-4 802.11 MAC frame header

Figure 2-5 Frame Control field structure
Subfield            Bits
Protocol Version    2
Type                2
Subtype             4
To DS               1
From DS             1
More Fragments      1
Retry               1
Power Management    1
More Data           1
Protected Frame     1
Order               1

If the Type subfield is 00, the frame is a management frame and the AP checks the Subtype subfield. The Subtype values of the management frames used here are:
0000: Association Request
0001: Association Response
0010: Reassociation Request
0011: Reassociation Response
0100: Probe Request
0101: Probe Response
1000: Beacon

A management frame carries the Capability Information field, whose ESS and IBSS subfields tell the AP whether the sender belongs to an ad-hoc network or is a wireless bridge.

Figure 2-6 Capability Information field
1. Independent BSS (IBSS) indicates an ad-hoc network.
2. Extended Service Set (ESS) indicates an AP or a STA.

If the IBSS subfield is 1, the device is an ad-hoc device. If the IBSS subfield is 0 and the ESS subfield is 0, the device is a wireless bridge. If the IBSS subfield is 0 and the ESS subfield is 1, the device is an AP or a STA, which is decided by the management frame type:

ESS/IBSS   Beacon, Association Response,   Association Request,
           Reassociation Response          Reassociation Request
10         AP                              STA
01         Ad-hoc                          Ad-hoc
00         Wireless bridge                 Wireless bridge
11         Reserved                        Reserved

When the Type subfield is 10, the frame is a data frame. The To DS and From DS subfields indicate whether the frame is sent to or from the distribution system (DS):

To DS  From DS  Meaning
0      0        Data frame sent directly between two stations that are not APs (for example, within an ad-hoc network)
0      1        Data frame leaving the DS: sent by an AP to a wireless station in its BSS
1      0        Data frame entering the DS: sent by a wireless station to its AP
1      1        Data frame sent between two wireless bridges (four-address frame)

An AP identifies device types in the following way:
- When receiving an Association Request or Reassociation Request frame, the AP decides whether the sender is an ad-hoc device or a STA from the network type in the Capability Information field of the frame body. (A Probe Request carries no Capability Information field, so it cannot be used for this check.)
  1. Ad-hoc device: ESS subfield 0 and IBSS subfield 1.
  2. STA: ESS subfield 1 and IBSS subfield 0.
- When receiving a Beacon, Probe Response, Association Response, or Reassociation Response frame, the AP decides whether the sender is an ad-hoc device or an AP from the network type in the Capability Information field of the frame body.
  1. Ad-hoc device: ESS subfield 0 and IBSS subfield 1.
  2. AP: ESS subfield 1 and IBSS subfield 0.
- The AP listens on all 802.11 data frames and checks the To DS and From DS subfields to determine whether the sender is an ad-hoc device, wireless bridge, STA, or AP:
  1. Ad-hoc device: both To DS and From DS are 0.
  2. Wireless bridge: both To DS and From DS are 1.
  3. STA: To DS is 1 and From DS is 0.
  4. AP: To DS is 0 and From DS is 1.

2.2.3 Device Information Report

The AP listens on WLAN frames sent by neighboring devices to collect information about them. APs periodically report the collected device information to the AC, which determines whether the neighboring devices are rogue devices.
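The following Python example is added here to make the identification rules of this section concrete; it is not code from the Huawei white paper. It decodes the Frame Control field of a raw 802.11 frame, reads the Capability Information field at the offset each management subtype uses (after the 8-byte Timestamp and 2-byte Beacon Interval in Beacon and Probe Response frames, first field of the body in (Re)Association frames, absent in Probe Requests), and applies the To DS / From DS table to data frames. It assumes the frame starts at the MAC header (no radiotap header) and always reports Address 2 as the transmitter; the sample frames at the bottom are constructed, not captured.

```python
"""Device-type identification from raw 802.11 frames (section 2.2.2).

Added example, not Huawei code. Frames are assumed to start at the 802.11
MAC header (no radiotap header); the transmitter is taken from Address 2.
"""
import struct

HEADER_LEN = 24           # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
TYPE_MGMT, TYPE_DATA = 0, 2

MGMT_SUBTYPES = {0: "assoc_req", 1: "assoc_resp", 2: "reassoc_req",
                 3: "reassoc_resp", 4: "probe_req", 5: "probe_resp", 8: "beacon"}

# Byte offset of Capability Information in the management frame body.
# Beacon / Probe Response: after Timestamp(8) and Beacon Interval(2).
# (Re)Association Request / Response: first field of the body.
# Probe Request: no Capability Information field at all.
CAP_OFFSET = {"beacon": 10, "probe_resp": 10, "assoc_req": 0,
              "assoc_resp": 0, "reassoc_req": 0, "reassoc_resp": 0}
SENT_BY_AP = {"beacon", "probe_resp", "assoc_resp", "reassoc_resp"}

# (To DS, From DS) -> transmitter type for data frames
DS_TABLE = {(0, 0): "ad-hoc", (1, 1): "wireless bridge",
            (1, 0): "STA", (0, 1): "AP"}


def parse_frame_control(fc):
    """Decode the two Frame Control bytes (subfields are packed LSB first)."""
    b0, b1 = fc[0], fc[1]
    return {"version": b0 & 0x3, "type": (b0 >> 2) & 0x3,
            "subtype": (b0 >> 4) & 0xF, "to_ds": b1 & 0x1,
            "from_ds": (b1 >> 1) & 0x1, "protected": (b1 >> 6) & 0x1}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def classify(frame):
    """Return (device_type, transmitter_mac, frame_name).

    device_type is None when the frame carries no usable information
    (control frames, Probe Requests, unknown management subtypes).
    """
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    fc = parse_frame_control(frame[0:2])
    if fc["version"] != 0:
        raise ValueError("unsupported 802.11 protocol version")
    transmitter = mac_str(frame[10:16])      # Address 2 in every DS combination

    if fc["type"] == TYPE_MGMT:
        name = MGMT_SUBTYPES.get(fc["subtype"], "mgmt_%d" % fc["subtype"])
        offset = CAP_OFFSET.get(name)
        if offset is None:
            return None, transmitter, name
        body = frame[HEADER_LEN:]
        if len(body) < offset + 2:
            raise ValueError("truncated management frame body")
        cap = struct.unpack_from("<H", body, offset)[0]
        ess, ibss = cap & 0x1, (cap >> 1) & 0x1
        if (ess, ibss) == (0, 1):
            return "ad-hoc", transmitter, name
        if (ess, ibss) == (0, 0):
            return "wireless bridge", transmitter, name
        if (ess, ibss) == (1, 1):
            return None, transmitter, name   # reserved combination
        return ("AP" if name in SENT_BY_AP else "STA"), transmitter, name

    if fc["type"] == TYPE_DATA:
        return DS_TABLE[(fc["to_ds"], fc["from_ds"])], transmitter, "data"
    return None, transmitter, "control"


# ---- constructed sample frames (not captured traffic) ----------------------
BCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ADHOC_MAC = bytes.fromhex("ccddeeff0011")


def mgmt_frame(subtype, sa, bssid, body):
    fc = bytes([subtype << 4, 0x00])          # version 0, type 0, no flags
    return fc + b"\x00\x00" + BCAST + sa + bssid + b"\x00\x00" + body


def data_frame(to_ds, from_ds, transmitter):
    fc = bytes([TYPE_DATA << 2, to_ds | (from_ds << 1)])
    return fc + b"\x00\x00" + BCAST + transmitter + BCAST + b"\x00\x00"


SAMPLES = {
    # Beacon: timestamp, interval 100 TU, capability ESS=1 (plus Privacy bit)
    "ap_beacon": mgmt_frame(8, AP_MAC, AP_MAC, struct.pack("<QHH", 0, 100, 0x0011)),
    # Beacon from an IBSS: capability IBSS=1
    "adhoc_beacon": mgmt_frame(8, ADHOC_MAC, ADHOC_MAC, struct.pack("<QHH", 0, 100, 0x0002)),
    # Association Request: capability ESS=1, listen interval 10
    "sta_assoc_req": mgmt_frame(0, STA_MAC, AP_MAC, struct.pack("<HH", 0x0431, 10)),
    # Probe Request: body holds only information elements, no capability field
    "sta_probe_req": mgmt_frame(4, STA_MAC, BCAST, b"\x00\x00"),
    "sta_data": data_frame(1, 0, STA_MAC),
    "ap_data": data_frame(0, 1, AP_MAC),
    "bridge_data": data_frame(1, 1, ADHOC_MAC),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-14s -> %s" % (label, classify(raw)))
```

Running the module prints one verdict per sample frame. Note that the Probe Request deliberately yields no device type: a real monitor AP would learn the STA from its later Association Request or from its data frames, exactly as the section's rules imply.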

Figure 2-7 Device information report

The AP reports at two intervals. At the short interval, also called the real-time report interval, the AP reports incremental information about neighboring devices to the AC. The short interval ranges from 10 to 3600 seconds; the default is 300 s. At the long interval, the AP reports all the neighboring device information it holds locally to the AC. The long interval ranges from 120 to 360 minutes; the default is 360 minutes (6 hours), so full reports are at least 2 hours apart. If many APs report a large amount of data to the AC at the same time, the AC is overloaded and cannot process the data. To prevent this, when a long interval expires the AP delays its report by a random time of 1 to 10 minutes.

Table 2-1 Information about the detected wireless devices
MAC address: MAC address of the detected device.
BSSID: BSSID of the detected device.
Device type: type of the detected device: ad-hoc device, AP, client, or wireless bridge.
SSID: SSID of the extended service set (ESS).
Vendor: vendor of the detected device, derived from the 4-byte vendor identifier (Organizationally Unique Identifier, OUI) and the IANA-assigned "SMI Network Management Private Enterprise Codes".
Channel: channel on which the device was last detected.

RSSI: received signal strength of the device as measured by the monitor AP.
Beacon Interval: interval at which the detected AP or ad-hoc device sends Beacon frames.
First Detected Time: time when the device was first detected.
Last Detected Time: time when the device was last detected.

2.2.4 Rogue Device Identification

After receiving the neighbor information reported by an AP, the AC determines whether each device is authorized, as shown in Figure 2-8.

Figure 2-8 Rogue device identification

Based on the neighboring device information reported by the AP, the AC identifies rogue devices as follows:
Ad-hoc devices and wireless bridges: the AC always regards them as rogue devices.

APs: The AC first checks whether the AP is authorized. If the AP's BSSID is managed by this AC, the AP is authorized. Otherwise the AC checks the AP's SSID: if the SSID is in the whitelist configured by the network administrator (for example, CMCC), the AP is regarded as authorized; if not, the AP is a rogue AP.
STAs: The AC first checks whether the STA is authorized. If its MAC address belongs to a STA connected to this AC, the STA is authorized. Otherwise the AC checks the BSSID the STA is associated with, to determine whether the STA is connected to an SSID in the whitelist. If the BSSID belongs to a rogue AP, the STA is a rogue STA.
If a rogue AP is identified, the AC generates an alarm and sends an SNMP trap to the network management platform. The AC does not generate an alarm for other types of rogue devices.

2.3 Rogue Device Defense and Countermeasures

The attack defense and countermeasure functions can be enabled to reject access from detected rogue devices. Attack defense restricts access from rogue APs or clients using a blacklist. The countermeasure function stops rogue devices from operating, according to the configured countermeasure mode: monitor APs download the countermeasure list from the AC and take countermeasures against the listed rogue devices.

If the AC identifies a rogue AP (an AP not managed by this AC and not in the SSID whitelist), it notifies a monitor AP of the rogue AP. The monitor AP then uses the rogue AP's identity (its BSSID) as the source address to broadcast a Deauthentication frame. STAs associated with the rogue AP receive this frame and disassociate from it, so this countermeasure prevents STAs from associating with the rogue AP.
When the AC identifies an unauthorized user terminal, a bridge, or an ad-hoc device (a device not managed by this AC), the monitor AP uses the BSSID or MAC address of the unauthorized device to send it a unicast Deauthentication frame, disconnecting it. Figure 2-9 shows the rogue device countermeasure process. Rogue device detection and identification must be configured before the countermeasure function takes effect.

Figure 2-9 Rogue device countermeasure

The rogue device countermeasure process is as follows:
1. The countermeasure function is enabled and the countermeasure mode is specified on the AC.
2. The AC selects the rogue devices from the wireless device list reported by a monitor AP and sends the rogue device list to the monitor AP.
3. The monitor AP takes countermeasures against the rogue devices in the list sent by the AC.
When a rogue device is moved to the historical list, the AC instructs the monitor AP to stop countering it.

The countermeasure function applies only to rogue APs, rogue clients, and ad-hoc devices. It cannot be applied to wireless bridges.
Countering rogue APs: when a rogue AP is detected, a monitor AP uses the rogue AP's address to send broadcast and unicast Deauthentication frames. STAs that receive them disassociate from the rogue AP.
Countering rogue clients: when a rogue client is detected, a monitor AP uses the BSSID or MAC address of the rogue client to send unicast Deauthentication frames, preventing the rogue client from connecting to the wireless network. The rogue client countermeasure can also stop an authorized client from associating with a rogue AP: the monitor AP uses the identity of the rogue AP that the client is connected to and sends unicast Deauthentication and Disassociation frames to the authorized client.
Countering ad-hoc devices: ad-hoc devices are countered in the same way as rogue clients.
Monitor APs take countermeasures against rogue devices periodically, using the configured probing mode.
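The AC-side decision logic of section 2.2.4 and the countermeasure-list selection of section 2.3 are shown together in the following Python example, which is added here and is not Huawei code. Neighbor reports are plain dictionaries with the fields of Table 2-1; the AC state (managed BSSIDs, SSID whitelist, STAs online on this AC) and the reports in run_sample() are constructed for the example. One design choice is an assumption of this example, not of the white paper: a STA whose AP has not been reported yet is left "unknown" rather than countered. The example only builds the list and the SNMP-trap alarms; it sends no Deauthentication frames.

```python
"""AC-side rogue device identification (section 2.2.4) and selection of the
countermeasure list that a monitor AP receives (section 2.3).

Added example, not Huawei code. Reports and AC state are constructed.
"""

AUTHORIZED, ROGUE, UNKNOWN = "authorized", "rogue", "unknown"

# Countermeasure the monitor AP applies per rogue device type (section 2.3).
# Wireless bridges are identified as rogue but cannot be countered.
ACTION = {
    "AP": "broadcast and unicast Deauthentication using the rogue AP's BSSID",
    "STA": "unicast Deauthentication to the rogue client",
    "ad-hoc": "unicast Deauthentication, as for a rogue client",
}


class RogueClassifier:
    def __init__(self, managed_bssids, ssid_whitelist, associated_stas):
        self.managed = {m.lower() for m in managed_bssids}       # APs this AC manages
        self.ssid_whitelist = set(ssid_whitelist)                 # e.g. {"CMCC"}
        self.associated = {m.lower() for m in associated_stas}   # STAs online on this AC
        self.whitelisted_ap = set()   # foreign APs that serve a whitelisted SSID
        self.rogue_ap = set()         # BSSIDs identified as rogue APs

    def classify_ap(self, report):
        bssid = report["bssid"].lower()
        if bssid in self.managed:
            return AUTHORIZED
        if report.get("ssid") in self.ssid_whitelist:
            self.whitelisted_ap.add(bssid)
            return AUTHORIZED
        self.rogue_ap.add(bssid)
        return ROGUE

    def classify_sta(self, report):
        if report["mac"].lower() in self.associated:
            return AUTHORIZED
        bssid = (report.get("bssid") or "").lower()
        if bssid in self.managed or bssid in self.whitelisted_ap:
            return AUTHORIZED                 # connected to a whitelisted SSID
        if bssid in self.rogue_ap:
            return ROGUE
        # Assumption of this example: a STA whose AP has not been reported yet
        # stays undecided instead of being countered on incomplete information.
        return UNKNOWN

    def process_reports(self, reports):
        """Return (verdict per MAC, countermeasure list, alarms for the NMS)."""
        verdicts, countermeasures, alarms = {}, [], []
        # Classify APs first so that STA verdicts can consult the rogue AP set.
        ordered = sorted(reports, key=lambda r: r["type"] != "AP")
        for r in ordered:
            if r["type"] == "AP":
                verdict = self.classify_ap(r)
                if verdict == ROGUE:          # only rogue APs raise an SNMP trap
                    alarms.append({"trap": "rogue AP", "bssid": r["bssid"],
                                   "ssid": r.get("ssid")})
            elif r["type"] == "STA":
                verdict = self.classify_sta(r)
            elif r["type"] in ("ad-hoc", "wireless bridge"):
                verdict = ROGUE
            else:
                raise ValueError("unknown device type %r" % r["type"])
            verdicts[r["mac"].lower()] = verdict
            if verdict == ROGUE and r["type"] in ACTION:
                countermeasures.append({"mac": r["mac"].lower(), "type": r["type"],
                                        "action": ACTION[r["type"]]})
        return verdicts, countermeasures, alarms


def run_sample():
    """Constructed neighbour reports from one monitor AP (not real data)."""
    ac = RogueClassifier(managed_bssids=["00:11:22:33:44:55"],
                         ssid_whitelist=["CMCC"],
                         associated_stas=["66:77:88:99:aa:01"])
    reports = [
        {"type": "STA", "mac": "66:77:88:99:aa:01", "bssid": "00:11:22:33:44:55"},
        {"type": "STA", "mac": "66:77:88:99:aa:02", "bssid": "de:ad:be:ef:00:01"},
        {"type": "STA", "mac": "66:77:88:99:aa:03", "bssid": "c0:ff:ee:00:00:01"},
        {"type": "STA", "mac": "66:77:88:99:aa:04", "bssid": "12:34:56:78:9a:bc"},
        {"type": "AP", "mac": "00:11:22:33:44:55", "bssid": "00:11:22:33:44:55", "ssid": "Corp"},
        {"type": "AP", "mac": "c0:ff:ee:00:00:01", "bssid": "c0:ff:ee:00:00:01", "ssid": "CMCC"},
        {"type": "AP", "mac": "de:ad:be:ef:00:01", "bssid": "de:ad:be:ef:00:01", "ssid": "Free-WiFi"},
        {"type": "ad-hoc", "mac": "02:ad:0c:00:00:01", "bssid": "02:ad:0c:00:00:01"},
        {"type": "wireless bridge", "mac": "b1:1d:9e:00:00:01", "bssid": None},
    ]
    return ac.process_reports(reports)


if __name__ == "__main__":
    for name, value in zip(("verdicts", "countermeasures", "alarms"), run_sample()):
        print(name, value)
```

The ordering step matters: if STA reports were processed before AP reports, a client of the "Free-WiFi" AP would be undecided because the rogue AP set had not been filled yet; a real AC keeps that set across reporting intervals.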

2.4 Wireless Attack Detection

An AP working in access or hybrid mode detects attacks in real time. When it detects an attack, the AP adds the attacker to the dynamic blacklist to protect the network.

Figure 2-10 WIDS attack detection (AC connected over the IP network to three APs; malicious terminals attacking the APs alongside a normal STA)

As shown in the figure, the WLAN provides access for terminals, and WIDS is enabled on it to detect the following types of attack:
Flood attack detection: malicious users may send a large number of connection request frames to AP3. AP3 forwards them to the AC for processing, which affects normal network operation. If flood attack detection and the dynamic blacklist are enabled, WIDS detects the flood and adds the malicious users to the dynamic blacklist; all frames from them are then discarded.
Spoofing attack detection: a spoofing attacker sends attack frames in the name of another device. For example, a malicious AP or user may send spoofed Deauthentication frames to disconnect an authorized client. On receiving such frames, the AP classifies them as spoofing attack frames and reports the attack to the AC.
Weak IV attack detection: the data frames of Client1 use WEP encryption. After IV detection is enabled, WIDS detects weak IV attacks according to the IV security policy. When the AP detects a frame carrying a weak IV, it reports it to the AC.
Defense against PSK cracking: security authentication modes for wireless users include WEP shared key, WPA/WPA2 PSK, WPA/WPA2 802.1X, WAPI certificate, and WAPI PSK. In theory, a client that keeps performing an exhaustive key search can crack the key. A protection mechanism is therefore added: when the number of authentication attempts from a client exceeds a configured threshold, frames from that client are discarded for a configured time. This stops continuous brute force attempts and reduces the load that frequent key negotiations put on the devices and the network.

WIDS can detect 802.11 frame floods, spoofing, and weak IV attacks. The attack information that an AP reports includes the attacker's MAC address, the channel, the attack type, and the received signal strength indicator (RSSI).

2.4.2 Flood Attack Detection

A flood attack occurs when an AP receives a large number of management frames, or null data frames, of the same type from one source MAC address within a short period. These frames consume the AP's system resources, so the AP can no longer process frames from authorized STAs.

Flood attack detection makes the AP continuously monitor the traffic volume of each STA. When the traffic received from a STA exceeds the allowed threshold (for example, more than 100 frames per second), the AP considers the STA to be launching a flood attack and reports an alarm to the AC. If the dynamic blacklist function is enabled, the attacking STA is added to the blacklist and the AP drops all its frames until the dynamic blacklist entry ages out.

An AP can detect floods of the following frames:
- Authentication Request
- Deauthentication
- Association Request
- Disassociation
- Probe Request
- Action (an extended management frame used for spectrum management, QoS, and HT operation)
- EAPOL-Start
- EAPOL-Logoff
- PS-Poll (a control frame sent by a STA when it wakes from sleep mode, to retrieve frames buffered by the AP)
- 802.11 Null data (a data frame with no payload, sent by a STA to inform the AP of a change in its power-saving state)

Figure 2-11 Flood attack (a rogue STA floods an AP)

By default, the system considers a flood attack to be under way when it receives 30 frames (y) of the same type from one MAC address within 60 seconds (x). Both x and y are configurable.

2.4.3 Spoofing Attack Detection

In a spoofing attack, sometimes loosely described as a man-in-the-middle attack, an attacker (a rogue AP or malicious user) uses an authorized device's identity to send forged frames to STAs, so that the STAs cannot stay online. Typical spoofed frames are Disassociation and Deauthentication frames, which may be sent as broadcast frames. After spoofing attack detection is enabled, the AP checks whether the source MAC address of each received Disassociation or Deauthentication frame is its own MAC address. If it is, the WLAN is undergoing a spoofing attack with Disassociation or Deauthentication frames, and the AP sends an alarm to the AC.

Figure 2-12 Spoofing attack (a rogue AP sends a Disassociation frame using the authorized AP's address; normal data communication is interrupted)

Because a spoofing device does not use its own MAC address for the attack, the system cannot obtain the real MAC address of the spoofing device when it detects the attack. The system therefore only generates a log and an alarm to alert the network administrator; it cannot use the dynamic blacklist to defend against this attack.

2.4.4 Weak IV Attack Detection

If an attacker obtains the shared key, they can use it to access network resources, threatening the security of the network. WEP encryption on WLANs prepends a 3-byte initialization vector (IV) to the shared key to form the per-frame RC4 key; the resulting keystream is XORed with the plaintext of every frame sent. A weak IV is an IV generated in an insecure way, for example an IV that is reused or recurs frequently, or one whose value leaks information about the key. Because STAs send the IV in plaintext in the frame header, an attacker can collect such frames and recover the shared key, and then access the WLAN.

The system regards an IV as weak when its first byte is in the range 3 to 15 and its second byte is 255. IVs of this special form (the class found by Fluhrer, Mantin and Shamir) produce RC4 keys whose initial keystream bytes are correlated with the first bytes of the key. This greatly reduces the work needed to search the RC4 key space; in other words, the IV leaks key information. Weak IV detection inspects the IV of each WEP frame so that attackers cannot use such frames to crack the shared key. When the AP detects a frame carrying a weak IV, it sends an alarm to the AC so that the administrator can apply other security policies and stop STAs from encrypting with weak IVs.

Figure 2-13 Password cracking through weak IVs (a rogue STA listens on frames and cracks the key, exposing accounts, passwords and user information)

1. Weak IV detection can prevent user information from being cracked without the need for a dynamic blacklist.
2. WEP has serious security weaknesses and is rarely used today.

2.4.5 Defense Against Brute Force PSK Cracking

Brute force cracking, or exhaustive key search, is a cryptanalytic attack that tries every possible password until it finds the real one. For example, a password of only four digits has at most 10,000 combinations and can be cracked after at most 10,000 attempts. In theory, attackers can crack any password by brute force; the time required varies with the security mechanism and the password length. Every authentication mode therefore carries some risk of brute force attack. Link authentication security policies, including WPA/WPA2-PSK, WAPI-PSK, and WEP shared key, are exposed to brute force key cracking over the air. User authentication modes, including MAC address authentication, Portal authentication, and 802.1X authentication, are also exposed to brute force cracking, as described later in this section.

To improve key security, the PSK cracking defense function is enabled to prolong the password cracking time. An AP checks whether the number of key negotiation attempts during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds the configured threshold. If so, the AP considers that a user is using the brute force method to initiate an attack and reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP adds the user to the dynamic blacklist and drops all packets from the user until the dynamic blacklist entry ages out.

PSK authentication and WEP shared key authentication are implemented on the AC and AP respectively; therefore, the brute force attack detection points are also different, as shown in the following figure.

Figure 2-14 Brute force PSK cracking detection and WEP shared key cracking

Defense against brute force cracking attacks is also required for user authentication modes, such as MAC address authentication, Portal authentication, and 802.1x authentication. The defense principles are as follows:

MAC address authentication: The MAC address of the terminal is used as the account for RADIUS authentication. As soon as the user fails the authentication, the user is "punished" and added to the blacklist. The user is denied access for the specified time (for example, 60s).

Portal authentication/802.1x authentication: If a user fails the authentication three consecutive times within 60 seconds (the number of allowed authentication attempts and the time threshold can be configured), the user is considered to be initiating a brute force cracking attack and is added to the blacklist. The user is denied access for the specified time (for example, 60s).

2.5 Wireless Attack Defense

On small and medium WLAN networks, WIDS can be enabled to detect security threats, including flood, weak IV, and spoofing attacks. This function enables an AP to add attackers to the dynamic blacklist and send attacker information to the AC. The AC then sends trap messages to the network management system (NMS) to alert the network administrator.

2.5.1 Dynamic Blacklist

The WIDS attack defense process is as follows:

Figure 2-15 WIDS attack defense

1. The dynamic blacklist function is enabled and the blacklist entry aging time is set on the AC.
2. The AC sends the dynamic blacklist enabled flag and blacklist entry aging time to the AP.
3. The WIDS attack detection mode, detection period, and detection threshold (number of packets detected within the specified period to identify an attack) are configured on the AC.
4. The AC sends the detection mode, detection period, and detection threshold to the AP.
5. The AP performs attack detection according to the configuration.

6. When the AP detects an attack, it reports the attack information to the AC, including the rogue device MAC address and attack type. The AC receives the attack information and adds it to the attack record. If the AP does not detect attacks from this rogue device again in the next three attack detection periods, it requests the AC to delete the corresponding attack record.
7. The AP determines whether to add the rogue device to the dynamic blacklist. If the AP adds the rogue device to the dynamic blacklist, the AP reports the dynamic blacklist entry to the AC. The AC adds this entry to the dynamic blacklist cache.
8. The AC records attack types and sends trap messages to report the attack types to the NMS.
9. The AP drops packets sent from blacklisted devices.
10. When the configured aging time (penalty time) is reached, dynamic blacklist entries are automatically deleted and normal access of the attacker is restored.

The following figure shows how a WIDS-enabled AP processes attacks.

Figure 2-16 WIDS attack detection process (flowchart: blacklist check and discard first, then the flood, spoofing, weak IV, and WEP shared key cracking checks in turn; a hit is reported to the AC, otherwise the packet gets normal processing)

After the AC receives the attacking device information reported by the AP, it adds the attacker to the attacking device list, collects attack statistics based on the attack types, and sends trap messages. The devices on the attacking device list are sequenced based on the detection time. When the number of attacking device entries reaches the maximum, the new attacking device entries overwrite the previous ones.

Statistics information: Upon receipt of WIDS attack detection packets sent from the AP, the AC collects attack statistics, including the attack types and the number of attacks.

Traps: The AC sends trap messages only when spoofing and flood attacks are detected. The trap message carries the AP's MAC address, attacking device's MAC address, channel, and attack type. The alarm suppression and match functions need to be enabled.

If a flood attack or a PSK cracking attack is detected, the AC enabled with the dynamic blacklist adds the attacking device to the dynamic blacklist and delivers the blacklist to the AP. The AP discards packets from the attacking device. If the attacking device has associated with the AP, the AP must disassociate from the device, and the driver provides the disassociation interface.

The AC needs to maintain dynamic blacklist entries and the aging mechanism of the entries. After a dynamic blacklist entry ages out, the AC delivers information to the AP, requesting the AP to delete the blacklist entry. The same attacking device may be detected by different APs. Therefore, the entry must contain list information about the APs that detected the attack. The aging mechanism takes effect only on the correct AP. If the AC cannot deliver the dynamic blacklist deletion information to the AP, the dynamic blacklist remains effective on the AP. To prevent this problem, the AC and AP use the same dynamic blacklist aging mechanism.

2.5.2 Static Blacklist

After detecting an attack, the device enabled with the dynamic blacklist automatically adds the attacker to the blacklist and denies access of the attacker to protect the network. The system administrator can manually add the MAC addresses of rogue terminals or APs to the static blacklist to defend against rogue devices (terminals or APs) that are already known. Devices in the static blacklist cannot access the network. The WLAN supports two types of static blacklists:

STA static blacklist: The AP discards packets from terminals with MAC addresses in the STA blacklist to prevent these terminals from accessing the network.

AP static blacklist: The AC discards packets from APs with MAC addresses in the AP blacklist to prevent the APs from accessing the AC through the CAPWAP tunnels.

WLANs can also use the whitelist function to prohibit access of rogue devices. Huawei offers STA and AP whitelists. The Huawei static STA blacklist can also be used for countering unauthorized devices. The system administrator can add devices to be countered to the STA static blacklist. When the devices are detected, the system takes countermeasures against them.
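The AC-side bookkeeping of 2.5.1 (attack statistics, traps for flood and spoofing only, blacklisting of flood and key-cracking attackers, entry aging) together with the user-authentication brute-force rules of 2.4.5, as an added Python model that is not part of the white paper or of Huawei's implementation; the AcWids class, its method names, the MAC addresses and the attack type labels are assumptions made for the example.

```python
from collections import Counter, defaultdict, deque
class AcWids:
    """Hypothetical AC model: stats, traps, auth brute-force rules, aging blacklist."""
    TRAP_TYPES = {"flood", "spoofing"}                      # traps only for these
    BLACKLIST_TYPES = {"flood", "psk_cracking", "wep_key_cracking"}

    def __init__(self, aging_s=60, auth_fail_limit=3, auth_window_s=60):
        self.aging_s = aging_s                  # penalty time of a blacklist entry
        self.auth_fail_limit = auth_fail_limit  # Portal/802.1x failures allowed...
        self.auth_window_s = auth_window_s      # ...within this many seconds
        self.stats = Counter()                  # attack type -> number of attacks
        self.traps = []                         # (ap_mac, attacker, channel, type)
        self.blacklist = {}                     # attacker MAC -> expiry time
        self.auth_failures = defaultdict(deque) # user MAC -> failure timestamps

    def report(self, ap_mac, attacker, channel, attack_type, now):
        """Process one attack report from an AP (steps 6 to 8 of 2.5.1)."""
        self.stats[attack_type] += 1
        if attack_type in self.TRAP_TYPES:
            self.traps.append((ap_mac, attacker, channel, attack_type))
        if attack_type in self.BLACKLIST_TYPES:
            self.blacklist[attacker] = now + self.aging_s

    def auth_failure(self, mac, mode, now):
        """Apply the 2.4.5 rule for a failed MAC, Portal or 802.1x login."""
        if mode == "mac":                       # a single failure is punished
            self.blacklist[mac] = now + self.aging_s
            return True
        q = self.auth_failures[mac]
        q.append(now)
        while now - q[0] > self.auth_window_s:  # keep failures inside the window
            q.popleft()
        if len(q) < self.auth_fail_limit:
            return False
        self.blacklist[mac] = now + self.aging_s
        q.clear()
        return True

    def is_blocked(self, mac, now):
        """True while the entry has not aged out; aged entries are removed."""
        expiry = self.blacklist.get(mac)
        if expiry is not None and now < expiry:
            return True
        self.blacklist.pop(mac, None)           # penalty time reached: restore access
        return False

def demo():
    ac = AcWids()
    ac.report("ap-1", "aa:bb:cc:00:00:01", 6, "flood", 0)      # constructed report
    ac.report("ap-1", "aa:bb:cc:00:00:02", 6, "weak_iv", 5)    # alarm only
    for t in (10, 20, 30):                                     # 3 failures in 60 s
        hit = ac.auth_failure("aa:bb:cc:00:00:03", "portal", t)
    return ac, hit
```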

3 Benefits to Customers

WIDS and WIPS provide different functions on enterprise networks of different scales:

On home networks or small enterprise networks: control access from APs and clients using the blacklist and whitelist. Access control is implemented on ACs and is independent of APs. (For more details, see the AP and user access control documents.)

On small and medium enterprise networks: WIDS detects attacks from unauthorized devices.

On medium and large enterprise networks: detect and identify rogue devices, and take countermeasures to protect the networks.

In addition to secure WLAN access, a large-sized network requires a system that can detect rogue wireless devices and reject access from these devices to protect services of authorized users. WIDS also detects attacks such as flood attacks, weak IV attacks, spoofing attacks, WPA/WPA2/WAPI pre-shared key cracking, and WEP shared key cracking. WIDS records logs, statistics, and alarms to notify network administrators of the attacks. The AC adds devices that perform flood attacks and key cracking to the dynamic blacklist and rejects packets from these devices within the aging time of the dynamic blacklist.

4 Typical Application Scenarios

4.1 Public Places or Neighboring Companies

Figure 4-1 Networking in an airport with multiple carrier networks (ChinaNet and CMCC ACs connected over an IP network, with ChinaNet and CMCC APs deployed side by side)

In public places, such as airports or railway stations, multiple carriers deploy WLANs to cover public areas. APs of each WLAN system can listen on WLAN signals of other carriers' APs. Signal interference between different WLAN systems cannot be avoided, but all the APs are authorized. To prevent incorrect reports about rogue APs or STAs, configure the SSID whitelist on the devices. Key configuration commands are as follows (ChinaNet is taken as an example):

# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Add CMCC to the SSID whitelist.
[AC-wlan-view] ssid-whitelist ssid CMCC

Figure 4-2 Networking for an office building shared by multiple companies (company A on Floor 5, company B on Floor 4)

The preceding configuration commands also apply to scenarios where multiple companies share one office building. As shown in the preceding figure, company A leases offices on Floor 5 while company B leases offices on Floor 4. Devices of company B can receive signals from company A. To prevent incorrect reports on rogue devices, company B needs to add company A's SSID to the SSID whitelist.

4.2 Deployment of Rogue APs in a Company

To protect information security and prevent interference with the WLAN system, the company forbids employees to deploy APs without authorization. Enable WIDS to detect unauthorized devices in the surroundings.

Figure 4-3 Deployment of rogue APs in a company (company A's AC and APs with SSID=Corp; one unauthorized AP with SSID=Jack and another with SSID=Corp; STA C)

As shown in the preceding figure, some employees deploy Fat APs or enable the AP function on personal smart terminals without company authorization. The unauthorized AP on the left offers the SSID Jack to connect personal devices, for example, pads. The signals transmitted from the AP may cause interference to the company's WLAN system or even leak company information. The AP on the right poses higher security risks. The SSID provided by the AP is the same as the company SSID. The AP pretends to be an authorized AP on the company WLAN to set up connections with company devices and intercept company information.

To defend against the rogue APs, enable WIDS on the company's WLAN system to counter the APs using the spoofing SSID. After WIDS and WIPS are configured on the AC, the monitor AP collects neighbor information and reports it to the AC. When the AC identifies the rogue AP, the AC notifies the monitor AP of the rogue AP's identity information. The monitor AP then uses the rogue AP's identity information to broadcast a Deauthentication frame. After STAs associated with the rogue AP receive the Deauthentication frame, they disassociate from the rogue AP. This countermeasure prevents STAs from associating with the rogue AP. Key configuration commands are as follows:

# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Configure WIPS to counter the rogue APs.
[AC-wlan-radio-0/0] countermeasures enable
[AC-wlan-radio-0/0] countermeasures mode rogue ap
[AC-wlan-radio-0/0] quit

4.3 Attacks on WLANs

Figure 4-4 Attacks on WLANs (AC and APs connected over an IP network; malicious terminals attack the APs and a STA)

Malicious users or terminals infected with viruses may attack the system. After WIDS is enabled on the company WLAN, the WLAN devices can detect flood, spoofing, and brute force cracking attacks. After a rogue terminal is identified, the WLAN device adds the rogue terminal to the dynamic blacklist and discards packets from the terminal within the specified period to protect the system against attacks. Key configuration commands are as follows:

# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Enable the dynamic blacklist function.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] dynamic-blacklist enable