18.11 Example for Configuring WIDS and WIPS
Networking Requirements
As shown in Figure 18-11, an enterprise connects the AC to the aggregation switch in bypass mode to manage the AP in centralized manner and provide a WLAN with the SSID huawei so that users can access the network anywhere at any time. The enterprise uses WPA2 authentication to authenticate users and CCMP encryption to ensure data security. The AC functions as the DHCP server to assign IP addresses to the APs and STAs.
Due to openness of the WLAN, there are security risks. If attackers deploy an AP with the SSID huawei on the network to forge an authorized AP, STAs may associate with the rogue AP. If wireless terminals attack the WLAN network, for example, the terminals try to crack the WAP2-PSK key or initiate flood attacks to the authorized AP, there are security risks on the network. WIDS and WIPS need to be configured on the AC to detect attacks of rogue APs and terminals.
Data Preparation
| Item | Data |
|---|---|
| Working mode of WLAN devices | Hybrid mode |
| Countermeasure against rogue devices | Counter rogue APs |
| Attack detection | Flood attack: More than 50 management packets of the same type are received within 60 seconds. WPA2-PSK brute force password cracking: An incorrect key is entered more than 20 times during WPA2-PSK authentication within 60 seconds. |
| Aging time of the dynamic blacklist | 200 seconds |
Configuration Roadmap
- When the AC provides the WLAN service normally to APs, configure WIDS and WIPS on the ACto detect unauthorized devices and counter rogue APs, disabling STAs from associating with rogue APs. Detect and add attack devices to the dynamic blacklist, so that authorized APs will discard packets from attack devices.
- Deliver the configurations to the APs.
Procedure
- Configure WIDS and WIPS.
- Choose , click Create, and then click Addfor the Select AP list to add an AP.
- The AP added is displayed in the Select AP list. Click on the right of the WIDS Configuration page. A configuration page is displayed for you to set parameters on it.
- Set thresholds for determining a flood attack and brute force cracking attack and enable the blacklist function.
- Configure the AP to work at 2.4 GHz radio. Enable the attack detection and countermeasure functions and select the types of devices to be detected. NOTE:
- To configure WIDS for a dual band AP, click New. The Radio Configuration 2 page is displayed.
- If the AP works in hybrid mode, services will be interrupted temporarily during periodic scanning, and only the channel used by the WLAN service can be countered. If you want to counter all the channels, set the AP working mode to monitor. At this mode, the WLAN service is unavailable.
- Choose , click Create, and then click Addfor the Select AP list to add an AP.
- Click Commit Configuration in the upper right corner of the page to deliver the configurations to APs.
- Verify the configuration.
Before WIDS and WIPS are configured, STAs associate with the WLAN network with the SSID huawei but connect to a rogue AP. Configure WIDS and WIPS and then verify the configuration.
After WIDS and WIPS are configured.
- Choose and set the search criteria to check countered APs.
- Click the Attack Records tab page to check detected attack devices. There might be flood attacks on the network and some STAs try to crack WPA2-PSK key.
- Click the Dynamic Blacklist tab page to check attack devices that are automatically added to the dynamic blacklist.
- Choose and set the search criteria to check countered APs.
