Cisco Adaptive Wireless IPS Software Configuration Guide

Cisco Wireless Intrusion Prevention System Configuration Guide,

Release 7.5

First Published: July 31, 2013

Last Modified: July 31, 2013

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-29331-01

CONTENTS

Preface

Preface xvii

CHAPTER 1

Overview 1

Information About wIPS 1

wIPS in a Cisco Unified Wireless Network 3

wIPS Integrated Within a Cisco Unified Wireless Network 3

wIPS Overlay Deployment in a Cisco Unified Wireless Network 3

wIPS Overlay in an Autonomous or Other Wireless Network 5

Differences Between Controller IDS and wIPS 6

Guidelines and Limitations 6

Reduction in False Positives 6

Alarm Aggregation 6

User Authentication And Encryption 7

DoS Attacks 8

Security Penetration Attacks 10

wIPS Alarm Flow 13

Performance Violation 13

Forensics 14

Rogue Detection 14

Anomaly Detection 15

Default Configuration Profiles 15

Auto MAC Learning Of Valid Clients 15

CHAPTER 2

Adding and Deleting Mobility Services Engines and Licenses 17

Licensing Requirements for MSE 17

MSE License Structure Matrix 18

Sample MSE License File 19

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 iii

Revoking and Reusing an MSE License 19

Guidelines and Limitations 20

Adding a Mobility Services Engine to the Prime Infrastructure 20

Enabling Services on the Mobility Services Engine 22

Configuring MSE Tracking and History Parameters 23

Assigning Maps to the MSE 24

Deleting an MSE License File 25

Deleting a Mobility Services Engine from the Prime Infrastructure 25

Registering Device and wIPS Product Authorization Keys 25

Installing Device and wIPS License Files 26

CHAPTER 3

Synchronizing Mobility Services Engines 29

Synchronizing the Prime Infrastructure and Mobility Services Engines 29

Prerequisites for Synchronizing Mobility Services Engine 30

Working with Third-Party Elements 30

Deleting the Elements or Marking Them as Third-Party Elements 31

Synchronizing Controllers with a Mobility Services Engine 31

Assigning and Synchronizing Network Designs, a Controller, Catalyst Switch, or Event

Group 31

Assigning an MSE to the Controller 32

Unassigning a Network Design, Wired Switch, or Event Group from MSE 33

Configuring Automatic Database Synchronization and Out-of-Sync Alerts 33

Configuring Automatic Database Synchronization 34

Smart Controller Assignment and Selection Scenarios 35

Out-of-Sync Alarms 35

Viewing the Status of Mobility Services Engine Synchronization 36

Viewing Synchronization History 36

CHAPTER 4

Configuring and Viewing System Properties 39

Licensing Requirement 39

Editing General Properties and Viewing Performance 39

Editing General Properties 40

Viewing Performance Information 42

Modifying NMSP Parameters 42

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

iv OL-29331-01

Contents

Viewing Active Sessions on a System 43

Adding and Deleting Trap Destinations 44

Adding Trap Destinations 44

Deleting Trap Destinations 46

Viewing and Configuring Advanced Parameters 46

Viewing Advanced Parameter Settings 47

Initiating Advanced Parameters 47

Configuring Advanced Parameters 48

Initiating Advanced Commands 49

Rebooting or Shutting Down a System 49

Clearing the System Database 50

CHAPTER 5

Working with Maps 51

About Maps 51

Adding a Building to a Campus Map 52

Adding Floor Areas 53

Adding Floor Areas to a Campus Building 53

Adding Floor Plans to a Standalone Building 55

Adding a Campus Map 57

Configuring Buildings 57

Adding a Building to a Campus Map 58

Adding a Standalone Building 59

Viewing a Building 60

Editing a Building 61

Deleting a Building 61

Moving a Building 62

Adding Floor Areas 62

Adding Floor Areas to a Campus Building 62

Adding Floor Plans to a Standalone Building 64

Configuring Floor Settings 66

Defining Inclusion and Exclusion Regions on a Floor 67

Cisco 1000 Series Lightweight Access Point Icons 67

Filtering Access Point Floor Settings 70

Filtering Access Point Heatmap Floor Settings 72

Filtering AP Mesh Info Floor Settings 73

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 v

Contents

Filtering Client Floor Settings 74

Filtering 802.11 Tag Floor Settings 75

Filtering Rogue AP Floor Settings 75

Filtering Rogue Adhoc Floor Settings 76

Filtering Rogue Client Floor Settings 76

Filtering Interferer Settings 77

Filtering wIPS Attacker Floor Settings 77

Import Map and AP Location Data 79

Monitoring the Floor Area 80

Planning and Zooming with Next Generation Maps 80

Adding Access Points to a Floor Area 81

Placing Access Points 82

Using the Automatic Hierarchy to Create Maps 83

Using the Map Editor 86

Guidelines for Using the Map Editor 86

Guidelines for Inclusion and Exclusion Areas on a Floor 87

Opening the Map Editor 87

Using the Map Editor to Draw Coverage Areas 87

Defining an Inclusion Region on a Floor 88

Defining an Exclusion Region on a Floor 89

Defining a Rail Line on a Floor 89

Adding an Outdoor Area 90

Using Planning Mode 91

Using Chokepoints to Enhance Tag Location Reporting 92

Adding Chokepoints to the Prime Infrastructure 93

Adding a Chokepoint to a Prime Infrastructure Map 93

Removing Chokepoints from the Prime Infrastructure 94

CHAPTER 6

Configuring wIPS and Profiles 95

Guidelines and Limitations 95

Prerequisites 95

Information About wIPS Configuration and Profile Management 96

Guidelines and Limitations 96

Configuring Access Points for wIPS Monitor Mode 97

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

vi OL-29331-01

Contents

Configuring wIPS Profiles 98

wIPS Profiles 105

Adding a Profile 106

Deleting a Profile 107

Applying a Current Profile 107

Configuring wIPS SSID Group List 108

Global SSID Group List 108

Adding a Group 109

Editing a Group 109

Deleting a Group 110

SSID Groups 110

Adding a Group 111

Adding Groups from Your Global List 111

Editing a Group 112

Deleting Group 112

Profile Configuration Using the Profile Editor 112

CHAPTER 7

Monitoring the System and Services 115

Working with Alarms 115

Guidelines and Limitations 116

Viewing Alarms 116

wIPS Alarm Consolidation 116

Monitoring Cisco Adaptive wIPS Alarm Details 117

Assigning and Unassigning Alarms 119

Deleting and Clearing Alarms 120

E-mailing Alarm Notifications 120

Working with Events 121

Displaying Location Notification Events 121

Working with Logs 121

Guidelines and Limitations 121

Configuring Logging Options 122

MAC address-based Logging 123

Downloading Log Files 123

Monitoring Access Points Details 123

General Tab 124

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 vii

Contents

General—Lightweight Access Points 124

General—Autonomous 131

Interfaces Tab 132

CDP Neighbors Tab 135

Current Associated Clients Tab 136

SSID Tab 137

Clients Over Time Tab 138

Generating Reports 138

Report Launch Pad 138

Creating and Running a New Report 139

Managing Current Reports 144

Managing Scheduled Run Results 144

Managing Saved Reports 145

Creating a Device Utilization Report 145

Viewing Saved Utilization Reports 147

Viewing Scheduled Utilization Runs 148

Client Support on the MSE 148

Searching a Wireless Client from the Prime Infrastructure on the MSE by IPv6 Address 148

Viewing the Clients Detected by the MSE 149

Monitoring Geo-Location 155

Adding a GPS Marker to a Floor Map 155

Editing a GPS Marker 156

Deleting a GPS Marker From the Floor 156

Ekahau Site Survey Integration 157

AirMagnet Survey and Planner Integration 157

Interpreting Security Dashboard 157

Viewing the Rogue APs 158

Client Classification 159

APPENDIX A

wIPS Policy Alarm Encyclopedia 161

Security IDS/IPS Overview 161

User Authentication and Encryption 162

Static WEP Encryption 162

AP with Encryption Disabled 162

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

viii OL-29331-01

Contents

Alarm Description and Possible Causes 162

wIPS Solution 162

Client with Encryption Disabled 163

Alarm Description and Possible Causes 163

wIPS Solution 163

Crackable WEP IV key used 163

Alarm Description and Possible Causes 163

wIPS Solution 163

Device Using Open Authentication 164

Alarm Description and Possible Causes 164

wIPS Solution 164

Device Using Shared Key Authentication 164

Alarm Description and Possible Causes 164

wIPS Solution 164

WEP IV Key Reused 164

Alarm Description and Possible Causes 164

wIPS Solution 164

WPA and 802.11i 165

Device Unprotected by EAP-TTLS 165

Alarm Description and Possible Causes 165

wIPS Solution 165

Device Unprotected by 802.1X 165

Alarm Description and Possible Causes 165

wIPS Solution 166

Device Unprotected by any Selected Authentication Methods 166

Alarm Description and Possible Causes 166

wIPS Solution 166

802.1 X Unencrypted Broadcast or Multicast 166

Alarm Description and Possible Causes 166

wIPS Solution 167

802.1 X Rekey Timeout Too Long 167

Alarm Description and Possible Causes 167

wIPS Solution 167

Device Not Protected by EAP-TLS 167

Alarm Description and Possible Causes 167

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 ix

Contents

wIPS Solution 168

Device Unprotected by IEEE 802.11i/AES 168

Alarm Description and Possible Causes 168

wIPS Solution 168

Device Unprotected By EAP-FAST 169

Alarm Description and Possible Causes 169

wIPS Solution 169

Device Unprotected by PEAP 169

Alarm Description and Possible Causes 169

wIPS Solution 169

Device Unprotected by TKIP 170

Alarm Description and Possible Causes 170

wIPS Solution 170

WPA or 802.11i Pre-Shared Key Used 170

Alarm Description and Possible Causes 170

wIPS Solution 170

Intrusion Detection—Denial of Service Attack 170

Denial of Service Attack Against Access Points 171

Alarm Description and Possible Causes 171

wIPS Solution 171

Denial of Service Attack: Association Table Overflow 172

Alarm Description and Possible Causes 172

wIPS Solution 172

Denial of Service Attack: Authentication Flood 172

Alarm Description and Possible Causes 172

wIPS Solution 172

Denial of Service Attack: EAPOL-Start Attack 173

Alarm Description and Possible Causes 173

wIPS Solution 173

Denial of Service Attack: PS Poll Flood Attack 173

Alarm Description and Possible Causes 173

wIPS Solution 173

Denial of Service Attack: Probe Request Flood 173

Alarm Description and Possible Causes 173

wIPS Solution 174

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

xOL-29331-01

Contents

Denial of Service Attack: Re-association Request Flood 174

Alarm Description and Possible Causes 174

wIPS Solution 174

Denial of Service Attack: Unauthenticated Association 174

Alarm Description and Possible Causes 174

wIPS Solution 174

Denial of Service Attack Against Infrastructure 175

Denial of Service Attack: Beacon Flood 175

Alarm Description and Possible Causes 175

wIPS Solution 175

Denial of Service Attack: CTS Flood 175

Alarm Description and Possible Causes 175

wIPS Solution 175

Denial of Service Attack: Destruction Attack 176

Alarm Description and Possible Causes 176

wIPS Solution 176

Denial of Service Attack: Queensland University of Technology Exploit 176

Alarm Description and Possible Causes 176

wIPS Solution 177

Denial of Service attack: RF Jamming Attack 177

Alarm Description and Possible Causes 177

wIPS Solution 177

Denial of Service: RTS Flood 177

Alarm Description and Possible Causes 177

wIPS Solution 178

Denial of Service Attack: Virtual Carrier Attack 178

Alarm Description and Possible Causes 178

wIPS Solution 178

Denial of Service Attacks Against Client Station 178

Denial of Service Attack: Authentication Failure Attack 179

Alarm Description and Possible Causes 179

wIPS Solution 179

Denial of Service Attack: Block ACK Flood 179

Alarm Description and Possible Causes 179

wIPS Solution 179

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 xi

Contents

Denial of Service Attack: Deauthentication Broadcast 180

Alarm Description and Possible Causes 180

wIPS Solution 180

Denial of Service Attack: Deauthentication Flood 180

Alarm Description and Possible Causes 180

wIPS Solution 180

Denial of Service Attack: Disassociation Flood 181

Alarm Description and Possible Causes 181

wIPS Solution 181

Denial of Service Attack: EAPOL Logoff Attack 181

Alarm Description and Possible Causes 181

wIPS Solution 181

Denial of Service Attack: FATA Jack Tool Detected 182

Alarm Description and Possible Causes 182

wIPS Solution 182

Denial of Service Attack: Premature EAP Failure Attack 182

Alarm Description and Possible Causes 182

wIPS Solution 182

Intrusion Detection—Security Penetration 182

ASLEAP Tool Detected 183

Alarm Description and Possible Causes 183

wIPS Solution 184

Airdrop Session Detected 184

Alarm and Possible Causes 184

wIPS Solution 184

AirPwn 185

Alarm Description and Possible Causes 185

wIPS Solution 185

Airsnarf Attack Detected 185

Alarm Description and Possible Causes 185

wIPS Solution 185

Bad EAP-TLS Frames 185

Alarm Description and Possible Causes 185

wIPS Solution 185

Beacon Fuzzed Frame Detected 186

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

xii OL-29331-01

Contents

Alarm Description and Possible Causes 186

wIPS Solution 186

Brute Force Hidden SSID 186

Alarm Description and Possible Causes 186

wIPS Solution 186

ChopChop Attack 186

Alarm Description and Possible Causes 186

wIPS Solution 187

DHCP Starvation Attack Detected 187

Alarm Description and Possible Causes 187

wIPS Solution 187

Day-0 Attack by WLAN Security Anomaly 188

wIPS Solution 188

Day-0 Attack by Device Security Anomaly 188

wIPS Solution 188

Device Broadcasting XSS SSID 188

Alarm Description and Possible Causes 188

wIPS Solution 188

Device Probing for Access Points 189

Alarm Description and Possible Causes 189

wIPS Solution 189

Dictionary Attack on EAP Methods 189

Alarm Description and Possible Causes 189

wIPS Solution 190

Fake Access Points Detected 190

Alarm Description and Possible Causes 190

wIPS Solution 190

Fake DHCP Server Detected 190

Alarm Description and Possible Causes 190

wIPS Solution 191

Fast WEP Crack (ARP Replay) Detected 191

Alarm Description and Possible Causes 191

wIPS Solution 191

Fragmentation Attack 191

Alarm Description and Possible Causes 191

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 xiii

Contents

wIPS Solution 192

HT Intolerant Degradation Services 192

Alarm Description and Possible Causes 192

Honeypot AP Detected 192

Alarm Description and Possible Causes 192

wIPS Solution 192

Hot-Spotter Tool Detected (Potential Wireless Phishing) 193

Alarm Description and Possible Causes 193

wIPS Solution 193

Identical Send and Receive Address 194

Alarm Description and Possible Causes 194

wIPS Solution 194

Improper Broadcast Frames 194

Alarm Description and Possible Causes 194

Improper Broadcast Frames 194

Karma Tool Detected 194

Alarm Description and Possible Causes 194

wIPS Solution 194

Man-in-the-Middle Attack Detected 195

Alarm Description and Possible Causes 195

wIPS Solution 195

NetStumbler Detected 195

Alarm Description and Possible Causes 195

wIPS Solution 196

NetStumbler Victim Detected 196

wIPS Solution 196

Alarm Description and Possible Causes 196

Publicly Secure Packet Forwarding (PSPF) Violation 196

Alarm Description and Possible Causes 196

wIPS Solution 197

Probe Request Fuzzed Frame Detected 197

Alarm Description and Possible Causes 197

Probe Response Fuzzed Frame Detected 197

Alarm Description and Possible Causes 197

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

xiv OL-29331-01

Contents

wIPS Solution 197

Soft AP or Host AP Detected 198

Alarm Description and Possible Causes 198

wIPS Solution 198

Spoofed MAC Address Detected 199

Alarm Description and Possible Causes 199

Suspicious After Hours Traffic Detected 199

Alarm Description and Possible Causes 199

wIPS Solution 199

Unauthorized Association By Vendor List 200

Alarm Description and Possible Causes 200

wIPS Solution 200

Unauthorized Association Detected 200

Alarm Description and Possible Causes 200

wIPS Solution 200

Wellenreiter Detected 201

Alarm Description and Possible Causes 201

wIPS Solution 201

WiFi Protected Setup Pin Brute Force 201

Alarm Description and Possible Causes 201

wIPS Solution 202

WiFi Tap Tool Detected 202

Alarm Description and Possible Causes 202

wIPS Solution 202

Performance Violation 202

Channel or Device Overload 202

AP Association Capacity Full 203

Alarm Description and Possible Causes 203

wIPS Solution 203

AP Overloaded by Stations 203

Alarm Description and Possible Causes 203

wIPS Solution 203

AP Overloaded by Utilization 203

Alarm Description and Possible Causes 203

wIPS Solution 203

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 xv

Contents

Excessive Bandwidth Usage 203

Alarm Description and Possible Causes 203

wIPS Solution 204

Excessive Multicast/Broadcast on Channel 204

Alarm Description and Possible Causes 204

wIPS Solution 204

Excessive Multicast/Broadcast on Node 204

Alarm Description and Possible Causes 204

wIPS Solution 204

APPENDIX B

Rogue Management 205

Rogue Access Point Challenges 205

Rogue Access Point Location, Tagging, and Containment 205

Detecting and Locating Rogue Access Points 206

Monitoring Alarms 207

Monitoring Rogue Access Point Alarms 208

Monitoring Rogue AP Details 210

Detecting Access Points 211

Monitoring Rogue Ad hoc Alarms 212

Monitoring Rogue Ad hoc Details 214

Monitoring Events 216

Monitoring Rogue Clients 216

Configuring Auto SPT Criteria on Prime Infrastructure 217

Configuring Auto Containment Settings on the Prime Infrastructure 217

Configuring Controllers 218

Configuring Rogue Policies 218

Configuring Rogue AP Rules 219

Configuring Controller Template 219

Configuring Rogue Policies 219

Configuring Rogue AP Rules 220

Configuring Rogue AP Rule Groups 222

APPENDIX C

Configuring and Deploying wIPS Solution 225

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

xvi OL-29331-01

Contents

Preface

This preface describes the audience, organization, and conventions of the Cisco Wireless Intrusion Prevention

System Configuration Guide. It also provides information on how to obtain other documentation. This chapter

includes the following sections:

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 xvii

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

xviii OL-29331-01

Preface

CHAPTER 1

Overview

This chapter describes the role of the Cisco Mobility Services Engine (MSE) and the Cisco Wireless Intrusion

Prevention System (wIPS) within the overall Cisco Unified Wireless Network (CUWN).

Cisco wIPS protects the network from penetration attacks, rogue wireless devices, and denial-of-service

(DoS) attacks to improve security and meet compliance objectives. It offers flexible and scalable wireless

network security for dedicated monitoring and detection of wireless network anomalies, unauthorized access,

and RF attacks. This solution delivers integrated visibility and control access across the network, without

the need for an overlay solution.

This chapter contains the following sections:

•Information About wIPS, page 1

•wIPS in a Cisco Unified Wireless Network, page 3

•Differences Between Controller IDS and wIPS, page 6

Information About wIPS

The wIPS performs rogue access point, rogue client, and ad hoc connection detection and mitigation, over-the-air

wireless hacking and threat detection, security vulnerability monitoring, performance monitoring and

self-optimization, network hardening for proactive prevention of threats, and complete wireless security

management and reporting.

Built on the CUWN and leveraging the efficiencies of Cisco Motion, wIPS is deployment-hardened and

enterprise-ready. The wIPS is made up of the following components that work together to provide a unified

security monitoring solution:

•A Mobility Services Engine running wIPS software—Serves as the central point of alarm aggregation

for all controllers and their respective wIPS monitor mode access points. Alarm information and forensic

files are stored on the Mobility Services Engine for archival purposes.

•A wIPS monitor mode access point—Provides constant channel scanning with attack detection and

forensics (packet capture) capabilities.

•Local mode access point—Provides wireless service to clients in addition to time-sliced rogue scanning.

•Cisco Wireless Security and Spectrum Intelligence (WSSI)—Helps you to avoid radio frequency (RF)

interference so that you get better coverage and performance on your wireless network.

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

OL-29331-01 1

•Wireless LAN Controller—Forwards attack information received from wIPS monitor mode access points

to the Mobility Services Engine and distributes configuration parameters to access points.

•Cisco Prime Infrastructure—Provides a centralized management platform for the administrator to

configure the wIPS Service on the Mobility Services Engine, push wIPS configurations to the controller,

and configure access points in wIPS monitor mode. Prime Infrastructure is also used to view wIPS

alarms, forensics, reporting, and to access the attack encyclopedia. This figure shows the wireless

Intrusion Prevention System.

Figure 1: Wireless Intrusion Prevention System

Communication among the system components involves the following protocols:

•Control and Provisioning of Wireless Access Points (CAPWAP)—This protocol is the successor to

LWAPP and is used for communication between access points and controllers. It provides a bi-directional

tunnel in which alarm information is sent to the controller and configuration information is sent to the

access point.

•Network Mobility Services Protocol (NMSP)—The protocol handles communication between controllers

and the Mobility Services Engine. In a wIPS deployment, this protocol provides a pathway for alarm

information to be aggregated from controllers and forwarded to the Mobility Services Engine and for

wIPS configuration information to be pushed to the controller. This protocol is encrypted.

◦Controller TCP Port: 16113

•Simple Object Access Protocol (SOAP/XML)—The method of communication between the Mobility

Services Engine and the Prime Infrastructure. This protocol is used to distribute configuration parameters

to the wIPS service running on the Mobility Services Engine.

◦MSE TCP Port: 443

•Simple Network Management Protocol (SNMP)—This protocol is used to forward wIPS alarm information

from the Mobility Services Engine to the Prime Infrastructure. It is also employed to communicate rogue

access point information from the controller to the Prime Infrastructure.

Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5

2OL-29331-01

Overview

Information About wIPS

Page is loading ...

Cisco Adaptive Wireless IPS Software Configuration Guide

Cisco Adaptive Wireless IPS Software Configuration Guide

Related papers

Other documents