2. Computers & electronics
  3. Software
  4. Cisco
  5. Adaptive Wireless IPS Software

Cisco Adaptive Wireless IPS Software Configuration Guide

  • Hello! I am an AI chatbot trained to assist you with the Cisco Adaptive Wireless IPS Software Configuration Guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
Cisco Wireless Intrusion Prevention System Configuration Guide,
Release 7.5
First Published: July 31, 2013
Last Modified: July 31, 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-29331-01
©2013 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
Preface xvii
CHAPTER 1
Overview 1
Information About wIPS 1
wIPS in a Cisco Unified Wireless Network 3
wIPS Integrated Within a Cisco Unified Wireless Network 3
wIPS Overlay Deployment in a Cisco Unified Wireless Network 3
wIPS Overlay in an Autonomous or Other Wireless Network 5
Differences Between Controller IDS and wIPS 6
Guidelines and Limitations 6
Reduction in False Positives 6
Alarm Aggregation 6
User Authentication And Encryption 7
DoS Attacks 8
Security Penetration Attacks 10
wIPS Alarm Flow 13
Performance Violation 13
Forensics 14
Rogue Detection 14
Anomaly Detection 15
Default Configuration Profiles 15
Auto MAC Learning Of Valid Clients 15
CHAPTER 2
Adding and Deleting Mobility Services Engines and Licenses 17
Licensing Requirements for MSE 17
MSE License Structure Matrix 18
Sample MSE License File 19
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 iii
Revoking and Reusing an MSE License 19
Guidelines and Limitations 20
Adding a Mobility Services Engine to the Prime Infrastructure 20
Enabling Services on the Mobility Services Engine 22
Configuring MSE Tracking and History Parameters 23
Assigning Maps to the MSE 24
Deleting an MSE License File 25
Deleting a Mobility Services Engine from the Prime Infrastructure 25
Registering Device and wIPS Product Authorization Keys 25
Installing Device and wIPS License Files 26
CHAPTER 3
Synchronizing Mobility Services Engines 29
Synchronizing the Prime Infrastructure and Mobility Services Engines 29
Prerequisites for Synchronizing Mobility Services Engine 30
Working with Third-Party Elements 30
Deleting the Elements or Marking Them as Third-Party Elements 31
Synchronizing Controllers with a Mobility Services Engine 31
Assigning and Synchronizing Network Designs, a Controller, Catalyst Switch, or Event
Group 31
Assigning an MSE to the Controller 32
Unassigning a Network Design, Wired Switch, or Event Group from MSE 33
Configuring Automatic Database Synchronization and Out-of-Sync Alerts 33
Configuring Automatic Database Synchronization 34
Smart Controller Assignment and Selection Scenarios 35
Out-of-Sync Alarms 35
Viewing the Status of Mobility Services Engine Synchronization 36
Viewing the Status of Mobility Services Engine Synchronization 36
Viewing Synchronization History 36
CHAPTER 4
Configuring and Viewing System Properties 39
Licensing Requirement 39
Editing General Properties and Viewing Performance 39
Editing General Properties 40
Viewing Performance Information 42
Modifying NMSP Parameters 42
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
iv OL-29331-01
Contents
Viewing Active Sessions on a System 43
Adding and Deleting Trap Destinations 44
Adding Trap Destinations 44
Deleting Trap Destinations 46
Viewing and Configuring Advanced Parameters 46
Viewing Advanced Parameter Settings 47
Initiating Advanced Parameters 47
Configuring Advanced Parameters 48
Initiating Advanced Commands 49
Rebooting or Shutting Down a System 49
Clearing the System Database 50
CHAPTER 5
Working with Maps 51
About Maps 51
Adding a Building to a Campus Map 52
Adding Floor Areas 53
Adding Floor Areas to a Campus Building 53
Adding Floor Plans to a Standalone Building 55
Adding a Campus Map 57
Configuring Buildings 57
Adding a Building to a Campus Map 58
Adding a Standalone Building 59
Viewing a Building 60
Editing a Building 61
Deleting a Building 61
Moving a Building 62
Adding Floor Areas 62
Adding Floor Areas to a Campus Building 62
Adding Floor Plans to a Standalone Building 64
Configuring Floor Settings 66
Defining Inclusion and Exclusion Regions on a Floor 67
Cisco 1000 Series Lightweight Access Point Icons 67
Filtering Access Point Floor Settings 70
Filtering Access Point Heatmap Floor Settings 72
Filtering AP Mesh Info Floor Settings 73
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 v
Contents
Filtering Client Floor Settings 74
Filtering 802.11 Tag Floor Settings 75
Filtering Rogue AP Floor Settings 75
Filtering Rogue Adhoc Floor Settings 76
Filtering Rogue Client Floor Settings 76
Filtering Interferer Settings 77
Filtering wIPS Attacker Floor Settings 77
Import Map and AP Location Data 79
Monitoring the Floor Area 80
Planning and Zooming with Next Generation Maps 80
Adding Access Points to a Floor Area 81
Placing Access Points 82
Using the Automatic Hierarchy to Create Maps 83
Using the Map Editor 86
Guidelines for Using the Map Editor 86
Guidelines for Inclusion and Exclusion Areas on a Floor 87
Opening the Map Editor 87
Using the Map Editor to Draw Coverage Areas 87
Defining an Inclusion Region on a Floor 88
Defining an Exclusion Region on a Floor 89
Defining a Rail Line on a Floor 89
Adding an Outdoor Area 90
Using Planning Mode 91
Using Chokepoints to Enhance Tag Location Reporting 92
Adding Chokepoints to the Prime Infrastructure 93
Adding a Chokepoint to a Prime Infrastructure Map 93
Removing Chokepoints from the Prime Infrastructure 94
CHAPTER 6
Configuring wIPS and Profiles 95
Configuring wIPS and Profiles 95
Guidelines and Limitations 95
Prerequisites 95
Information About wIPS Configuration and Profile Management 96
Guidelines and Limitations 96
Configuring Access Points for wIPS Monitor Mode 97
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
vi OL-29331-01
Contents
Configuring wIPS Profiles 98
wIPS Profiles 105
Adding a Profile 106
Deleting a Profile 107
Applying a Current Profile 107
Configuring wIPS SSID Group List 108
Global SSID Group List 108
Adding a Group 109
Editing a Group 109
Deleting a Group 110
SSID Groups 110
Adding a Group 111
Adding Groups from Your Global List 111
Editing a Group 112
Deleting Group 112
Profile Configuration Using the Profile Editor 112
CHAPTER 7
Monitoring the System and Services 115
Working with Alarms 115
Guidelines and Limitations 116
Viewing Alarms 116
wIPS Alarm Consolidation 116
Monitoring Cisco Adaptive wIPS Alarm Details 117
Assigning and Unassigning Alarms 119
Deleting and Clearing Alarms 120
E-mailing Alarm Notifications 120
Working with Events 121
Displaying Location Notification Events 121
Working with Logs 121
Guidelines and Limitations 121
Configuring Logging Options 122
MAC address-based Logging 123
Downloading Log Files 123
Monitoring Access Points Details 123
General Tab 124
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 vii
Contents
GeneralLightweight Access Points 124
GeneralAutonomous 131
Interfaces Tab 132
CDP Neighbors Tab 135
Current Associated Clients Tab 136
SSID Tab 137
Clients Over Time Tab 138
Generating Reports 138
Report Launch Pad 138
Creating and Running a New Report 139
Managing Current Reports 144
Managing Scheduled Run Results 144
Managing Saved Reports 145
Creating a Device Utilization Report 145
Viewing Saved Utilization Reports 147
Viewing Scheduled Utilization Runs 148
Client Support on the MSE 148
Searching a Wireless Client from the Prime Infrastructure on the MSE by IPv6 Address 148
Viewing the Clients Detected by the MSE 149
Monitoring Geo-Location 155
Adding a GPS Marker to a Floor Map 155
Editing a GPS Marker 156
Deleting a GPS Marker From the Floor 156
Ekahau Site Survey Integration 157
AirMagnet Survey and Planner Integration 157
Interpreting Security Dashboard 157
Viewing the Rogue APs 158
Client Classification 159
APPENDIX A
wIPS Policy Alarm Encyclopedia 161
wIPS Policy Alarm Encyclopedia 161
Security IDS/IPS Overview 161
User Authentication and Encryption 162
Static WEP Encryption 162
AP with Encryption Disabled 162
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
viii OL-29331-01
Contents
Alarm Description and Possible Causes 162
wIPS Solution 162
Client with Encryption Disabled 163
Alarm Description and Possible Causes 163
wIPS Solution 163
Crackable WEP IV key used 163
Alarm Description and Possible Causes 163
wIPS Solution 163
Device Using Open Authentication 164
Alarm Description and Possible Causes 164
wIPS Solution 164
Device Using Shared Key Authentication 164
Alarm Description and Possible Causes 164
wIPS Solution 164
WEP IV Key Reused 164
Alarm Description and Possible Causes 164
wIPS Solution 164
WPA and 802.11i 165
Device Unprotected by EAP-TTLS 165
Alarm Description and Possible Causes 165
wIPS Solution 165
Device Unprotected by 802.1X 165
Alarm Description and Possible Causes 165
wIPS Solution 166
Device Unprotected by any Selected Authentication Methods 166
Alarm Description and Possible Causes 166
wIPS Solution 166
802.1 X Unencrypted Broadcast or Multicast 166
Alarm Description and Possible Causes 166
wIPS Solution 167
802.1 X Rekey Timeout Too Long 167
Alarm Description and Possible Causes 167
wIPS Solution 167
Device Not Protected by EAP-TLS 167
Alarm Description and Possible Causes 167
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 ix
Contents
wIPS Solution 168
Device Unprotected by IEEE 802.11i/AES 168
Alarm Description and Possible Causes 168
wIPS Solution 168
Device Unprotected By EAP-FAST 169
Alarm Description and Possible Causes 169
wIPS Solution 169
Device Unprotected by PEAP 169
Alarm Description and Possible Causes 169
wIPS Solution 169
Device Unprotected by TKIP 170
Alarm Description and Possible Causes 170
wIPS Solution 170
WPA or 802.11i Pre-Shared Key Used 170
Alarm Description and Possible Causes 170
wIPS Solution 170
Intrusion DetectionDenial of Service Attack 170
Denial of Service Attack Against Access Points 171
Alarm Description and Possible Causes 171
wIPS Solution 171
Denial of Service Attack: Association Table Overflow 172
Alarm Description and Possible Causes 172
wIPS Solution 172
Denial of Service Attack: Authentication Flood 172
Alarm Description and Possible Causes 172
wIPS Solution 172
Denial of Service Attack: EAPOL-Start Attack 173
Alarm Description and Possible Causes 173
wIPS Solution 173
Denial of Service Attack: PS Poll Flood Attack 173
Alarm Description and Possible Causes 173
wIPS Solution 173
Denial of Service Attack: Probe Request Flood 173
Alarm Description and Possible Causes 173
wIPS Solution 174
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
xOL-29331-01
Contents
Denial of Service Attack: Re-association Request Flood 174
Alarm Description and Possible Causes 174
wIPS Solution 174
Denial of Service Attack: Unauthenticated Association 174
Alarm Description and Possible Causes 174
wIPS Solution 174
Denial of Service Attack Against Infrastructure 175
Denial of Service Attack: Beacon Flood 175
Alarm Description and Possible Causes 175
wIPS Solution 175
Denial of Service Attack: CTS Flood 175
Alarm Description and Possible Causes 175
wIPS Solution 175
Denial of Service Attack: Destruction Attack 176
Alarm Description and Possible Causes 176
wIPS Solution 176
Denial of Service Attack: Queensland University of Technology Exploit 176
Alarm Description and Possible Causes 176
wIPS Solution 177
Denial of Service attack: RF Jamming Attack 177
Alarm Description and Possible Causes 177
wIPS Solution 177
Denial of Service: RTS Flood 177
Alarm Description and Possible Causes 177
wIPS Solution 178
Denial of Service Attack: Virtual Carrier Attack 178
Alarm Description and Possible Causes 178
wIPS Solution 178
Denial of Service Attacks Against Client Station 178
Denial of Service Attack: Authentication Failure Attack 179
Alarm Description and Possible Causes 179
wIPS Solution 179
Denial of Service Attack: Block ACK Flood 179
Alarm Description and Possible Causes 179
wIPS Solution 179
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 xi
Contents
Denial of Service Attack: Deauthentication Broadcast 180
Alarm Description and Possible Causes 180
wIPS Solution 180
Denial of Service Attack: Deauthentication Flood 180
Alarm Description and Possible Causes 180
wIPS Solution 180
Denial of Service Attack: Disassociation Flood 181
Alarm Description and Possible Causes 181
wIPS Solution 181
Denial of Service Attack: EAPOL Logoff Attack 181
Alarm Description and Possible Causes 181
wIPS Solution 181
Denial of Service Attack: FATA Jack Tool Detected 182
Alarm Description and Possible Causes 182
wIPS Solution 182
Denial of Service Attack: Premature EAP Failure Attack 182
Alarm Description and Possible Causes 182
wIPS Solution 182
Intrusion DetectionSecurity Penetration 182
ASLEAP Tool Detected 183
Alarm Description and Possible Causes 183
wIPS Solution 184
Airdrop Session Detected 184
Alarm and Possible Causes 184
wIPS Solution 184
AirPwn 185
Alarm Description and Possible Causes 185
wIPS Solution 185
Airsnarf Attack Detected 185
Alarm Description and Possible Causes 185
wIPS Solution 185
Bad EAP-TLS Frames 185
Alarm Description and Possible Causes 185
wIPS Solution 185
Beacon Fuzzed Frame Detected 186
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
xii OL-29331-01
Contents
Alarm Description and Possible Causes 186
wIPS Solution 186
Brute Force Hidden SSID 186
Alarm Description and Possible Causes 186
wIPS Solution 186
ChopChop Attack 186
Alarm Description and Possible Causes 186
wIPS Solution 187
DHCP Starvation Attack Detected 187
Alarm Description and Possible Causes 187
wIPS Solution 187
Day-0 Attack by WLAN Security Anomaly 188
wIPS Solution 188
Day-0 Attack by Device Security Anomaly 188
wIPS Solution 188
Device Broadcasting XSS SSID 188
Alarm Description and Possible Causes 188
wIPS Solution 188
Device Probing for Access Points 189
Alarm Description and Possible Causes 189
wIPS Solution 189
Dictionary Attack on EAP Methods 189
Alarm Description and Possible Causes 189
wIPS Solution 190
Fake Access Points Detected 190
Alarm Description and Possible Causes 190
wIPS Solution 190
Fake DHCP Server Detected 190
Alarm Description and Possible Causes 190
wIPS Solution 191
Fast WEP Crack (ARP Replay) Detected 191
Alarm Description and Possible Causes 191
wIPS Solution 191
Fragmentation Attack 191
Alarm Description and Possible Causes 191
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 xiii
Contents
wIPS Solution 192
HT Intolerant Degradation Services 192
Alarm Description and Possible Causes 192
Alarm Description and Possible Causes 192
Honeypot AP Detected 192
Alarm Description and Possible Causes 192
wIPS Solution 192
Hot-Spotter Tool Detected (Potential Wireless Phishing) 193
Alarm Description and Possible Causes 193
wIPS Solution 193
Identical Send and Receive Address 194
Alarm Description and Possible Causes 194
wIPS Solution 194
Improper Broadcast Frames 194
Alarm Description and Possible Causes 194
Improper Broadcast Frames 194
Karma Tool Detected 194
Alarm Description and Possible Causes 194
wIPS Solution 194
Man-in-the-Middle Attack Detected 195
Alarm Description and Possible Causes 195
wIPS Solution 195
NetStumbler Detected 195
Alarm Description and Possible Causes 195
wIPS Solution 196
NetStumbler Victim Detected 196
wIPS Solution 196
Alarm Description and Possible Causes 196
Publicly Secure Packet Forwarding (PSPF) Violation 196
Alarm Description and Possible Causes 196
wIPS Solution 197
Probe Request Fuzzed Frame Detected 197
Alarm Description and Possible Causes 197
Probe Response Fuzzed Frame Detected 197
Alarm Description and Possible Causes 197
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
xiv OL-29331-01
Contents
wIPS Solution 197
Soft AP or Host AP Detected 198
Alarm Description and Possible Causes 198
wIPS Solution 198
Spoofed MAC Address Detected 199
Alarm Description and Possible Causes 199
Suspicious After Hours Traffic Detected 199
Alarm Description and Possible Causes 199
wIPS Solution 199
Unauthorized Association By Vendor List 200
Alarm Description and Possible Causes 200
wIPS Solution 200
Unauthorized Association Detected 200
Alarm Description and Possible Causes 200
wIPS Solution 200
Wellenreiter Detected 201
Alarm Description and Possible Causes 201
wIPS Solution 201
WiFi Protected Setup Pin Brute Force 201
Alarm Description and Possible Causes 201
wIPS Solution 202
WiFi Tap Tool Detected 202
Alarm Description and Possible Causes 202
wIPS Solution 202
Performance Violation 202
Channel or Device Overload 202
AP Association Capacity Full 203
Alarm Description and Possible Causes 203
wIPS Solution 203
AP Overloaded by Stations 203
Alarm Description and Possible Causes 203
wIPS Solution 203
AP Overloaded by Utilization 203
Alarm Description and Possible Causes 203
wIPS Solution 203
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 xv
Contents
Excessive Bandwidth Usage 203
Alarm Description and Possible Causes 203
wIPS Solution 204
Excessive Multicast/Broadcast on Channel 204
Alarm Description and Possible Causes 204
wIPS Solution 204
Excessive Multicast/Broadcast on Node 204
Alarm Description and Possible Causes 204
wIPS Solution 204
APPENDIX B
Rogue Management 205
Rogue Access Point Challenges 205
Rogue Access Point Location, Tagging, and Containment 205
Detecting and Locating Rogue Access Points 206
Monitoring Alarms 207
Monitoring Rogue Access Point Alarms 208
Monitoring Rogue AP Details 210
Detecting Access Points 211
Monitoring Rogue Ad hoc Alarms 212
Monitoring Rogue Ad hoc Details 214
Monitoring Events 216
Monitoring Rogue Clients 216
Configuring Auto SPT Criteria on Prime Infrastructure 217
Configuring Auto Containment Settings on the Prime Infrastructure 217
Configuring Controllers 218
Configuring Rogue Policies 218
Configuring Rogue AP Rules 219
Configuring Controller Template 219
Configuring Rogue Policies 219
Configuring Rogue AP Rules 220
Configuring Rogue AP Rule Groups 222
APPENDIX C
Configuring and Deploying wIPS Solution 225
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
xvi OL-29331-01
Contents
Preface
This preface describes the audience, organization, and conventions of the Cisco Wireless Intrusion Prevention
System Configuration Guide. It also provides information on how to obtain other documentation. This chapter
includes the following sections:
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 xvii
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
xviii OL-29331-01
Preface
CHAPTER 1
Overview
This chapter describes the role of the Cisco Mobility Services Engine (MSE) and the Cisco Wireless Intrusion
Prevention System (wIPS) within the overall Cisco Unified Wireless Network (CUWN).
Cisco wIPS protects the network from penetration attacks, rogue wireless devices, and denial-of-service
(DoS) attacks to improve security and meet compliance objectives. It offers flexible and scalable wireless
network security for dedicated monitoring and detection of wireless network anomalies, unauthorized access,
and RF attacks. This solution delivers integrated visibility and control access across the network, without
the need for an overlay solution.
This chapter contains the following sections:
Information About wIPS, page 1
wIPS in a Cisco Unified Wireless Network, page 3
Differences Between Controller IDS and wIPS, page 6
Information About wIPS
The wIPS performs rogue access point, rogue client, and ad hoc connection detection and mitigation, over-the-air
wireless hacking and threat detection, security vulnerability monitoring, performance monitoring and
self-optimization, network hardening for proactive prevention of threats, and complete wireless security
management and reporting.
Built on the CUWN and leveraging the efficiencies of Cisco Motion, wIPS is deployment-hardened and
enterprise-ready. The wIPS is made up of the following components that work together to provide a unified
security monitoring solution:
A Mobility Services Engine running wIPS softwareServes as the central point of alarm aggregation
for all controllers and their respective wIPS monitor mode access points. Alarm information and forensic
files are stored on the Mobility Services Engine for archival purposes.
A wIPS monitor mode access pointProvides constant channel scanning with attack detection and
forensics (packet capture) capabilities.
Local mode access pointProvides wireless service to clients in addition to time-sliced rogue scanning.
Cisco Wireless Security and Spectrum Intelligence (WSSI)Helps you to avoid radio frequency (RF)
interference so that you get better coverage and performance on your wireless network.
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
OL-29331-01 1
Wireless LAN ControllerForwards attack information received from wIPS monitor mode access points
to the Mobility Services Engine and distributes configuration parameters to access points.
Cisco Prime InfrastructureProvides a centralized management platform for the administrator to
configure the wIPS Service on the Mobility Services Engine, push wIPS configurations to the controller,
and configure access points in wIPS monitor mode. Prime Infrastructure is also used to view wIPS
alarms, forensics, reporting, and to access the attack encyclopedia. This figure shows the wireless
Intrusion Prevention System.
Figure 1: Wireless Intrusion Prevention System
Communication among the system components involves the following protocols:
Control and Provisioning of Wireless Access Points (CAPWAP)This protocol is the successor to
LWAPP and is used for communication between access points and controllers. It provides a bi-directional
tunnel in which alarm information is sent to the controller and configuration information is sent to the
access point.
Network Mobility Services Protocol (NMSP)The protocol handles communication between controllers
and the Mobility Services Engine. In a wIPS deployment, this protocol provides a pathway for alarm
information to be aggregated from controllers and forwarded to the Mobility Services Engine and for
wIPS configuration information to be pushed to the controller. This protocol is encrypted.
Controller TCP Port: 16113
Simple Object Access Protocol (SOAP/XML)The method of communication between the Mobility
Services Engine and the Prime Infrastructure. This protocol is used to distribute configuration parameters
to the wIPS service running on the Mobility Services Engine.
MSE TCP Port: 443
Simple Network Management Protocol (SNMP)This protocol is used to forward wIPS alarm information
from the Mobility Services Engine to the Prime Infrastructure. It is also employed to communicate rogue
access point information from the controller to the Prime Infrastructure.
Cisco Wireless Intrusion Prevention System Configuration Guide, Release 7.5
2OL-29331-01
Overview
Information About wIPS
/