Configuring IDS Parameters on APs
Aruba Central supports the IDS (Intrusion Detection System) feature that monitors the network for the presence of unauthorized APs and clients. It also logs information about the unauthorized APs and clients, and generates reports based on the logged information.
Rogue APs
The IDS feature in the Aruba Central network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. A rogue AP is an unauthorized AP plugged into the wired side of the network. An interfering AP is an AP seen in the RF (Radio Frequency) environment, but it is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
The built-in IDS scans for APs that are not controlled by the VC. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.
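The classification described above, sketched as an added example (it is not Aruba's code or algorithm). The MAC addresses are constructed, and the wired-side check (a BSSID within one of a MAC address learned on the wired network) is an assumed heuristic for deciding that an AP is on your network. The second run shows an interfering AP being reclassified as rogue once it appears on the wire.

```python
"""Added illustration of the Rogue / Interfering split described above."""


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def seen_on_wire(bssid: str, wired_macs, window: int = 1) -> bool:
    # Assumed heuristic: an AP's radio BSSID is often its Ethernet MAC +/- 1,
    # so a near match in the wired MAC table suggests the AP is plugged in.
    target = mac_to_int(bssid)
    return any(abs(target - mac_to_int(m)) <= window for m in wired_macs)


def classify(bssid: str, managed_bssids, wired_macs) -> str:
    """Return Managed, Rogue (on your network) or Interfering (RF only)."""
    if mac_to_int(bssid) in {mac_to_int(m) for m in managed_bssids}:
        return "Managed"          # controlled by the VC, not an IDS finding
    if seen_on_wire(bssid, wired_macs):
        return "Rogue"            # unauthorized and on the wired side
    return "Interfering"          # heard over the air only


def classify_scan(scan, managed_bssids, wired_macs) -> dict:
    """Classify every BSSID heard in one RF scan."""
    return {b: classify(b, managed_bssids, wired_macs) for b in scan}


# Constructed sample data (locally administered MAC addresses).
MANAGED = {"02:00:00:aa:00:10"}                    # APs controlled by the VC
SCAN = ["02:00:00:aa:00:10", "02:00:00:bb:00:21", "02:00:00:cc:00:30"]
WIRED_T0 = {"02:00:00:aa:00:0f"}                   # wired MAC table, first scan
WIRED_T1 = WIRED_T0 | {"02:00:00:bb:00:20"}        # later: unknown AP plugged in

if __name__ == "__main__":
    for label, wired in (("first scan", WIRED_T0), ("later scan", WIRED_T1)):
        print(label, classify_scan(SCAN, MANAGED, wired))
```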
Configuring Wireless Intrusion Detection and Protection Policies
To configure a Wireless Intrusion Detection and Protection policy:
1. In the app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.
2. Under , click .
3. Click the icon. The tabs to configure access points are displayed.
4. Click .
5. Click . The details page is displayed.
6. Click the accordion.
The following three sections are displayed:
You can configure the following options in the above mentioned sections:
—Specifies the policy for detecting wireless attacks on APs.
—Specifies the policy for detecting wireless attacks on clients.
—Specifies the policy for protecting APs from wireless attacks.
—Specifies the policy for protecting clients from wireless attacks.
—Specifies the policies to set a firewall for a secured network access.
—Prevents unauthorized stations from connecting to your Aruba Central network.
Each of these options contains several default levels that enable different sets of policies. An administrator can customize, enable, or disable these options accordingly.
Detection
The detection levels can be configured using the section. The following levels of detection can be configured in the WIP (Wireless Intrusion Protection) Detection page:
High
Medium
Low
Off
The following table describes the detection policies enabled in the Infrastructure Detection field.
Detection level | Detection policy
| All detection policies are disabled.
| Allows you to select custom detection policies. To select, click the check box of the respective detection policy.
The following table describes the detection policies enabled in the Client Detection field.
Detection level | Detection policy
| All detection policies are disabled.
| Allows you to select custom detection policies. To select, click the check box of the respective detection policy.
Protection
The following levels of protection can be configured in the WIP Protection page:
Off
Low
High
The following table describes the protection policies that are enabled in the Infrastructure Protection field.
Protection level | Protection policy
| All protection policies are disabled.
| Allows you to select custom protection policies. To select, click the check box of the respective protection policy.
The following table describes the protection policies that are enabled in the Client Protection field.
Protection level | Protection policy
| All protection policies are disabled.
| Allows you to select custom protection policies. To select, click the check box of the respective protection policy.
Containment Methods
You can enable wired and wireless containment measures to prevent unauthorized stations from connecting to your Aruba Central network.
Aruba Central supports the following types of containment mechanisms:
— When enabled, APs generate ARP (Address Resolution Protocol) packets on the wired network to contain wireless attacks.
— When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified AP.
— Disables all the containment mechanisms.
— With deauthentication containment, the AP or client is contained by disrupting the client association on the wireless interface.
— With tarpit containment, the AP is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the AP being contained.
The FCC (Federal Communications Commission) and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.
Protection Against Wired Attacks
In the section, enable the following options:
—Drops the fake ARP packets.
—Fixes the malformed
—Triggers an alert on ARP poisoning caused by the rogue APs.
Firewall Settings
To configure firewall settings by specifying the policies for a secured network access, see Configuring Management Subnets.