WIDS Technology White Paper


Technical white paper

Table of contents

- Overview
- Background
- Functions
- Rogue detection implementation
  - Concepts
  - Operating mechanism
  - Operating modes
- Attack detection implementation
  - Concepts
  - Operating mechanism
- Access control implementation
  - Concepts
  - Operating mechanism
  - Restrictions
- HP WIDS benefits
- Application scenarios
  - Permitting specific clients to access the WLAN
  - Combining attack detection with access control
  - Monitoring WLAN networks

Overview

Wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a wireless network. WIDS helps protect enterprise networks and users from unauthorized wireless access.

Background

WLAN is vulnerable to attacks because all wireless devices share the same wireless medium, and a WLAN cannot prevent devices from receiving or sending data on it. Wireless security can only be accomplished through authentication, encryption, and detection. The 802.11 standards do not define any protection methods against wireless intrusions, so vendors provide their own WIDS solutions. HP WIDS focuses on link layer security on WLAN networks.

Functions

HP WIDS provides the following functions:

- Rogue detection: Detects the presence of rogue devices in a WLAN network, including rogue APs, rogue clients, and rogue bridges. It also provides countermeasures to stop rogue devices from providing services or accessing the network. Rogue detection is applicable to large wireless networks.
- Attack detection: Detects intrusions or attacks on a WLAN network, and informs the network administrator of the attacks through logs. It can detect the following attacks:
  - Flood attack
  - Spoofing attack
  - Weak IV
- Access control: Uses blacklists and a whitelist to filter frames based on MAC addresses.

Rogue detection implementation

This section describes the operating mechanism and modes of rogue detection.

Concepts

- Rogue device: An unauthorized or malicious device, such as a rogue AP or rogue client.
- Ignore list: Contains the MAC addresses of permitted devices. A device in the list is not a rogue device.
- Permitted vendor list: Contains the OUIs of permitted vendors. A device with an OUI in the list is not a rogue device.
- Permitted SSID list: Contains permitted SSIDs. A device with an SSID in the list is not a rogue device.
- Static attack list: Contains the MAC addresses of denied devices. A device in the list is a rogue device.
Operating mechanism

Rogue detection operates in the following process:

1. Monitors wireless devices. The monitor AP monitors and analyzes surrounding wireless signals and packets, and generates information about detected devices.
2. Identifies rogue devices. The monitor AP determines whether a detected device is a rogue device based on the device information and the configured detection rules.
3. Generates logs and traps. If the device is a rogue device, the AC sends logs and traps to the syslog server or the NMS.
4. Takes countermeasures against rogue devices. The monitor AP takes countermeasures (if enabled) against rogue devices. For a rogue AP, the monitor AP simulates the rogue AP and sends de-authentication packets to the clients associated with it. For a rogue client, the monitor AP sends a de-authentication packet to the client.
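The classification step of the mechanism above (step 2, with the log output of step 3), as an added example that is not part of HP's white paper or product code: a small Python classifier applying the ignore list, permitted vendor list, permitted SSID list and static attack list to constructed device records. The rule precedence (static attack list checked first) and the log line format are assumptions; the paper lists the rules but states no order.

```python
from dataclasses import dataclass

@dataclass
class Detected:
    """One device record produced by a monitor AP (fields are constructed for the example)."""
    mac: str            # MAC address heard on the air
    kind: str           # "ap", "client" or "bridge"
    ssid: str = ""      # SSID advertised or probed for, if any

def norm(mac):
    """Normalize a MAC to lower-case, dash-separated form."""
    return mac.lower().replace(":", "-")

def oui(mac):
    """The vendor OUI, i.e. the first three octets, e.g. '00-0f-e2'."""
    return "-".join(norm(mac).split("-")[:3])

def classify(dev, ignore_list, vendor_ouis, permitted_ssids, static_attack_list):
    """Return (verdict, rule) for one detected device.
    Rule order is an assumption: the paper lists the rules but states no precedence."""
    mac = norm(dev.mac)
    if mac in {norm(m) for m in static_attack_list}:
        return "rogue", "static attack list"
    if mac in {norm(m) for m in ignore_list}:
        return "permitted", "ignore list"
    if oui(mac) in {norm(o) for o in vendor_ouis}:
        return "permitted", "permitted vendor list"
    if dev.ssid and dev.ssid in permitted_ssids:
        return "permitted", "permitted SSID list"
    return "rogue", "matched no permit rule"

def scan(devices, **rules):
    """Steps 2 and 3 of the operating mechanism: classify every detected device and
    return the log lines the AC would forward to the syslog server for rogues."""
    logs = []
    for dev in devices:
        verdict, rule = classify(dev, **rules)
        if verdict == "rogue":
            logs.append(f"WIDS rogue {dev.kind} {norm(dev.mac)} ssid={dev.ssid!r} ({rule})")
    return logs
```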

Operating modes

Rogue detection supports the following operating modes:

- Sensor mode: Monitors the working channel without providing wireless access, or provides both wireless access and periodic channel monitoring.
- Off-channel scan mode: Monitors a non-working channel. The AP cannot provide wireless access within the monitoring interval (less than 100 ms), so this mode affects wireless access performance.

Attack detection implementation

This section describes the operating mechanism of attack detection.

Concepts

- Flood attack: A flood attack sends excessive frames of the same type within a short span of time to overwhelm a WLAN device. Attack detection can detect flood attacks that send the following frames:
  - Probe requests
  - Authentication requests
  - Association requests
  - De-authentication frames
  - Disassociation frames
  - Null data frames
- Spoofing attack: A spoofing attack sends frames on behalf of another device. For example, a spoofed de-authentication frame can cause a client to go offline.
- Weak IV: WEP uses an IV to encrypt each frame. The IV and the key are combined to generate a key stream, so that frames encrypted with the same key still produce different ciphertext. However, if a WLAN device generates IVs insecurely, for example, by using a fixed IV for all frames, the shared secret key may be exposed to attackers. Once the shared secret key is compromised, the attacker can access network resources.

Operating mechanism

Attack detection operates as follows:

1. Updates statistics upon receiving a frame.
2. Performs attack detection:
   - Performs spoofing detection if the frame is a de-authentication or disassociation frame. If the source MAC address is the MAC address of an AP, the frame is considered a disassociation spoofing attack.
   - Performs IV detection if the frame is a data frame that uses WEP encryption. Based on the IV security policy, the AP determines whether it is a weak IV attack.
   - Periodically examines the statistics to detect flood attacks.
3. Sends logs or traps upon detecting an attack.
4. Adds the MAC addresses of attackers to the dynamic blacklist (if enabled). All frames from devices in the blacklist are discarded.

Access control implementation

This section describes the operating mechanism and restrictions of access control.

Concepts

- Blacklist: A blacklist contains the MAC addresses of denied clients. All frames from denied clients are discarded. Blacklists include a static blacklist and a dynamic blacklist. The static blacklist is manually configured. The dynamic blacklist contains devices found by attack detection and rogue detection.

- Whitelist: The whitelist contains the MAC addresses of permitted clients. If the whitelist is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.

Operating mechanism

Access control processes a frame as follows:

1. Checks the frame against the whitelist:
   - Accepts the frame if its source MAC address exists in the whitelist.
   - Discards the frame if its source MAC address does not exist in the whitelist.
2. Checks the frame against the blacklists if the whitelist is not used:
   - Discards the frame if its source MAC address exists in a blacklist.
   - Accepts the frame if its source MAC address does not exist in any blacklist.

Restrictions

The whitelist is manually configured. Therefore, it is more applicable to small WLAN networks.

HP WIDS benefits

HP WIDS has the following benefits:

- Flexible access control: Provides a whitelist for small WLAN networks to permit only specific clients, and blacklists for large WLAN networks to block attackers.
- Countermeasures: Performs the following actions:
  - Sends de-authentication or disassociation packets to rogue devices periodically.
  - Adds attackers found by rogue detection and attack detection to the dynamic blacklist.
- Sensor mode: Detects rogue devices based on user-defined policies. This mode can also take countermeasures against rogue devices.

Application scenarios

This section provides typical application scenarios.

Permitting specific clients to access the WLAN

In a small WLAN network, the set of clients that need to access the WLAN is stable. You can configure the whitelist to permit only those clients. As shown in Figure 1, there is only one AP providing wireless access. Client 1 (MAC address 00-0f-e2-00-00-01) and Client 2 (MAC address 00-0f-e2-00-00-02) need to access the WLAN. You can add the MAC addresses of the two clients to the whitelist, so that only Client 1 and Client 2 can access the WLAN. All frames from other clients are discarded by the AP.
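The attack-detection steps (per-frame statistics, spoofing and weak-IV checks, periodic flood check, logging, dynamic blacklist) and the access-control decision described above, as an added example that is not part of HP's white paper or product code. The frame record format, the flood threshold, the repeated-IV policy, and reading "the MAC address of an AP" as the receiving AP's own address are assumptions; the whitelist case reuses the Client 1 and Client 2 addresses from the scenario above.

```python
from collections import Counter, defaultdict

FLOOD_TYPES = {"probe_req", "auth_req", "assoc_req", "deauth", "disassoc", "null_data"}

class Wids:
    def __init__(self, ap_mac, flood_threshold=50, whitelist=None, static_blacklist=()):
        self.ap_mac = ap_mac.lower()                 # MAC of the AP running detection
        self.flood_threshold = flood_threshold       # frames of one type per interval (assumed)
        self.whitelist = {m.lower() for m in whitelist} if whitelist else None
        self.static_blacklist = {m.lower() for m in static_blacklist}
        self.dynamic_blacklist = set()
        self.stats = defaultdict(Counter)            # source MAC -> frame-type counts
        self.seen_ivs = defaultdict(set)             # source MAC -> WEP IVs already seen
        self.logs = []                               # stands in for syslog / SNMP traps

    def _alarm(self, src, what, blacklist=True):
        # Steps 3 and 4: log the attack, then blacklist the attacker (if enabled).
        self.logs.append(f"WIDS attack detected: {what} from {src}")
        if blacklist:
            self.dynamic_blacklist.add(src)

    def on_frame(self, frame):
        src, ftype = frame["src"].lower(), frame["type"]
        if ftype in FLOOD_TYPES:                     # step 1: update statistics
            self.stats[src][ftype] += 1
        # Spoofing: a de-auth/disassociation claiming to come from this AP, which the AP
        # itself did not send. The source MAC is forged, so it is not blacklisted.
        if ftype in ("deauth", "disassoc") and src == self.ap_mac:
            self._alarm(src, f"{ftype} spoofing", blacklist=False)
        # Weak IV: the paper's example of an insecure scheme is a fixed IV, so a repeated
        # IV from the same sender is flagged (assumed IV security policy).
        if ftype == "data" and frame.get("wep"):
            iv = frame["iv"]
            if iv in self.seen_ivs[src]:
                self._alarm(src, f"weak IV {iv:#08x}")
            self.seen_ivs[src].add(iv)

    def end_interval(self):
        """Periodic check: too many frames of one type in the interval is a flood."""
        for src, counts in self.stats.items():
            for ftype, n in counts.items():
                if n >= self.flood_threshold:
                    self._alarm(src, f"{ftype} flood ({n} frames)")
        self.stats.clear()

    def accept(self, src):
        """Access control: the whitelist decides if configured, otherwise the blacklists."""
        src = src.lower()
        if self.whitelist is not None:
            return src in self.whitelist
        return src not in self.static_blacklist and src not in self.dynamic_blacklist
```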

Figure 1. Network diagram (one AP serving Client 1, 00-0f-e2-00-00-01, and Client 2, 00-0f-e2-00-00-02; the AP reaches the Internet through PSTN or a community broadband network)

Combining attack detection with access control

In a medium-size WLAN network, you can configure both attack detection and the blacklist. Attack detection adds attackers to the blacklist, and all frames from the attackers are discarded. As shown in Figure 2, when the rogue client floods association requests to AP 3, WIDS detects the attack and adds the client to the blacklist. AP 3 then discards all frames from the rogue client.

Figure 2. Network diagram (AC connected to the Intranet, a RADIUS server, and the Internet; AP 1, AP 2, and AP 3 serving Client 1, Client 2, and the rogue client)

Monitoring WLAN networks

In a large WLAN network, you can configure monitor APs in addition to attack detection and access control. The monitor APs provide rogue device detection. As shown in Figure 3, three monitor APs are responsible for detecting rogue devices. You can enable countermeasures to add attackers found by rogue detection and attack detection to the dynamic blacklist. All frames from devices in the blacklist are discarded.

Figure 3. Network diagram (AC connected to the Intranet, a RADIUS server, and the Internet; Monitor AP 1, Monitor AP 2, and Monitor AP 3 detecting an ad hoc client, a rogue AP, and a rogue client)

Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

5998-7002, October 2014