PRODUCT GUIDE
Wireless Intrusion Prevention Systems

The Need for Wireless INTRUSION PREVENTION SYSTEMS

A Wireless Intrusion Prevention System (WIPS) is designed to address two classes of challenges facing today's network manager.

First is the threat of uncontrolled wireless devices. Wireless is inside almost every organization, whether sanctioned by IT or not. One of the more dangerous forms this takes is the rogue AP, a standard Wi-Fi access point deployed by an employee or some other person outside the IT organization. When these rogue APs are connected to an enterprise network, they introduce security holes that may be exploited by an attacker. Another form of uncontrolled wireless is the Wi-Fi enabled laptop, PDA, or phone. Almost all laptops manufactured today include Wi-Fi built in, and the threat of end users misconfiguring these devices and compromising network security is very real. Some users may enable bridging between a wired network and a wireless network, while other users may form ad-hoc peer-to-peer Wi-Fi networks which may be intercepted by an intruder. All organizations, regardless of plans for general Wi-Fi deployment, should put measures in place to protect against uncontrolled wireless.

If a general Wi-Fi deployment is in place, a second class of challenges presents itself: detecting and defending against a wireless attacker. At a basic level, all wireless networks are vulnerable to denial-of-service attacks caused by jamming, flooding of traffic, or malicious manipulation of control and management network traffic. A WIPS can detect such attacks, localize them, and notify an administrator. Next, some types of Wi-Fi networks, particularly open networks or those based on WEP encryption, are vulnerable to a class of attacks such as impersonation, man-in-the-middle, and injection. A WIPS will detect and prevent these types of attacks.

Aruba's WIPS Product Offerings

Four major classifications of WIPS exist in the market:

Wired Rogue Detection: Focused on scanning wired and wireless networking equipment to identify rogue APs. Does not use any wireless sensors of its own.

On-demand systems: Offer portable, on-demand scanning and monitoring for situations where full-time monitoring is not required. Installed on a laptop.

Overlay: Infrastructure (permanently installed) system that can enforce no-wireless policies or monitor and protect an already-installed WLAN through a network of sensors communicating with a central server. An overlay WIPS is not part of the WLAN access network, and thus can be used with any vendor's WLAN equipment.

Integrated: Infrastructure (permanently installed) system that can enforce no-wireless policies or monitor and protect an installed WLAN. In an integrated system, the WIPS is part of the WLAN access network; APs can act as hybrid devices by simultaneously serving wireless clients while monitoring for WIPS events.

Of the architectures described above, Aruba Networks offers products in all four categories. Each solution offers industry-leading performance and features within its category.

WIRED ROGUE DETECTION

The software module is designed for organizations that do not have wall-to-wall coverage with RF sensors, but still need to defend their networks against rogue APs. automatically detects and locates unauthorized access points through a combination of wireless and wired network scans. First, the software can use existing authorized APs and wireless LAN controllers to scan the airspace for any unauthorized devices in range. Second, queries wired switches and routers, and scans the wired network to determine whether any unknown devices that are likely rogue APs are connected. Even without an installed wireless LAN, can ensure no rogue APs are on the network.
can also be combined with an Aruba or other third-party Wireless Intrusion Prevention System to increase their joint effectiveness.

On-Demand

For occasional WIPS monitoring or on-demand scanning, Mobile delivers all the power of an infrastructure WIPS in a portable form factor.

Mobile

Mobile is a powerful, portable suite for vulnerability assessments, incident response and surveying. It is the industry's most complete wireless analysis tool to help design, maintain, and secure wireless networks. Running on a Windows-based laptop and designed for walk-around use, Mobile can be used for locating suspect devices, conducting security audits, site surveys and troubleshooting, whether a wireless LAN (WLAN) has been deployed or not. The Mobile system also helps organizations enforce both no-wireless policies and WLAN security best practices, as well as ensure compliance with regulations and corporate security policies.

OVERLAY

is an infrastructure-based two-tier WIPS consisting of a network of sensors, built from Aruba's line of access points, and a centralized server running software. This powerful wireless security solution incorporates the industry's only Wireless Threat Protection Framework for complete threat detection, attack prevention, no-wireless policy enforcement and compliance reporting inside the enterprise. secures your wireless network against intrusions that are perpetrated intentionally and from vulnerabilities caused unintentionally through misconfigured network equipment. The solution can be deployed standalone, with no wireless LAN present, or as an overlay to monitor any vendor's wireless LAN equipment.

Integrated

For organizations that have deployed wireless LAN access using Aruba mobility controllers, or for organizations who wish to enforce a no-wireless policy today but plan to enable wireless in the future, Aruba mobility controllers running include a built-in cost-effective WIPS solution. In this architecture, a network of access points is deployed to provide wireless monitoring coverage throughout a facility. Access points can be configured in dedicated air monitor mode where only scanning and WIPS functions are performed, or as hybrid APs that perform WIPS functions while simultaneously serving WLAN clients.

is a modular operating system consisting of multiple licensed software packages. In the base operating system, performs rogue AP detection and containment.
With the addition of the Wireless Intrusion Prevention software module, the system is transformed into a full WIPS protecting against malicious attacks as well as misconfigured or uncontrolled wireless devices.

How to Choose

Each Aruba WIPS product contains industry-leading functionality within its category. The architecture of your wireless network will often help determine which product is right for your organization. Where portable, on-demand monitoring is needed, Mobile is the solution of choice. For infrastructure (permanently installed) systems, the following table presents a summary of the differences between each Aruba WIPS product.

Infrastructure WIPS Feature Table

Cost: $ $ $$ $$$
Scanning
Scanning Type
Wired
All valid 802.11 channels
All valid 802.11 channels
TotalWatch
Hybrid APs (Simultaneous WLAN access and WIP monitoring)
Rogue AP Detection
Future release
Rogue AP Detection
Detection without APs or sensors deployed
Rogue AP Classification
Comparing MAC addresses on wireless and wired
Packet injection (Open and WEP rogues)
Comparing MAC addresses with CAM tables from network switches
Rogue AP Containment Techniques
Future release
Wireless (De-auth method)
Wireless (Tarpit method)
Wired (SNMP-based shut down of wired switch port)
Wired (wired laser beam)
Future release

Intrusions / Events

Security - Vulnerability
  AP Broadcasting SSID
  AP is not using encryption
  AP is using default SSID
  AP is sending encrypted and unencrypted data
  Ad-hoc network operating
  Client is not using encryption
  Client is sending encrypted and unencrypted data
  Detected Soft AP
  Detected AP/Client State change
  NetBIOS Traffic
  Station is operating as Unauthorized type
  Station is using Weak WEP IVs

Security - Threat
  AP is using Hotspot SSID
  Authorized AP denied association
  Authorized AP denied authentication
  Client probing for any access point
  NetStumbler detected
  Unauthorized AP detected
  Unauthorized ad-hoc client detected
  Unauthorized client detected
  Wellenreiter detected

Security Attack - Intrusion
  AP channel change
  AP SSID changed
  ASLEAP attack detected
  Adhoc SSID same as authorized AP
  AirJack attack detected
  Airsnarf attack detected
  Aruba attack
  Broadcast Disassociation packet
  Broadcast deauthentication packet
  Client (authorized) connected to rogue AP
  Client (rogue) connected to authorized AP
  Constant traffic sent/received by rogue AP
  Fake AP operating
  Fake Client operating
  Fata-jack attack detected
  Fragmentation attack detected
  Hotspotter attack detected
  Improper broadcast packet
  Possible ARP Poison - IP hijack
  Possible ARP Poison - multi IP hijack
  Possible ARP Worm traffic
  Possible Aireplay WEP attack in use
  Possible IP Worm traffic
  Service VAN nearby
  Spoofed MAC address (detected as sequence number anomaly)
  Spurious traffic sent by AP
  Spurious traffic sent by client
  Station is using random MAC address (detected as sequence number anomaly)
  Suspected Evil Twin Attack
  Unauthorized AP using same SSID as Authorized AP
  WEPWedgie attack detected
  Wrong beacon channel number reported

Security Attack - DOS
  AP Overloaded
  Association storm
  Authentication storm
  Deauthentication storm
  Disassociation storm
  Duration attack detected
  EAPOL Logoff storm
  EAPoL start storm
  Omerta attack
  RF Jamming detected
  Unmodified Omerta attack

Operational - Performance
  Channel with too many APs
  Channel with excessive errors
  Client rate support mismatch
  Station with excess retransmissions

Operational
  AP reported a problem to a client
  AP supports Multiple SSIDs
  Access Point restarted
  Authorized AP is down
  Client BSSID changed
  Client reported a problem to AP
  Client notified AP that it is leaving
  Constant traffic sent/received by authorized client
  New AP discovered
  New Ad-hoc client discovered
  New Client discovered
  Radar interference detected
  Turbocell detected
  WDS in Operation/Bridging

Advanced WIP features
  PolicyEnforce (Customized security policy creation and enforcement)
  User Defined Signatures
  Forensics Reporting
  Compliance Reporting - PCI
  Compliance Reporting - HIPAA
  Compliance Reporting - SOX
  Standard security reports
  Custom report generation

How to Order

The module is included at no extra charge in the Wireless Management Suite.

Mobility Software rogue AP detection and containment is enabled in the base operating system, without the need for additional software licenses. To enable full WIP functionality, install the appropriate WIP software licenses from the table below. A WIP license must be installed on each mobility controller in the network.

WIP functionality is purchased according to the number of APs connected to the mobility controller. The Aruba 200, 800, 2400, 6000-SC1, and 6000-SC2 mobility controllers are fixed-capacity systems; WIP licenses are purchased for the full capacity of the system. The Aruba 3000 series and 6000-M3 Multi-Service Mobility Controllers are variable-capacity systems that support different numbers of APs based on software licenses. For these systems, order enough WIP licenses to support the total licensed AP capacity of the system. For example, if the mobility controller is licensed for 128 campus-connected APs and 16 Remote APs, the WIP license capacity must equal at least 144.

The following licenses are only applicable for the Aruba 200, 800, 2400, 6000 SC-1, and 6000 SC-2 Mobility Controllers.

Part number        Description
LIC-200-WIP        A200 (6 AP License)
LIC-804-WIP        A800-4 (4 AP License)
LIC-800-WIP        A800-16 (16 AP License)
804-UG-WIP-1       Upgrade LIC-804-WIP to LIC-800-WIP
LIC-2400-WIP       A2400-48 (48 AP License)
LIC-SC1-WIP-48     Aruba Supervisor Card I (48 AP)
LIC-SC1-WIP        Aruba Supervisor Card I (128 AP)
LIC-SC2-WIP        Aruba Supervisor Card II (256 AP)
LIC-SC1-WIP-UG-1   Wireless Intrusion Protection for Sup. Card I (Upgrade 48 AP to 128 AP)

The following licenses are only applicable for the M3 and 3000 Series Multi-Service Mobility Controllers. The number of WIP licenses must be equal to the total licensed AP capacity of the mobility controller.
Example: If the mobility controller is licensed for 128 campus-connected APs and 16 Remote APs, the WIP license capacity must equal at least 144.

Part number    Description
LIC-WIP-8      License (8 AP Support)
LIC-WIP-16     License (16 AP Support)
LIC-WIP-32     License (32 AP Support)
LIC-WIP-64     License (64 AP Support)
LIC-WIP-128    License (128 AP Support)
LIC-WIP-256    License (256 AP Support)
LIC-WIP-384    License (384 AP Support)
LIC-WIP-512    License (512 AP Support)

is delivered as installable software on a CD-ROM. You will need a permanently installed server meeting the minimum system requirements (available in the datasheet) to run the software. is licensed according to the number of sensors it supports, with sensor licenses available in increments of one.

Part number       Description
RFP-1088-01-W     (Windows) - up to 1 sensor
RFP-1088-10-W     (Windows) - up to 10 sensors
RFP-1088-100-W    (Windows) - up to 100 sensors
RFP-1088-01-L     (Linux) - up to 1 sensor
RFP-1088-10-L     (Linux) - up to 10 sensors
RFP-1088-100-L    (Linux) - up to 100 sensors
LIC-RFP-1         RFProtect Expansion License - 1 sensor upgrade
LIC-RFP-10        RFProtect Expansion License - 10 sensor upgrade
LIC-RFP-100       RFProtect Expansion License - 100 sensor upgrade
LIC-RFP-UL-1      Mobile Unlimited Sensor Expansion License for RFProtect Server

Mobile is distributed as installable software on a CD-ROM. You will need a laptop meeting the minimum system requirements (available in the Mobile datasheet) and with a supported Wireless LAN adapter.

Part number    Description
RFP-1012-6     RFProtect Mobile Software

www.arubanetworks.com
1344 Crossman Avenue. Sunnyvale, CA 94089
Tel. +1 408.227.4500 Fax. +1 408.227.4550

© 2008 Aruba Networks, Inc. Aruba Networks, Aruba Mobility Management System, Bluescanner, For Wireless That Works, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company are trademarks of Aruba Networks, Inc. All rights reserved.
All other trademarks are the property of their respective owners. PG_WIPS_US_080715