
WLAN WIDS Technology White Paper

Issue 1.0

Date 2014-04-24

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Tel: 0755-28560000 4008302118
Fax: 0755-28560111

Issue 1.0 (2014-04-24) Huawei Proprietary and Confidential i



About This Document

Keyword
WLAN, WIDS, WIPS

Abstract
An 802.11 network is an open wireless network prone to various security threats, for example,
attacks from rogue APs, unauthorized STAs, ad-hoc networks, spoofing APs, and DDoS
attacks launched by malicious terminals. WIDS/WIPS can monitor and defend against these
security threats on WLANs.

Abbreviations
Abbreviation  Full Name                                           Description
Rogue AP      -                                                   An unauthorized AP.
SSID          Service Set Identifier                              Name of the WLAN access service provided by the AP.
BSSID         Basic Service Set Identifier                        MAC address of the AP.
CAPWAP        Control And Provisioning of Wireless Access Points  IETF-defined standards for AP management and communications with the AC.
WIDS          Wireless Intrusion Detection System                 Wireless Intrusion Detection System.




Contents

About This Document  ii
1 Overview  1
2 Technology Implementation  2
2.1 Basic Concepts  2
2.2 Rogue Device Monitoring  3
2.2.1 AP Working Mode  3
2.2.2 Device Type Identification  4
2.2.3 Device Information Report  7
2.2.4 Rogue Device Identification  9
2.3 Rogue Device Defense and Countermeasures  10
2.4 Wireless Attack Detection  12
2.4.2 Flood Attack Detection  13
2.4.3 Spoofing Attack Detection  14
2.4.4 Weak IV Attack Detection  14
2.4.5 Defense Against Brute Force PSK Cracking  15
2.5 Wireless Attack Defense  17
2.5.1 Dynamic Blacklist  17
2.5.2 Static Blacklist  19
3 Benefits to Customers  20
4 Typical Application Scenarios  21
4.1 Public Places or Neighboring Companies  21
4.2 Deployment of Rogue APs in a Company  22
4.3 Attacks to WLANs  23




1 Overview

An 802.11 network is an open wireless network prone to various security threats, for example,
attacks from rogue APs, unauthorized STAs, ad-hoc networks, spoofing APs, and DDoS
attacks launched by malicious terminals. WIDS/WIPS can monitor and defend against these
security threats on WLANs.
Wireless Intrusion Detection System (WIDS): detects malicious attacks and intrusions to
WLANs.
Wireless Intrusion Prevention System (WIPS): protects an enterprise network against
access from unauthorized devices and prevents attacks to the network system.
WIDS and WIPS technologies secure a wireless network, reduce interference from
unauthorized devices, and protect users from malicious attacks, delivering better user
experience.
WIDS and WIPS provide different functions on enterprise networks of different scales:
On home networks or small enterprise networks: control access from APs and clients
using a blacklist and whitelist. Access control is implemented on the AC and does not
depend on the AP. (For details, see the AP and user access control documents.)
On small and medium enterprise networks: WIDS detects attacks from unauthorized
devices.
On medium and large enterprise networks: detect and identify rogue devices, and take
countermeasures to protect the network.
In addition to secure WLAN access, a large-sized network requires a system that can detect
rogue wireless devices and reject access from these devices to protect services of authorized
users.




2 Technology Implementation

2.1 Basic Concepts


The WLAN security mechanism consists of access authentication for wireless terminals,
wireless link data encryption, and WIDS/WIPS, among which the access authentication
process includes link authentication and user authentication. Essentially, STA blacklist and
whitelist are also applied during the terminal access authentication process. In the wireless
link data encryption process, WEP, TKIP, or CCMP is used to encrypt air port data to ensure
data confidentiality and security. WIDS/WIPS detects and defends against intrusion from
unauthorized users or APs. Figure 2-1 shows application of the WLAN security mechanism.

Figure 2-1 Application of the WLAN security mechanism

[Figure: STA, AP, AC and AAA server. Labels: Access authentication; Link encryption; Policy control; Detect and defend against attacks (WIDS/WIPS); Detect and counter unauthorized devices (WIDS/WIPS).]

As shown in the figure, WIDS and WIPS are used to detect and counter unauthorized devices.
WIDS: detects unauthorized APs, bridges, user terminals, ad-hoc devices, and
interfering APs on overlapping channels.
WIPS: disconnects an authorized user from a spoofing AP, disconnects unauthorized
APs or ad-hoc devices, and counters unauthorized devices.
Basic concepts involved in WIDS/WIPS:
Rogue AP: an unauthorized or malicious AP. A rogue AP can be an AP connected to the
network without permission, an unconfigured AP, a neighbor AP, or an AP manipulated by
an attacker.
Rogue client: an unauthorized or malicious client, similar to a rogue AP.
Rogue wireless bridge: an unauthorized or malicious wireless bridge.
Monitor AP: an AP that scans or listens on wireless channels and attempts to detect
attacks to the wireless network.
Ad-hoc mode: a client working mode, in which clients can communicate with each other
without using any other network device.

2.2 Rogue Device Monitoring


Monitor APs can be deployed on a network that needs protection to monitor the entire
network. The monitor APs can periodically listen on wireless frames to detect rogue devices.

2.2.1 AP Working Mode


Before configuring rogue device detection on an AP, configure the AP working mode.
An AP supports three working modes: access, monitoring, and hybrid:
Access mode: If background neighbor probing is not enabled on an AP, the AP only
transmits data of wireless users and does not monitor wireless devices on the network. If
background neighbor probing is enabled, the AP can not only transmit data of wireless
users but also scan wireless devices and listen on all 802.11 frames on wireless channels.
Monitoring mode: An AP scans wireless devices on the network and listens on all 802.11
frames on wireless channels. In this mode, all WLAN services on the AP are disabled
and the AP cannot transmit data of wireless users.
Hybrid mode: An AP can monitor wireless devices while transmitting data of wireless
users.
An AP can implement the WIDS or WIPS function only when it works in monitoring or
hybrid mode.
Unlike APs in access or monitoring mode, an AP in hybrid mode alternates between the
access and monitoring modes. Figure 2-2 shows the three working modes.


Figure 2-2 Working modes of APs

The monitoring channels can be all channels of the frequency band that the AP works on or channels
specified by the country code.

2.2.2 Device Type Identification


On a WLAN network, APs, clients, ad-hoc STAs, and wireless bridges need to be monitored.

Figure 2-3 Rogue device monitoring and identification

[Figure: an AC connected over an IP network to three APs; the APs observe ad-hoc devices, rogue STAs, rogue APs and rogue bridges.]


An AP working in monitoring or hybrid mode can identify types of neighboring wireless


devices according to detected 802.11 management frames and data frames. The process is as
follows:
The AP working mode is set to monitoring or hybrid on the AC.
The AC delivers the configuration to the AP.
The AP listens on frames sent from neighboring wireless devices to collect information.
The AP determines frame types and device types according to MAC headers in received
802.11 MAC frames.
A monitor AP listens on the following frames to collect information about neighboring clients,
ad-hoc STAs, and wireless bridges:
Beacon
Association Request
Association Response
Reassociation Request
Reassociation Response
Probe Response
Data frame
When the AP receives an 802.11 MAC frame, it checks the frame type and network type
according to the 802.11 protocol.
The Frame Control field in the MAC header of a frame indicates the frame type. Figure 2-4
and Figure 2-5 show the MAC frame header and structure of the Frame Control field.

Figure 2-4 802.11 MAC frame header

Figure 2-5 Frame Control field structure

Subfields of the Frame Control field, with their widths in bits: Protocol Version (2), Type (2), Subtype (4), To DS (1), From DS (1), More Frag (1), Retry (1), More Data (1), Protected Frame (1), Order (1).

If the Type subfield is 00, the AP checks the Subtype subfield. The values of the Subtype
subfield and corresponding frame types are as follows:
1000: Beacon
0001: Association Response
0010: Reassociation Request
0011: Reassociation Response
0101: Probe Response


A management frame carries the Capability Information field, which consists of ESS and
IBSS subfields. The AP identifies ad-hoc networks or wireless bridges based on the two
subfields.

Figure 2-6 Capability Information field

1. Independent BSS (IBSS) indicates an ad-hoc network.
2. Extended Service Set (ESS) indicates an AP or a STA.

If the IBSS subfield is 1, the device is an ad-hoc device; if the IBSS subfield is 0 and the ESS
subfield is 0, the device is a wireless bridge; if the IBSS subfield is 0 and the ESS subfield is
1, the device is an AP or STA, which can be further clarified based on the management frame
type.

ESS and IBSS subfields  Beacon, Association Response, Reassociation Response  Association Request, Reassociation Request
10                      AP                                                    STA
01                      Ad-hoc                                                Ad-hoc
00                      Wireless bridge                                       Wireless bridge
11                      Reserved                                              Reserved

The AP determines the types of rogue devices based on the collected management frames (Subtype field
in the 802.11 frames).

When the Type subfield is 10, the frame is a data frame.


The To DS and From DS subfields indicate whether the data frame is sent from or to a
distribution system (DS). The following table describes combinations of the two subfields.

To DS  From DS  Meaning
0      0        Data frame sent between two stations that are not APs in a basic service set
0      1        Data frame sent from a wireless station in a basic service set
1      0        Data frame sent to a wireless station in a basic service set
1      1        Data frame sent between two wireless bridges

An AP identifies device types in the following way:


When receiving a Probe Request, Association Request, or Reassociation Request frame,
the AP determines whether the sender is an ad-hoc device or STA according to the
network type specified in the Capability Information field in Frame Body of the
802.11 MAC frame.
1. Ad-hoc device: In Capability Information field, the ESS subfield is 0 and the IBSS
subfield is 1.
2. STA: In Capability Information field, the ESS subfield is 1 and the IBSS subfield is
0.
When receiving a Beacon, Probe Response, Association Response, or Reassociation
Response frame, the AP determines whether the sender is an ad-hoc device or AP
according to the network type specified in the Capability Information field in Frame
Body of the 802.11 MAC frame.
1. Ad-hoc device: In Capability Information field, the ESS subfield is 0 and the IBSS
subfield is 1.
2. AP: In Capability Information field, the ESS subfield is 1 and the IBSS subfield is
0.
The AP listens on all 802.11 data frames and checks the DS subfields of the data frames
to determine whether the sender is an ad-hoc device, wireless bridge, STA, or AP.
1. Ad-hoc device: In the Frame Control field of the 802.11 MAC header, both the To
DS and From DS subfields are 0.
2. Wireless bridge: Both the To DS and From DS subfields are 1.
3. STA: The To DS subfield is 1 and the From DS subfield is 0.
4. AP: The To DS subfield is 0 and the From DS subfield is 1.
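The classification rules above, written out as an added Python example (not part of the white paper and not Huawei's AP software). It assumes a 24-byte MAC header without HT Control, takes the Capability Information offsets and the Power Management bit from IEEE 802.11, and builds its own sample frames rather than using real captures.

```python
import struct

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0b00, 0b01, 0b10

# Management subtypes the paper lists (values from IEEE 802.11).
MGMT_SUBTYPES = {
    0b0000: "Association Request", 0b0001: "Association Response",
    0b0010: "Reassociation Request", 0b0011: "Reassociation Response",
    0b0100: "Probe Request", 0b0101: "Probe Response", 0b1000: "Beacon",
}
# Request subtypes are sent by a STA (or ad-hoc device); responses and Beacons by an AP.
REQUEST_SUBTYPES = {0b0000, 0b0010, 0b0100}
# Offset of Capability Information inside the frame body: Beacon and Probe Response
# carry Timestamp (8) and Beacon Interval (2) first; the other listed subtypes start with it.
CAPAB_OFFSET = {0b1000: 10, 0b0101: 10}
MAC_HDR_LEN = 24  # Frame Control, Duration, Address 1-3, Sequence Control (assumption: no HT Control)

# Data frames: (To DS, From DS) -> sender type, as in section 2.2.2.
DS_SENDER = {(0, 0): "ad-hoc", (1, 1): "wireless bridge", (1, 0): "STA", (0, 1): "AP"}


def parse_frame_control(frame: bytes) -> dict:
    """Split the little-endian 16-bit Frame Control field (Figure 2-5 layout).
    Bit 12, Power Management, comes from the standard and is not shown in the figure."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {
        "version": fc & 0b11,
        "type": (fc >> 2) & 0b11,
        "subtype": (fc >> 4) & 0b1111,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "protected": (fc >> 14) & 1,
    }


def classify_sender(frame: bytes) -> str:
    """Return the device type of the frame's sender, or 'unknown'."""
    fc = parse_frame_control(frame)
    if fc["type"] == TYPE_DATA:
        return DS_SENDER[(fc["to_ds"], fc["from_ds"])]
    if fc["type"] != TYPE_MGMT or fc["subtype"] not in MGMT_SUBTYPES:
        return "unknown"  # control frames and other subtypes carry no Capability Information
    offset = MAC_HDR_LEN + CAPAB_OFFSET.get(fc["subtype"], 0)
    if len(frame) < offset + 2:
        return "unknown"  # truncated capture
    capab = struct.unpack_from("<H", frame, offset)[0]
    ess, ibss = capab & 1, (capab >> 1) & 1  # bit 0 = ESS, bit 1 = IBSS
    if ibss == 1 and ess == 0:
        return "ad-hoc"
    if ibss == 0 and ess == 0:
        return "wireless bridge"
    if ibss == 1 and ess == 1:
        return "unknown"  # reserved combination
    return "STA" if fc["subtype"] in REQUEST_SUBTYPES else "AP"


# --- constructed sample frames (invented for this example, not real captures) ---
def make_mgmt_frame(subtype: int, ess: int, ibss: int) -> bytes:
    fc = struct.pack("<H", (TYPE_MGMT << 2) | (subtype << 4))
    addr = bytes.fromhex("020000000001")
    header = fc + bytes(2) + b"\xff" * 6 + addr + addr + bytes(2)  # 24 bytes
    body = bytes(CAPAB_OFFSET.get(subtype, 0)) + struct.pack("<H", ess | (ibss << 1))
    return header + body


def make_data_frame(to_ds: int, from_ds: int) -> bytes:
    fc = (TYPE_DATA << 2) | (to_ds << 8) | (from_ds << 9)
    return struct.pack("<H", fc) + bytes(MAC_HDR_LEN - 2)


if __name__ == "__main__":
    samples = {
        "Beacon, ESS=1": make_mgmt_frame(0b1000, 1, 0),
        "Association Request, ESS=1": make_mgmt_frame(0b0000, 1, 0),
        "Probe Response, IBSS=1": make_mgmt_frame(0b0101, 0, 1),
        "Data, To DS=1 From DS=1": make_data_frame(1, 1),
    }
    for name, frame in samples.items():
        print(f"{name:30s} -> {classify_sender(frame)}")
```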

2.2.3 Device Information Report


The AP listens on WLAN packets sent from neighboring devices to collect information about
wireless devices. APs periodically report collected device information to an AC which
determines whether the neighboring devices are rogue devices.


Figure 2-7 Device information report

A short interval, also called the real-time report interval, is the interval at which the AP
reports incremental information about neighboring devices to the AC. The short interval
ranges from 10 to 3,600 seconds; the default value is 300s.
At each long interval, the AP reports all locally saved information about neighboring devices
to the AC. The long interval ranges from 120 to 360 minutes; the default value is 360 min,
that is, 6 hours, and the minimum is 2 hours. If many APs reported a large amount of data to
the AC at the same time, the AC would be overloaded and unable to process the data. To
prevent this, an AP delays its report by a random time (1 to 10 minutes) when a long interval
is reached.

Table 2-1 Information about the detected wireless devices

Item                 Description
MAC address          MAC address of the detected device.
BSSID                BSSID of the detected device.
Device type          Type of the detected device: ad-hoc device, AP, client, or wireless bridge.
SSID                 SSID of an extended service set (ESS).
Vendor               Vendor of the detected device, given as a 4-byte Organizationally Unique Identifier (OUI) from the IANA-assigned "SMI Network Management Private Enterprise Codes".
Channel              Channel on which the device was last detected.
RSSI                 RSSI measured for the detected device.
Beacon Interval      Interval at which the detected AP or ad-hoc device sends Beacon frames.
First Detected Time  Time when the device was first detected.
Last Detected Time   Time when the device was last detected.

2.2.4 Rogue Device Identification


After receiving the neighbor information reported by the AP, the AC determines whether the
device is authorized as follows:

Figure 2-8 Rogue device identification

Based on the neighboring device information reported by the AP, the AC identifies rogue
devices as follows:
Ad-hoc devices or wireless bridges: the AC regards the devices as rogue devices.


APs: The AC first checks whether the APs are authorized APs. If the BSSIDs of the APs
are managed by the AC, the AC regards the APs as authorized APs; if not, the AC checks
the APs' SSIDs. If the SSIDs are in the whitelist configured by the network administrator,
for example, CMCC, the AC regards the APs as authorized APs; if not, the AC regards
the APs as rogue APs.
STAs: The AC first checks whether the STAs are authorized STAs. If the MAC addresses
belong to the STAs connected to the local AC, the AC regards the STAs as authorized
STAs; if not, the AC checks the STAs' BSSIDs to determine whether the STAs connect to
the SSIDs in the whitelist. If the BSSIDs belong to rogue APs, the STAs are rogue STAs.

If a rogue AP is identified, the AC generates an alarm and sends an SNMP trap message to the network
management platform. The AC does not generate an alarm when other types of rogue devices are
detected.
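The AC-side decision rules of section 2.2.4 applied to a constructed neighbor report, as an added Python example (not the AC's own code). The data structures, MAC addresses and SSIDs are invented; the one rule the paper leaves open, a STA associated with an AP the AC has no report for, is treated here as rogue and marked as an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    """One entry of the neighbor report (a subset of Table 2-1)."""
    mac: str          # MAC address of the detected device
    device_type: str  # "AP", "STA", "ad-hoc" or "wireless bridge"
    bssid: str        # the AP's own BSSID, or the BSSID a STA is associated with
    ssid: str = ""    # SSID advertised by an AP


@dataclass
class ACState:
    managed_bssids: set  # BSSIDs of the APs this AC manages
    ssid_whitelist: set  # SSIDs the administrator trusts (the paper's example: CMCC)
    connected_stas: set  # MACs of STAs associated with this AC's APs


def identify_rogues(neighbors, ac):
    """Return ({mac: 'authorized' | 'rogue'}, [alarm strings]).
    Only rogue APs raise an alarm (SNMP trap), matching the note in section 2.2.4."""
    verdicts, alarms, ap_verdicts = {}, [], {}
    # Pass 1: APs first, so STA verdicts can refer to the AP they are associated with.
    for nb in neighbors:
        if nb.device_type != "AP":
            continue
        if nb.bssid in ac.managed_bssids or nb.ssid in ac.ssid_whitelist:
            ap_verdicts[nb.bssid] = "authorized"
        else:
            ap_verdicts[nb.bssid] = "rogue"
            alarms.append(f"rogue AP {nb.bssid} (SSID {nb.ssid!r})")
        verdicts[nb.mac] = ap_verdicts[nb.bssid]
    # Pass 2: ad-hoc devices and bridges are always rogue; STAs inherit their AP's verdict.
    for nb in neighbors:
        if nb.device_type in ("ad-hoc", "wireless bridge"):
            verdicts[nb.mac] = "rogue"
        elif nb.device_type == "STA":
            if nb.mac in ac.connected_stas or nb.bssid in ac.managed_bssids:
                verdicts[nb.mac] = "authorized"
            else:
                # Assumption: a STA on an AP this AC has not seen at all is treated as rogue.
                verdicts[nb.mac] = (
                    "authorized" if ap_verdicts.get(nb.bssid) == "authorized" else "rogue"
                )
    return verdicts, alarms


# Constructed sample report (all addresses and SSIDs invented for this example).
SAMPLE_AC = ACState(
    managed_bssids={"00:11:22:33:44:01"},
    ssid_whitelist={"CMCC"},
    connected_stas={"aa:bb:cc:dd:ee:01"},
)
SAMPLE_REPORT = [
    Neighbor("00:11:22:33:44:01", "AP", "00:11:22:33:44:01", "corp-wifi"),  # AP managed by this AC
    Neighbor("00:11:22:33:44:99", "AP", "00:11:22:33:44:99", "CMCC"),       # neighbor with whitelisted SSID
    Neighbor("de:ad:be:ef:00:01", "AP", "de:ad:be:ef:00:01", "corp-wifi"),  # unknown AP
    Neighbor("aa:bb:cc:dd:ee:01", "STA", "00:11:22:33:44:01"),              # STA connected to this AC
    Neighbor("aa:bb:cc:dd:ee:02", "STA", "00:11:22:33:44:99"),              # STA on the whitelisted AP
    Neighbor("aa:bb:cc:dd:ee:03", "STA", "de:ad:be:ef:00:01"),              # STA on the unknown AP
    Neighbor("aa:bb:cc:dd:ee:04", "ad-hoc", "aa:bb:cc:dd:ee:04"),
    Neighbor("aa:bb:cc:dd:ee:05", "wireless bridge", "aa:bb:cc:dd:ee:05"),
]

if __name__ == "__main__":
    verdicts, alarms = identify_rogues(SAMPLE_REPORT, SAMPLE_AC)
    for mac, verdict in verdicts.items():
        print(f"{mac}  {verdict}")
    print("alarms:", alarms)
```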

2.3 Rogue Device Defense and Countermeasures


The attack defense and countermeasure functions can be enabled to reject access from
detected rogue devices. The attack defense function restricts access from rogue APs or clients
using a blacklist. The countermeasure function prevents rogue devices from operating
according to the configured countermeasure mode. Monitor APs download the
countermeasure list from the AC and take countermeasures to the rogue devices.
If an AC identifies a rogue AP (an AP not managed by the local AC or not in the SSID
whitelist), the AC notifies the monitor AP of the rogue AP. The monitor AP then uses the
rogue AP's identity information to broadcast a Deauthentication frame. After STAs
associating with the rogue AP receive the Deauthentication frame, they disassociate from
the rogue AP. This countermeasure prevents STAs from associating with the rogue AP.
When the AC identifies an unauthorized user terminal, a bridge, or an ad-hoc device
(devices not managed by the local AC), the monitor AP uses the BSSID or MAC address
of the unauthorized device to unicast a Deauthentication frame to disconnect the
unauthorized device.

Figure 2-9 shows the process of rogue device countermeasure. Rogue device detection and identification
must be configured before the countermeasure function takes effect.


Figure 2-9 Rogue device countermeasure

The rogue device countermeasure process is as follows:


1. The countermeasure function is enabled and the countermeasure mode is specified on the
AC.
2. The AC selects rogue devices from the wireless device list reported by a monitor AP and
sends the rogue device list to the monitor AP.
3. The monitor AP takes countermeasure on the rogue devices in the rogue device list sent
from the AC.
When a rogue device is moved to the historical list, the AC sends an instruction to the monitor
AP, requesting the AP to stop countering the rogue device.
The countermeasure function is valid only for rogue APs, rogue clients, and ad-hoc devices. It
cannot be applied to wireless bridges.
Countering rogue APs: When detecting a rogue AP, a monitor AP uses the rogue AP's
address to broadcast Deauthentication frames and unicast Deauthentication frames. After
receiving the Deauthentication frames, STAs disassociate from the rogue AP.
Countering rogue clients: After detecting a rogue client, a monitor AP uses the BSSID or
MAC address of the rogue client to send unicast Deauthentication frames, preventing the
rogue client from connecting to the wireless network. The rogue client countermeasure
function can also prevent an authorized client from associating with rogue APs by using
identity information of the rogue AP connected to the rogue client to send unicast
Deauthentication frames and Disassociation frames to the authorized client.
Countering ad-hoc devices: Ad-hoc devices are countered in the same way as rogue
clients.

Monitor APs take countermeasures periodically on rogue devices using the configured probing mode.


2.4 Wireless Attack Detection


An AP working in access or hybrid mode detects attacks in real time. When it detects an attack,
the AP adds the attacker to the dynamic blacklist to protect the network.

Figure 2-10 WIDS attack detection

[Figure: an AC connected over an IP network to three APs; malicious terminals attack the APs while a legitimate STA is served.]

As shown in the figure, a WLAN provides access services for terminals. WIDS is enabled on
the WLAN to detect various types of attacks.
Flood attack detection: Malicious users may send a large number of connection request
packets to AP3. AP3 will forward these packets to the AC for processing, affecting
normal network running. If flood attack detection and dynamic blacklist are enabled,
WIDS can detect the flood attacks of malicious users and add these users to the dynamic
blacklist. All packets from these users are discarded to protect network security.
Spoofing attack detection: A spoofing attacker sends attack packets in the name of
another device. For example, a malicious AP or user may send spoofing
Deauthentication packets to disconnect an authorized client. Upon receipt of these
packets, the AP defines these packets as spoofing attack packets and reports the attacks
to the AC.
Weak IV attack detection: Data packets from Client1 use WEP encryption. WIDS detects
weak IV attacks based on IV security policies after IV detection is enabled. When the AP
detects a packet carrying a weak IV, the AP reports it to the AC.
Defense against PSK cracking: Security authentication modes for wireless users include
WEP shared key, WPA/WPA2 PSK, WPA/WPA2 dot1x, WAPI certificate, and WAPI
PSK. In theory, a client that keeps searching the key space exhaustively will eventually
recover the key. A protection mechanism is therefore added: when the number of
authentication attempts from a client exceeds a specified threshold, packets from that
client are discarded for a specified time. This stops continuous brute force attempts and
reduces the load that frequent negotiations place on devices and the network.


WIDS can detect 802.11 packet flood, spoofing, and weak IV attacks. Attack information
reported by an AP includes the rogue device MAC address, channel, attack type, and received
signal strength indicator (RSSI).

2.4.2 Flood Attack Detection


A flood attack occurs when an AP receives a large number of management packets or null
data packets of the same type from a source MAC address within a short period. These attack
packets consume many system resources of the AP, and therefore the AP cannot process
packets from authorized STAs.
Flood attack detection allows an AP to keep monitoring the traffic volume of each STA to
prevent flood attacks. When the traffic received from a STA exceeds the allowed threshold
(for example, more than 100 packets per second), the AP considers that the STA is initiating a
flood attack and reports an alarm message to the AC. If the dynamic blacklist function is
enabled, the attacking STA is added to the blacklist. The AP drops all the packets from this
STA to prevent the network from a flood attack, until the dynamic blacklist entry ages.
An AP can detect flood attacks of the following frames:
Authentication Request
Deauthentication
Association Request
Disassociation
Probe Request
Action (an extended management frame used for spectrum management, QoS, and HT
mode)
EAPOL Start
EAPOL-Logoff
PS-Poll (management frame sent by a STA when it transitions from sleep mode to
active mode)
802.11 Null (data frame sent by a STA when it has no data to send, to notify the AP of
a change in its power-saving state)

Figure 2-11 Flood attack

[Figure: a rogue STA floods an AP with attack frames.]


By default, the system considers that a flood attack is initiated when it receives 30 packets (y) of the
same type from a MAC address in 60 seconds (x). The values of x and y are configurable.

2.4.3 Spoofing Attack Detection


A spoofing attack is also called a man-in-the-middle attack. An attacker (a rogue AP or
malicious user) uses an authorized user's identity to send spoofing packets to STAs. As a
result, the STAs cannot go online. Spoofing attack packets include Disassociation frames and
Deauthentication frames, which are broadcast frames.
After the spoofing attack detection function is enabled, an AP checks whether the source
MAC address of received Disassociation frames or Deauthentication frames is its own MAC
address. If so, the WLAN is undergoing a spoofing attack of Disassociation or
Deauthentication packets. The AP then sends an alarm to the AC.

Figure 2-12 Spoofing attack

[Figure: a rogue AP sends a Disassociation frame; normal data communication is interrupted.]

Since a spoofing AP does not use the MAC address of its own to initiate an attack, the system cannot
obtain the real MAC address of the spoofing AP when detecting the attack. Therefore, the system only
generates a log and an alarm to alert the network administrator but cannot use the dynamic blacklist
function to defend against the attack.

2.4.4 Weak IV Attack Detection


If a potential attacker obtains the shared key, he may use it to control network resources,
threatening the security of the network.
WEP encryption on WLANs uses a random 3-byte IV and shared key to generate a key string
which is used together with plain text encryption to encrypt every packet to be sent. Weak IV
refers to IV generated in an insecure way, for example, duplicate IVs or the same IV
frequently generated. Attackers can easily crack the shared key because STAs send the IV in
plain text in the packet header. The attackers can then access the WLAN.
If the first byte of an IV is in the range 3 to 15 and the second byte is 255, the system
considers the IV weak. For IVs of this special form, the RC4 key constructed from the IV and
the shared key produces a pseudorandom byte stream whose initial bytes are correlated with
the first several bytes of the key. This greatly reduces the work of searching the RC4 key
space; in other words, the IV leaks key information.
Weak IV detection identifies the IV of each WEP packet to prevent attackers from cracking
the shared key. When the AP detects a packet carrying a weak IV, the AP sends an alarm to the
AC so that users can use other security policies to prevent STAs from using the weak IV for
encryption.

Figure 2-13 Password cracking through weak IVs

[Figure: a rogue STA listens on frames and cracks passwords, obtaining account, password and user information.]

1. Weak IV detection can prevent user information from being cracked without the need for a dynamic blacklist.
2. WEP authentication has high security risks and is rarely used.
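The weak IV check of section 2.4.4 as an added Python example (not the white paper's or Huawei's code). It locates the WEP IV in a data frame (the first three bytes of the body when Protected Frame is set, per the WEP frame format) and applies the paper's rule; since the paper also counts duplicate IVs as weak, it additionally flags IV reuse per transmitter. It assumes a 24-byte header without HT Control, and the sample frames are constructed.

```python
import struct
from collections import defaultdict

TYPE_DATA = 0b10


def wep_iv(frame: bytes):
    """Return the 3-byte IV of a WEP-protected data frame, or None.
    The IV is the first three bytes of the frame body when Protected Frame = 1."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0b11 != TYPE_DATA or not (fc >> 14) & 1:
        return None
    hdr = 24                       # assumption: no HT Control field
    if (fc >> 8) & 0b11 == 0b11:   # To DS = From DS = 1: Address 4 present
        hdr += 6
    if (fc >> 7) & 1:              # QoS Data subtypes carry a 2-byte QoS Control field
        hdr += 2
    iv = frame[hdr:hdr + 3]
    return iv if len(iv) == 3 else None


def is_weak_iv(iv: bytes) -> bool:
    """The paper's rule: first byte 3..15 and second byte 255."""
    return 3 <= iv[0] <= 15 and iv[1] == 0xFF


class WeakIVMonitor:
    """Flags weak IVs and IV reuse by the same transmitter (Address 2)."""

    def __init__(self):
        self.seen = defaultdict(set)  # transmitter MAC -> IVs already observed
        self.alarms = []              # what the AP would report to the AC

    def inspect(self, frame: bytes) -> list:
        iv = wep_iv(frame)
        if iv is None:
            return []
        sender = frame[10:16].hex(":")
        findings = []
        if is_weak_iv(iv):
            findings.append("weak-iv")
        if iv in self.seen[sender]:
            findings.append("iv-reuse")
        self.seen[sender].add(iv)
        for finding in findings:
            self.alarms.append((sender, iv.hex(), finding))
        return findings


# Constructed sample frames (invented for this example, not real captures).
def make_wep_frame(sender: bytes, iv: bytes, qos: bool = False) -> bytes:
    subtype = 0b1000 if qos else 0b0000
    fc = (TYPE_DATA << 2) | (subtype << 4) | (1 << 8) | (1 << 14)  # To DS = 1, Protected Frame = 1
    header = struct.pack("<H", fc) + bytes(2) + bytes(6) + sender + bytes(6) + bytes(2)
    if qos:
        header += bytes(2)                                          # QoS Control
    return header + iv + b"\x00" + b"\x11\x22\x33\x44"              # IV, key ID, opaque ciphertext


STA1 = bytes.fromhex("aabbccddee01")

if __name__ == "__main__":
    mon = WeakIVMonitor()
    for frame in (make_wep_frame(STA1, b"\x03\xff\x07"),
                  make_wep_frame(STA1, b"\x41\x10\x07"),
                  make_wep_frame(STA1, b"\x41\x10\x07", qos=True)):
        print(mon.inspect(frame))
    print("alarms:", mon.alarms)
```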

2.4.5 Defense Against Brute Force PSK Cracking


Brute force cracking, or exhaustive key search, is a cryptanalytic attack that tries every
possible password combination to find the real password. For example, a password that
contains only four digits has at most 10,000 combinations, so it can be cracked after at most
10,000 attempts. In theory, attackers can use the brute force method to crack any password;
the time taken varies with the security mechanism and the password length. Therefore, all
authentication modes carry a risk of brute force attack.
Link authentication security policies, including WPA/WPA2-PSK, WAPI-PSK, and
WEP-Share-Key, are exposed to brute force key cracking over the air interface.
User layer authentication modes, including MAC address authentication, Portal
authentication, and 802.1x authentication, are also exposed to brute force key cracking,
which will be described in the last chapter.


To improve key security, the PSK cracking defense function can be enabled to prolong the time
needed to crack a password. An AP checks whether the number of key negotiation attempts
during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds the
configured threshold. If so, the AP considers that a user is launching a brute force attack and
reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP adds the user to
the dynamic blacklist and drops all packets from the user until the dynamic blacklist entry ages
out.
PSK authentication and WEP shared key authentication are implemented on the AC and AP
respectively; therefore, the brute force attack detection points are also different, as shown in
the following figure.

Figure 2-14 Brute force PSK cracking detection and WEP shared key cracking

Defense against brute force cracking attacks is also required for user authentication modes,
such as MAC address authentication, Portal authentication, and 802.1x authentication. The
defense principles are as follows:
MAC address authentication: The terminal's MAC address is used as the account for
RADIUS authentication. As soon as the user fails authentication, the user is "punished" by
being added to the blacklist and is denied access for the specified time (for example, 60s).
Portal authentication/802.1x authentication: If a user fails authentication three
consecutive times within 60 seconds (the number of allowed authentication attempts and
the time threshold can be configured), the user is considered to be launching a brute force
cracking attack and is added to the blacklist. The user is denied access for the specified time
(for example, 60s).
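As an added example (not Huawei's implementation), the following authentication failure counter applies the two policies just described: one failure for MAC address authentication, three failures within 60 seconds for Portal or 802.1x authentication, each followed by a 60 s penalty. The sliding window, the rule that a successful login resets the count, and the event stream are assumptions made for the illustration.

```python
# Added example (not the Huawei implementation): an authentication failure
# counter that applies the two penalty policies described in the text. The
# thresholds are the paper's illustrative values; the sliding window and the
# "success resets the count" rule are assumptions about how "consecutive
# failures" is judged.
from collections import defaultdict, deque


class AuthBruteForceGuard:
    def __init__(self, max_failures: int = 3, window: float = 60.0, penalty: float = 60.0):
        self.max_failures = max_failures     # failures that trigger blacklisting
        self.window = window                 # seconds in which the failures must occur
        self.penalty = penalty               # seconds the user is denied access
        self._failures = defaultdict(deque)  # mac -> timestamps of recent failures
        self._blocked_until = {}             # mac -> time the penalty expires

    def is_blocked(self, mac: str, now: float) -> bool:
        """Blacklist check; an expired entry is removed and access is restored."""
        until = self._blocked_until.get(mac)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[mac]
            return False
        return True

    def record_failure(self, mac: str, now: float) -> bool:
        """Record one failed attempt; returns True when it triggers the blacklist."""
        recent = self._failures[mac]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # only failures inside the window count
        if len(recent) >= self.max_failures:
            self._blocked_until[mac] = now + self.penalty
            recent.clear()
            return True
        return False

    def record_success(self, mac: str) -> None:
        """A successful login ends the run of consecutive failures."""
        self._failures.pop(mac, None)


# MAC address authentication: a single failure is enough.
MAC_AUTH_POLICY = dict(max_failures=1, window=60.0, penalty=60.0)
# Portal / 802.1x authentication: three failures within 60 seconds.
PORTAL_8021X_POLICY = dict(max_failures=3, window=60.0, penalty=60.0)


def replay(policy: dict, events):
    """Feed (time, mac, ok) events through a guard; returns (mac, time) of each blacklisting."""
    guard = AuthBruteForceGuard(**policy)
    blocked_at = []
    for t, mac, ok in events:
        if guard.is_blocked(mac, t):
            continue                         # request dropped while the penalty lasts
        if ok:
            guard.record_success(mac)
        elif guard.record_failure(mac, t):
            blocked_at.append((mac, t))
    return blocked_at


# Constructed sample: one STA fails three times in 20 s, another spreads its
# failures out so that no three fall inside one 60 s window.
SAMPLE_EVENTS = [
    (0.0, "sta-fast", False), (10.0, "sta-fast", False), (20.0, "sta-fast", False),
    (0.0, "sta-slow", False), (40.0, "sta-slow", False), (70.0, "sta-slow", False),
]

if __name__ == "__main__":
    print(replay(PORTAL_8021X_POLICY, SAMPLE_EVENTS))
```

Under the Portal/802.1x policy only the fast STA is blacklisted; under the MAC authentication policy every failure blacklists immediately, and a blacklisted STA's further requests are dropped until the penalty expires.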

2.5 Wireless Attack Defense


On small and medium WLAN networks, WIDS can be enabled to detect security threats,
including flood, weak IV, and spoofing attacks. This function enables an AP to add attackers
to the dynamic blacklist and send attacker information to the AC. The AC then sends trap
messages to the network management system (NMS) to alert the network administrator.

2.5.1 Dynamic Blacklist


The WIDS attack defense process is as follows:

Figure 2-15 WIDS attack defense

1. The dynamic blacklist function is enabled and the blacklist entry aging time is set on the
AC.
2. The AC sends the dynamic blacklist enabled flag and blacklist entry aging time to the
AP.
3. The WIDS attack detection mode, detection period, and detection threshold (number of
packets detected within the specified period to identify an attack) are configured on the
AC.
4. The AC sends the detection mode, detection period, and detection threshold to the AP.
5. The AP performs attack detection according to the configuration.

6. When the AP detects an attack, it reports the attack information to the AC, including the
rogue device MAC address and attack type. The AC receives the attack information and
adds the received information to the attack record. If the AP does not detect attacks from
this rogue device again in the next three attack detection periods, it requests the AC to
delete the corresponding attack record.
7. The AP determines whether to add the rogue device to the dynamic blacklist. If the AP
adds the rogue device to the dynamic blacklist, the AP reports the dynamic blacklist
entry to the AC. The AC adds this entry to the dynamic blacklist cache.
8. The AC records attack types and sends trap messages to report the attack types to the
NMS.
9. The AP drops packets sent from blacklisted devices.
10. When the configured aging time (penalty time) is reached, dynamic blacklist entries are
automatically deleted and normal access of the attacker is restored.
The following figure shows how a WIDS-enabled AP processes attacks.

Figure 2-16 WIDS attack detection process

(Flowchart. For each received packet the AP checks, in order: whether the blacklist is enabled and the device is already in the blacklist (if so, the packet is discarded); whether flood attack detection is enabled and the traffic exceeds the upper limit; whether spoofing attack detection is enabled and the packet is a broadcast Deauthentication or Disassociation frame; whether weak IV attack detection is enabled and the packet contains a weak IV; and whether defense against WEP shared key cracking is enabled and the number of WEP key authentication attempts exceeds the upper limit. A "Yes" on any of these checks reports the attacking device information to the AC; otherwise the packet receives normal processing.)

After the AC receives the attacking device information reported by the AP, it adds the attacker
to the attacking device list, collects attack statistics based on the attack types, and sends trap
messages. The devices on the attacking device list are sequenced based on the detection time.
When the number of attacking device entries reaches the maximum, the new attacking device
entries overwrite the previous ones.
Statistics information: Upon receipt of WIDS attack detection packets sent from the AP,
the AC collects attack statistics, including the attack types and the number of attacks.

Traps: The AC sends trap messages only when spoofing and flood attacks are detected.
The trap message carries the AP's MAC address, the attacking device's MAC address, the
channel, and the attack type. The alarm suppression and match functions need to be enabled.
If a flood attack or a PSK cracking attack is detected and the dynamic blacklist is enabled, the
AC adds the attacking device to the dynamic blacklist and delivers the blacklist to the AP. The
AP discards packets from the attacking device. If the attacking device has already associated
with the AP, the AP must disassociate it; the driver provides the disassociation interface. The
AC maintains the dynamic blacklist entries and their aging mechanism. After a dynamic
blacklist entry ages out, the AC instructs the AP to delete it. The same attacking device may be
detected by different APs, so each entry must record the APs that detected the attack, and
aging takes effect only on the correct AP. If the AC could not deliver the deletion message to
the AP, the entry would remain in effect on the AP; to prevent this, the AC and AP use the
same dynamic blacklist aging mechanism.
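The following is an added example, not the Huawei implementation, that models the process described in this section: the AP counts frames per source within a detection period and reports a flood when the threshold is exceeded; the AC keeps attack records ordered by detection time (overwriting the oldest when full), collects statistics, emits traps only for flood and spoofing, and keeps a dynamic blacklist whose entries age out on the AC and AP under the same rule; records not re-detected within three detection periods are deleted. Class names, the period and threshold values, the "one record per AP, attacker and attack type" rule, and the frame stream are assumptions chosen for the illustration.

```python
# Added example (not the Huawei implementation): a model of the AP-side flood
# detection and the AC-side attack records, statistics, traps and dynamic
# blacklist described in section 2.5.1. Class names, the frame stream and the
# "one record per AP/attacker/type" rule are assumptions made for illustration.
from collections import defaultdict

FLOOD, SPOOFING, WEAK_IV, PSK_CRACKING = "flood", "spoofing", "weak-iv", "psk-cracking"
TRAP_TYPES = {FLOOD, SPOOFING}            # the AC sends traps only for these types
BLACKLIST_TYPES = {FLOOD, PSK_CRACKING}   # only these lead to a dynamic blacklist entry
IDLE_PERIODS_BEFORE_DELETE = 3            # record removed after 3 quiet detection periods


class WidsAC:
    """AC side: dynamic blacklist settings, attack records, statistics and traps."""

    def __init__(self, aging_time: float, dynamic_blacklist: bool = True, max_records: int = 100):
        self.aging_time = aging_time          # blacklist entry penalty time (seconds)
        self.dynamic_blacklist = dynamic_blacklist
        self.max_records = max_records
        self.attack_records = []              # ordered by detection time, oldest first
        self.stats = defaultdict(int)         # attack type -> number of reports
        self.traps = []                       # trap messages that would go to the NMS
        self.blacklist = {}                   # (ap_mac, attacker_mac) -> expiry time

    def report_attack(self, ap_mac, attacker, attack_type, channel, now):
        """Handle an AP report; returns the blacklist expiry delivered to the AP, or None."""
        self.stats[attack_type] += 1
        key = (ap_mac, attacker, attack_type)
        self.attack_records = [r for r in self.attack_records if r["key"] != key]
        self.attack_records.append({"key": key, "last_seen": now})
        if len(self.attack_records) > self.max_records:
            self.attack_records.pop(0)        # the newest entry overwrites the oldest
        if attack_type in TRAP_TYPES:
            self.traps.append({"ap": ap_mac, "attacker": attacker,
                               "channel": channel, "type": attack_type})
        if self.dynamic_blacklist and attack_type in BLACKLIST_TYPES:
            self.blacklist[(ap_mac, attacker)] = now + self.aging_time
            return now + self.aging_time
        return None

    def expire_records(self, now, period):
        """Drop records not re-detected in the last three detection periods; returns the count."""
        limit = IDLE_PERIODS_BEFORE_DELETE * period
        keep = [r for r in self.attack_records if now - r["last_seen"] < limit]
        removed = len(self.attack_records) - len(keep)
        self.attack_records = keep
        return removed

    def age_blacklist(self, now):
        """Same aging rule as the AP, so both sides drop an entry at the same time."""
        expired = [k for k, t in self.blacklist.items() if now >= t]
        for k in expired:
            del self.blacklist[k]
        return expired


class WidsAP:
    """AP side: counts frames per source within a detection period and enforces the blacklist."""

    def __init__(self, ap_mac, channel, period, threshold, ac: WidsAC):
        self.ap_mac, self.channel, self.ac = ap_mac, channel, ac
        self.period = period                  # detection period (seconds), configured on the AC
        self.threshold = threshold            # frames per period beyond which it is a flood
        self.blocked_until = {}               # attacker_mac -> expiry (mirrors the AC entry)
        self._period_start = None
        self._counts = defaultdict(int)

    def handle_frame(self, src, now):
        """Process one received frame; returns 'dropped', 'attack' or 'normal'."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "dropped"              # packets from blacklisted devices are dropped
            del self.blocked_until[src]       # penalty time reached: access restored
        if self._period_start is None or now - self._period_start >= self.period:
            self._period_start, self._counts = now, defaultdict(int)
        self._counts[src] += 1
        if self._counts[src] <= self.threshold:
            return "normal"
        expiry = self.ac.report_attack(self.ap_mac, src, FLOOD, self.channel, now)
        if expiry is not None:
            self.blocked_until[src] = expiry
        return "attack"


def demo():
    """Constructed sample: one STA sends 6 frames in a 10 s period with threshold 5."""
    ac = WidsAC(aging_time=300.0)
    ap = WidsAP("ap-01", channel=6, period=10.0, threshold=5, ac=ac)
    results = [ap.handle_frame("rogue-sta", float(t)) for t in range(1, 8)]
    return ac, ap, results


if __name__ == "__main__":
    ac, ap, results = demo()
    print(results, dict(ac.stats), ac.traps, ac.blacklist)
```

With the dynamic blacklist disabled on the AC, the AP still reports every over-threshold frame as an attack but never drops traffic, which is the difference between the detection-only and defense configurations described above.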

2.5.2 Static Blacklist


After detecting an attack, the device enabled with the dynamic blacklist automatically adds
the attacker to the blacklist and denies access of the attacker to protect the network. The
system administrator can manually add the MAC addresses of rogue terminals or APs to the
static blacklist to defend against rogue devices (terminals or APs) that are already known.
Devices in the static blacklist cannot access the network. The WLAN supports two types of
static blacklists:
STA static blacklist:
The AP discards packets from terminals with MAC addresses in the STA blacklist to
prevent these terminals from accessing the network.
AP static blacklist:
The AC discards packets from APs with MAC addresses in the AP blacklist to prevent
the APs from accessing the AC through the CAPWAP tunnels.
WLANs can also use the whitelist function to prohibit access of rogue devices. Huawei offers
STA and AP whitelists.

The Huawei static STA blacklist can also be used to counter unauthorized devices. The system
administrator adds the devices to be countered to the STA static blacklist; when these devices are
detected, the system takes countermeasures against them.

3 Benefits to Customers

WIDS and WIPS provide different functions on enterprise networks of different scales:
On home networks or small enterprise networks: control access from APs and clients
using blacklists and whitelists. Access control is implemented on the AC and does not
depend on the APs. (For more details, see the AP and user access control documents.)
On small and medium enterprise networks: WIDS detects attacks from unauthorized
devices.
On medium and large enterprise networks: detect and identify rogue devices, and take
countermeasures to protect the network.
In addition to secure WLAN access, a large-sized network requires a system that can detect
rogue wireless devices and reject access from these devices to protect services of authorized
users.
WIDS also detects attacks such as flood attacks, weak IV attacks, spoofing attacks,
WPA/WPA2/WAPI pre-shared key cracking, and WEP shared key cracking. WIDS records
logs, statistics, and alarms to notify network administrators of the attacks. The AC adds
devices that perform flood attacks and key cracking to the dynamic blacklist and rejects
packets from these devices within the aging time of the dynamic blacklist.

4 Typical Application Scenarios

4.1 Public Places or Neighboring Companies


Figure 4-1 Networking in an airport with multiple carrier networks

(Figure: ChinaNet and CMCC each deploy their own AC and APs over a shared IP network.)

In public places, such as airports or railway stations, multiple carriers deploy WLANs to
cover public areas. The APs of each WLAN system can hear the WLAN signals of the other
carriers' APs. Signal interference between the WLAN systems cannot be avoided, but all the
APs are authorized. To prevent false reports of rogue APs or STAs, configure the SSID
whitelist on the devices.
Key configuration commands are as follows (ChinaNet is taken as an example):
# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to
continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Add CMCC to the SSID whitelist.
[AC-wlan-view] ssid-whitelist ssid CMCC

Figure 4-2 Networking for an office building shared by multiple companies

(Figure: company A occupies Floor 5 and company B occupies Floor 4 of the same building.)

The preceding configuration commands also apply where multiple companies share one office
building. As shown in the preceding figure, company A leases offices on Floor 5 while
company B leases offices on Floor 4. Devices of company B can receive signals from
company A. To prevent false rogue-device reports, company B needs to add company A's
SSID to its SSID whitelist.

4.2 Deployment of Rogue APs in a Company


To protect information security and prevent interference with the WLAN system, the company
forbids employees from deploying APs without authorization. Enable WIDS to detect
unauthorized devices in the surroundings.

Figure 4-3 Deployment of rogue APs in a company

(Figure: company A's AC serves authorized APs with SSID=Corp; one unauthorized AP advertises SSID=Jack and another unauthorized AP advertises SSID=Corp, with STA C nearby.)

As shown in the preceding figure, some employees deploy Fat APs or enable the AP function
on personal smart terminals without company authorization. The unauthorized AP on the left
offers the SSID Jack to connect personal devices, for example, tablets. The signals transmitted
by this AP may interfere with the company's WLAN system or even leak company
information. The AP on the right poses a higher security risk: the SSID it provides is the same
as the company SSID, so the AP can pretend to be an authorized AP on the company WLAN,
set up connections with company devices, and intercept company information.
To defend against the rogue APs, enable WIDS on the company's WLAN system to counter
the APs using the spoofed SSID. After WIDS and WIPS are configured on the AC, the
monitor AP collects neighbor information and reports it to the AC. When the AC identifies a
rogue AP, the AC notifies the monitor AP of the rogue AP's identity information. The monitor
AP then uses the rogue AP's identity information to broadcast a Deauthentication frame. After
the STAs associated with the rogue AP receive the Deauthentication frame, they disassociate
from the rogue AP. This countermeasure prevents STAs from associating with the rogue AP.
Key configuration commands are as follows:
# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to
continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Configure WIPS to counter the rogue APs.
[AC-wlan-radio-0/0] countermeasures enable
[AC-wlan-radio-0/0] countermeasures mode rogue ap
[AC-wlan-radio-0/0] quit

4.3 Attacks to WLANs


Figure 4-4 Attacks to WLANs

(Figure: an AC and APs connected over an IP network; malicious terminals launch attacks against the WLAN alongside a legitimate STA.)

Malicious users or terminals infected with viruses may attack the system. After WIDS is
enabled on the company WLAN, the WLAN devices can detect flood, spoofing, and brute
force cracking attacks. After a rogue terminal is identified, the WLAN device adds the rogue
terminal to the dynamic blacklist and discards packets from the terminal within the specified
period to protect the system against attacks.
Key configuration commands are as follows:
# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to
continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Enable the dynamic blacklist function.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] dynamic-blacklist enable
