Paper
Issue 1.0
Date 2014-04-24
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Keyword
WLAN, WIDS, WIPS
Abstract
An 802.11 network is an open wireless network prone to various security threats, for example,
attacks from rogue APs, unauthorized STAs, ad-hoc networks, spoofing APs, and DDoS
attacks launched by malicious terminals. WIDS/WIPS can monitor and defend against these
security threats on WLANs.
Abbreviations
Abbreviation | Full Name | Description
Rogue AP | - | An unauthorized AP.
SSID | Service Set Identifier | Name of the WLAN access service provided by the AP.
BSSID | Basic Service Set Identifier | MAC address of the AP.
CAPWAP | Control And Provisioning of Wireless Access Points | IETF-defined standards for AP management and communications with the AC.
WIDS | Wireless Intrusion Detection System | Wireless Intrusion Detection System.
1 Overview
An 802.11 network is an open wireless network prone to various security threats, for example,
attacks from rogue APs, unauthorized STAs, ad-hoc networks, spoofing APs, and DDoS
attacks launched by malicious terminals. WIDS/WIPS can monitor and defend against these
security threats on WLANs.
Wireless Intrusion Detection System (WIDS): detects malicious attacks and intrusions to
WLANs.
Wireless Intrusion Prevention System (WIPS): protects an enterprise network against
access from unauthorized devices and prevents attacks to the network system.
WIDS and WIPS technologies secure a wireless network, reduce interference from
unauthorized devices, and protect users from malicious attacks, delivering better user
experience.
WIDS and WIPS provide different functions on enterprise networks of different scales:
On home networks or small enterprise networks: control access from APs and clients
using a blacklist and whitelist. Access control is implemented on the AC and is independent
of the APs. (For more details, see the AP and user access control documents.)
On small and medium enterprise networks: WIDS detects attacks from unauthorized
devices.
On medium and large enterprise networks: detect and identify rogue devices, and take
countermeasures to protect the networks.
In addition to secure WLAN access, a large-sized network requires a system that can detect
rogue wireless devices and reject access from these devices to protect services of authorized
users.
2 Technology Implementation
[Figure: WLAN security architecture. STA, AP, AC and AAA server; access authentication, link encryption, and policy control.]
As shown in the figure, WIDS and WIPS are used to detect and counter unauthorized devices.
WIDS: detects unauthorized APs, bridges, user terminals, ad-hoc devices, and
interference APs with overlapping channels.
The monitoring channels can be all channels of the frequency band that the AP works on or channels
specified by the country code.
[Figure: rogue device detection. The AC manages APs over the IP network; the APs detect ad-hoc devices, rogue bridges, rogue STAs, and rogue APs.]
[Figure: 802.11 Frame Control field. Subfield widths in bits: 2 2 4 1 1 1 1 1 1 1.]
If the Type subfield is 00, the AP checks the Subtype subfield. The values of the Subtype
subfield and corresponding frame types are as follows:
1000: Beacon
0001: Association Response
0010: Reassociation Request
0011: Reassociation Response
If the IBSS subfield is 1, the device is an ad-hoc device; if the IBSS subfield is 0 and the ESS
subfield is 0, the device is a wireless bridge; if the IBSS subfield is 0 and the ESS subfield is
1, the device is an AP or STA, which can be further clarified based on the management frame
type.
The AP determines the types of rogue devices based on the collected management frames (Subtype field
in the 802.11 frames).
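The classification just described, worked through on raw frame bytes as an added example (not code from the document): the Type and Subtype subfields are read from the Frame Control field, and for Beacon frames the ESS/IBSS bits of the Capability Information field decide between AP, ad-hoc device and wireless bridge. The sample frames are constructed inline; only the frame layout itself comes from 802.11.

```python
"""Classify a captured 802.11 frame into the device types the WIDS text lists.
Constructed sample frames only; nothing here touches a radio."""
import struct

# Management frame subtypes named in the text (Type subfield = 00).
MGMT_SUBTYPES = {
    0b0000: "Association Request",
    0b0001: "Association Response",
    0b0010: "Reassociation Request",
    0b0011: "Reassociation Response",
    0b1000: "Beacon",
}
MGMT_HEADER_LEN = 24                    # FC(2) Duration(2) Addr1/2/3(18) SeqCtl(2)
CAP_OFFSET = MGMT_HEADER_LEN + 8 + 2    # Beacon body: Timestamp(8) Interval(2) Capability(2)


def parse_frame_control(frame: bytes) -> dict:
    """Frame Control is the first two bytes. Byte 0 holds Protocol Version (2 bits),
    Type (2 bits) and Subtype (4 bits), LSB first; byte 1 starts with To DS, From DS."""
    fc0, fc1 = frame[0], frame[1]
    return {
        "type": (fc0 >> 2) & 0b11,
        "subtype": (fc0 >> 4) & 0b1111,
        "to_ds": fc1 & 0b1,
        "from_ds": (fc1 >> 1) & 0b1,
    }


def classify_frame(frame: bytes) -> str:
    """Return the device type an AP would infer from this single frame."""
    fc = parse_frame_control(frame)
    if fc["type"] == 0b10:                                   # data frame
        if fc["to_ds"] and fc["from_ds"]:
            return "wireless bridge (4-address data frame)"  # To DS = From DS = 1
        return "data frame (not used for device typing here)"
    if fc["type"] != 0b00:
        return "control frame (ignored)"
    subtype = MGMT_SUBTYPES.get(fc["subtype"], "other management")
    if subtype != "Beacon":
        return f"AP/STA ({subtype})"                           # refine via association frames
    if len(frame) < CAP_OFFSET + 2:
        raise ValueError("truncated Beacon: no Capability Information field")
    cap = struct.unpack_from("<H", frame, CAP_OFFSET)[0]
    ess, ibss = cap & 0b1, (cap >> 1) & 0b1                   # bit 0 = ESS, bit 1 = IBSS
    if ibss:
        return "ad-hoc device"
    if not ess:
        return "wireless bridge"
    return "AP"


def make_beacon(capability: int) -> bytes:
    """Constructed Beacon: FC 0x80 (Type 00, Subtype 1000), zeroed addresses,
    zero timestamp, 100 TU interval, then the given Capability Information."""
    return (bytes([0x80, 0x00]) + bytes(MGMT_HEADER_LEN - 2)
            + bytes(8) + struct.pack("<H", 100) + struct.pack("<H", capability))
```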
To DS | From DS | Meaning
0 | 0 | Data frame sent between two stations that are not APs in a basic service set
0 | 1 | Data frame sent from a wireless station in a basic service set
1 | 0 | Data frame sent to a wireless station in a basic service set
1 | 1 | Data frame sent between two wireless bridges
A short interval is also called a real-time report interval, at which the AP reports incremental
information about neighboring devices to the AC. The short interval ranges from 10 to 3,600
seconds. The default value is 300s.
At each long interval, the AP reports all the information about neighboring devices that it has
saved locally to the AC. The long interval ranges from 120 to 360 minutes. The default
value is 360 min, that is, 6 hours. The minimum report interval is 2 hours. If a large number of
APs report a large amount of data to the AC at the same time, the AC is overloaded and
cannot process the data. To prevent this problem, an AP postpones its report by a random
delay (1 to 10 minutes) when a long interval is reached.
Item | Description
MAC address | MAC address of the detected device.
BSSID | BSSID of the detected device.
Device type | Type of the detected device: ad-hoc device, AP, client, or wireless bridge.
SSID | SSID of an extended service set (ESS).
Vendor | Vendor of the detected device. It is a 4-byte Organizationally Unique Identifier (OUI) from the IANA-assigned "SMI Network Management Private Enterprise Codes".
Channel | Channel in which the device was last detected.
RSSI | RSSI detected by the device.
Beacon Interval | Interval at which the detected AP or ad-hoc device sends Beacon frames.
First Detected Time | Time when the device was first detected.
Last Detected Time | Time when the device was last detected.
Based on the neighboring device information reported by the AP, the AC identifies rogue
devices as follows:
Ad-hoc devices or wireless bridges: the AC regards the devices as rogue devices.
APs: The AC first checks whether the APs are authorized APs. If the BSSIDs of the APs
are managed by the AC, the AC regards the APs as authorized APs; if not, the AC checks
the APs' SSIDs. If the SSIDs are in the whitelist configured by the network administrator,
for example, CMCC, the AC regards the APs as authorized APs; if not, the AC regards
the APs as rogue APs.
STAs: The AC first checks whether the STAs are authorized STAs. If the MAC addresses
belong to the STAs connected to the local AC, the AC regards the STAs as authorized
STAs; if not, the AC checks the STAs' BSSIDs to determine whether the STAs connect to
the SSIDs in the whitelist. If the BSSIDs belong to rogue APs, the STAs are rogue STAs.
If a rogue AP is identified, the AC generates an alarm and sends an SNMP trap message to the network
management platform. The AC does not generate an alarm when other types of rogue devices are
detected.
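The AC-side decision order above (ad-hoc and bridges always rogue; APs judged by managed BSSID, then SSID whitelist; STAs by local association, then by the AP they are attached to), as an added example in Python rather than the document's own logic. All MAC addresses, SSIDs and the data structures are constructed for illustration.

```python
"""AC-side rogue device identification over one neighbor report."""
from dataclasses import dataclass


@dataclass
class Neighbor:
    mac: str           # MAC address of the detected device
    bssid: str         # AP's own BSSID, or the BSSID a STA is attached to
    device_type: str   # "ad-hoc", "bridge", "ap" or "sta"
    ssid: str = ""     # SSID advertised by an AP (empty if unknown)


@dataclass
class ACState:
    managed_bssids: set   # BSSIDs of the APs this AC manages
    ssid_whitelist: set   # administrator-configured whitelist, e.g. {"CMCC"}
    local_sta_macs: set   # STAs currently associated through this AC


def is_rogue_ap(bssid: str, ssid: str, ac: ACState) -> bool:
    """Managed BSSID -> authorized; otherwise authorized only if the SSID is whitelisted."""
    if bssid in ac.managed_bssids:
        return False
    return ssid not in ac.ssid_whitelist


def identify(neighbors, ac: ACState) -> dict:
    """Return {mac: 'rogue' | 'authorized'}. STAs are judged after APs so the
    AP a STA is attached to can be looked up in the same report."""
    verdicts = {}
    ap_by_bssid = {n.bssid: n for n in neighbors if n.device_type == "ap"}
    for n in neighbors:
        if n.device_type in ("ad-hoc", "bridge"):
            verdicts[n.mac] = "rogue"
        elif n.device_type == "ap":
            verdicts[n.mac] = "rogue" if is_rogue_ap(n.bssid, n.ssid, ac) else "authorized"
    for n in neighbors:
        if n.device_type != "sta":
            continue
        if n.mac in ac.local_sta_macs:
            verdicts[n.mac] = "authorized"
            continue
        ap = ap_by_bssid.get(n.bssid)           # which AP does this STA talk to?
        ssid = ap.ssid if ap else n.ssid
        verdicts[n.mac] = "rogue" if is_rogue_ap(n.bssid, ssid, ac) else "authorized"
    return verdicts


def alarms(verdicts: dict, neighbors) -> list:
    """Only rogue APs raise an alarm/SNMP trap; other rogue types are just recorded."""
    types = {n.mac: n.device_type for n in neighbors}
    return [mac for mac, v in verdicts.items() if v == "rogue" and types[mac] == "ap"]


def sample_report():
    """Constructed neighbor report and AC state (all addresses and SSIDs made up)."""
    ac = ACState(managed_bssids={"00:11:22:33:44:01"}, ssid_whitelist={"CMCC"},
                 local_sta_macs={"aa:bb:cc:00:00:01"})
    neighbors = [
        Neighbor("00:11:22:33:44:01", "00:11:22:33:44:01", "ap", "Corp"),   # our own AP
        Neighbor("00:11:22:33:44:02", "00:11:22:33:44:02", "ap", "CMCC"),   # neighbor carrier, whitelisted
        Neighbor("00:11:22:33:44:03", "00:11:22:33:44:03", "ap", "Corp"),   # spoofs our SSID
        Neighbor("aa:bb:cc:00:00:01", "00:11:22:33:44:01", "sta"),          # associated via this AC
        Neighbor("aa:bb:cc:00:00:02", "00:11:22:33:44:02", "sta"),          # on the whitelisted AP
        Neighbor("aa:bb:cc:00:00:03", "00:11:22:33:44:03", "sta"),          # on the spoofing AP
        Neighbor("de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "ad-hoc"),
    ]
    return neighbors, ac
```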
Figure 2-9 shows the process of rogue device countermeasure. Rogue device detection and identification
must be configured before the countermeasure function takes effect.
Monitor APs take countermeasures periodically on rogue devices using the configured probing mode.
[Figure: attack detection. The AC manages APs over the IP network; malicious terminals and a malicious STA attack the APs.]
As shown in the figure, a WLAN provides access services for terminals. WIDS is enabled on
the WLAN to detect various types of attacks.
Flood attack detection: Malicious users may send a large number of connection request
packets to AP3. AP3 forwards these packets to the AC for processing, affecting
normal network operation. If flood attack detection and the dynamic blacklist are enabled,
WIDS detects the flood attacks of malicious users and adds these users to the dynamic
blacklist. All packets from these users are discarded to protect network security.
Spoofing attack detection: A spoofing attacker sends attack packets in the name of
another device. For example, a malicious AP or user may send spoofing
Deauthentication packets to disconnect an authorized client. Upon receipt of these
packets, the AP defines these packets as spoofing attack packets and reports the attacks
to the AC.
Weak IV attack detection: Data packets from Client1 use WEP encryption. WIDS detects
weak IV attacks based on IV security policies after IV detection is enabled. When the AP
detects a packet carrying a weak IV, the AP reports it to the AC.
Defense against PSK cracking: Security authentication modes for wireless users include
WEP shared key, WPA/WPA2 PSK, WPA/WPA2 dot1x, WAPI certificate, and WAPI
PSK. In theory, a client that keeps performing an exhaustive key search can crack the key.
Therefore, a protection mechanism is added: when the number of authentication
attempts exceeds a specified threshold, packets from the client are discarded for a
specified time. This prevents the user from continuing the brute force attack and reduces the
adverse effects of frequent negotiations on devices and the network.
WIDS can detect 802.11 packet flood, spoofing, and weak IV attacks. Attack information
reported by an AP includes the rogue device MAC address, channel, attack type, and received
signal strength indicator (RSSI).
[Figure: flood attack launched by a rogue STA.]
By default, the system considers that a flood attack is initiated when it receives 30 packets (y) of the
same type from a MAC address in 60 seconds (x). The values of x and y are configurable.
[Figure: spoofing attack. A rogue AP sends a Disassociation frame; normal data communication is interrupted.]
Since a spoofing AP does not use its own MAC address to launch an attack, the system cannot
obtain the real MAC address of the spoofing AP when it detects the attack. Therefore, the system only
generates a log and an alarm to alert the network administrator; it cannot use the dynamic blacklist
function to defend against the attack.
is correlated to the first several bytes of the key. This greatly reduces the workload in
searching the RC4 key space. In other words, the IV leaks key information.
Weak IV detection identifies the IV of each WEP packet to prevent attackers from cracking
the shared key. When the AP detects a packet carrying a weak IV, the AP sends an alarm to the
AC so that users can use other security policies to prevent STAs from using the weak IV for
encryption.
[Figure: weak IV attack. A rogue STA listens on frames and cracks passwords to obtain account, password, and user information.]
1. Weak IV detection can prevent user information cracking without the need for a dynamic blacklist.
2. WEP authentication has high security risks and is rarely used.
To improve key security, the PSK cracking defense function is enabled to prolong the
password cracking time. An AP checks whether the number of key negotiation attempts
during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds the
configured threshold. If so, the AP considers that a user is using the brute force method to
launch an attack and reports an alarm to the AC. If the dynamic blacklist function is enabled,
the AP adds the user to the dynamic blacklist and drops all packets from the user until the
dynamic blacklist entry ages out.
PSK authentication and WEP shared key authentication are implemented on the AC and AP
respectively; therefore, the brute force attack detection points are also different, as shown in
the following figure.
Figure 2-14 Brute force PSK cracking detection and WEP shared key cracking
Defense against brute force cracking attacks is also required for user authentication modes,
such as MAC address authentication, Portal authentication, and 802.1x authentication. The
defense principles are as follows:
MAC address authentication: The MAC address of the terminal is used as the account for
RADIUS authentication. If the user fails the authentication, the user is "punished" and
added to the blacklist. The user is denied access for the specified time (for
example, 60s).
Portal authentication/802.1x authentication: If a user fails the authentication three
consecutive times within 60 seconds (the number of allowed authentication attempts and
the time threshold can be configured), the user is considered to be launching a brute force
cracking attack and is added to the blacklist. The user is denied access for the specified time
(for example, 60s).
1. The dynamic blacklist function is enabled and the blacklist entry aging time is set on the
AC.
2. The AC sends the dynamic blacklist enabled flag and blacklist entry aging time to the
AP.
3. The WIDS attack detection mode, detection period, and detection threshold (number of
packets detected within the specified period to identify an attack) are configured on the
AC.
4. The AC sends the detection mode, detection period, and detection threshold to the AP.
5. The AP performs attack detection according to the configuration.
6. When the AP detects an attack, it reports the attack information to the AC, including the
rogue device MAC address and attack type. The AC receives the attack information and
adds the received information to the attack record. If the AP does not detect attacks from
this rogue device again in the next three attack detection periods, it requests the AC to
delete the corresponding attack record.
7. The AP determines whether to add the rogue device to the dynamic blacklist. If the AP
adds the rogue device to the dynamic blacklist, the AP reports the dynamic blacklist
entry to the AC. The AC adds this entry to the dynamic blacklist cache.
8. The AC records attack types and sends trap messages to report the attack types to the
NMS.
9. The AP drops packets sent from blacklisted devices.
10. When the configured aging time (penalty time) is reached, dynamic blacklist entries are
automatically deleted and normal access of the attacker is restored.
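The detection and blacklisting procedure above, and the PSK cracking defense described earlier, reduce to the same counter: y frames of one type from one MAC within x seconds marks an attack (defaults x = 60 s, y = 30), the attack record is dropped after three quiet detection periods, and the blacklist entry ages out after the penalty time. The following is an added example of that logic, not Huawei's AP or AC code; the 600 s aging time and the attacker MAC are constructed values.

```python
"""Flood / brute-force detection with a dynamic blacklist and aging."""
from collections import defaultdict, deque


class FloodDetector:
    def __init__(self, period_s=60, threshold=30, aging_s=600, quiet_periods=3):
        self.period = period_s              # x: detection period in seconds
        self.threshold = threshold          # y: frames per period that mean "attack"
        self.aging = aging_s                # blacklist penalty time (600 s is an assumption)
        self.quiet_periods = quiet_periods  # attack record kept for this many quiet periods
        self.windows = defaultdict(deque)   # (mac, frame_type) -> arrival times
        self.attack_records = {}            # mac -> time of the last detection
        self.blacklist = {}                 # mac -> expiry time

    def _age(self, now):
        """Expire blacklist entries and attack records that have gone quiet."""
        for mac, expiry in list(self.blacklist.items()):
            if now >= expiry:
                del self.blacklist[mac]     # penalty over: normal access restored
        for mac, last in list(self.attack_records.items()):
            if now - last >= self.quiet_periods * self.period:
                del self.attack_records[mac]

    def on_frame(self, now, mac, frame_type):
        """Process one received frame; returns 'drop', 'attack' or 'ok'."""
        self._age(now)
        if mac in self.blacklist:
            return "drop"                   # blacklisted sender: discard, do not count
        win = self.windows[(mac, frame_type)]
        win.append(now)
        while win and now - win[0] >= self.period:
            win.popleft()                   # keep only frames inside the x-second window
        if len(win) >= self.threshold:
            self.attack_records[mac] = now  # what the AP reports to the AC
            self.blacklist[mac] = now + self.aging
            win.clear()
            return "attack"
        return "ok"


def simulate():
    """Constructed burst: 30 probe requests in 30 s from one MAC, then single
    frames at t = 30, 209 and 629 s. Returns the verdicts and the detector."""
    det = FloodDetector()
    mac = "aa:bb:cc:00:00:99"               # constructed attacker MAC
    first = [det.on_frame(t, mac, "probe_request") for t in range(30)]
    after = {t: det.on_frame(t, mac, "probe_request") for t in (30, 209, 629)}
    return first, after, det
```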
The following figure shows how a WIDS-enabled AP processes attacks.
[Figure: AP attack-processing flowchart. Receive packet; if the blacklist is enabled and the device is in the blacklist, drop the packet. Otherwise check, in turn, whether flood attack detection is enabled; whether spoofing attack detection is enabled and the packet is a broadcast Deauthentication/Disassociation frame; whether weak IV attack detection is enabled and the packet contains a weak IV; and whether defense against WEP shared key cracking is enabled. Each positive check reports the attacking device information to the AC.]
After the AC receives the attacking device information reported by the AP, it adds the attacker
to the attacking device list, collects attack statistics based on the attack types, and sends trap
messages. The devices on the attacking device list are ordered by detection time.
When the number of attacking device entries reaches the maximum, new attacking device
entries overwrite the oldest ones.
Statistics information: Upon receipt of WIDS attack detection packets sent from the AP,
the AC collects attack statistics, including the attack types and the number of attacks.
Traps: The AC sends trap messages only when spoofing and flood attacks are detected.
The trap message carries the AP's MAC address, attacking device's MAC address,
channel, and attack type. The alarm suppression and match functions need to be enabled.
If a flood attack or a PSK cracking attack is detected, the AC with the dynamic
blacklist enabled adds the attacking device to the dynamic blacklist and delivers the blacklist to the AP.
The AP discards packets from the attacking device. If the attacking device is already associated with
the AP, the AP must disassociate from the device; the driver provides the disassociation
interface. The AC maintains the dynamic blacklist entries and their aging mechanism.
After a dynamic blacklist entry ages out, the AC delivers information to the AP
requesting the AP to delete the entry. The same attacking device may be detected by
different APs. Therefore, the entry must record which APs detected the
attack, and the aging mechanism takes effect only on the correct AP. If the AC cannot deliver the
dynamic blacklist deletion information to the AP, the dynamic blacklist entry remains in
effect on the AP. To prevent this problem, the AC and AP use the same dynamic blacklist
aging mechanism.
Huawei static STA blacklist can also be used for countering unauthorized devices. The system
administrator can add devices to be countered to the STA static blacklist. When the devices are detected,
the system takes countermeasures against them.
3 Benefits to Customers
WIDS and WIPS provide different functions on enterprise networks of different scales:
On family networks or small enterprise networks: control access from APs and clients
using blacklist and whitelist. Access control is implemented on ACs and irrelevant to
APs.
(For more details, see AP and user access control documents.)
On small and medium enterprise networks: WIDS detects attacks from unauthorized
devices.
On medium and large enterprise networks: detect and identify rogue devices, and take
countermeasures to protect the networks.
In addition to secure WLAN access, a large-sized network requires a system that can detect
rogue wireless devices and reject access from these devices to protect services of authorized
users.
WIDS also detects attacks such as flood attacks, weak IV attacks, spoofing attacks,
WPA/WPA2/WAPI pre-shared key cracking, and WEP shared key cracking. WIDS records
logs, statistics, and alarms to notify network administrators of the attacks. The AC adds
devices that perform flood attacks and key cracking to the dynamic blacklist and rejects
packets from these devices within the aging time of the dynamic blacklist.
[Figure: ChinaNet and CMCC each operate an AC and APs over the same IP network in a public place.]
In public places, such as airports or railway stations, multiple carriers deploy WLANs to
cover public areas. APs of each WLAN system can listen on WLAN signals of other carriers'
APs. Signal interference between different WLAN systems cannot be avoided, but all the APs
are authorized. To prevent incorrect report about rogue APs or STAs, configure the SSID
whitelist on the devices.
Key configuration commands are as follows: (ChinaNet is taken as an example)
# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to
continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Add CMCC to the SSID whitelist.
[Figure: a shared office building. Company A leases Floor 5; company B leases Floor 4.]
The preceding configuration commands apply to scenarios where multiple companies share
one office building. As shown in the preceding figure, company A leases offices in Floor 5
while company B leases offices in Floor 4. Devices of company B can receive signals from
company A. To prevent incorrect report on rogue devices, company B needs to add company
A to the SSID whitelist.
[Figure: company A's WLAN with SSID Corp managed by an AC. An unauthorized AP offers SSID Jack; another unauthorized AP offers the company SSID Corp; STA C is within range.]
As shown in the preceding figure, some employees deploy Fat APs or enable the AP function
on personal smart terminals without company authorization. The unauthorized AP on the left
offers the SSID Jack to connect personal devices, for example, pads. The signals transmitted
by the AP may interfere with the company's WLAN system or even leak company
information. The AP on the right poses higher security risks: the SSID it provides is
the same as the company SSID. The AP pretends to be an authorized AP on the company
WLAN to set up connections with company devices and intercept company information.
To defend against the rogue APs, enable WIDS on the company's WLAN system to counter
the APs using the spoofing SSID. After WIDS and WIPS are configured on the AC, the
monitor AP collects neighbor information and reports it to the AC. When the AC identifies the
rogue AP, the AC notifies the monitor AP of the rogue AP's identity information. The monitor
AP then uses the rogue AP's identity information to broadcast a Deauthentication frame. After
STAs associating with the rogue AP receive the Deauthentication frame, they disassociate
from the rogue AP. This countermeasure prevents STAs from associating with the rogue AP.
Key configuration commands are as follows:
# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to
continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Configure WIPS to counter the rogue APs.
[AC-wlan-radio-0/0] countermeasures enable
[AC-wlan-radio-0/0] countermeasures mode rogue ap
[AC-wlan-radio-0/0] quit
[Figure: attack detection on the company WLAN. The AC manages APs over the IP network; malicious terminals and a malicious STA attack the APs.]
Malicious users or terminals infected with viruses may attack the system. After WIDS is
enabled on the company WLAN, the WLAN devices can detect flood, spoofing, and brute
force cracking attacks. After a rogue terminal is identified, the WLAN device adds the rogue
terminal to the dynamic blacklist and discards packets from the terminal within the specified
period to protect the system against attacks.
Key configuration commands are as follows:
# Configure WIDS.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, are you sure to
continue?(y/n)[n]:y
[AC-wlan-radio-0/0] device detect enable
# Enable the dynamic blacklist function.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] dynamic-blacklist enable