Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later)

Page 1145, document 53-1003098-01

Chapter 21: WIPS-POLICY

This chapter summarizes the Wireless Intrusion Protection Systems (WIPS) policy commands in the
CLI command structure.

WIPS is an additional measure of security designed to continuously monitor the network for threats
and intrusions. Along with wireless VPNs, encryption, and authentication policies, WIPS enhances
the security of a WLAN.

The WIPS policy enables detection of the intrusions and threats that a managed network is likely to
encounter. However, the WIPS policy does not include threat mitigation configurations. These
intrusions and threats are available within the WIPS policy configuration mode as preconfigured,
fixed events. Each event consists of a set of frames or anomalies that may be harmful to the
managed network. You can enable or disable various aspects of each individual event.

Events are broadly grouped into the following three categories:

Excessive/Thresholdable events: These events detect DoS attacks, such as excessive
deauthentications and EAP floods. Threshold limits for such events can be configured for mobile
units (MUs) and radios. Once a threshold limit is exceeded, an event is triggered. Stations
triggering an event are usually filtered. You can configure a filter ageout specifying the time for
which the station that triggered the event is filtered. However, the filter ageout only applies when
the MU threshold is exceeded. When the radio threshold is reached, the system raises a warning and
updates the event history with the event details.

Station/MU anomalies: These events are triggered when an MU performs suspicious activities
that can compromise the security and stability of the managed network. You can configure a
filter ageout, similar to the above class of events, to filter the station triggering such events.

AP/neighbor anomalies: These events are triggered when an AP or neighbor sends suspicious
frames. The system cannot filter APs or neighbors triggering such events. However, the system
warns you about such attacks, allowing you to take further actions against such APs and
neighbors.

In addition to event monitoring configuration, the WIPS policy also allows you to configure a list
of signatures. Unlike events, signatures are not fixed. You are free to define your own signatures
based on a specific set of parameters. A signature is a rule consisting of a set of fields to match
and a corresponding set of actions to take in case of a match. By default, whenever a signature is
matched, an event log is triggered. This event log is similar to the one triggered upon an event. In
addition to an event log, you can also configure other actions. Signatures have all the features
supported by events. In fact, most events are internally implemented as signatures.

Signature rules are of the following three types:

ssid, ssid length rule: This signature matches a specified SSID or SSID length. It is mandatory
to configure the frame type to match for this signature, and the only frame types allowed are
beacon, probe request, and probe response. Example rule: ssid : AirJack and frame type beacon :
Signature for the AirJack attack.

payload rule: This signature matches a particular payload at a particular frame offset. You can
restrict these matches based on frame type. Example rule: Payload : 0x00601d Offset 3 :
Netstumbler
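To illustrate the two signature rule types described above, the following Python evaluates an ssid rule and a payload rule against 802.11 frame bodies; this is an added example, not code from the Brocade guide or the RFS controller. The frame representation, the assumption that the payload offset is counted from the start of the frame body, and the sample frames are constructed for this example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# Frame types an ssid rule may match (only these three) and their fixed-field length.
SSID_FRAME_TYPES = {"beacon", "probe-request", "probe-response"}
FIXED_FIELD_LEN = {"beacon": 12, "probe-response": 12, "probe-request": 0}
Frame = namedtuple("Frame", "frame_type body")  # body: bytes after the MAC header

def parse_ssid(frame: Frame) -> Optional[str]:
    """Return the SSID tagged parameter (tag 0) of a management frame, else None."""
    pos = FIXED_FIELD_LEN.get(frame.frame_type)
    while pos is not None and pos + 2 <= len(frame.body):
        tag, length = frame.body[pos], frame.body[pos + 1]
        if tag == 0:
            return frame.body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None

@dataclass
class SsidRule:
    name: str
    frame_types: frozenset             # mandatory for this rule type
    ssid: Optional[str] = None         # match this exact SSID ...
    ssid_length: Optional[int] = None  # ... and/or an SSID of this length
    def __post_init__(self):
        if not self.frame_types or not self.frame_types <= SSID_FRAME_TYPES:
            raise ValueError("ssid rule needs beacon/probe-request/probe-response types")
    def matches(self, frame: Frame) -> bool:
        ssid = parse_ssid(frame) if frame.frame_type in self.frame_types else None
        return ssid is not None and (self.ssid is None or ssid == self.ssid) \
            and (self.ssid_length is None or len(ssid) == self.ssid_length)

@dataclass
class PayloadRule:
    name: str
    payload: bytes
    offset: int                              # assumed relative to the frame body
    frame_types: Optional[frozenset] = None  # None = any frame type
    def matches(self, frame: Frame) -> bool:
        return (not self.frame_types or frame.frame_type in self.frame_types) \
            and frame.body[self.offset:self.offset + len(self.payload)] == self.payload

def evaluate(frame: Frame, rules) -> list:  # default match action: an event log entry
    return [r.name for r in rules if r.matches(frame)]

# The page's two example rules, plus constructed frames to exercise them.
RULES = [SsidRule("AirJack", frozenset({"beacon"}), ssid="AirJack"),
         PayloadRule("Netstumbler", bytes.fromhex("00601d"), 3, frozenset({"data"}))]
AIRJACK_BEACON = Frame("beacon", bytes(12) + bytes([0, 7]) + b"AirJack")
NETSTUMBLER_DATA = Frame("data", bytes.fromhex("aaaa0300601d0001"))
```

Each name returned by evaluate stands for the event log entry the controller would raise by default; a real deployment would add the other configured actions at that point.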