Configuring wlan ids, Overview, Terminology – H3C Technologies H3C MSR 50 User Manual
Configuring WLAN IDS
The terms AP and fat AP in this document refer to MSR 900, MSR 930, and MSR 20-1X routers with IEEE
802.11b/g and MSR series routers installed with a SIC WLAN module.
Overview
802.11 networks are susceptible to a wide array of threats, such as unauthorized access points and clients,
ad hoc networks, and DoS attacks. Rogue devices are a serious threat to enterprise security. A wireless
intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a
wireless network. A wireless intrusion prevention system (WIPS) helps to protect enterprise networks and
users from unauthorized wireless access. The rogue detection feature is part of the WIDS/WIPS solution.
It detects the presence of rogue devices in a WLAN and takes countermeasures to prevent them from operating.
Terminology
• WIDS—WLAN IDS is designed to be deployed in an area that an existing wireless network covers.
  It aids in the detection of malicious outsider attacks and intrusions through the wireless network.
• Rogue AP—An unauthorized or malicious access point on the network, such as an AP set up by an
  employee, a misconfigured AP, a neighbor AP, or an attacker-operated AP. Because it is not authorized,
  any vulnerability on the AP gives a hacker a chance to compromise your network security.
• Rogue client—An unauthorized or malicious client on the network.
• Rogue wireless bridge—An unauthorized wireless bridge on the network.
• Monitor AP—An AP that scans or listens to 802.11 frames to detect wireless attacks in the network.
• Ad hoc mode—Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can
  communicate directly with other stations without support from any other device.
• Passive scanning—In passive scanning, a monitor AP listens to all the 802.11 frames over the air in
  that channel.
• Active scanning—In active scanning, a monitor AP, besides listening to all 802.11 frames, sends a
  broadcast probe request and receives all probe response messages on that channel. Each AP in the
  vicinity of the monitor AP replies to the probe request. This helps identify all authorized and
  unauthorized APs by processing probe response frames. The monitor AP masquerades as a client
  when sending the probe request.
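The probe response processing described under active scanning, as an added Python example (not from the H3C manual and not H3C's implementation): it parses raw 802.11 probe response frames, reads the BSSID, SSID and the IBSS capability bit, and labels each sender against an allow list. It assumes frames start at the 802.11 header with no radiotap header or FCS; the allow list, sample addresses, SSIDs and verdict labels are constructed for illustration.

```python
import struct

PROBE_RESPONSE_FC0 = 0x50  # version 0, type 0 (management), subtype 5
CAP_IBSS = 0x0002          # capability bit set by ad hoc (IBSS) stations

def parse_probe_response(frame):
    """Return (bssid, ssid, is_adhoc), or None if not a probe response."""
    if len(frame) < 36 or frame[0] != PROBE_RESPONSE_FC0:
        return None
    bssid = ":".join(f"{x:02x}" for x in frame[16:22])  # address 3
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = None, 36  # tagged elements follow the 12 fixed bytes
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elem_len]
        if len(data) < elem_len:  # truncated element: stop, do not guess
            break
        if elem_id == 0:          # SSID element
            ssid = data.decode("utf-8", errors="replace")
            break
        pos += 2 + elem_len
    return bssid, ssid, bool(capability & CAP_IBSS)

def classify(frame, authorized_bssids):
    """Label one frame 'authorized', 'rogue' or 'adhoc' (example labels)."""
    parsed = parse_probe_response(frame)
    if parsed is None:
        return None
    bssid, ssid, is_adhoc = parsed
    if is_adhoc:
        return bssid, ssid, "adhoc"
    verdict = "authorized" if bssid in authorized_bssids else "rogue"
    return bssid, ssid, verdict

def build_probe_response(bssid, ssid, capability):
    """Build a constructed sample frame: header, fixed fields, SSID element."""
    addr = bytes.fromhex(bssid.replace(":", ""))
    dest = bytes.fromhex("020000000099")  # constructed monitor AP address
    header = b"\x50\x00\x00\x00" + dest + addr + addr + b"\x00\x00"
    fixed = bytes(8) + struct.pack("<HH", 100, capability)
    name = ssid.encode()
    return header + fixed + bytes([0, len(name)]) + name

AUTHORIZED = {"02:00:00:aa:bb:01"}  # constructed allow list
SAMPLES = [                          # constructed probe responses
    build_probe_response("02:00:00:aa:bb:01", "corp", 0x0001),
    build_probe_response("02:00:00:cc:dd:02", "corp", 0x0001),
    build_probe_response("02:00:00:ee:ff:03", "printer", 0x0002),
]
RESULTS = [classify(f, AUTHORIZED) for f in SAMPLES]
```

The second sample advertises the same SSID as the authorized AP from a BSSID that is not on the allow list, which is why the verdict is keyed on the BSSID and not the network name.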
Attack detection
The attack detection function detects intrusions or attacks on a WLAN network, and informs the network
administrator of the attacks by recording information or sending logs. At present, WIDS can detect
the following attacks:
• Flood attack
• Spoofing attack
• Weak IV attack