Configuring wlan ids, Overview, Terminology – H3C Technologies H3C MSR 50 User Manual

56

Configuring WLAN IDS

The terms AP and fat AP in this document refer to MSR 900, MSR 930, and MSR 20-1X routers with IEEE

802.11b/g and MSR series routers installed with a SIC WLAN module.

Overview

802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients,

ad hoc networks, and DoS attacks. Rogue devices are a serious threat to enterprise security. Wireless

intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a

wireless network. WIPS helps to protect enterprise networks and users from unauthorized wireless access.
The Rogue detection feature is a part of the WIDS/WIPS solution, which detects the presence of rogue

devices in a WLAN network and takes countermeasures to prevent rogue devices operation.

Terminology

•

WIDS—WLAN IDS is designed to be deployed in an area that an existing wireless network covers.

It aids in the detection of malicious outsider attacks and intrusions through the wireless network.

•

Rogue AP—An unauthorized or malicious access point on the network, such as an employee setup
AP, misconfigured AP, neighbor AP or an attacker operated AP. It is not authorized, so if any

vulnerability occurs on the AP, the hacker has a chance to compromise your network security.

•

Rogue client—An unauthorized or malicious client on the network.

•

Rogue wireless bridge—Unauthorized wireless bridge on the network.

•

Monitor AP—An AP that scans or listens to 802.11 frames to detect wireless attacks in the network.

•

Ad hoc mode—Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can
communicate directly with other stations without support from any other device.

•

Passive scanning—In passive scanning, a monitor AP listens to all the 802.11 frames over the air in
that channel.

•

Active scanning—In active scanning, a monitor AP, besides listening to all 802.11 frames, sends a

broadcast probe request and receives all probe response messages on that channel. Each AP in the
vicinity of the monitor AP replies to the probe request. This helps identify all authorized and

unauthorized APs by processing probe response frames. The monitor AP masquerades as a client

when sending the probe request.

Attack detection

The attack detection function detects intrusions or attacks on a WLAN network, and informs the network

administrator of the attacks through recording information or sending logs. At present, WIDS detection

supports detection of the following attacks:

•

Flood attack

•

Spoofing attack

•

Weak IV attack