
Configuring wlan ids, Terminology, Rogue detection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Configuring WLAN IDS

802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise security. A wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a wireless network. A wireless intrusion prevention system (WIPS) helps to protect enterprise networks and users from unauthorized wireless access. The rogue detection feature is a part of the WIDS/WIPS solution. It detects the presence of rogue devices in a WLAN network and takes countermeasures to prevent rogue devices from operating.

Terminology

WLAN intrusion detection system—WLAN IDS is designed to be deployed in an area that an existing wireless network covers. It aids in the detection of malicious outsider attacks and intrusions via the wireless network.

Rogue AP—An unauthorized or malicious access point on the network, such as an AP set up by an employee, a misconfigured AP, a neighbor AP, or an attacker-operated AP. Because it is not authorized, any vulnerability on the AP gives an attacker a chance to compromise your network security.

Rogue client—An unauthorized or malicious client on the network.

Rogue wireless bridge—An unauthorized wireless bridge on the network.

Monitor AP—An AP that scans or listens to 802.11 frames to detect wireless attacks in the network.

Ad hoc mode—Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can directly communicate with other stations without support from any other device.

Passive scanning—In passive scanning, a monitor AP listens to all the 802.11 frames over the air in that channel.

Active scanning—In active scanning, a monitor AP, besides listening to all 802.11 frames, sends a broadcast probe request and receives all probe response messages on that channel. Each AP in the vicinity of the monitor AP replies to the probe request. Processing the probe response frames helps identify all authorized and unauthorized APs. The monitor AP masquerades as a client when sending the probe request.

Rogue detection

Detecting rogue devices

Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN network based on the pre-configured rules.

Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue clients, rogue wireless bridges, and ad-hoc terminals.
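The following Python sketch is an added example, not code from the manual or from the H3C product. It shows how a monitor could process the beacon and probe response frames described under active and passive scanning, and sort senders into authorized APs, rogue APs, and ad hoc terminals. The BSSID allowlist, the function names, and the sample frames are assumptions constructed for illustration; the device's actual rules are not shown on this page.

```python
import struct
# Assumption: a static BSSID allowlist stands in for the "pre-configured rules";
# the manual page does not show the device's actual rule set.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}   # constructed value
PROBE_RESP, BEACON = 5, 8                   # 802.11 management subtypes
CAP_ESS, CAP_IBSS = 0x0001, 0x0002          # capability bits: AP / ad hoc

def parse_mgmt(frame):
    """Parse a beacon or probe response (no radiotap header, no FCS)."""
    if len(frame) < 36:                     # 24-byte header + 12 fixed bytes
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (PROBE_RESP, BEACON):
        return None
    bssid = ":".join(f"{x:02x}" for x in frame[16:22])   # address 3
    (cap,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = None, 36
    while pos + 2 <= len(frame):            # walk tagged elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:              # truncated element: stop parsing
            break
        if tag == 0:                        # SSID element
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "cap": cap}

def classify(frame):
    info = parse_mgmt(frame)
    if info is None:
        return "ignored"
    if info["cap"] & CAP_IBSS:
        return "ad hoc terminal"
    return "authorized AP" if info["bssid"] in AUTHORIZED_BSSIDS else "rogue AP"

def build_frame(subtype, bssid, cap, ssid):
    """Build a constructed sample frame; addressed to a made-up monitor AP MAC."""
    b = bytes.fromhex(bssid.replace(":", ""))
    monitor = bytes.fromhex("020000000001")
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + monitor + b + b + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

if __name__ == "__main__":
    for args in [(PROBE_RESP, "00:11:22:33:44:55", CAP_ESS, "corp"),
                 (PROBE_RESP, "66:77:88:99:aa:bb", CAP_ESS, "corp"),
                 (BEACON, "02:aa:bb:cc:dd:ee", CAP_IBSS, "adhoc")]:
        print(args[1], classify(build_frame(*args)))
```

The second sample advertises the same SSID as the authorized AP from a BSSID that is not on the allowlist, which is why the check keys on the BSSID and not on the network name.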

Taking countermeasures against rogue device attacks

You can enable the countermeasures function on a monitor AP. The monitor AP downloads an attack list from the AC and takes countermeasures against the rogue devices based on the configured countermeasures mode.