Wireless_DWIT_IDS

Wireless > IDS

Wireless Intrusion Detection Services (WIDS) greatly increase the security capabilities of the ADTRAN wireless security appliances by enabling them to recognize, and even take countermeasures against, the most common types of illicit wireless activity. WIDS consists of three types of services: Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection. Wireless IDS logging and notification can be enabled under Log > Categories by selecting the WLAN IDS checkbox under Log Categories and Alerts.

Access Point IDS

When the Radio Role of the wireless security appliance is set to Access Point mode, all three types of WIDS services are available, but Rogue Access Point detection, by default, acts in a passive mode (passively listening to other Access Point Beacon frames only on the selected channel of operation). Selecting Scan Now momentarily changes the Radio Role to allow the wireless security appliance to perform an active scan, and may cause a brief loss of connectivity for associated wireless clients. While in Access Point mode, the Scan Now function should only be used if no clients are actively associated, or if the possibility of client interruption is acceptable.

Intrusion Detection Settings

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this does not represent a deficiency in the security of a specific wireless device, it is a weakness in the overall security of wireless networks.

The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all 802.11a, 802.11g, and 802.11n channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation.

Select the Enable Rogue Access Point Detection checkbox to specify the rogue access point detection method. The Authorized Access Points menu allows you to specify All Authorized Access Points, Create new MAC Address Object Group, or Select an Address Object Group.

The Authorized Access Points menu allows you to specify which access points the firewall will consider authorized when it performs a scan. You can select All Authorized Access Points to allow all wireless appliances, or you can select Create new MAC Address Object Group to create an address object group containing a group of MAC addresses, which limits the list to only those wireless appliances whose MAC addresses are contained in the address object group.

Select Create Address Object Group to add a new group of MAC address objects to the list.

Discovered Access Points

The Discovered Access Points table displays information on every access point that can be detected by all your wireless appliances, or on an individual wireless appliance basis:

MAC Address (BSSID): The MAC address of the radio interface of the detected access point.

SSID: The radio SSID of the access point.

Channel: The radio channel used by the access point.

Manufacturer: The manufacturer of the access point. NetVanta wireless appliances will show a manufacturer of either ADTRAN or Senao.

Signal Strength: The strength of the detected radio signal.

Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.

Authorize: Click the icon in the Authorize column to add the access point to the address object group of authorized access points.

Scanning for Access Points

Active scanning occurs when the wireless security appliance starts up, and at any time Scan Now is clicked at the bottom of the Discovered Access Points table. When the wireless security appliance is operating in a Bridge Mode, the Scan Now feature does not cause any interruption to the bridged connectivity. When the wireless security appliance is operating in Access Point Mode, however, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows:

Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill effects.

Persistent connections (protocols such as FTP) are impaired or severed.
 
Caution
The Scan Now feature causes a brief disruption in service. If this is a concern, wait and use the Scan Now feature at a time when no clients are active, or the potential for disruption becomes acceptable.

Authorizing Access Points on Your Network

Access Points detected by the wireless security appliance are regarded as rogues until they are identified to the wireless security appliance as authorized for operation. To authorize an access point, select it in the list of access points discovered by the wireless security appliance scanning feature, and add it by clicking the Authorize icon.
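The following is an added example, not ADTRAN's code, showing the classification rule described above: every discovered BSSID is a rogue unless it appears in the authorized MAC address object group (or the All Authorized Access Points choice is selected). It goes slightly beyond the page by normalizing MAC notation before comparing and by flagging rogues that advertise the same SSID as an authorized access point; DiscoveredAP, normalize_mac, classify and rogues_sharing_authorized_ssid are assumed names, and the scan rows and group contents are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DiscoveredAP:
    """One row of the Discovered Access Points table (constructed, not real scan data)."""
    bssid: str    # MAC Address (BSSID) column
    ssid: str
    channel: int

# None stands in for the "All Authorized Access Points" menu choice.
ALL_AUTHORIZED = None

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-A0-C8-...' and '00a0c8...' compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(discovered, authorized_group):
    """Map each BSSID to 'authorized' or 'rogue'; matching is on BSSID only, never on SSID."""
    if authorized_group is ALL_AUTHORIZED:
        return {ap.bssid: "authorized" for ap in discovered}
    allowed = {normalize_mac(m) for m in authorized_group}
    return {ap.bssid: ("authorized" if normalize_mac(ap.bssid) in allowed else "rogue")
            for ap in discovered}

def rogues_sharing_authorized_ssid(discovered, authorized_group):
    """Rogues advertising an SSID also used by an authorized AP (assumed triage rule, not a product feature)."""
    verdict = classify(discovered, authorized_group)
    trusted_ssids = {ap.ssid for ap in discovered if verdict[ap.bssid] == "authorized"}
    return sorted(ap.bssid for ap in discovered
                  if verdict[ap.bssid] == "rogue" and ap.ssid in trusted_ssids)

# Constructed scan results and authorized MAC address object group.
SCAN = [
    DiscoveredAP("00:A0:C8:11:22:33", "corp-wlan", 6),
    DiscoveredAP("00-a0-c8-44-55-66", "corp-wlan", 6),    # authorized, different MAC notation
    DiscoveredAP("02:11:22:33:44:55", "corp-wlan", 11),   # unknown radio using the corporate SSID
    DiscoveredAP("0c:aa:bb:cc:dd:ee", "guest-cafe", 1),
]
AUTHORIZED = {"00:a0:c8:11:22:33", "00A0C8445566"}

if __name__ == "__main__":
    for bssid, verdict in classify(SCAN, AUTHORIZED).items():
        print(f"{bssid:20} {verdict}")
    print("rogues on a trusted SSID:", rogues_sharing_authorized_ssid(SCAN, AUTHORIZED))
```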