Wireless Access

Q1 - Detection

Wanted to clarify about the Aruba WIPS detection:

-When the detections signatures are turned ON, it will perform detection and log the events into WIDS Events.

- Do any action take place after an attack is detected ?

- Or detection is purely for reporting the attack activities.

Q2 – Protection – rogue_containment

Wanted to clarify the Aruba WIPS protection:

-IF none of the protection signatures are turned ON, no containment will happen.

-The type of containment methods that can be defined are DEAUTH/Tarpit Invalid station/ Tarpit stations.

-Default is set to NONE. Even though the rogue_containment is turned on in the AP protection setting – no action is taken unless enabled with one of the methods is defined.

Q3 – Protection - others

Wanted to clarify the Aruba WIPS protection:

-IF enabled  all the following protections:

-Protect_ssid

-Protect_ap_impersonation

-Protect_adhoc_network

-Protect_valid_sta

-Protect_windows_bridge.

Take protect_ssid as example, where protect_ssid is enabled.

Protecting SSIDs defination : Protect SSID ensures that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating with the AP.

Let's say we bring in the offending APs into the corporate Wi-Fi environment.

The offending APs are broadcasting a similar SSID used by corporate valid APs.

This protection policy, protect_ssid, will detect and contain the offending AP by disallowing clients to associate (or Tarpit) with the offending AP. My statement correct ?

yes detection is used purely for events and reporting and yes you need to turn on the protection and containment for it to perform IPS

you can refer to IDPS doco here.

Q1 - Detection

Wanted to clarify about the Aruba WIPS detection:

-When the detections signatures are turned ON, it will perform detection and log the events into WIDS Events.

- Do any action take place after an attack is detected ?

- Or detection is purely for reporting the attack activities.

Q2 – Protection – rogue_containment

Wanted to clarify the Aruba WIPS protection:

-IF none of the protection signatures are turned ON, no containment will happen.

-The type of containment methods that can be defined are DEAUTH/Tarpit Invalid station/ Tarpit stations.

-Default is set to NONE. Even though the rogue_containment is turned on in the AP protection setting – no action is taken unless enabled with one of the methods is defined.

Q3 – Protection - others

Wanted to clarify the Aruba WIPS protection:

-IF enabled  all the following protections:

-Protect_ssid

-Protect_ap_impersonation

-Protect_adhoc_network

-Protect_valid_sta

-Protect_windows_bridge.

Take protect_ssid as example, where protect_ssid is enabled.

Protecting SSIDs defination : Protect SSID ensures that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating with the AP.

Let's say we bring in the offending APs into the corporate Wi-Fi environment.

The offending APs are broadcasting a similar SSID used by corporate valid APs.

This protection policy, protect_ssid, will detect and contain the offending AP by disallowing clients to associate (or Tarpit) with the offending AP. My statement correct ?

Hi ariyap,

Do you mean WIPS depends on WIDS to detect the rogue AP?

WIDS detects the rogue AP, it will register it as the rogue AP in the ROGUE tab, classified as rogue.

For this moment, I am a bit lost about how these relationship of WIDS/IPS  Detection, Protection, RAPID's Rules and the Classification work together to identify rogue and containt it.

Intrusion Detection
The IDS is a feature that monitors the network for the presence of unauthorized APs and clients. It also logs information about the unauthorized APs and clients, and generates reports based on the logged information.

The IDS feature in the Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.

yes detection is used purely for events and reporting and yes you need to turn on the protection and containment for it to perform IPS

you can refer to IDPS doco here.

Q1 - Detection

Wanted to clarify about the Aruba WIPS detection:

-When the detections signatures are turned ON, it will perform detection and log the events into WIDS Events.

- Do any action take place after an attack is detected ?

- Or detection is purely for reporting the attack activities.

Q2 – Protection – rogue_containment

Wanted to clarify the Aruba WIPS protection:

-IF none of the protection signatures are turned ON, no containment will happen.

-The type of containment methods that can be defined are DEAUTH/Tarpit Invalid station/ Tarpit stations.

-Default is set to NONE. Even though the rogue_containment is turned on in the AP protection setting – no action is taken unless enabled with one of the methods is defined.

Q3 – Protection - others

Wanted to clarify the Aruba WIPS protection:

-IF enabled  all the following protections:

-Protect_ssid

-Protect_ap_impersonation

-Protect_adhoc_network

-Protect_valid_sta

-Protect_windows_bridge.

Take protect_ssid as example, where protect_ssid is enabled.

Protecting SSIDs defination : Protect SSID ensures that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating with the AP.

Let's say we bring in the offending APs into the corporate Wi-Fi environment.

The offending APs are broadcasting a similar SSID used by corporate valid APs.

This protection policy, protect_ssid, will detect and contain the offending AP by disallowing clients to associate (or Tarpit) with the offending AP. My statement correct ?