Q1 - Detection
Wanted to clarify about the Aruba WIPS detection:
-When the detections signatures are turned ON, it will perform detection and log the events into WIDS Events.
- Do any action take place after an attack is detected ?
- Or detection is purely for reporting the attack activities.


Q2 – Protection – rogue_containment
Wanted to clarify the Aruba WIPS protection:
-IF none of the protection signatures are turned ON, no containment will happen.
-The type of containment methods that can be defined are DEAUTH/Tarpit Invalid station/ Tarpit stations.
-Default is set to NONE. Even though the rogue_containment is turned on in the AP protection setting – no action is taken unless enabled with one of the methods is defined.

Q3 – Protection - others
Wanted to clarify the Aruba WIPS protection:
-IF enabled all the following protections:
-Protect_ssid
-Protect_ap_impersonation
-Protect_adhoc_network
-Protect_valid_sta
-Protect_windows_bridge.
Take protect_ssid as example, where protect_ssid is enabled.
Protecting SSIDs defination : Protect SSID ensures that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating with the AP.
Let's say we bring in the offending APs into the corporate Wi-Fi environment.
The offending APs are broadcasting a similar SSID used by corporate valid APs.
This protection policy, protect_ssid, will detect and contain the offending AP by disallowing clients to associate (or Tarpit) with the offending AP. My statement correct ?
------------------------------
Choh Koon
------------------------------