426
At present, spoofing attack detection counters this type of attack by detecting broadcast
de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it
is identified as a spoofed frame, and the attack is immediately logged.
Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. An IV and a key
are used to generate a key stream, and thus encryptions using the same key have different results. When
a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key may be exposed to potential attackers. When the shared secret key is
compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
Blacklist and white list
Blacklist and white list
You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby
implement client access control.
The WLAN client access control is accomplished through the following types of lists.
• White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
is used, only permitted clients can access the WLAN, and all frames from other clients are
discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.
• Dynamic blacklist—Contains MAC addresses of clients whose frames are dropped. A client is
dynamically added to the list if it is considered sending attacking frames until the timer of the entry
expires.
Process procedure
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the
frame as follows:
1. If the source MAC address does not match any entry in the white list, it is dropped. If there is a
match, the frame is considered valid and processed.
2. If no white list entries exist, the static and dynamic blacklists are searched.
If the source MAC address matches an entry in any of the two lists, it is dropped.
If there is no match, or no blacklist entries exist, the frame is considered valid and processed.
Configuring WIDS
Configuring WIDS
1. Select Security > WIDS from the navigation tree.
You will enter the WIDS Setup tab.
To Next Page
Loading...
