Environment: This article applies to all Aruba Access Points and all Aruba Instant Access Points running ArubaOS and InstantOS, respectively.
Wireless Intrusion Detection System (WIDS) monitors the network for the presence of unauthorized access points (AP) and clients. It also logs and generates reports based on the logged information. In a wireless network with Instant APs, this feature allows you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
A rogue AP is an unauthorized AP plugged into the wired network.
An interfering AP is an AP that is seen in the RF environment but is not connected to the wired network. While an interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
The WIDS contains the following two sections:
1. Infrastructure IDS: For the network to function as intended, attacks on the infrastructure must be detected and mitigated. The infrastructure consists of authorized APs, the RF medium, and the wired network to which APs are connected.
2. Client IDS: System monitoring allows users to monitor the clients connected to a network. Associated clients authenticate with the network and are considered valid stations. The system looks for various attacks that are targeted at clients connected to the wireless network. The system can also watch for valid stations that attempt to connect to rogue or neighbor APs.
The detection settings in Aruba Central for the infrastructure and the client can be turned off or set to a predefined high, medium, or low level.
- High - Enables all the applicable protection mechanisms
- Medium - Enables important protection mechanisms
- Low - Enables the most critical protection mechanisms
This wizard also allows custom settings.
NOTE: It is recommended to set the detection settings as Low. This ensures only the most critical attacks are detected. Setting it to Medium or High may result in false positives or too many alerts.
Wireless Intrusion Protection System (WIPS) offers a wide selection of protection features to protect the network against the threats detected. Device classification is the first step in securing the corporate environment from unauthorized wireless access. Adequate measures that quickly shut down intrusions are critical in protecting sensitive information and network resources. APs and stations must be accurately classified to determine whether they are valid, rogue, or a neighboring AP.
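The following added example (not Aruba code and not part of the original article) sketches the classification described above: an AP is valid, rogue, or interfering, an interfering AP is reclassified as rogue once wired evidence appears, and a valid station attempting to connect to a non-valid AP raises an alert. The Classifier class, the seen_on_wire input, and the rule that a rogue verdict is never downgraded are assumptions made for illustration; the MAC addresses are constructed.

```python
from dataclasses import dataclass, field

VALID, ROGUE, INTERFERING = "valid", "rogue", "interfering"

@dataclass
class Classifier:
    authorized_bssids: set                      # BSSIDs of our own APs
    valid_stations: set                         # clients authenticated with our network
    state: dict = field(default_factory=dict)   # bssid -> current class

    def __post_init__(self):
        # Normalise MAC case so comparisons are reliable.
        self.authorized_bssids = {m.lower() for m in self.authorized_bssids}
        self.valid_stations = {m.lower() for m in self.valid_stations}

    def observe_ap(self, bssid, seen_on_wire):
        """Classify an AP heard in the RF environment.

        seen_on_wire is an assumed input: True when there is evidence that
        the AP is plugged into the wired network.
        """
        bssid = bssid.lower()
        if bssid in self.authorized_bssids:
            self.state[bssid] = VALID
        elif seen_on_wire or self.state.get(bssid) == ROGUE:
            # Unauthorized and on the wire. Assumption: a rogue verdict is
            # kept even if a later scan carries no wired evidence.
            self.state[bssid] = ROGUE
        else:
            self.state[bssid] = INTERFERING
        return self.state[bssid]

    def observe_association(self, station, bssid):
        """Return an alert when a valid station tries a non-valid AP, else None."""
        station, bssid = station.lower(), bssid.lower()
        # An unauthorized AP never classified before has no wired evidence yet.
        ap_class = (VALID if bssid in self.authorized_bssids
                    else self.state.get(bssid, INTERFERING))
        if station in self.valid_stations and ap_class != VALID:
            return f"valid station {station} -> {ap_class} AP {bssid}"
        return None

# Constructed sample data (locally administered MAC addresses).
ids = Classifier({"02:00:00:00:00:01"}, {"02:00:00:00:10:01"})
print(ids.observe_ap("02:00:00:00:00:99", seen_on_wire=False))
print(ids.observe_association("02:00:00:00:10:01", "02:00:00:00:00:99"))
print(ids.observe_ap("02:00:00:00:00:99", seen_on_wire=True))
```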
Intrusion protection features support containment of an AP or a client. In the case of an AP, all clients that are connected or attempting to connect to the AP are disconnected. In the case of a client, the client's association to an AP is targeted. The following containment mechanisms are supported:
- Wired containment - When enabled, APs generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment - When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified access point.