Higher Education

Frequent Contributor I
Posts: 228
Registered: ‎09-14-2011
IDS / WIPS Configuration Question

One of our computer engineering instructors acquired several new little wireless AP spoofing devices after attending the Ethical Hacker Convention in Atlanta not long ago. He and I have been talking a lot and I need to be able to defeat his devices. One of these little guys scans the local area, grabs SSIDs and their corresponding BSSIDs and can then spoof both SSID and BSSID and also allows you to clone a portal page.

 

My question is this: how do I need to configure my IDS (either manually or through the wizard) to shut that down? My attempts thus far have not met with success, and when I look at my master controller security dashboard I actually see my own authorized APs marked for containment (obviously I am doing something wrong here LOL).

 

Any advice is appreciated!

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007
Re: IDS / WIPS Configuration Question

Try the wizard with the attached parameters. In the Protected SSID field, put your SSIDs that you want protected (case sensitive). If you can put a dedicated air monitor in that AP-Group, that would be desired for the best IDS performance.

 

policy1.png

 

policy2.png



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 228
Registered: ‎09-14-2011
Re: IDS / WIPS Configuration Question

Hmmm I missed the "Protect SSID" part in prior attempts. I'm going to give it a try and I'll let you know!

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
Frequent Contributor I
Posts: 228
Registered: ‎09-14-2011
Re: IDS / WIPS Configuration Question
[ Edited ]

So here is the issue, check the attachment. Why are legitimate APs getting marked for containment? (I used the settings you showed above.)

 

SurfCFCC is our primary SSID.

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007
Re: IDS / WIPS Configuration Question

Let's take a step back. For now, only enable "Detect Valid SSID Misuse". Uncheck Protect SSID and remove those SSIDs.

 

See if that classifies the duplicate APs as rogue without marking the others for containment. Make sure you change the contain status of your SSIDs first, though.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 228
Registered: ‎09-14-2011
Re: IDS / WIPS Configuration Question

Will do. I have a meeting with the instructor this afternoon where we will be testing out his devices, and I will be able to give feedback then.

 

Thanks man!!

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
Frequent Contributor I
Posts: 228
Registered: ‎09-14-2011
Re: IDS / WIPS Configuration Question
[ Edited ]

Ok CJ, here is what has happened so far. Using Detect Valid SSID Misuse by itself did not seem to detect anything :-( and any time I tried to implement either Detect AP Spoofing or Detect AP Impersonation, or a combination of the two, I would get what I showed you in the attachment earlier in this thread. When I leave them UNchecked, it seems fine, but those are two of the things I am looking to protect against.

 

I don't have AirWave yet so I don't know if there is anything there that can help...

 

Any other ideas or suggestions to try?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007
Re: IDS / WIPS Configuration Question

americanmcneil wrote:

Ok CJ, here is what has happened so far. Using Detect Valid SSID Misuse by itself did not seem to detect anything :-( and any time I tried to implement either Detect AP Spoofing or Detect AP Impersonation, or a combination of the two, I would get what I showed you in the attachment earlier in this thread. When I leave them UNchecked, it seems fine, but those are two of the things I am looking to protect against.

 

I don't have AirWave yet so I don't know if there is anything there that can help...

 

Any other ideas or suggestions to try?


Detect Valid SSID Misuse should mark the foreign access point as rogue. That is the first step. You should be able to find the foreign access point in the dashboard. It will not do anything unless we have a "Protect" enabled. Did you see the foreign access point in the dashboard?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
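To make the two-stage behaviour Colin describes concrete (detection classifies a foreign AP advertising a protected SSID as rogue; containment only happens once a "Protect" option is on), here is a small classifier written as an added example for this thread. It is not Aruba code and not how ArubaOS implements its checks; it is a simplified model. The inventory, the protected-SSID list and the air-monitor observation lines are all constructed sample data, and the "suspect" verdict for an authorized BSSID seen with the wrong SSID or channel is an assumed stand-in for the spoofing/impersonation checks, which the thread does not detail.

```python
"""Toy WIPS classifier: detect valid-SSID misuse, contain only when protect is on.

Added example for this thread, not Aruba's code. All inventory and observation
values below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:1a:1e:aa:bb:01": ("SurfCFCC", 6),
    "00:1a:1e:aa:bb:02": ("SurfCFCC", 11),
    "00:1a:1e:aa:bb:03": ("SurfCFCC-Guest", 1),
}

# Protected SSIDs, compared case-sensitively like the controller's field.
PROTECTED_SSIDS = {"SurfCFCC", "SurfCFCC-Guest"}

# Constructed air-monitor observations: "bssid ssid channel rssi" per line.
SAMPLE_OBSERVATIONS = """\
00:1a:1e:aa:bb:01 SurfCFCC 6 -48
00:1a:1e:aa:bb:02 SurfCFCC 11 -55
c4:e9:84:12:34:56 SurfCFCC 6 -39
00:1a:1e:aa:bb:01 SurfCFCC 1 -30
11:22:33:44:55:66 surfcfcc 6 -60
a0:b1:c2:d3:e4:f5 CoffeeShop 11 -70
"""


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi: int


def parse_observations(text):
    """Parse whitespace-separated observation lines into Observation records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, rssi = line.split()
        records.append(Observation(bssid.lower(), ssid, int(channel), int(rssi)))
    return records


def classify(obs, authorized=AUTHORIZED_APS, protected=PROTECTED_SSIDS):
    """Return (verdict, reason) for one observation.

    valid       - BSSID and SSID match the inventory
    rogue       - a protected SSID advertised by a BSSID we do not own
    suspect     - one of our own BSSIDs seen with attributes that disagree
                  with inventory (assumed stand-in for impersonation checks)
    interfering - unknown BSSID advertising an SSID we do not protect
    """
    known = authorized.get(obs.bssid)
    if known is None:
        if obs.ssid in protected:
            return ("rogue", "valid SSID misuse: protected SSID from unknown BSSID")
        return ("interfering", "unknown BSSID, SSID not in the protected list")
    known_ssid, known_channel = known
    if obs.ssid != known_ssid:
        return ("suspect", "authorized BSSID advertising an unexpected SSID")
    if obs.channel != known_channel:
        return ("suspect", "authorized BSSID seen on an unexpected channel")
    return ("valid", "matches inventory")


def classify_all(text):
    """Classify every observation line; returns [(obs, verdict, reason), ...]."""
    return [(obs, *classify(obs)) for obs in parse_observations(text)]


def containment_candidates(results, protect_enabled):
    """BSSIDs to contain. Nothing is contained unless protect is enabled, only
    'rogue' verdicts qualify, and our own authorized BSSIDs never qualify."""
    if not protect_enabled:
        return []
    return sorted({obs.bssid for obs, verdict, _ in results
                   if verdict == "rogue" and obs.bssid not in AUTHORIZED_APS})


if __name__ == "__main__":
    results = classify_all(SAMPLE_OBSERVATIONS)
    for obs, verdict, reason in results:
        print(f"{obs.bssid} {obs.ssid!r:18} ch{obs.channel:<3} {verdict:12} {reason}")
    print("contain (protect off):", containment_candidates(results, False))
    print("contain (protect on): ", containment_candidates(results, True))
```

Two details are worth noticing when running it: the lowercase `surfcfcc` beacon is not matched against the protected list because the comparison is case sensitive, which is the point Colin makes about the Protected SSID field, and the authorized BSSIDs can never end up in the containment list, so if a real deployment shows its own APs marked for containment the inventory (valid-AP classification) is the first thing to check.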

Frequent Contributor I
Posts: 228
Registered: ‎09-14-2011
Re: IDS / WIPS Configuration Question

Hey CJ, as soon as I get some more lab time I'll get back to you on this. It's pretty important, but I am sure you know how busy we all get...

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007
Re: IDS / WIPS Configuration Question

Absolutely.

 

Let us know.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
