
IDS/IPS system for IAP doesn't work?

  • 1.  IDS/IPS system for IAP doesn't work?

    Posted Feb 24, 2017 04:02 AM

    Good day,

    I have had a really hard time understanding the main differences between security features in Controller vs IAP-VPN based solutions.

    I wanted to test a really basic security feature on an IAP cluster, AP impersonation, by setting up an access point with the same SSID and MAC address. I set the security settings to MAX on everything, detection and protection. Yet some clients still joined my fake AP... and stayed there for more than 3 hours!?

    I also tried sending Deauth broadcasts with the AP's MAC address and they worked; all the clients were disconnecting and connecting to my fake AP.

    Shouldn't these IPS features be working?

    Would a Controller with RFProtect license solve these flaws?

    Has anyone had similar issues?



  • 2.  RE: IDS/IPS system for IAP doesn't work?

    EMPLOYEE
    Posted Feb 24, 2017 04:50 AM

    You cannot just simply set the IDS/IPS features to max and have them just work. You need to configure what you need and test. You need to configure detection, protection and containment specific to what you want to protect. Lastly, maximum protection occurs when the device doing the protection is an Air Monitor and not serving clients.



  • 3.  RE: IDS/IPS system for IAP doesn't work?

    Posted Feb 24, 2017 05:30 AM

    I actually tried it with only specific options enabled and got the same results; at the very end I put everything to max in hopes that something will happen. I will do these tests with one of the APs working as an AM, but does this mean that without Air Monitor enabled on one of the APs I am able to deauth and spoof that SSID?



  • 4.  RE: IDS/IPS system for IAP doesn't work?

    EMPLOYEE
    Posted Feb 24, 2017 05:48 AM

    The protection is greater if you have an Air Monitor because it is dedicated to protection and it is not splitting its time between IDS and serving clients.  You need to configure a custom policy and choose your containment to make sure your policy is being enforced.



  • 5.  RE: IDS/IPS system for IAP doesn't work?

    Posted Mar 14, 2017 05:40 AM

    I am sorry for the late reply, I was sick and out of the country for a while.

    I did as you suggested and set up one of the Aruba devices as an Air Monitor.

    To go really basic here, I created a hotspot on my mobile phone with the same SSID, and after deauthenticating (from Kali Linux) OR just plain restarting the wifi interface, it joined my mobile phone's wifi interface.

    It stayed there for more than 1 hour!

    Shouldn't it be deauthenticating it from my phone's hotspot!? Why aren't these basic IPS functions working, as they are written on the specs sheet?

    I have all of the IDS/IPS functionality enabled and one of the devices is functioning as an Air Monitor...