Security, WIDS/WIPS and Aruba ECS

Occasional Contributor II
Posts: 17
Registered: ‎08-05-2009

Adhoc device

So, it seems that someone has figured out that if they set their AP to ad hoc then they are able to attach to it and it works like normal. If they put it in AP mode then it receives a DoS attack from the controller/APs like it should.

The documentation says it's supposed to protect from ad hoc networks, but it's not doing its job.

I am running version 5.0 of ArubaOS.

Here is my unauthorized device config, is there something I am not doing that is allowing this device to go unchecked? I don't believe it's plugged into our network but it is in the building.

IDS Unauthorized Device Profile "ids-unauth-device-custom-setting"
---------------------------------------------------------------------
Parameter Value
--------- -----
Detect Adhoc Networks true
Protect from Adhoc Networks true
Detect Windows Bridge true
Detect Wireless Bridge true
Detect Devices with an Invalid MAC OUI false
MAC OUI detection Quiet Time 900 sec
Adhoc Network detection Quiet Time 900 sec
Wireless Bridge detection Quiet Time 900 sec
Rogue AP Classification true
Overlay Rogue AP Classification true
Valid Wired MACs N/A
Allow Well Known MAC N/A
Rogue Containment true
Suspected Rogue Containment true
Suspected Rogue Containment Confidence Level 60
Protect Valid Stations true
Detect Bad WEP false
Detect Misconfigured AP true
Protect Misconfigured AP false
Protect SSID false
Privacy false
Require WPA false
Valid 802.11g channel for policy enforcement N/A
Valid 802.11a channel for policy enforcement N/A
Valid MAC OUIs N/A
Valid and Protected SSIDs ourssid
Valid and Protected SSIDs ourssid2
Valid and Protected SSIDs ourssid3
Protect 802.11n High Throughput Devices false
Protect 40MHz 802.11n High Throughput Devices false
Detect Active 802.11n Greenfield Mode true

Aruba Employee
Posts: 77
Registered: ‎04-11-2007

Re: Adhoc device

With protect-adhoc-network on like you have it, you should be good. Do you have AMs deployed? To check whether it is being DoS'd, you can run these commands I use to find rogues.

On Master Controller:
============================
1. show wms ap list | include
- look at which Aruba APs (noted by their ether mac) see the rogue ap and at what SNR level they see it.

2. show wms ap
- look at which Aruba APs (noted by their AP names and BSSIDs) see the rogue AP under the title "Probe Info", and note its "RAP_Type" and "Match-MAC"


============================
On Local Controller:
============================
1. show ap monitor ap-list ap-name
2. show ap monitor stats advanced ap-name client-mac
- look for how many and how often the dos frames are being transmitted

Gary
Aruba Employee
Posts: 1,242
Registered: ‎11-07-2008

Re: Adhoc device

From the master, you can also run some commands against the logs (unless you drastically modified logging). Note 'ADHOC' and 'Adhoc' (case sensitive in the two commands below):

(Aruba800) (wms) #show log all all | include Adhoc
Feb 11 04:08:31 am: AM 31.1.2-00:1a:1e:ad:78:20: Adhoc network protection started against SSID adhoctest and BSSID 26:da:aa:36:44:c8

You can see above where protection started

(Aruba800) (wms) #show log all all | include ADHOC
Feb 11 04:06:37 am: AM 31.1.2-00:1a:1e:ad:78:20: ADHOC network detected with Src 00:23:6c:9a:06:75, Dst ff:ff:ff:ff:ff:ff, BSSID 26:da:aa:36:44:c8, and RSSI 39
Feb 11 04:07:39 am: AM 31.1.2-00:1a:1e:ad:78:20: ADHOC network detected with Src 00:23:6c:9a:06:75, Dst ff:ff:ff:ff:ff:ff, BSSID 26:da:aa:36:44:c8, and RSSI 2
Feb 11 04:08:39 am: AM 31.1.2-00:1a:1e:ad:78:20: ADHOC network detected with Src 00:23:6c:9a:06:75, Dst ff:ff:ff:ff:ff:ff, BSSID 26:da:aa:36:44:c8, and RSSI 40

Also, as a side note, we have found more and more cases (in DoD/Federal) where some ad-hoc clients are ignoring the standard 802.11 control frames and are either ignoring deauth/disassociates, can reconnect faster than we can deauth/disassoc, or both. Having dedicated AMs improves containment, as they can spend more time on that channel doing containment. If you have APs you are using as AMs for 110ms every 10sec (default), then it likely will not be enough to totally contain, but you should still get the alert and be able to locate via RSSI or RFPlan/VisualRF.
Jerrod Howard
Sr. Technical Marketing Engineer
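The two `show log` greps above answer the original question one BSSID at a time. When several ad hoc networks show up, it is handier to pull the log once and let a script pair each "ADHOC network detected" line with its "Adhoc network protection started" line, so you can see which BSSIDs were detected but never contained, how long containment took to kick in, and which AM heard the network strongest (the RSSI hint for locating it). The script below is an added example, not Aruba's own tooling or anything from the thread; it only understands the two message formats quoted in the post. The sample log is constructed: the four lines for 26:da:aa:36:44:c8 are the ones quoted above, and the second BSSID (02:11:22:33:44:55), its source MAC and the AM names 31.1.3-... and 31.1.4-... are invented to show a network that is detected but never protected. Feed it the output of `show log all all | include HOC` (or a saved copy) on stdin in place of the sample.

```python
import re
import sys
from datetime import datetime

# Constructed sample log. The 26:da:aa:36:44:c8 lines are the ones quoted in
# the post; the 02:11:22:33:44:55 network, its Src MAC and the AMs 31.1.3-.../
# 31.1.4-... are invented so the script has a detected-but-unprotected case.
SAMPLE_LOG = """\
Feb 11 04:06:37 am: AM 31.1.2-00:1a:1e:ad:78:20: ADHOC network detected with Src 00:23:6c:9a:06:75, Dst ff:ff:ff:ff:ff:ff, BSSID 26:da:aa:36:44:c8, and RSSI 39
Feb 11 04:07:39 am: AM 31.1.2-00:1a:1e:ad:78:20: ADHOC network detected with Src 00:23:6c:9a:06:75, Dst ff:ff:ff:ff:ff:ff, BSSID 26:da:aa:36:44:c8, and RSSI 2
Feb 11 04:08:31 am: AM 31.1.2-00:1a:1e:ad:78:20: Adhoc network protection started against SSID adhoctest and BSSID 26:da:aa:36:44:c8
Feb 11 04:08:39 am: AM 31.1.2-00:1a:1e:ad:78:20: ADHOC network detected with Src 00:23:6c:9a:06:75, Dst ff:ff:ff:ff:ff:ff, BSSID 26:da:aa:36:44:c8, and RSSI 40
Feb 11 04:10:02 am: AM 31.1.3-00:1a:1e:ad:79:00: ADHOC network detected with Src 00:23:6c:aa:bb:cc, Dst ff:ff:ff:ff:ff:ff, BSSID 02:11:22:33:44:55, and RSSI 27
Feb 11 04:10:44 am: AM 31.1.4-00:1a:1e:ad:7a:10: ADHOC network detected with Src 00:23:6c:aa:bb:cc, Dst ff:ff:ff:ff:ff:ff, BSSID 02:11:22:33:44:55, and RSSI 48
Feb 11 04:11:05 am: AM 31.1.4-00:1a:1e:ad:7a:10: some unrelated message that must be ignored
"""

# Timestamp as the controller prints it: "Feb 11 04:06:37 am" (no year).
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} [ap]m)"
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"

# "ADHOC network detected ..." (upper case) is the detection event.
DETECT_RE = re.compile(
    TS + r": AM (?P<am>\S+): ADHOC network detected with Src (?P<src>" + MAC
    + r"), Dst (?P<dst>" + MAC + r"), BSSID (?P<bssid>" + MAC + r"), and RSSI (?P<rssi>\d+)$")
# "Adhoc network protection started ..." (mixed case) is the containment event.
PROTECT_RE = re.compile(
    TS + r": AM (?P<am>\S+): Adhoc network protection started against SSID (?P<ssid>.+?) and BSSID (?P<bssid>"
    + MAC + r")$")


def parse_ts(ts):
    # strptime is case-insensitive, so the lower-case "am"/"pm" is fine.
    # No year in the log, so the default year is used; only deltas matter here.
    return datetime.strptime(ts, "%b %d %I:%M:%S %p")


def parse_line(line):
    """Return an event dict for the two message types we know, else None."""
    m = DETECT_RE.match(line)
    if m:
        return {"kind": "detect", "ts": parse_ts(m["ts"]), "am": m["am"],
                "src": m["src"], "bssid": m["bssid"], "rssi": int(m["rssi"])}
    m = PROTECT_RE.match(line)
    if m:
        return {"kind": "protect", "ts": parse_ts(m["ts"]), "am": m["am"],
                "ssid": m["ssid"], "bssid": m["bssid"]}
    return None


def summarize(log_text):
    """Group events per ad hoc BSSID: detection count, strongest AM, protection timing."""
    nets = {}
    for line in log_text.splitlines():
        ev = parse_line(line.strip())
        if ev is None:
            continue
        n = nets.setdefault(ev["bssid"], {
            "ssid": None, "detections": 0, "sources": set(), "first_seen": None,
            "protected_at": None, "best_am": None, "best_rssi": -1})
        if ev["kind"] == "detect":
            n["detections"] += 1
            n["sources"].add(ev["src"])
            if n["first_seen"] is None or ev["ts"] < n["first_seen"]:
                n["first_seen"] = ev["ts"]
            # Highest RSSI tells you which AM to start walking from.
            if ev["rssi"] > n["best_rssi"]:
                n["best_rssi"], n["best_am"] = ev["rssi"], ev["am"]
        else:
            n["ssid"] = ev["ssid"]
            if n["protected_at"] is None or ev["ts"] < n["protected_at"]:
                n["protected_at"] = ev["ts"]
    for n in nets.values():
        # None when the log window holds no protection line (or no detection line).
        if n["first_seen"] is not None and n["protected_at"] is not None:
            n["time_to_protect_s"] = int((n["protected_at"] - n["first_seen"]).total_seconds())
        else:
            n["time_to_protect_s"] = None
    return nets


def unprotected(nets):
    """BSSIDs that were detected but for which protection never started."""
    return sorted(b for b, n in nets.items() if n["detections"] and n["protected_at"] is None)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    nets = summarize(text)
    for bssid, n in sorted(nets.items()):
        state = ("protected after %ss" % n["time_to_protect_s"]
                 if n["time_to_protect_s"] is not None else "NOT PROTECTED")
        print("%s ssid=%s detections=%d best_am=%s rssi=%s %s"
              % (bssid, n["ssid"], n["detections"], n["best_am"], n["best_rssi"], state))
    print("unprotected:", ", ".join(unprotected(nets)) or "none")
```

A BSSID that keeps appearing under `unprotected` while "Protect from Adhoc Networks" is true is the case to chase: either no AM ever lands on that channel long enough to contain it (the hybrid-AP dwell issue Jerrod describes), or the station simply ignores the deauth/disassoc frames, in which case the RSSI column is what you use to go find it.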