05-14-2015 07:11 AM
I'm not sure how simple or complicated this is, but I am curious about the 'protect' class of checkboxes in regards to IDS on the Aruba controller. For example, we currently have 'detect adhoc networks' checked, but not 'protect from adhoc networks'. I see alerts constantly in AirWave that adhoc networks are detected, but what would the protect box actually do? Prevent devices from connecting to an adhoc network? Prevent an adhoc network from attaining and maintaining connections? Ideally, there is a database of valid users - there almost has to be, right? - that have already connected to my valid SSIDs. Does AirWave only prevent THOSE devices from connecting to an adhoc network - when said adhoc network is within range of my valid SSIDs, of course - or does it prevent ANYONE from connecting to an adhoc network while in range? I would prefer the former, but I could live with the latter, I guess. The same question/pondering/rambling goes for the other 'protect' boxes as well: does protect mean 'prevent connection'? It seems like if protecting does mean that the bad SSIDs/APs/BSSIDs cannot be connected to by my valid devices, then rogue mitigation becomes a purely hands-off process - once properly configured. Between the controller and AirWave, I define valid APs; everything else, whether a neighbor, rogue, or even impersonator, becomes irrelevant, since the controller and AirWave will only allow devices to connect to valid APs, and kill any other connections. Even better is if the same combination lets other devices connect to them - i.e. they aren't contained, so the heart monitors in the hospital across the street can still connect to the hospital APs, but none of my devices can connect to the hospital APs.
Does that make sense?
Short version: Does checking the 'protect' boxes in the IDS configuration portion of the controller *prevent* my devices from connecting to the type of thing being protected from?
05-14-2015 09:56 AM
Yes, you are essentially correct: by enabling the protect feature, the APs (better if you use AMs) will prevent clients from connecting to adhoc networks through the use of deauth messages or tarpitting. Let me know if you need additional information on this topic.
05-14-2015 10:31 AM
One clarification: will it only prevent my clients from connecting, or will it prevent any clients from connecting? If it prevents all clients, can I specify that neighbors - and suspected neighbors - are exempt, thus making it so only suspected rogues and worse get tarpitted?
05-14-2015 10:45 AM
When working properly, it will prevent all clients from connecting; however, you can always manually reclassify it as a neighbor or interfering (if it was misclassified), and then the APs/AMs won't take any action at all.