Some questions about IDS properties

I'm not sure how simple or complicated this is, but I am curious about the 'protect' class of checkboxes in regards to IDS on the Aruba controller. For example, we currently have 'detect adhoc networks' checked, but not 'protect from adhoc networks'. I see alerts constantly in airwave that adhoc networks are detected, but what would the protect box actually do? Prevent devices from connecting to an adhoc network? Prevent an adhoc network from attaining and maintaining connections?

Ideally, there is a database of valid users - there almost has to be, right? - that have already connected to my valid SSIDs. Does airwave only prevent THOSE devices from connecting to an adhoc network - when said adhoc network is within range of my valid SSIDs, of course - or does it prevent ANYONE from connecting to an adhoc network while in range? I would prefer the former, but I could live with the latter I guess.

The same question/pondering/rambling goes for the other 'protect' boxes as well: does protect mean 'prevent connection'? It seems like if protecting does mean that the bad SSIDs/APs/BSSIDs cannot be connected to by my valid devices, then rogue mitigation becomes a purely hands-off process - once properly configured. Between the controller and airwave, I define valid APs; everything else, whether a neighbor, rogue, or even impersonator, becomes irrelevant, since the controller and airwave will only allow devices to connect to valid APs, and kill any other connections. Even better is if the same combination lets other devices connect to them - i.e. they aren't contained, so the heart monitors in the hospital across the street can still connect to the hospital APs, but none of my devices can connect to the hospital APs.

Does that make sense?

Short version: Does checking the 'protect' boxes in the IDS configuration portion of the controller *prevent* my devices from connecting to the type of thing being protected from?

Thanks all,

Russell

Re: Some questions about IDS properties

Russell,

Yes, you are essentially correct: by enabling the protect feature, the APs (better if you use AMs) will prevent clients from connecting to adhoc networks through the use of deauth messages or tarpitting. Let me know if you need additional information on this topic.

James

Re: Some questions about IDS properties

Thanks James.

One clarification: will it only prevent my clients from connecting, or will it prevent any clients from connecting? If it prevents all clients, can I specify that neighbors - and suspected neighbors - are exempt, thus making it so only suspected rogues and worse get tarpitted?

Russell

Re: Some questions about IDS properties

Russell,

When working properly, it will prevent all clients from connecting; however, you can always manually reclassify it as a neighbor or interfering (if it was misclassified) and then the APs/AMs won't take any action at all.

James
