Cisco Adaptive wIPS Deployment Guide

Cisco Adaptive wIPS Deployment Guide

November 2008

IntroductionThis document provides general configuration and deployment guidelines for Cisco’s Adaptive Wireless Intrusion Prevention System (wIPS) solution which utilizes Cisco’s Mobility Services Engine. This comprehensive security monitoring and threat detection system can be integrated into an existing Cisco Wireless LAN network or deployed as a dedicated wireless security overlay solution. The greatest functionality is delivered when deployed as a system integrated with the WLAN. In addition, troubleshooting tips and frequently asked questions are addressed in this document to further bolster the information base regarding the product.

The purpose of this document is the following:

• Explain the various components and communications framework for Cisco’s Adaptive wIPS solution

• Provide general deployment guidelines for implementing Cisco’s Adaptive wIPS solution

• Explain the differentiators between Cisco’s pre-5.2 release controller-based IDS system and Cisco’s Adaptive wIPS System

Product InformationThe Cisco® Adaptive Wireless Intrusion Prevention System (wIPS) is integrated in the Cisco Unified Wireless Network infrastructure and provides wireless-specific network threat detection and mitigation against malicious attacks, security vulnerabilities, and sources of performance disruption. Cisco Adaptive Wireless IPS provides the ability to detect, analyze, and identify wireless threats, and centrally manages mitigation and resolution of security and performance issues. Cisco Adaptive Wireless IPS also delivers proactive threat prevention capabilities for a hardened wireless network core that is impenetrable by most wireless attacks, as well as the ability to collaborate with Cisco Self-Defending Network security portfolio to provide a superset of layered threat protection for both the wired and wireless network.

Americas Headquarters:

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

wIPS System Architecture

Features and BenefitsCisco Adaptive Wireless IPS embeds complete wireless threat detection and mitigation into the wireless network infrastructure to deliver the industry’s most comprehensive, accurate and operationally cost-effective wireless security solution. Adaptive wIPS performs rogue access point/client and ad-hoc connection detection and mitigation, over-the-air wireless hacking and threat detection, security vulnerability monitoring, performance monitoring and self-optimization, network hardening for proactive prevention of threats and complete wireless security management and reporting. Built on the Cisco Unified Wireless Network and leveraging the efficiencies of Cisco Motion, Adaptive wIPS is deployment-hardened and enterprise-ready.

wIPS System ArchitectureCisco’s Adaptive Wireless Intrusion Prevention System (wIPS) is made up of a number of components that work together to provide a unified security monitoring solution. In addition to the WLAN Controllers, Access Points and Wireless Control System components that currently comprise Cisco’s Unified Wireless Networking solution; the wIPS portion introduces two additional components. These additional hardware components include Access Points in wIPS-Monitor mode and the Mobility Services Engine running the wIPS service software.

2Cisco Adaptive wIPS Deployment Guide

OL-18385-01

wIPS System Architecture

Component Functions in a wIPS Deployment• wIPS Monitor Mode Access Point(s) – Provides constant channel scanning with attack detection and

forensics (packet capture) capabilities.

• Mobility Services Engine (running wIPS Service) – The central point of alarm aggregation from all controllers and their respective wIPS Monitor Mode Access Points. Alarm information and forensic files are stored on the system for archival purposes.

• Local Mode Access Point(s) – Provides wireless service to clients in addition to time-sliced rogue and location scanning.

• Wireless LAN Controller(s) – Forwards attack information from wIPS Monitor Mode Access Points to the MSE and distributes configuration parameters to APs.

• Wireless Control System – Provides the administrator the means to configure the wIPS Service on the MSE, push wIPS configurations to the controller and set Access Points into wIPS Monitor mode. It is also used for viewing wIPS alarms, forensics, reporting and accessing the threat encyclopedia.

wIPS Communication ProtocolsTo provide communication between each system component, a number of protocols are utilized:

• CAPWAP (Control and Provisioning of Wireless Access Points) – This protocol is the successor to LWAPP and is utilized for communication between Access Points and controllers. It provides a bi-directional tunnel in which alarm information is shuttled to the controller and configuration information is pushed to the Access Point.

• NMSP (Network Mobility Services Protocol) – The protocol used for communication between Wireless LAN Controllers and the Mobility Services Engine. In the case of a wIPS Deployment, this protocol provides a pathway for alarm information to be aggregated from controllers to the MSE and for wIPS configuration information to be pushed to the controller. This protocol is encrypted.

– Controller TCP Port: 16113

• SOAP/XML (Simple Object Access Protocol) - The method of communication between the MSE and WCS. This protocol is used to distribute configuration parameters to the wIPS service running on the MSE.

– MSE TCP Port: 443

• SNMP (Simple Network Management Protocol) – This protocol is used to forward wIPS alarm information from the Mobility Services Engine to the Wireless Control System. It is also utilized to communicate rogue access point information from the Wireless LAN Controller to the Wireless Control System.


OL-18385-01

wIPS Configuration and Profile Management

wIPS Configuration and Profile ManagementConfiguration of wIPS Profiles follows a chained hierarchy starting with WCS which is used for profile viewing and modification. The actual profiles are stored within the wIPS service running on the MSE. From the wIPS Service on the MSE, profiles are propagated to specific controllers which in turn communicate this profile transparently to wIPS Mode Access Points associated to that perspective controller.

When a configuration change to a wIPS profile is made at WCS and applied to a set of Mobility Services Engine(s) and Controller(s), the following steps occur to put the change in place:

1. The configuration profile is modified on WCS and versioning information is updated.

2. An XML-based profile is pushed to the wIPS Engine running on the MSE. This update occurs via the SOAP/XML protocol.

3. The wIPS Engine on the MSE will update each controller associated with that profile by pushing out the configuration profile via NMSP.

4. The Wireless LAN Controller receives the updated wIPS profile, stores it into NVRAM (replacing any previous revision of the profile) and propagates the updated profile to its associated wIPS Access Points via CAPWAP control messages.

5. A wIPS Mode Access Point receives the updated profile from the controller and applies the modifications to its wIPS software engine.

It should be noted that a Mobility Services Engine can only be configured from one Wireless Control System. This is essentially a 1:1 relationship meaning that a Mobility Services Engine, once associated to a particular WCS, cannot be added to another WCS.

wIPS Alarm FlowThe Adaptive wIPS system follows a linear chain of communication to propagate attack information obtained from scanning the airwaves to the console of the Wireless Control System.


OL-18385-01

Deployment Considerations

1. In order for an alarm to be triggered on the Cisco Adaptive wIPS system, an attack must be launched against a legitimate Access Point or Client. Legitimate Access Points and clients are discovered automatically in a Cisco Unified Wireless Network by ‘trusting’ devices broadcasting the same ‘RF-Group’ name. In this configuration, the system dynamically maintains a list of local-mode Access Points and their associated clients. The system can also be configured to ‘trust’ devices by SSID using the SSID Groups feature. Only attacks which are considered harmful to the WLAN infrastructure are propagated upwards to the rest of the system.

2. Once an attack has been identified by the wIPS Mode Access Point engine, an alarm update is sent to the Wireless LAN Controller and is encapsulated inside the CAPWAP control tunnel.

3. The Wireless LAN Controller will transparently forward the alarm update from the Access Point to the wIPS Service running on the Mobility Services Engine. The protocol used for this communication is NMSP.

4. Once received by the wIPS Service on the Mobility Services Engine, the alarm update will be added to the alarm database for archival and attack tracking. An SNMP trap is forwarded to the Wireless Control System containing the attack information. If multiple alarm updates are received referencing the same attack (for example, if multiple Access Points hear the same attack) only one SNMP trap will be sent to WCS.

5. The SNMP trap containing the alarm information is received and displayed by WCS.


Required ComponentsThe basic system components for a Cisco Adaptive wIPS system include:

• Access Points in wIPS Monitor Mode

• Wireless LAN Controller(s)

• A Mobility Services Engine running the wIPS Service

• A Wireless Control System

The minimum code versions required for an Adaptive wIPS system:

• Wireless LAN Controller(s) – Version 5.2.XX or greater

• Wireless Control System – Version 5.2.XX or greater

• Mobility Services Engine – Version 5.2.XX or greater

The Access Points supported for wIPS Monitor mode include the following: Cisco 1130, 1140, 1240 and 1250 series.

802.11n AttacksGiven that the 802.11n introduces an entirely new physical layer specification, existing 802.11a/b/g Access Points are unable to decode these new high-throughput data rates as the modulation scheme is fundamentally different. This can leave the wireless network vulnerable to attacks sent out at 802.11n rates with no visibility into these threats as they are essentially invisible to non-802.11n devices.


OL-18385-01


Although 802.11a/b/g access points can detect most 802.11n rogues because their beacons are sent at legacy rates, only an 802.11n Access Points can detect rogues operating in Greenfield mode. Greenfield mode is a configuration parameter of an 802.11n Access Point that precludes the device from transmitting at non-802.11n rates. While rogues not operating in 802.11n Greenfield mode can be detected, Greenfield rogues and attacks at 802.11n data rates will not be detected by 802.11a/b/g Access Points. Customers are encouraged to utilize the Cisco 1140 and 1250 series Access Points to allow the detection of these 802.11n-based attacks.

System ScalabilityA Mobility Services Engine can be managed only by one Wireless Control System, which has design implications when scaling the network. It is possible to have multiple Mobility Services Engines managed by a single Wireless Control System.

Use the following scalability facts when designing a system:

• WCS can support a maximum of 3000 Access Points on a high-end server. This limit of 3000 includes both client-serving Access Points and Access Points in wIPS Monitor Mode. As depicted in the below table, wIPS and Data APs can be intermixed at a variety of ratios to reach the upper limit of 3000 Access Points per WCS. These ratios are dependent on environmental RF conditions, density of the existing WLAN installation and the required level of security monitoring.

• An MSE 3310 running the wIPS Service can support an upper limit of 2000 wIPS Monitor Mode Access Points. As depicted in the above charts, the limiting factor when wIPS and Data APs are intermixed within the same WCS is the scalability of WCS itself. To reach to upper limit of 2000 wIPS APs per MSE, a separate wIPS-only overlay deployment will need to be utilized. This is described later in this document.

Table 1 wIPS and Data APs on Same WCS

1:3 Ratio 1:4 Ratio 1:5 Ratio 1:6 Ratio 1:7 Ratio 1:8 Ratio

wIPS APs 750 600 500 429 375 333

Data APs 2250 2400 2500 2571 2625 2667

Total (WCS Limited) 3000 3000 3000 3000 3000 3000


OL-18385-01


• A Wireless LAN Controller can support running wIPS Monitor Mode Access Points and Local Mode Access Points concurrently. A wIPS Monitor Mode Access Point consumes the same amount of controller capacity as a Local Mode AP. For example, a Cisco 4404 supporting 100 Access Points can support 100 wIPS Monitor Mode Access Points, or any ratio of wIPS:Local Mode Access Points so long as the total does not exceed 100.

How Many wIPS Monitor Mode Access Points Do I Need?Before deploying an Adaptive wIPS system, it’s important to consider that the communications range of an access point’s cell is less than the actual range at which frames may be received and decoded. The reason for this discrepancy is that an Access Point’s communication range is limited by the weakest link – which in typical deployments is the WLAN client. Given that the output power of a WLAN client is intrinsically less than the Access Point’s maximum, the range of the cell is restricted to the client’s abilities. In addition, it is recommended practice to run Access Points at less than full power to build RF redundancy and load balancing into the wireless network. These aforementioned fact combined with the superior receive sensitivity of Cisco’s Access Points allows the Adaptive wIPS system to be deployed with less access point density than the client serving infrastructure while still providing pervasive monitoring.

As depicted in the above diagram, a wIPS deployment is based on hearing 802.11 management and control frames which are used by a majority of attacks to cause harm. This is in contrast to a data Access Points deployment which is surveyed to provide higher throughput data rates anywhere from 24Mbps to 54Mbps.

There are numerous factors that go into deciding exactly the number of wIPS Access Points that are required for a specific environment. Given that each prospective deployment’s security requirements and environmental conditions are different, there is no hard and fast rule that will address the needs of every deployment but a few generalized guidelines must be taken into account.

The main factors which affect the number of wIPS Access Points required are as follows.


OL-18385-01


Deployment Conditions

Deployment-specific environmental conditions such as floor layout and building materials. Given that wireless signal propagation is heavily dependent on the type of material the signal must pass through, an office environment with numerous walls will require more sensors than an empty warehouse. This factor is similar to pre-existing knowledge as to how data-serving Access Points are deployed. The more obstacles in the environment which cause RF signal attenuation, the denser the deployment of wIPS Access Points will need to be.

In the below diagram, an open indoor environment is depicted where wIPS Access Points are deployed with the ability to ‘listen’ for attacks for a long distance given that there are no walls to disrupt or weaken a wireless signal.

In sharp contrast, the diagram below depicts an indoor environment with numerous heavy walls which cause signal attenuation. In this case, more wIPS Access Points will need to be deployed to ensure that attacks are picked up.


OL-18385-01


Frequency Band(s) Monitored

The radio frequency propagation characteristics of the 2.4GHz and 5GHz bands vary as a result of the wavelength differences between the two. Put simply, 2.4GHz wireless signals (802.11b/g/n) travel a further distance than 5GHz (802.11a/n). In order to accurately compute the number of wIPS access points needed for a prospective installation, one must consider what frequency bands must be monitored in the wIPS deployment.

The above charts outline the circular square footage than can be covered by a single wIPS monitor mode Access Point in each frequency band and each type of environment. These metrics can provide a baseline as how many wIPS Access Points are needed to cover a specific floor area. The receive sensitivity used in this guidance represents the lowest common denominator between Cisco’s line of Access Points that support wIPS.

Security Confidence Level

Given that the wireless security monitoring needs of different verticals vary widely based on the specific regulations and use cases, one specific deployment density does not fit every installation. In order to simplify the selection of a specific number of wIPS Access Points per sqft, a sliding scale based on a “security confidence level” is introduced.

Monitor Range per wIPS AP (2.4GHz)

Data Rate Walled Indoor Open Indoor

6Mbps @ -86dBm ~ 35,000 sqft ~ 85,000 sqft

Monitor Range per wIPS AP (5GHz)

Data Rate Walled Indoor Open Indoor

6Mbps @ -86dBm ~ 15,000 sqft ~ 30,000 sqft


OL-18385-01


In a walled indoor environment, the propagation characteristics of 2.4GHz allow a less dense deployment of wIPS Access Points to achieve an adequate confidence level of detection whereas a denser deployment will be required to provide a high level of confidence in the 5GHz band. The below chart depicts the differences in level of detection when a variety of deployment densities are used. The deployment density in this case means a wIPS Access Point is deployed at a ratio of one per XX,000 number of square feet.

The general recommendation is that a more security conscious customer such as government, financial or retail utilize the ‘Gold’ level of deployment as their needs represent the most stringent requirements. In a carpeted enterprise or typical office setting, the ‘Silver’ level should be selected as it provides adequate or better detection across both frequency bands. Only in cases where 5GHz security is of minimal concern should the ‘Bronze’ level be utilized as this deployment density provides a limited view of this frequency band.

An open indoor environment is one which has little or no obstacles which can serve to block wireless signals and security threats from detection. In an open indoor environment, the propagation characteristics of 2.4GHz allow a less dense deployment of wIPS Access Points to achieve an adequate confidence level of detection whereas a denser deployment will be required to provide a high level of confidence in the 5GHz band. The below chart depicts the differences in level of detection when a variety of deployment densities are used. The deployment density in this case means a wIPS Access Point is deployed at a ratio of one per XX,000 number of square feet.

The below chart is meant to showcase the difference in number of wIPS Access Points that should be utilized dependant on the installation types. This is to serve as example only and does not represent a hard and fast rule for all deployments.

Table 2 Walled Office Indoor Environment

Confidence Level Deployment Density 2.4GHz Detection 5GHz Detection

Gold 15,000 sqft Exhaustive Comprehensive

Silver 20,000 sqft Comprehensive Adequate

Bronze 25,000 sqft Adequate Sparse

Table 3 Open Indoor Environment

Confidence Level Deployment Density 2.4GHz Detection 5GHz Detection

Gold 30,000 sqft Exhaustive Comprehensive

Silver 40,000 sqft Comprehensive Adequate

Bronze 50,000 sqft Adequate Sparse

Table 4 Example Deployments

Deployment Level Size Density # of wIPS APs

Financial Office Gold 200,000 sqft 15,000 sqft 14

Enterprise Office Silver 200,000 sqft 20,000 sqft 10

Warehouse Silver 200,000 sqft 30,000 sqft 5


OL-18385-01


Location of wIPS Access PointsThe physical deployment of wIPS Monitor Mode Access Points is based on the end goal of providing pervasive monitoring across the entire WLAN infrastructure. To this end, wIPS mode APs are placed using two general guidelines. First, deploy wIPS access points around the periphery of your physical location to ensure adequate monitoring of attacks being launched from outside the building. This does not mean that wIPS mode Access Points should be deployed in the physical extremities of the building but instead they should be appropriately positioned to provide detection coverage to the extremities. Second, deploy wIPS access points throughout the center of the building to ensure complete detection of attacks launched from within the physical building.

The physical mounting location of a wIPS Access Point should be based on the same best practices used when mounting data serving Access Points. Following these conventions, it’s important that wIPS Access Point antennas are not hidden behind heavy building materials or placed above drop ceilings. In the case that an Access Point is mounted above the ceiling, specific external antennas should be used to bring antenna leads into the same physical space that will be monitored.

In the above deployment example, four wIPS Access Points are deployed around the edges of the building to provide security monitoring around the periphery of the physical building. In addition, a wIPS Access Point is deployed in the center of the building to provide security monitoring coverage inside the building.

wIPS Integrated in a Cisco Unified Wireless NetworkAn integrated wIPS deployment is a system design in which both Local mode and wIPS Monitor Mode Access Points are intermixed on the same controller(s) and managed by the same Wireless Control System. This is the recommended configuration as it allows the tightest integration between the client serving and monitoring infrastructure. In fact, many of the components including controllers and Wireless Control System are dual-purposed thus reducing duplicate infrastructure costs.


OL-18385-01


wIPS Overlay in a Cisco Unified Wireless NetworkIn a wIPS Overlay deployment, the wIPS Monitoring infrastructure is completely separate from the client serving infrastructure. Each distinct system has its own set of controllers, access points and Wireless Control Systems. The reasons for selecting this deployment model often stem from business mandates that require distinct network infrastructure and security infrastructure systems with separate management consoles. This deployment model is also used when the total number of Access Points (wIPS and local mode) exceed the 3000 AP limit contained in WCS.


OL-18385-01


In order to configure the wIPS Overlay Monitoring network to provide security assessment of the client serving infrastructure, specific configuration items must be completed. The wIPS system operates on the assumption that only attacks against ‘trusted’ devices should be logged. In order for an overlay system to view a separate Cisco Unified WLAN infrastructure as ‘trusted’, the controllers must be in the same RF Group.

As a result of bisecting the client serving infrastructure from the wIPS monitoring overlay infrastructure, several monitoring caveats, typical of any wIPS overlay deployment model available in the industry, arise:

• wIPS Alarms will only be shown on the wIPS Overlay WCS instance

• Management Frame Protection (MFP) alarms will only be shown on the client infrastructure WCS instance

• Rogue alarms will be shown on both WCS instances

• Rogue location accuracy will be greater on the client serving infrastructure WCS because this deployment will utilize a greater density of Access Points than the wIPS overlay.

• Over-the-air rogue mitigation will be more scalable in an integrated model, as the local-mode APs can be utilized in mitigation actions.

• The security monitoring dashboard will be incomplete on both WCS instances because some events such as wIPS will only exist on the wIPS Overlay WCS. To truly monitor the comprehensive security of the wireless network, both security dashboard instances must be observed.

One consideration of the overlay solution is the possibility of Light Weight Access Points on either the client serving infrastructure or wIPS monitoring overlay associating to the wrong controller. This can be headed off by specifying the primary, secondary and tertiary Wireless LAN Controller names on each Access Point (both Local and wIPS Mode). In addition, it is recommended that the controllers for each respective solution have separate management VLANs for communication with their respective Access Points and that ACLs are used to prevent LWAPP/CAPWAP traffic from crossing these VLAN boundaries.

Client Serving Infrastructure WCS wIPS Monitoring Overlay WCS

wIPS Alarms No Yes

MFP Alarms Yes No

Rogue Alarms Yes Yes

Rogue Location High Accuracy Low Accuracy

Rogue Containment Yes Yes, but less scalable


OL-18385-01

Adaptive wIPS Features

wIPS Overlay in Autonomous or Other Wireless Network

The Adaptive wIPS solution is also capable of performing security monitoring over an existing WLAN infrastructure that does not utilize Cisco’s Unified WLAN solution. In this case the client serving infrastructure is completing separate and uncoordinated with the wIPS overlay. The use case for this deployment scenario includes security monitoring for Cisco’s autonomous Access Points or 3rd party Access Points.


Differences between Controller IDS and MSE-Based Adaptive wIPS

Reduction in False Positives

Leveraging Cisco’s Adaptive wIPS solution will facilitate a reduction in false positives when it comes to monitoring the security of the wireless network. In contrast to Cisco’s controller based solution which merely triggers an alarm when it detects a number of management frames over the air, Cisco’s Adaptive wIPS system only triggers an alarm when it detects a number of management frames over the air that are causing damage to the wireless infrastructure network. This a result of the Adaptive wIPS system being able to dynamically identify the state and validity of Access Points and clients present in the wireless infrastructure. Only when attacks are launched against the infrastructure are alarms raised.

Alarm Aggregation

One major differentiator between Cisco’s existing controller-based IDS system and Cisco’s MSE-based Adaptive wIPS system is the unique attacks seen over the air are correlated and aggregated into a single alarm. This is accomplished by the wIPS system automatically assigning a unique hash key to each


OL-18385-01


particular attack the first time it is identified. If the attack is received by multiple wIPS Access Points, it will only be forwarded to the WCS once because alarm aggregation takes place on the Mobility Services Engine. This is in stark contrast to Cisco’s existing controller based IDS system which doesn’t aggregate alarms.

Another major differentiator between Cisco’s controller-based IDS and Cisco’s Adaptive wIPS is the number of attacks that each system can detect. As described in the sub-sections and showcased in the tables below, wIPS can detect a multitude of attacks and attack tools. These attacks include both denial of service attacks and security penetration attacks.

Denial of Service Attacks

A denial of service attack involves mechanisms which are designed to prohibit or slow successful communication within a wireless network. These often incorporate a number of spoofed frames which are designed to drop or falter legitimate connections within the wireless network. Although a Denial of Service attack can be devastating to a wireless networks ability to deliver reliable services, they do not result in a data breach and their negative consequences are often over once the attack has stopped.

The table below outlines the various classes of DoS attacks detected by controller-based wIDS and the MSE-based Adaptive wIPS. Each class may have several attack tools and techniques associated with it.

Alarm NameDetected by Controller IDS

Detected by wIPS

Association flood X X

Association table overflow X

Authentication flood X X

EAPOL-Start attack X X


OL-18385-01


Security Penetration Attacks

Arguably the more harmful of the two attack types threatening wireless networks, a security penetration is designed to capture or expose information such as sensitive data or encryption keys that can later be used for exposing confidential data. A security penetration attack can involve targeted queries against the infrastructure or replay attacks that aim to break cryptographic keys. Security Penetration attacks can also be harmful to the client by which an attempt to lure the client onto a fake access point such as a Honeypot.

The table below outlines the various classes of penetration attacks detected by controller-based wIDS and the MSE-based Adaptive wIPS. Each class may have several attack tools and techniques associated with it.

PS-Poll flood X

Unauthenticated Association X

CTS Flood X

Queensland University of Technology Exploit X

RF Jamming attack X

RTS Flood X

Virtual Carrier attack X X

Authentication-failure attack X

De-Auth broadcast attack X X

De-Auth flood attack X X

Dis-Assoc broadcast attack X

Dis-Assoc flood attack X X

EAPOL-Logoff attack X X

FATA-Jack tool detected X

Premature EAP-Failure attack X

Premature EAP-Success attack X


Detected by wIPS


Detected by wIPS

Airsnarf attack X

ChopChop Attack X

Day-Zero attack by WLAN security anomaly X

Day-Zero attack by device security anomaly X

Device Probing for APs X

Dictionary attack on EAP methods X

EAP attack against 802.1x Authentication X

Fake APs detected X X


OL-18385-01


ForensicsCisco’s Adaptive wIPS system provides the ability to capture attack forensics for further investigation and troubleshooting purposes. At a base level, the forensics capability is a toggle-based packet capture facility which provides the ability to log and retrieve a set of wireless frames. This feature is enabled on a per attack basis from within the wIPS profile configuration of WCS.

Once enabled, the forensics feature is triggered once a specific attack alarm is seen over the airwaves. The forensic file will be created based on the packets contained within the buffer of the wIPS Monitor Mode AP that triggered the original alarm. This file is transferred to the Wireless LAN Controller via CAPWAP, which then forwards the forensic file via NMSP to the wIPS Service running on the Mobility Services Engine. The file is stored within the forensic archive on the MSE until the user configured disk space limit for forensics is reached. By default this limit is 20 Gigabytes, which when reached will cause the oldest forensic files to be removed. The forensic file can is accessed by opening the alarm on the Wireless Control System which contains a hyperlink to the forensic file.

Note The forensics capability of the wIPS system should be used sparingly and then disabled after the desired information is captured. The reason for this recommendation is the intensive load it places on the Access Point as well as the interruption in scheduled channel scanning this capability requires. A wIPS Access Point cannot be simultaneously performing channel scanning at the same instance it is producing a forensic file. While the forensic file is being dumped, channel scanning will be delayed for a maximum of 5 seconds.

Fake DHCP Server detected X

Fast WEP crack detected X

Fragmentation Attack X

Hotspotter tool detected X

Malformed 802.11 Packets detected X

Man in the Middle Attack detected X

NetStumbler detected X X

NetStumbler victim detected X

PSPF Violation X

ASLEAP attack Detected X

Honey pot AP detected X X

Soft AP or Host AP detected X

Spoofed MAC address detected X

Suspicious after-hours traffic X

Unauthorized association by vendor list X

Unauthorized association detected X

Wellenreiter detected X X


Detected by wIPS


OL-18385-01


Rogue DetectionAn Access Point in wIPS-optimized monitor mode will perform rogue threat assessment and mitigation using the same logic as current Cisco Unified Wireless Network implementations. This allows a wIPS mode access point to scan, detect and contain rogue access points and ad-hoc networks. Once discovered, this information regarding rogue wireless devices is reported to WCS where rogue alarm aggregation takes place. However, with this functionality comes the caveat that if a containment attack is launched using a wIPS mode access point, its ability to perform methodical attack-focused channel scanning is interrupted for the duration of the containment.

Attack EncyclopediaA feature aimed at reducing the necessary knowledge base to utilize the Adaptive wIPS system, the integrated attack encyclopedia provides a visual and textural description of each attack detected by the system. This attack encyclopedia is available from any wIPS alarm by clicking the ‘Help’ hyperlink or by browsing through a wIPS Profile configuration screen. This integrated encyclopedia provides the education to inform the administrator as to how the attack is undertaken, what tools may be utilized to launch it and potential mitigation strategies.

Anomaly DetectionThe Adaptive wIPS solution also includes specific alarms pertaining to anomalies in attack patterns or device characteristics captured. The anomaly detection system takes into account the historic attack log and device history contained within the MSE to baseline the ‘typical’ characteristics of the wireless network. The anomaly detection engine is triggered when events or attacks on the system undergo a measurable change as compared to historical data kept on the MSE. For example, if the system regularly captures a few MAC spoofing events each day, and then on another day MAC spoofing events are up 200%, an anomaly alarm would be trigged on the MSE. This alarm is then sent to WCS to inform the administrator that something else is going on in the wireless network beyond traditional attacks that they system may encounter. The anomaly detection alarm can also be utilized to detect day-zero attacks they may not have a preexisting signature in the wIPS system.

Default Configuration ProfilesTo simplify the configuration tuning for each specific WLAN security deployment, the Adaptive wIPS solution includes a number of default profiles tailored to meet the security needs of specific verticals. They are utilized because each specific installation has a different risk profile and requirements for security monitoring. The specific profiles include Education, Enterprise (Best), Enterprise (Rogue), Financial, Healthcare, Hotspot (Open Security), Hotspot (802.1x Security), Military, Retail, Tradeshow and Warehouse. The profiles are meant to serve as a starting place for further system tuning to address the specific needs of the prospective deployment.

Integration into Release 5.1 FeaturesCisco’s Adaptive wIPS solution tightly integrates into an existing Unified Wireless LAN leveraging the features introduced in previous releases. On the security dashboard, Adaptive wIPS events are show under their own category on the same useful heads-up display.


OL-18385-01

Frequently Asked Questions

Frequently Asked QuestionsQ. How is the wIPS functionality licensed?

A. wIPS licensing is controlled on the Mobility Services Engine and will be based on the number of wIPS Mode Access Points utilized. License capabilities can be purchased and augmented at a later date to increase the total monitoring capacity of the solution.

Q. How much traffic can be expected between a Wireless LAN Controller with wIPS Monitor Mode Access Points and a Mobility Services Engine?

A. In a traffic study performed by capturing traffic between the WLC and the MSE, it was found that the average utilization during a half-hour period was 1,806 bits a second. This assessment was done with a single Access Point in wIPS Monitor Mode and should be scale appropriately based on the number of wIPS Access Points associated to a controller.

Q. How many alarms can be archived on the wIPS Service running on the MSE?

A. Alarms are archived on the wIPS Server for a default time length of 30 days. This setting can be increased or decreased based on the requirements of the deployment via WCS under “Mobility Services Engine” -> “WIPS Service Settings”. The maximum number of alarms that can be archived in the current release is 6,000,000, which provides several months or years of event storage based on the deployment environment. An alarm will be sent from the MSE to WCS when database free space is becoming scarce. The specific intervals for these alarms are 75%, 85% and 95% of total system capacity. Once the wIPS Database has reached 95% capacity, the oldest alarm records will be forcibly aged out until the system drops below 70% capacity.

Q. What is the level of co-existence between context-aware location and Adaptive wIPS?

A. An Access Point in wIPS monitor mode can participate in location tracking of clients, rogues and asset tags. However, in the 5.2 release, a Mobility Services Engine can only run a single service at any one point. This means that a Unified Wireless Network deployment utilizing wIPS and Location-based services must physically have two Mobility Services Engines today. In this case, one would be running the Adaptive wIPS service and the other would be running the context aware service. In the release slated for 1Q09CY, these services will be permitted to coexist on the same physical MSE.

Statistic Value

Total Packets 1170

Total Traffic (bytes) 396,341

Average Utilization (bits/s) 1,806

Maximum Utilization (bits/s) 68,256


OL-18385-01

Adaptive wIPS Configuration


1: Mobility Services Engine Setup

Step 1 Login with the following credentials: root/password

Step 2 Upon the initial boot up, the MSE will prompt the administrator to launch the setup script. Enter ‘yes’ to this prompt.

Note If the MSE does not prompt for setup, enter the following command: /opt/mse/setup/setup.sh

Step 3 Configure Hostname and DNS Domain Name.

Step 4 Configure Ethernet Interface Parameters.

Step 5 When prompted for ‘eth1’ interface parameters, enter ‘Skip’ to proceed to the next step as a second NIC is not required for operation.


OL-18385-01


Note The address configured must provide IP connectivity to the perspective Wireless LAN controller(s) and WCS Management system used with this appliance.

Step 6 Enter DNS Server(s) Information. Only one DNS server is required for successful domain resolution, enter backup servers for resiliency.

Step 7 Configure Time Zone. If the default time zone of New York is not applicable to your environment, browse through the location menus to set it correctly.

Step 8 Configure NTP or System Time. NTP is optional but ensures your system maintains an accurate system time. If you select ‘No’ you will be prompted to set the current time for the system.

Note It is imperative that the correct time be set on the Mobility Services Engine, Wireless LAN Controller and WCS Management System. This can be achieved by pointing all three systems to the same NTP server and ensuring they have the correct time zones configured.


OL-18385-01


Step 9 Enable local console root login. This parameter is used to enable/disable local console access to the system. This should be enabled so local troubleshooting can occur.

Step 10 (Optional) Enable SSH (Secure Shell) root login. This parameter is used to enable/disable remote console access to the system. This should be enabled so remote troubleshooting can occur however corporate security policies may mandate disabling this option.

Step 11 Configure single user mode and password strength. These configuration parameters are not required and the default setting is to skip them by entering ‘s’.

Step 12 Set Login Banner.

A login banner is used to inform users of the system’s use and present a warning to keep unauthorized users from accessing the system. Since the login banner may be a multi-line message, a single period (.) ends the message and proceeds to the next step.


OL-18385-01


Step 13 Change the root password.

This step is critical in ensuring system security, be sure to pick a strong password consisting of letters and numbers with no dictionary words. The minimum password length is 8 characters.

Step 14 (Optional) Configure a GRUB password. This configuration parameter is not required and the default setting is to skip it by entering ‘s’.

Step 15 Configure a WCS communication password.

Step 16 Save Changes and Reboot. Once the setup script has completed, save your changes when prompted. After saving, follow the prompts to reboot the MSE as well to ensure all settings are applied successfully.

Step 17 Login to the MSE using the username root and password previously configured in Step 13.

Step 18 Execute the command ‘service msed start’ to start the MSE service


OL-18385-01


Step 19 Enable the MSE Service to Start at Bootup

Execute the command: ‘chkconfig msed on’

2: Adding the MSE to WCS

Step 1 Navigate to the Mobility Services Configuration Page

Login to WCS and click Mobility Services from the “Mobility” dropdown menu.

Step 2 Add the Mobility Services Engine to WCS

From the drop down on the right hand side, select Add Mobility Services Engine and click Go.

Enter a unique device name for the MSE, the IP address previously configured during the MSE setup, a contact name for support and the “WCS Communication Password” configured during the MSE setup. Do not change the username from the default of ‘admin’.


OL-18385-01


Step 3 Select the WIPS Service to run on the MSE

Step 4 Synchronize

Step 5 Select Controllers to Synchronize

A popup will be displayed with a list of controllers to synchronize the MSE with. Select the desired controllers for synchronization and click OK.

Step 6 After the popup window has closed, click the Synchronize button at the bottom of the “Synchronize WCS and MSE(s) dialog”.


OL-18385-01


3: Configuring Access Points for wIPS Monitor Mode

Note Only Aironet 1130, 1140, 1240 and 1250 series Access Points support wIPS monitor mode.

Step 1 Disable Access Point Radios

The ability to configure the AP into wIPS monitor mode is only accessible from WCS or the Wireless LAN Controller command line.

a. From the top level WCS menu, navigate to Configure > Access Points.

b. Select the prospective Access Point radio and click on it:

c. Uncheck Admin Status to disable the radio.

d. Click the Save button at the bottom of the page.

Note Repeat these steps for each and every radio on Access Points to be configured for wIPS monitor mode. For example, an Aironet 1130 would require this step to be performed on both its '802.11a' and '802.11b/g' radios.

Step 2 Configure the Access Point for Monitor Mode:

a. Once the radios are disabled, enter the Access Point configuration menu in WCS via Configure > Access Points and then click on the Access Point’s name.


OL-18385-01


b. Change AP Mode to Monitor.'

c. Enable Enhanced WIPS Engine.

d. Change Monitor Mode Optimization to WIPS.

e. Click Save at the bottom of the page.

f. Click OK when prompted to reboot the Access Point.

Step 3 Enable Access Point Radios:

a. From the top level WCS menu, navigate to Configure > Access Points.

b. Select the perspective Access Point radio and click on it.

c. Check Admin Status to enable the Radio.

d. Click Save at the bottom of the page.

Repeat this for each Access Point and its respective radios that have been configured into wIPS Monitor Mode.


OL-18385-01


4: Configuring wIPS ProfilesBy default, the MSE and corresponding wIPS Access Points inherit the default wIPS profile from WCS. This profile comes pre-tuned with a majority of attack alarms enabled by default and will monitor attacks against Access Points within the same RF-Group as the wIPS Access Points. In this manner, the system comes pre-setup to monitor attacks against a deployment model that utilizes an integrated solution in which both the WLAN infrastructure and wIPS Access Points are intermixed on the same controller.

Note Some of the steps below are marked as Overlay-Only and are only to be undertaken when deploying the Adaptive wIPS solution to monitor an existing WLAN Infrastructure such as an autonomous or completely separate controller-based WLAN.

Step 1 Navigate to wIPS Profiles.

Step 2 From the top-level WCS menu, click Configure > wIPS Profiles.

Step 3 Create a new Profile.

a. Click Profile List on the left hand side.

b. Select Add Profile from the upper right-hand drop down menu.

Step 4 Select a profile template

Cisco’s Adaptive wIPS system comes with a pre-defined set of profile templates of which customers can use as a starting place to create their own custom profiles. Each one is tailored to a specific vertical and varies in regards to which specific alarms are enabled.

Step 5 After selecting a profile and providing a name, click Save and Edit.


OL-18385-01


Step 6 (Optional) Configure the SSIDs to Monitor.

By default, the system monitors attacks launched against the local Wireless LAN Infrastructure (as defined by APs which have the same ‘RF Group’ name). If the system should also be required to monitor attacks against another network, such as when deployed in an overlay deployment model, the SSID groups feature must be utilized.

Note If this step is not required, simply click ‘Next’

a. Check the box next to MyWLAN and select Edit Group from the drop down in the upper right hand corner then click Go.

b. Enter SSIDs to Monitor.

c. Enter the SSID(s) (separated by a single space if there are more than one) and click Save.

The SSID Groups page will now look like the following screen shot, confirming the SSID(s) were added successfully.


OL-18385-01


d. Click Next.

Step 7 Edit the Profile.

This configuration screen allows specific attacks to be enabled or disabled. It also permits the administrator to drill down to specific alarms and edit their specific thresholds or even turn on forensics.

To enable or disable alarms, simply click the box next to the specific alarm in question.

Step 8 To edit the policy parameters, click on an alarm, which modifies the right hand frame to represent the point configuration of that attack.

Step 9 Editing Policy Rules.

Once a specific alarm is selected, the policy rules associated to that alarm can be modified.

a. To edit a policy rule, check the box next to the rule and click Edit.

The policy rule window allows the severity of the alarm to be modified in addition to a number of other parameters.


OL-18385-01


b. The notification item is a check box which defines whether forensic (packet captures) are taken for this particular alarm. There is also a specific threshold for this alarm, which in this case is defined as the number of active associations but this is different for every alarm. Next, the type parameter defines what WLAN infrastructure the system will monitor attacks against. By default this is configured to ‘Device Group’ and ‘Internal’ which specifies all APs in the same ‘RF Group’ name as the wIPS APs. Changing the type to ‘SSID’ allows the system to monitor a separate network which is typical of an overlay deployment and this configuration is discussed below.

Step 10 (Optional) Add Policy Rules.

Adding a policy rule would typically only be needed in an overlay deployment where the system is to be configured to monitor another WLAN infrastructure by SSID.

a. To add a policy rule, click Add.

The policy rule window allows the severity of the alarm to be modified in addition to a number of other parameters.

b. The notification item is a check box which defines whether forensic (packet captures) are taken for this particular alarm. There is also a specific threshold for this alarm, which in this case is defined as the number of active associations but this is different for every alarm. Next, the type parameter defines what SSIDs the system will monitor. If the type is changed to ‘Device Group’ then the system will monitor attacks only against APs in the same ‘RF Group’. In the case that ‘SSID’ is selected, then the system can be utilized to monitor attacks against a separate WLAN infrastructure as defined by the SSID Groups earlier in the setup.


OL-18385-01


c. After any changes have been made, click Save.

Step 11 (Optional) Configuring Additional Policy Rules.

If the system is to be configured to monitor another WLAN infrastructure by SSID, then changes will need to be made for each and every policy rule to monitor by SSID. A policy rule will need to created under each separate alarm which defines the system to monitor attacks against the SSID Group created earlier.


OL-18385-01


Step 12 Save the Profile.

After any changes are made, click Save to save the profile on WCS and then click Next when done.

Step 13 Apply the Profile.

Select the MSE/Controller combinations to apply the profile to and then click Apply.

5. Disabling Controller-based IDSOnce the Adaptive wIPS system has been pervasively installed across the entire area to be monitored, it is recommended that Cisco's traditional Wireless LAN Controller IDS be disabled. Executing this step prevents duplicate alerts being triggered on both the Adaptive wIPS and existing IDS systems.

Step 1 Login to the Controller(s).

Step 2 Click on the Security tab from the top-level controller menu.

Step 3 On the left hand-side, click Wireless Protection Policies > Standard Signatures.

Step 4 Uncheck the standard signatures as depicted in the below screenshot.


OL-18385-01



OL-18385-01

Documents

Cisco Adaptive wIPS Deployment Guide