Specifications
IPS_SDC_(EXT).1
The AP analyzes wireless network traffic, performing signature matching checks, data integrity
checks, and measuring signal strength to generate wIPS audit records and alerts, and to support
location tracking of wireless devices.
IPS_ANL_(EXT).1
The Controller has a Wireless Intrusion Prevention System (wIPS) capability that generates audit
records based on wireless networking traffic matching a set of predefined signature rules. A
set of standard signatures is provided, and custom signatures may also be developed. The signatures
define patterns of information in wireless network traffic that the APs use to monitor the RF
environment. wIPS profiles containing signatures are pushed onto Controllers from the wIPS
service of a Cisco Mobility Services Engine (MSE) and are stored in flash memory at the
Controller and pushed to APs that join the Controller. APs serve as monitors and send alerts to
the wIPS service via the Controller as events are detected. The AP sends the message via
CAPWAP control plane messaging to the Controller, which sends it to the Mobility Services
Engine using the Network Mobility Services Protocol (NMSP) which is built on TLS.
The Cisco wIPS is enabled by the MSE, which is an appliance-based solution that centralizes the
processing of wIPS data intelligence collected by the APs. The wIPS service on the MSE can
configure, monitor, and report wIPS policies and alarms.
wIPS policies are not configured on the controller itself, although they can be enabled or disabled there.
Instead, WCS or NCS forwards the profile configuration to the MSE’s wIPS service, which in
turn forwards the profile to the controller. The profile is stored in flash memory on the controller
and sent to access points when they join the controller. When an access point disassociates and
joins another controller, it receives the wIPS profile from the new controller.
Access points in monitor mode send alarms based on the policy profile through the controller to
the MSE’s wIPS service which stores and processes the alarms and generates SNMP traps if
further alerts are required. Alarms are transmitted individually by the APs as they are generated,
and repeated in batches periodically, so the MSE can confirm no single alarm was missed.
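As an added illustration (not Cisco's code and not part of this Security Target), the Python sketch below shows the kind of signature matching described above, run over constructed 802.11 management-frame records for two of the default signature categories the document lists: broadcast deauthentication frames and management frame floods. The frame record fields (ts, src, dst, subtype), the flood threshold and the time window are assumptions chosen for the example.

```python
"""Toy wIPS-style signature matcher (added example, not Cisco code).
Frame records are assumed to carry ts (seconds), src, dst and an 802.11
management subtype name; thresholds below are illustrative assumptions."""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Management subtypes the page names as flood candidates
MGMT_SUBTYPES = {"assoc_req", "auth", "reassoc_req", "probe_req",
                 "disassoc", "deauth"}
FLOOD_THRESHOLD = 5   # frames from one source per window (assumption)
FLOOD_WINDOW = 1.0    # sliding window in seconds (assumption)


def match_signatures(frames):
    """Return (signature, source_mac, ts) alert tuples for the given frames.

    Two signatures are implemented: a deauthentication frame addressed to the
    broadcast MAC, and a per-source sliding-window count of management frames
    that exceeds FLOOD_THRESHOLD within FLOOD_WINDOW seconds."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent mgmt frames
    flooding = set()              # sources already reported, one alert each
    for f in sorted(frames, key=lambda fr: fr["ts"]):
        if f["subtype"] == "deauth" and f["dst"] == BROADCAST:
            alerts.append(("broadcast_deauth", f["src"], f["ts"]))
        if f["subtype"] in MGMT_SUBTYPES:
            window = recent[f["src"]]
            window.append(f["ts"])
            while window and f["ts"] - window[0] > FLOOD_WINDOW:
                window.popleft()          # drop frames outside the window
            if len(window) >= FLOOD_THRESHOLD and f["src"] not in flooding:
                flooding.add(f["src"])
                alerts.append(("mgmt_frame_flood", f["src"], f["ts"]))
    return alerts


# Constructed sample capture: a benign probe, one broadcast deauth, and a
# burst of authentication requests from a single source (locally administered
# MAC addresses, not real devices).
AP = "02:00:00:00:00:aa"
SAMPLE_FRAMES = [
    {"ts": 0.00, "src": "02:00:00:00:00:01", "dst": AP, "subtype": "probe_req"},
    {"ts": 0.10, "src": "02:00:00:00:00:02", "dst": BROADCAST, "subtype": "deauth"},
] + [{"ts": 0.2 + i * 0.05, "src": "02:00:00:00:00:03", "dst": AP, "subtype": "auth"}
     for i in range(8)]

if __name__ == "__main__":
    for alert in match_signatures(SAMPLE_FRAMES):
        print(alert)
```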
The following categories of attack signatures are included by default:
- Broadcast deauthentication frame signatures - During a broadcast deauthentication frame attack, a hacker sends an 802.11 deauthentication frame to the broadcast MAC destination address of another client. This attack causes the destination client to disassociate from the access point and lose its connection. If this action is repeated, the client experiences a denial of service.
- NULL probe response signatures - During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up.
- Management frame flood signatures - During a management frame flood attack, a hacker floods an access point with 802.11 management frames. The result is a denial of service to all clients associated or attempting to associate to the access point. This attack can be implemented with different types of management frames: association requests, authentication requests, reassociation requests, probe requests, disassociation requests, deauthentication requests, and reserved management subtypes.
- Wellenreiter signature - Wellenreiter is a wireless LAN scanning and discovery utility that can reveal access point and client information.
- EAPOL flood signature - During an EAPOL flood attack, a hacker floods the air with EAPOL frames containing 802.1X authentication requests. As a result, the 802.1X authentication server cannot respond to all of the requests and fails to send successful authentication responses to valid clients. The result is a denial of service to all affected clients.
- NetStumbler signatures - NetStumbler is a wireless LAN scanning utility that reports access point broadcast information (such as operating channel, RSSI information, adapter manufacturer name, SSID, WEP status, and the latitude and longitude of the device