Table of ContentsintroductionReference MaterialDetermine your security needsUnderstanding the Pieces of the Aruba solutionDetectionClassifying Rogue APsConfiguring IDS attack detectionRogue ContainmentAlerting and ReportingAppendix: Contacting Aruba NetworksAbout Aruba Networks, Inc.33335111213131416

technology guideWIRELESS INTRUSION PROTECTION (WIP)IntroductionThe three main wireless security areas to keep in mind whenThis document outlines the configuration and features of theevaluating a WIDS system are rogue detection, rogueWireless Intrusion Protection solution available from ArubaNetworks. For simplicity, this document assumes that theController, RFProtect license and AirWave are being used. Inmost cases, functionality similar to what is in the Controller isavailable in Aruba Instant. The concepts discussed with thecontroller can be applied to an Instant based solution.Table 1 lists the current software versions for this guide.containment and wireless intrusion detection needs. Oncethose base wireless security requirements are establishedand met, other general criteria come into play like ease ofuse, notification options, reporting depth, and data retention.Understanding the Pieces of theAruba solutionThe Aruba solution can seem overwhelming at first. Thereare a number of different optional pieces. But they really boilTable 1. Aruba Software VersionsProductVersionArubaOS (Mobility Controllers)6.4down to the type of Aruba network you deploy (controllerbased or Instant), the radio performing RF scanning (AM, APor SM) and AirWave (long term data storage).Controller or Instant? In general, this question will beanswered by the WLAN requirements of your network. BothAirWave 8.0the controller and Instant provide a secure network with awealth of IDS features. The controller gives you a few morefeatures on the automatic containment side. The differencesReference Material This guide assumes a working knowledge of Arubaproducts. This guide is based on the network detailed inthe Aruba Campus Wireless Networks VRD and theBase Designs Lab Setup for Validated ReferenceDesign. These guides are available for free at The complete suite of Aruba technical documentationis available for download from the Aruba support site.These documents present complete, detailed featureand functionality explanations. The Aruba support site ison the WIDS side are negligible.What are the required pieces of the solution? If the answerabove was a controller, then the RFProtect license may benecessary to get the most out of the WIP solution. RFProtectenables a lot of advanced features including spectrumanalysis, IDS attack detection, and advanced wirelesscontainment. The table below outlines what is providedby the base ArubaOS vs the RFProtect license for thecontroller. This guide will assume that the RFProtect licensehas been applied.located at: This siterequires a user login and is for current Aruba customerswith support contracts.Determine your security needsAn effective security solution must be monitored andupdated on a regular basis. It should alert the security teamof critical issues that merit a response without overwhelmingthem with information. It is important that the critical issuesdo not get lost in a flood of general information. Because ofthat we recommend turning on only the IDS events that aredeemed worthy of investigation and follow up.One of the first steps in deploying a security solution isdetermining the security policy that needs to be enforced byyour enterprise. Preferably this would be done beforechoosing a security solution and would determine theevaluation criteria when choosing a solution.3

technology guideFeatureWIRELESS INTRUSION PROTECTION (WIP)ArubaOS BaseRFProtect LicenseAir monitor (2.4 and 5 GHz)Wireless rogue scanning and identificationWired rogue containmentWireless rogue containment via de-authorizationWi-Fi interference detectionSpectrum analysis (Hybrid and Spectrum monitor)Wi-Fi interference classificationWi-Fi interference visualizationWireless IDS attack signatures detectionSecurity threat management visualizationWireless intrusion configuration wizardTotal Watch enhanced air monitoringAir monitoring of all bands (2.4, 4.9 and 5 GHz)Dynamic channel dwell timesIn-between channels rogue scanningAdvanced wireless rogue containment via tar-pittingDetect and contain Windows BridgeSecurity events correlation4

technology guideWIRELESS INTRUSION PROTECTION (WIP)Wireless detection happens at the radio level and then getsFinally there is AirWave. AirWave is a required piece of anyfed upstream. Aruba radios can be deployed in a fewsecurity solution from Aruba. Unlike the controller or instant,different modes to fit the needs of the environment. TheseAirWave has a hard drive. This allows it to store a great dealinclude AP mode, Air Monitor (AM) mode and Spectrumof data and add a lot of value to the security solution.Monitor (SM) mode. Only the AP mode will serve clients. APAirWave can poll wired devices for additional wired roguemode will perform wireless rogue scans in 2.4 and 5 GHz, IDSdetection. AirWave has highly flexible classification rules thatdetection and opportunistic wireless containment. AP modecan and should be customized to your environment. AirWaveprioritizes client traffic over other functions. AM modealso provides alerting and reporting on security issues.focuses on security. AMs are strongly recommended ifHowever, information on configuring the controller towireless containment is to be enabled. SM mode focuses oncommunicate with AirWave is outside of the scope of thisgathering spectrum data. SMs will perform basic IDS whiledocument. At a high level, ensure that SNMP monitoring,they scan, but their scanning is focused on classifyingSNMP traps and AMON are enabled between the controllerinterferers. They cannot perform containment because ofand they need to scan to classify non-Wi-Fi interferers. Moredetails on containment can be found in the containmentDetectionchapter. More details on scanning algorithms can be found inWireless scanningthe chapter on detection.Radios in an Aruba AP can be configured to run in differentMost customers will only need standard AP mode devices formodes: AP mode, Air Monitor (AM) mode, or Spectrumsecurity. High security customers like financial customersMonitor (SM) mode. Each mode is designed to prioritizeand federal institutions may need AMs depending on theirdifferent tasks but will perform some level of all of them.requirements. Anyone planning on deploying wirelesscontainment should deploy AMs. Please see the chapter oncontainment for more information.Radio ModeServe P modeYesYesAll regulatorychannelsAll regulatorychannelsBest effortClient servingchannel onlyAir MonitorNoYesAll regulatory Rare channelsAll regulatory RareYesNoSpectrumMonitorNoYesAll regulatorychannelsAll regulatorychannelsNoAll channels5

technology guideWIRELESS INTRUSION PROTECTION (WIP)AP mode radios focus on serving clients and pushing wirelessBecause of the adaptive nature of the scanning algorithm it istraffic but they also perform IDS detection, Rogue detectionvery difficult to give an answer to the question ‘how long doesand spectrum analysis. The information provided by the APsit take to scan all channels’. Typically all channels will beprovides the base for detection. Most customers only needscanned at least once in less than an hour with activeAPs and do not need to deploy any AMs or SMs. IDS detectionchannels getting scanned much more frequently. Starting inoccurs 100% of the time that the AP is serving clients. ThisAOS 6.4.3, the 2xx series APs will scan 80 MHz in the 5 GHZmeans you have full IDS attack detection against yourspectrum when possible. This significantly decreases thedeployed network. The off channel scanning will find rogueamount of time it takes for an AP to detect rogue devices indevices and IDS attacks outside of your network.the 5 GHz band.Typically an AP will perform off channel scanning every 10APs can perform wireless containment but they will prioritizeseconds for slightly less than 100 milliseconds. This allows thepushing client traffic over containment. This is a veryAP to see what is occurring around it, without missing beaconsimportant distinction and the reason why AMs areand causing problems for clients. A lot of logic has been builtrecommended if wireless containment is enabled. If the AP isinto the Aruba scanning algorithm. It will pause scanning for anyserving clients on channel 1 and the rogue is on channel 6, thedetected voice or video on a particular radio to ensure the bestAP will not change channels to contain the rogue. If the roguequality for the clients. These settings can be configured usinghappens to be on channel 1, the AP will perform wirelessthe VoIP Aware Scan, Video Aware Scan and Power Save Awarecontainment while serving clients. If there are no clients on theScan options in the ARM profile. PEF firewall rules can also beAP, it can be configured to change channel to contain thedefined to pause scanning based on a type of traffic runningrogue device by enabling the ‘Rogue AP Aware’ setting in thethrough the network. This typically isn’t needed but can beARM profile.useful to ensure QoS for specific latency sensitive applications. Itis important to note that the off channel scanning is used formore than just WIP. It is also a key piece of Aruba’s AdaptiveRadio Management (ARM). All Aruba APs ship with scanningenabled by default. All published Aruba performance numbershave scanning enabled unless otherwise noted.APs can also perform spectrum analysis on the channel wherethey are serving clients. This gives the AP the ability to detectand classify non-Wi-Fi interferers that are impacting thedeployed wireless network. APs are not able to scan andprocess spectrum data off of the home channel due to theshort dwell times and relatively infrequent visits to otherThe AP can be configured to scan different sets of channels bychannels. Spectrum Monitors are designed to scan everychanging the ‘Scan Mode’ setting in the scanning section of thechannel within 1 second.ARM profile. Scanning all regulatory domain channels isrecommended. That will include any channel valid in anyregulatory domain, not just the regulatory domain of the AP.This is recommended since attackers typically don’t feel theneed to follow the law. Please note that the AP cannotperform containment on the channels outside of its regulatoryAMs are dedicated to wireless security. They do not serveclients. AMs typically do not need to be deployed at the samedensity an AP would since they do not serve clients. In mostcases a 4 to 1 or 5 to 1 ratio of APs to AMs is recommended,but that varies heavily based on AP density and environment.domain. The set of channels can be restricted to use thoseAMs use a channel scanning algorithm that is similar to an APwithin the AP’s regulatory domain but that is notbut has an extra bucket for ‘Rare’ channels. In raw MHz that isrecommended for security conscious customers.2412-2484 and 4900 through 5895 in 5 MHz increments. RareThe AP uses a bucketing based algorithm for channelscanning. When the AP boots, all channels are divided into 2different buckets, regulatory channels and non-regulatorychannels. The regulatory channels are scanned morefrequently than the non-regulatory channels. The thirdchannel bucket, active channels, is populated as the AP scansand detects channels with wireless traffic. The active bucket isscanned more frequently than all of the others. This allows thechannels include the 4.9 GHz spectrum which is a licensedpublic safety band in many countries. AMs will also scan the5 GHz spectrum in 5 MHz increments. Due to the analoguenature of wireless, we have found that the natural bleedthrough of RF signals will allow us to find rogues that areconfigured in between channels by scanning every 5 MHz. Thechannels scanned by an AM are configured in the AM scanningprofile which is part of the radio profile.AP to spend most of its time on channels where a threat islikely and the least amount of time on channels that are notlikely to see attacks.6

technology guideWIRELESS INTRUSION PROTECTION (WIP)Scan dwell times are based on the bucketing system. When inbucketing system used by APs and AMs. They rapidly cycleAP mode, the off channel’s dwell time is quite short so that thethrough all of the channels making sure they are all visitedAP doesn’t miss a beacon. Since the AM is not serving clients,every second. SMs will not perform any wireless containmentit does not send beacons and hence does not need to be onsince the time spent containing a rogue would impact theany particular channel. The AM will spend 500 millisecondsaccuracy of the spectrum classifications. Typically, SMs areon active channels, 250 on channels in the regulatoryused as a point troubleshooting. A full spectrum monitordomain, 200 in any regulatory domain and 100 on rareoverlay is not needed in most cases since the APs can performchannels. Channels will be promoted to the active channel listhybrid spectrum any time based on the detection of Wi-Fi activity. If noactivity is seen for a significant period of time, the channel willbe demoted back to its original bucket.While we generally don’t recommend single radio APs, a singleradio AM or SM can make sense. An AP-93, which is a singleradio 11n device, provides a low cost option for an AM or SM.AMs will scan the active channels bucket more frequently thanAll of the Aruba single radio APs can be tuned to both 2.4 GHzthe regulatory channels which will be scanned more frequentlyand 5 GHz. Using a single radio will slightly increase thethan the all regulatory channels which will be scanned moreamount of time it takes to detect a rogue, but it can stillfrequently than the rare channels. The exact channel that iseffectively detect and contain them. If a single radio device isscanned will be chosen randomly and will not incrementdeployed as an AM, be sure to verify that ‘Multi Band Scan’ isexactly. The dwell times listed above are slightly randomizedenabled in the ARM profile. Multi Band Scan tells the singleto ensure that a rogue cannot predict exactly when it can andradio AP to scan both the 2.4 GHz and 5 GHz band. Multi Bandcannot transmit to avoid detection.Scan can enable a single radio device in AP mode to scan bothAMs are very effective at wireless containment. They will altertheir scanning algorithm when containing to make sure they visitbands, but isn’t recommended since a robust wireless networkwill simultaneously support 2.4 and 5 GHz clients.the channel where containment is occurring frequently. They willYou can verify which channels are scanned and howcontinue to scan for additional threats on other channels.frequently they are getting scanned by running the ‘Show aparm scan times ap-name’ command, or by using AirWave toSMs are designed for spectrum classification. They willperform IDS detection and rogue detection while they arescanning for spectrum analysis, but they do not follow therun the command on the controller. You will see an outputthat looks like:Channel Scan 27370841081391830126534430DACLUX27375887

technology guideWIRELESS INTRUSION PROTECTION 00D2737354Channel Flags: D: All-Reg-Domain Channel, C: Reg-Domain Channel, A: Activity PresentL: Scan 40MHz Lower, U: Scan 40MHz Upper, Z: Rare ChannelV: Valid, T: Valid 20MHZ Channel, F: Valid 40MHz Channel,O: DOS Channel, K: DOS 40MHz Upper, H: DOS 40MHz LowerR: Radar detected in last 30 min, X: DFS requiredThe scanning configuration of an AP or AM can be confirmedfor scanning and a little information about the scans. Theby running the ‘show ap monitor scan-info ap-name’output will look similar to:command. It will give you a view of how the radio is configuredWIF Scanning State: wifi0: -----------ParameterValue--------------Probe TypesapPhy Type80211a-HT-20Scan Modeall-reg-domainScan Channelno8

technology guideWIRELESS INTRUSION PROTECTION (WIP)Disable ScanningyesRegDomain Scan CompletedyesDOS Channel Count0Current Channel48Current Scan Channel124 Current Channel Index18Current Scan Start Milli Tick-1787802966Current Dwell Time110Current Scan ------------------------------Dwell Times500250200100500Last Scan Channel124 124-60-00Wired Rogue AP DetectionThe controller has a few different methods for determiningthat an AP is connected to the wire. The most basic is a /- 1MAC address check of traffic that has been on the wire andseen wirelessly. If wired traffic is observed with a MAC addressthat is within 1 of wireless traffic, that device will be tagged asa wired connected rogue.There are a few more sophisticated methods as well. The APsand AMs will monitor all the traffic heard over the air to see ifany of it is originating on the wired network. It is determinedthat the traffic originated on the wire if the from ds field of thewireless traffic matches any of the known wired gateway MACaddresses. The list of known wired gateway MAC addresses isbuilt up by the controller, APs and AMs. All client facing VLANsshould be trunked to either the controller or an AP or AM.The traffic only needs to be trunked to 1 AP or AM for thedetection to work. It doesn’t hurt to trunk the VLANs to allof the APs or AMs that are deployed. That is actually requiredfor wired containment which is discussed in the chaptertwo MAC addresses are within a configurable offset, they willbe considered the same device and linked together. The sizeof the correlation window can be configured in RAPIDS Setuppage in the ‘wired to wireless MAC address correlation’ setting.There is also a wired to wireless correlation window that canbe configured on the RAPIDS Setup page. It defaults to 6hours. This can help limit false positives for devices that havesimilar MAC addresses but are not on the network at thesame time.If AirWave is able to get an IP address for a rogue, it canperform an NMAP scan on the device to determine theoperating system. While the scan isn’t able to classify 100% ofthe operating systems, it does give valuable insight into thetype of device on the network. It is worth noting that there isalso a wireless BSSID correlation window. That window will linkwireless BSSIDs that are numerically close together into thesame device. This means that neighboring networks that arebroadcasting multiple SSIDs from the same AP will be linkedinto a single rogue record.All of the information gathered by AirWave can be used toclassify a rogue device. More information on that is included inregarding containment.the section detailing classification.AirWave should be configured to poll routers and switches onAdding switches to AirWave has additional value outside of thethe network via SNMP. AirWave will poll the bridge forwardingtables and the ARP tables to gather rogue information aboutthe network. The bridge forwarding table gives AirWave amapping of wired MAC addresses to switch ports. The ARPsecurity realm. AirWave can perform upstream eventcorrelation to identify wired causes to AP problems. It can alsoprovide visibility into the switch ports that are serving APs sowired problems can be easily identified.table gives a mapping of wired MAC addresses and IPaddresses. AirWave will then correlate the list of wired MACaddresses with everything that has been heard over the air. If9

technology guideWIRELESS INTRUSION PROTECTION (WIP)802.11ac Rogue DetectionEarlier it was mentioned that the wired rogue detection was802.11ac devices are backwards compatible withbased on looking at the source MAC address of frames802.11a/b/g/n devices. For 11ac devices to be backwardscoming out of the rogue AP. Those are the data frames. Withcompatible, the management frames, like beacons, will go outan 11ac rogue and an 11ac client, they may not be visible toat 20 MHz. That way non-11ac clients can detect the AP and11a/b/g/n devices. If a legacy client connects to the 11acconnect to them. This means that legacy a/b/g/n APs can alsorogue, then it can be detected by the legacy AP since thewirelessly detect rogue 11ac access points. But the legacy APslegacy radio can understand the traffic.won’t necessarily have visibility into the data coming out of arogue 11ac AP.Because of these limitations, an 11ac overlay or 11ac networkis recommended for high security customers. 11ac is requiredIf the rogue is communicating with an 11ac client, the datato make sure that all potential threats are detected.frames may have a channel that is too wide, or a modulationthat the legacy AP cannot decode. That means legacy APs areunable to always determine if a client is associated to therogue. That detection is critical for more advanced featuressuch as wireless containment and wired rogue detection. If anAP can’t hear the client on the rogue, then it cannot contain it.FeatureLegacy Network11ac Overlay11ac NetworkWireless rogue detectionSupportedSupportedSupportedBasic wired rogue detectionSupportedSupportedSupportedAdvanced wired rogue detectionVulnerableSupportedSupportedBasic IDS attack detectionSupportedSupportedSupportedAdvanced IDS attack detectionVulnerableSupportedSupportedCustom IDS signature detectionVulnerableSupportedSupportedFull IDS attack detectionVulnerableSupportedSupportedWired containmentSupportedSupportedSupported10

technology guideWIRELESS INTRUSION PROTECTION (WIP)Classifying Rogue APsThe rules are displayed in a list form. They act similar toRogue classification should happen in AirWave. The controllerfirewall rules. The first rule in the list that is matched, is thecan perform some basic device classification but AirWaveprovides a more robust and configurable solution. The heartof the Aruba classification system is configured on theclassification a device will receive. If a device does not matchany rule, it will get the default classification specified in thedrop down above the rules list.Rapids Rules page in AirWave.Devices will get continuously reclassified as new informationThe rules above are pretty much the default rules you will seecomes in about them. But they will only be reclassified up thein RAPIDS. The rules should be customized for your uniquelist into a more specific rule. It is important that more specificenvironment. They should be updated based on the securityand detailed rules are at the top of the list and that genericpolicies implemented by your enterprise. It is a recommendedcatch-all rules are at the practice to make sure that anything classified into theIf a neighboring AP is heard with a weak signal strength itwould fall to the ‘Detected wirelessly’ rule and get classified asa suspect neighbor. If a week later the device suddenly had astrong signal strength of -60 dBm, it would be promoted up toa suspect rogue. At that point an alert could fire, but more on‘Rogue’ classification is considered a significant security threatand will be investigated by the security team right away. It isimportant to focus that classification down into things thatneed to be investigated so that the true threats don’t get lostin a flood of neighboring devices.alerts in the alerting and reporting chapter. Now if that deviceOnce the customized security policy rules are in place, it iswere to be detected on the wire a day later, it would berecommended that you take a look at the classified devices.classified by the ‘Detected Wirelessly and on LAN’ rule andYou can often find sets of devices that can be reclassified intoreclassified as a rogue.the neighbor classification without creating any security risk. ItThreat level is an optional additional bucketing system within asingle classification. It has no set definition. A threat level of 1or 10 can be considered the most dangerous. However, beis both common and recommended to create general rules tomatch neighboring devices so that they can be pushed downthe danger meter into less threatening classifications.sure to keep the rules in sync so that a specific threat level isalways considered the most dangerous. The threat level canbe used to change the alerting options within AirWave.11

technology guideWIRELESS INTRUSION PROTECTION (WIP)A common example are 2Wire APs. 2Wire makes home DSLConfiguring IDS attack detectionrouters that are often used by AT&T or SBC for wireless. IfHow you choose to configure your controllers is a largeryou have a campus near an apartment building or residentialarea, you will see a lot of 2Wire devices. Within RAPIDS youcan create a rule that will reclassify any 2Wire device to bea neighbor without manually inspecting it. This can save agreat deal of time and make it much easier to keep up withthe wirelessly detected devices in your RF environment. Thecommon 2Wire rule is to classify any device manufacturedby 2Wire with a 2Wire SSID, running encryption, heard witha weak signal strength and not connected to the LAN asa neighbor.discussion than WIP. The easiest way to configure IDS attackdetection is to use the WIP wizard in the controller. Onceyou have gone through the wizard, you can have AirWave pullthe configuration from the controller and use that as thegolden sample.The wizard is straight forward and will prompt for which IDSattacks and automatic containment should be enabled as partof step 4. It is recommended to start with a small list ofserious threats, and slowly grow that list. A lot of teams makethe mistake of turning on everything they can detect. Thenthey get overwhelmed by the number of alerts and fail tofollow up on any of it.12

technology guideWIRELESS INTRUSION PROTECTION (WIP)It is recommended that you only turn on attack detection thatdisconnects and starts over. The important thing is thatis worth investigating. High security customers should chooserealization can take anywhere from 500 millisecondsthe ‘High’ option. The high option does not enable every eventto requiring user intervention. This makes tar-pitting athat can be detected by the Aruba system. For example,significantly more efficient mechanism to containNetstumbler detection isn’t turned on by default. Netstumblerrogue devices.detection means that a client device is running an oldscanning system. It doesn’t necessarily mean they are trying tobreak into the network. Custom settings can be chosen thatallow you to enable or disable every attack detectionindividually if you wish to see everything.AMs are always recommended when wireless containment isenabled. APs will perform containment, but only if the roguedevice or client is on the same channel as the AP. APs maychange channel to contain a rogue if there are no clients onthe AP and ‘Rogue AP Aware’ is enabled in the ARM profile.If you prefer, the IDS detection can be configured through theAMs will mark a channel for DOS and will alternate between itprofiles but correct configuration requires a deeperand the channels it is scanning. This allows an AM to spend aknowledge of AOS and the profile structure. Please see thelot more time containing rogues.User Guide for more information.Rogue ContainmentNot all customers are comfortable running roguecontainment. Some types of rogue containment may impactneighboring networks while others will only protect yournetwork and pose no threat to neighbors.There are a lot of automatic rogue containment options thatgo beyond ‘contain if the device is classified as a rogue’. Thesafest and most common options are ‘Protect Valid Stations’and ‘Protect SSID’. Any station that has authenticated to theAruba network with encryption will be automatically classifiedas valid. Once this happens, the Aruba network will not allowthem to connect to any other network if Protect Valid StationsJust like IDS, containment is most easily configured throughis enabled. This protects the network by preventing users withthe wizard. Containment may also be referred to as shieldingsensitive data from connecting to neighboring networks thator mitigation. They all mean the same thing. Breaking themay be snooping the data.rogue’s or client’s ability to connect to the network. There aretwo main types of containment, wired and wireless.Protect SSID will automatically contain any non-valid APs thatare broadcasting the SSIDs on the controller. This can be veryWir

traffic but they also perform IDS detection, Rogue detection and spectrum analysis. The information provided by the aPs provides the base for detection. Most customers only need aPs and do not need to deploy any aMs or SMs. IdS detection occurs 100% of the time that the aP is serving clients. This mean