Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy
14. Mitigation of Other Attacks
Mitigation of other attacks involves multiple defensive techniques: identifying connected devices that do not
meet administrator-approved configurations and taking action to resolve them, using administrator-approved
methods to block unauthorized connection attempts to the network, detecting and reporting intrusion attempts,
and using policies with administrator-approved methods to identify and defend against network attack attempts.
Aruba Instant includes the Intrusion Detection (IDS) feature that monitors the network for the presence of
unauthorized Instant APs and clients, logs information about the unauthorized Instant APs and clients, and
generates reports based on the logged information.
Network operation attacks can come from rogue Instant APs, interfering Instant APs, and other devices on the
network.
• A rogue Instant AP is an unauthorized Instant AP plugged into the wired side of the network.
• An interfering Instant AP is an Instant AP that is seen in the RF environment but is not connected to the
  wired network. While the interfering Instant AP can potentially cause RF interference, it is not considered a
  direct security threat, because it is not connected to the wired network. However, an interfering Instant AP
  may be reclassified as a rogue Instant AP.
The Aruba Instant IDS feature scans for access points that are not controlled by the virtual controller. These are
listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your
network.
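The Rogue/Interfering distinction described above, sketched as an added example (not Aruba code, and not taken from this Security Policy). The `Sighting` record, the `on_wired` flag, the sample MAC addresses, and the rule that a rogue label is never downgraded automatically are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sighting:
    """One scan result (constructed format, not an Aruba data structure)."""
    bssid: str       # radio MAC address heard in the RF environment
    on_wired: bool   # True if the device was also observed on the wired network

def classify(sightings, managed_bssids):
    """Label each unmanaged AP 'interfering' or 'rogue'; managed APs are 'valid'.

    Returns (labels, events). events records every first sighting and every
    interfering -> rogue reclassification, for logging and reporting.
    Assumption: a rogue label is sticky and is never downgraded automatically.
    """
    managed = {b.lower() for b in managed_bssids}
    labels, events = {}, []
    for s in sightings:
        bssid = s.bssid.lower()
        if bssid in managed:
            new = "valid"
        elif s.on_wired or labels.get(bssid) == "rogue":
            new = "rogue"
        else:
            new = "interfering"
        old = labels.get(bssid)
        if new != old:
            events.append((bssid, old, new))
            labels[bssid] = new
    return labels, events

# Constructed sample data (locally administered MAC addresses).
MANAGED = {"02:00:00:00:00:01"}
SCAN = [
    Sighting("02:00:00:00:00:01", on_wired=True),    # our own Instant AP
    Sighting("02:00:00:00:AA:10", on_wired=False),   # neighbour's AP, RF only
    Sighting("02:00:00:00:BB:20", on_wired=False),   # unknown AP, RF only so far
    Sighting("02:00:00:00:BB:20", on_wired=True),    # later seen on our wire
    Sighting("02:00:00:00:BB:20", on_wired=False),   # stays rogue
]

if __name__ == "__main__":
    labels, events = classify(SCAN, MANAGED)
    for bssid, old, new in events:
        print(f"{bssid}: {old or 'new'} -> {new}")
```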
The Aruba Instant IDS OS Fingerprinting feature gathers information about each client connected to the
Instant network to determine the operating system that the client is running. This allows:
• Identifying rogue clients — Helps to identify clients that are running on forbidden operating systems.
• Identifying outdated operating systems — Helps to locate outdated and unexpected operating systems in the
  company network.
• Locating and patching vulnerable operating systems — Assists in locating and patching specific operating
  system versions on the network that have known vulnerabilities, thereby securing the company network.
The Aruba Instant IDS Wireless Intrusion Protection (WIP) feature includes a variety of pre-defined default and
administrator-restricted customizable Infrastructure and Client policies, each with different levels based on
administrator-selectable Detection/Protection Levels (High, Medium, Low or Off):
• Infrastructure Detection Policies — Specifies the policy for detecting wireless attacks on access points.
  o Attack attempts detected include Instant AP spoofing or impersonation, Windows Bridge, IDS
    Signature Deauthentication Broadcast and Deassociation Broadcast, ad hoc networks using VALID
    SSID misuse (Valid SSID list is autoconfigured based on Instant AP configuration), 802.11 40 MHz
    intolerance settings, Active 802.11n Greenfield Mode, Instant AP Flood Attack, Client Flood Attack,
    Bad WEP, CTS or RTS Rate Anomaly, Invalid Address Combination, Malformed Frame (Large
    Duration, HT IE, Association Request or Auth), Overflow IE or EAPOL Key, Beacon Wrong
    Channel, and devices with invalid MAC OUI.
• Client Detection Policies — Specifies the policy for detecting wireless attacks on clients.
  o Attack attempts detected include EAP Rate Anomaly, Chop Chop Attack, Rate Anomaly, TKIP
    Replay Attack, IDS Signature (Air Jack or ASLEAP), Disconnect Station Attack, Omerta Attack,
    FATA-Jack Attack, Block ACK DOS, Hotspotter Attack, unencrypted Valid Client, Power Save DOS
    Attack, and Valid Client Misassociation.