Cisco 5520 Wireless Controller Design Guide
Chapter 1 Cisco Adaptive wIPS Management Deployment Guide, Release 8.0
Adaptive WIPS Management Best Practices
Understanding Adaptive wIPS Signatures
aWIPS Signature Compatibility Between CUWN Releases
Starting with WLC and MSE releases 7.5 through 8.0, new aWIPS signatures have been added, along with
enhanced aWIPS features such as new mitigation actions.
Refer to the table below for the compatible release combinations of MSE, Prime Infrastructure (PI), and
WLC with regard to aWIPS signature support.
To fine-tune aWIPS signatures, first understand the available configuration options and their
recommended settings.
Severity
The severity of each aWIPS alarm is set according to its security threat level and its operational impact
on a production wireless network. Most DoS attacks, for example, can disrupt the wireless infrastructure
itself, so their severity is set to Critical by default. It is not necessary to change the default severity
level, but it can be changed on a case-by-case basis, provided the change has been thoroughly investigated
and reviewed internally with the customer's InfoSec and security monitoring teams.
Monitoring Objects
There are two types of monitoring objects: SSID Group and Device Group. Depending on the signature,
neither, one, or both may be available to configure.
A Device Group is a list of device MAC addresses that administrators want to monitor for aWIPS attacks.
For attacks that target infrastructure devices, such as APs and their associated clients, the most
effective choice is to select the Internal option as the Device Group to be monitored.
If SSID Groups are configured, the SSIDs they contain are monitored for SSID-specific attacks. For these
alarms to fire correctly, the SSIDs must first be placed in the appropriate SSID Group so that the group
can be referenced later in the signature configuration.
To configure the Honeypot AP detected signature so that it monitors the SSIDs Cisco, cisco, and cIsco,
follow this two-step process:
Step 1
Ensure that the SSIDs Cisco, cisco, and cIsco are configured in an SSID Group, such as MyWLAN, that
appears in the SSID Group List of the wIPS profile.
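The following model is an added illustration of the monitoring-object concepts above (an SSID Group plus the Internal Device Group) and of why Step 1 insists the group exist before a signature references it. It is not Cisco code and does not reproduce how MSE or PI evaluate signatures; the profile class, the beacon records, the managed-AP BSSIDs and the alarm dictionary layout are all constructed here. Exact string comparison of SSIDs is assumed, which is why the guide lists Cisco, cisco and cIsco as three separate entries.

```python
"""Constructed model of how aWIPS monitoring objects scope a signature.

Added illustration, not Cisco's code: a wIPS profile holds SSID Groups
(sets of SSID strings) and an Internal Device Group (BSSIDs of managed
APs). A Honeypot-style rule then flags any beacon whose SSID is in the
monitored group but whose BSSID is not a managed AP.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated (accepts '-' or '.' input)."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Beacon:
    """One observed beacon/probe response (constructed sample data below)."""
    bssid: str
    ssid: str
    channel: int


@dataclass
class WipsProfile:
    """Minimal stand-in for the wIPS profile's monitoring objects (hypothetical)."""
    ssid_groups: dict[str, set[str]] = field(default_factory=dict)
    internal_bssids: set[str] = field(default_factory=set)  # Device Group: Internal

    def add_ssid_group(self, name: str, ssids: list[str]) -> None:
        # Exact string match: 'Cisco', 'cisco' and 'cIsco' are three entries.
        self.ssid_groups[name] = set(ssids)

    def add_internal_ap(self, bssid: str) -> None:
        self.internal_bssids.add(normalize_mac(bssid))


def honeypot_alarms(profile: WipsProfile, group_name: str,
                    beacons: list[Beacon], severity: str = "Critical") -> list[dict]:
    """Evaluate beacons against a Honeypot-AP style rule scoped by group_name.

    Raises KeyError if the rule references an SSID Group that was never added
    to the profile, the ordering mistake that Step 1 guards against.
    """
    if group_name not in profile.ssid_groups:
        raise KeyError(f"SSID Group {group_name!r} not defined in profile")
    monitored = profile.ssid_groups[group_name]
    alarms = []
    for b in beacons:
        bssid = normalize_mac(b.bssid)
        if b.ssid in monitored and bssid not in profile.internal_bssids:
            alarms.append({"signature": "Honeypot AP detected", "severity": severity,
                           "ssid": b.ssid, "bssid": bssid, "channel": b.channel})
    return alarms


def build_sample_profile() -> WipsProfile:
    """Constructed profile: group MyWLAN from the guide, two hypothetical managed APs."""
    p = WipsProfile()
    p.add_ssid_group("MyWLAN", ["Cisco", "cisco", "cIsco"])
    p.add_internal_ap("00:11:22:33:44:55")
    p.add_internal_ap("00:11:22:33:44:56")
    return p


# Constructed observations, not captured traffic.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", "Cisco", 6),    # managed AP: no alarm
    Beacon("aa:bb:cc:dd:ee:01", "cisco", 1),    # unknown AP, monitored SSID: alarm
    Beacon("aa:bb:cc:dd:ee:02", "CISCO", 11),   # variant not in the group: no alarm
    Beacon("aa:bb:cc:dd:ee:03", "Guest", 36),   # unmonitored SSID: no alarm
    Beacon("AA-BB-CC-DD-EE-04", "cIsco", 44),   # hyphenated MAC still matches: alarm
]

if __name__ == "__main__":
    for alarm in honeypot_alarms(build_sample_profile(), "MyWLAN", SAMPLE_BEACONS):
        print(alarm)
```

Running the block reports two alarms, for the unknown BSSIDs advertising "cisco" and "cIsco"; the beacon advertising "CISCO" is silent because that variant was never placed in MyWLAN, which is the practical reason to enumerate every case variant you want covered rather than assume the group matches loosely.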
aWIPS signature compatibility: MSE, PI, and controller release combinations

MSE Releases    PI Releases       Controller Releases
7.4             1.3, 2.0, 2.1     7.4
7.5             1.4               7.5
7.6             1.4.1             7.6
8.0             2.2               8.0