Cisco 5520 Wireless Controller Design Guide
Chapter 1 Cisco Adaptive wIPS Management Deployment Guide, Release 8.0
Adaptive WIPS Management Best Practices
Blacklist
Unlike the auto-immune action, blacklist is a more aggressive mitigation action: if the identified attacking device is currently connected, it is deauthenticated first, and all traffic from it is ignored afterwards for as long as it remains on the blacklist. Currently, the following attacks support the blacklist action:
• Suspicious after-hours traffic detected
• Fake DHCP server detected
• Unauthorized association by vendor list
• DNS Tunnel bypass detected
• ICMP Tunnel bypass detected
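The blacklist semantics described above (deauthenticate once if connected, then ignore every frame while the device stays listed, lift the block on removal) as an added Python model. This is constructed for illustration and is not Cisco's code; the MAC address and the "fake DHCP server" trigger in the scenario are sample values.

```python
from dataclasses import dataclass, field


@dataclass
class BlacklistEnforcer:
    """Constructed model of the aWIPS blacklist action (not Cisco's implementation).

    Placing a device on the blacklist deauthenticates it once if it is
    currently associated; every later frame from it is dropped for as long
    as it stays on the list. Removing it from the list lifts the block.
    """
    associated: set = field(default_factory=set)      # MACs currently associated
    blacklist: set = field(default_factory=set)       # MACs currently blacklisted
    deauth_sent: list = field(default_factory=list)   # MACs a deauth was sent to
    dropped: int = 0                                  # frames/association attempts ignored
    forwarded: int = 0                                # frames passed through

    def associate(self, mac: str) -> bool:
        """Association attempt; refused while the MAC is on the blacklist."""
        if mac in self.blacklist:
            self.dropped += 1
            return False
        self.associated.add(mac)
        return True

    def handle_frame(self, mac: str) -> bool:
        """Frame from mac: True if forwarded, False if ignored."""
        if mac in self.blacklist:
            self.dropped += 1
            return False
        self.forwarded += 1
        return True

    def add_to_blacklist(self, mac: str) -> None:
        """Alarm action: blacklist mac, deauthenticating it first if it is connected."""
        self.blacklist.add(mac)
        if mac in self.associated:
            self.deauth_sent.append(mac)
            self.associated.discard(mac)

    def remove_from_blacklist(self, mac: str) -> None:
        """Administrator lifts the block; traffic is accepted again afterwards."""
        self.blacklist.discard(mac)


def run_scenario() -> dict:
    """Constructed traffic: one client, blacklisted after a fake-DHCP-server alarm."""
    mac = "02:00:00:00:00:01"               # constructed sample MAC
    enf = BlacklistEnforcer()
    enf.associate(mac)
    enf.handle_frame(mac)                   # forwarded: not yet blacklisted
    enf.add_to_blacklist(mac)               # alarm fires -> deauth, since it was connected
    blocked = [enf.handle_frame(mac) for _ in range(3)]   # all ignored while listed
    reassoc = enf.associate(mac)            # refused while listed
    enf.remove_from_blacklist(mac)
    after = enf.associate(mac) and enf.handle_frame(mac)  # accepted again
    return {"deauth_sent": enf.deauth_sent, "blocked": blocked,
            "reassoc_while_listed": reassoc, "forwarded_after_removal": after,
            "dropped": enf.dropped, "forwarded": enf.forwarded}


if __name__ == "__main__":
    print(run_scenario())
```

A device that is blacklisted while not associated receives no deauthentication; only its later frames are dropped, which matches the "if it is connected first" wording above.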
Containment
Containment action in WIPS attacks is similar to rogue AP containment. It is designed to initiate containment on SSID-related attacks, to prevent legitimate clients from connecting to SSIDs set up by attackers. Currently, the following attacks support the containment action:
• Soft AP or Host AP Detected
• Airsnarf Attack Detected
• Honeypot AP Detected
• Hotspotter Tool Detected
• Karma Tool Detected
• Device Broadcast XSS SSID
Threshold
Some of the aWIPS alarms are threshold-based: once the number of matching frames/packets in a sampling period exceeds the threshold, the alarm is triggered. A sampling period in Cisco WIPS is one minute, measured as accumulated dwell time on a channel by WIPS APs.
An AP in local mode with wIPS (ELM) spends only 50 ms on off-channel scanning, so accumulating a full sampling period for an off-channel attack takes a long time. This is why ELM provides only best-effort detection of off-channel attacks. It is recommended to use a monitoring mode (MM) AP to detect off-channel attacks. On the other hand, because ELM is on its operating channel most of the time, it detects on-channel attacks much faster than an MM AP.
To get the best output, an ELM AP with a WSM module is the recommended solution for WIPS deployment.
Threshold-based alarms tend to cause more false positives than non-threshold-based ones. For some of them, however, alarm accuracy can be increased when out-of-sequence (OOS) logic is also taken into consideration. Therefore, these alarms are subject to administrator monitoring, review, and fine-tuning.
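To make the dwell-time point concrete, here is an added Python simulation of a threshold-based alarm evaluated over accumulated dwell time; it is constructed for this page and is not Cisco's code. The one-minute sampling period and the 50 ms ELM off-channel dwell come from the text above; the 10-second interval between ELM off-channel visits, the attack rate and the threshold value are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Values taken from the guide text above.
SAMPLING_PERIOD_MS = 60_000       # one minute of accumulated dwell time on a channel
ELM_OFF_CHANNEL_DWELL_MS = 50     # ELM AP dwell per off-channel visit


@dataclass
class ThresholdAlarm:
    """One threshold-based alarm tracked on one channel (constructed model)."""
    name: str
    threshold: int                       # fires when matches in a sampling period exceed this
    dwell_ms: int = 0                    # dwell accumulated in the current sampling period
    matches: int = 0                     # matching frames seen in the current sampling period
    fired_at_ms: list = field(default_factory=list)  # wall-clock times the alarm fired

    def observe(self, dwell_ms: int, matching_frames: int, now_ms: int) -> bool:
        """Account for one dwell on the channel; return True if the alarm fired."""
        self.dwell_ms += dwell_ms
        self.matches += matching_frames
        if self.dwell_ms < SAMPLING_PERIOD_MS:
            return False                 # sampling period not yet complete
        fired = self.matches > self.threshold
        if fired:
            self.fired_at_ms.append(now_ms)
        # The sampling period is complete: start a new one.
        self.dwell_ms = 0
        self.matches = 0
        return fired


def time_to_first_alarm(ap_mode: str, attack_rate_per_s: int, threshold: int,
                        duration_s: int, elm_scan_interval_ms: int = 10_000) -> Optional[int]:
    """Drive a constructed, steady attack stream on one channel and return the
    wall-clock time (ms) of the first alarm, or None if it never fires.

    "MM":  a monitoring-mode AP dwelling on the channel continuously.
    "ELM": a local-mode AP with wIPS that visits the channel for 50 ms every
           elm_scan_interval_ms (the interval is an assumption, not from the guide).
    """
    alarm = ThresholdAlarm("constructed frame flood", threshold)
    now = 0
    end = duration_s * 1000
    while now < end:
        if ap_mode == "MM":
            step = 1000                  # one second of continuous dwell
            alarm.observe(step, attack_rate_per_s, now + step)
            now += step
        elif ap_mode == "ELM":
            seen = attack_rate_per_s * ELM_OFF_CHANNEL_DWELL_MS // 1000  # frames seen in 50 ms
            alarm.observe(ELM_OFF_CHANNEL_DWELL_MS, seen, now + ELM_OFF_CHANNEL_DWELL_MS)
            now += elm_scan_interval_ms
        else:
            raise ValueError(f"unknown AP mode: {ap_mode}")
    return alarm.fired_at_ms[0] if alarm.fired_at_ms else None


if __name__ == "__main__":
    for mode in ("MM", "ELM"):
        t = time_to_first_alarm(mode, attack_rate_per_s=100, threshold=100, duration_s=4 * 3600)
        print(mode, "first alarm after", None if t is None else f"{t / 1000:.1f} s")
```

With the assumed 10 s visit interval, the ELM AP needs 1200 off-channel visits to accumulate one minute of dwell, so the same flood that an MM AP flags after 60 s is not flagged by ELM for well over three hours; a flood that ends before then is never evaluated at all, which is the best-effort behaviour the text describes.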
Fidelity
Fidelity is one key attribute missing from previous Cisco aWIPS documentation and aWIPS user interfaces. It represents a measure of confidence in signature accuracy. The fidelity level of WIPS alarms is categorized into the following five categories by accuracy percentage:
• Very High > 95%
• High > 80%