Chapter 1 Cisco Adaptive wIPS Management Deployment Guide, Release 8.0
Adaptive WIPS Management Best Practices
Enabling Forensic for all alarms is not recommended, because it can increase aWIPS alarm-related traffic dramatically, especially when the WLC and the MSE are in different locations and communicate over a WAN link. The Forensic option can, however, be enabled for specific alarms when troubleshooting or validating alarm fidelity.
When the captured forensic file is not sufficient for troubleshooting, administrators can use third-party sniffing tools (such as AirMagnet Wi-Fi Analyzer or Wireshark AirPcap) to capture for a longer duration.
If you do not have sniffing tools, Cisco TAC offers OmniPeek Remote Assistant (ORA) for capturing. 
To capture traffic through sniffing tools, administrators can follow the steps given below:
1. From the triggered alarm, find the alarm MAC, reporting AP, last reporting time, and alarm channel, if applicable.
2. Schedule a site visit close to the last reporting time, especially when it is a recurring alarm.
3. Start the capture at or close to the reporting AP's area.
4. Obtain two captures:
   a. Enable all channels in 2.4 GHz and 5 GHz; scan for at least 30 minutes and save the capture. Note that not all sniffing tools can do this capture.
   b. Focus on the alarm channel; scan for at least 30 minutes and save the capture.
After collecting enough traces, submit the file to Cisco TAC for further analysis. 
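As an added example (not from the Cisco guide), the following Python script sanity-checks the metadata of the two captures from step 4 before they are sent to TAC: each should span at least 30 minutes, contain frames from the alarm MAC found in step 1, and, for the all-channel capture, touch both the 2.4 GHz and 5 GHz bands. The frame records, MAC addresses and timestamps are constructed placeholders, and the `synthetic_capture` helper stands in for whatever your sniffer actually exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_DURATION = timedelta(minutes=30)  # the guide asks for at least 30 minutes per capture

@dataclass(frozen=True)
class Frame:
    """Per-frame metadata as a sniffer exports it (constructed for this example)."""
    ts: datetime
    channel: int
    transmitter: str  # transmitter MAC, lower-case colon form

def band(channel):
    """Channels 1-14 are 2.4 GHz; higher channel numbers are treated as 5 GHz."""
    return "2.4GHz" if channel <= 14 else "5GHz"

def check_capture(frames, alarm_mac, alarm_channel, focused):
    """Pass/fail findings for one capture: focused=False is the all-channel scan
    (must touch both bands); focused=True is the alarm-channel scan (one channel only)."""
    if not frames:
        return {"duration_ok": False, "alarm_mac_seen": False, "channels_ok": False}
    ordered = sorted(frames, key=lambda f: f.ts)
    channels = {f.channel for f in frames}
    if focused:
        channels_ok = channels == {alarm_channel}
    else:
        channels_ok = {band(c) for c in channels} == {"2.4GHz", "5GHz"}
    return {
        "duration_ok": ordered[-1].ts - ordered[0].ts >= MIN_DURATION,
        "alarm_mac_seen": any(f.transmitter == alarm_mac.lower() for f in frames),
        "channels_ok": channels_ok,
    }

def synthetic_capture(start, minutes, channels, mac, period_s=10):
    """Constructed frames: one every period_s seconds, hopping through channels."""
    return [Frame(start + timedelta(seconds=i * period_s), channels[i % len(channels)], mac)
            for i in range(minutes * 60 // period_s)]

def run_demo():
    """Check three constructed captures against placeholder alarm details from step 1."""
    t0, mac, ch = datetime(2024, 1, 1, 9, 0), "aa:bb:cc:dd:ee:ff", 6
    full = synthetic_capture(t0, 31, [1, 6, 11, 36, 40], mac)      # step 4a, both bands
    focused = synthetic_capture(t0, 31, [ch], mac)                  # step 4b, alarm channel
    short = synthetic_capture(t0, 10, [ch], "00:11:22:33:44:55")    # too short, MAC absent
    return {"full": check_capture(full, mac.upper(), ch, focused=False),
            "focused": check_capture(focused, mac, ch, focused=True),
            "short": check_capture(short, mac, ch, focused=True)}

if __name__ == "__main__":
    print(run_demo())
```

A capture that fails any finding is worth re-running before the site visit ends, since a second trip is usually harder to arrange than a longer scan.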
Action
Action refers to the mitigation action that aWIPS can take when an attack is detected. To date, Cisco aWIPS provides four mitigation actions: location, auto-immune, blacklist, and containment. The last three are only available in WLC and MSE releases 7.5 or 7.6 and PI releases 1.4 or 1.4.1.
Location
For most aWIPS alarms, location is still the only mitigation scheme available unless another scheme is specified. This option is not explicitly configurable. It relies on another service hosted on the MSE, Context Aware, to locate attackers or alarm sources so that they can be physically removed.
Auto-Immune
In some DoS attacks, an attacker can use specially crafted packets to mislead wIPS into treating a legitimate client as an attacker, which causes the controller to disconnect that legitimate client. The auto-immune feature is designed to ignore the crafted packets from the attacker and protect the legitimate client from losing connectivity. Currently, only one attack supports the auto-immune action:
DoS: Re-association request flood
Note
Enabling auto-immune is not recommended, especially in Cisco 792x phone deployments, because it may cause communication disruption during roaming.