Chapter 1 Cisco Adaptive wIPS Management Deployment Guide, Release 8.0
Adaptive WIPS Management Best Practices
3. Focus selective effort on alarms with lower severity (Minor and below) or lower fidelity (Medium and below). Administrators must first understand the security and operational impact of these alarms in order to outline a priority list. With this list, administrators can prioritize validation and mitigation effort where needed. For example, the DoS: De-Auth flood alarm is one such alarm. Its fidelity level is Medium because it is threshold-based, but its severity is Critical because this attack causes legitimate clients to lose connectivity. For such alarms, administrators must validate through troubleshooting whether the alarm is a false positive, then proceed with mitigation if needed.
4. Ignore or turn off alarms with the combination of low severity (Minor and below) and low fidelity (Medium and below). For example, the NetStumbler detected alarm is one such alarm. From field experience, it can easily be triggered by chatty clients that send a large number of probe requests. It is a threshold-based alarm, so even when it is triggered, this does not mean that devices running the NetStumbler tool have been detected. For administrators, it is fairly safe to ignore or even turn off this alarm.
5. Tune threshold-based alarms if necessary. As discussed earlier, threshold-based alarms tend to trigger false positives, so administrators need to adjust the threshold for some false-positive scenarios. For example, the DoS: CTS flood alarm is one such alarm. In a mixed deployment of 802.11n and non-802.11n devices, the CTS-to-Self frames sent by the protection scheme for non-802.11n devices tend to trigger false positives for this alarm. In such cases, administrators should increase the threshold value to avoid this alarm being triggered in the future.
6. Auto mitigation actions should be implemented only for alarms with the combination of high severity (above Major) and high fidelity (above High). For example, for any devices using your corporate SSIDs that trigger Honeypot AP detected alarms, administrators can implement containment as the action to automate the mitigation effort. On the other hand, for alarms such as Hotspotter tool detected, which has Minor severity, it is not necessary to implement the containment action.
7. Study WIPS alarm trending and history to identify the “usual suspects” as a baseline. Then proceed with troubleshooting, tuning, and mitigation if needed.
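The severity/fidelity rules in items 3 to 7 above, as an added example that is not Cisco code: it triages each alarm type into a handling tier and derives the “usual suspects” baseline from a constructed alarm export. The level names beyond those on the page and the export layout are assumptions.

```python
"""aWIPS alarm triage and baselining following the best practices above.
Added example, not Cisco code: the severity/fidelity level names beyond those
on the page and the export layout are assumptions; the records are constructed."""
import csv
from collections import Counter
from io import StringIO

# Ordinal scales. The page names Minor/Major/Critical and Medium/High;
# the remaining level names are assumed for illustration.
SEVERITY = {"Info": 0, "Minor": 1, "Major": 2, "Critical": 3}
FIDELITY = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}

def triage(severity, fidelity, threshold_based):
    """Map an alarm type to the handling tier from items 3 to 6 above."""
    sev, fid = SEVERITY[severity], FIDELITY[fidelity]
    if sev > SEVERITY["Major"] and fid > FIDELITY["High"]:
        return "auto-mitigate"      # item 6: high severity AND high fidelity
    if sev <= SEVERITY["Minor"] and fid <= FIDELITY["Medium"]:
        return "ignore"             # item 4: low severity AND low fidelity
    if threshold_based:
        return "validate-and-tune"  # items 3 and 5: rule out false positives, adjust threshold
    return "validate"               # item 3: confirm before any mitigation

def parse_export(text):
    """Parse a constructed export: time,alarm,severity,fidelity,threshold_based."""
    rows = csv.DictReader(StringIO(text.strip()))
    return [{**r, "threshold_based": r["threshold_based"] == "yes"} for r in rows]

def baseline(records, top=3):
    """Item 7: the 'usual suspects', the most frequent alarm types in the period."""
    return Counter(r["alarm"] for r in records).most_common(top)

def report(records):
    """Per alarm type: how often it fired and which handling tier applies."""
    out = {}
    for r in records:
        action = triage(r["severity"], r["fidelity"], r["threshold_based"])
        out.setdefault(r["alarm"], {"count": 0, "action": action})["count"] += 1
    return out

# Constructed sample export (not real aWIPS data).
SAMPLE = """time,alarm,severity,fidelity,threshold_based
2024-03-01T08:00Z,NetStumbler detected,Minor,Medium,yes
2024-03-01T08:05Z,NetStumbler detected,Minor,Medium,yes
2024-03-01T08:07Z,NetStumbler detected,Minor,Medium,yes
2024-03-01T09:10Z,DoS: De-Auth flood,Critical,Medium,yes
2024-03-01T09:12Z,Honeypot AP detected,Critical,Very High,no
2024-03-01T10:00Z,Hotspotter tool detected,Minor,High,no
"""
```

Running `report(parse_export(SAMPLE))` puts the three NetStumbler hits in the ignore tier, the De-Auth flood in validate-and-tune, and only the Honeypot AP in auto-mitigate.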
Given the dynamic nature of a wireless environment, WIPS monitoring and tuning is an ongoing process. To study WIPS alarm trending and history, you can use the following two methods:
• Leverage PI native report templates for WIPS alarms.
• Use a third-party Security Information and Event Management (SIEM) system as a northbound notification receiver of PI.
In this document, we illustrate the use of PI native report templates to study WIPS alarm trending and history.
In PI, you can generate the aWIPS alarm summary over a period of time through Report > Report Launch Pad > Security > Adaptive wIPS Alarm Summary as below: