Chapter 1      Cisco Adaptive wIPS Management Deployment Guide, Release 8.0
  Adaptive WIPS Management Best Practices
Medium: > 60%
Low: < 50%
Very Low
The higher the fidelity value, the more reliably a reported signature alarm reflects a real attack. Signatures with high fidelity have a unique detection-logic pattern, while signatures with low fidelity can be triggered by various false-positive conditions. Fidelity is therefore an important metric to guide administrators in prioritizing wIPS attacks, both for monitoring and for mitigation.
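The guidance above says fidelity should drive how an alarm is prioritized, and that low-fidelity alarms deserve monitoring rather than automatic mitigation. The following is an added example (not Cisco code, and not part of the guide) that encodes that policy in Python: alarms are ranked by severity and then by fidelity, and an observed list of alarm IDs is split into "mitigate", "monitor" and "unknown" buckets. The fidelity and severity rankings, the triage threshold, and the sample event list are assumptions made for the example; the catalog entries are a subset of the recommended-signature table on this page.

```python
"""Triage aWIPS alarms by fidelity and severity (added example, not Cisco code)."""
from dataclasses import dataclass

# Fidelity levels as named in the guide, ranked low to high (ranking is an assumption).
FIDELITY_RANK = {"Very low": 0, "Low": 1, "Medium": 2, "High": 3, "Very high": 4}
# Severity levels that appear in the table on this page, ranked low to high (assumption).
SEVERITY_RANK = {"Warning": 0, "Major": 1, "Critical": 2}


@dataclass(frozen=True)
class AwipsAlarm:
    name: str
    alarm_id: int
    fidelity: str
    severity: str


# Constructed catalog: a subset of the recommended-signature table (values as printed there).
CATALOG = {
    102: AwipsAlarm("Airsnarf attack", 102, "Very high", "Major"),
    181: AwipsAlarm("Bad EAP-TLS frames", 181, "High", "Warning"),
    52: AwipsAlarm("DoS: Authentication flood", 52, "Medium", "Critical"),
    195: AwipsAlarm("DoS: Beacon flood", 195, "Medium", "Warning"),
    210: AwipsAlarm("Device Broadcasting XSS SSID", 210, "Very high", "Critical"),
}


def priority_key(alarm: AwipsAlarm) -> tuple:
    """Severity first, fidelity second: a critical alarm outranks a major one,
    and among equal severities the more trustworthy signature comes first."""
    return (SEVERITY_RANK[alarm.severity], FIDELITY_RANK[alarm.fidelity])


def prioritize(alarms) -> list:
    """Return alarms ordered from most to least urgent."""
    return sorted(alarms, key=priority_key, reverse=True)


def triage(observed_ids, catalog=CATALOG, min_fidelity="High") -> dict:
    """Split observed alarm IDs into buckets.

    mitigate: fidelity at or above min_fidelity (automatic response is reasonable)
    monitor:  known signature but fidelity below the threshold (review before acting)
    unknown:  ID not in the catalog (signature not enabled or catalog out of date)
    Each bucket of known alarms is ordered by priority; IDs stay unique.
    """
    threshold = FIDELITY_RANK[min_fidelity]
    mitigate, monitor, unknown = [], [], []
    for alarm_id in dict.fromkeys(observed_ids):  # de-duplicate, keep first-seen order
        alarm = catalog.get(alarm_id)
        if alarm is None:
            unknown.append(alarm_id)
        elif FIDELITY_RANK[alarm.fidelity] >= threshold:
            mitigate.append(alarm)
        else:
            monitor.append(alarm)
    return {
        "mitigate": [a.alarm_id for a in prioritize(mitigate)],
        "monitor": [a.alarm_id for a in prioritize(monitor)],
        "unknown": unknown,
    }


if __name__ == "__main__":
    # Constructed sample feed of alarm IDs as a controller might report them.
    sample_events = [195, 210, 52, 999, 210]
    for bucket, ids in triage(sample_events).items():
        print(f"{bucket}: {ids}")
```

In practice the catalog would be loaded from the controller or Prime Infrastructure export rather than typed in, and the `min_fidelity` threshold would be set per wIPS profile; the point of the split is that a medium-fidelity alarm such as an authentication flood still gets attention, but through an analyst rather than an automatic containment action.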
aWIPS Monitoring and Tuning
The following are a few misconceptions regarding the WIPS profile:
1. There is no one-size-fits-all WIPS profile for all organizations, because each organization's wireless environment is different. Even within the same organization, the wireless environment can change over time. The WIPS profile must be customized for your environment by selecting the appropriate WIPS alarms. Cisco provides WIPS templates based on different verticals, such as Finance, Retail, Enterprise, and so on; however, they only represent a baseline for administrators to start from.
2. There are no differences between the various vertical WIPS templates other than the signatures that are enabled by default in each one. For threshold-based alarms, the threshold settings are the same in every vertical WIPS template.
Recommended Guidelines
The following table lists the recommended aWIPS signatures to enable, along with their fidelity and default severity settings (based on software release 8.0).
Alarm Name                                            Alarm ID   Fidelity    Alarm Severity
Airsnarf attack                                       102        Very high   Major
Bad EAP-TLS frames                                    181        High        Warning
Broadcom RSN Out of Bounds Attack                     223        Very high   Major
Crackable WEP IV key used                             38         High        Major
Day-Zero attack by device security anomaly            133        High        Major
Day-Zero attack by WLAN security anomaly              135        High        Major
Device Broadcasting XSS SSID (ID:210)                 210        Very high   Critical
Device Unprotected by Selected Authentication         261        High        Major
  Methods (ID:261)
DNS Tunnel bypass detected (ID:216)                   216        High        Major
DoS: Association table overflow                       37         Very high   Critical
DoS: Authentication flood                             52         Medium      Critical
DoS: Authentication-failure attack                    10         Medium      Critical
DoS: Beacon DS Set DoS                                222        High        Critical
DoS: Beacon flood                                     195        Medium      Warning
DoS: Block ACK flood                                  183        High        Warning