
WIPS/WIDS is an access point (AP) internal service that detects and prevents wireless intrusion.


This mechanism monitors the AP radio spectrum for the presence of security risks, alerts the system administrator whenever a threat is detected and takes countermeasures if necessary.


In the current version (1.17.0), the following functionality is available:

  1. DDoS attack detection;
  2. Brute force attack detection;
  3. Mis-configured AP detection;
  4. SSID-spoofing AP detection;
  5. MAC-spoofing AP detection;
  6. Client disconnection from rogue APs.

eltex-wids-service — an external service on the server side that distributes white/black lists of "rogue" APs between WIPS/WIDS.

Licensing

WIPS/WIDS service configuration and monitoring in the Management system are subject to licensing.


The service can be enabled on 2 APs under the demo (default) license.


The number of available and applied licenses can be found in the Help - Licenses section of GUI EMS or directly in the license file /usr/lib/eltex-ems/conf/licence/licence.xml.

/usr/lib/eltex-ems/conf/licence/licence-dist.xml
        <group>
            <title>Wireless WIPSWIDS</title>
            <count>10</count>
            <typeList>
                <type>WiFi</type>
            </typeList>
        </group>


If the WIPS/WIDS license is in the list, the "WIDS manager" tab is available in the "Wireless" menu of GUI EMS.

The relevant checkboxes are available in the "Access" tab of the AP's menu.

Enabling the service on APs

The APs to which the license is applied are selected explicitly in GUI EMS. In the "Access" tab, the following two settings can be found:

  • The "On WIPS/WIDS service" parameter defines whether the AP will use the service. Once the checkbox is set, the number of available licenses decreases by one. By default, the checkbox is not set, which means that the WIPS/WIDS service is not available.
  • The "Really used WIPS/WIDS" parameter is a non-editable checkbox that shows whether the system has actually enabled the service. If the "On WIPS/WIDS service" checkbox is set for more APs than the license permits, the "Really used WIPS/WIDS" checkbox remains cleared for some of those APs even though "On WIPS/WIDS service" is set for them.



If the service has been enabled successfully, that is, both checkboxes are set in the "Access" tab, then:

  • a new "WIDS/WIPS" section appears in the "Configuration" tab;
  • events related to the WIDS/WIPS service are displayed in the "Events log" and "Active alerts" sections of the "Monitoring" tab.

Service configuration on access points and low-level logic

All access points in a spectrum can be divided into three groups:

  • "untrusted" APs — access points that are in a spectrum, but nothing is known about them;
  • "trusted" APs — access points that are installed and managed by an operator;
  • "rogue" APs — access points that definitely threaten the network (spoof MAC address or SSID of original APs).

To identify the "untrusted" access points in a spectrum explicitly, an AP that uses WIDS adds a dynamically changing encrypted entry to its Beacon packets.
Only access points configured with the same Shared key can decrypt that entry.
If the entry is missing, or if it does not decrypt to the expected result, the access point is considered "untrusted"; otherwise it is considered "trusted".
If an "untrusted" AP has the same MAC address or SSID as the scanning AP, it is considered "rogue", and a corresponding trap is sent to the Management system.

 Trap example
Creation date             : 2019-05-13 15:31:04
Source                    : WEP-12ac_13
Message                   : Rogue AP detected with MAC address: E0:D9:E3:4F:9D:F0, ssid Eltex-Local, channel 1!
Priority                  : CRITICAL
OID                       : 1.3.6.1.4.1.35265.1.60.1.8.3.0.2


For the service to operate more flexibly, the list of access points that should or should not be considered as "trusted" can be specified. The list is disseminated between access points by the supporting service — eltex-wids-service.
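The following is an added example written for this page, not Eltex code, showing how a scanning AP could sort the APs it hears into "trusted", "untrusted" and "rogue" using the Beacon entry described above together with the explicit lists distributed by eltex-wids-service. The construction of the entry (an HMAC-SHA256 tag over the sender BSSID and a per-Beacon counter, truncated to 8 bytes) is an assumption: the page only states that the entry is encrypted, changes dynamically and can be checked by any AP holding the same Shared key. All MAC addresses, SSIDs and the Shared key below are constructed sample values.

```python
# Added example (not Eltex code): classify heard APs as trusted/untrusted/rogue
# from a verifiable Beacon entry plus explicit trusted/rogue lists.
# The entry scheme (HMAC-SHA256 over "bssid|counter", 8-byte tag) is assumed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    counter: int                 # assumed per-Beacon counter that makes the entry change
    wids_entry: Optional[bytes]  # WIDS entry carried in the Beacon, None if absent


def check_shared_key(key: str) -> str:
    """Page constraint: an ASCII string of 10 to 32 characters."""
    if not key.isascii() or not 10 <= len(key) <= 32:
        raise ValueError("Shared key must be an ASCII string of 10 to 32 characters")
    return key


def make_entry(shared_key: str, bssid: str, counter: int) -> bytes:
    """Entry an AP in Full or Key-only mode adds to its own Beacons (assumed scheme)."""
    msg = f"{bssid.lower()}|{counter}".encode()
    return hmac.new(shared_key.encode(), msg, hashlib.sha256).digest()[:8]


def classify(beacon, scanner_bssid, scanner_ssids, shared_key,
             trusted_list=(), rogue_list=()):
    """Verdict for one heard Beacon; the explicit lists override the entry check."""
    bssid = beacon.bssid.lower()
    if bssid in {m.lower() for m in rogue_list}:
        return "rogue"
    if bssid in {m.lower() for m in trusted_list}:
        return "trusted"
    if beacon.wids_entry is not None:
        expected = make_entry(shared_key, beacon.bssid, beacon.counter)
        if hmac.compare_digest(expected, beacon.wids_entry):
            return "trusted"
    # No valid entry: "untrusted", and "rogue" if it reuses our MAC or one of our SSIDs.
    if bssid == scanner_bssid.lower() or beacon.ssid in scanner_ssids:
        return "rogue"
    return "untrusted"


def rogue_trap(beacon):
    """Message text in the form of the rogue AP trap shown above."""
    return (f"Rogue AP detected with MAC address: {beacon.bssid}, "
            f"ssid {beacon.ssid}, channel {beacon.channel}!")


def scan(beacons, scanner_bssid, scanner_ssids, shared_key,
         trusted_list=(), rogue_list=()):
    """Classify every heard Beacon; return verdicts per BSSID and the rogue traps."""
    verdicts, traps = {}, []
    for b in beacons:
        verdicts[b.bssid] = classify(b, scanner_bssid, scanner_ssids, shared_key,
                                     trusted_list, rogue_list)
        if verdicts[b.bssid] == "rogue":
            traps.append(rogue_trap(b))
    return verdicts, traps


KEY = check_shared_key("demo-shared-key-01")  # constructed Shared key
SCANNER = "02:00:00:00:00:01"                  # constructed BSSID of the scanning AP
OUR_SSIDS = {"Office-WiFi"}                    # constructed SSIDs served by it


def sample_beacons():
    """Constructed Beacons as heard during one scan."""
    peer, bad = "02:00:00:00:00:02", "02:00:00:00:00:05"
    return [
        Beacon(peer, "Office-WiFi", 6, 41, make_entry(KEY, peer, 41)),          # our key -> trusted
        Beacon("02:00:00:00:00:03", "Cafe-Free", 1, 7, None),                   # unknown -> untrusted
        Beacon("02:00:00:00:00:04", "Office-WiFi", 11, 3, None),                # our SSID, no entry -> rogue
        Beacon(bad, "Office-WiFi", 6, 41, make_entry("wrong-key-xx", bad, 41)),  # wrong key -> rogue
        Beacon(SCANNER, "Cafe-Free", 6, 5, None),                               # our MAC -> rogue
        Beacon("02:00:00:00:00:06", "Legacy-AP", 3, 0, None),                   # on trusted list -> trusted
        Beacon("02:00:00:00:00:07", "Office-WiFi", 6, 42,
               make_entry(KEY, "02:00:00:00:00:07", 42)),                       # valid entry, on rogue list -> rogue
    ]


def run_demo():
    return scan(sample_beacons(), SCANNER, OUR_SSIDS, KEY,
                trusted_list=["02:00:00:00:00:06"], rogue_list=["02:00:00:00:00:07"])


if __name__ == "__main__":
    verdicts, traps = run_demo()
    for bssid, verdict in verdicts.items():
        print(bssid, verdict)
    print(*traps, sep="\n")
```

The list check comes first on purpose: an AP on the rogue list stays "rogue" even if it presents a valid entry (for instance after the Shared key has leaked), and an AP on the trusted list stays "trusted" even if it adds no entry, which is the redefinition the lists exist for.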


Most of the eltex-wids-service configuration is done in the "WIDS/WIPS" tab of the "Configuration" menu.

Each parameter is listed below with its allowed values in parentheses, followed by its description.

WIDS Parameters

Status (values: Down/Full/Key-only)

Down - disable the service (default value).

Full - enable the service with attack detection.

Key-only - enable the service, but disable threat detection.

In the "Key-only" mode, an AP adds the encrypted entry to its Beacon packets so that the other APs include it in their "trusted" lists, but it does not detect threats on its own. In this mode, only the Shared key field is available.

Shared key (values: ASCII string of 10 to 32 characters)

The shared key used to recognise trusted APs in the spectrum.

Not specified by default. The service will not be enabled until the Shared key is specified.

WIDS list URL (values: ws://<ip>:<port>/MacLists)

The path to eltex-wids-service.

Optional setting.

WIDS MAC list (values: the name of a MAC address list)

One of the MAC address lists created in "Wireless - WIDS Manager" can be selected here.

Optional setting.

Scan mode (values: Passive/Sentry)

Spectrum scanning mode.

Passive - the AP periodically (every Passive scan interval) leaves its working channel, on which it serves clients, for a short time (Passive scan duration) and listens on another channel from the list in order to detect other APs in the spectrum (default value).

Sentry - dedicated scanning mode. The AP does not serve clients; it continuously scans the channel list and detects threats as quickly as possible.

Passive scan interval, sec (values: 5..3600)

Passive scan interval. Default value: 20 sec.

Passive scan duration, ms (values: 10..2000)

Passive scan duration. Default value: 100 ms.

Prevention mode (values: None/Rogue/All)

Threat prevention mode.

None - disabled (default value).

Rogue - the scanning AP detects the MAC addresses of the clients connected to "rogue" APs and sends DeAuth packets on behalf of the "rogue" AP to the client and vice versa.

All - in this mode, forced DeAuth is sent to "rogue" APs, "untrusted" APs and the clients connected to them.

DoS Detection Parameters

Mode (values: Up/Down)

Down - DoS attack detection disabled (default value).

Up - DoS attack detection enabled.

A DoS attack is reported when the number of management frames in the spectrum exceeds the limit. Only frames whose destination MAC is the address of the scanning AP are analysed (Beacon is an exception).

Interval, sec (values: 1..86400)

The interval during which frames are counted. If the specified limit is exceeded during this time, an SNMP trap on attack detection is generated.

 Trap example
Creation date             : 08.07.2019 17:30:20
Source                    : WEP-12ac_13
Message                   : "Denial of service" attack has been detected on wlan1 (5GHz): too many Beacon packets (counted 159 packets given the limit of 99). 40 attacks found during the last interval
Priority                  : CRITICAL
OID                       : 1.3.6.1.4.1.35265.1.60.1.8.3.0.1

Default value: 1 sec.

... threshold (values: 1..10000)

Threshold for each type of management frame (Assoc, ReAssoc, DiAssoc, Auth, DeAuth, RTS, CTS, Prob, Beacon, BlockAck, BlockAckReq, Pspoll).

Default values:

  • for Assoc, ReAssoc, DiAssoc, Auth, DeAuth - 50
  • for RTS, CTS, Prob, BlockAck, BlockAckReq, Pspoll - 100
  • for Beacon - 200

Bruteforce Detection Parameters

Interval, sec (values: 0..86400)

Brute force detection interval.

During the interval, the number of unsuccessful authorizations on the encrypted SSIDs (Personal and Enterprise) served by the scanning AP is counted. When the Threshold is exceeded, a brute force attack detection trap is sent to the Management system.

 Trap example
Creation date             : 12.07.2019 14:37:02
Source                    : WEP-12ac_13
Message                   : Brute force attack detected on wlan0vap2(2.4GHz)(_ES_24_test_timers_enter), the last attempt was from the MAC address: 0c:9d:92:6e:d9:20
Priority                  : CRITICAL
OID                       : 1.3.6.1.4.1.35265.1.60.1.1.1.14

Default value: 5 sec.

If set to 0, brute force attack detection is disabled.

Threshold (values: 1..10000)

Unsuccessful authorization threshold.

Default value: 25
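The following added example, written for this page and not Eltex code, implements both interval counters described above: the per-frame-type thresholds of the "DoS Detection Parameters" group (only frames addressed to the scanning AP are counted, Beacons always) and the failed-authorization counter of the "Bruteforce Detection Parameters" group (only encrypted SSIDs served by the scanning AP, interval 0 disables the check). The ranges, default intervals and thresholds are the page's; the frame and authorization records, their field layout and the MAC addresses and SSIDs are constructed assumptions for the sample run.

```python
# Added example (not Eltex code): interval-based DoS and brute force counters
# with the page's default thresholds. Frame/auth record layout is assumed.
from collections import Counter
from dataclasses import dataclass

MGMT_TYPES = ("Assoc", "ReAssoc", "DiAssoc", "Auth", "DeAuth", "RTS", "CTS",
              "Prob", "Beacon", "BlockAck", "BlockAckReq", "Pspoll")

# Default thresholds from the page: 50 for association/authentication frames,
# 100 for control and probe frames, 200 for Beacons.
DEFAULT_THRESHOLDS = {t: 50 for t in ("Assoc", "ReAssoc", "DiAssoc", "Auth", "DeAuth")}
DEFAULT_THRESHOLDS.update({t: 100 for t in ("RTS", "CTS", "Prob", "BlockAck", "BlockAckReq", "Pspoll")})
DEFAULT_THRESHOLDS["Beacon"] = 200


@dataclass(frozen=True)
class Frame:
    ts: float    # seconds since the start of the capture
    ftype: str   # one of MGMT_TYPES
    dst: str     # destination MAC


@dataclass(frozen=True)
class AuthEvent:
    ts: float
    ssid: str
    client: str
    success: bool


def dos_check(frames, scanner_mac, interval=1, thresholds=DEFAULT_THRESHOLDS):
    """Return (window_start, frame_type, count, limit) for every interval in
    which a frame type exceeded its threshold."""
    if not 1 <= interval <= 86400:
        raise ValueError("Interval must be 1..86400 sec")
    per_window = {}
    for f in frames:
        if f.ftype not in thresholds:
            continue
        if f.ftype != "Beacon" and f.dst.lower() != scanner_mac.lower():
            continue  # only frames aimed at the scanning AP count, Beacons aside
        per_window.setdefault(int(f.ts // interval), Counter())[f.ftype] += 1
    alerts = []
    for w in sorted(per_window):
        for ftype, n in per_window[w].items():
            if n > thresholds[ftype]:
                alerts.append((w * interval, ftype, n, thresholds[ftype]))
    return alerts


def bruteforce_check(events, protected_ssids, interval=5, threshold=25):
    """Return (window_start, ssid, failures, last_client_mac) for every interval
    in which failed authorizations on an encrypted SSID exceeded the threshold.
    interval=0 disables the check, as on the page."""
    if interval == 0:
        return []
    per_window = {}
    for e in events:
        if e.success or e.ssid not in protected_ssids:
            continue  # successful logins and open SSIDs are not counted
        per_window.setdefault((int(e.ts // interval), e.ssid), []).append(e)
    alerts = []
    for (w, ssid), fails in sorted(per_window.items()):
        if len(fails) > threshold:
            alerts.append((w * interval, ssid, len(fails), fails[-1].client))
    return alerts


SCANNER = "02:00:00:00:00:01"   # constructed MAC of the scanning AP
OTHER_AP = "02:00:00:00:00:02"  # constructed MAC of a neighbouring AP
BROADCAST = "ff:ff:ff:ff:ff:ff"


def sample_frames():
    """Constructed capture: a Beacon flood in second 0, a Probe flood in second 1,
    and Auth frames aimed at another AP, which must be ignored."""
    frames = [Frame(i * 0.004, "Beacon", BROADCAST) for i in range(250)]
    frames += [Frame(0.5 + i * 0.01, "Auth", SCANNER) for i in range(30)]
    frames += [Frame(0.5 + i * 0.005, "Auth", OTHER_AP) for i in range(60)]
    frames += [Frame(1.2 + i * 0.005, "Prob", SCANNER) for i in range(120)]
    return frames


def sample_auth_events():
    """Constructed auth log: 30 failures on the WPA2 SSID inside one 5 s interval,
    failures on an open SSID (not counted) and 20 later failures (below threshold)."""
    ev = [AuthEvent(10.0 + i * 0.1, "Corp-WPA2", "0c:00:00:00:aa:01", False) for i in range(30)]
    ev.append(AuthEvent(11.0, "Corp-WPA2", "0c:00:00:00:aa:02", True))
    ev += [AuthEvent(20.0 + i * 0.1, "Guest-open", "0c:00:00:00:aa:03", False) for i in range(40)]
    ev += [AuthEvent(30.0 + i * 0.2, "Corp-WPA2", "0c:00:00:00:aa:04", False) for i in range(20)]
    return ev


def run_demo():
    return (dos_check(sample_frames(), SCANNER),
            bruteforce_check(sample_auth_events(), {"Corp-WPA2"}))


if __name__ == "__main__":
    dos_alerts, bf_alerts = run_demo()
    for start, ftype, n, limit in dos_alerts:
        print(f"DoS: too many {ftype} packets (counted {n} given the limit of {limit}) at t={start}s")
    for start, ssid, n, mac in bf_alerts:
        print(f"Brute force on {ssid}: {n} failures at t={start}s, last attempt from {mac}")
```

Running the same capture with the neighbour's MAC as the scanner shows the destination filter at work: the Beacon flood is still reported, the 60 Auth frames aimed at that AP now exceed the limit of 50, and the Probe flood aimed at the other AP drops out.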


If the WIPS/WIDS service is enabled, an AP automatically sends a trap to the Management system on each configuration change whose resulting configuration is unsafe.

 Trap example
Creation date             : 01.07.2019 02:13:09
Source                    : wep12
Message                   : Unsafe configuration detected. System: Standard password; wids-service: Rogue AP attack prevented; 
Priority                  : CRITICAL
OID                       : 1.3.6.1.4.1.35265.1.60.1.8.3.0.6


Criteria for unsafe configuration can be found here

eltex-wids-service configuration

Redefinition of "trusted" and "rogue" APs is usually done by specifying the lists explicitly in the "Wireless - WIDS Manager" section of GUI EMS and selecting them in the "WIDS MAC list" field of the "WIDS/WIPS" tab in the AP "Configuration" menu.


Service configuration file — /etc/eltex-wids-service/config.json:

/etc/eltex-wids-service/config.json
{
  "ServicePort": 9095,
  "Database": "wids",
  "MongoConnectionString": "mongodb://localhost:27017",
  "FileLog": "/var/log/eltex-wids-service/log.log",
  "Environment": "production",
  "LogLevel": "debug",
  "MaxAge": 7,
  "MaxSize": 5,
  "MaxBackups": 14,
  "SleepDaemonQueueTime": 50000,
  "FoulTime": 60,
  "GelfHost": "lab3-test.eltex.loc:12201"
}