...
eltex-wids-service is an external server-side service that distributes white/black lists of "rogue" APs between the APs running WIDS/WIPS.
Licensing
Configuration and monitoring of the WIDS/WIPS service in the Management system are restricted by the license.
...
The relevant checkboxes are available in the "Access" tab of an AP's menu.
Enabling the service on APs
The APs to which the license is applied are defined explicitly in GUI EMS. The "Access" tab contains the following two settings:
...
- a new "WIDS/WIPS" section appears in the "Configuration" tab
- events related to the WIDS/WIPS service are displayed in the "Events log" and "Active alerts" sections of the "Monitoring" tab
Service configuration on access points and low-level logic
All access points in a spectrum can be divided into three groups:
...
Most of the WIDS/WIPS service configuration is done in the "WIDS/WIPS" tab of the "Configuration" menu.
| Parameter | Values | Description |
|---|---|---|
| WIDS Parameters | | |
| Status | Down/Full/Key-only | Down disables the service (default). Full enables attack detection. Key-only enables the service without threat detection: the AP adds an encrypted entry to its Beacon frames so that neighbouring APs include it in their "trusted" lists, but it does not detect threats itself. In Key-only mode only the Shared key field is available. |
| Shared key | ASCII string, 10 to 32 characters | Shared key used to recognise trusted APs in the spectrum. Not set by default; the service is not enabled until a Shared key is specified. |
| WIDS list URL | ws://<ip>:<port>/MacLists | Path to eltex-wids-service. Optional. |
| WIDS MAC list | Name of a MAC address list | Selects one of the MAC address lists created in "Wireless - WIDS Manager". Optional. |
| Scan mode | Passive/Sentry | Spectrum scanning mode. Passive (default): every Passive scan interval the AP leaves its operating channel, on which it serves clients, for a short time (Passive scan duration) and listens on another channel from the list in order to detect other APs in the spectrum. Sentry: dedicated scanning mode; the AP does not serve clients, scans the channel list continuously and detects threats as quickly as possible. |
| Passive scan interval, sec | 5..3600 | Interval between passive scans. Default: 20 sec. |
| Passive scan duration, ms | 10..2000 | Duration of one passive scan. Default: 100 ms. |
| Prevention mode | None/Rogue/All | Threat prevention mode. None (default): disabled. Rogue: the scanning AP detects the MAC addresses of clients connected to "rogue" APs and sends DeAuth frames to the client on behalf of the "rogue" AP and to the "rogue" AP on behalf of the client. All: forced DeAuth is sent to "rogue" APs, "untrusted" APs and the clients connected to them. |
| DoS Detection Parameters | | |
| Mode | Up/Down | Down (default): DoS attack detection disabled. Up: DoS attack detection enabled. Exceeding the management frame limit in the spectrum is treated as a DoS attack. Only frames whose destination MAC is the address of the scanning AP are analysed (Beacon frames are the exception). |
| Interval, sec | 1..86400 | Interval over which frames are counted. If the specified limit is exceeded within this time, an SNMP trap on attack detection is generated. Default: 1 sec. |
| ... threshold | 1..10000 | Threshold for each management frame type (Assoc, ReAssoc, DiAssoc, Auth, DeAuth, RTS, CTS, Prob, Beacon, BlockAck, BlockAckReq, Pspoll). Default values: |
| Bruteforce Detection Parameters | | |
| Interval, sec | 0..86400 | Brute force detection. During the interval, the number of failed authentications on encrypted SSIDs (Personal and Enterprise) served by the scanning AP is counted. When the Threshold is exceeded, a brute force attack detection trap is sent to the Management system. Default: 5 sec. A value of 0 disables brute force detection. |
| Threshold | 1..10000 | Threshold of failed authentications. Default: 25. |
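The DoS Detection and Bruteforce Detection rows above describe the same mechanism: events are counted within an Interval and a trap is raised once a Threshold is exceeded. The following Python model is an added example, not code from the Eltex firmware or from eltex-wids-service; it implements that counting over constructed sample frames and authentication events, including the destination-MAC filter with its Beacon exception, the Mode = Down switch, and Interval = 0 disabling brute force detection. The per-type DoS limit of 50, the MAC addresses and the SSID are assumed values, since the page does not list the threshold defaults; the tumbling-window counting is also an assumption about how the interval is applied.

```python
from collections import defaultdict
from dataclasses import dataclass

# Management frame types listed in the "... threshold" row of the table.
MGMT_TYPES = ("Assoc", "ReAssoc", "DiAssoc", "Auth", "DeAuth", "RTS", "CTS",
              "Prob", "Beacon", "BlockAck", "BlockAckReq", "Pspoll")


class WindowCounter:
    """Counts events per key inside fixed windows of `interval` seconds and
    reports a key the first time its count exceeds the threshold in a window.
    (Assumed tumbling-window semantics; the page does not specify the window type.)"""

    def __init__(self, interval, thresholds):
        self.interval = interval
        self.thresholds = thresholds            # key -> limit
        self.window_start = None
        self.counts = defaultdict(int)
        self.alerted = set()                    # keys already reported in this window

    def add(self, ts, key):
        if self.window_start is None or ts >= self.window_start + self.interval:
            self.window_start = ts              # open a new window, drop old counts
            self.counts.clear()
            self.alerted.clear()
        self.counts[key] += 1
        if key in self.alerted:
            return None                         # one trap per key per window
        limit = self.thresholds.get(key)
        if limit is not None and self.counts[key] > limit:
            self.alerted.add(key)
            return key
        return None


@dataclass
class Frame:
    ts: float    # capture time, seconds
    ftype: str   # one of MGMT_TYPES
    src: str
    dst: str


class DosDetector:
    """Mode (Up/Down), Interval and per-type thresholds as in the DoS rows."""

    def __init__(self, ap_mac, thresholds, interval=1, mode="Up"):
        self.ap_mac = ap_mac.lower()
        self.mode = mode
        self.counter = WindowCounter(interval, thresholds)

    def observe(self, frame):
        """Return an alert string (stand-in for the SNMP trap) or None."""
        if self.mode != "Up":
            return None
        # Only frames addressed to the scanning AP are analysed; Beacons are the exception.
        if frame.dst.lower() != self.ap_mac and frame.ftype != "Beacon":
            return None
        hit = self.counter.add(frame.ts, frame.ftype)
        if hit is None:
            return None
        return f"DoS: {hit} flood ({self.counter.counts[hit]} frames in {self.counter.interval} s)"


@dataclass
class AuthEvent:
    ts: float
    ssid: str
    encrypted: bool   # Personal or Enterprise SSID
    success: bool


class BruteForceDetector:
    """Interval (0 disables) and Threshold as in the Bruteforce rows."""

    def __init__(self, served_ssids, interval=5, threshold=25):
        self.served = set(served_ssids)
        self.interval = interval
        self.counter = WindowCounter(interval, {"fail": threshold}) if interval > 0 else None

    def observe(self, ev):
        if self.counter is None:                # Interval = 0: detection disabled
            return None
        if ev.success or not ev.encrypted or ev.ssid not in self.served:
            return None
        if self.counter.add(ev.ts, "fail") is None:
            return None
        return f"Brute force: {self.counter.counts['fail']} failed authentications on {ev.ssid} in {self.interval} s"


def demo():
    """Constructed sample input: an Auth flood aimed at the scanning AP, a DeAuth
    flood aimed at another AP (must be ignored), then 30 failed WPA logins."""
    ap = "00:11:22:33:44:55"                                   # assumed AP MAC
    thresholds = {t: 50 for t in MGMT_TYPES}                   # assumed limits
    dos = DosDetector(ap, thresholds, interval=1)
    bf = BruteForceDetector(["corp-wpa2"], interval=5, threshold=25)
    alerts = []
    for i in range(60):
        ts = i * 0.01
        alerts.append(dos.observe(Frame(ts, "Auth", "aa:bb:cc:00:00:01", ap)))
        alerts.append(dos.observe(Frame(ts, "DeAuth", "aa:bb:cc:00:00:02", "66:77:88:99:aa:bb")))
    for i in range(30):
        alerts.append(bf.observe(AuthEvent(i * 0.1, "corp-wpa2", True, False)))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` yields exactly two alerts: the Auth flood trips on the 51st frame of the one-second window, while the DeAuth flood against the other AP is never counted, and the brute force counter trips on the 26th failure inside the five-second window. Setting Mode to Down or Interval to 0 silences the respective detector, which is the same behaviour the table describes for the real parameters.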
...
Criteria for unsafe configuration can be found here
eltex-wids-service configuration
Overriding which APs are "trusted" and which are "rogue" is usually done by specifying the lists explicitly in the "Wireless - WIDS Manager" section of GUI EMS and selecting them in the "WIDS MAC list" field of the "WIDS/WIPS" tab in the AP "Configuration" menu.
Service configuration file — /etc/eltex-wids-service/config.json:
...