CISCO-DOT11-WIDS-MIB

This MIB is intended to be implemented on the following IOS-based network entities for the purpose of providing network management stations with information about the various attempts to compromise the security of 802.11-based wireless networks:

(i) 802.11 Access Points that accept wireless client associations.

The MIB reports information about the following attacks, which can happen either at the initial authentication phase or during normal data communication between the client and the AP.

EAPOL flooding
  An attempt by an invalid 802.11 client to send too many EAPOL-Start messages and bring down the authentication services on the Authenticator, typically the AP.

BlackListing
  The process of marking a client as invalid when its authentication attempts fail. The client is put in a list when its authentication attempt fails for the first time. If the number of consecutive failed authentication attempts reaches a threshold, any subsequent authentication requests made by the client are rejected from that point on for a configurable period of time.

Protection Failures
  These failures happen when an attacker injects invalid packets onto the wireless network, thereby corrupting the 802.11 data traffic between an AP and its associated wireless clients.

The administrator, through the NMS, can configure thresholds on the AP using this MIB to enable the AP to detect EAPOL flood attacks and provide related statistics to the NMS. To detect protection failures, the AP provides the relevant statistics about protection errors in the form of MIB objects; the NMS compares these against thresholds configured on the NMS and raises appropriate events if a threshold is found to be exceeded.

The hierarchy of the AP and MNs is as follows.

[Diagram: a row of four AP boxes (AP, AP, AP, AP) above a row of five MN boxes (MN, MN, MN, MN, MN), each MN joined to an AP by a dotted line.]

The wireless connections are represented as dotted lines in the above diagram.

GLOSSARY

Access Point (AP)
  An entity that contains an 802.11 medium access control (MAC) and physical layer (PHY) interface and provides access to the distribution services via the wireless medium for associated clients.

Mobile Node (MN)
  A roaming 802.11 wireless device in a wireless network, associated with an access point.

Service Set Identifier (SSID)
  The Radio Service Set ID that is used by mobile wireless clients for identification during association with the APs.

Temporal Key Integrity Protocol (TKIP)
  A security protocol defined to overcome the limitations of WEP. The Message Integrity Check and per-packet keying on all WEP-encrypted frames are two significant enhancements that TKIP provides over WEP.

Counter mode with CBC-MAC Protocol (CCMP)
  A security protocol that uses counter mode in conjunction with cipher block chaining. This method divides the data into blocks, encrypts the first block, XORs the result with the second block, encrypts the result, XORs the result with the next block, and continues until all the blocks are processed. In this way the protocol derives a 64-bit MIC, which is appended to the plaintext data; the whole is then encrypted again using counter mode.

Message Integrity Check (MIC)
  The Message Integrity Check is an improvement over the Integrity Check Value (ICV) of the 802.11 standard. MIC adds two new fields to the wireless frames: a sequence number field for detecting out-of-order frames, and a MIC field that provides a frame integrity check to overcome the mathematical shortcomings of the ICV.

802.1x
  The IEEE-ratified standard for enforcing port-based access control. It was originally intended for use on wired LANs and was later extended for use in 802.11 WLAN environments. It defines an architecture with three main parts: a supplicant (e.g. an 802.11 wireless client), an authenticator (the AP) and an authentication server (a RADIUS server). The authenticator passes messages back and forth between the supplicant and the authentication server to enable the supplicant to get authenticated to the network.

Extensible Authentication Protocol Over LAN (EAPOL)
  An encapsulation method defined by 802.1x for passing EAP packets over Ethernet frames.
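The BlackListing behaviour described above (a client is listed on its first authentication failure, a run of consecutive failures that reaches a threshold causes subsequent requests to be rejected for a configurable period, and the client is cleared again afterwards) is modelled below as a small state machine. This is an added illustration, not code from the MIB or from Cisco IOS; the class and method names, the MAC addresses, the threshold of 3 failures and the 300-second reject period are all constructed sample values rather than objects defined by the MIB.

```python
"""Model of the client blacklisting policy described in the MIB text.

Hypothetical illustration: Blacklist, ClientEntry, the threshold, the
reject period and the sample MAC addresses are assumptions, not MIB objects.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClientEntry:
    consecutive_failures: int = 0
    rejected_until: Optional[float] = None   # None: listed, but not yet being rejected


class Blacklist:
    def __init__(self, failure_threshold: int = 3, reject_period: float = 300.0):
        # Both knobs are assumed to be the configurable values the text mentions.
        self.failure_threshold = failure_threshold
        self.reject_period = reject_period
        self.entries: Dict[str, ClientEntry] = {}

    def is_rejecting(self, mac: str, now: float) -> bool:
        """True while the client is inside its reject period."""
        entry = self.entries.get(mac)
        if entry is None or entry.rejected_until is None:
            return False
        if now >= entry.rejected_until:
            # Reject period has elapsed: drop the entry so the client may try again.
            del self.entries[mac]
            return False
        return True

    def authenticate(self, mac: str, credentials_valid: bool, now: float) -> str:
        """Process one authentication request; returns 'rejected', 'accepted' or 'failed'."""
        if self.is_rejecting(mac, now):
            # Rejected before the credentials are even examined.
            return "rejected"
        if credentials_valid:
            # A success clears any pending failure history for this client.
            self.entries.pop(mac, None)
            return "accepted"
        # The first failure puts the client on the list; later ones extend the run.
        entry = self.entries.setdefault(mac, ClientEntry())
        entry.consecutive_failures += 1
        if entry.consecutive_failures >= self.failure_threshold:
            # Threshold reached: every subsequent request is rejected for the period.
            entry.rejected_until = now + self.reject_period
        return "failed"

    def listed(self) -> List[str]:
        """MAC addresses currently on the list (failed at least once, not yet cleared)."""
        return sorted(self.entries)


def run_scenario() -> List[str]:
    """Constructed sequence: one client fails three times, retries, then waits it out."""
    bl = Blacklist(failure_threshold=3, reject_period=300.0)
    mac = "00:11:22:33:44:55"   # constructed sample address
    return [
        bl.authenticate(mac, False, now=0.0),
        bl.authenticate(mac, False, now=1.0),
        bl.authenticate(mac, False, now=2.0),   # threshold reached on this failure
        bl.authenticate(mac, True, now=10.0),   # valid credentials, still rejected
        bl.authenticate(mac, True, now=302.0),  # reject period over, allowed again
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The point worth noticing for an NMS operator is the fourth step: once the threshold is reached, even a request with valid credentials is rejected until the period expires, so a legitimate client whose credentials were guessed at by an attacker sees a temporary lockout rather than an error about its own credentials.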

MIB content (42 objects)

Information

Organization
Cisco Systems Inc.
Contact info
Cisco Systems, Customer Service
Postal: 170 West Tasman Drive, San Jose, CA 95134, USA
Tel: +1 800 553-NETS
E-mail: cs-dot11@cisco.com

Revisions

2004-11-30 00:00
Initial version of this MIB module.