CISCO-LWAPP-IDS-MIB
This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight Access Point Protocol (LWAPP) tunnel from LWAPP Access Points. This MIB provides the information used to integrate the LWAPP controller with external IDS/IPS applications. LWAPP controllers interact with these applications to protect the network against threats that would compromise the overall security of the network.

The arrangement of the IDS/IPS applications, controllers (referred to as CC in the diagram) and LWAPP APs appears as follows.

                +.......+                +.......+
                +       +                +       +
                +  IDS  +                +  IDS  +
                +  IPS  +                +  IPS  +
                +.......+                +.......+
                 .     .                  .     .
                .       .                .       .
          +......+   +......+      +......+   +......+
          +      +   +      +      +      +   +      +
          +  CC  +   +  CC  +      +  CC  +   +  CC  +
          +      +   +      +      +      +   +      +
          +......+   +......+      +......+   +......+
            .  .       .  .          .  .       .  .
           .    .     .    .        .    .     .    .
     +......+  +......+  +......+  +......+  +......+
     +      +  +      +  +      +  +      +  +      +
     +  AP  +  +  AP  +  +  AP  +  +  AP  +  +  AP  +
     +      +  +      +  +      +  +      +  +      +
     +......+  +......+  +......+  +......+  +......+
        .         .         .         .         .
        .         .         .         .         .
     +......+  +......+  +......+  +......+  +......+
     +      +  +      +  +      +  +      +  +      +
     +  MN  +  +  MN  +  +  MN  +  +  MN  +  +  MN  +
     +      +  +      +  +      +  +      +  +      +
     +......+  +......+  +......+  +......+  +......+

The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. The controllers and the IDS systems exchange information through Cisco proprietary event exchange mechanisms.

LWAPP APs, upon boot-up, discover and join one of the controllers, and the controller pushes the configuration, including the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. One or more controllers hold logical connections to an IDS/IPS and interact with it to enforce security on the network.
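The encapsulation described above, shown as an added example that is not part of the MIB or of any Cisco code: a decoder for the LWAPP transport header and the 802.11 frame carried inside it, the view an IDS tap or the controller itself has of client traffic. The header layout (VER, RID, C, F, L, Frag ID, Length, Status/WLANs) and the control-message header follow my reading of the LWAPP draft listed under REFERENCE; the UDP port numbers, the sample MAC addresses and the frame bytes are assumptions constructed for the example.

```python
"""Decode LWAPP-encapsulated traffic as a controller or IDS tap sees it.

Transport header (my reading of the LWAPP draft, not text from the MIB):
    VER(2) RID(3) C(1) F(1) L(1) | Frag ID(8) | Length(16) | Status/WLANs(16)
C=0: payload is a raw 802.11 frame relayed from a wireless client.
C=1: payload is a control message: Msg Type(8) Seq Num(8) Elem Len(16) Session ID(32).
"""
import struct
from dataclasses import dataclass

# Assumed UDP ports for Layer 3 LWAPP (data and control respectively).
LWAPP_DATA_PORT = 12222
LWAPP_CONTROL_PORT = 12223

DOT11_TYPES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}


@dataclass
class LwappHeader:
    version: int
    rid: int           # radio ID on the AP
    control: bool      # C bit: 1 = control channel, 0 = relayed 802.11 frame
    fragment: bool     # F bit
    not_last: bool     # L bit
    frag_id: int
    length: int        # payload length in bytes
    status_wlans: int  # data: RSSI/SNR; control: WLAN bitmap


def parse_lwapp(pkt: bytes):
    """Split a UDP payload into (LwappHeader, payload); raises on truncation."""
    if len(pkt) < 6:
        raise ValueError("short LWAPP header")
    b0, frag_id, length, status = struct.unpack("!BBHH", pkt[:6])
    hdr = LwappHeader(
        version=b0 >> 6,
        rid=(b0 >> 3) & 0x07,
        control=bool(b0 & 0x04),
        fragment=bool(b0 & 0x02),
        not_last=bool(b0 & 0x01),
        frag_id=frag_id,
        length=length,
        status_wlans=status,
    )
    payload = pkt[6:]
    # Trust the Length field only as far as bytes are actually present;
    # a Length beyond the datagram is malformed (or hostile) input.
    if length > len(payload):
        raise ValueError(f"LWAPP length {length} exceeds payload {len(payload)}")
    return hdr, payload[:length]


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_dot11(frame: bytes) -> dict:
    """Decode the fixed 24-byte 802.11 MAC header (Frame Control is little-endian)."""
    if len(frame) < 24:
        raise ValueError("short 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    return {
        "type": DOT11_TYPES[(fc0 >> 2) & 0x03],
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "protected": bool(fc1 & 0x40),
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),
        "addr3": mac(frame[16:22]),
    }


def summarize(pkt: bytes) -> dict:
    """The per-datagram facts an IDS/IPS integration would want from the tunnel."""
    hdr, payload = parse_lwapp(pkt)
    if hdr.control:
        if len(payload) < 8:
            raise ValueError("short LWAPP control header")
        msg_type, seq, _elem_len, session = struct.unpack("!BBHI", payload[:8])
        return {"channel": "control", "msg_type": msg_type,
                "seq": seq, "session_id": session}
    d11 = parse_dot11(payload)
    # For a client->AP (ToDS) data frame addr2 is the transmitting client
    # and addr1 the BSSID; the roles swap for AP->client (FromDS) frames.
    return {"channel": "data", "rid": hdr.rid, "frame": d11["type"],
            "protected": d11["protected"],
            "client_mac": d11["addr2"] if d11["to_ds"] else d11["addr1"],
            "bssid": d11["addr1"] if d11["to_ds"] else d11["addr2"]}


def build_lwapp_data(dot11: bytes, rid: int = 0) -> bytes:
    """Wrap an 802.11 frame in an LWAPP data header (for constructing test input)."""
    b0 = (rid & 0x07) << 3  # VER=0, C=F=L=0
    return struct.pack("!BBHH", b0, 0, len(dot11), 0) + dot11


# Constructed sample: protected ToDS data frame from client aa:bb:cc:dd:ee:01
# to BSSID 00:11:22:33:44:55, relayed by an AP on radio 1.
SAMPLE_DOT11 = (bytes([0x08, 0x41, 0x00, 0x00])
                + bytes.fromhex("001122334455") + bytes.fromhex("aabbccddee01")
                + bytes.fromhex("0011223344ff") + bytes([0x10, 0x00])
                + b"\x00" * 16)  # encrypted body placeholder
SAMPLE_PKT = build_lwapp_data(SAMPLE_DOT11, rid=1)

if __name__ == "__main__":
    print(summarize(SAMPLE_PKT))
```

The Length check matters in practice: the controller terminates a tunnel from many APs, so a decoder that indexes by the advertised Length without bounding it against the datagram is the kind of parser an attacker on the wireless side gets to exercise.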
GLOSSARY

Access Point (AP)
    An entity that contains an 802.11 medium access control (MAC) and physical layer (PHY) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and send them to the controller to which they are logically connected.

Central Controller (CC)
    The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity is also referred to as 'controller'.

HyperText Transfer Protocol Over Secure Socket Layer (HTTPS)
    HTTPS is HTTP carried over an encrypted SSL/TLS session, protecting both the user's page requests and the pages returned by the Web server. HTTPS uses TCP port 443 instead of the HTTP port 80 in its interactions with the lower layer, TCP/IP. The 40-bit RC4 keys of early export-grade SSL, once described as an adequate degree of encryption for commercial exchange, are no longer considered adequate; RC4 has since been prohibited for use in TLS, and deployments should use TLS with a current cipher suite.

Intrusion Detection System (IDS)
    An IDS monitors the network to identify and report attacks and violations of security-related policy, thereby helping to improve the overall security of the enterprise network.

Intrusion Prevention System (IPS)
    An IPS offers significant protection to the network against viruses, worms, signature attacks etc. This system detects L3 - L7 attacks. It can also instruct other IPS clients through standards-based protocols to allow or block network access for specific network entities.

Light Weight Access Point Protocol (LWAPP)
    A generic protocol that defines the communication between the Access Points and the controller.

Mobile Node (MN)
    A roaming 802.11 wireless device in a wireless network, associated with an access point.

Network Management System (NMS)
    The station from which the administrator manages the wired and wireless networks.

Secure Hash Algorithm (SHA)
    The SHA, developed by NIST for use with the Digital Signature Standard (DSS), is specified in the Secure Hash Standard (SHS). SHA is a cryptographic message digest algorithm similar to the MD4 family of hash functions developed by Rivest. It differs from the MD4 hash functions in that it adds a message expansion operation and an extra round, and the whole transformation was designed to accommodate the DSS block size for efficiency.

REFERENCE

[1] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.
[2] draft-ohara-capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol.