WIDS Profile
The Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, a log message is recorded.
WIDS profiles can be created, edited, cloned, deleted, imported, and searched. A default profile is provided.
To view the wireless profiles, in the Provisioning Templates tree menu, select an ADOM, then select WiFi Templates > WIDS Profiles. The WIDS profile list is displayed, with the following options and information available:
Create New
Create a new WIDS profile. See “To create a new WIDS profile:”.
Delete
Select to delete the selected WIDS profiles. See “To delete a WIDS profile:”.
Import
Select to import WIDS profiles. See “To import a WIDS profile:”.
Search
Search the WIDS profiles by entering a search term in the search field.
Name
The profile’s name.
Comments
Comments about the profile.
To create a new WIDS profile:
1. From the WIDS profiles page, select Create New.
The New Wireless Intrusion Detection System Profile window opens.
Figure 109: New WIDS profile
2. Enter the following information:
Name
Enter a name for the profile.
Comment
Optionally, enter comments.
Intrusion Type
The intrusion types that can be detected. See Table 12 for information on the available types.
Status
Select to enable detection of the intrusion type.
Threshold
If applicable, enter a threshold for reporting the intrusion.
Interval (sec)
If applicable, enter the interval for reporting the intrusion, in seconds.
3. Select OK to create the new WIDS profile.
Table 12 lists the intrusion types and their descriptions.
Table 12: Intrusion types
Intrusion Type
Description
Asleap Attack
ASLEAP is a tool used to perform attacks against LEAP authentication.
Association Frame Flooding
A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.
Authentication Frame Flooding
A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.
Broadcasting De-authentication
This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
EAPOL Packet Flooding (to AP)
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack.
Several types of EAPOL packets can be detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, and EAPOL-SUCC.
Invalid MAC OUI
Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
Long Duration Attack
To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200.
Null SSID Probe Response
When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
EAPOL Packet Flooding (to client)
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack.
Two types of EAPOL packets can be detected: EAPOL-FAIL and EAPOL-SUCC.
Spoofed De-authentication
Spoofed de-authentication frames form the basis for most denial of service attacks.
Weak WEP IV Detection
A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
Wireless Bridge
WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.
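The following Python sketch is an added example, not Fortinet code. It applies three of the Table 12 checks (Association Frame Flooding at 30 requests in 10 seconds, Long Duration Attack above 8200 microseconds, and Wireless Bridge) to constructed 802.11 headers. The class and function names are hypothetical, and treating the threshold as "reached within a sliding interval" is an assumption about how the counters are evaluated.

```python
import struct
from collections import deque

ASSOC_THRESHOLD = 30        # Table 12 default: 30 requests ...
ASSOC_INTERVAL = 10.0       # ... in 10 seconds
LONG_DURATION_US = 8200     # Table 12 default; configurable 1000-32767

def make_frame(ftype, subtype, to_ds=False, from_ds=False, duration=0):
    """Build a constructed 24-byte 802.11 header (addresses and sequence zeroed)."""
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9)
    return struct.pack("<HH", fc, duration) + bytes(20)

def parse_header(frame):
    """Return (type, subtype, to_ds, from_ds, duration) from Frame Control + Duration/ID."""
    if len(frame) < 4:
        raise ValueError("truncated 802.11 header")
    fc, dur = struct.unpack_from("<HH", frame)
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, bool(fc & 0x0100), bool(fc & 0x0200), dur

class WidsSketch:
    """Hypothetical detector; not the FortiAP/FortiManager implementation."""
    def __init__(self):
        self.assoc_times = deque()   # timestamps of recent association requests

    def inspect(self, ts, frame):
        ftype, subtype, to_ds, from_ds, dur = parse_header(frame)
        alerts = []
        if to_ds and from_ds:                       # both DS bits set
            alerts.append("wireless-bridge")
        # Bit 15 set means the field is not a duration (for example an AID in PS-Poll).
        if not dur & 0x8000 and dur > LONG_DURATION_US:
            alerts.append("long-duration")
        if ftype == 0 and subtype == 0:             # management / association request
            self.assoc_times.append(ts)
            # Assumption: sliding window; drop requests older than the interval.
            while ts - self.assoc_times[0] >= ASSOC_INTERVAL:
                self.assoc_times.popleft()
            if len(self.assoc_times) >= ASSOC_THRESHOLD:
                alerts.append("assoc-flood")
        return alerts

def replay(frames):
    """Run (timestamp, frame) pairs through a fresh detector; return non-empty alerts."""
    wids = WidsSketch()
    return [(ts, a) for ts, f in frames if (a := wids.inspect(ts, f))]

if __name__ == "__main__":
    burst = [(i * 0.1, make_frame(0, 0)) for i in range(35)]   # constructed flood
    print(replay(burst + [(4.0, make_frame(2, 0, True, True, 9000))]))
```

The same window logic shows why a legitimately configured wireless bridge, or a busy AP with a low threshold, produces log entries: the checks look only at header fields and counts, not at intent.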
To edit a WIDS profile:
1. From the WIDS profiles page, double-click on a profile’s name or right-click on the name and select Edit from the pop-up menu.
The Edit Wireless Intrusion Detection System Profile window opens.
2. Edit the settings as required.
3. Select OK to apply your changes.
To delete a WIDS profile:
1. Select the WIDS profile that you would like to delete from the profile list.
2. Select Delete or right-click on the profile and select Delete from the pop-up menu.
3. Select OK in the confirmation dialog box to delete the profile.
To clone a WIDS profile:
1. From the WIDS profiles page, right-click on a profile name and select Clone from the pop-up menu.
The Edit Wireless Intrusion Detection System Profile window opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Select OK to clone the profile.
To import a WIDS profile:
1. From the WIDS profile page, select Import.
The Import WIDS Profile dialog box opens.
Figure 110: Import WIDS profile
2. Enter the following information:
Import from device
Select a device from which to import the profile or profiles from the drop-down list. This list will include all the devices available in the ADOM.
Virtual Domain
If applicable, select the virtual domain from which the profile will be imported.
Available Objects List
The available objects that can be imported.
Select an object or objects and then select the down arrow to move the selected object or objects to the Selected Objects List.
Selected Objects List
The objects that are to be imported.
To remove an object or objects from the list, select the object or objects and then select the up arrow. The selected items will be moved back to the Available Objects List.
New Name
Select to create a new name for the item or items that are being imported, and then enter the name in the field.
3. Select OK to import the profile or profiles.