Aruba Networks Version 3.3 manual Wireless Intrusion Detection System, Wireless Attacks

Page 51

Role Variation by Authentication Method

Role assignment has many options under the umbrella of role derivation. While the system can simply use the role returned from the authentication server, it can also assign a role based on a number of attributes. When a user logs in using WPA2 they receive an open employee role, but when logging in with the same credentials using a captive portal, a reduced role is put into effect. Phones can share the same authentication as a camera but receive a different voice role after completing registration with a SIP server.

Wireless Intrusion Detection System

Due to the open nature of wireless networks they are prime targets for both unscrupulous individuals and casual hackers that happen to live in the area. To protect against unsanctioned wireless devices, use of Aruba’s Wireless Intrusion Detection System (WIDS) software module can automatically detect and defend against wireless attacks and “rogue” APs on the network.

Wireless Attacks

Acommon wireless network attack is called “man-in-the-middle.” During such an attack, a hacker masquerades as a legitimate AP using software on a laptop, and acting as a relay point, fools users and other APs into sending data through the laptop instead of the real AP. The attacker can then eavesdrop on conversations, modify or corrupt data, or run password-cracking routines.

Aruba Access Points monitor the air to detect other wireless stations masquerading as valid APs. When masquerading is detected, appropriate defense mechanisms are put into place. Aruba Mobility Controllers also track unique “signatures” for every wireless client in the network, and if a new station is introduced claiming to be a particular client, but lacks a proper signature, a station impersonation attack is declared.

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide

Mobility Controller Configuration 51

Image 51

Contents Campus Wireless Networks Validated Reference Design Version Crossman Avenue Sunnyvale, California Phone Fax Contents Chapter RF Planning and Operation Introduction Aruba Reference ArchitecturesReference Documents Contacting Aruba NetworksTelephone Support Aruba’s User-Centric Network Architecture Understanding Centralized Wireless LAN NetworksCentralized Wlan Model Introducing Aruba’s User-Centric NetworkArubaOS ArubaOS and Mobility ControllerMobility Controller Multi-function Thin Access Points Access PointAir Monitor Aruba’s Secure Enterprise Mesh Network Mesh Portal or Mesh PointRemote AP Mobility Management SystemMobility Management System Proof-of-Concept Network PoC Network Physical DesignVlan PoC Network Logical and RF DesignProof-of-Concept Network Proof-of-Concept Network Campus Wlan Validated Reference Design Aruba Campus Wlan Physical ArchitectureAruba Campus Wlan Logical Architecture Data center ManagementMaster Campus Wlan Validated Reference Design Understanding Master and Local Operation Mobility Controller Access Point DeploymentMobility Controller High Availability Master Controller Redundancy Local Controller Redundancy Second Local controller has an opposite configuration Vlan Design Do Not Use Special VLANs Do Not Make Aruba the Default RouterVlan Vlan PoolsVLANs 10, 20, 30 User Mobility and Mobility DomainsMD1 ArubaOS Mobility DomainMaster Controller Placement Mobility Controller Physical Placement and ConnectivityAP Placement, Power, and Connectivity Local Controller PlacementMobility Controller and Thin AP Communication AP Power and Connectivity AP Location and Density ConsiderationsOffice Deployment Active Rfid Tag Deployment Voice DeploymentRequired Licenses Configuration Profiles and AP GroupsMobility Controller Configuration Configuration ProfilesAP group Profile TypesSSIDs, VLANs and Role Derivation AP GroupsProfile Planning VLANs SSIDsRole Derivation Secure Authentication MethodsAuthenticating with Corporate Authentication Methods for Legacy Devices Authenticating with Captive PortalEmployee Role Configuring Roles for Employee, Guest and Application UsersGuest Role Create a bandwidth contract and apply it to an AP group Create the block-internal-access policy Modify the guest-logon role Device Role Wireless Intrusion Detection System Role Variation by Authentication MethodWireless Attacks Rogue APs Page Mobility Controller Configuration RF Planning and Operation RF Plan ToolAdaptive Radio Management Page Minimum Scan Time Sec Voice over Wi-Fi Quality of ServiceWMM and QoS Voice-Aware RF Management Voice Functionality and FeaturesTraffic Prioritization Network Wide QoSComprehensive Voice Management Voice over Wi-Fi LAN / WAN Controller Clusters Mobility Management SystemMultiple Master/Local Clusters Page Multiple Master/Local Clusters Licenses Appendix aLicenses Wlan Extension with Remote AP Appendix BWlan Extension with Remote AP Alternative Deployment Architectures Small Network DeploymentMobility Controller located in the network data center Medium Network DeploymentBranch Office Deployment Corporate data center DMZ Pure Remote Access Deployment