ProSafe Premium 3 x 3
Table 24. IDS/IPS policies and policy rules (continued)
Policy | Description | Policy Rule | |
|
| Threshold | Notification |
|
|
|
|
Unauthenticated | • Attack. Multiple unauthenticated association requests (5 or | 5 | Trap |
association | more) that use spoofed MAC addresses of legitimate clients are |
|
|
| sent to the wireless access point. |
|
|
| • Result. The client association table overflows, causing |
|
|
| authentication requests from legitimate clients to be denied. |
|
|
| • Solution. The oldest clients that are stuck in the authentication |
|
|
| phase are removed from the table. |
|
|
|
|
|
|
Association table | • Attack. Multiple clients (5 or more) that use spoofed MAC | 5 | Trap |
overflow | addresses of legitimate clients attempt to connect to the |
|
|
| wireless access point. |
|
|
| • Result. The client association table overflows, causing |
|
|
| association requests from legitimate clients to be denied. |
|
|
| • Solution. The oldest associations are removed from the table. |
|
|
|
|
|
|
Authentication | • Attack. Multiple invalid authentication requests (5 or more) that | 5 | Trap |
failure attack | use the spoofed MAC address of a legitimate client are sent to |
|
|
| the wireless access point. |
|
|
| • Result. The client is disconnected from the wireless access |
|
|
| point. |
|
|
| • Solution. The wireless access point determines if the legitimate |
|
|
| client is already connected before processing an authentication |
|
|
| request. |
|
|
|
|
|
|
Deauthentication | • Attack. Multiple deauthentication frames (5 or more) that use | 5 | Trap |
broadcast attack | the spoofed MAC address of the wireless access point are sent |
|
|
| to legitimate clients. |
|
|
| • Result. Clients are disconnected from the wireless access |
|
|
| point. |
|
|
| Note: The IDS detects this attack, but the IPS does not take action |
|
|
| against this attack. |
|
|
|
|
|
|
Disassociation flood | • Attack. Multiple disassociation frames (5 or more) that use the | 5 | Trap |
| spoofed MAC address of the wireless access point are sent to a |
|
|
| legitimate client. |
|
|
| • Result. The client is disconnected from the wireless access |
|
|
| point. |
|
|
| Note: The IDS detects this attack, but the IPS does not take action |
|
|
| against this attack. |
|
|
|
|
|
|
Malformed 802.11 | • Detection. Multiple malformed packets (5 or more) are sent to | 5 | Trap |
packets detected | the wireless access point. |
|
|
| • Result. Clients behave unexpectedly or crash. |
|
|
| • Solution. The wireless access point drops the malformed |
|
|
| packets. |
|
|
Management and Monitoring
90
