ProSafe Premium 3 x 3
Table 24. IDS/IPS policies and policy rules (continued)
Policy | Description | Policy Rule | |
|
| Threshold | Notification |
|
|
|
|
• Attack. Multiple EAPOL start frames (5 or more) are sent to the | 5 | Trap | |
| wireless access point to initiate the RADIUS authentication |
|
|
| process for clients. |
|
|
| • Result. Wireless service is disrupted. |
|
|
| • Solution. The wireless access point determines if the legitimate |
|
|
| clients have already been authenticated before processing |
|
|
| EAPOL start frames. |
|
|
|
|
|
|
• Attack. Several EAPOL logoff frames (2 or more) that use the | 2 | Trap | |
| spoofed MAC address of a legitimate client are sent to the |
|
|
| wireless access point to terminate a |
|
|
| session. |
|
|
| • Result. The client is disconnected from the wireless access |
|
|
| point. |
|
|
| • Solution. The wireless access point determines if it still |
|
|
| receives traffic from the client before disconnecting the client. |
|
|
|
|
|
|
Premature EAP | • Attack. Several premature EAP failure frames (2 or more) are | 2 | Trap |
failure attack | sent to a legitimate client to suggest RADIUS authentication |
|
|
| failure. |
|
|
| • Result. The client cannot be authenticated and cannot connect |
|
|
| to the wireless access point. |
|
|
| Note: The IDS detects this attack, but the IPS does not take action |
|
|
| against this attack. |
|
|
|
|
|
|
Premature EAP | • Attack. Several premature EAP success frames (2 or more) are | 2 | Trap |
success attack | sent to a legitimate client to suggest RADIUS authentication |
|
|
| success. |
|
|
| • Result. The client cannot be authenticated and cannot connect |
|
|
| to the wireless access point. |
|
|
| Note: The IDS detects this attack, but the IPS does not take action |
|
|
| against this attack. |
|
|
|
|
|
|
CTS flood | • Attack. Multiple | 60 | Trap |
| sent to the wireless access point. |
|
|
| • Result. Wireless service is disrupted. |
|
|
| • Solution. The wireless access point sends a channel change |
|
|
| frame to the legitimate clients and uses automatic channel |
|
|
| selection to switch to a new clear channel. |
|
|
|
|
|
|
RTS flood | • Attack. Multiple | 60 | Trap |
| sent to the wireless access point. |
|
|
| • Result. Wireless service is disrupted. |
|
|
| • Solution. The wireless access point sends a channel change |
|
|
| frame to the legitimate clients and uses automatic channel |
|
|
| selection to switch to a new clear channel. |
|
|
Management and Monitoring
91
