WLC basic IDS

Answered Question
Aug 19th, 2009

Hi there


Will a WLC recognize some injections by a hacking tool (e.g. Airsnort or Aircrack) via the basic IDS feature? I'm sorry for this question, but at the moment I'm not able to test it.


What else would be necessary for this issue?


Thanks a lot and regards

Dominic




Anonymous (not verified) Tue, 08/25/2009 - 05:56

Version 5.0 of the Cisco IDS introduces the ability to configure deny actions when policy violations (signatures) are detected. Based on user configuration at the IDS/IPS system, a shun request can be sent to a firewall, router, or WLC in order to block the packets from a particular IP address.


With the Cisco Unified Wireless Network Software Release 4.0 for Cisco Wireless Controllers, a shun request needs to be sent to a WLC in order to trigger the client blacklisting or exclusion behavior available on a controller. The interface the controller uses to get the shun request is the command and control interface on the Cisco IDS.


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807360fc.shtml#ov2

Dominic Stalder Thu, 08/27/2009 - 01:10

Thanks for your answer. But this solution requires a separate IDS system, right? My question is, is it possible to detect this with the WLC and its own IDS signatures?

Correct Answer
Lucien Avramov Thu, 08/27/2009 - 01:33

IDS is very sensitive so it may detect any attacks from outside.

We don't discuss hacking methods, but most likely this will be detected on the network as doing known wrong operations when associating to the AP.

There will for example be an auth / deauth flood while it tries to get the IV from the headers.
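
A sketch of the kind of rate-based check that would flag the auth / deauth flood mentioned in the answer above. This is an added example, not part of the original thread and not Cisco's signature implementation; the frame records, MAC addresses, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque

# Management frame subtypes counted as flood candidates.
WATCHED = {"auth", "deauth"}

def detect_floods(frames, threshold=30, window=1.0):
    """Return {(src_mac, subtype): first_alert_time} for sources that send
    at least `threshold` watched frames within `window` seconds.

    `frames` is a time-ordered iterable of (timestamp, src_mac, subtype).
    threshold/window are illustrative, not controller signature values.
    """
    recent = defaultdict(deque)   # (src, subtype) -> timestamps inside window
    alerts = {}
    for ts, src, subtype in frames:
        if subtype not in WATCHED:
            continue
        key = (src, subtype)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

def build_sample():
    """Constructed capture: a normal client, a slow retrier, a flooder."""
    frames = [
        # Normal client: one auth, one assoc, a single deauth much later.
        (0.10, "02:00:00:00:00:01", "auth"),
        (0.20, "02:00:00:00:00:01", "assoc"),
        (9.00, "02:00:00:00:00:01", "deauth"),
    ]
    # Flooding source: 40 deauth frames 10 ms apart starting at t=2.0.
    for i in range(40):
        frames.append((2.0 + i * 0.01, "02:00:00:00:00:99", "deauth"))
    # Slow retries: 40 auth frames, one every 0.5 s, stays below threshold.
    for i in range(40):
        frames.append((i * 0.5, "02:00:00:00:00:02", "auth"))
    return sorted(frames)

if __name__ == "__main__":
    for (src, subtype), ts in detect_floods(build_sample()).items():
        print(f"{ts:.2f}s {subtype} flood from {src}")
```
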


