IDS Signature Attack

Lumbee
Level 1

All,

What happens when an IDS Signature Attack is detected? What is the response of the Wireless Controller? Does this lock out all users on that AP for a time period, or just that individual user for a period of time?

 

Thanks

4 Replies

balaji.bandi
Hall of Fame

It all depends on what you are using. If 802.1x, then ISE can take some action here and block the client.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

BB,

Thanks for the quick response. Just to be clear, is this IDS Signature Attack 802.1x based?

Since the SSID is publicly available, there may be many attacks on the SSID that need to be verified based on the information generated on the Wireless controller. If you have a strong authentication system in place, these attacks can be blocked for a while (if the system is in place).

Some reference for what the logs look like:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html

BB


Arshad Safrulla
VIP Alumni

Hi Lumbee,

When it comes to the wireless world, there are very few intrusion attacks which can be contained automatically. For example, if someone is advertising a rogue SSID in the vicinity, you can configure the WLC to perform a legitimate deauth attack to contain the rogue AP. If a rogue AP is seen on your LAN, it can follow the same suit to contain it. If there is a client who is trying to spoof the MAC address of a legitimate client, you can block access to that MAC address, but this will impact the legitimate client as well; the list goes on.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/b_wl_17_11_cg_chapter_010001100.html


However, most of the attacks which happen at the RF level cannot be contained; rather, we can configure the wireless infra to identify these attacks and alert us. Based on the severity of the attack, and as per the defined security policy, you may then have to act manually. There are many attacks which can be categorized as DoS attacks which can be identified by the wireless infra (probe floods, beacon floods, CTS/RTS floods, etc.), but from your wireless infra I do not think you can automate containing the attacks. As I said before, this requires a human to interact manually and act.


It is always recommended to have visibility into your wireless infra, as this will provide you with the required forensics in case of an attack. However, due to the behavior of the medium, only certain attacks can be mitigated or contained, and others can only be identified.
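As an added example (not part of any reply above, and not Cisco's code), the following script shows the "identify and alert, then act manually" workflow from a defender's side: it parses IDS signature alert lines exported from a WLC, groups them by signature, detecting AP and source MAC, and flags sustained activity (several events inside a short window) for a human to triage, as opposed to a single low-hit alert that may just be noise. The line layout is an assumption modelled loosely on the shape of the IDS signature trap messages in the Cisco document BB linked; the sample lines, hostnames, AP names, MAC addresses and the threshold values are all constructed.

```python
"""Triage helper for WLC IDS signature alerts.

Added example, not from the thread or from Cisco. The field layout below
(`IDS Signature Attack. Key: Value, Key: Value, ...`) is an ASSUMPTION about
the syslog/trap format; adjust LINE_RE to match your own export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real captures). Four broadcast-deauth alerts
# from one source on one AP, three of them within two minutes, plus a single
# NULL-probe-response alert elsewhere.
SAMPLE_LOG = """\
2024-01-15 10:00:01 WLC1: IDS Signature Attack. Signature Type: Standard, Name: Bcast deauth, Description: Broadcast Deauthentication Frame, Track: per-signature, Detecting AP Name: AP-LOBBY-1, Radio Type: 802.11bg, Preced: 1, Hits: 50, Channel: 6, srcMac: 00:11:22:33:44:55
2024-01-15 10:00:31 WLC1: IDS Signature Attack. Signature Type: Standard, Name: Bcast deauth, Description: Broadcast Deauthentication Frame, Track: per-signature, Detecting AP Name: AP-LOBBY-1, Radio Type: 802.11bg, Preced: 1, Hits: 50, Channel: 6, srcMac: 00:11:22:33:44:55
2024-01-15 10:01:02 WLC1: IDS Signature Attack. Signature Type: Standard, Name: NULL probe resp 1, Description: NULL Probe Response - Zero length SSID element, Track: per-signature, Detecting AP Name: AP-FLOOR2-3, Radio Type: 802.11a, Preced: 1, Hits: 2, Channel: 36, srcMac: 66:77:88:99:AA:BB
2024-01-15 10:01:45 WLC1: IDS Signature Attack. Signature Type: Standard, Name: Bcast deauth, Description: Broadcast Deauthentication Frame, Track: per-signature, Detecting AP Name: AP-LOBBY-1, Radio Type: 802.11bg, Preced: 1, Hits: 50, Channel: 6, srcMac: 00:11:22:33:44:55
2024-01-15 10:30:00 WLC1: IDS Signature Attack. Signature Type: Standard, Name: Bcast deauth, Description: Broadcast Deauthentication Frame, Track: per-signature, Detecting AP Name: AP-LOBBY-1, Radio Type: 802.11bg, Preced: 1, Hits: 50, Channel: 6, srcMac: 00:11:22:33:44:55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+): "
    r"IDS Signature Attack\. (?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one alert line, or None if the line is not an IDS alert."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(", "):
        key, _, value = part.partition(": ")  # first ': ' only; MACs contain ':' without spaces
        fields[key.strip()] = value.strip()
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "wlc": m.group("host"),
        "signature": fields.get("Name"),
        "ap": fields.get("Detecting AP Name"),
        "src_mac": fields.get("srcMac", "").lower(),
        "hits": int(fields.get("Hits", "0")),
        "channel": fields.get("Channel"),
    }


def triage(log_text, window=timedelta(minutes=5), min_events=3):
    """Group alerts by (signature, AP, source MAC) and flag sustained activity.

    An entry is 'sustained' when at least `min_events` alerts for the same
    key fall inside any `window`-long span. Findings are sorted so sustained
    ones, then the highest hit counts, come first for the analyst.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    groups = defaultdict(list)
    for e in events:
        groups[(e["signature"], e["ap"], e["src_mac"])].append(e)

    findings = []
    for (sig, ap, mac), evs in groups.items():
        # Sliding window over the time-ordered events of this group.
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        findings.append({
            "signature": sig,
            "ap": ap,
            "src_mac": mac,
            "events": len(evs),
            "total_hits": sum(e["hits"] for e in evs),
            "peak_events_in_window": best,
            "sustained": best >= min_events,
        })
    findings.sort(key=lambda f: (not f["sustained"], -f["total_hits"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "INVESTIGATE" if f["sustained"] else "monitor"
        print(f"{flag:11} {f['signature']:18} ap={f['ap']:12} src={f['src_mac']} "
              f"events={f['events']} hits={f['total_hits']} peak={f['peak_events_in_window']}")
```

With the constructed sample, the broadcast-deauth group on AP-LOBBY-1 is flagged because three of its four alerts fall inside a five-minute window, while the lone NULL probe response alert is left at "monitor". The script deliberately stops at ranking: consistent with the reply above, it does not try to contain anything, and the window and threshold are the knobs a security policy would set.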
