WLAN Security Hardening Guide (V200)

Wireless Attack Detection and Containment

Security Policy

WLANs are vulnerable to threats from unauthorized APs, STAs, and ad-hoc networks. Huawei WLAN devices use the following technologies to detect and contain rogue and interfering devices:

  • The Wireless Intrusion Detection System (WIDS) can detect rogue and interfering APs, bridges, and STAs, as well as ad-hoc devices.
  • The Wireless Intrusion Prevention System (WIPS) can disconnect authorized users from rogue APs, disconnect rogue and interfering devices from the WLAN, and contain such devices.

The WIDS and WIPS can also detect attacks such as flood attacks, weak IV attacks, spoofing attacks, brute force WPA/WPA2/WAPI PSK cracking, and brute force WEP shared key cracking in a timely manner. The two systems then record logs, statistics, and alarms to notify network administrators of such attacks. The WLAN device adds devices that initiate flood attacks and brute force key cracking attacks to the dynamic blacklist and rejects packets from such devices within the aging time of the dynamic blacklist.

Configuration Method

Detect and contain the following rogue and interfering devices:
  • Rogue or interfering AP using open authentication
  • Rogue or interfering AP with a spoofing SSID
  • Rogue or interfering STA
  • Ad-hoc device
<HUAWEI> system-view 
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1 
[HUAWEI-wlan-ap-group-ap-group1] radio 0 
[HUAWEI-wlan-group-radio-ap-group1/0] work-mode normal 
[HUAWEI-wlan-group-radio-ap-group1/0] wids device detect enable 
[HUAWEI-wlan-group-radio-ap-group1/0] wids contain enable 
[HUAWEI-wlan-group-radio-ap-group1/0] quit
[HUAWEI-wlan-view] wids-profile name default 
[HUAWEI-wlan-wids-prof-default] contain-mode open-ap 
[HUAWEI-wlan-wids-prof-default] contain-mode spoof-ssid-ap 
[HUAWEI-wlan-wids-prof-default] contain-mode client 
[HUAWEI-wlan-wids-prof-default] contain-mode adhoc 
[HUAWEI-wlan-wids-prof-default] quit
[HUAWEI-wlan-view] ap-group name ap-group1 
[HUAWEI-wlan-ap-group-ap-group1] wids-profile default 
[HUAWEI-wlan-ap-group-ap-group1] quit

Configure attack detection and a dynamic blacklist. The device can detect flood attacks, weak IV attacks, spoofing attacks, and brute force key cracking attacks, and adds devices that initiate flood attacks and brute force key cracking attacks to the dynamic blacklist.

In V200R019C00 and earlier versions:

<HUAWEI> system-view 
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1 
[HUAWEI-wlan-ap-group-ap-group1] radio 0 
[HUAWEI-wlan-group-radio-ap-group1/0] wids attack detect enable all 
[HUAWEI-wlan-group-radio-ap-group1/0] quit 
[HUAWEI-wlan-ap-group-ap-group1] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] dynamic-blacklist enable 
[HUAWEI-wlan-wids-prof-default] quit
[HUAWEI-wlan-view] ap-group name ap-group1 
[HUAWEI-wlan-ap-group-ap-group1] wids-profile default 
[HUAWEI-wlan-ap-group-ap-group1] quit

In V200R019C10:

<HUAWEI> system-view 
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1 
[HUAWEI-wlan-ap-group-ap-group1] radio 0 
[HUAWEI-wlan-group-radio-ap-group1/0] wids attack detect all enable 
[HUAWEI-wlan-group-radio-ap-group1/0] quit 
[HUAWEI-wlan-ap-group-ap-group1] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] undo dynamic-blacklist disable 
[HUAWEI-wlan-wids-prof-default] quit
[HUAWEI-wlan-view] ap-group name ap-group1 
[HUAWEI-wlan-ap-group-ap-group1] wids-profile default 
[HUAWEI-wlan-ap-group-ap-group1] quit

In versions later than V200R019C10:

<HUAWEI> system-view 
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1 
[HUAWEI-wlan-ap-group-ap-group1] radio 0 
[HUAWEI-wlan-group-radio-ap-group1/0] wids attack detect all enable 
[HUAWEI-wlan-group-radio-ap-group1/0] quit 
[HUAWEI-wlan-ap-group-ap-group1] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] undo dynamic-blacklist disable 
[HUAWEI-wlan-wids-prof-default] quit

Verifying the Security Hardening Result

  • Run the display wids-profile name profile-name command to check the containment mode based on the Contain rogue mode field and whether the dynamic blacklist function is enabled based on the Dynamic blacklist field.
  • Run the display wids-profile name profile-name command to check the AP working mode based on the Work mode field, the types of attacks for which detection is enabled based on the WIDS attack detect field, whether device detection is enabled based on the WIDS device detect field, and whether device containment is enabled based on the WIDS contain switch field.
  • Run the display ap config-info { ap-id ap-id | ap-name ap-name } command to check the AP working mode based on the Work mode field, the types of attacks for which detection is enabled based on the WIDS attack detect field, whether device detection is enabled based on the WIDS device detect field, and whether device containment is enabled based on the WIDS contain switch field.
  • Run the display references wids-profile name profile-name command to check reference information about the WIDS profile.
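
Added example (not Huawei code): a Python check that compares saved output of the display commands above against the settings configured in this section. The field names come from this page; the "Field : value" layout, the enable/disable value spellings, and the single-radio capture are assumptions, and the sample text is constructed.

```python
import re

# Containment modes configured in the WIDS profile steps on this page.
REQUIRED_CONTAIN_MODES = {"open-ap", "spoof-ssid-ap", "client", "adhoc"}

def parse_fields(text):
    """Parse 'Field name : value' lines (assumed layout) into a lowercase dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    return fields

def is_enabled(value):
    # Assumption: the device prints "enable" or "enabled" for an active switch.
    return value is not None and value.startswith("enable")

def audit(profile_text, ap_text):
    """Return deviations from the hardening steps; an empty list means compliant."""
    prof, ap = parse_fields(profile_text), parse_fields(ap_text)
    findings = []
    modes = set(re.split(r"[\s,]+", prof.get("contain rogue mode", ""))) - {""}
    missing = REQUIRED_CONTAIN_MODES - modes
    if missing:
        findings.append("contain-mode missing: " + ", ".join(sorted(missing)))
    if not is_enabled(prof.get("dynamic blacklist")):
        findings.append("dynamic blacklist not enabled")
    for field in ("wids device detect", "wids contain switch"):
        if not is_enabled(ap.get(field)):
            findings.append(field + " not enabled")
    # Assumption: empty, "-", "none" or "disable" means no attack type is detected.
    if ap.get("wids attack detect", "") in ("", "-", "none", "disable", "disabled"):
        findings.append("wids attack detect not enabled")
    return findings

# Constructed sample captures, not real device output.
SAMPLE_PROFILE = """\
Profile name       : default
Contain rogue mode : open-ap spoof-ssid-ap client
Dynamic blacklist  : disable
"""
SAMPLE_AP = """\
Work mode           : normal
WIDS device detect  : enable
WIDS attack detect  : all
WIDS contain switch : disable
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_AP):
        print("FINDING:", finding)
```

A field that is absent from the capture is reported as not enabled, so a truncated or mis-saved capture fails the check instead of passing silently.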
Update Date: 2025-06-24
Document ID: EDOC1100096305