User's Manual

459 | Wireless Intrusion Prevention Dell Networking W-Series ArubaOS 6.4.x | User Guide
Understanding Discovered-AP-Count specification
Each rule can have only one specification of the Discovered-AP-Count. Each rule can specify a minimum or
maximum of the Discovered-AP-count. The minimum or maximum operation must be specified if the
Discovered-AP-count is specified. The default setting is to check for the minimum discovered-AP-count.
Sample Rules
If SSID equals xyz AND SNR > 40 then classify AP as suspected-rogue with conf-level-increment of 20
If SNR > 60 and DISCOVERING_APS > 2, then classify AP as suspected-rogue with conf-level increment of 35
If SSID equals ‘XYZ’, then classify AP as known-neighbor
Understanding Rule Matching
A rule must be enabled before it is matched. A maximum of 32 rules can be created with a maximum of 16
rules active simultaneously. If a rule matches, an AP is classified to:
• Suspected-Rogue—an associated confidence-level is provided (minimum is 5%)
• Neighbor
The following mechanism is used for rule matching.
• When all the conditions specified in the rule evaluate to true, the rule matches.
• If multiple rules match causing the AP to be classified as a Suspected-Rogue, the confidence level of each
rule is aggregated to determine the confidence level of the classification.
• When multiple rules match and any one of those matching rules causes the AP to be classified as a Neighbor,
then the AP is classified as Neighbor.
• APs already classified as either Neighbor or Suspected-Rogue are still matched against any configured AP rule.
• Once a rule matches an AP, the same rule is not checked again for that AP.
• When the controller reboots, no attempt to match a previously matched AP is made.
• If a rule is disabled or modified, all APs that were previously classified based on that rule remain in the
state they were classified into.
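The rule model above (one Discovered-AP-Count per rule with a min/max operation, AND-ed conditions, aggregated Suspected-Rogue confidence with a 5% floor, Neighbor precedence, the 32/16 rule limits, no re-checking of a rule that already matched, and no re-matching after a reboot) can be exercised end to end in a small simulator. The following Python is an added example written for this page; it is not ArubaOS code and does not use the controller's CLI. The rule and AP-observation field names (`ssid`, `snr`, `discovered_aps`, `conf_increment`) are assumptions, and two points the text leaves open are implemented as labelled assumptions: "min"/"max" on the Discovered-AP-Count are read as "at least N" and "at most N", and an AP once classified as Neighbor keeps that classification when later rogue rules match. The three sample rules from the guide are encoded in `sample_rules()`.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Limits and defaults stated in the guide.
MAX_RULES = 32         # rules that can be created
MAX_ACTIVE_RULES = 16  # rules that can be enabled at the same time
MIN_CONFIDENCE = 5     # lowest confidence level (%) for a Suspected-Rogue classification

SUSPECTED_ROGUE = "suspected-rogue"
NEIGHBOR = "known-neighbor"


@dataclass
class Rule:
    """One AP classification rule; every configured condition must hold for a match."""
    name: str
    classify_as: str                            # SUSPECTED_ROGUE or NEIGHBOR
    enabled: bool = True
    ssid: Optional[str] = None                  # AP's SSID must equal this value
    snr_gt: Optional[int] = None                # AP's SNR must be greater than this value
    discovered_ap_count: Optional[int] = None   # only one Discovered-AP-Count per rule
    discovered_ap_op: str = "min"               # "min" (default) or "max"
    conf_increment: int = 0                     # confidence-level increment for SUSPECTED_ROGUE

    def __post_init__(self):
        if self.discovered_ap_op not in ("min", "max"):
            raise ValueError("discovered_ap_op must be 'min' or 'max'")
        if self.classify_as not in (SUSPECTED_ROGUE, NEIGHBOR):
            raise ValueError("unknown classification")

    def matches(self, ap: dict) -> bool:
        if self.ssid is not None and ap.get("ssid") != self.ssid:
            return False
        if self.snr_gt is not None and not ap.get("snr", 0) > self.snr_gt:
            return False
        if self.discovered_ap_count is not None:
            count = ap.get("discovered_aps", 0)
            # Assumption: "min" = at least N APs discovered it, "max" = at most N.
            if self.discovered_ap_op == "min" and count < self.discovered_ap_count:
                return False
            if self.discovered_ap_op == "max" and count > self.discovered_ap_count:
                return False
        return True


@dataclass
class APState:
    classification: Optional[str] = None
    confidence: int = 0
    matched_rules: Set[str] = field(default_factory=set)  # never re-checked for this AP
    frozen: bool = False  # set after a reboot for APs that had already matched a rule


class RuleClassifier:
    def __init__(self, rules: List[Rule]):
        if len(rules) > MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} rules can be created")
        self.rules = [r for r in rules if r.enabled]  # disabled rules are never matched
        if len(self.rules) > MAX_ACTIVE_RULES:
            raise ValueError(f"at most {MAX_ACTIVE_RULES} rules can be active")
        self.state: Dict[str, APState] = {}

    def classify(self, bssid: str, ap: dict) -> Tuple[Optional[str], int]:
        st = self.state.setdefault(bssid, APState())
        if st.frozen:  # matched before a reboot: not matched again
            return st.classification, st.confidence
        # Already classified APs are still run against rules they have not matched yet.
        matched = [r for r in self.rules
                   if r.name not in st.matched_rules and r.matches(ap)]
        for r in matched:
            st.matched_rules.add(r.name)
        if any(r.classify_as == NEIGHBOR for r in matched):
            # Neighbor takes precedence over any Suspected-Rogue rule that also matched.
            st.classification, st.confidence = NEIGHBOR, 0
        elif matched and st.classification != NEIGHBOR:
            # Assumption: an existing Neighbor classification is not overturned here.
            increment = sum(r.conf_increment for r in matched)
            st.confidence = max(MIN_CONFIDENCE, min(100, st.confidence + increment))
            st.classification = SUSPECTED_ROGUE
        return st.classification, st.confidence

    def reboot(self) -> None:
        """Classifications persist; APs that had matched a rule are not matched again."""
        for st in self.state.values():
            if st.matched_rules:
                st.frozen = True


def sample_rules() -> List[Rule]:
    """The guide's three sample rules expressed in this model."""
    return [
        Rule("ssid-xyz-snr40", SUSPECTED_ROGUE, ssid="xyz", snr_gt=40, conf_increment=20),
        # "DISCOVERING_APS > 2" written as a minimum Discovered-AP-Count of 3
        Rule("snr60-seen-by-3", SUSPECTED_ROGUE, snr_gt=60, discovered_ap_count=3,
             conf_increment=35),
        Rule("ssid-XYZ-neighbor", NEIGHBOR, ssid="XYZ"),
    ]


def rules_accepted(rules: List[Rule]) -> bool:
    """True if a rule set respects the create/active limits."""
    try:
        RuleClassifier(rules)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    c = RuleClassifier(sample_rules())
    # Constructed observations: two sightings of the same BSSID, then a neighbor.
    print(c.classify("aa:bb:cc:00:00:01", {"ssid": "xyz", "snr": 45, "discovered_aps": 1}))
    print(c.classify("aa:bb:cc:00:00:01", {"ssid": "xyz", "snr": 70, "discovered_aps": 4}))
    print(c.classify("aa:bb:cc:00:00:02", {"ssid": "XYZ", "snr": 70, "discovered_aps": 5}))
```

Running the script shows the first sighting classified Suspected-Rogue at 20%, the second sighting raising it to 55% because the second rule matches while the first is not re-checked, and the `XYZ` AP classified Neighbor even though a rogue rule matched it too. Calling `reboot()` and classifying one of those BSSIDs again returns the stored classification without touching the rules.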
Working with Intrusion Detection
This section covers Infrastructure and Client Intrusion Detections.
Understanding Infrastructure Intrusion Detection
Detecting attacks against the infrastructure is critical in avoiding attacks that may lead to a large-scale Denial of
Service (DoS) attack or a security breach. This group of features detects attacks against the WLAN
infrastructure, which consists of authorized APs, the RF medium, and the wired network. An authorized or
valid-AP is defined as an AP that belongs to the WLAN infrastructure. The AP is either a Dell AP or a third party
AP. ArubaOS automatically learns authorized Dell APs.
Table 86 presents a summary of the Intrusion infrastructure detection features with their related commands,
traps, and syslog identification. Feature details follow the table.