Configure Wi-Fi Cloud Intrusion Prevention
The Intrusion Prevention policy you configure here does not become active until you enable the Intrusion Prevention feature. For more information, see Activate Intrusion Prevention.
Intrusion Prevention Level
From the Current Intrusion Prevention Level drop-down list, select the level of disruption to perform (Block, Disrupt, Interrupt, Degrade).
We recommend you use the Disrupt level to balance channel coverage and effectiveness of the disruption.
In the AP Prevention section, you can prevent connections to specific classifications of APs, including rogue APs, misconfigured authorized APs, and uncategorized APs that are potentially rogue or authorized.
In the Client Prevention section, you can prevent authorized clients from connecting to guest, external and uncategorized APs.
You can also configure special handling for unapproved smart devices that connect to APs on your network, such as preventing a smart device from connecting to an Authorized or Guest AP.
Guest Client Misassociation and Unauthorized Associations
Guest clients can mistakenly associate to external or uncategorized APs. Unauthorized clients may also try to connect to your authorized and guest APs.
In this section, you can select from these options for Guest Client Misassociation, and Unauthorized Associations to Authorized APs and Guest APs:
Banned and Rogue Clients
A Banned Client is a client MAC address that you have entered in the Banned Client list. Rogue Clients are clients that have been classified as unauthorized by Wi-Fi Cloud.
In the Banned Clients section, you can prevent connections to Authorized, Guest, and Uncategorized APs from banned clients,
In the Rogue Clients section, you can prevent connections to any AP from rogue clients.
Client Bridging, ICS, and Ad hoc Connections
A bridging client is a client with packet forwarding enabled between its wired and wireless interfaces. An authorized client bridging to the enterprise LAN or an unauthorized or uncategorized bridging client connected to the enterprise LAN are serious security threats.
An ad hoc connection is a peer-to-peer connection between clients that can introduce security threats.
In the Client Bridging/ICS and Ad hoc Connections section, you can prevent these type of connections for different classifications of clients.
In the Threat Prevention section, you can enable the detection of several types of over-the-air threats such as denial of service attacks and Honeypot/Evil Twin APs.
You must have an AP configured as a dedicated WIPS Sensor to effectively prevent these over-the-air threats,
- MAC Spoofing — Prevents connections to unauthorized APs that spoof their MAC address to pretend to be an authorized AP.
- An AP with one radio for Wi-Fi access and one radio for WIPS scanning cannot detect AP MAC address spoofing of the SSIDs broadcast by the AP. A second AP with WIPS scanning is required to detect AP MAC address spoofing on this AP.
- A single dual radio AP in dedicated WIPS sensor mode can detect AP MAC address spoofing of another AP's MAC address.
- Honeypot/Evil Twin APs — Prevents authorized clients from connecting to Honeypot or Evil Twin APs that are rogue APs from nearby networks that broadcast the same SSID as an Authorized AP to appear as a legitimate AP on your network.
- Denial of Service (DoS) Attacks — Detects denial of service attacks on the wireless network while preventing false positives. This includes all types of DoS attacks, including association/dissociation and authentication broadcast flood attacks, and RTS/CTS flood attacks. When a DoS attack occurs, Wi-Fi Cloud attempts to restore legitimate communication between authorized APs and clients to reduce the impact of the attack. You can also locate clients that use spoofed or random MAC addresses to perform DoS attacks.
- WEPGuard — Prevents connections to APs that use the weaker WEP encryption keys and are under WEP key cracking attack. You can also prevent authorized clients with anomalies in their RF signature from connecting to an authorized AP. These RF anomalies can indicate the client is spoofing an authorized inactive client MAC address to gain access to the AP.