SONICWALL SONICOS STANDARD 3.0 ADMINISTRATOR'S GUIDE (page 158)

Chapter 27: Configuring Wireless IDS
Access Point IDS
When the Radio Role of the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless is set to Access Point
mode, all three types of WIDS services are available, but Rogue Access Point detection, by default,
acts in a passive mode (passively listening to other Access Point Beacon frames only on the selected
channel of operation). Selecting Scan Now momentarily changes the Radio Role to allow the TZ 50
Wireless/TZ 150 Wireless/TZ 170 Wireless to perform an active scan, and may cause a brief loss of
connectivity for associated wireless clients. While in Access Point mode, the Scan Now function
should only be used if no clients are actively associated, or if the possibility of client interruption is
acceptable.
Enable Client Null Probing
The control to block Null probes is not available on the 802.11g card built into the TZ 50 Wireless/TZ
150 Wireless/TZ 170 Wireless. Instead, enabling this setting allows the TZ 50 Wireless/TZ 150
Wireless/TZ 170 Wireless to detect and log Null Probes, such as those used by Netstumbler and
other similar tools.
Association Flood Detection
Association Flood is a type of Wireless Denial of Service attack intended to interrupt wireless services
by depleting the resources of a wireless Access Point. An attacker can employ a variety of tools to
establish associations, and consequently association IDs, with an access point until it reaches its
association limit (generally set to 255). Once association saturation occurs, the access point discards
further association attempts until existing associations are terminated.
Association Flood Detection allows thresholds to be set limiting the number of association attempts a
client makes in a given span of time before its activities are considered hostile. The association
attempt count defaults to 5 (minimum value is 1, maximum value is 100) and the time period defaults
to 5 seconds (minimum value is 1 second, maximum value is 999 seconds). If association attempts
exceed the set thresholds, an event is logged according to log settings.
If the Block station's MAC address in response to an association flood option is selected and
MAC Filtering is enabled, then in addition to logging actions, the TZ 50 Wireless/TZ 150 Wireless/TZ
170 Wireless takes the countermeasure of dynamically adding the MAC address to the MAC filter list.
Any future Denial of Service attempts by the attacker are then blocked.
Enable Association Flood Detection is selected by default. The Association Flood Threshold is
set to 5 Association attempts within 5 seconds by default.
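The following is an added illustration of the threshold logic described above, written as a small sliding-window detector in Python; it is not SonicOS code and does not reflect how the appliance implements the check internally. The client MAC addresses, timestamps and the inventory of events are constructed sample data. It uses the guide's defaults (5 attempts within 5 seconds, attempt range 1..100, period range 1..999 seconds) and mirrors the "Block station's MAC address" countermeasure, which only takes effect when MAC filtering is enabled.

```python
from collections import defaultdict, deque

# Defaults stated in the guide: 5 association attempts within 5 seconds.
DEFAULT_ATTEMPTS = 5
DEFAULT_SECONDS = 5


class AssociationFloodDetector:
    """Per-client sliding-window counter of association requests.

    When a client exceeds max_attempts inside window_seconds, an event is
    logged. If the block option is selected AND MAC filtering is enabled,
    the client MAC is also added to the MAC filter (block) list.
    """

    def __init__(self, max_attempts=DEFAULT_ATTEMPTS, window_seconds=DEFAULT_SECONDS,
                 mac_filtering_enabled=False, block_on_flood=False):
        # Range limits as documented in the guide.
        if not 1 <= max_attempts <= 100:
            raise ValueError("association attempts threshold must be 1..100")
        if not 1 <= window_seconds <= 999:
            raise ValueError("time period must be 1..999 seconds")
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.mac_filtering_enabled = mac_filtering_enabled
        self.block_on_flood = block_on_flood
        self._attempts = defaultdict(deque)  # mac -> timestamps still inside the window
        self.blocked_macs = set()            # dynamically populated MAC filter list
        self.log = []                        # logged events, as plain strings

    def observe(self, timestamp, mac):
        """Record one association request; return True if it is treated as hostile."""
        mac = mac.lower()
        if mac in self.blocked_macs:
            return True  # already on the MAC filter list: further attempts are dropped
        attempts = self._attempts[mac]
        attempts.append(timestamp)
        # Expire attempts that fall outside the time period.
        while attempts and timestamp - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) > self.max_attempts:  # "exceed the set thresholds"
            self.log.append(f"t={timestamp}: association flood from {mac} "
                            f"({len(attempts)} attempts within {self.window}s)")
            if self.block_on_flood and self.mac_filtering_enabled:
                self.blocked_macs.add(mac)
                self.log.append(f"t={timestamp}: added {mac} to MAC filter list")
            return True
        return False


def run_sample(block=True):
    """Replay a constructed event stream and return (detector, per-event results)."""
    det = AssociationFloodDetector(mac_filtering_enabled=True, block_on_flood=block)
    # Constructed sample: client A sends 8 association requests in 3.5 seconds;
    # client B sends 2 requests 30 seconds apart (normal roaming behaviour).
    events = [(0.5 * i, "AA:BB:CC:00:00:01") for i in range(8)]
    events += [(2.0, "de:ad:be:ef:00:02"), (32.0, "de:ad:be:ef:00:02")]
    events.sort()
    results = [(t, mac, det.observe(t, mac)) for t, mac in events]
    return det, results


if __name__ == "__main__":
    detector, _ = run_sample()
    for line in detector.log:
        print(line)
```

Running the block prints one flood event for client A followed by the MAC filter addition; client B never crosses the threshold. Setting `block=False` shows the logging-only behaviour the guide describes when the block option is not selected: every further attempt inside the window is logged, but nothing is added to the filter list.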
Rogue Access Point Detection
Rogue Access Points have emerged as one of the most serious and insidious threats to wireless
security. In general terms, an access point is considered rogue when it has not been authorized for
use on a network. The convenience, affordability and availability of non-secure access points, and the
ease with which they can be added to a network, create an easy environment for introducing rogue
access points. Specifically, the real threat emerges in a number of different ways, including
unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-
secure channels, and unwanted access to LAN resources. So while this doesn't represent a
deficiency in the security of a specific wireless device, it is a weakness to the overall security of
wireless networks.
The TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless can alleviate this weakness by recognizing
rogue access points potentially attempting to gain access to your network. It accomplishes this in two
ways: active scanning for access points on all 802.11b channels, and passive scanning (while in
Access Point mode) for beaconing access points on a single channel of operation.
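To make the two scanning modes concrete, here is an added Python example that is not SonicOS code: it models beacon frames seen by the radio, shows why passive scanning (single operating channel) sees fewer access points than an active scan (all channels), and classifies each unauthorized AP against an administrator-maintained inventory. The beacons, BSSIDs, SSIDs and the authorized list are all constructed sample values; the severity labels are this example's own convention, not the appliance's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """Minimal view of an 802.11 beacon frame: sender BSSID, advertised SSID, channel."""
    bssid: str
    ssid: str
    channel: int


# Constructed inventory of authorized access points (assumption: kept by the admin).
AUTHORIZED = {"00:06:b1:11:22:33": "corp-wifi"}

# Constructed sample of beacons in range of the radio.
OBSERVED = [
    Beacon("00:06:b1:11:22:33", "corp-wifi", 6),   # our own authorized AP
    Beacon("00:11:22:33:44:55", "guest-net", 1),   # unknown AP on another channel
    Beacon("66:77:88:99:aa:bb", "corp-wifi", 11),  # unauthorized AP using our SSID
    Beacon("cc:dd:ee:ff:00:11", "linksys", 6),     # unknown AP on our channel
]


def passive_scan(beacons, operating_channel):
    """Access Point mode default: only beacons on the channel in use are heard."""
    return [b for b in beacons if b.channel == operating_channel]


def active_scan(beacons):
    """Scan Now: the radio steps through every channel, so all beacons are heard."""
    return list(beacons)


def classify(beacons, authorized):
    """Return (severity, bssid, ssid, channel, reason) for each non-authorized AP."""
    findings = []
    authorized_ssids = set(authorized.values())
    for b in beacons:
        bssid = b.bssid.lower()
        if bssid in authorized and authorized[bssid] == b.ssid:
            continue  # known BSSID advertising its expected SSID
        if b.ssid in authorized_ssids:
            # Clients may unwittingly associate with this device (see the threat list above).
            findings.append(("high", bssid, b.ssid, b.channel,
                             "unauthorized AP advertising an authorized SSID"))
        else:
            findings.append(("medium", bssid, b.ssid, b.channel,
                             "unknown access point in range"))
    return findings


def passive_findings(operating_channel=6):
    return classify(passive_scan(OBSERVED, operating_channel), AUTHORIZED)


def active_findings():
    return classify(active_scan(OBSERVED), AUTHORIZED)


if __name__ == "__main__":
    print("passive (channel 6):")
    for f in passive_findings():
        print("  ", f)
    print("active (all channels):")
    for f in active_findings():
        print("  ", f)
```

The passive scan on channel 6 reports only the unknown AP sharing that channel; the active scan also surfaces the AP on channel 11 that advertises the authorized SSID, which is the case that deserves the highest priority because clients configured for "corp-wifi" may connect to it without noticing. This is the trade-off the guide describes: the active scan gives full coverage at the cost of a brief interruption for associated clients.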