Weak iv detection, Blacklist and whitelist – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 635
614
spoofed de-authentication frame can cause a client to get de-authenticated from the network and can
affect the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast
de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it
is identified as a spoofed frame, and the attack is immediately logged.
Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. The system uses
an IV and a key to generate a key stream, so encryptions using the same key have different results. Also,
when a WEP frame is sent, the IV used in encrypting the frame is sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is
compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
Blacklist and whitelist
You can configure the blacklist and whitelist functions to filter frames from WLAN clients and thereby
implement client access control.
WLAN client access control is accomplished through the following three types of lists.
•
Whitelist—Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist
is used, only permitted clients can access the WLAN, and all frames from other clients are
discarded.
•
Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
configured manually.
•
Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client
is added dynamically to the list if it is considered sending attacking frames until the timer of the
entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects
any attacks, the MAC addresses of attackers are added to the dynamic blacklist. For more
information about ARP detection, see "
attack defense."
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the
frame as follows:
1.
If the source MAC address does not match any entry in the whitelist, the frame is dropped. If there
is a match, the frame is considered valid, and is processed further.
2.
If no whitelist entries exist, the static and dynamic blacklists are searched.
3.
If the source MAC address matches an entry in any of the two lists, the frame is dropped.
4.
If there is no match, or no blacklist entries exist, the frame is considered valid, and is processed
further.
A static blacklist or whitelist configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist applies to APs that receive attack frames.