Fortinet white logo
Fortinet white logo

FortiLAN Cloud User Guide

Adding a WIDS Profile

Adding a WIDS Profile

The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting possible intrusion attempts. When an attack is detected, FortiLAN Cloud records a log message. The FortiAPs that have a dedicated radio for scanning, use that same radio for WIDS scanning. Create a WIDS profile to configure the wireless intrusion monitoring and detection parameters, and then associate the WIDS profile with radios in the Platform Profile. This association causes FortiLAN Cloud to push the configured WIDS profile to all FortiAP radios linked with the platform profile.

Navigate to Wireless > Configuration > WIDS Profile.

You can configure WIDS against the the following types of intrusions.

Type of Attack

Description

ASLEAP Attack Detection The attacker uses the ASLEAP tool to attack clients against LEAP authentication.
Association Frame Flooding Detection This is a Denial-of-Service (DoS) attack using a large number of association requests. The default detection threshold is 30 requests (range is 1 to 100 requests) in 10 seconds interval (range is 5 to 120 seconds).
Authentication Frame Flooding Detection This is a DoS attack using a large number of authentication requests. The default detection threshold is 30 requests (range is 1 to 100 requests) in 10 seconds interval (range is 5 to 120 seconds).
Broadcasting Deauth to Clients Detection This is a DoS attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
Invalid MAC OUI Detection Some attackers use randomly generated MAC addresses. The first 3 bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged when this field is enabled.
Long Duration Attack Detection To share radio bandwidth, Wi-Fi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a DoS attack. You can set a threshold between 1,000 and 32,767 microseconds (default = 8200).
Null SSID Probe Response Detection In this attack, when a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
Spoofed Deauthentication Attack Detection The attacker sends spoofed de-authentication messages to the FortiAP on behalf of the client. These spoofed de-authentication frames form the basis for most DoS attacks, disconnecting all clients from the FortiAP.

Weak WEP IV Detection

A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs), that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.

Wireless Bridge Detection

Wi-Fi frames with both FromDS and ToDS fields set indicate a wireless bridge. This also detects a wireless bridge that you intentionally configured in your network.

De-Auth Unknown Source For Dos Attack

This is a DoS attack where an unknown client sends a large number of de-authentication requests in quick succession. In an aggressive attack, this de-authentication activity can prevent packet processing from valid clients. As part of mitigating a DoS attack, the FortiAP sends de-authentication packets to unknown clients. In an aggressive attack, this de-authentication activity can prevent the processing of packets from valid clients. The threshold value set is a measure of the number of de-authorizations per second. It can be 0 to 65535 (default = 10 and 0 means no limit).

Enabling Override Radio Scan Parameters overrides the radio scan parameters defined at the network level (Configuration > Network).

Adding a WIDS Profile

Adding a WIDS Profile

The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting possible intrusion attempts. When an attack is detected, FortiLAN Cloud records a log message. The FortiAPs that have a dedicated radio for scanning, use that same radio for WIDS scanning. Create a WIDS profile to configure the wireless intrusion monitoring and detection parameters, and then associate the WIDS profile with radios in the Platform Profile. This association causes FortiLAN Cloud to push the configured WIDS profile to all FortiAP radios linked with the platform profile.

Navigate to Wireless > Configuration > WIDS Profile.

You can configure WIDS against the the following types of intrusions.

Type of Attack

Description

ASLEAP Attack Detection The attacker uses the ASLEAP tool to attack clients against LEAP authentication.
Association Frame Flooding Detection This is a Denial-of-Service (DoS) attack using a large number of association requests. The default detection threshold is 30 requests (range is 1 to 100 requests) in 10 seconds interval (range is 5 to 120 seconds).
Authentication Frame Flooding Detection This is a DoS attack using a large number of authentication requests. The default detection threshold is 30 requests (range is 1 to 100 requests) in 10 seconds interval (range is 5 to 120 seconds).
Broadcasting Deauth to Clients Detection This is a DoS attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
Invalid MAC OUI Detection Some attackers use randomly generated MAC addresses. The first 3 bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged when this field is enabled.
Long Duration Attack Detection To share radio bandwidth, Wi-Fi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a DoS attack. You can set a threshold between 1,000 and 32,767 microseconds (default = 8200).
Null SSID Probe Response Detection In this attack, when a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
Spoofed Deauthentication Attack Detection The attacker sends spoofed de-authentication messages to the FortiAP on behalf of the client. These spoofed de-authentication frames form the basis for most DoS attacks, disconnecting all clients from the FortiAP.

Weak WEP IV Detection

A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs), that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.

Wireless Bridge Detection

Wi-Fi frames with both FromDS and ToDS fields set indicate a wireless bridge. This also detects a wireless bridge that you intentionally configured in your network.

De-Auth Unknown Source For Dos Attack

This is a DoS attack where an unknown client sends a large number of de-authentication requests in quick succession. In an aggressive attack, this de-authentication activity can prevent packet processing from valid clients. As part of mitigating a DoS attack, the FortiAP sends de-authentication packets to unknown clients. In an aggressive attack, this de-authentication activity can prevent the processing of packets from valid clients. The threshold value set is a measure of the number of de-authorizations per second. It can be 0 to 65535 (default = 10 and 0 means no limit).

Enabling Override Radio Scan Parameters overrides the radio scan parameters defined at the network level (Configuration > Network).