CISCO-DOT11-WIDS-MIB

This MIB is intended to be implemented on the
following IOS based network entities for the purpose
of providing network management stations with information
about attempts to compromise the security of
802.11-based wireless networks.
   
(i) 802.11 Access Points that accept wireless client
associations.

The MIB reports information about the following
attacks, which can happen either during the initial
authentication phase or during normal data
communication between the client and the AP.

EAPOL flooding - An attack in which an invalid (rogue)
802.11 client sends a large number of EAPOL-Start
messages in order to exhaust the authentication
service on the Authenticator, typically the AP, and
so deny authentication to legitimate clients.

BlackListing - The process of marking a client as
invalid when its authentication attempts fail.  The
client is put in a list when its authentication
attempt fails for the first time.  If the number of
consecutive failed authentication attempts reaches a
threshold, every subsequent authentication request
from that client is rejected for a configurable
period of time.
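The black-listing policy described above as an added, executable example. This is not Cisco's implementation; the class and function names are this example's own, and the MIB objects are referred to only in comments. The timestamps and MAC addresses in demo() are constructed.

```python
"""Client black-listing: consecutive failures -> threshold -> timed block."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BlackListEntry:
    """One row of a cDot11WidsBlackListTable-like table."""
    attempt_count: int = 0              # consecutive failures so far (cf. cDot11WidsBlackListAttemptCount)
    blocked_at: Optional[float] = None  # when the client was black-listed (cf. cDot11WidsBlackListTime)


@dataclass
class BlackList:
    threshold: int      # cf. cDot11WidsBlackListThreshold (consecutive failures)
    duration: float     # cf. cDot11WidsBlackListDuration (seconds)
    entries: Dict[str, BlackListEntry] = field(default_factory=dict)

    def is_blocked(self, mac: str, now: float) -> bool:
        """True while the client is black-listed; an expired block is removed."""
        entry = self.entries.get(mac)
        if entry is None or entry.blocked_at is None:
            return False
        if now - entry.blocked_at >= self.duration:
            del self.entries[mac]       # block expired: the client starts with a clean count
            return False
        return True

    def authenticate(self, mac: str, credentials_ok: bool, now: float) -> str:
        """Apply the policy to one authentication request.

        Returns "blocked" (rejected before credentials are even checked),
        "rejected" (credentials failed) or "accepted".
        """
        if self.is_blocked(mac, now):
            return "blocked"
        if credentials_ok:
            self.entries.pop(mac, None)  # a success breaks the run of consecutive failures
            return "accepted"
        entry = self.entries.setdefault(mac, BlackListEntry())  # first failure creates the row
        entry.attempt_count += 1
        if entry.attempt_count >= self.threshold:
            entry.blocked_at = now
        return "rejected"


def demo() -> List[str]:
    """Constructed sequence: three bad passwords, then the right one too late and in time."""
    bl = BlackList(threshold=3, duration=60.0)
    mac = "00:11:22:33:44:55"
    return [
        bl.authenticate(mac, False, 0.0),   # rejected, count 1
        bl.authenticate(mac, False, 1.0),   # rejected, count 2
        bl.authenticate(mac, False, 2.0),   # rejected, count 3 -> black-listed at t=2
        bl.authenticate(mac, True, 3.0),    # blocked: correct credentials still refused
        bl.authenticate(mac, True, 61.0),   # blocked: only 59 s of the 60 s have elapsed
        bl.authenticate(mac, True, 62.0),   # accepted: block expired
    ]
```

Note that the block applies even when the credentials are correct; that is the point of the mechanism (it limits online guessing), and also why an attacker who can spoof a victim's MAC address can use it to lock that victim out for cDot11WidsBlackListDuration.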

Protection Failures - This kind of failure occurs
when an attacker injects invalid or forged frames
onto the wireless network, thereby corrupting the
802.11 data traffic between an AP and its
associated wireless clients.
                                  
The administrator, through the NMS, can configure
the thresholds on the AP using this MIB to enable
the AP to detect EAPOL flood attacks and provide the
related statistics to the NMS.
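An EAPOL-Start flood detector driven by the same three parameters the MIB exposes (threshold, interval, maximum entries per interface), as an added example. It is not Cisco's implementation: the sliding-window algorithm, the class and function names and the traffic in demo() are this example's own, and the MIB objects are cited only in comments.

```python
"""EAPOL-Start flood detection with a per-client sliding window."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

EAPOL_START = 1   # EAPOL packet type value for EAPOL-Start (802.1X)


@dataclass
class FloodRecord:
    """Mirrors the columns of cDot11WidsEapolFloodTable."""
    client_mac: str                     # cDot11WidsEapolFloodClientMac
    count: int                          # cDot11WidsEapolFloodClientCount at detection time
    start_time: float                   # cDot11WidsEapolFloodStartTime
    stop_time: Optional[float] = None   # cDot11WidsEapolFloodStopTime (None while ongoing)
    total_count: int = 0                # cDot11WidsEapolFloodTotalCount


@dataclass
class EapolFloodDetector:
    threshold: int        # cDot11WidsEapolFloodThreshold: EAPOL-Starts allowed per interval
    interval: float       # cDot11WidsEapolFloodInterval, seconds
    max_entries: int      # cDot11WidsFloodMaxEntriesPerIntf
    enabled: bool = True  # cDot11WidsFloodDetectEnable
    windows: Dict[str, Deque[float]] = field(default_factory=dict)
    active: Dict[str, FloodRecord] = field(default_factory=dict)
    table: List[FloodRecord] = field(default_factory=list)

    def _trim(self, win: Deque[float], now: float) -> None:
        while win and now - win[0] > self.interval:   # drop timestamps outside the window
            win.popleft()

    def eapol_frame(self, src_mac: str, packet_type: int, now: float) -> Optional[FloodRecord]:
        """Feed one EAPOL frame; returns the flood record if the frame belongs to a flood."""
        if not self.enabled or packet_type != EAPOL_START:
            return None
        win = self.windows.setdefault(src_mac, deque())
        win.append(now)
        self._trim(win, now)
        rec = self.active.get(src_mac)
        if rec is not None:
            rec.total_count += 1
            if len(win) <= self.threshold:              # rate fell back under the threshold
                rec.stop_time = now
                del self.active[src_mac]
            return rec
        if len(win) > self.threshold:                   # threshold exceeded within one interval
            rec = FloodRecord(src_mac, len(win), win[0], total_count=len(win))
            if not self._add_record(rec):
                return None                             # table full, nothing to evict
            self.active[src_mac] = rec
            return rec
        return None

    def expire(self, now: float) -> None:
        """Close records of clients that went quiet; call periodically."""
        for mac, rec in list(self.active.items()):
            self._trim(self.windows[mac], now)
            if len(self.windows[mac]) <= self.threshold:
                rec.stop_time = now
                del self.active[mac]

    def _add_record(self, rec: FloodRecord) -> bool:
        """Enforce max_entries by reusing the slot of the oldest closed record."""
        if len(self.table) >= self.max_entries:
            closed = [r for r in self.table if r.stop_time is not None]
            if not closed:
                return False
            self.table.remove(min(closed, key=lambda r: r.stop_time))
        self.table.append(rec)
        return True


def demo() -> List[FloodRecord]:
    """Constructed traffic: 20 EAPOL-Starts in 2 s from one MAC, one normal client."""
    det = EapolFloodDetector(threshold=10, interval=5.0, max_entries=4)
    for i in range(20):
        det.eapol_frame("de:ad:be:ef:00:01", EAPOL_START, 0.1 * i)   # t = 0.0 .. 1.9
    det.eapol_frame("00:11:22:33:44:55", EAPOL_START, 1.0)           # a legitimate single start
    det.expire(now=10.0)
    return det.table
```

The window is keyed by source MAC, so a flooder that randomises its source address spreads itself across many windows and is not caught by this per-client threshold; that case needs a per-interface aggregate count as well, which is the kind of limit cDot11WidsFloodMaxEntriesPerIntf hints at.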

To detect protection failures, the AP provides the
relevant statistics about protection errors in the
form of MIB objects.  The AP itself applies no
threshold to them: the NMS compares the counters
against thresholds configured on the NMS and raises
the appropriate events when a threshold is exceeded.
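The NMS-side comparison just described, as an added example that is not Cisco's or any NMS product's code. Every protection-failure object is a Counter32, so the NMS has to diff consecutive polls modulo 2**32 and compare the per-interval growth, not the raw value, against its threshold. The threshold values and the two poll samples are constructed for the example; the dictionary keys are the MIB's columnar objects for one cDot11WidsProtectFailClientEntry row, indexed here by (SSID, client MAC).

```python
"""NMS-side threshold check over ciscoDot11WidsProtectFailures counters."""
from typing import Dict, List, Tuple

COUNTER32_MOD = 2 ** 32
Row = Tuple[str, str]   # (cDot11WidsSsid, cDot11WidsClientMacAddress)

# Hypothetical per-poll thresholds configured on the NMS.  The TKIP values
# follow 802.11i, which starts countermeasures at two MIC failures in 60 s.
THRESHOLDS: Dict[str, int] = {
    "cDot11WidsTkipLocalMicFailures": 2,
    "cDot11WidsTkipRemoteMicFailures": 2,
    "cDot11WidsTkipReplays": 20,
    "cDot11WidsCcmpReplays": 10,
    "cDot11WidsCcmpDecryptErrors": 50,
    "cDot11WidsWepIcvErrors": 50,
}


def counter_delta(previous: int, current: int) -> int:
    """Growth of a Counter32 between two polls, allowing for one wrap at 2**32."""
    return (current - previous) % COUNTER32_MOD


def check_poll(prev: Dict[Row, Dict[str, int]],
               curr: Dict[Row, Dict[str, int]],
               thresholds: Dict[str, int]) -> List[Tuple[Row, str, int]]:
    """Return (row, counter name, delta) for each counter whose growth since
    the previous poll exceeds its threshold.  A row missing from the previous
    poll (a client that just associated) is taken as starting from zero."""
    events: List[Tuple[Row, str, int]] = []
    for row, counters in curr.items():
        before = prev.get(row, {})
        for name, limit in thresholds.items():
            if name not in counters:
                continue
            delta = counter_delta(before.get(name, 0), counters[name])
            if delta > limit:
                events.append((row, name, delta))
    return events


# Constructed poll samples (not captured from a real AP).  Row A's CCMP replay
# counter sits just below 2**32 in the first poll and wraps before the second.
ROW_A: Row = ("corp", "00:11:22:33:44:55")
ROW_B: Row = ("corp", "66:77:88:99:aa:bb")

POLL_1 = {
    ROW_A: {"cDot11WidsCcmpReplays": 4294967290, "cDot11WidsCcmpDecryptErrors": 3,
            "cDot11WidsTkipLocalMicFailures": 0},
    ROW_B: {"cDot11WidsTkipLocalMicFailures": 1, "cDot11WidsTkipReplays": 5},
}
POLL_2 = {
    ROW_A: {"cDot11WidsCcmpReplays": 10, "cDot11WidsCcmpDecryptErrors": 5,
            "cDot11WidsTkipLocalMicFailures": 0},
    ROW_B: {"cDot11WidsTkipLocalMicFailures": 4, "cDot11WidsTkipReplays": 5},
}


def demo() -> List[Tuple[Row, str, int]]:
    """Naive subtraction would give -4294967280 for row A and miss the event."""
    return check_poll(POLL_1, POLL_2, THRESHOLDS)
```

In practice the two polls come from walking .1.3.6.1.4.1.9.9.456.1.2.1 on the AP (for example with net-snmp's snmpwalk -v2c -c <community> <ap> .1.3.6.1.4.1.9.9.456.1.2.1). One caveat: a counter reset caused by an AP reboot between polls is indistinguishable from a wrap by value alone, so an NMS should also poll sysUpTime and discard the delta when it has gone backwards.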

The hierarchy of the AP and MNs is as follows.

+-----+        +-----+        +-----+        +-----+
| AP  |        | AP  |        | AP  |        | AP  |
+-----+        +-----+        +-----+        +-----+
  .  .            .              .              .
 .    .           .              .              .
.      .          .              .              .
+----+  +----+  +----+         +----+         +----+
| MN |  | MN |  | MN |         | MN |         | MN |
+----+  +----+  +----+         +----+         +----+


The wireless connections are represented as dotted
lines in the above diagram.

                   GLOSSARY

Access Point ( AP )

An entity that contains an 802.11 medium access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.


Mobile Node ( MN )

A roaming 802.11 wireless device in a wireless
network associated with an access point.

Service Set Identifier (SSID)

The Radio Service Set ID that mobile wireless clients
use to identify the wireless network when associating
with its APs.

Temporal Key Integrity Protocol (TKIP)

A security protocol defined to address the limitations
of WEP.  A Message Integrity Check and per-packet keying
on all WEP-encrypted frames are the two significant
enhancements TKIP adds to WEP.


Counter mode with CBC-MAC Protocol (CCMP)

A security protocol that combines two modes of the AES
block cipher: counter (CTR) mode for confidentiality
and CBC-MAC for integrity.  The CBC-MAC part divides
the data into blocks, encrypts the first block, XORs
the result with the second block, encrypts that, XORs
the result with the next block and continues until
all the blocks are processed.  The final output is
truncated to a 64-bit MIC, which is appended to the
plaintext data; the data and MIC are then encrypted
using counter mode.
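The structure described in the CCMP entry above, as an added, executable example. This is not Cisco code and not a real 802.11 CCMP implementation: the 128-bit block function is a SHA-256 based stand-in for AES-128, the nonce is simplified to the packet number alone, and the block layout is reduced relative to RFC 3610 and 802.11i. What it does show is the two halves of "counter mode with CBC-MAC" (a CBC-MAC over the plaintext truncated to a 64-bit MIC, the MIC appended and everything encrypted in counter mode) together with the receiver-side checks that feed cDot11WidsCcmpReplays and cDot11WidsCcmpDecryptErrors. The key, MAC address and frames in demo() are constructed.

```python
"""CCMP-style encrypt/decrypt with a stand-in block function, plus replay and MIC checks."""
import hashlib
from typing import Dict, Optional, Tuple

BLOCK = 16
MIC_LEN = 8      # 64-bit MIC, as in 802.11i CCMP
NONCE_LEN = 13   # CCMP nonce length; here it carries only the packet number (simplified)


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128: a keyed PRF built from SHA-256 (NOT a real block cipher)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def cbc_mac(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt block 0, XOR with the next block, encrypt, ... ; keep the first 64 bits.

    Block 0 binds the nonce and the data length so a MIC cannot be reused."""
    b0 = nonce + len(data).to_bytes(BLOCK - NONCE_LEN, "big")
    padded = data + b"\x00" * (-len(data) % BLOCK)
    x = block_fn(key, b0)
    for i in range(0, len(padded), BLOCK):
        x = block_fn(key, _xor(x, padded[i:i + BLOCK]))
    return x[:MIC_LEN]


def ctr(key: bytes, nonce: bytes, data: bytes, first_counter: int) -> bytes:
    """Counter mode: XOR each block with E(key, nonce || counter); counter increments."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr_block = nonce + (first_counter + i // BLOCK).to_bytes(BLOCK - NONCE_LEN, "big")
        out += _xor(data[i:i + BLOCK], block_fn(key, ctr_block))
    return bytes(out)


def ccmp_encrypt(key: bytes, pn: int, plaintext: bytes) -> bytes:
    """Returns CTR(plaintext) || CTR(MIC); MIC under counter 0, data from counter 1."""
    nonce = pn.to_bytes(NONCE_LEN, "big")
    mic = cbc_mac(key, nonce, plaintext)
    return ctr(key, nonce, plaintext, 1) + ctr(key, nonce, mic, 0)


def ccmp_decrypt(key: bytes, pn: int, frame: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the MIC does not verify."""
    nonce = pn.to_bytes(NONCE_LEN, "big")
    body, enc_mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    plaintext = ctr(key, nonce, body, 1)
    if ctr(key, nonce, enc_mic, 0) != cbc_mac(key, nonce, plaintext):
        return None
    return plaintext


class Receiver:
    """Per-sender state an AP keeps: last accepted PN plus the two WIDS counters."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_pn: Dict[str, int] = {}
        self.ccmp_replays = 0          # cf. cDot11WidsCcmpReplays
        self.ccmp_decrypt_errors = 0   # cf. cDot11WidsCcmpDecryptErrors

    def receive(self, src_mac: str, pn: int, frame: bytes) -> Optional[bytes]:
        if pn <= self.last_pn.get(src_mac, -1):     # PN must strictly increase per sender
            self.ccmp_replays += 1
            return None
        plaintext = ccmp_decrypt(self.key, pn, frame)
        if plaintext is None:                       # forged or corrupted frame
            self.ccmp_decrypt_errors += 1
            return None
        self.last_pn[src_mac] = pn
        return plaintext


def demo() -> Tuple[int, int]:
    """Constructed traffic: a good frame, a replay of it, and a bit-flipped copy."""
    key = bytes(range(16))
    rx = Receiver(key)
    frame = ccmp_encrypt(key, 7, b"hello from the station")
    assert rx.receive("00:11:22:33:44:55", 7, frame) == b"hello from the station"
    rx.receive("00:11:22:33:44:55", 7, frame)          # replay: same PN again
    tampered = bytes([frame[0] ^ 0x01]) + frame[1:]    # flip one ciphertext bit
    rx.receive("00:11:22:33:44:55", 8, tampered)       # fresh PN, but the MIC no longer matches
    return rx.ccmp_replays, rx.ccmp_decrypt_errors
```

Two observations carry over to the real protocol: the replay check must come before the MIC check (so an attacker cannot burn CPU by replaying captured frames), and a sender's PN must never be reused under the same key, because counter mode with a repeated nonce leaks the XOR of the two plaintexts.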


Message Integrity Check (MIC)

The Message Integrity Check is an improvement over the
Integrity Check Value (ICV) of the original 802.11
standard, which is an unkeyed CRC-32 that an attacker
can recompute after modifying a frame.  MIC adds two
new fields to the wireless frames: a sequence number
field for detecting out-of-order or replayed frames
and a keyed MIC field that provides the frame
integrity check the ICV cannot.


802.1X

The IEEE ratified standard for enforcing port based
access control.  It was originally intended for use
on wired LANs and later extended for use in 802.11
WLAN environments.  It defines an architecture with
three main parts: a supplicant (e.g. an 802.11
wireless client), an authenticator (the AP) and an
authentication server (a RADIUS server).  The
authenticator passes messages back and forth between
the supplicant and the authentication server to
enable the supplicant to be authenticated to the
network.
               

Extensible Authentication Protocol Over LAN (EAPOL)

The encapsulation method defined by 802.1X for
carrying EAP packets in LAN (Ethernet or 802.11)
frames.

Imported Objects

ciscoMgmt                                          CISCO-SMI
ifIndex                                            IF-MIB
MODULE-COMPLIANCE, OBJECT-GROUP                    SNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPE, Unsigned32,
  Integer32, Counter32                             SNMPv2-SMI
MacAddress, TimeStamp, TruthValue                  SNMPv2-TC
ciscoDot11WidsMIB .1.3.6.1.4.1.9.9.456
ciscoDot11WidsMIBNotifs .1.3.6.1.4.1.9.9.456.0
ciscoDot11WidsMIBObjects .1.3.6.1.4.1.9.9.456.1
ciscoDot11WidsAuthFailures .1.3.6.1.4.1.9.9.456.1.1
cDot11WidsFloodDetectEnable .1.3.6.1.4.1.9.9.456.1.1.1
cDot11WidsEapolFloodThreshold .1.3.6.1.4.1.9.9.456.1.1.2
cDot11WidsEapolFloodInterval .1.3.6.1.4.1.9.9.456.1.1.3
cDot11WidsBlackListThreshold .1.3.6.1.4.1.9.9.456.1.1.4
cDot11WidsBlackListDuration .1.3.6.1.4.1.9.9.456.1.1.5
cDot11WidsFloodMaxEntriesPerIntf .1.3.6.1.4.1.9.9.456.1.1.6
cDot11WidsEapolFloodTable .1.3.6.1.4.1.9.9.456.1.1.7
cDot11WidsEapolFloodEntry .1.3.6.1.4.1.9.9.456.1.1.7.1
cDot11WidsEapolFloodIndex .1.3.6.1.4.1.9.9.456.1.1.7.1.1
cDot11WidsEapolFloodClientMac .1.3.6.1.4.1.9.9.456.1.1.7.1.2
cDot11WidsEapolFloodClientCount .1.3.6.1.4.1.9.9.456.1.1.7.1.3
cDot11WidsEapolFloodStartTime .1.3.6.1.4.1.9.9.456.1.1.7.1.4
cDot11WidsEapolFloodStopTime .1.3.6.1.4.1.9.9.456.1.1.7.1.5
cDot11WidsEapolFloodTotalCount .1.3.6.1.4.1.9.9.456.1.1.7.1.6
cDot11WidsBlackListTable .1.3.6.1.4.1.9.9.456.1.1.8
cDot11WidsBlackListEntry .1.3.6.1.4.1.9.9.456.1.1.8.1
cDot11WidsBlackListClientMac .1.3.6.1.4.1.9.9.456.1.1.8.1.1
cDot11WidsBlackListAttemptCount .1.3.6.1.4.1.9.9.456.1.1.8.1.2
cDot11WidsBlackListTime .1.3.6.1.4.1.9.9.456.1.1.8.1.3
ciscoDot11WidsProtectFailures .1.3.6.1.4.1.9.9.456.1.2
cDot11WidsProtectFailClientTable .1.3.6.1.4.1.9.9.456.1.2.1
cDot11WidsProtectFailClientEntry .1.3.6.1.4.1.9.9.456.1.2.1.1
cDot11WidsSsid .1.3.6.1.4.1.9.9.456.1.2.1.1.1
cDot11WidsClientMacAddress .1.3.6.1.4.1.9.9.456.1.2.1.1.2
cDot11WidsSelPairWiseCipher .1.3.6.1.4.1.9.9.456.1.2.1.1.3
cDot11WidsTkipIcvErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.4
cDot11WidsTkipLocalMicFailures .1.3.6.1.4.1.9.9.456.1.2.1.1.5
cDot11WidsTkipRemoteMicFailures .1.3.6.1.4.1.9.9.456.1.2.1.1.6
cDot11WidsCcmpReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.7
cDot11WidsCcmpDecryptErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.8
cDot11WidsTkipReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.9
cDot11WidsWepReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.10
cDot11WidsWepIcvErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.11
cDot11WidsCkipReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.12
cDot11WidsCkipCmicErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.13
ciscoDot11WidsMIBConform .1.3.6.1.4.1.9.9.456.2
ciscoDot11WidsMIBCompliances .1.3.6.1.4.1.9.9.456.2.1
ciscoDot11WidsMIBGroups .1.3.6.1.4.1.9.9.456.2.2