CISCO-DOT11-WIDS-MIB

This MIB is intended to be implemented on the 
        following IOS based network entities for the purpose
        of providing network management stations information
        about the various attempts to compromise the security
        in the 802.11-based wireless networks.
           
        (i) 802.11 Access Points that accept wireless client
        associations.
        
        The MIB reports the information about the following
        attacks that can happen either at the initial
        authentication phase or during normal data
        communication between the client and the AP.
        
        EAPOL flooding - This is an attempt made by an
        invalid 802.11 client to send too many EAPOL-Start
        messages and bring the authentication services
        on the Authenticator, typically the AP, down.
        
        BlackListing - This is the process of marking
        a client as invalid when its authentication
        attempts fail.  The client is put in a list
        when its authentication attempt fails for the
        first time.  If the number of consecutive
        failed authentication attempts reaches a threshold,
        any subsequent authentication requests made by 
        the client will be rejected from that point for
        a configurable period of time.
        
        Protection Failures - This kind of failure
        happens when the attacker injects invalid packets
        onto the wireless network thereby corrupting the
        802.11 data traffic between an AP and its
        associated wireless clients.
                                          
        The administrator, through the NMS, can configure
        the thresholds on the AP using this MIB to enable
        the AP to detect the EAPOL flood attacks and provide
        related statistics to the NMS.
        
        To detect protection failures, the AP provides the
        relevant statistics about the protection errors in
        the form of MIB objects, which are compared against
        the thresholds configured on the NMS and appropriate
        events are raised by the NMS, if thresholds are
        found to be exceeded.
        
        The hierarchy of the AP and MNs is as follows.
        
            +~-~-~+           +~-~-~+        +~-~-~+          +~-~-~+
            +     +           +     +        +     +          +     +
            + AP  +           + AP  +        + AP  +          + AP  +
            +     +           +     +        +     +          +     +
            +~-~-~+           +~-~-~+        +~-~-~+          +~-~-~+
               ..                .              .                .
              .  .               .              .                .
             .    .              .              .                .
            .      .             .              .                .
           .        .            .              .                .
           \/      \/            \/             \/               \/
        +.....+  +.....+      +-.-.-.+       +~-~-~+          +......+
        +     +  +     +      +      +       +     +          +      +
        + MN  +  + MN  +      + MN   +       + MN  +          +  MN  +
        +     +  +     +      +      +       +     +          +      +
        +.....+  +.....+      +-.-.-.+       +~-~-~+          +......+
        
        
        The wireless connections are represented as dotted
        lines in the above diagram.
        
                           GLOSSARY
        
        Access Point ( AP )
        
        An entity that contains an 802.11 medium access
        control ( MAC ) and physical layer ( PHY ) interface
        and provides access to the distribution services via
        the wireless medium for associated clients.
        
        
        Mobile Node ( MN )
        
        A roaming 802.11 wireless device in a wireless
        network associated with an access point.
        
        Service Set Identifier (SSID)
        
        The Radio Service Set ID that is used by the mobile
        wireless clients for identification during the
        association with the APs.
        
        Temporal Key Integrity Protocol (TKIP)
        
        A security protocol defined to address the limitations
        of WEP.  Message Integrity Check and per-packet keying
        on all WEP-encrypted frames are two significant
        enhancements provided by TKIP to WEP.
        
        
        Counter mode with CBC-MAC Protocol (CCMP)
        
        A security protocol that uses the counter mode in
        conjunction with cipher block chaining.  This method
        divides the data into blocks, encrypts the first
        block, XORs the results with the second block,
        encrypts the result, XORs the result with the next
        block and continues till all the blocks are
        processed.  This way, this protocol derives a
        64-bit MIC which is appended to the plaintext data
        which is again encrypted using the counter mode.
        
        
        Message Integrity Check (MIC)
        
        The Message Integrity Check is an improvement over the
        Integrity Check Function (ICV) of the 802.11 standard.
        MIC adds two new fields to the wireless frames - a
        sequence number field for detecting out-of-order
        frames and a MIC field to provide a frame integrity
        check to overcome the mathematical shortcomings of
        the ICV.
        
        
        802.1x
        
        The IEEE ratified standard for enforcing port based
        access control.  This was originally intended for
        use on wired LANs and later extended for use in
        802.11 WLAN environments.  This defines an
        architecture with three main parts - a supplicant
        (e.g. an 802.11 wireless client), an authenticator
        (the AP) and an authentication server (a RADIUS
        server).  The authenticator passes messages back
        and forth between the supplicant and the
        authentication server to enable the supplicant
        to get authenticated to the network.
                       
        
        Extensible Authentication Protocol Over LAN (EAPOL)
        
        This is an encapsulation method defined by 802.1x
        for passing EAP packets over Ethernet frames.

Imported Objects

ciscoMgmt    CISCO-SMI
ifIndex    IF-MIB
MODULE-COMPLIANCE, OBJECT-GROUP    SNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Integer32, Counter32    SNMPv2-SMI
MacAddress, TimeStamp, TruthValue    SNMPv2-TC
ciscoDot11WidsMIB .1.3.6.1.4.1.9.9.456
ciscoDot11WidsMIBNotifs .1.3.6.1.4.1.9.9.456.0
ciscoDot11WidsMIBObjects .1.3.6.1.4.1.9.9.456.1
ciscoDot11WidsAuthFailures .1.3.6.1.4.1.9.9.456.1.1
cDot11WidsFloodDetectEnable .1.3.6.1.4.1.9.9.456.1.1.1
cDot11WidsEapolFloodThreshold .1.3.6.1.4.1.9.9.456.1.1.2
cDot11WidsEapolFloodInterval .1.3.6.1.4.1.9.9.456.1.1.3
cDot11WidsBlackListThreshold .1.3.6.1.4.1.9.9.456.1.1.4
cDot11WidsBlackListDuration .1.3.6.1.4.1.9.9.456.1.1.5
cDot11WidsFloodMaxEntriesPerIntf .1.3.6.1.4.1.9.9.456.1.1.6
cDot11WidsEapolFloodTable .1.3.6.1.4.1.9.9.456.1.1.7
cDot11WidsEapolFloodEntry .1.3.6.1.4.1.9.9.456.1.1.7.1
cDot11WidsEapolFloodIndex .1.3.6.1.4.1.9.9.456.1.1.7.1.1
cDot11WidsEapolFloodClientMac .1.3.6.1.4.1.9.9.456.1.1.7.1.2
cDot11WidsEapolFloodClientCount .1.3.6.1.4.1.9.9.456.1.1.7.1.3
cDot11WidsEapolFloodStartTime .1.3.6.1.4.1.9.9.456.1.1.7.1.4
cDot11WidsEapolFloodStopTime .1.3.6.1.4.1.9.9.456.1.1.7.1.5
cDot11WidsEapolFloodTotalCount .1.3.6.1.4.1.9.9.456.1.1.7.1.6
cDot11WidsBlackListTable .1.3.6.1.4.1.9.9.456.1.1.8
cDot11WidsBlackListEntry .1.3.6.1.4.1.9.9.456.1.1.8.1
cDot11WidsBlackListClientMac .1.3.6.1.4.1.9.9.456.1.1.8.1.1
cDot11WidsBlackListAttemptCount .1.3.6.1.4.1.9.9.456.1.1.8.1.2
cDot11WidsBlackListTime .1.3.6.1.4.1.9.9.456.1.1.8.1.3
ciscoDot11WidsProtectFailures .1.3.6.1.4.1.9.9.456.1.2
cDot11WidsProtectFailClientTable .1.3.6.1.4.1.9.9.456.1.2.1
cDot11WidsProtectFailClientEntry .1.3.6.1.4.1.9.9.456.1.2.1.1
cDot11WidsSsid .1.3.6.1.4.1.9.9.456.1.2.1.1.1
cDot11WidsWepReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.10
cDot11WidsWepIcvErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.11
cDot11WidsCkipReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.12
cDot11WidsCkipCmicErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.13
cDot11WidsClientMacAddress .1.3.6.1.4.1.9.9.456.1.2.1.1.2
cDot11WidsSelPairWiseCipher .1.3.6.1.4.1.9.9.456.1.2.1.1.3
cDot11WidsTkipIcvErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.4
cDot11WidsTkipLocalMicFailures .1.3.6.1.4.1.9.9.456.1.2.1.1.5
cDot11WidsTkipRemoteMicFailures .1.3.6.1.4.1.9.9.456.1.2.1.1.6
cDot11WidsCcmpReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.7
cDot11WidsCcmpDecryptErrors .1.3.6.1.4.1.9.9.456.1.2.1.1.8
cDot11WidsTkipReplays .1.3.6.1.4.1.9.9.456.1.2.1.1.9
ciscoDot11WidsMIBConform .1.3.6.1.4.1.9.9.456.2
ciscoDot11WidsMIBCompliances .1.3.6.1.4.1.9.9.456.2.1
ciscoDot11WidsMIBGroups .1.3.6.1.4.1.9.9.456.2.2
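
The description above says protection failures are detected on the NMS side by comparing the AP's statistics with thresholds configured on the NMS. The following is an added example of that comparison, not part of the MIB or of any Cisco tool: it takes two polls of cDot11WidsProtectFailClientTable and flags counters whose increase exceeds a threshold. It assumes the listed error and replay columns are Counter32 values; the instance suffixes, sample values and thresholds are constructed, and the function names are hypothetical.

```python
# Added example: NMS-side evaluation of cDot11WidsProtectFailClientTable counters.
ENTRY = ".1.3.6.1.4.1.9.9.456.1.2.1.1"   # cDot11WidsProtectFailClientEntry (from the OID list)
COLUMNS = {                               # counter columns, numbered as in the OID list
    4: "cDot11WidsTkipIcvErrors", 5: "cDot11WidsTkipLocalMicFailures",
    6: "cDot11WidsTkipRemoteMicFailures", 7: "cDot11WidsCcmpReplays",
    8: "cDot11WidsCcmpDecryptErrors", 9: "cDot11WidsTkipReplays",
    10: "cDot11WidsWepReplays", 11: "cDot11WidsWepIcvErrors",
    12: "cDot11WidsCkipReplays", 13: "cDot11WidsCkipCmicErrors",
}
WRAP = 2 ** 32                            # assumption: Counter32, rolls over after 2^32 - 1

def split_oid(oid):
    """Return (column, instance) for a counter OID under ENTRY, else None.
    The instance suffix is kept opaque; the table's INDEX is not shown on this page."""
    if not oid.startswith(ENTRY + "."):
        return None
    column, _, instance = oid[len(ENTRY) + 1:].partition(".")
    return (int(column), instance) if int(column) in COLUMNS else None

def evaluate(previous, current, thresholds):
    """Compare per-poll counter increases with NMS thresholds.
    previous/current: {oid: value} from two polls; thresholds: {name: max increase}."""
    events = []
    for oid, now in sorted(current.items()):
        parsed = split_oid(oid)
        if parsed is None or oid not in previous:
            continue                      # not a counter column, or client first seen this poll
        name = COLUMNS[parsed[0]]
        delta = (now - previous[oid]) % WRAP   # modulo absorbs a single counter rollover
        if name in thresholds and delta > thresholds[name]:
            events.append((name, parsed[1], delta))
    return events

# Constructed sample polls; instance suffixes and threshold values are made up.
INST_A, INST_B = "1.10.20.30", "1.10.20.31"
POLL_1 = {f"{ENTRY}.6.{INST_A}": 2, f"{ENTRY}.7.{INST_A}": 4294967290,
          f"{ENTRY}.7.{INST_B}": 100, f"{ENTRY}.1.{INST_A}": 0}
POLL_2 = {f"{ENTRY}.6.{INST_A}": 5, f"{ENTRY}.7.{INST_A}": 14,
          f"{ENTRY}.7.{INST_B}": 103, f"{ENTRY}.1.{INST_A}": 0}
THRESHOLDS = {"cDot11WidsTkipRemoteMicFailures": 1, "cDot11WidsCcmpReplays": 10}

if __name__ == "__main__":
    for name, instance, delta in evaluate(POLL_1, POLL_2, THRESHOLDS):
        print(f"{name} instance {instance}: +{delta} since last poll")
```

Comparing increases between polls rather than absolute values keeps a long-lived association from alarming forever, and the modulo step keeps a counter rollover from being misread as a huge negative change.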