CISCO-LWAPP-IDS-MIB: View SNMP OID List / Download MIB

This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight Access Point Protocol tunnel from Light-weight LWAPP Access Points. This MIB provides the information used to integrate the LWAPP controller with external IDS/IPS applications. LWAPP controllers interact with these applications to protect the network against various threats that would compromise the overall security of the network. The arrangement of the IDS / IPS applications, controller (referred to as CC in the diagram) and the LWAPP APs appear as follows. +.......+ +.......+ + + + + + IDS + + IDS + + IPS + + IPS + +.......+ +.......+ . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ + + + + + + + + + CC + + CC + + CC + + CC + + + + + + + + + +......+ +......+ +......+ +......+ .. . . . .. . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + AP + + AP + + AP + + AP + + AP + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ . . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + MN + + MN + + MN + + MN + + MN + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. The controllers and the IDS systems exchange information through Cisco proprietary event exchange mechanisms. LWAPP APs, upon bootup, discover and join one of the controllers and the controller pushes the configuration, that includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. One or more controllers hold logical connections to an IDS / IPS and interact with it to enforce security on the network. GLOSSARY Access Point ( AP ) An entity that contains an 802.11 medium access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and sends them to the controller to which it is logically connected. Central Controller ( CC ) The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity is also referred to as 'controller'. HyperText Transfer Protocol Over Secure Socket Layer (HTTPS) HTTPS is a Web based protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP. SSL uses a 40-bit key for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange. Intrusion Detection System ( IDS ) An IDS performs activities like enforcing security related policies, identifying and reporting attacks on the network etc., thereby helping to improve the overall security of the enterprise network. Intrusion Prevention System ( IPS ) An IPS offers significant protection to the network against viruses, worms, signature attacks etc. This system detects L3 - L7 attacks. This system can also instruct other IPS clients through standards based protocols to allow/block network access for specific network entities. Light Weight Access Point Protocol ( LWAPP ) This is a generic protocol that defines the communication between the Access Points and the controller. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. Network Management System ( NMS ) The station from which the administrator manages the wired and wireless networks. Secure Hash Algorithm ( SHA ) The SHA, developed by NIST for use with the Digital Signature Standard (DSS) is specified within the Secure Hash Standard (SHS). SHA is a cryptographic message digest algorithm similar to the MD4 family of hash functions developed by Rivest. It differs from the MD4 hash functions in that it adds an additional expansion operation, an extra round and the whole transformation was designed to accomodate the DSS block size for efficiency. REFERENCE [1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications. [2] Draft-obara-capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol

This notification is sent by the agent with cLIdsClientTimeRemaining indicating a value greater than 0, whenever it adds a row to cLIdsClientExclTable. The agent also sends this notification with cLIdsClientTimeRemaining equal to 0, when it removes a row from cLIdsClientExclTable.

This table facilitates the configuration of a group of IPS sensors to which the LWAPP controller would subscribe to retrieve the IDS events from the respective sensors. IPS sensors are used to protect the network by helping to detect and report threats like worms, viruses etc. By subscribing to such a sensor, the LWAPP controller, through appropriate interfaces, can retrieve the events detected by the sensor and report the same to the NMS. The controller can accept the request, to block the packets from an IP address, from each Sensor configured through this table and block the data traffic originating from that particular source. Rows are added or deleted to the table by explicit management actions initiated by the user from a network management station. Information about each IPS sensor is uniquely identified by the network address of the respective sensor.

There is an entry in this table for each IPS sensor identified by cLIdsIpsSensorAddressType and cLIdsIpsSensorAddress from which the controller can accept requests to block certain clients.

This object represents the type of the network address made available through cLIdsIpsSensorAddress.

This object represents the network address of the IPS sensor. The type of the network address represented by this object is determined by the value of cLIdsIpsSensorAddressType.

This object represents the user name in use by the LWAPP controller to get authenticated with the IPS sensor.

This object represents the password following the username used by the LWAPP controller to get authenticated with the IPS sensor. Note that the read operation on this object returns a string in the pattern '****' for security reasons.

This object represents the time interval at which the controller would query this particular IPS sensor for IDS events.

This object represents the status of this IPS sensor as seen by controller for its interaction with the sensor. A value of 'true' indicates the controller shall query the sensor for events and respond to the requests from the sensor. A value of 'false' indicates the controller's communication with the sensor is disabled.

This object represents the SHA1 hash done on the sensor certificate and configured as a series of 40 hexadecimal digits. This hash value is needed to verify the validity of the certificate to prevent security attacks. Note that the read operation on this object returns a string in the pattern '****' for security reasons.

This object represents the HTTPS port on the sensor on which the controller polls the sensor.

This is the status column for this row and used to create and delete specific instances of rows in this table.

This table lists those clients whose data packets are to be blocked as requested by the IPS sensor due to the detection of attacks at layer 3 to layer 7 involving the particular client. This table has an expansion dependent relationship with cLIdsIpsSensorConfigTable. There may exist one or more rows corresponding to the row for each sensor configured through cLIdsIpsSensorConfigTable. An entry is added to this row by the agent when the controller receives the block request from one of the IPS sensors configured through cLIdsIpsSensorConfigTable. The controller sends the ciscoLwappIdsShunClientUpdate notification to indicate that the controller shall be blocking the particular client for a period equal to cLIdsClientTimeRemaining. The entry corresponding to a particular client is removed when one of the following happens. (i) When the configuration about the particular IPS sensor is removed from the controller, either through an explicit management action initiated through the NMS or when the controller reboots. (ii) When the remaining time period for which the client will be blocked as indicated by cLIdsClientTimeRemaining, expires. (iii) When the IPS sensor explicitly requests the controller to stop blocking the client's data packets. The controller sends the ciscoLwappIdsShunClientUpdate notification with cLIdsClientTimeRemaining equal to 0 to indicate that the client won't be blocked any further, on one of the three conditions for entry removal mentioned above.

Each entry in this table represents the information about a wireless client whose data packets are requested to be blocked by the controller. The request is made by the IPS sensor identified by cLIdsIpsSensorAddress.

This object identifies the type of the network address being populated by cLIdsClientAddress.

This object identifies the network address of the wireless client whose data packets have been requested to be blocked by the controller. The type of the network address represented by this object is determined by the value of cLIdsClientAddressType.

This object indicates the remaining time for which the client's data packets are going to be blocked by the controller.

The compliance statement for the SNMP entities that implement the ciscoLwappIdsMIB module.

This collection of objects provides the information used to integrate a controller with external IDS/IPS applications.

This collection of objects provides the status of the various operations the controller performs together with external IDS/IPS applications.

This collection of objects provides the information about the notifications sent by the agent related to IDS.