Protecting the WiFi network

Wireless IDS

WiFi data channel encryption

Protected Management Frames and Opportunisitc Key Caching support

Preventing local bridge traffic from reaching the LAN

FortiAP-S UTM support

DHCP snooping and option 82 (circuit -id) options for wireless access points

Wireless IDS

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

• Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
• Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
• Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
• Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-athenticate, then re-authenticate with their AP.
• EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
• Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
• Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200. l Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
• Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
• Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
• Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable wireless IDS by selecting a WIDS Profile in your FortiAP profile.

To create a WIDS Profile

1. Go to WiFi & Switch Controller > WIDS Profiles.
2. Select a profile to edit or select Create New.
3. Select the types of intrusion to protect against. By default, all types are selected.
4. Select Apply.

You can also configure a WIDS profile in the CLI using the config wireless-controller widsprofile command.

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Wireless network monitoring on page 115.

WIDS client deauthentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the deauthentication rate.

config wireless-controller wids-profile edit default set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of deathorizations per second. 0 means no limit. The default is 10.

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.

Configuring encryption on the FortiGate unit

You can use the CLI to configure data channel encryption.

Enabling encryption

In the CLI, the wireless wtp-profile command contains a new field, dtls-policy, with options clear-text and dtls-enabled. To enable encryption in profile1 for example, enter:

config wireless-controller wtp-profile edit profile1 set dtls-policy dtls-enabled

end

Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption – FortiAP web-based manager

1. On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:

l Clear Text l DTLS Enabled l Clear Text or DTLS Enabled (default)

2. Select Apply.

Enabling encryption – FortiAP CLI

You can set the data channel encryption using the AP_DATA_CHAN_SEC variable: ‘clear’, or ‘ipsec’, or ‘dtls’.

For example, to set security to DTLS and then save the setting, enter:

cfg -a AP_DATA_CHAN_SEC=dtls cfg -c

Protected Management Frames and Opportunisitc Key Caching support

Protected Management Frames (PMF) protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

To facilitate faster roaming client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange process when it roams to another AP on the same network.

Use of PMF and OKC on an SSID is configurable only in the CLI:

config wireless-controller vap edit <vap_name> set pmf {disable | enable | optional} set pmf-assoc-comeback-timeout <integer> set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}

next end

Protected Management Frames and Opportunisitc Key Caching support

When pmf is set to optional, it is considered enabled, but will allow clients that do not use PMF. When pmf is set to enable, PMF is required by all clients.

Bluetooth Low Energy (BLE) Scan

The FortiGate can configure FortiAP Bluetooth Low Energy (BLE) scan, incorporating Google’s BLE beacon profile known as Eddystone, used to identify groups of devices and individual devices.

Use the following syntax to configure BLE profiles, configure BLE report intervals, and assign BLE profiles to WTP profiles.

CLI syntax – Configure BLE profiles

config wireless-controller ble-profile edit <name> set comment <comment>

set advertising {ibeacon | eddystone-uid | eddystone-url} set ibeacon-uuid <uuid> set major-id <0 – 65535> – (default = 1000) set minor-id <0 – 65535> – (default = 1000) set eddystone-namespace <10-byte namespace> set eddystone-instance <device id> set eddystone-url <url> set txpower <0 – 12> – (default = 0) set beacon-interval <40 – 3500> – (default = 100) set ble-scanning {enable | disable} – (default = disable)

next

end

Note that txpower determines the transmit power level on a scale of 0-12:

CLI syntax – Configure BLE report intervals

config wireless-controller timers set ble-scan-report-intv – (default = 30 sec)

end

CLI syntax – Assign BLE profiles to WTP profiles

config wireless-controller wtp-profile edit <name> set ble-profile <name> next

end

Preventing local bridge traffic from reaching the LAN

The following command can be enabled so that when a client connects to a VAP, and its traffic is not tunneled to the controller, the admin can control whether the client can access the local network.

Note that this entry is only available when local-standalone-nat is set to enable.

Syntax:

config wireless-controller vap edit <name> set local-lan {allow | deny}

next

end

FortiAP-S UTM support

When a FortiAP-S is managed by a FortiGate in Bridge mode, support is provided for the following UTM functions: AntiVirus, IPS, Botnet, Web Filtering, and Application Control.

config wireless-controller utm-profile edit <name> set comment “Default configuration for offloading WiFi traffic.” set ips-sensor “wifi-default” set application-list “wifi-default” set antivirus-profile “wifi-default” set webfilter-profile “wifi-default”

set firewall-profile-protocol-options “wifi-default” set firewall-ssl-ssh-profile “wifi-default”

next

end

config wireless-controller vap edit <name> set utm-profile

end

end

DHCP snooping and option 82 (circuit -id) options for wireless access points

New commands are available to enable or disable (by default) DHCP 82 option insertion for wireless access points. DHCP snooping is used to prevent rogue DHCP servers from offering IP addresses to DHCP clients.

Syntax

config wireless-controll vap edit wifi set dhcp-option82-insertion {enable | disable}

set dhcp-option82-circuit-id-insertion {style-1 | style-2 | disable}

DHCP snooping and option 82 (circuit -id) options for wireless access points

set dhcp-option82-remote-id-insertion {style-1 | disable}

next end