
Wing 5.9. WIPS events explanation


I have just installed an AP6532 (WiNG 5.9), made a simple setup and enabled WIPS.

In WIPS events I see event name "unencrypted-wired-leakage".

What does it mean?

Is there a guide for WIPS?


8 replies

Userlevel 4
Tim, I don't think that a description exists for the WiNG WIPS alarms (that I can locate right now), but AirDefense contains essentially the same alarm and does have an explanation. Here is its explanation:

An access point is detected leaking wired traffic into the air. This indicates that the AP is not employing an encryption mechanism for multicast or broadcast traffic that originates from the wired side of the network. Multicast and broadcast traffic perform important functions that are vital for network discovery and content delivery. Since an access point acts as a bridge between the wired and the wireless medium, the AP will transmit this multicast and broadcast traffic into the air. In a typical corporate network, this data that is wirelessly transmitted should be encrypted by the AP to prevent it from being read by wireless eavesdroppers. If this multicast and broadcast traffic is not encrypted by the AP, then all layer 3 and above information in these packets will be clearly visible to wireless eavesdroppers.

Using layer 3 and above information, eavesdroppers can begin assembling a representation of the wired network, including routing protocols. In the case of NetBIOS traffic, the eavesdropper can also see devices that are located on the wired network. This type of AP misconfiguration is a security risk because the eavesdropper is able to operate in a listen-only mode and may therefore go undetected for extended periods of time. In addition to the primary security concerns of wired side leakage, networks with excessive amounts of broadcast or multicast traffic could also experience a degradation in their wireless network performance due to the frequent multicast transmissions.
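The condition described in the AirDefense text above can be checked on captured frames: a data frame sent by an AP (From DS set, To DS clear) to a broadcast or multicast address with the Protected bit clear. The following is an added example, not part of the original post and not WiNG's or AirDefense's detection logic; the function names and sample frames are constructed, and the input is assumed to be raw 802.11 frames with no radiotap header and no HT Control field.

```python
import struct

TO_DS, FROM_DS, PROTECTED = 0x01, 0x02, 0x40   # bits in the 2nd Frame Control byte
SNAP = b"\xaa\xaa\x03\x00\x00\x00"             # LLC/SNAP header before the EtherType
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def check_frame(frame):
    """Return a finding for cleartext group-addressed traffic relayed from the
    wired side by an AP, or None if the frame does not match."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or (subtype & 0x4):           # data frames only, skip Null/no-data
        return None
    if (flags & (TO_DS | FROM_DS)) != FROM_DS:  # only AP-to-wireless direction
        return None
    # With From DS=1, To DS=0: addr1=destination, addr2=BSSID, addr3=source
    da, bssid, sa = frame[4:10], frame[10:16], frame[16:22]
    if not (da[0] & 0x01) or (flags & PROTECTED):
        return None                             # unicast, or encrypted: not this alarm
    body = frame[24 + (2 if subtype & 0x8 else 0):]  # QoS data has 2 extra header bytes
    proto = "unknown"
    if body[:6] == SNAP and len(body) >= 8:
        ethertype = struct.unpack("!H", body[6:8])[0]
        proto = ETHERTYPES.get(ethertype, hex(ethertype))
    return {"bssid": mac(bssid), "wired_source": mac(sa),
            "dest": mac(da), "protocol": proto}

def build(flags, da, payload, fc0=0x08):
    """Constructed sample frame: Frame Control, duration, 3 addresses, seq ctrl."""
    return bytes([fc0, flags]) + b"\x00\x00" + da + BSSID + WIRED + b"\x00\x00" + payload

# Constructed sample data (locally administered MAC addresses)
BSSID, WIRED = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST, CLIENT = b"\xff" * 6, bytes.fromhex("020000000003")
ARP = SNAP + b"\x08\x06" + b"\x00" * 28
LEAK = build(FROM_DS, BCAST, ARP)                    # cleartext broadcast from wired side
ENCRYPTED = build(FROM_DS | PROTECTED, BCAST, b"\x00" * 36)
UNICAST = build(FROM_DS, CLIENT, ARP)
BEACON = build(0x00, BCAST, b"", fc0=0x80)           # management frame, not data

if __name__ == "__main__":
    for name, f in [("leak", LEAK), ("encrypted", ENCRYPTED),
                    ("unicast", UNICAST), ("beacon", BEACON)]:
        print(name, check_frame(f))
```

The `bssid` field of a finding identifies the AP relaying the traffic and `wired_source` the wired host whose broadcast was exposed.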
Thank you Chris!

In the event string I see "Reporting AP" and "Originating device".

As far as I understand, the "Originating device" uses broadcast traffic?

How can I set up the AP to avoid that?

Userlevel 4
Correct. Reporting AP would be the 'sensor' so to speak - that was responsible for the event being able to be seen. The Originating device should be the 'Offending' device.
Userlevel 5
The below is a WiNG guide; there is not much descriptive info in it for the WIPS events
Userlevel 4
There appears to be *no* description for any of the AP Anomaly events in that doc...
Yes. There are no WIPS descriptions in the Reference Guide.

Could you please explain what the event "wireless-bridge" means?

There are a lot of neighboring APs nearby in the building. Some of them, I guess, are bridged between each other.

Is there a way to detect a bridge to my APs?

Userlevel 4
The description/name of this alert is a little vague, but in the basic sense, a wireless-bridge would be an access point that is wirelessly connected directly to another access point. If you are seeing this event alert, it should specify the access points in question. The first thing to determine is if any of the APs are 'yours'. If none of the APs are yours, then this alert can be ignored. If any of the APs are yours, you need to confirm that their bridge connection is expected behavior.
Thanks Chris.