安全协作:思科IPS和思科无线

很多人都不知道思科IPS 4200系列传感器可以与思科无线局域网控制器(WLC)协作来保护网络。这个解决方案允许您扩展您的安全保护方式，超出嵌入式无线签名所能提供的。它将您的无线攻击检测/预防能力从单独的第2层领域，嵌入式无线签名提供，到第2-7层领域。由于层2-7的保护可以说是你想要/需要的，这个解决方案可以帮你达到目的。那么它是如何工作的呢?想象一下这个例子;感染了蠕虫病毒的用户连接到您的无线网络。蠕虫试图通过第七层攻击扩散到数据中心的一些内部服务器。无线IDS签名看不到攻击，因为它们只寻找第2层攻击。但是，保护数据中心服务器的IPS传感器确实能看到攻击。 The IPS sensor communicates the attackers IP address to the Wireless controller. The Wireless controller does the IP address to MAC address correlation and finds the attacker is currently connected to Access Point XYZ. At that point the controller disassociates (kicks off) the attacker on the wireless network for a period of time. The wireless controller will also alert all other controllers in the same mobility group to not allow the attacker access. This behavior, in effect, will deny the attacker’s MAC address from re-connecting via wireless anywhere at your site for a set period of time. The previous example demonstrates precisely how the Cisco IPS-Wireless collaboration works. A single Wireless controller can collaborate with up to 5 Cisco IPS sensors simultaneously. This increases the protection/detection envelope that a single controller can cover. One of the nice things about this solution is it doesn’t require you to put an IPS sensor inline behind every controller. You can use any sensor that is IP reachable from the controller. This allows you to leverage any existing Cisco sensors you may already have. It also allows you the flexibility to be able to deploy your sensors in either IDS mode or IPS mode since the controller is doing the blocking. Once a client is disassociated from a controller due to the IPS collaboration a message is sent both via the sensor platform and from the controller itself. So if wireless and security are being managed by different groups both groups will see the event. The solution is granular enough so that it only disassociates users that have fired certain high risk IPS signatures of your choice. Or one better, only disassociate users that have fired an event that has a Risk Rating of between 80-100. If you are not familiar with how Cisco IPS calculates Risk Rating see here http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_white_paper0900aecd80191021.shtml . The Cisco IPS-Wireless collaboration solution works with any Cisco WLC running code 4.x or later and any Cisco IPS sensor platform running code 5.x or later. For more details see here http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807360fc.shtml I think this is a pretty compelling solution, especially for current Cisco wireless and IPS customers. What do you think?