Xirrus Defense Module (XDM)
Overview
Value Delivered
Successful enterprise Wi-Fi deployments must implement multiple levels of security to ensure confidentiality of information and protection from malicious attacks. The industry has taken extraordinary steps to ensure such security is obtainable and standardized. The result is that, when best practices are followed, Wi-Fi networks can be built that exceed the security level of even wired networks.
The Xirrus Defense Module (XDM) ensures the security of a Wi-Fi Array network by implementing a comprehensive Intrusion Detection/Intrusion Prevention (IDS/IPS) system. The XDM leverages a dedicated, integrated RF threat sensor on each Array to provide proactive monitoring and threat mitigation in the RF environment. In contrast, competitive Wi-Fi systems require either 1) radios to time-share between monitoring and supporting wireless users, or 2) dedicated sensor hardware overlaid on the Wi-Fi network to implement proactive IDS/IPS. The dedicated and integrated threat monitoring and mitigation functionality of Xirrus Arrays optimizes user performance, reduces costs, and simplifies management.

Key Features
- Continuous 24x7 monitoring of the wireless RF environment without "time-sharing" radios with Wi-Fi client stations
- Leverages embedded RF threat sensor built into each Xirrus Array for threat/attack detection and prevention
- Detection of potential rogue or malicious APs, ad hoc devices, and stations
- Central correlation and anomaly detection of over 130 different wireless threats, attacks, and vulnerabilities
- Automated shielding of rogue devices by Array radios to contain threatening devices when detected, while still scanning for new threats
- Ensures compliance with wireless security policies and regulations through automated reporting
- Multi-user client-server architecture allows remote access to the XDM console and scales to the largest of deployments
Complete Threat Monitoring
The XDM offers a complete wireless IDS/IPS implementation, providing the ability to scan over 220 channels across the frequency spectrum usable by 802.11 networks. The system's comprehensive scanning capabilities are enabled by dedicated threat sensor hardware on each Array purpose-built for wireless surveillance. Unlike sensors using "off-the-shelf" access point (AP) hardware that is limited to scanning one region at a time, Xirrus scans all 802.11a/b/g channels in the regulatory domains of the U.S., Europe, and Asia. The ability to scan all regions simultaneously is particularly important to global organizations, where employees are more likely to introduce 'out-of-region' rogues.
Policy-based Threat Prioritization
Through its Policy Enforcement facilities, the XDM can be used to enforce corporate policy via easy-to-use, automated threat prioritization. Fully definable threat assessment criteria enable multiple security policies to be defined, including classifications such as location, device, configuration and time.
Fully Automated Threat Mitigation
Active shielding provides stateful technology that ensures the highest level of threat mitigation. This robust, fully automated functionality contains rogue devices and locks down mobile device configurations while simultaneously scanning for new threats. The shielding feature actively participates in the network state: it first lures malicious devices and then completely isolates them from the rest of the wireless network. The patent-pending technology contains any AP or client, even the most difficult to contain ad-hocs and 'Centrino' laptops. These prevention techniques will contain multiple devices simultaneously even when they are roaming, and will not deny service to other authorized Wi-Fi users. Shielding may be initiated manually or automatically according to a central prevention-activation policy.
Automated Compliance Reporting
The Xirrus XDM ensures compliance with wireless security policies and regulations through automated report generation and distribution. Reporting functionality includes pre-configured compliance reports such as PCI, DoD 8100.2, HIPAA, and GLBA. The AutoReports feature enables automated report scheduling and forwarding, and customized delivery to multiple locations, users, and formats.
General Specifications
| Classification | Classify wireless users and access points as unclassified, authorized, neighbor, and unauthorized. |
| Policies | Detailed shielding policies enable automatic response to threats |
| Alerts and Alarms | Built-in alarm definition and user-definable priority |
| Notification | Policy-based notification system via email, pager and other devices |
Wireless Threats / Issues Detected
- Client BSSID Changed
- AP is Using Default SSID
- AirJack Attack Detected
- Wellenreiter Detected
- AP SSID Changed
- AP Channel Change
- Unauthorized AP Detected
- Unauthorized Client Detected
- Unauthorized Ad-hoc Client Detected
- Station is Operating As Unauthorized Type
- AP Broadcasting SSID
- AP Reported a Problem to a Client
- Ad-hoc Network Operating
- AP Is Not Using Encryption
- Station is Using Weak WEP IVs
- Station with Excess Retransmissions
- Service Van Nearby
- Station is Using Random MAC Address
- Fata-Jack Attack Detected
- Spoofed MAC Address
- Deauthentication Storm
- New AP Discovered
- New Client Discovered
- New Adhoc Client Discovered
- Access Point Restarted
- ASLEAP Attack Detected
- AP Overloaded
- Client Rate Support Mismatch
- Spurious Traffic Sent by Client
- Disassociation Storm
- Association Storm
- Authentication Storm
- RF Jamming Detected
- EAPoL Start Storm
- EAPoL Logoff Storm
- Adhoc SSID Same as Authorized AP
- Channel with too Many APs
- Client (Authorized) Connected to Rogue AP
- Netstumbler Detected
- Duration Attack Detected
- WDS in Operation/Bridging
- AP Supports Multiple SSIDs
- Sensor Missed Keep-alive
- Sensor Failed to Start
- AP is Using Hotspot SSID
- Hotspotter Attack Detected
- Airsnarf Attack Detected
- WEPWedgie Attack Detected
- NetBIOS Traffic
- Client (Rogue) Connected to Authorized AP
- Client Probing for Any Access Point
- Authorized AP is Down
- Authorized AP Denied Association
- Constant Traffic Sent/Received by Rogue Client
- Authorized AP Denied Authentication
- Fake AP Operating
- Fake Client Operating
- Initiating Containment of AP
- Initiating Containment of Client
- Channel with Excessive Errors
- Constant Traffic Sent/Received by Authorized Client
- Engine Started
- Engine Stopped
- Client Prevented from Using AP
- Unmodified Omerta Attack
- Omerta Attack
- Possible ARP Worm Traffic
- Possible IP Worm Traffic
- Possible ARP Poison - IP Hijack
- Aruba Attack
- Possible Aireplay WEP Attack in Use
- Wrong Beacon Channel Number Reported
- Rogue Access Point Connected to LAN
- Client Notified AP That It's Leaving
- Radar Interference Detected
- Client Not Using Encryption
- AP Sending Both Encrypted & Unencrypted Data
- Client Sending Both Encrypted and Unencrypted Data
- Spurious Traffic Sent by AP
- Unauthorized AP Using Same SSID as Authorized AP
- Suspected Evil Twin Attack
- Client Reported a Problem to an AP
- Possible ARP Poison - Multi IP Hijack
- Policy Enforce Alert
- Detected Soft AP
- Detected AP/Client State Change
- Broadcast Disassociation Packet
- Broadcast Deauthentication Packet
- Improper Broadcast Packet
- Turbocell Detected
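As an added example (not Xirrus code), the following toy defender-side logic applies the four XDM device classes from the General Specifications table (unclassified, authorized, neighbor, unauthorized) to observed APs, emits alert names taken from the threat list above, and counts deauthentication frames per BSSID the way a "Deauthentication Storm" detector would. The AP inventories, the `on_wired_lan` flag, the frame tuples and the storm threshold are all constructed assumptions.

```python
# Added example, not Xirrus code. Inventories and frames used here are constructed.
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of the organisation's own APs (BSSID -> SSID) and of
# BSSIDs an operator has already marked as harmless neighbours.
AUTHORIZED = {"00:11:22:33:44:01": "corp-wifi", "00:11:22:33:44:02": "corp-wifi"}
NEIGHBORS = {"aa:bb:cc:dd:ee:10"}
OUR_SSIDS = set(AUTHORIZED.values())

@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    encrypted: bool
    on_wired_lan: bool  # hypothetical flag: this BSSID's MAC was also seen on the wired side

def classify(ap: ObservedAP) -> str:
    """Map one observed AP onto the four XDM classes."""
    if ap.bssid in AUTHORIZED:
        return "authorized"
    if ap.bssid in NEIGHBORS:
        return "neighbor"
    # An unknown AP advertising our SSID or bridged to our LAN is a rogue, not a bystander.
    if ap.ssid in OUR_SSIDS or ap.on_wired_lan:
        return "unauthorized"
    return "unclassified"

def alerts_for(ap: ObservedAP) -> list[str]:
    """Alert names (from the datasheet's threat list) raised for one observed AP."""
    cls, out = classify(ap), []
    if cls == "unclassified":
        out.append("New AP Discovered")
    elif cls == "unauthorized":
        out.append("Unauthorized AP Detected")
        if ap.ssid in OUR_SSIDS:
            out.append("Unauthorized AP Using Same SSID as Authorized AP")
        if ap.on_wired_lan:
            out.append("Rogue Access Point Connected to LAN")
    if not ap.encrypted:
        out.append("AP Is Not Using Encryption")
    return out

def deauth_storm(frames, window_s=1.0, threshold=20) -> list[str]:
    """BSSIDs that sent more than `threshold` deauthentication frames inside one
    fixed `window_s`-second bucket; `frames` are (timestamp, bssid, subtype) tuples."""
    buckets = Counter((b, int(ts // window_s)) for ts, b, sub in frames if sub == "deauth")
    return sorted({b for (b, _), n in buckets.items() if n > threshold})
```

A real sensor would feed `alerts_for` from beacon/probe-response captures and `deauth_storm` from management-frame timestamps; the fixed-bucket counter is a simplification of a sliding window.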
Monitoring Features
| RF | Scans all 802.11 frequencies; view channel, signal strength, noise and utilization statistics |
| Devices | View access points, ad hocs, and stations; detailed data on every detected device, including signal strength, estimated distance from sensor, channel, security setting, and throughput statistics |
| Dashboard | IDS/IPS summary of attacks, threats, vulnerabilities, and shields over time; device summary of rogue, ad hoc, and stations; performance summary of busiest access points and stations; RF summary of devices per channel |
Shielding Features
| RF Shielding | Disassociate users from unauthorized access points and keep them off; disassociate unauthorized users from any access point; disassociate users from unauthorized ad-hoc connections |
| Network Shielding | Discover unauthorized access points on the wired network; disable network switch ports for that rogue access point |
Reporting Features
| Reporting Features | Pre-configured Reports for the most common report types |
| Automated Reports | Automatic Report generation and distribution via email |
| Customized Reports | User-Definable Reports |
Packet Analysis
| Packet Capture | Capture and decode all packets for a specific user |
Sensor Discovery
| Sensor Discovery Features | Automatic Array sensor discovery |
Backup and Restore
| Backup and Restore Features | Save and Restore all policy definitions and other application data |
System Requirements
| Server Hardware Minimum Requirements | Windows 2003 Server or Windows XP (SP1 or later required); 2.4GHz or greater CPU; 1GB RAM; 10GB or greater disk |
| Client Hardware Minimum Requirements | Windows XP SP1 or Windows Server 2000; 1.8GHz or greater CPU; 256MB RAM; 100MB or greater disk |
Software Warranty
| Software | 90 days (extendable) |
Product Ordering Information
Xirrus Defense Module
| XA-3300-IDS-10 | XDM (Xirrus Defense Module) IDS/IPS Software and 10 Wi-Fi Array License, or Additional 10 Wi-Fi Array License |
