CISCO-LWAPP-IDS-MIB

File: CISCO-LWAPP-IDS-MIB.mib (24707 bytes)

Imported modules

SNMPv2-SMI SNMPv2-CONF SNMPv2-TC
SNMP-FRAMEWORK-MIB INET-ADDRESS-MIB CISCO-SMI

Imported symbols

MODULE-IDENTITY OBJECT-TYPE NOTIFICATION-TYPE
Unsigned32 MODULE-COMPLIANCE OBJECT-GROUP
NOTIFICATION-GROUP TruthValue TimeInterval
RowStatus SnmpAdminString InetAddressType
InetAddress ciscoMgmt

Defined Types

CLIdsIpsSensorConfigEntry  
SEQUENCE    
  cLIdsIpsSensorAddressType InetAddressType
  cLIdsIpsSensorAddress InetAddress
  cLIdsIpsSensorUserName SnmpAdminString
  cLIdsIpsSensorPassword SnmpAdminString
  cLIdsIpsSensorQueryInterval TimeInterval
  cLIdsIpsSensorEnabled TruthValue
  cLIdsIpsSensorFingerPrintHex OCTET STRING
  cLIdsIpsSensorPort Unsigned32
  cLIdsIpsSensorRowStatus RowStatus

CLIdsClientExclEntry  
SEQUENCE    
  cLIdsClientAddressType InetAddressType
  cLIdsClientAddress InetAddress
  cLIdsClientTimeRemaining TimeInterval

Defined Values

ciscoLwappIdsMIB 1.3.6.1.4.1.9.9.519
This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight Access Point Protocol tunnel from Light-weight LWAPP Access Points. This MIB provides the information used to integrate the LWAPP controller with external IDS/IPS applications. LWAPP controllers interact with these applications to protect the network against various threats that would compromise the overall security of the network. The arrangement of the IDS / IPS applications, controller (referred to as CC in the diagram) and the LWAPP APs appear as follows. +.......+ +.......+ + + + + + IDS + + IDS + + IPS + + IPS + +.......+ +.......+ . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ + + + + + + + + + CC + + CC + + CC + + CC + + + + + + + + + +......+ +......+ +......+ +......+ .. . . . .. . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + AP + + AP + + AP + + AP + + AP + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ . . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + MN + + MN + + MN + + MN + + MN + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. The controllers and the IDS systems exchange information through Cisco proprietary event exchange mechanisms. LWAPP APs, upon bootup, discover and join one of the controllers and the controller pushes the configuration, that includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. One or more controllers hold logical connections to an IDS / IPS and interact with it to enforce security on the network. GLOSSARY Access Point ( AP ) An entity that contains an 802.11 medium access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and sends them to the controller to which it is logically connected. Central Controller ( CC ) The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity is also referred to as 'controller'. HyperText Transfer Protocol Over Secure Socket Layer (HTTPS) HTTPS is a Web based protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP. SSL uses a 40-bit key for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange. Intrusion Detection System ( IDS ) An IDS performs activities like enforcing security related policies, identifying and reporting attacks on the network etc., thereby helping to improve the overall security of the enterprise network. Intrusion Prevention System ( IPS ) An IPS offers significant protection to the network against viruses, worms, signature attacks etc. This system detects L3 - L7 attacks. This system can also instruct other IPS clients through standards based protocols to allow/block network access for specific network entities. Light Weight Access Point Protocol ( LWAPP ) This is a generic protocol that defines the communication between the Access Points and the controller. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. Network Management System ( NMS ) The station from which the administrator manages the wired and wireless networks. Secure Hash Algorithm ( SHA ) The SHA, developed by NIST for use with the Digital Signature Standard (DSS) is specified within the Secure Hash Standard (SHS). SHA is a cryptographic message digest algorithm similar to the MD4 family of hash functions developed by Rivest. It differs from the MD4 hash functions in that it adds an additional expansion operation, an extra round and the whole transformation was designed to accomodate the DSS block size for efficiency. REFERENCE [1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications. [2] Draft-obara-capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol
MODULE-IDENTITY    

ciscoLwappIdsMIBNotifs 1.3.6.1.4.1.9.9.519.0
OBJECT IDENTIFIER    

ciscoLwappIdsMIBObjects 1.3.6.1.4.1.9.9.519.1
OBJECT IDENTIFIER    

ciscoLwappIdsMIBConform 1.3.6.1.4.1.9.9.519.2
OBJECT IDENTIFIER    

ciscoLwappIdsConfig 1.3.6.1.4.1.9.9.519.1.1
OBJECT IDENTIFIER    

ciscoLwappIdsStatus 1.3.6.1.4.1.9.9.519.1.2
OBJECT IDENTIFIER    

cLIdsIpsSensorConfigTable 1.3.6.1.4.1.9.9.519.1.1.1
This table facilitates the configuration of a group of IPS sensors to which the LWAPP controller would subscribe to retrieve the IDS events from the respective sensors. IPS sensors are used to protect the network by helping to detect and report threats like worms, viruses etc. By subscribing to such a sensor, the LWAPP controller, through appropriate interfaces, can retrieve the events detected by the sensor and report the same to the NMS. The controller can accept the request, to block the packets from an IP address, from each Sensor configured through this table and block the data traffic originating from that particular source. Rows are added or deleted to the table by explicit management actions initiated by the user from a network management station. Information about each IPS sensor is uniquely identified by the network address of the respective sensor.
OBJECT-TYPE    
  SEQUENCE OF  
    CLIdsIpsSensorConfigEntry

cLIdsIpsSensorConfigEntry 1.3.6.1.4.1.9.9.519.1.1.1.1
There is an entry in this table for each IPS sensor identified by cLIdsIpsSensorAddressType and cLIdsIpsSensorAddress from which the controller can accept requests to block certain clients.
OBJECT-TYPE    
  CLIdsIpsSensorConfigEntry  

cLIdsIpsSensorAddressType 1.3.6.1.4.1.9.9.519.1.1.1.1.1
This object represents the type of the network address made available through cLIdsIpsSensorAddress.
OBJECT-TYPE    
  InetAddressType  

cLIdsIpsSensorAddress 1.3.6.1.4.1.9.9.519.1.1.1.1.2
This object represents the network address of the IPS sensor. The type of the network address represented by this object is determined by the value of cLIdsIpsSensorAddressType.
OBJECT-TYPE    
  InetAddress  

cLIdsIpsSensorUserName 1.3.6.1.4.1.9.9.519.1.1.1.1.3
This object represents the user name in use by the LWAPP controller to get authenticated with the IPS sensor.
OBJECT-TYPE    
  SnmpAdminString  

cLIdsIpsSensorPassword 1.3.6.1.4.1.9.9.519.1.1.1.1.4
This object represents the password following the username used by the LWAPP controller to get authenticated with the IPS sensor. Note that the read operation on this object returns a string in the pattern '****' for security reasons.
OBJECT-TYPE    
  SnmpAdminString  

cLIdsIpsSensorQueryInterval 1.3.6.1.4.1.9.9.519.1.1.1.1.5
This object represents the time interval at which the controller would query this particular IPS sensor for IDS events.
OBJECT-TYPE    
  TimeInterval 1000..360000  

cLIdsIpsSensorEnabled 1.3.6.1.4.1.9.9.519.1.1.1.1.6
This object represents the status of this IPS sensor as seen by controller for its interaction with the sensor. A value of 'true' indicates the controller shall query the sensor for events and respond to the requests from the sensor. A value of 'false' indicates the controller's communication with the sensor is disabled.
OBJECT-TYPE    
  TruthValue  

cLIdsIpsSensorFingerPrintHex 1.3.6.1.4.1.9.9.519.1.1.1.1.7
This object represents the SHA1 hash done on the sensor certificate and configured as a series of 40 hexadecimal digits. This hash value is needed to verify the validity of the certificate to prevent security attacks. Note that the read operation on this object returns a string in the pattern '****' for security reasons.
OBJECT-TYPE    
  OCTET STRING Size(40)  

cLIdsIpsSensorPort 1.3.6.1.4.1.9.9.519.1.1.1.1.8
This object represents the HTTPS port on the sensor on which the controller polls the sensor.
OBJECT-TYPE    
  Unsigned32 1..65535  

cLIdsIpsSensorRowStatus 1.3.6.1.4.1.9.9.519.1.1.1.1.9
This is the status column for this row and used to create and delete specific instances of rows in this table.
OBJECT-TYPE    
  RowStatus  

cLIdsClientExclTable 1.3.6.1.4.1.9.9.519.1.2.1
This table lists those clients whose data packets are to be blocked as requested by the IPS sensor due to the detection of attacks at layer 3 to layer 7 involving the particular client. This table has an expansion dependent relationship with cLIdsIpsSensorConfigTable. There may exist one or more rows corresponding to the row for each sensor configured through cLIdsIpsSensorConfigTable. An entry is added to this row by the agent when the controller receives the block request from one of the IPS sensors configured through cLIdsIpsSensorConfigTable. The controller sends the ciscoLwappIdsShunClientUpdate notification to indicate that the controller shall be blocking the particular client for a period equal to cLIdsClientTimeRemaining. The entry corresponding to a particular client is removed when one of the following happens. (i) When the configuration about the particular IPS sensor is removed from the controller, either through an explicit management action initiated through the NMS or when the controller reboots. (ii) When the remaining time period for which the client will be blocked as indicated by cLIdsClientTimeRemaining, expires. (iii) When the IPS sensor explicitly requests the controller to stop blocking the client's data packets. The controller sends the ciscoLwappIdsShunClientUpdate notification with cLIdsClientTimeRemaining equal to 0 to indicate that the client won't be blocked any further, on one of the three conditions for entry removal mentioned above.
OBJECT-TYPE    
  SEQUENCE OF  
    CLIdsClientExclEntry

cLIdsClientExclEntry 1.3.6.1.4.1.9.9.519.1.2.1.1
Each entry in this table represents the information about a wireless client whose data packets are requested to be blocked by the controller. The request is made by the IPS sensor identified by cLIdsIpsSensorAddress.
OBJECT-TYPE    
  CLIdsClientExclEntry  

cLIdsClientAddressType 1.3.6.1.4.1.9.9.519.1.2.1.1.1
This object identifies the type of the network address being populated by cLIdsClientAddress.
OBJECT-TYPE    
  InetAddressType  

cLIdsClientAddress 1.3.6.1.4.1.9.9.519.1.2.1.1.2
This object identifies the network address of the wireless client whose data packets have been requested to be blocked by the controller. The type of the network address represented by this object is determined by the value of cLIdsClientAddressType.
OBJECT-TYPE    
  InetAddress  

cLIdsClientTimeRemaining 1.3.6.1.4.1.9.9.519.1.2.1.1.3
This object indicates the remaining time for which the client's data packets are going to be blocked by the controller.
OBJECT-TYPE    
  TimeInterval  

ciscoLwappIdsShunClientUpdate 1.3.6.1.4.1.9.9.519.0.1
This notification is sent by the agent with cLIdsClientTimeRemaining indicating a value greater than 0, whenever it adds a row to cLIdsClientExclTable. The agent also sends this notification with cLIdsClientTimeRemaining equal to 0, when it removes a row from cLIdsClientExclTable.
NOTIFICATION-TYPE    

ciscoLwappIdsMIBCompliances 1.3.6.1.4.1.9.9.519.2.1
OBJECT IDENTIFIER    

ciscoLwappIdsMIBGroups 1.3.6.1.4.1.9.9.519.2.2
OBJECT IDENTIFIER    

ciscoLwappIdsMIBCompliance 1.3.6.1.4.1.9.9.519.2.1.1
The compliance statement for the SNMP entities that implement the ciscoLwappIdsMIB module.
MODULE-COMPLIANCE    

ciscoLwappIdsConfigGroup 1.3.6.1.4.1.9.9.519.2.2.1
This collection of objects provides the information used to integrate a controller with external IDS/IPS applications.
OBJECT-GROUP    

ciscoLwappIdsStatusGroup 1.3.6.1.4.1.9.9.519.2.2.2
This collection of objects provides the status of the various operations the controller performs together with external IDS/IPS applications.
OBJECT-GROUP    

ciscoLwappIdsNotifsGroup 1.3.6.1.4.1.9.9.519.2.2.3
This collection of objects provides the information about the notifications sent by the agent related to IDS.
NOTIFICATION-GROUP