-- *******************************************************************
-- CISCO-LWAPP-IDS-MIB.my
-- November 2005, Devesh Pujari, Prasanna Viswakumar
--
-- Copyright (c) 2005, 2006 by Cisco Systems, Inc.
-- All rights reserved.
-- *******************************************************************
--CISCO-LWAPP-IDS-MIB DEFINITIONS::=BEGINIMPORTSMODULE-IDENTITY,OBJECT-TYPE,NOTIFICATION-TYPE,Unsigned32
FROM SNMPv2-SMI
MODULE-COMPLIANCE,OBJECT-GROUP,NOTIFICATION-GROUPFROM SNMPv2-CONF
TruthValue,TimeInterval,RowStatusFROM SNMPv2-TC
SnmpAdminStringFROM SNMP-FRAMEWORK-MIB
InetAddressType,InetAddressFROM INET-ADDRESS-MIB
ciscoMgmt
FROM CISCO-SMI;--********************************************************************
--* MODULE IDENTITY
--********************************************************************ciscoLwappIdsMIB MODULE-IDENTITYLAST-UPDATED"200604100000Z"ORGANIZATION"Cisco Systems Inc."CONTACT-INFO" Cisco Systems,
Customer Service
Postal: 170 West Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
Email: cs-wnbu-snmp@cisco.com"DESCRIPTION"This MIB is intended to be implemented on all those
devices operating as Central Controllers (CC) that
terminate the Light Weight Access Point Protocol
tunnel from Light-weight LWAPP Access Points.
This MIB provides the information used to integrate
the LWAPP controller with external IDS/IPS
applications. LWAPP controllers interact with
these applications to protect the network against
various threats that would compromise the overall
security of the network.
The arrangement of the IDS / IPS applications,
controller (referred to as CC in the diagram) and the
LWAPP APs appear as follows.
+.......+ +.......+
+ + + +
+ IDS + + IDS +
+ IPS + + IPS +
+.......+ +.......+
. .
. . . .
. . . .
. . . .
+......+ +......+ +......+ +......+
+ + + + + + + +
+ CC + + CC + + CC + + CC +
+ + + + + + + +
+......+ +......+ +......+ +......+
.. . . .
.. . . .
. . . . .
. . . . .
. . . . .
. . . . .
+......+ +......+ +......+ +......+ +......+
+ + + + + + + + + +
+ AP + + AP + + AP + + AP + + AP +
+ + + + + + + + + +
+......+ +......+ +......+ +......+ +......+
. . . .
. . . . .
. . . . .
. . . . .
. . . . .
+......+ +......+ +......+ +......+ +......+
+ + + + + + + + + +
+ MN + + MN + + MN + + MN + + MN +
+ + + + + + + + + +
+......+ +......+ +......+ +......+ +......+
The LWAPP tunnel exists between the controller and
the APs. The MNs communicate with the APs through
the protocol defined by the 802.11 standard. The
controllers and the IDS systems exchange information
through Cisco proprietary event exchange mechanisms.
LWAPP APs, upon bootup, discover and join one of the
controllers and the controller pushes the configuration,
that includes the WLAN parameters, to the LWAPP APs.
The APs then encapsulate all the 802.11 frames from
wireless clients inside LWAPP frames and forward
the LWAPP frames to the controller.
One or more controllers hold logical connections to
an IDS / IPS and interact with it to enforce security
on the network.
GLOSSARY
Access Point ( AP )
An entity that contains an 802.11 medium access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.
LWAPP APs encapsulate all the 802.11 frames in
LWAPP frames and sends them to the controller to which
it is logically connected.
Central Controller ( CC )
The central entity that terminates the LWAPP protocol
tunnel from the LWAPP APs. Throughout this MIB,
this entity is also referred to as 'controller'.
HyperText Transfer Protocol Over Secure Socket Layer
(HTTPS)
HTTPS is a Web based protocol that encrypts and
decrypts user page requests as well as the pages
that are returned by the Web server. HTTPS uses
port 443 instead of HTTP port 80 in its
interactions with the lower layer, TCP/IP. SSL
uses a 40-bit key for the RC4 stream encryption
algorithm, which is considered an adequate degree
of encryption for commercial exchange.
Intrusion Detection System ( IDS )
An IDS performs activities like enforcing security
related policies, identifying and reporting attacks
on the network etc., thereby helping to improve
the overall security of the enterprise network.
Intrusion Prevention System ( IPS )
An IPS offers significant protection to the network
against viruses, worms, signature attacks etc. This
system detects L3 - L7 attacks. This system can also
instruct other IPS clients through standards based
protocols to allow/block network access for specific
network entities.
Light Weight Access Point Protocol ( LWAPP )
This is a generic protocol that defines the
communication between the Access Points and the
controller.
Mobile Node ( MN )
A roaming 802.11 wireless device in a wireless
network associated with an access point.
Network Management System ( NMS )
The station from which the administrator manages the
wired and wireless networks.
Secure Hash Algorithm ( SHA )
The SHA, developed by NIST for use with the Digital
Signature Standard (DSS) is specified within the
Secure Hash Standard (SHS). SHA is a cryptographic
message digest algorithm similar to the MD4 family
of hash functions developed by Rivest. It differs
from the MD4 hash functions in that it adds an
additional expansion operation, an extra round and
the whole transformation was designed to
accomodate the DSS block size for efficiency.
REFERENCE
[1] Wireless LAN Medium Access Control ( MAC ) and
Physical Layer ( PHY ) Specifications.
[2] Draft-obara-capwap-lwapp-00.txt, IETF Light
Weight Access Point Protocol "
REVISION"200604100000Z"DESCRIPTION"Initial version of this MIB module. "::={ ciscoMgmt 519}ciscoLwappIdsMIBNotifs OBJECTIDENTIFIER::={ ciscoLwappIdsMIB 0}ciscoLwappIdsMIBObjects OBJECTIDENTIFIER::={ ciscoLwappIdsMIB 1}ciscoLwappIdsMIBConform OBJECTIDENTIFIER::={ ciscoLwappIdsMIB 2}
ciscoLwappIdsConfig OBJECTIDENTIFIER::={ ciscoLwappIdsMIBObjects 1}ciscoLwappIdsStatus OBJECTIDENTIFIER::={ ciscoLwappIdsMIBObjects 2}-- ********************************************************************
-- IDS Configuration
-- ********************************************************************cLIdsIpsSensorConfigTable OBJECT-TYPESYNTAXSEQUENCEOF CLIdsIpsSensorConfigEntry
MAX-ACCESSnot-accessibleSTATUScurrent
DESCRIPTION"This table facilitates the configuration of a group
of IPS sensors to which the LWAPP controller would
subscribe to retrieve the IDS events from the
respective sensors.
IPS sensors are used to protect the network by helping
to detect and report threats like worms, viruses etc.
By subscribing to such a sensor, the LWAPP controller,
through appropriate interfaces, can retrieve the
events detected by the sensor and report the same
to the NMS. The controller can accept the request, to
block the packets from an IP address, from each Sensor
configured through this table and block the data
traffic originating from that particular source.
Rows are added or deleted to the table by explicit
management actions initiated by the user from a
network management station. Information about each
IPS sensor is uniquely identified by the network
address of the respective sensor. "::={ ciscoLwappIdsConfig 1}cLIdsIpsSensorConfigEntry OBJECT-TYPESYNTAX CLIdsIpsSensorConfigEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"There is an entry in this table for each IPS sensor
identified by cLIdsIpsSensorAddressType and
cLIdsIpsSensorAddress from which the controller can
accept requests to block certain clients. "INDEX{ cLIdsIpsSensorAddressType, cLIdsIpsSensorAddress }
::={ cLIdsIpsSensorConfigTable 1}
CLIdsIpsSensorConfigEntry ::=SEQUENCE{
cLIdsIpsSensorAddressType InetAddressType,
cLIdsIpsSensorAddress InetAddress,
cLIdsIpsSensorUserName SnmpAdminString,
cLIdsIpsSensorPassword SnmpAdminString,
cLIdsIpsSensorQueryInterval TimeInterval,
cLIdsIpsSensorEnabled TruthValue,
cLIdsIpsSensorFingerPrintHex OCTETSTRING,
cLIdsIpsSensorPort Unsigned32,
cLIdsIpsSensorRowStatus RowStatus}cLIdsIpsSensorAddressType OBJECT-TYPESYNTAXInetAddressTypeMAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This object represents the type of the network
address made available through
cLIdsIpsSensorAddress. "::={ cLIdsIpsSensorConfigEntry 1}
cLIdsIpsSensorAddress OBJECT-TYPESYNTAXInetAddressMAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This object represents the network address of the
IPS sensor. The type of the network address
represented by this object is determined by the
value of cLIdsIpsSensorAddressType. "::={ cLIdsIpsSensorConfigEntry 2}cLIdsIpsSensorUserName OBJECT-TYPESYNTAXSnmpAdminStringMAX-ACCESSread-create
STATUScurrentDESCRIPTION"This object represents the user name in use
by the LWAPP controller to get authenticated with
the IPS sensor. "::={ cLIdsIpsSensorConfigEntry 3}cLIdsIpsSensorPassword OBJECT-TYPESYNTAXSnmpAdminStringMAX-ACCESSread-createSTATUScurrentDESCRIPTION"This object represents the password following the
username used by the LWAPP controller to get
authenticated with the IPS sensor.
Note that the read operation on this object returns
a string in the pattern '****' for security
reasons. "::={ cLIdsIpsSensorConfigEntry 4}cLIdsIpsSensorQueryInterval OBJECT-TYPESYNTAXTimeInterval(1000..360000)UNITS"Hundredths-seconds"MAX-ACCESSread-createSTATUScurrentDESCRIPTION"This object represents the time interval at which
the controller would query this particular IPS
sensor for IDS events. "DEFVAL{3000}::={ cLIdsIpsSensorConfigEntry 5}cLIdsIpsSensorEnabled OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-createSTATUScurrentDESCRIPTION"This object represents the status of this IPS
sensor as seen by controller for its interaction
with the sensor.
A value of 'true' indicates the controller shall
query the sensor for events and respond to the
requests from the sensor.
A value of 'false' indicates the controller's
communication with the sensor is disabled. "DEFVAL{ false }::={ cLIdsIpsSensorConfigEntry 6}cLIdsIpsSensorFingerPrintHex OBJECT-TYPESYNTAXOCTETSTRING(SIZE(40))MAX-ACCESSread-createSTATUScurrentDESCRIPTION"This object represents the SHA1 hash done on the
sensor certificate and configured as a series of
40 hexadecimal digits. This hash value is needed
to verify the validity of the certificate to
prevent security attacks.
Note that the read operation on this object returns
a string in the pattern '****' for security
reasons. "::={ cLIdsIpsSensorConfigEntry 7}cLIdsIpsSensorPort OBJECT-TYPESYNTAXUnsigned32(1..65535)MAX-ACCESSread-createSTATUScurrentDESCRIPTION"This object represents the HTTPS port on the
sensor on which the controller polls the
sensor. "::={ cLIdsIpsSensorConfigEntry 8}cLIdsIpsSensorRowStatus OBJECT-TYPESYNTAXRowStatusMAX-ACCESSread-createSTATUScurrentDESCRIPTION"This is the status column for this row and used
to create and delete specific instances of rows
in this table. "::={ cLIdsIpsSensorConfigEntry 9}--********************************************************************
--* Status information
--********************************************************************cLIdsClientExclTable OBJECT-TYPESYNTAXSEQUENCEOF CLIdsClientExclEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This table lists those clients whose data packets
are to be blocked as requested by the IPS sensor
due to the detection of attacks at layer 3 to
layer 7 involving the particular client.
This table has an expansion dependent relationship
with cLIdsIpsSensorConfigTable. There may exist one
or more rows corresponding to the row for each
sensor configured through cLIdsIpsSensorConfigTable.
An entry is added to this row by the agent when the
controller receives the block request from one of
the IPS sensors configured through
cLIdsIpsSensorConfigTable. The controller sends
the ciscoLwappIdsShunClientUpdate notification
to indicate that the controller shall be blocking
the particular client for a period equal to
cLIdsClientTimeRemaining.
The entry corresponding to a particular client is
removed when one of the following happens.
(i) When the configuration about the particular
IPS sensor is removed from the controller, either
through an explicit management action initiated
through the NMS or when the controller reboots.
(ii) When the remaining time period for which the
client will be blocked as indicated by
cLIdsClientTimeRemaining, expires.
(iii) When the IPS sensor explicitly requests the
controller to stop blocking the client's data
packets.
The controller sends the ciscoLwappIdsShunClientUpdate
notification with cLIdsClientTimeRemaining equal to
0 to indicate that the client won't be blocked any
further, on one of the three conditions for entry
removal mentioned above. "::={ ciscoLwappIdsStatus 1}cLIdsClientExclEntry OBJECT-TYPESYNTAX CLIdsClientExclEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION
"Each entry in this table represents the information
about a wireless client whose data packets are
requested to be blocked by the controller. The
request is made by the IPS sensor identified by
cLIdsIpsSensorAddress. "INDEX{ cLIdsIpsSensorAddressType,
cLIdsIpsSensorAddress,
cLIdsClientAddressType,
cLIdsClientAddress
}::={ cLIdsClientExclTable 1}
CLIdsClientExclEntry ::=SEQUENCE{
cLIdsClientAddressType InetAddressType,
cLIdsClientAddress InetAddress,
cLIdsClientTimeRemaining TimeInterval}cLIdsClientAddressType OBJECT-TYPESYNTAXInetAddressTypeMAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This object identifies the type of the network
address being populated by cLIdsClientAddress. "::={ cLIdsClientExclEntry 1}cLIdsClientAddress OBJECT-TYPESYNTAXInetAddress
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This object identifies the network address of the
wireless client whose data packets have been
requested to be blocked by the controller. The
type of the network address represented by this
object is determined by the value of
cLIdsClientAddressType. "::={ cLIdsClientExclEntry 2}cLIdsClientTimeRemaining OBJECT-TYPESYNTAXTimeIntervalUNITS"hundredths-seconds"
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"This object indicates the remaining time for which
the client's data packets are going to be blocked by
the controller. "::={ cLIdsClientExclEntry 3}--********************************************************************
--* NOTIFICATIONS
--********************************************************************ciscoLwappIdsShunClientUpdate NOTIFICATION-TYPEOBJECTS{
cLIdsClientTimeRemaining
}STATUScurrent
DESCRIPTION"This notification is sent by the agent with
cLIdsClientTimeRemaining indicating a value
greater than 0, whenever it adds a row to
cLIdsClientExclTable.
The agent also sends this notification with
cLIdsClientTimeRemaining equal to 0, when it
removes a row from cLIdsClientExclTable. "::={ ciscoLwappIdsMIBNotifs 1}--********************************************************************
--* Compliance statements
--********************************************************************ciscoLwappIdsMIBCompliances OBJECTIDENTIFIER::={ ciscoLwappIdsMIBConform 1}
ciscoLwappIdsMIBGroups OBJECTIDENTIFIER::={ ciscoLwappIdsMIBConform 2}ciscoLwappIdsMIBCompliance MODULE-COMPLIANCESTATUScurrentDESCRIPTION"The compliance statement for the SNMP entities that
implement the ciscoLwappIdsMIB module. "MODULEMANDATORY-GROUPS{
ciscoLwappIdsConfigGroup,
ciscoLwappIdsStatusGroup,
ciscoLwappIdsNotifsGroup
}
::={ ciscoLwappIdsMIBCompliances 1}--********************************************************************
--* Units of conformance
--********************************************************************ciscoLwappIdsConfigGroup OBJECT-GROUPOBJECTS{
cLIdsIpsSensorUserName,
cLIdsIpsSensorPassword,
cLIdsIpsSensorQueryInterval,
cLIdsIpsSensorEnabled,
cLIdsIpsSensorFingerPrintHex,
cLIdsIpsSensorPort,
cLIdsIpsSensorRowStatus
}STATUScurrent
DESCRIPTION"This collection of objects provides the
information used to integrate a controller with
external IDS/IPS applications. "::={ ciscoLwappIdsMIBGroups 1}ciscoLwappIdsStatusGroup OBJECT-GROUPOBJECTS{
cLIdsClientTimeRemaining
}STATUScurrentDESCRIPTION"This collection of objects provides the status
of the various operations the controller performs
together with external IDS/IPS applications. "::={ ciscoLwappIdsMIBGroups 2}
ciscoLwappIdsNotifsGroup NOTIFICATION-GROUPNOTIFICATIONS{
ciscoLwappIdsShunClientUpdate
}STATUScurrentDESCRIPTION"This collection of objects provides the information
about the notifications sent by the agent related
to IDS. "::={ ciscoLwappIdsMIBGroups 3}END