Understanding Wireless Intrusion Prevention Systems

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

While the 802.11i -- or WPA2 -- wireless security standard does a fine job of authenticating users to the corporate network and encrypting both authentication and user data over the air, many of the latest wireless security threats aren't specifically related to authentication.

Today's Wi-Fi threats revolve more around client devices and rogue APs with custom embedded attack systems and are usually detectable only in the air. Enterprises need a way to uncover and thwart unwanted attempts to inject denial of service attacks, lure Wi-Fi client devices to malicious APs, piggyback onto a user's already established wireless connection, and more.

ROUNDUP: iPhone security, IP route hijack prevention on tap at RSA Conference

Detecting all of this type of activity requires a smart monitoring system that scans the WLAN channels, notifies personnel of suspicious activity, and sometimes, automatically blocks activity it discovers. Wireless Intrusion Prevention Systems (WIPS) solutions are the most popular and effective approach to secure and monitor an active corporate WLAN.

WIPS solutions use one of three fundamentally different architectures, each offering distinct tradeoffs that should be part of any security assessment. Which one is right for you will depend on the individual emphasis put on cost, security and vendor lock-in.

The first and most rudimentary WIPS architecture leverages an access point's (AP) existing radio for WIPS scanning. In other words, the AP momentarily slips from serving connectivity to Wi-Fi clients, to scanning for intrusion, and back to serving clients. In this approach, Wi-Fi APs are doing double duty: as APs forwarding traffic and as security sensors scanning the air for anomalies.

This shared approach is called time slicing, because a WIPS module gets a very small time slice (or RF sample) from the AP radio to conduct its security scanning. The impact of the WIPS time slice on wireless client service is designed to be minimal, both in terms of performance and infrastructure, allowing an organization to implement WIPS functionalities at a very low cost. The main advantage (or pro) to this approach is exactly that -- low cost WIPS functionality. However, that low cost can come at a huge price.

Time slicing uses limited scanning, usually sampling less than one second for each minute period. So for 98%-plus of every day -- 23 hours and 36 minutes -- there is essentially no wireless security scanning being conducted. As a result, the time-sliced configuration can only catch problems that are obvious and can be conclusively identified by a single packet or two -- situations that are few and far between. Of course the hope is that an exploit or attempt will be detected because it spans across multiple time slices.

Yet many of today's worst exploits use quick hits to get in and out, making this security approach a roll of the dice. Because of this weakness, major WLAN infrastructure vendors have all moved away from claiming this architecture is a good WIPS solution, although it is still available on the lower end.

The second WIPS architecture is an integrated solution where a dedicated WIPS scanning radio is collocated in the client serving AP. The dedicated radio means the WIPS solution is always scanning the air, addressing the limitation of time slicing.

The advantage to this approach is that all WIPS functionality can be supported with the deployed APs, holding costs down. However, the disadvantage is readily apparent: This consolidated functionality means a single AP is simultaneously servicing clients and policing itself. The AP isn't powerful enough to do both functions well, so configuring it with dual personalities will result in either lower WLAN performance, less effective security monitoring or perhaps both. That creates a single point of failure, which both presents a security risk and represents a violation of the layered security model.

This architecture also dictates that the WLAN infrastructure vendor be a WIPS vendor and has typical single vendor limitations. What happens if you want to move away from that particular vendor? And, it is typically unworkable in a heterogeneous, multi-vendor deployment.

The third WIPS architecture is an overlay solution where dedicated WIPS sensors are deployed. These dedicated sensors provide the "always on" scanning necessary for tight security and are completely independent from serving wireless clients. Dedicated overlay WIPS are offered by a third party, which creates another vendor for enterprises to manage. However, the advantage is the separation between the WLAN infrastructure and the WIPS architecture.

These overlays were designed specifically to combat intrusions and threats to the wireless network and they have been outfitted with greater security depth and features. Dedicated systems offer sophisticated capabilities that generally aren't available in integrated solutions, such as 24x7 multi-channel scanning and forensics analysis. This allows the orthogonal implementations to maximize the independence of the WIPS security solution on the WLAN infrastructure. This overlay WIPS architecture also allows an organization to independently select not only a best-of-breed WIPS solution, but also WLAN infrastructure.

An overlay solution is also the only acceptable approach if an organization has mixed WLAN infrastructure deployed (or plans to have a mix in the future). By having the security layer separated from the network itself, managers can easily update the security system on demand without risking an upgrade to the entire infrastructure. The disadvantage to this approach is cost: extra sensors represent an additional investment. While the initial investment may be higher, this approach has the potential to lower total cost of ownership in the long term by reducing exposure.

Unfortunately, the number of tools and exploits for hacking into a wireless network are, as always, on the rise. As vendors make tradeoffs to improve the flexibility or lower the cost of wireless infrastructure, it is important to take a step back and assess the security impact on your enterprise and ask: How far am I willing to compromise?

Read more about anti-malware in Network World's Anti-malware section.

This story, "Understanding Wireless Intrusion Prevention Systems" was originally published by Network World.

Copyright © 2011 IDG Communications, Inc.

Shop Tech Products at Amazon