Toolbox

How to Compare and Use Wireless Intrusion Detection and Prevention Systems

Rogue access points? Evil twins? Wireless IDP systems aim to defeat these and other tricky hacks.

By Mary Brandel

September 17, 2009, CSO

Wireless intrusion detection and protection (IDP) systems monitor enterprise airwaves with a network of wireless monitors connected to a central server. They capture data from the radio spectrum and analyze it for rogue access points (APs), unauthorized devices, unauthorized association, adherence to policy, incorrectly configured security settings, unexpected behavior and wireless attacks such as MAC spoofing and denial of service attacks.

They then provide reporting and alerts, which can be sent to workflow systems, trouble-ticketing systems or network management consoles, or delivered by e-mail or pager to administrators. Wireless IDP systems can also respond to threats automatically once they have detected and classified them.

This article examines key forces driving adoption, important criteria for comparing and choosing wireless IDP systems, plus dos and don'ts for implementation.

Also see key features and functions in Wireless Intrusion System: Selection Criteria


Wireless IDP Market Drivers

According to Gartner, the wireless intrusion prevention system market is relatively stable. Global revenue grew 18 percent between 2007 and 2008, from $119 million to $140 million, according to John Pescatore, an analyst at Gartner. He's projecting a 14 percent to 15 percent growth in 2009.

Market drivers, however, have changed in that time span, he says. Two or three years ago, companies were buying wireless IDP to detect and disallow wireless or to protect against attacks in the few areas of the enterprise where it was allowed. With the growing acceptance of wireless, however, many companies now invest in these tools to assess their vulnerability to, for instance, incorrectly configured APs, rogue APs, foreign PCs trying to connect to the company's APs or accidental association of corporate PCs with foreign APs.
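The detection-and-classification step described above (rogue APs, evil twins, misconfigured security settings, foreign PCs on corporate APs, corporate PCs on foreign APs) comes down to comparing what the sensors hear against an inventory of what is authorized. The following is an added example, not code from the article or from any IDP product; the authorized-AP inventory, the corporate client OUI, the sensor names and the beacon and association records are all constructed sample data.

```python
"""Classify observed 802.11 beacons and client associations against an
authorized-AP inventory, as a wireless IDP sensor network does.
Added example with constructed data; not from the article or any product."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str   # "OPEN", "WEP", "WPA2-PSK" or "WPA2-Enterprise"
    sensor: str     # which monitor heard it (constructed names)


# Constructed inventory: BSSID -> (expected SSID, minimum required security)
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:aa:bb:02": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:aa:bb:03": ("CorpGuest", "WPA2-PSK"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
# Constructed OUI prefix of corporate laptop NICs, used for association checks
CORPORATE_CLIENT_OUIS = {"3c:5a:b4"}
# Ordering used to decide whether an AP advertises weaker security than policy
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA2-PSK": 2, "WPA2-Enterprise": 3}


def classify_beacon(b: Beacon) -> str:
    """Authorized AP, misconfigured authorized AP, evil twin, or rogue."""
    known = AUTHORIZED_APS.get(b.bssid.lower())
    if known:
        ssid, required = known
        if b.ssid != ssid:
            return "misconfigured: authorized AP advertising unexpected SSID"
        if SECURITY_RANK[b.security] < SECURITY_RANK[required]:
            return f"misconfigured: {ssid} requires {required}, advertising {b.security}"
        return "authorized"
    if b.ssid in CORPORATE_SSIDS:
        # Corporate SSID from a BSSID we do not own: the evil-twin pattern
        return "evil twin: corporate SSID from unknown BSSID"
    return "rogue: unknown AP in monitored airspace"


def classify_association(client_mac: str, bssid: str) -> str:
    """Flag corporate clients on foreign APs and foreign clients on corporate APs."""
    corporate_client = client_mac.lower()[:8] in CORPORATE_CLIENT_OUIS
    authorized_ap = bssid.lower() in AUTHORIZED_APS
    if corporate_client and not authorized_ap:
        return "accidental association: corporate client on foreign AP"
    if authorized_ap and not corporate_client:
        return "foreign client: unknown device on corporate AP"
    if corporate_client and authorized_ap:
        return "authorized"
    return "foreign-to-foreign: outside scope, log only"


def analyze(beacons, associations):
    """Return (source, subject, verdict) tuples for everything not authorized."""
    alerts = []
    for b in beacons:
        verdict = classify_beacon(b)
        if verdict != "authorized":
            alerts.append((b.sensor, b.bssid, verdict))
    for client, bssid in associations:
        verdict = classify_association(client, bssid)
        if verdict != "authorized":
            alerts.append(("association", f"{client}->{bssid}", verdict))
    return alerts


# Constructed sample observations from three sensors
SAMPLE_BEACONS = [
    Beacon("CorpNet", "00:11:22:aa:bb:01", 6, "WPA2-Enterprise", "sensor-3F-east"),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN", "sensor-3F-east"),   # evil twin
    Beacon("CorpGuest", "00:11:22:aa:bb:03", 11, "OPEN", "sensor-lobby"),   # misconfigured
    Beacon("linksys", "c0:ff:ee:00:00:01", 1, "WEP", "sensor-2F-west"),    # rogue
]
SAMPLE_ASSOCIATIONS = [
    ("3c:5a:b4:00:00:10", "00:11:22:aa:bb:01"),   # corporate laptop on CorpNet
    ("3c:5a:b4:00:00:11", "de:ad:be:ef:00:01"),   # corporate laptop on the evil twin
    ("98:76:54:00:00:01", "00:11:22:aa:bb:01"),   # unknown device on CorpNet
]

if __name__ == "__main__":
    for source, subject, verdict in analyze(SAMPLE_BEACONS, SAMPLE_ASSOCIATIONS):
        print(f"{source:14} {subject:40} {verdict}")
```

The inventory lookup is the core of the classification, but it has a known limit that the article's mention of MAC spoofing points at: an attacker who copies an authorized BSSID passes `classify_beacon` unchanged. Commercial systems therefore corroborate the lookup with per-sensor signal strength and timing, which is why the overlay sensors discussed in the next section report which monitor heard each frame rather than just the frame itself.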

"In any dense environment, you can connect to the network of the company upstairs or across the alleyway," Pescatore says. "So you're basically deploying listening sensors around the building to detect these things."

Wireless IDP tools are also hinted at as a best practice in the PCI Data Security Standard, says John Kindervag, senior analyst at Forrester Research. "We see it as a growth area because PCI is encouraging its use for wireless scanning," Kindervag says.

Prime Considerations and Comparison Points

Integrated versus overlay. Wireless network infrastructure vendors such as Aruba and Cisco provide integrated IDP capabilities, while other vendors offer overlay systems that are deployed and managed separately from the operational wireless system. Infrastructure vendors' tools are tightly coupled to the vendor's APs, which perform the dual functions of providing access and scanning for security-related information. However, they cannot perform both functions at the same time, so there are coverage gaps, Pescatore points out. Also, he says, they generally only monitor on the frequencies that the AP itself works on. Meanwhile, overlay systems provide sensors that are 100 percent in "receive" mode and provide full-time security monitoring across all frequencies.

Generally, Pescatore says, companies that want to prevent the use of wireless networks—as well as companies locked into older wireless technologies—should consider overlay products. Those that don't have the budget for overlay security systems or that have little wireless network exposure or low security demands can meet their needs with an inte