How to Compare and Use Wireless Intrusion Detection and Prevention Systems

Rogue access points? Evil twins? Wireless IDP systems aim to defeat these and other tricky hacks.

By

September 17, 2009, CSO

Wireless intrusion detection and protection (IDP) systems monitor enterprise airwaves with a network of wireless monitors connected to a central server. They capture data from the radio spectrum and analyze it for rogue access points (APs), unauthorized devices, unauthorized association, adherence to policy, incorrectly configured security settings, unexpected behavior and wireless attacks such as MAC spoofing and denial of service attacks.

Wireless IDS/IPS use a network of sensors

They then provide reporting and alerts, which can be sent to workflow systems, trouble-ticketing systems or network management consoles, or delivered via e-mail or pager to administrators. Wireless IDP systems can also respond to threats automatically once they have detected and classified them.

This article examines key forces driving adoption, important criteria for comparing and choosing wireless IDP systems, plus dos and don'ts for implementation.

Also see key features and functions in Wireless Intrusion System: Selection Criteria


Wireless IDP Market Drivers

According to Gartner, the wireless intrusion prevention system market is relatively stable. Global revenue grew 18 percent between 2007 and 2008, from $119 million to $140 million, according to John Pescatore, an analyst at Gartner. He's projecting a 14 percent to 15 percent growth in 2009.

Market drivers, however, have changed in that time span, he says. Two or three years ago, companies were buying wireless IDP to detect and disallow wireless or to protect against attacks in the few areas of the enterprise where it was allowed. With the growing acceptance of wireless, however, many companies now invest in these tools to assess their vulnerability to, for instance, incorrectly configured APs, rogue APs, foreign PCs trying to connect to the company's APs or accidental association of corporate PCs with foreign APs.

"In any dense environment, you can connect to the network of the company upstairs or across the alleyway," Pescatore says. "So you're basically deploying listening sensors around the building to detect these things."

Wireless IDP tools are also hinted at as a best practice in the PCI Data Security Standard, says John Kindervag, senior analyst at Forrester Research. "We see it as a growth area because PCI is encouraging its use for wireless scanning," Kindervag says.

Prime Considerations and Comparison Points

Integrated versus overlay. Wireless network infrastructure vendors such as Aruba and Cisco provide integrated IDP capabilities, while other vendors offer overlay systems that are deployed and managed separately from the operational wireless system. Infrastructure vendors' tools are tightly coupled to the vendor's APs, which perform the dual functions of providing access and scanning for security-related information. However, they cannot perform both functions at the same time, so there are coverage gaps, Pescatore points out. Also, he says, they generally only monitor on the frequencies that the AP itself works on. Meanwhile, overlay systems provide sensors that are 100 percent in "receive" mode and provide full-time security monitoring across all frequencies.

Generally, Pescatore says, companies that want to prevent the use of wireless networks—as well as companies locked into older wireless technologies—should consider overlay products. Those that don't have the budget for overlay security systems or that have little wireless network exposure or low security demands can meet their needs with an integrated approach, he says.

Paul DeBeasi, analyst at Burton Group, agrees that for the vast majority of enterprises, using a shared sensor is good enough. "The people who are most risk-averse and have the budget should go with a dedicated sensor," he says.

Chris Roberts, manager of network and security operations at vehicle auction provider Adesa, chose the overlay approach from AirTight Networks because he wanted to separate the data transport function from the security function. "I like knowing that my security product is not also my data transport product," he says. "At the end of the day, all devices are susceptible to failure, and keeping them isolated—while more expensive—is more pure, and I get much higher value."

Smart versus thin sensor. There are differences in how wireless IDP sensors and analysis engines divide the work, and these affect both how remote management is handled and the bandwidth burden on the network, Burton Group points out. With smart sensors, part of the data analysis is performed on the sensor itself, reducing the volume of data sent to the analysis engine. A potential downside of this architecture is that the software on the sensors may require upgrades to stay current. With thin sensors, raw data is forwarded to the server for analysis. Although some vendors provide bandwidth management, this architecture does result in more traffic moving across the network and heavier processing loads on the server, Burton Group says.

Wireless Intrusion Detection Dos and Don'ts

DO plan on spending time setting up the tool. For Ryan Holland, network engineer at The Ohio State University, a key success factor of using the wireless IDP system from Aruba was to use the tool's custom rules to define what a rogue AP is. With the university located close to many shops, apartment buildings and departments that also deploy wireless networks, he narrowly defines rogue APs as those that use the university's network identifiers but do not appear on the list of APs managed by his organization. "We can see APs from McDonald's and Panera Bread, but we don't want to take action against those because they're our known neighbors," he says.

With Aruba's acquisition of AirWave—which provides a rogue detection module within its wireless management suite—Holland says there is even more granularity to the system's rule customization. For instance, he can define rogues based on characteristics such as signal-level thresholds or whether the AP is connected to both the wireless and wired networks. Holland also likes that once he's shaped his policies and alerts, the system automatically provides a breakdown, classifying the types of APs on the network. This helped reduce the thousands of APs that the system reported on to about 30. "We could weed out the stuff we don't care about and report on what we do care about," he says. "It brings it to a human level."
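The classification rule Holland describes (an AP is a rogue only if it uses the organization's own network identifiers but is missing from the managed-AP list, with signal-level and wired-connectivity checks layered on top) can be expressed as a small policy function. The following is an added illustration, not Aruba or AirWave code; the inventory, SSIDs, RSSI threshold and scan records are all constructed sample values.

```python
from dataclasses import dataclass

# Constructed inventory: BSSIDs of the APs this organisation manages (hypothetical values).
MANAGED_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Network identifiers (SSIDs) the organisation advertises (hypothetical names).
OUR_SSIDS = {"campus-wifi", "campus-secure"}
# Foreign APs weaker than this (dBm) are too faint to be actionable (assumed threshold).
RSSI_THRESHOLD = -70


@dataclass
class Observation:
    bssid: str          # radio MAC address reported by the sensor
    ssid: str           # network name the AP advertises
    rssi: int           # received signal strength in dBm
    seen_on_wire: bool  # sensor also saw this AP's MAC on the wired LAN


def classify(obs: Observation) -> str:
    """Narrow rogue definition from the article: impersonating our SSID while
    not being one of our APs, or a foreign AP bridged onto our wired network.
    Everything else is a known neighbour, or ignored if the signal is faint."""
    if obs.bssid in MANAGED_APS:
        return "managed"
    if obs.ssid in OUR_SSIDS:
        return "rogue"        # uses our identifiers but is not on the managed list
    if obs.seen_on_wire:
        return "rogue"        # foreign SSID plugged into our LAN: treat as rogue
    if obs.rssi < RSSI_THRESHOLD:
        return "ignore"       # distant neighbour, below the actionable threshold
    return "neighbor"         # e.g. the coffee shop next door


def summarize(observations) -> dict:
    """Break a scan down by class, the way the article says the system does
    after the policy has been tuned; returns a count per class."""
    counts: dict = {}
    for obs in observations:
        label = classify(obs)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed scan results standing in for what a sensor would report.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "campus-wifi", -45, True),    # ours
    Observation("aa:bb:cc:dd:ee:01", "campus-wifi", -60, False),   # impersonates our SSID
    Observation("aa:bb:cc:dd:ee:02", "Guest-Cafe", -55, False),    # neighbour
    Observation("aa:bb:cc:dd:ee:03", "Guest-Cafe", -82, False),    # faint neighbour
    Observation("aa:bb:cc:dd:ee:04", "HomeNet", -50, True),        # foreign AP on our wire
]
```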

Jon Covington, senior network engineer at UCLA Medical, says the university dedicates a full-time resource to leverage the Motorola AirDefense tool. "We want to know what that button does, what that bell or whistle does," he says. "There are also levels above myself who need to know there's good ROI and TCO, that it's not just a gadget." It's been worth it, he says. "We've been able to draft a security policy with teeth behind it to comply with HIPAA standards," he says.

Covington also agrees that it takes time to work with the system to help make sense of the volumes of data collected. "As it listens, it records everything it sees, but you only have a fixed volume of disk space," he says. "You have to be aggressive about knowing what you want."

In this way, he says, wireless IDP is not for the faint of heart. Covington estimates that in two years' time, his group has graduated to using about 65 percent of the tool's features. "You can't just hang it up and let it run by itself," he says. "To get the 'wow' experience, you have to work with it."

Also see Wireless Security: The Basics
