by Paul Stamp

Making Sense Of Wireless IPSs

Jan 20, 2005 | 7 mins
CSO and CISO, Data and Information Security

All wireless intrusion prevention system (IPS) vendors claim that their solutions offer comprehensive intrusion prevention. The truth? Each vendor defines wireless IPS differently. Thus, the vendors' products differ in design, attack detection method, and how they deal with attackers. Moreover, one size does not fit all. For example, the best product for a downtown office could be overkill for a suburban campus.

Choosing the Right Wireless IPS Solution for You

Wired and wireless intrusion detection and prevention solutions have a lot in common. Both monitor their surroundings, look for bad behavior patterns, and act accordingly. Both also seek to minimize false positives and concentrate resources on dealing with real problems. However, that's where the similarity ends. Wired IPSs monitor the behavior of devices already operating on the network and then detect and block potentially harmful activity. In contrast, wireless IPSs seek to ensure that only authorized devices participate in your network.

Consequently, wireless IPS solutions focus primarily on the moment when wireless devices connect to the network, rather than on what those devices do once they've associated with the network. As such, most good wireless IPS solutions work at the data link layer or lower to take into account prevailing circumstances in the wireless environments in which they operate. [1] This is especially important in an urban environment where neighboring offices, homes, and even passing delivery vans, each equipped with wireless access points, play havoc with simpler rogue access point detection solutions. [2]

Your Pre-RFP Checklist For Wireless IPS

Before creating your list of potential wireless IPS vendors, ask yourself these questions:

  • What problem do you really need to solve with wireless IPS? Clarifying your objectives for implementing a wireless intrusion detection system (IDS) or IPS will help narrow your list early. Vendors like AirMagnet, Network Chemistry, and AirDefense aim to detect and block egregious behavior on the WLAN, such as rogue access points or probes from common attack tools like NetStumbler or AirSnort. [3] Others, such as AirTight Networks and Newbury Networks, concentrate more on keeping unauthorized wireless devices off the network based on factors like their location.
  • What is your wider strategy for wireless infrastructure? A wireless IDS is but one part of a comprehensive wireless security strategy. [4] Vendors like Aruba Wireless Networks and AireSpace combine wireless IPS capabilities with wider infrastructure functions, such as performance and device management. However, because these products are less focused, their methods for attack detection and prevention tend to be less well-developed.
  • What is your appetite for vendor risk? Many of the vendors currently working in the wireless space are small startups. Thus, buyers must expect mergers and acquisitions. The big networking players, such as Cisco, 3Com, and Hewlett-Packard, may eventually move into this space, but buyers should be skeptical: the networking giants will always prioritize functionality and speed over security.

The Most Important Questions To Ask Potential Vendors

Once you've clarified your implementation priorities for wireless IPS and received responses from the vendors on your shortlist, you'll quickly realize that vendors' approaches to the problem differ widely. Here are the four crucial questions you must ask:

  1. How does it work? Solutions such as AirMagnet's process traffic information at the network sensor. This decreases the required network bandwidth between the sensor and the central server, but it means that managing and updating sensors becomes more critical. AirDefense's and Network Chemistry's wireless IDSs perform preliminary data analysis and cleaning at the sensor before forwarding to a central server for examination. This increases the burden on the network and the central server but allows for more complex correlation of data from multiple access points.
  2. How does it detect attacks? Some wireless IPSs primarily use signature-based attack detection. However, the sophistication of these signature-based solutions varies widely. For example, functionality within CiscoWorks Wireless LAN Solution Engine (WLSE) does little more than detect rogue access points. In contrast, AirMagnet, AirDefense, and Network Chemistry augment their signatures with firmware-based detection for more complex denial of service (DoS) attacks. Newbury Networks and AirTight Networks adopt a more policy-based approach to detecting attacks, using databases of known devices and technology for determining devices' physical location to detect unauthorized actions on the wireless network.
  3. How does it handle attacks? Wireless IPSs employ many different methods of isolating devices associated with unauthorized activity. Simpler solutions can only deactivate the wired ports on which they find rogue access points. Other solutions, such as AirMagnet's and Network Chemistry's, send disassociate or de-auth packets either to disconnect clients from unauthorized access points or to target unauthorized clients. More complex solutions, including AirDefense's and AirTight Networks', identify the make and model of the attacker and send a combination of packets that will target that device most effectively to maximize the length of time before it can launch another attack. [5]
  4. Whom does the vendor partner with? The web of partnerships among wireless IPS, wireless networking, and other vendors is complex. Ensure that the partners with whom your shortlist vendors interoperate work to your advantage more easily. For example, AirMagnet has well-established partnerships with AirLink Communications and Wavelink, and AirDefense has recently announced a partnership to integrate its offering with Cisco's Aironet WLAN infrastructure product. Confusingly, vendors often resell each other's components on an OEM or cobranded basis; wireless IPS products from Newbury Networks and Bluesocket incorporate Network Chemistry's sensors.
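
To make the contrast in question 2 concrete, the following added example (not from the article or from any vendor's product) compares a simple known-device check with a policy-based check that also weighs location, using the kind of urban sightings described earlier. The sensor names, MAC addresses, and the signal-strength rule standing in for location are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Everything below is constructed for illustration (assumed values).
AUTHORIZED_APS = {"02:00:00:00:00:01"}    # database of known devices
INTERIOR_SENSORS = {"core-1", "core-2"}   # sensors away from outer walls
ON_PREMISES_DBM = -60                     # assumed "inside the office" level


@dataclass
class Sighting:
    bssid: str
    ssid: str
    rssi: dict  # sensor name -> signal strength in dBm


def naive_verdict(s: Sighting) -> str:
    """Simple detector: anything not in the database is a rogue."""
    return "authorized" if s.bssid in AUTHORIZED_APS else "rogue"


def on_premises(s: Sighting) -> bool:
    """Crude location proxy: heard loudest, and strongly, by an interior sensor."""
    sensor, dbm = max(s.rssi.items(), key=lambda kv: kv[1])
    return sensor in INTERIOR_SENSORS and dbm >= ON_PREMISES_DBM


def policy_verdict(s: Sighting) -> str:
    """Known-device database combined with location."""
    if s.bssid in AUTHORIZED_APS:
        return "authorized"
    return "rogue" if on_premises(s) else "neighbor"


# Constructed sightings: own AP, neighboring cafe, passing van, unknown AP indoors.
SIGHTINGS = [
    Sighting("02:00:00:00:00:01", "corp-wlan", {"core-1": -42}),
    Sighting("02:00:00:00:00:a1", "cafe-guest", {"edge-1": -71, "core-1": -88}),
    Sighting("02:00:00:00:00:a2", "van-hotspot", {"edge-2": -66}),
    Sighting("02:00:00:00:00:a3", "default", {"core-2": -45, "edge-1": -70}),
]


def summarize(verdict_fn) -> dict:
    """Count verdicts across all sample sightings."""
    return dict(Counter(verdict_fn(s) for s in SIGHTINGS))


if __name__ == "__main__":
    print("naive :", summarize(naive_verdict))
    print("policy:", summarize(policy_verdict))
```

The simple check raises three rogue alerts, two of them for neighbors, while the policy-based check isolates the one unknown access point that is actually inside the premises.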

Recommendations: One Size Does Not Fit All

Finding the right wireless IPS for your environment depends on a number of factors, such as users' connection methods, corporate security standards, and the size of your budget.

  • Establish your wireless priorities. The best product for you will depend on your wireless policy. [6] If you have a no-wireless policy, or if you run an open wireless network that requires a VPN client to connect to corporate resources, then you must make rogue access point detection your top priority. For a locked-down WLAN that acts as part of the corporate network, you should instead worry most about mitigating attacks on clients and access points.
  • Choose a system that fits your network and physical environment. Evaluate the technical strengths and weaknesses of products relative to your environment. An office in a crowded urban environment will require a more sophisticated solution for distinguishing neighboring wireless network activities from genuine attacks than a suburban campus environment will. Also, if interoffice network traffic is already crowding your wide-area network (WAN), choose a more decentralized solution.
  • Consider hidden costs. When comparing costs of different wireless IPS solutions, remember to include the cost of installing new network hardware. If the solution requires separate IPS sensors, installation costs can be significant because the sensors often need to be deployed in inaccessible places. In these hard-to-reach places, power over Ethernet (PoE) can bring costs down significantly. [7] You should also consider the cost of hardware and software you'll need to support any central server-based data processing the solution requires.


[1] The term "data link layer" refers to Layer 2 of the International Organization for Standardization's (ISO) 7 Layer Open System Interconnect (OSI) Model. For more information on the OSI Model, see

[2] There are a number of methods for identifying rogue access points, ranging from handheld devices to existing network components performing regular scans. See the May 12, 2003, IdeaByte "Identifying Rogue Access Points And Protecting The Wireless LAN."

[3] Wireless attacks are one of the biggest threats facing businesses today. See the June 5, 2002, Planning Assumption "Building Wireless LAN Security: Tier By Tier."

[4] Authentication, authorization, and encryption are also essential components in a comprehensive wireless security architecture. See the December 18, 2003, Planning Assumption "Wireless LAN Security: Best Practices."

[5] Once a client has disassociated from an access point, the client's system will automatically continue to try to reconnect. To minimize the effort needed on an ongoing basis to stop the client from reconnecting, more complex solutions customize the method they use to terminate the connection depending on the devices involved.

[6] A set of policies to control wireless devices in its environment is critical to safeguard valuable corporate network resources. See the March 26, 2004, Best Practices "Wireless LAN Policies."

[7] PoE injectors cost around $50 each, plus installation costs. A good ROI calculator for PoE can be found at