



How to Compare and Use Wireless Intrusion Detection and Prevention Systems

Sep 17, 2009

Rogue access points? Evil twins? Wireless IDP systems aim to defeat these and other tricky hacks.

Wireless intrusion detection and prevention (IDP) systems monitor enterprise airwaves with a network of wireless monitors connected to a central server. They capture data from the radio spectrum and analyze it for rogue access points (APs), unauthorized devices, unauthorized association, adherence to policy, incorrectly configured security settings, unexpected behavior and wireless attacks such as MAC spoofing and denial-of-service attacks.

They then provide reporting and alerts, which can be sent to workflow systems, trouble-ticketing systems or network management consoles, or sent via e-mail or pager to administrators. Wireless IDP systems can also respond to threats automatically once they have been detected and classified.

This article examines key forces driving adoption, important criteria for comparing and choosing wireless IDP systems, plus dos and don’ts for implementation.


Wireless IDP Market Drivers

According to Gartner, the wireless intrusion prevention system market is relatively stable. Global revenue grew 18 percent between 2007 and 2008, from $119 million to $140 million, according to John Pescatore, an analyst at Gartner. He’s projecting a 14 percent to 15 percent growth in 2009.

Market drivers, however, have changed in that time span, he says. Two or three years ago, companies were buying wireless IDP to detect and disallow wireless or to protect against attacks in the few areas of the enterprise where it was allowed. With the growing acceptance of wireless, however, many companies now invest in these tools to assess their vulnerability to, for instance, incorrectly configured APs, rogue APs, foreign PCs trying to connect to the company’s APs or accidental association of corporate PCs with foreign APs.

“In any dense environment, you can connect to the network of the company upstairs or across the alleyway,” Pescatore says. “So you’re basically deploying listening sensors around the building to detect these things.”

Wireless IDP tools are also hinted at as a best practice in the PCI Data Security Standard, says John Kindervag, senior analyst at Forrester Research. “We see it as a growth area because PCI is encouraging its use for wireless scanning,” Kindervag says.

Prime Considerations and Comparison Points

Integrated versus overlay. Wireless network infrastructure vendors such as Aruba and Cisco provide integrated IDP capabilities, while other vendors offer overlay systems that are deployed and managed separately from the operational wireless system. Infrastructure vendors’ tools are tightly coupled to the vendor’s APs, which perform the dual functions of providing access and scanning for security-related information. However, they cannot perform both functions at the same time, so there are coverage gaps, Pescatore points out. Also, he says, they generally only monitor on the frequencies that the AP itself works on. Meanwhile, overlay systems provide sensors that are 100 percent in “receive” mode and provide full-time security monitoring across all frequencies.

Generally, Pescatore says, companies that want to prevent the use of wireless networks—as well as companies locked into older wireless technologies—should consider overlay products. Those that don’t have the budget for overlay security systems or that have little wireless network exposure or low security demands can meet their needs with an integrated approach, he says.

Paul DeBeasi, analyst at Burton Group, agrees that for the vast majority of enterprises, using a shared sensor is good enough. “The people who are most risk-averse and have the budget should go with a dedicated sensor,” he says.

Chris Roberts, manager of network and security operations at vehicle auction provider Adesa, chose the overlay approach from AirTight Networks because he wanted to separate the data transport function from the security function. “I like knowing that my security product is not also my data transport product,” he says. “At the end of the day, all devices are susceptible to failure, and keeping them isolated—while more expensive—is more pure, and I get much higher value.”

Smart versus thin sensor. There are differences in how wireless IDP sensors and engines work together that can affect how remote management is handled and the bandwidth burden on the network, Burton Group points out. With smart sensors, for instance, part of the data analysis is performed on the sensor, resulting in a reduction of data sent to the analysis engine. A potential downside to this architecture is that the software on the sensors may require upgrades to stay current. With thin sensors, the Burton Group says, data is forwarded to the server for analysis. Although some vendors provide bandwidth management, this architecture does result in more traffic moving across the network and heavier processing loads on the server, Burton Group says.

Wireless Intrusion Detection Dos and Don’ts

DO plan on spending time setting up the tool. For Ryan Holland, network engineer at The Ohio State University, a key success factor of using the wireless IDP system from Aruba was to use the tool’s custom rules to define what a rogue AP is. With the university located close to many shops, apartment buildings and departments that also deploy wireless networks, he narrowly defines rogue APs as those that use the university’s network identifiers but do not appear on the list of APs managed by his organization. “We can see APs from McDonald’s and Panera Bread, but we don’t want to take action against those because they’re our known neighbors,” he says.

With Aruba’s acquisition of AirWave—which provides a rogue detection module within its wireless management suite—Holland says there is even more granularity to the system’s rule customization. For instance, he can define rogues based on characteristics such as signal-level thresholds or whether the AP is connected to both the wireless and wired networks. Holland also likes that once he’s shaped his policies and alerts, the system automatically provides a breakdown, classifying the types of APs on the network. This helped reduce the thousands of APs that the system reported on to about 30. “We could weed out the stuff we don’t care about and report on what we do care about,” he says. “It brings it to a human level.”
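The kind of rule set Holland describes, written out as an added example (not code from the article, Aruba or AirWave): a small classifier that sorts observed APs into managed, rogue, known neighbor, or ignored, using the university's own identifiers, an inventory of managed APs, a signal-level threshold and a wired-connectivity flag. All identifiers, the threshold and the observations are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy data (not real network identifiers).
MANAGED_SSIDS = {"campus-wireless"}                       # our SSIDs
MANAGED_BSSIDS = {"00:11:22:00:00:01", "00:11:22:00:00:02"}  # AP inventory
KNOWN_NEIGHBOR_SSIDS = {"McDonalds-WiFi", "Panera-Guest"}  # neighbors we ignore
RSSI_THRESHOLD_DBM = -75   # assumed policy: weaker signals are outside our space


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    on_wired_lan: bool   # sensor also saw this BSSID's traffic on the wired side


def classify(ap: ObservedAP) -> str:
    """Apply the rules in priority order; the first match wins."""
    if ap.bssid in MANAGED_BSSIDS:
        return "managed"
    if ap.ssid in MANAGED_SSIDS:
        # Uses our network identifier but is not in our inventory: rogue
        # (this is the narrow definition Holland describes).
        return "rogue"
    if ap.on_wired_lan:
        # Unknown AP bridged onto our wired network: rogue regardless of SSID.
        return "rogue"
    if ap.rssi_dbm < RSSI_THRESHOLD_DBM:
        return "ignored"       # too weak to be on our premises
    if ap.ssid in KNOWN_NEIGHBOR_SSIDS:
        return "neighbor"      # known neighbor, no action
    return "unknown"           # strong, unrecognised, not on our wire: review


def summarize(observations):
    """Count APs per class, the breakdown a weekly report would show."""
    counts = {}
    for ap in observations:
        label = classify(ap)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed observations standing in for one sensor sweep.
SAMPLE_SWEEP = [
    ObservedAP("00:11:22:00:00:01", "campus-wireless", -50, False),  # managed
    ObservedAP("aa:bb:cc:dd:ee:01", "campus-wireless", -60, False),  # evil twin
    ObservedAP("aa:bb:cc:dd:ee:02", "linksys", -55, True),           # on wire
    ObservedAP("aa:bb:cc:dd:ee:03", "McDonalds-WiFi", -70, False),   # neighbor
    ObservedAP("aa:bb:cc:dd:ee:04", "Panera-Guest", -88, False),     # ignored
]
```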

Jon Covington, senior network engineer at UCLA Medical, says the university dedicates a full-time resource to leverage the Motorola AirDefense tool. “We want to know what that button does, what that bell or whistle does,” he says. “There are also levels above myself who need to know there’s good ROI and TCO, that it’s not just a gadget.” It’s been worth it, he says. “We’ve been able to draft a security policy with teeth behind it to comply with HIPAA standards,” he says.

Covington also agrees that it takes time to work with the system to help make sense of the volumes of data collected. “As it listens, it records everything it sees, but you only have a fixed volume of disk space,” he says. “You have to be aggressive about knowing what you want.”

In this way, he says, wireless IDP is not for the faint of heart. Covington estimates that in two years time, his group has graduated to using about 65 percent of the tool’s features. “You can’t just hang it up and let it run by itself,” he says. “To get the ‘wow’ experience, you have to work with it.”


DO consider integration with a management tool. Pescatore recommends that the security and operations groups try working together on choosing a system that covers both wireless monitoring and security. That’s because once the company decides to fully support wireless, it’s not long before the help desk begins getting calls from users unable to get on the network, and operations needs to determine what the problem is—whether it’s the access point, interference or the client PC. Air Magnet is a vendor that originated on the performance and capacity side of the house and added security capabilities, he points out.

Roberts says AirTight’s management capabilities were a big reason he was able to justify the cost of an overlay solution, especially in his outdoor environment, where installation of wireless IDP and access points was particularly costly, requiring the use of a scissor lift and specialized personnel.

“When we made the decision to use a standalone system, we knew we were going to absorb extra costs to do the job,” he says. However, because AirTight’s system also performs management tasks, Roberts says he found $40,000 in cost savings in not having to install wireless analyzers, which sell for about $1,000 per device.

“With AirTight sensors, they give you direct access to data, so you’re pulling packets out of the air and bringing them down to the software analyzer on the PC. You’re getting two features that the industry hadn’t put together before.” Adesa network engineers also love having the ability to do real-time troubleshooting with clients, he says.

At Ohio State, the Aruba sensors send data to the AirWave controller, which provides monitoring, reporting, configuration, visualization and rogue detection. Although Holland has not yet taken advantage of all these capabilities, he can see its future potential in the university’s decentralized environment. For instance, if another department that uses a different wireless infrastructure vendor like Cisco wants to be managed by Holland’s centralized services group, he could accommodate that because AirWave works with multiple vendors. “We’d be able to manage it from one place,” he says.

DON’T overlook the impact on bandwidth. Holland says it’s important to balance data granularity with bandwidth concerns. While the Aruba system isn’t bandwidth-intensive, he says, it does add management overhead and additional processing on the controllers, “so you need to consider whether the network can support that increase,” he says.

This is especially true in organizations with remote offices. “If you have a field location with a 180-kilobit link back to headquarters and the sensor starts using the entire 180 kilobits, you can’t live that way,” Pescatore says. If you have low-bandwidth networks, you should focus on vendors that do more processing at the access point and reduce data on the network.

DON’T expect precision from location services. Many wireless IDP tools offer location services, which rely on triangulation technology to estimate the physical location of a wireless device, ensuring accuracy within three meters if three access points can detect the signal, according to InfoTech.

Some have also added location and zone-based authentication, which enables clients to access data from specific APs on the network or create authentication zones based on client location. This technology is in high demand, according to InfoTech.

However, Holland points out that a product’s location capabilities are completely dependent on sound design. At the university, for instance, he says the APs are placed in such a way that they’re unable to determine rogue location through triangulation.

Indeed, while vendors claim they can give you the precise location of rogue or misconfigured APs, Pescatore says, they are more likely to narrow it down to a couple of cubicles or the corner of a building. That’s because there are many things in buildings, like metal, that can block AP signals, and placement often has more to do with where you have power or Ethernet connections than optimal triangulation. As Pescatore says, “don’t fall in love with location abilities.”
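To make the placement point concrete, here is an added example (not from the article or any vendor) that goes slightly beyond the text: it converts a sensor's RSSI into an estimated range with a log-distance path-loss model and trilaterates a transmitter from three sensors, returning no fix when the sensors are collinear, which is the case Holland and Pescatore describe where placement defeats location. The path-loss parameters, sensor coordinates and signal values are assumed sample numbers.

```python
import math


def path_loss_distance(rssi_dbm, rssi_at_1m_dbm=-40.0, exponent=3.0):
    """Log-distance path-loss model (assumed parameters): RSSI -> metres.
    Indoor metal and walls make the exponent unreliable, which is one reason
    real fixes land on a 'couple of cubicles' rather than a point."""
    return 10 ** ((rssi_at_1m_dbm - rssi_dbm) / (10 * exponent))


def trilaterate(sensors, ranges):
    """Estimate (x, y) from three sensor positions and ranges (metres).
    Subtracting the circle equations pairwise gives a 2x2 linear system;
    a near-zero determinant means the sensors are (nearly) collinear, so
    the two mirror-image solutions cannot be told apart and we return None."""
    (x1, y1), (x2, y2), (x3, y3) = sensors
    r1, r2, r3 = ranges
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-6:
        return None
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def locate_from_rssi(sensors, rssi_values):
    """Convenience wrapper: RSSI readings at each sensor -> position or None."""
    return trilaterate(sensors, [path_loss_distance(r) for r in rssi_values])


# Constructed layouts: sensors spread across a floor versus along one corridor.
GOOD_LAYOUT = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
CORRIDOR_LAYOUT = [(0.0, 0.0), (10.0, 0.0), (20.0, 0.0)]
TRUE_POSITION = (3.0, 4.0)   # where the constructed rogue AP actually sits


def ranges_to(sensors, point):
    """Exact ranges from each sensor to a point (used to build sample data)."""
    return [math.dist(s, point) for s in sensors]
```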

Holland was able to use Aruba’s location services and time stamps to aid with an investigation into a student who was spamming university e-mail accounts. “It helped the detectives to be able to say, ‘We know you were here at this time,’” he says. “With that information, it’s hard for the attacker to deny what he did.”

Roberts says he was impressed with the location services that AirTight inadvertently was able to display during a product demo. The tool detected a rogue AP three offices away that—it turned out—his team had installed during another test a month before and had forgotten to dismantle. “They were just four feet away from the actual location,” he says.

DO use automatic prevention sparingly. Holland does not use Aruba’s automatic prevention capabilities at all. Instead, he reviews weekly reports that classify rogue APs detected on the network. He investigates these instances as to when they were discovered, by which APs, signal strength and duration on the network. If it’s warranted, his group goes to the site where the rogue was detected for a physical investigation. “Experience has shown that most cases are someone misconfiguring their laptop when they’re trying to connect,” he says.

Holland can also remotely “contain” APs that meet certain criteria, which protects users from joining that AP while Holland’s group begins an investigation.


DO consider ease of use, ownership and operation. Roberts says AirTight’s automated management and setup features, including automated entry of known devices and access points, were a big reason he eventually selected that product. With 800 access points, it could take 15 minutes per device to log in, review log data and detect vulnerabilities, not to mention security audits. With AirTight, however, device management does not even require a full-time position. “It’s part of the wireless person’s job, requiring about 20 percent of their time,” he says. “AirTight’s automation has been in the high 90 percent range.”

“Now that wireless is pretty well accepted, people are finding out they don’t always need the best system in terms of security; they need one they can afford,” Pescatore agrees. Examine available tools for their reporting, user interface and the additional information they provide to help isolate issues such as denial-of-service attack versus interference from a leaky microwave, he says.

Covington says he appreciates Motorola AirDefense’s user-friendly reporting capabilities. While other tools require you to export data into a separate reporting system, it enables you to build the visual graphics that executives prefer, customize reports and send them easily to the people who need to see them. For the features that are less intuitive, he says his group works with Motorola directly to point out where they could increase ease of use. “Without that feedback, they wouldn’t know,” he says.

DON’T overlook nonsoftware costs. When it comes to wireless IDP cost, hardware is only one element, Roberts says. It’s easy to overlook the cost of cabling, solar panels and battery packs to power the sensors, especially for outdoor implementations. “It’s not the hardware costs you need to be concerned with,” he says. “It’s the electrical costs of providing power and connectivity back to the network.”

DO evaluate new wireless technology coverage. As new wireless technologies such as 802.11n, WiMAX and 3G cell data services appear, users bringing rogue APs to the workplace will once again become more prevalent, as in the early days of wireless, Pescatore says.

“There are faster forms of wireless working their way in beyond 802.11 and WiFi,” he says. Air cards are another element that employees or visitors may introduce through their laptops, either inadvertently by leaving them running or purposefully to bypass URL blocking. Some wireless IDP tools do detect these newer technologies, while others don’t, Pescatore says.