Making Sense Of Wireless IPSes

Choosing the right intrusion prevention system is not a case of one size fits all.

All wireless intrusion prevention system (IPS) vendors claim that their solutions offer comprehensive intrusion prevention. The truth? Each vendor defines wireless IPS differently. Thus, the vendors' products differ in design, attack detection method, and how they deal with attackers. Moreover, one size does not fit all. For example, the best product for a downtown office could be overkill for a suburban campus.

Choosing the Right Wireless IPS Solution for You

Wired and wireless intrusion detection and prevention solutions have a lot in common. Both monitor their surroundings, look for bad behaviour patterns, and act accordingly. Both also seek to minimize false positives and concentrate resources on dealing with real problems. However, that's where the similarity ends. Wired IPSes monitor behaviour of devices already operating on the network and then detect and block potentially harmful activity. In contrast, wireless IPSes seek to ensure that only authorized devices participate in your network.

Consequently, wireless IPS solutions focus primarily on the moment when wireless devices connect to the network, rather than on what those devices do once they've associated with the network. As such, most good wireless IPS solutions work at the data link layer or lower to take into account prevailing circumstances in the wireless environments in which they operate.1 This is especially important in an urban environment where neighbouring offices, homes, and even passing delivery vans - each equipped with wireless access points - play havoc with simpler rogue access point detection solutions.2

Your Pre-RFP Checklist for Wireless IPS

Before creating your list of potential wireless IPS vendors, ask yourself these questions:

» What problem do you really need to solve with wireless IPS? Clarifying your objectives for implementing wireless intrusion detection system (IDS) or IPS will help narrow your list early. Vendors like AirMagnet, Network Chemistry, and AirDefense aim to detect and block egregious behaviour on the WLAN, such as rogue access points or probes from common attack tools like NetStumbler or AirSnort.3 Others, such as AirTight Networks and Newbury Networks, concentrate more on keeping unauthorized wireless devices off the network based on factors like their location.

» What is your wider strategy for wireless infrastructure? A wireless IDS is but one part of a comprehensive wireless security strategy.4 Vendors like Aruba Wireless Networks and AireSpace combine wireless IPS capabilities with wider infrastructure functions, such as performance and device management. However, because these products are less focused, their methods for attack detection and prevention tend to be less well-developed.

» What is your appetite for vendor risk? Many of the vendors currently working in the wireless space are small start-ups. Thus, buyers must expect mergers and acquisitions. The big networking players, such as Cisco, 3Com, and Hewlett-Packard, may eventually move into this space, but buyers should be sceptical - the networking giants will always prioritize functionality and speed over security.

The Most Important Questions to Ask Vendors

Once you've clarified your implementation priorities for wireless IPS and received responses from the vendors on your shortlist, you'll quickly realize that vendors' approaches to the problem differ widely. Here are the four crucial questions you must ask:

1. How does it work? Solutions, such as AirMagnet's, process traffic information at the network sensor. This decreases the required network bandwidth between the sensor and the central server, but it means that managing and updating sensors becomes more critical. AirDefense's and Network Chemistry's wireless IDSes perform preliminary data analysis and cleaning at the sensor before forwarding to a central server for examination. This increases the burden on the network and the central server but allows for more complex correlation of data from multiple access points.

2. How does it detect attacks? Some wireless IPSes primarily use signature-based attack detection. However, the sophistication of these signature-based solutions varies widely. For example, functionality within CiscoWorks Wireless LAN Solution Engine (WLSE) does little more than detect rogue access points. In contrast, AirMagnet, AirDefense, and Network Chemistry augment their signatures with firmware-based detection for more complex denial of service (DoS) attacks. Newbury Networks and AirTight Networks adopt a more policy-based approach to detecting attacks, using databases of known devices and technology for determining devices' physical location to detect unauthorized actions on the wireless network.

3. How does it handle attacks? Wireless IPSes employ many different methods of isolating devices associated with unauthorized activity. Simpler solutions can only deactivate the wired ports on which they find rogue access points. Other solutions, such as AirMagnet's and Network Chemistry's, send "disassociate" or "de-auth" packets either to disconnect clients from unauthorized access points or to target unauthorized clients. More complex solutions, including AirDefense's and AirTight Networks, identify the make and model of the attacker and send a combination of packets that will target that device most effectively to maximize the length of time before it can launch another attack.5

4. Whom does the vendor partner with? The web of partnerships among wireless IPS, wireless networking, and other vendors is complex. Ensure that the partners with whom your shortlist vendors interoperate work to your advantage more easily. For example, AirMagnet has well-established partnerships with AirLink Communications and Wavelink, and AirDefense has recently announced a partnership to integrate its offering with Cisco's Aironet WLAN infrastructure product. Confusingly, vendors often resell each others' components on an OEM or cobranded basis; wireless IPS products from Newbury Networks and Bluesocket incorporate Network Chemistry's sensors.

Recommendations:

One Size Does Not Fit All

Finding the right wireless IPS for your environment depends on a number of factors, such as users' connection methods, corporate security standards, and the size of your budget.

» Establish your wireless priorities. The best product for you will depend on your wireless policy.6 If you have a no-wireless policy, or if you run an open wireless network that requires a VPN client to connect to corporate resources, then you must make rogue access point detection your top priority. For a locked-down WLAN that acts as part of the corporate network, you should instead worry most about mitigating attacks on clients and access points.

» Choose a system that fits your network and physical environment. Evaluate the technical strengths and weaknesses of products relative to your environment. An office in a crowded urban environment will require a more sophisticated solution for distinguishing neighbouring wireless network activities from genuine attacks than a suburban campus environment will. Also, if interoffice network traffic is already crowding your wide-area network (WAN), choose a more decentralized solution.

» Consider hidden costs. When comparing costs of different wireless IPS solutions, remember to include the cost of installing new network hardware. If the solution requires separate IPS sensors, installation costs can be significant because the sensors often need to be deployed in inaccessible places. In these hard-to-reach places, power over Ethernet (PoE) can bring costs down significantly.7 You should also consider the cost of hardware and software you'll need to support any central server-based data processing the solution requires. 

Endnotes

1 The term "data link layer" refers to the Layer 2 of the International Organization for Standardization's (ISO) 7 Layer Open System Interconnect (OSI) Model. For more information on the OSI Model, see www.webopedia.com/quick_ref/OSI_Layers.asp.

2 There are a number of methods for identifying rogue access points, ranging from handheld devices to existing network components performing regular scans. See the May 12, 2003, IdeaByte "Identifying Rogue Access Points And Protecting The Wireless LAN."

3 Wireless attacks are one of the biggest threats facing businesses today.

4 Authentication, authorization, and encryption are also essential components in a comprehensive wireless security architecture. See the December 18, 2003, Planning Assumption "Wireless LAN Security: Best Practices".

5 Once a client has disassociated from an access point, the client's system will automatically continue to try to reconnect. To minimize the effort needed on an ongoing basis to stop the client from reconnecting, more complex solutions customize the method they use to terminate the connection depending on the devices involved.

6 A set of policies to control wireless devices in its environment is critical to safeguard valuable corporate network resources.

7 PoE injectors cost around $50 each, plus installation costs. A good ROI calculator for PoE can be found at www.powerdsine.com/roi/roi.asp.

Join the newsletter!

Error: Please check your email address.

More about 3Com Australia3Com AustraliaACTAirMagnetAironetCiscoHewlett-Packard AustraliaIPSISOPLUSPowerDsineSpeedWavelink Communications

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Paul Stamp

Latest Videos

More videos

Blog Posts

Market Place