Cisco beefs up WIPS capabilities

Adds time-slicing security option to APs

Cisco has enhanced its Adaptive Wireless Intrusion Prevention System (wIPS) so that its Wi-Fi access points can both forward traffic and scan for security anomalies. The company contends that the move should make it more affordable for enterprises to add the wireless intrusion prevention capabilities required to better protect their airwaves.

The new Enhanced Local Mode (ELM) is available as a free software download to Cisco 802.11n APs. ELM lets the AP serve as a security sensor in a time-sliced configuration, alternating from data forwarding mode to monitoring mode, explains Chris Kozup, director of mobility and borderless networks marketing at Cisco.

Previously, Cisco enterprise customers deployed dedicated APs for forwarding and separate sensors for security scanning, though they could purchase a single device and configure it in either mode they chose.

By combining the scanning and forwarding functions, Cisco knocks off some of the capex associated with securing a Cisco wireless LAN environment by reducing the overall number of devices required. Cisco cites up to a possible 50% reduction in capex.

Note that as a general rule of thumb, most large enterprises would deploy one sensor for every three to six APs, not in a one-for-one configuration. In 3:1 and 6:1 deployments, then, the decrease in capex would be about 33% and 17%, respectively.

However, Cisco made its announcement in the context of the recent National Retailer Federation show, where the need to affordably comply with the latest Payment Card Industry Data Security Standard (PCI DSS) standards was rampant. It's more likely for small retail branches to require just one or two APs for coverage and capacity but also want a device for security monitoring. So in these environments, the 50% capex savings is plausible.

Cisco advises that PCI DSS -- which now requires not only over-the-air data encryption, but also network admission control and the ability to associate a cable connection with a legitimate device -- is a good start for securing customer and transaction data across wireless networks. But it isn't comprehensive enough on its own to truly secure the wireless networks of retailers and others.

Kozup says: "We're making it more cost-effective to get beyond [just] the PCI DSS checkbox" with WIPS monitoring, which can find rogue devices attached to the network and signature-based attacks.

The company also indicated in an announcement document that ELM should obviate the need for overlay, third-party wireless security systems. Such offerings are available from the likes of AirMagnet, AirTight Networks and AirDefense/Motorola.

That presumption will likely raise the hackles of these companies, which believe that part-time monitoring such as is being supported by ELM is likely to miss anomalies and render networks less secure. A recent white paper by AirMagnet, for example, estimates that shared sensors using time slicing listen for intrusions for less than 1 second per minute. As a result, they are likely only to catch obvious problems identifiable by a single packet or two, the paper deduces.

But if the overlays are too expensive, is it better to get "partial" security by investing in fewer devices that each serve two masters? That's a philosophy battle likely to persevere, though Cisco clearly feels the answer is "yes."

Says Kozup: "Does finding an [anomaly] .1 seconds faster justify a whole overlay network? We advocate that no, it doesn't."

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Must read: 10 new UI features coming to Windows 10