Intrusion prevention strategies for 11n

* Accuracy and cost are among top WIPS criteria

There are several ways to scan your 802.11n air environment for nasty goings-on. At a glance, the options seem pretty straightforward. However, you need to look carefully under the hood to draw a true apples-to-apples comparison of the accuracy and cost of the various offerings.

Wireless intrusion prevention systems (WIPS), of course, are intended to keep unauthorized devices from connecting to your wired and wireless networks. WIPS can also keep your internal wireless client devices from associating with unauthorized (and potentially dangerous) access points (AP). You can get WIPS capabilities in three primary ways:

* Already baked into the 802.11n system you procure

* As a third-party system overlay system that you connect to your wireless LAN

* As a WIPS "software as a service" (SaaS)

In the days of 802.11a/b/g networks only, option 2 (the overlay) was pretty much it for dedicated WIPS alternatives. True, some vendors’ APs would use time-slicing mechanisms allowing the AP to shift back and forth between jobs as a data-forwarding device and a sensor. In fact, some still use time slicing, and some even offer the capability free of charge with their systems.

Most, though, have begun dedicating sensors to security scanning, because the time-slicing approach leaves the airwaves vulnerable for brief periods when the device is in AP mode.

So the first question to ask yourself: Is a part-time WIPS function secure enough? If not, what system or service offers the highest degree of protection? And are you willing to pay for it?

Full-time scanning is the way to go if you can afford it. From there, some systems might simply be more accurate than others.

Pravin Bhagwat, CTO of WIPS maker AirTight Networks, points out that there are several types of APs that a system should be able to identify:

* APs in bridge mode

* APs in Network Address Translation (NAT) mode

* Open APs

* Encrypted APs

* APs that use adjacent MAC addresses for their radio and wired interfaces

* APs that use completely different MAC addresses for their radio and wired interfaces (usually consumer-grade APs)

* APs with different combinations of the above traits

Bhagwat, whose company sells a dedicated overlay sensor system, a WIPS SaaS, and provides a WIPS module that began shipping last month for HP ProCurve WLANs, asserts that it’s rare for a vendor to be able to identify and classify all of them.

This often results in false negatives, false positives, or both. So this is something to discuss with your potential WIPS vendor, whether that vendor is also the maker of your 11n equipment or a third-party sensor company like AirTight or AirMagnet.

And don’t assume that an overlay WIPS system is necessarily more expensive than an integrated one. Vendors can get pretty creative with their math, as I’ve learned in my own research, which I’ll share with you in the near future.

Meantime, I’d like to ask for your help in my research: If you are using a WIPS system, approximately what percentage of its alerts are false positives? False negatives? Please e-mail me with information about your WIPS experiences and let me know if you are on or off the record.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10