Cisco gives its Wireless IPS features a major overhaul and comes out swinging

Cisco recently released a major overhaul of its Wireless IPS capabilities that it calls Cisco Adaptive WIPS. This upgrade seems timely given the recent flurry of news around wireless security vulnerabilities. The new system integrates features into the Cisco Unified Wireless framework that were previously only found in specialized wips vendors like airdefense. According to Cisco this means,

Cisco Adaptive Wireless Intrusion Prevention System (IPS) employs network analysis and signature-based techniques to protect against rogue access points and clients, network reconnaissance, eavesdropping, authentication and encryption cracking, man-in-the-middle attacks, wireless DoS attacks, and zero-day unknown attacks. It also provides automated wireless vulnerability and performance monitoring that persistently scans the wireless network to ward off attacks.
Another thing that really makes Cisco’s adaptive WIPS solution stand out is that it supports true 802.11n defense by utilizing Cisco’s 802.11n APs as wips sensors. No other WIPS vendor has this functionality yet. Cisco’s legacy wips solution only included a handful of signatures but it did have its advantages, one big one was an AP could be both a wips AP and a client AP simultaneously. The new system, because of the power required to run full blown wips, requires dedicated monitor mode APs (sensors) to be deployed. Almost any Cisco AP can be made into a monitor mode AP (sensor) for WIPS but then it can no longer service clients, its sole job is to defend against wireless attacks. The good news is that you can still mix and match dedicated monitor mode AP with legacy WIPS APs throughout your network giving you the best of both worlds. Now for the details... Cisco adaptive WIPS uses the same gear you probably already have deployed for your cisco unified wireless solution. The pieces you’ll need are unified (LWAPP) APs that are dedicated for WIPS, wireless lan controller (WLC), Wireless control System (WCS), and the mobility services engine MSE3310 with Adaptive Wireless licenses. The diagram below shows how each interacts:

Given that all WIPS monitoring, configuration, and reporting is done through your WCS, it gives you a one-stop shop for all your wireless monitoring and reporting. This means that WIPS data can be combined with spectrum analysis (spectrum expert) data and location tracking data to give you a fully unified view of how, what, and where things are happening. For example the WIPS is picking up a hacker in area A and spectrum expert is also detecting severe wireless interference in that same area. This could be a two-pronged attack, wireless hacking and wireless jammers in use. Then using location services it can pin point where he hacker client and wireless jammers are physically located (like GPS). It is sort of like a wireless self-defense system. Let’s get into the WCS screen shots of the WIPS solution. This shot shows the top security issues and the security index. The index is a number from 1-100 with 100 being the most secure.

Here is a look at the rogue AP security summary screen. It includes malicious rogues, friendly rogues, adhoc and unclassified rogues.

For each rogue AP or group of APs detected you have several options as shown in the figure below.

The next two shots show a summary of WIPS attacks detected

One of the most useful features of the WIPS solution is its robust attack dictionary and help system. Most people don’t know what a DoS: CTS Flood is. That is ok and expected in WCS. When you click on an alarm it gives you a very detailed description of what is happening, like shown below:

Additionally you can click the help button and get a full attack description and possible causes. It also provides a very nice graphical view of the attack flow like shown below (click to get a non-compressed image):

The WIPS alarm data also includes a forensic packet capture formatted in pcap so you can view it in wire shark.

Configuring Adaptive WIPS is fairly straight forward. You create one or more WIPS profiles that are attacked to SSIDS, etc. Then within each profile you select what attacks you want to look for. You then have the ability to tune each signature as appropriate for that profile/location. See below screenshot, click for a full view.

The WCS has a built in PCI Compliance report. This report goes through the 12 requirements of PCI and does a wireless centric audit and report. Here is a screen shot of requirement 4 (click for full view):

It is important to note that wireless IPS systems only defend against attacks targeted at the wireless system, unlike network IPS systems that protect against worms, malware, and other network or host based attacks. See my previous article to learn how Cisco Network IPS collaborates with Cisco Unified Wireless Controllers. The WIPS solution requires 5.2 code and is licensed on the MSE3310 by number of monitoring APs (sensors) with a max of 2000. No license based on a per wips feature is required, one license give you full functionality. There is lots more I didn’t cover like rogue AP map view, location based services, and all of the various wired and wireless containment and mitigation options available. Just not enough time to cover everything. For more info on Cisco Adaptive WIPS go here: So will you give Cisco a look for your WIPS solution?

The opinions and information presented here are my personal views and not those of my employer.

More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google's Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.






Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)