Avoid ‘false positives’ during Wi-Fi intrusion monitoring

Recently, a “Wireless in the Enterprise” reader reported being forced to disable intrusion-prevention monitoring within shared, multi-tenant locations because the wireless scanning system was generating a confusing abundance of red herrings, or “false positives,” from neighboring access points.

The thought of anyone forced to turn off security caused my anxiety level to spike.

It turns out that economics preclude the use of a third-party overlay monitoring system at the reader’s company, which opted instead for a combination access point (AP)/scanning system built by its Wi-Fi systems vendor. This is a pure example of the “insurance policy” nature of network security, which boils down to balancing how much you invest with the potential impact of a compromise to your organization.

You can fix the red herring problem if you are willing to spend a bit; you have to decide how much security you can justify “buying.” Most of today’s overlay systems support policy enforcement engines that automatically discover and classify nearby devices that aren’t connected to your network as unauthorized but not troublesome. Once the device has been classified as non-threatening, the system doesn’t continue generating alerts about its existence.

Among the vendors providing such systems are AirDefense, AirMagnet, AirTight Networks, Highwall Technologies, Network Chemistry and Newbury Networks. (AirDefense and AirTight are currently in patent litigation over a different component of their systems, the remote security event-filtering and transmission mechanism.)

A Network Chemistry system, for example, would identify all known APs as authorized, then use a variable such as signal strength to differentiate between threatening devices in the facility and non-threatening neighboring devices, explains Brian deHaaf, vice president of product marketing.

“For example, any AP with a signal weaker than -70db might be known to be outside of the facility. A stronger signal might indicate that it is inside the facility and, if not authorized, is a threat to be addressed.”

The automatic classification of unknown APs as rogue APs by some systems can also be problematic, adds Sri Sundaralingam, director of product management and technical marketing at AirTight. The reason is that someone with a handheld wireless analyzer will have to find and check all the “unknowns,” which can cause a scalability problem, he says.

Dilip Advani, technical marketing engineer at AirMagnet, has some advice that could fit my reader’s budget. He observes that the reader’s neighboring tenants should also be concerned that their devices are leaking wireless signals.

“Ideally, neighboring stores could resolve this diplomatically by sharing their network information to come up with a wireless non-interfering environment,” he suggests. “This might require neighbors to change channels, lower their power settings” or make other network adjustments, he notes.