Understanding Wireless Intrusion Prevention Systems

By Chia Chee Kuan, CTO, SVP of engineering, AirMagnet, special to Network World
February 14, 2011 11:28 AM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

While the 802.11i -- or WPA2 -- wireless security standard does a fine job of authenticating users to the corporate network and encrypting both authentication and user data over the air, many of the latest wireless security threats aren't specifically related to authentication.

Today's Wi-Fi threats revolve more around client devices and rogue APs with custom embedded attack systems and are usually detectable only in the air. Enterprises need a way to uncover and thwart unwanted attempts to inject denial of service attacks, lure Wi-Fi client devices to malicious APs, piggyback onto a user's already established wireless connection, and more.

Detecting all of this activity requires a smart monitoring system that scans the WLAN channels, notifies personnel of suspicious activity and, in some cases, automatically blocks the activity it discovers. Wireless Intrusion Prevention Systems (WIPS) are the most popular and effective approach to securing and monitoring an active corporate WLAN.

WIPS solutions use one of three fundamentally different architectures, each offering distinct tradeoffs that should be part of any security assessment. Which one is right for you will depend on the individual emphasis put on cost, security and vendor lock-in.

The first and most rudimentary WIPS architecture leverages an access point's (AP) existing radio for WIPS scanning. In other words, the AP momentarily slips from serving connectivity to Wi-Fi clients, to scanning for intrusion, and back to serving clients. In this approach, Wi-Fi APs are doing double duty: as APs forwarding traffic and as security sensors scanning the air for anomalies.

This shared approach is called time slicing, because a WIPS module gets a very small time slice (or RF sample) from the AP radio to conduct its security scanning. The impact of the WIPS time slice on wireless client service is designed to be minimal, both in terms of performance and infrastructure, allowing an organization to implement WIPS functionalities at a very low cost. The main advantage (or pro) to this approach is exactly that -- low cost WIPS functionality. However, that low cost can come at a huge price.

Time slicing uses limited scanning, usually sampling less than one second out of every minute. So for 98%-plus of every day -- 23 hours and 36 minutes -- there is essentially no wireless security scanning being conducted. As a result, the time-sliced configuration can only catch problems that are obvious and can be conclusively identified from a single packet or two -- situations that are few and far between. Of course the hope is that an exploit or attempt will span multiple time slices and so be detected.

Yet many of today's worst exploits use quick hits to get in and out, making this security approach a roll of the dice. Because of this weakness, major WLAN infrastructure vendors have all moved away from claiming this architecture is a good WIPS solution, although it is still available on the lower end.
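To make the coverage argument above concrete, here is an added model (example code, not from the article or from AirMagnet) that computes how likely a time-sliced radio is to observe an event of a given duration. It assumes a one-second scan slice per minute rotated across the 11 2.4 GHz channels; the slice length, period, channel set and event durations are constructed inputs, not figures from the article.

```python
"""Coverage model for a time-sliced WIPS radio.

Added example, not from the article. Constructed assumptions: the AP radio
leaves its service channel for one scan slice of `slice_s` seconds every
`period_s` seconds and rotates through `channels` in order, so any single
channel is revisited every period_s * len(channels) seconds. An attack
emits frames continuously for `event_s` seconds on one channel and counts
as detected if any part of a scan slice on that channel overlaps it.
"""
import random

CHANNELS_2G = list(range(1, 12))  # 2.4 GHz channels 1-11 (constructed set)


def unscanned_seconds_per_day(slice_s, period_s):
    """Seconds per day during which the radio is not scanning at all."""
    return 86400 * (1 - slice_s / period_s)


def detection_probability(event_s, slice_s, period_s, channels):
    """Probability that an event starting at a uniformly random moment
    overlaps at least one scan slice on its own channel. Slices on that
    channel recur every `revisit` seconds, and the event overlaps one iff
    its start lands in a window of width event_s + slice_s per rotation."""
    revisit = period_s * len(channels)
    return min(1.0, (event_s + slice_s) / revisit)


def simulate_detection(event_s, slice_s, period_s, channels, channel, trials, seed=1):
    """Monte Carlo cross-check: drop the event at a random start within one
    full channel rotation and test for overlap with a slice on `channel`."""
    rng = random.Random(seed)
    revisit = period_s * len(channels)
    offset = channels.index(channel) * period_s  # first slice on this channel
    hits = 0
    for _ in range(trials):
        start = rng.uniform(0, revisit)
        end = start + event_s
        # Only the rotations that can touch [start, end) need checking.
        for k in range(-1, int(end // revisit) + 2):
            s0 = offset + k * revisit
            if s0 < end and s0 + slice_s > start:
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    slice_s, period_s = 1.0, 60.0  # the article's "under a second per minute"
    print(f"unscanned per day: {unscanned_seconds_per_day(slice_s, period_s):.0f} s")
    for event_s in (2, 30, 300, 3600):
        p = detection_probability(event_s, slice_s, period_s, CHANNELS_2G)
        print(f"{event_s:5d} s event on one channel: P(detect) = {p:.1%}")
```

A two-second burst on one channel is seen less than one time in two hundred under these assumptions, while an hour-long event is almost always caught, which is the difference between the "quick hit" and the multi-slice exploit the article contrasts.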
