The what, why and how of wireless intrusion-prevention systems

When wireless technology made it possible to extend enterprise networks over the airwaves, it also opened the networks to additional security threats -- such as rogue access points, denial-of-service attacks and MAC address spoofing. To combat these threats, many organizations implemented wireless intrusion prevention systems to protect against unauthorized access to secure resources.

But wireless intrusion prevention systems (WIPS) don't come cheap, and they're not 100% foolproof. An organization that implements multi-tiered security on its LAN but no security on its wireless network is like a family that locks its back door with a dead bolt but leaves the front one wide open.

What is a WIPS solution?
A WIPS solution serves two primary purposes: intrusion detection and intrusion prevention. Intrusion detection is the process of monitoring the wireless network for possible threats, logging information about observed events and reporting those events to security administrators. Intrusion prevention is the process of taking the steps necessary to stop possible threats.

Such systems can vary widely in terms of architecture, the types of threats they guard against and the steps taken to stop those threats. The most effective systems are generally those that overlay the existing wireless network with a dedicated application whose sole purpose is to mitigate malicious events. Most of these systems share the same fundamental components:

  • Sensors -- scanners that monitor the radio spectrum and report their findings back to a central management server. The number of sensors needed depends on the size of the physical area being covered.
  • Management server -- one or more central servers that coordinate the monitoring process and manage the WIPS components. The server receives information captured by the sensors and takes appropriate action based on its analysis.
  • Database server -- a repository for the information captured by the sensors as well as information that supports systems management.
  • Console -- an interface that lets users and administrators manage the WIPS product.

An overlay WIPS solution provides 24/7 multichannel scanning to analyze network protocols, which is essential to identifying possible threats. Still, even the best systems cannot guarantee full protection. They cannot detect certain types of attacks, attackers can sometimes exploit the techniques used by the sensors, and the sensors themselves can be vulnerable to physical attacks, depending on their location. Even so, given the number of threats hitting the airwaves, many enterprises believe that some security is better than none at all.

Why should you implement WIPS?
If an organization uses a wireless network to permit access to secure resources -- and in some cases, even if it doesn't -- it's at risk if it doesn't implement a WIPS solution. Wireless networks face many of the same threats as their LAN counterparts, but also face their own challenges:

  • Rogue access points -- unauthorized wireless access devices connected to the network, such as a wireless router brought in by an employee. These devices can act as easy gateways for would-be attackers, even if the organization has not implemented its own wireless network.
  • Misconfigured access points -- wireless devices incorrectly configured as a result of bugs in the device's software or because of human error. Hackers can detect and exploit such devices and gain access to internal resources.
  • Ad hoc networks -- networks formed by client devices connecting wirelessly to one another. For instance, if an employee connects a laptop to the company LAN but leaves the wireless interface enabled, a hacker can connect wirelessly to the laptop and gain access not only to the computer, but also to resources on the LAN.
  • Denial-of-service attacks -- malicious attacks that disrupt services by jamming frequencies, flooding client-association tables or spoofing authentication mechanisms.
  • Offline dictionary attacks -- attempts to capture wireless data and crack encryption keys. Attackers may then be able to use those keys to access network resources.
  • Man-in-the-middle attacks -- attempts to disassociate clients from access points and re-associate the clients with unauthorized access points. The attackers then try to capture authentication information in order to connect to the enterprise network.
  • MAC address spoofing -- attempts to impersonate client devices whose Media Access Control (MAC) addresses are authorized by an access point. MAC addresses are often broadcast, and hackers can change their MAC addresses to ones that are authorized.

This list certainly isn't complete, but it should contain enough to convince any organization that leaving its wireless network unprotected is asking for trouble -- and that there are plenty of malicious attackers out there happy to oblige.
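To make the sensor-to-management-server analysis concrete, here is an added example (not from the original article or any WIPS product) that sorts sensor reports into the rogue, misconfigured and ad hoc categories listed above by comparing them with an authorized AP inventory. The field names, the `seen_on_wire` correlation flag, the `ssid-impersonation` heuristic and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Authorized AP inventory (constructed sample): BSSID -> (SSID, security).
AUTHORIZED = {
    "00:11:22:aa:00:01": ("corp-wlan", "WPA2-Enterprise"),
    "00:11:22:aa:00:02": ("corp-wlan", "WPA2-Enterprise"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

@dataclass
class Observation:  # one sensor report; field names are hypothetical
    bssid: str
    ssid: str
    security: str
    ibss: bool          # frame advertises an ad hoc (IBSS) network
    seen_on_wire: bool  # assumed: server also saw the device on the wired LAN

def classify(obs):
    """Map one observation to a category from the threat list."""
    if obs.ibss:
        return "ad-hoc"
    expected = AUTHORIZED.get(obs.bssid.lower())
    if expected is not None:
        ok = (obs.ssid, obs.security) == expected
        return "authorized" if ok else "misconfigured"
    if obs.seen_on_wire:
        return "rogue"               # unknown AP attached to our network
    if obs.ssid in CORP_SSIDS:
        return "ssid-impersonation"  # unknown AP advertising our SSID
    return "external"                # neighbouring network, log only

def triage(observations):
    """Return {category: sorted BSSIDs} for everything that needs an alert."""
    alerts = {}
    for obs in observations:
        category = classify(obs)
        if category not in ("authorized", "external"):
            alerts.setdefault(category, set()).add(obs.bssid.lower())
    return {cat: sorted(ids) for cat, ids in alerts.items()}

SAMPLE = [  # constructed sensor reports for illustration
    Observation("00:11:22:AA:00:01", "corp-wlan", "WPA2-Enterprise", False, True),
    Observation("00:11:22:aa:00:02", "corp-wlan", "Open", False, True),
    Observation("de:ad:be:ef:00:10", "linksys", "WPA2-Personal", False, True),
    Observation("de:ad:be:ef:00:20", "corp-wlan", "Open", False, False),
    Observation("02:00:00:00:00:99", "laptop-share", "Open", True, False),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Unknown APs that are neither on the wire nor advertising a corporate SSID are classed as external, which keeps neighbouring networks from raising alerts.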

How much is a WIPS solution going to cost?
Trying to estimate the price tag for a WIPS solution is a lot like buying a car. There's the price of the car itself, and then there are all the hidden costs. In addition to the software package, a fully functioning WIPS can include a number of other expenses:

  • Equipment -- additional appliances and network devices, plus sensors and other specialty gear.
  • Training -- training that's not part of the original purchase agreement, including periodic training that might be needed in the future, such as when new employees come into the organization, software is upgraded or new hardware is deployed.
  • Setup -- installation and configuration labor costs, including both internal and external resources. This also includes costs associated with customization efforts, such as developing custom scripts or reports.
  • Licensing fees -- fees for the WIPS app itself, as well as supporting software, subscription fees, technical support subscriptions and maintenance contracts.
  • Professional services -- special consulting or technical support that's not included in the sales agreement.
  • Labor -- resources needed in addition to those necessary for the initial installation and configuration, such as labor associated with ongoing maintenance, administration and analysis.

According to some estimates, an enterprise supporting 250 wireless access points can spend well over $100,000 to implement WIPS, assuming that it picks an overlay system. There are cheaper alternatives, of course, but you might pay a price in terms of higher risk. In fact, when evaluating the costs of any WIPS solution, look at the possible costs of inadequate protection or none at all should your network be compromised.

There are no easy answers when it comes to determining whether to implement a wireless intrusion prevention system. You must balance risks against costs. But the place to start is to acknowledge that the risks are out there and to recognize that leaving your wireless network unprotected is no better than forgetting to shut the front door.

ABOUT THE AUTHOR:
R.H. Sheldon is a technical consultant and freelance technology writer. He has authored numerous books, articles and training material related to Microsoft Windows, relational database management systems, and business intelligence design and implementation. You can find more information at http://rhsheldon.com.

This was first published in October 2011
