These are the questions to ask when selecting a WIPS to rapidly and reliably detect, classify, locate, and react to incidents that impede WLAN security, performance, and operation.
Even though every Wi-Fi certified product can now deliver robust, authenticated, encrypted wireless, mission-critical use by diverse devices raises the stakes, demanding vigilance to detect not just threats but also performance and operational issues. Wireless intrusion prevention systems (WIPS) can help by providing efficient 24/7 surveillance of distributed wireless LANs.
According to Gartner, global WIPS revenue spiked 50 percent last year, topping $270 million. In fact, the WIPS market is growing faster than the entire WLAN infrastructure market, driven by larger business WLAN deployments and regulations such as PCI DSS that mandate detection of unauthorized "rogue" devices.
In this buyer's guide, we examine capabilities and features offered by dedicated WIPS products. Although organizational risk tolerance varies, we look at questions every business should ask when selecting a WIPS to rapidly and reliably detect, classify, locate, and react to incidents that impede WLAN security, performance, and operation.
Most WIPS products were launched nearly a decade ago when early Wi-Fi adopters encountered a plethora of security threats. From key cracking to misconfigured and uninvited access points (APs), WLANs became an easy target for intruders.
While periodic manual scans ("net stumbling") could detect nearby active APs, they missed the vast majority of Wi-Fi activity and thus threats. As WLANs grew, manual scans became increasingly inefficient. Wi-Fi trailblazers in healthcare and retail clamored for centralized, automated visibility; vendors such as Motorola's AirDefense, Fluke Networks' AirMagnet, AirTight Networks, and Idealab's Newbury Networks rushed to fill that need.
Like wired network IPS, early wireless IPS products were purpose-built and dedicated. Using a network of sensors to observe Wi-Fi throughout a business, a WIPS server could deliver more comprehensive surveillance, using signatures, behavior analysis, and ACL/policy comparison to spot threats. Operators could use WIPS consoles to centrally monitor, investigate, and report on alerts; for example, dispatching staff to find and remove rogue APs installed by employees without permission.
Dedicated vs. integrated
When WLAN controllers began to emerge, they leveraged their network insight and control to deliver limited surveillance. Most APs can now detect rogues on the same channel or periodically scan other channels. Like manual scans, AP-based scans miss activity and threats. But these automated scans are certainly more efficient than manual scans, and arguably less expensive than a dedicated WIPS.
To address broader needs, enterprise WLAN vendors started to buy WIPS technology. Aruba acquired Network Chemistry, Motorola acquired AirDefense, Juniper/Trapeze acquired Newbury. Even Cisco moved beyond its controller-based WIPS, releasing a dedicated "aWIPS." As integrated products matured, their threat visibility improved. In particular, all learned how to convert APs into full-time WIPS sensors as needed.
In parallel, dedicated WIPS vendors started to leverage WLAN infrastructure by pulling authorized device lists from controllers and complementing sensor observations with AP scans. Such tactics helped dedicated WIPS maintain advantages such as comprehensive threat detection and more accurate locationing.
Today, market boundaries are blurred. For example, Motorola AirDefense can monitor other-vendor WLANs using sensors, or Motorola WLANs using APs or sensors. AirTight SpectraGuard remains an infrastructure-independent dedicated WIPS, but can also run on HP ProCurve infrastructure. In short, dedicated versus integrated WIPS have given way to myriad hybrid approaches. To facilitate apples-to-apples comparison, this guide focuses on capabilities and features found in today's dedicated WIPS products.
Service assurance and efficient operation
Security concerns drove early WIPS sales, but full-time distributed WLAN surveillance can also help to detect operational and performance issues in near real time. In fact, the same root-cause incidents can easily end up impacting all three areas.
For example, an AP that fails back to defaults may be missing policies that require 802.1X authentication and AES encryption. But that AP may also be missing QoS policies for voice/video handling or RF channel/power settings that avoid co-channel interference. For some organizations, service-affecting incidents like this may have significant business impact and justify dedicated WIPS investment.
Similarly, wireless intrusion detection is often accompanied by automated prevention; that is, WIPS-initiated actions to insulate the network and users from further harm. But automated actions can also remedy some performance and operational problems before help desk calls start -- if not directly, then by escalating trouble tickets for rapid attention.
For these reasons, a dedicated WIPS can be well-positioned to react to security, performance, and operational events, leveraging a consolidated sensor network, server platform, and rule set, along with interfaces to WLAN controllers, wired switches, network managers, and trouble-ticketing systems. While a dedicated WIPS may not solve all problems in isolation, it can bring rapid visibility and focused attention to a variety of service-impacting events.
Use case and deployment requirements
Given this understanding, it's time to identify your own business needs and how a WIPS might be helpful. In its July 2011 MarketScope for Wireless LAN Intrusion Prevention Systems, Gartner identified four common WIPS use cases:
- Reactive detection and investigation of malicious Wi-Fi traffic, such as Evil Twin, man-in-the-middle attacks, and denial of service (DoS) attacks.
- Proactive vulnerability management to stop intruders from exploiting misconfigured APs and weakly defended consumer-grade end user devices.
- Overall WLAN operation and health monitoring to ensure service availability and quality of service required by mobile business users and applications.
- No-wireless-zone enforcement in selected areas of schools, government agencies, or other facilities worried about unapproved voice/video relay over Wi-Fi.
Intended use directly impacts product fit. For example, dedicated WIPS is needed if you are seeking no-wireless enforcement, while integrated WIPS may be sufficient to monitor WLAN operation. In addition, your desired deployment model and existing WLAN infrastructure will influence WIPS selection:
- Most dedicated WIPS are designed for on-premises server deployment in data centers, but a few can also be delivered as a cloud service. The latter can be attractive to SMBs and businesses with numerous small branch offices (e.g., retail).
- Integrated WIPS products may or may not be capable of monitoring other-vendor APs. While dedicated WIPS products cater to heterogeneous WLANs, not all can leverage your APs as sensors or understand unusual RF schemes (e.g., Meru).
After you have established your own use case requirements and WIPS short-list, drill down into individual WIPS capabilities and features. Here are some questions to consider when reviewing spec sheets and consulting with prospective vendors:
- RF monitoring: Every WIPS can scan RF bands used by 802.11, but look closely at which channels can be scanned. For example, can the WIPS detect rogues hiding on channels not defined for use in your country, or non-Wi-Fi interferers? Ask each vendor how many sensors or converted APs you will need to monitor and respond to incidents at each site, and how much bandwidth will be consumed by the WIPS.
- Classification: Every WIPS tries to differentiate between friend and foe, but may need manual help or WLAN integration to do so. Furthermore, results may not be accurate enough to permit automated threat remediation. Beware of labor-intensive ACL maintenance, auto-classification blind spots, ambiguities or latencies, high false positive and negative alert rates, and inability to adapt to new or custom threats.
- Locationing: Every WIPS should be able to plot AP and client locations on a map, helping you visualize where an intruder was at the time of the event and perhaps track movement thereafter. However, accuracy varies greatly by product and number of observation points (sensors and APs). Options may well be available to improve accuracy -- at added cost. Look for time-saving integration with WLAN planning and mobile tools and the ability to incorporate device location in policies.
- Forensics: A good WIPS should do more than alert you to problems. It must deliver actionable insight to facilitate fast, efficient resolution. Like wired IPS, a WIPS can collect volumes of raw data that is useless without analysis and context. Ask vendors to demonstrate how important incidents and troubles are investigated; watch for efficiency aids such as wizards, context-sensitive help, and remote diagnostic tools.
- Remediation: Many WIPS are actually deployed in "WIDS" mode; that is, generating alerts to be investigated and resolved by humans. But a WIPS must be capable of taking policy-driven stop-loss actions, such as wireless connection blocking, wired port disablement, and perhaps triggering network or endpoint-based access controls. Beware of remediation features that your business would not be able to use because of unreliable classification or organizational boundaries. Look for techniques that enable as-needed "surgical strikes," and ask about effectiveness and side effects given your network's topology and device mix.
- Rogue investigation: Given the high degree of interest in defending against this threat, WIPS vendors have developed patented methods to trace network connectivity, improve classification, and help remote staff physically locate rogues. Beware of classification barriers like NAT, VLAN, and rogues using encryption. Ask how neighbors and guests can be prevented from triggering potential rogue alerts.
- Attack surveillance: Today, malicious intruders are more likely to prey upon unusual or unmanaged bring-your-own devices, or take advantage of alternatives like mobile hotspots and virtual APs to circumvent wired network security measures. Ask vendors to describe how they have adapted their WIPS to address these new needs.
- Policy enforcement: The ability to detect misconfigured devices can facilitate regulatory compliance, proper WLAN deployment, and help IT root out cranky consumer Wi-Fi devices. Look for WIPS features that help you spot and remedy deviations from policy; this may even include spotting risky user behavior offsite.
- QoS and spectrum optimization: Dedicated WIPS products are growing more sophisticated when it comes to service assurance. Ask about features such as VoIP or video performance measurement, integrated spectrum analysis, and other tools intended to leverage WIPS as a distributed foundation for optimizing service delivery.
- Compliance reporting: Every WIPS can generate a slew of scheduled or on-demand reports. Ask vendors to generate reports that would be of interest to your business and then assess outputs for usability and completeness. Look for canned reports that document compliance with specific industry regulations and the ability to export data to your own reporting tools.
- Security certifications: If appropriate for your business, ask vendors about certifications such as FIPS 140-2 and Common Criteria EAL2, which may be important to safeguard data exchanged by and stored by WIPS components.
- Manageability: This is an important characteristic for any product. Factors like purchase price, maintenance fees, server and sensor installation, and routine maintenance all impact total cost of ownership (TCO). For WIPS, ask about ongoing maintenance required to classify rogue devices and fine-tune policies -- these Opex costs can quickly dwarf any Capex savings.
- High availability and scalability: Enterprise-class WIPS products offer high-availability and scalability options, such as high-volume event storage, regional WIPS servers under a common manager, and role-based console access. Ask vendors how sensors behave during loss of server connectivity and how long forensic data and audit reports will remain available.
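As an added illustration (not code from the article or from any WIPS vendor), here is a minimal ACL/policy comparison of the kind the classification, rogue investigation, and policy enforcement questions above refer to, run over constructed scan observations. The policy values, BSSIDs, SSIDs and the "seen on wire" flag are assumptions; a real WIPS derives wired presence by tracing connectivity, which the guide notes can be blocked by NAT, VLANs, or encryption.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy: what every authorized AP must advertise (assumed values).
POLICY = {"auth": "802.1X", "cipher": "AES",
          "allowed_channels": {1, 6, 11, 36, 40, 44, 48}}
# Constructed ACL of authorized APs (BSSID -> SSID), as a WIPS pulls from a controller.
AUTHORIZED: Dict[str, str] = {"00:11:22:aa:bb:01": "corp", "00:11:22:aa:bb:02": "corp"}


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    auth: str      # "802.1X", "PSK" or "open"
    cipher: str    # "AES", "TKIP" or "none"
    on_wire: bool  # AP's MAC also seen on the wired LAN (unreliable behind NAT/VLAN)


def classify(obs: Observation) -> Tuple[str, List[str]]:
    """Return (class, reasons): authorized, misconfigured, rogue, suspected-evil-twin, neighbor."""
    reasons: List[str] = []
    if obs.bssid in AUTHORIZED:
        # Known AP: compare advertised settings against policy. An AP that fell
        # back to factory defaults shows up here as missing 802.1X and AES.
        if obs.auth != POLICY["auth"]:
            reasons.append(f"auth is {obs.auth}, policy requires {POLICY['auth']}")
        if obs.cipher != POLICY["cipher"]:
            reasons.append(f"cipher is {obs.cipher}, policy requires {POLICY['cipher']}")
        if obs.channel not in POLICY["allowed_channels"]:
            reasons.append(f"channel {obs.channel} not permitted by policy")
        return ("misconfigured" if reasons else "authorized", reasons)
    # Unknown AP: wired-side presence is what separates a rogue from a harmless neighbor.
    if obs.on_wire:
        return "rogue", ["unknown BSSID bridged to the wired LAN"]
    if obs.ssid in AUTHORIZED.values():
        return "suspected-evil-twin", ["unknown BSSID advertising an authorized SSID"]
    return "neighbor", ["unknown BSSID, not seen on the wire"]


def triage(observations: List[Observation]) -> Dict[str, str]:
    """Map each observed BSSID to its class for one sensor scan cycle."""
    return {o.bssid: classify(o)[0] for o in observations}


SCAN = [  # constructed observations from one site
    Observation("00:11:22:aa:bb:01", "corp", 36, "802.1X", "AES", True),
    Observation("00:11:22:aa:bb:02", "corp", 6, "PSK", "TKIP", True),       # defaults
    Observation("de:ad:be:ef:00:01", "linksys", 11, "open", "none", True),  # on wire
    Observation("de:ad:be:ef:00:02", "corp", 1, "open", "none", False),
    Observation("de:ad:be:ef:00:03", "cafe-guest", 13, "PSK", "AES", False),
]
```

Note that the last neighbor sits on channel 13, which the policy does not permit; a sensor that only scans policy channels would never see it, which is the RF monitoring question above.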
Wireless IPS products
These are just some of the many features and capabilities currently found in WIPS products. As with other network infrastructure products, multi-vendor benchmark test reports can be helpful when evaluating WIPS. However, WLAN composition and security policies and practices vary so much that in-situ pilots are often a more effective way to evaluate the relative merits and limitations of prospective products.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.