Introduction to wireless intrusion prevention systems in the enterprise
Expert contributor George V. Hulme explains how wireless intrusion prevention systems (WIPS) protect enterprise networks from attacks and prying eyes.
As hard as it is to fathom today, there once was a time when organizations (mostly) trusted that the traffic on local area networks was secure. For network security, all anyone really "needed" back then was antivirus software installed on the endpoints and firewalls guarding the network perimeter. After all, everyone could see who had their Ethernet ports plugged into the network.
Those days are long gone, and so is the idea of a network perimeter. All of that changed when any device could connect to the Internet from anywhere. Users started to come and go as they pleased with portable devices; the use of Web applications skyrocketed; and local area networks went wireless, which allowed anyone to sit nearby and plug themselves into any network broadcasting a wireless signal.
The advent of wireless detection and prevention systems
In the early days of wireless networks, security was handled primarily through encryption and wireless intrusion detection systems (WIDS). Today, wireless LANs are protected by a combination of encryption for the wireless traffic (most often built directly into wireless access points and appliances) and -- as WIDS evolved -- so-called wireless intrusion prevention systems (WIPS).
So, while both WIDS and WIPS work by monitoring the wireless LAN radio spectrum for unauthorized devices and attacks, as the names imply, WIPS also attempts to block attacks inline just as traditional host- and network-based intrusion prevention systems would. Some organizations don't trust the automated blocking capabilities of WIPS, so they choose to leave their WIPS devices in an intrusion detection, or WIDS, monitoring and alerting mode.
WIPSes typically work with three components: sensors that monitor the network, a management system or console used to deploy and manage the system, and a centralized server.
Sometimes the WIPS provider hosts the server; other times it's on-site. The sensors always reside on the local network.
WIPS deployment types
There are three approaches to WIPS deployment.
The first, primarily found at the lower end of the market, is known as time slicing. Here, the access point alternates between providing network connectivity and attempting to detect intrusions. The advantage to this approach to WIPS is that it's cheaper.
Another method is when WIPS functionality (the sensor that scans radio frequencies looking for attack patterns) is built into the access point and provides dedicated WIPS scanning.
Lastly, there's the WIPS overlay architecture. Here, single-purpose sensors are deployed throughout the office. Vendors of dedicated WIPS sensors contend that they provide best-of-breed capabilities that integrated WIPS access points do not match.
WIPS purchase options
With the pervasiveness of wireless networks, this type of defense is used by organizations of all sizes, from small networks with a handful of endpoints and home offices, all the way up to large corporations. Big companies use this equipment to protect their main campuses, as well as far-flung remote offices.
WIPS can be purchased separately from the wireless network infrastructure equipment. Increasingly, however, it's sold as a subscription service up-sell on a wireless network appliance or unified threat management appliance. That means the additional WIPS functionality is paid for separately from the cost of other services on the network device.
The cost of these add-ons can add up to a shocking expense if many offices in the organization require a WIPS. So it's imperative to consider what features and services will be needed upfront when looking to buy any wireless networking gear.
Some vendor pricing models nickel and dime customers for every extra feature, while others bundle a lot of them, including WIPS technology, in the price. So it's important to consider this when making your purchase. The cost of deploying a WIPS can range from free to hundreds of dollars per location, depending on vendor pricing models.
Wireless network security threats
Many types of attacks can be levied against wireless LANs that enterprises need to be concerned about. These range from attacks on the wireless access points themselves, to the creation of an in-office network denial-of-service attack, to hackers and other untrusted intruders eavesdropping on -- or "sniffing" up -- the traffic flowing on the network.
Anyone who doubts that wireless LAN security is a big deal need only look at the data breach historical record; it shows that many breaches have begun with an intrusion on a wireless network and rapidly escalated from there. For instance, one of the most notable breaches of all time was the 2007 TJX Companies Inc. breach, which was widely reported to have started with an unsecured wireless network at one of its stores.
Malicious attacks aren't the only concerns that WIPSes address. There are also so-called accidental association issues, especially in populated office areas. This is where users, instead of connecting to the intended corporate network, accidentally end up connecting to a nearby network. This is a legitimate security problem. With such accidental associations, the corporate data that users have on their systems are at risk on that unknown -- and untrusted -- network.
In addition, those who are maliciously inclined have plenty of ways to try to attack wireless users directly. They can set up rogue access points, which look legitimate and trick users into connecting to them. There is media access control spoofing, which is an attack that occurs when an attacker manages to grab the MAC address of a computer that is permitted access to the network and uses that address to gain entry. There are many other types of attacks, but the point is this: Wireless networks, when not properly buttoned down, can pose a significant risk to organizations of any size.
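The three conditions just described (accidental association, rogue access points and MAC spoofing) can be expressed as simple checks over what WIPS sensors report. The following is an added example, not code from the article or from any WIPS product; the inventory values, the `Observation` record, the `classify` function and the sample feed are all constructed assumptions, and the spoofing check is a deliberately simplified heuristic.

```python
from dataclasses import dataclass

# Assumed inventory for the example (constructed values, not from the article).
CORP_SSID = "corp-wlan"
AUTHORIZED_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
MANAGED_CLIENTS = {"de:ad:be:ef:00:10", "de:ad:be:ef:00:11"}

@dataclass(frozen=True)
class Observation:
    ts: int       # seconds since capture start
    sensor: str   # sensor that heard the frame
    client: str   # client MAC, "" for a beacon
    bssid: str    # AP radio MAC
    ssid: str     # advertised network name

def classify(observations, spoof_window=5):
    """Return sorted (alert_type, subject_mac) tuples for a batch of observations."""
    alerts, last_seen = set(), {}
    for o in sorted(observations, key=lambda x: x.ts):
        # Rogue AP: the corporate SSID advertised by a radio outside the inventory.
        if o.ssid == CORP_SSID and o.bssid not in AUTHORIZED_BSSIDS:
            alerts.add(("rogue_ap", o.bssid))
        if not o.client:
            continue
        # Accidental association: a managed client joined a non-corporate network.
        if o.client in MANAGED_CLIENTS and o.ssid != CORP_SSID:
            alerts.add(("accidental_association", o.client))
        # Possible MAC spoofing (simplified heuristic): one client MAC heard by
        # two different sensors on two different APs inside spoof_window seconds.
        prev = last_seen.get(o.client)
        if (prev is not None and o.ts - prev.ts <= spoof_window
                and prev.sensor != o.sensor and prev.bssid != o.bssid):
            alerts.add(("possible_mac_spoof", o.client))
        last_seen[o.client] = o
    return sorted(alerts)

# Constructed sensor feed covering each case plus benign traffic.
SAMPLE = [
    Observation(0, "s1", "", "aa:bb:cc:00:00:01", CORP_SSID),                   # legitimate beacon
    Observation(1, "s1", "de:ad:be:ef:00:10", "aa:bb:cc:00:00:01", CORP_SSID),  # normal client
    Observation(2, "s2", "", "66:77:88:00:00:99", CORP_SSID),                   # look-alike AP
    Observation(3, "s2", "de:ad:be:ef:00:11", "12:34:56:00:00:aa", "cafe-guest"),
    Observation(4, "s3", "de:ad:be:ef:00:10", "aa:bb:cc:00:00:02", CORP_SSID),  # same MAC elsewhere
    Observation(90, "s1", "de:ad:be:ef:00:11", "aa:bb:cc:00:00:01", CORP_SSID),
]

if __name__ == "__main__":
    for kind, mac in classify(SAMPLE):
        print(f"{kind:24} {mac}")
```

The spoofing check can also fire on fast legitimate roaming between adjacent access points, so its output is best treated as an alert to investigate.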
It's accurate to say that wireless network access is limited by how far the network signal travels, which isn't very far geographically. But it is far enough for eavesdroppers within the building, or walking down a hallway, or working in the office next door, or even sitting out in the street or parking lot to exploit it.
Most of the time, all these "attackers" want to do is gain free access to the Internet, check their email or perform other non-malicious activities. But even such freeloaders are a security risk. Why? Because their systems may be infected with malware and can then infect the network. Worse, they may intend to use the free Internet access to conduct illegal activity that can't be tracked back to them, but certainly can be tracked back to and associated with the network owner. All of these risks and the associated threats fuel the demand to secure wireless networks.
WIPS can be valuable for a variety of reasons, including monitoring WLAN performance.