
Seven criteria for purchasing a wireless intrusion prevention system

Expert George V. Hulme details the important criteria to weigh when evaluating wireless intrusion prevention systems for enterprise security.

When organizations get serious about protecting their wireless networks, selecting the right wireless intrusion prevention system (WIPS) isn't a decision that comes out of thin air. There is a lot to consider when buying a WIPS, such as whether the WIPS functionality built into the organization's access points (APs) provides enough wireless security, or if -- as is often the case -- those abilities just aren't comprehensive enough. Taking the time to select the right dedicated WIPS for the job pays off significantly in risk reduction and improved manageability.

When starting to investigate a WIPS purchase, it is important to become familiar with the evaluation criteria for comparing and contrasting WIPS products; everything from cost to how the devices will be managed needs to be considered carefully. The more an organization knows about what it is looking for in a WIPS, the more likely it will be to pick a wireless security system that meets its particular needs and wireless environment.

WIPS criterion #1: Device management

It's hard, if not impossible, to secure what an organization can't manage. So it is very important to look carefully at how well the WIPS software enables the management of sensors, maps the wireless network and AP locations, and makes it easy to push out updates, modify policies, and limit access to (or even segment off) the portions of a network that are under attack. Good management software should also make it easy to set granular policies.

Not only does adequate device management make it straightforward to set, change and monitor policies, it also strengthens security by allowing policies to be adjusted swiftly when the situation demands it, and it helps keep ongoing operational costs low. Unfortunately, this is an area many businesses overlook, and they end up lacking the ability to centrally manage their access points.

Don't become one of those organizations. Centralized management ensures security and infrastructure teams know where authorized APs exist, and can quickly spot when systems are under attack, or when rogue APs arise.

WIPS criterion #2: Attack discovery

Any time an enterprise establishes barriers or builds walls, someone is going to try -- and will all too often succeed in -- circumventing them. This ranges from the relatively benign, such as a user installing a rogue AP for unfettered Internet access in the office, to malicious denial-of-service (DoS) attacks aimed at network availability. It's also important that organizations know which classes of attacks any prospective WIPS product claims to defend against.

These include, for example, the ability to spot and block attack types such as spoofing, rogue connections and the aforementioned DoS attacks, as well as the detection of encryption cracking tools and so on.

WIPS criterion #3: Policy compliance

In addition to security risks, it's also important that the regulatory compliance risks associated with APs and wireless networks be managed by the WIPS. Typically, these controls are an extension of security efforts, but the more granularly the WIPS can report on the settings and configurations of the enterprise APs -- as well as the access control policies in place -- the better. An example would be reporting on which administrators have access to which APs, and which users have access to the wireless network.

WIPS criterion #4: Forensics data

Like all security devices, WIPS amass a trove of data that will need to be analyzed. This data includes, but isn't limited to, access logs, times of access and who accessed the wireless network.

Carefully evaluate how the WIPS management software helps extract insight from all this data. How are reports displayed, and are they customizable? What analysis tools are made available, and can the data be exported to the organization's existing log management or SIEM tooling?

WIPS criterion #5: Attack defense

Just as is the case with traditional prevention and detection systems, there are many instances when a WIPS is run in "monitor" mode (as an attack detection and alerting device, rather than blocking attacks in-line). How accurately devices identify attacks and issue alerts needs to be investigated when evaluating WIPS products. Look for few false positives (alerts for attacks that are not actually occurring) and few false negatives (attacks missed altogether).


However, since we are discussing the procuring of WIPS devices, if a WIPS can actually proactively block attacks without disrupting legitimate traffic, all the better. This makes the ability to tune the prevention aspect of WIPS essential.

For example, if a worm starts scanning an organization's network, a wireless intrusion prevention system could disconnect the infected endpoints. Or, if a subnet is infected, a WIPS could segment it from the core network until malware infections or compromised systems can be cleaned. Because these same blocking actions can cut off legitimate users if triggered by a false positive, be sure to test these capabilities on non-production networks for all WIPSes being considered.

WIPS criterion #6: Performance

On large and -- especially -- mission-critical networks, scalability and high availability matter. Make sure the WIPS high-availability capabilities meet the needs of the enterprise. For example, as the business grows, the organization will want to grow its WIPS defenses easily; and, in the event of a device failure, it will want to fail over smoothly to a redundant WIPS device so its wireless systems are always protected. Relatedly, be sure to ask WIPS vendors how failovers and loss of network access are handled, and whether the sensors keep enforcing policy while the management server is unreachable.

WIPS criterion #7: Price

Commonly, dedicated WIPS products are purchased as a server or appliance. In addition, WIPS deployments include wireless network sensors, installation services and maintenance.

Costs for these can vary wildly, with the server/WIPS appliances running $5,000 or more, and the price of sensors changing all the time. So be sure to call all WIPS vendors under consideration to get their current pricing levels. And, of course, the more servers and sensors purchased, the more likely it will be that volume discounts will apply.

If it's determined that the intrusion detection system/intrusion prevention system capabilities built into the AP will do, expect to pay an annual subscription to turn on the WIPS functionality in each AP.

To calculate the cost of WIPS deployment, estimate the number of servers and sensors the organization will need (it varies, but the rule of thumb is often cited as a ratio of four or five APs to every WIPS sensor), the cost of the installation and the cost of maintenance.

Tips for researching WIPS

The very first step in researching WIPS is to determine which features and capabilities are most important to the organization: security, cost, manageability, preferred vendor(s) and so on. Then rate each WIPS product under consideration against each criterion outlined in this article.

To begin WIPS research, visit the leading vendors' websites, read analyst reports and -- most important -- reach out to peers to see what products they are deploying. Ask peers about WIPS costs, their ease of use, ability to get data from the logs, support and performance, as well as the other criteria that are important to the organization. Keep careful notes.

Another great resource is community forums, where an organization can reach out to others who have recently faced the same WIPS purchase decision. Ask for suggestions on how to best negotiate with specific vendors, how reliable their products are and how responsive support tends to be, for example.

Testing a proposed WIPS product

Experts suggest evaluating a wireless intrusion prevention system on an organization's shortlist on a test network, or a small subnet. Run the WIPS in monitor rather than block mode and study how it performs in the organization's environment.

Don't be afraid to ask vendors for pilot equipment. This will provide firsthand experience on how the WIPS is deployed, managed and run. If on a test network the organization controls, go ahead and try to run a number of the types of attacks it is concerned about against the system to see how the WIPS performs.

If test equipment isn't available for some reason, interview customers who are using the WIPS. If possible, try to find these customers without input from the WIPS vendor (the reference customers a vendor supplies are likely to be its happiest ones). Either way, whether the customers are found independently or through the assistance of the WIPS vendor, customer input is still a valuable resource when answering questions about the product and its support.

Research is a must when choosing a WIPS

The decision on what wireless intrusion prevention system to purchase will not come right away, or overnight. But if an organization does its research and follows the criteria laid out in this feature, then it will be able to narrow down the list of choices to only those WIPSes that best meet its established needs.

Next Steps

Learn how to monitor WLAN performance with WIPS

Read about the two different approaches to WIPS (overlay vs. embedded sensors) and how to choose between them

This was last published in June 2015
