Like their wired counterparts, wireless intrusion detection systems (WIDS) are designed to monitor network traffic 24x7. Although product architectures vary, WIDS typically depend upon remote sensors distributed throughout the monitored network. Sensors passively observe wireless activity and report back to a central IDS server. That server is responsible for analyzing the reported activity, generating intrusion alarms and maintaining a history database. Results may be presented on the server itself, or remotely through some type of IDS client.
Today, there are many WIDS products and services, capable of detecting not only rogue devices, but dozens of common WLAN attack signatures, deviations from baselined behavior, and security policy violations. Some WIDS examples include AirDefense Enterprise, AirMagnet Enterprise, AirTight SpectraGuard, Bluesocket BlueSecure, Highwall Enterprise, Network Chemistry RFprotect, Newbury Networks WiFi Watchdog, Red-M Red-Detect, and VigilantMinds AirXone.
Early WIDS products focused exclusively on detection, generating alerts that warn about potential security and performance problems. Considerable tuning of thresholds and policies can be required to eliminate false positives -- intrusion alerts that reflect normal, innocuous behavior. But over-aggressive tuning can lead to false negatives, creating a false sense of security. Establishing the proper balance is essential -- a lesson that network administrators learned long ago with wired network intrusion detection.
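The threshold trade-off described above can be seen in a few lines of code. The following is an added illustration, not code from the article or from any WIDS product: it builds a baseline from constructed per-minute frame counts, sets the alert threshold at the baseline mean plus k standard deviations (an assumed rule), and counts false positives and false negatives against hand-labelled samples for several values of k.

```python
import statistics

# Constructed per-minute frame counts for one station during a quiet period.
# These are made-up numbers, not data from the article.
BASELINE_COUNTS = [20, 22, 19, 21, 20, 23, 18, 20, 21, 22]

# Constructed evaluation set: (count, is_attack) pairs, labelled by hand.
LABELLED_SAMPLES = [
    (19, False), (21, False), (24, False), (20, False),
    (22, False), (23, False), (18, False), (21, False),
    (60, True), (75, True),
]


def baseline_threshold(counts, k):
    """Alert threshold = baseline mean + k standard deviations (assumed rule)."""
    mean = statistics.fmean(counts)
    sd = statistics.pstdev(counts)
    return mean + k * sd


def classify(count, threshold):
    """True means 'raise an alert' for this sample."""
    return count > threshold


def evaluate(samples, threshold):
    """Return (false_positives, false_negatives) for a given threshold."""
    fp = sum(1 for c, attack in samples if classify(c, threshold) and not attack)
    fn = sum(1 for c, attack in samples if not classify(c, threshold) and attack)
    return fp, fn


def sweep(samples, baseline, ks):
    """Map each k to its (fp, fn) pair so the trade-off can be compared."""
    return {k: evaluate(samples, baseline_threshold(baseline, k)) for k in ks}


if __name__ == "__main__":
    for k, (fp, fn) in sweep(LABELLED_SAMPLES, BASELINE_COUNTS, (1, 3, 30)).items():
        thr = baseline_threshold(BASELINE_COUNTS, k)
        print(f"k={k:>2}  threshold={thr:6.2f}  false positives={fp}  false negatives={fn}")
```

With these constructed numbers a loose setting (k=1) alerts on ordinary noise, an extreme setting (k=30) misses one of the two real anomalies, and a middle value catches both with no spurious alerts; on real traffic the right k is found the same way, by replaying labelled history against candidate thresholds.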
A well-tuned WIDS can provide a strong foundation for defense, but alerts alone do not stop attacks or remedy underlying vulnerabilities. When someone breaks into your home, a siren is invaluable -- but not enough to safeguard you or your belongings. Similarly, WLAN owners need to look beyond intrusion detection alerts and WIDS vendors are moving quickly to fill that need.
An ounce of (wireless) prevention
Temporary wireless blocking can discourage an attacker, just as an alarm siren can scare away a burglar. Persistent blocking can give you time to find and eliminate a rogue, without continuing to jeopardize your network during investigation.
For example, a rogue station spotted using wireless reconnaissance and attack tools may be seeking a way into your network via wireless. Some WIDS can aim 802.11 deauthenticate frames at that station's MAC address, preventing association with nearby APs. Alternatively, some WIDS can jam the channel occupied by a rogue AP to prevent it from being used as a backdoor into your network.
Selective deauthentication is less disruptive to bystanders than jamming, but a motivated attacker can change his own MAC address to elude MAC-based countermeasures. When using either method, one must consider the consequences -- is that really a malicious AP, or your new neighbor's AP? You may want to start with manually-initiated termination, implementing policy-based termination only after you've learned the ropes.
A pound of cure
A few WIDS products are now capable of inspecting IP payload to analyze traffic streams and behavior over time to determine whether a station or AP is communicating with an upstream network. As in the wired world, payload encryption can make this task more difficult. Ideally, this "true rogue" determination should be made as fast as possible to limit your network's exposure.
Some WIDS products have added wired-side countermeasures, through direct interaction with wired network switches, or by interfacing with wired-side network management systems. For example, AirMagnet Enterprise can use SNMP and CDP to query nearby Ethernet switch CAM tables, then disable the port used by a detected rogue. AirDefense Enterprise can interface with Cisco WLSE to initiate "port suppression," based on a detected rogue's MAC address.
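The two steps just described -- deciding whether a suspect AP is a "true rogue" bridged to your network, and then finding the switch port it hangs off -- can be sketched as follows. This is an added example, not code from the article or from AirMagnet, AirDefense or any other product; the corporate address ranges, the flow summaries "seen over the air" and the CAM-table snapshot are all constructed, and the code only reports the port rather than disabling anything.

```python
import ipaddress

# Address ranges the organization treats as internal (assumed example ranges).
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# Constructed flow summaries decoded from unencrypted frames relayed by a
# suspect AP, keyed by BSSID: (client_ip, peer_ip, bytes_from_peer).
# Not real captures.
AIR_FLOWS = {
    "00:de:ad:be:ef:01": [("192.168.77.5", "10.1.4.20", 12000),
                          ("192.168.77.5", "8.8.8.8", 400)],
    "00:de:ad:be:ef:02": [("192.168.1.10", "93.184.216.34", 9000)],
}

# Constructed CAM-table snapshot, as a WIDS might gather from a switch via
# SNMP: mac -> (switch name, port). Assumes the AP's wired MAC equals its BSSID.
CAM_TABLE = {
    "00:de:ad:be:ef:01": ("sw-floor3-a", "Gi1/0/17"),
    "00:aa:bb:cc:dd:ee": ("sw-floor3-a", "Gi1/0/2"),
}


def is_true_rogue(bssid, flows, corporate_nets):
    """An AP is a 'true rogue' if a client behind it reaches an internal host
    and that host answers (bytes_from_peer > 0), i.e. the AP is bridged in."""
    for _client, peer, bytes_from_peer in flows.get(bssid, []):
        peer_addr = ipaddress.ip_address(peer)
        if bytes_from_peer > 0 and any(peer_addr in net for net in corporate_nets):
            return True
    return False


def locate_uplink_port(mac, cam_table):
    """Return (switch, port) where the MAC was learned, or None if unknown."""
    return cam_table.get(mac)


def assess(bssid, flows=AIR_FLOWS, cam_table=CAM_TABLE, nets=CORPORATE_NETS):
    """Combine the two checks into one verdict record for the operator."""
    verdict = {"bssid": bssid, "true_rogue": is_true_rogue(bssid, flows, nets), "port": None}
    if verdict["true_rogue"]:
        verdict["port"] = locate_uplink_port(bssid, cam_table)
    return verdict


if __name__ == "__main__":
    for b in AIR_FLOWS:
        print(assess(b))
```

Two caveats a practitioner would add: encrypted payload defeats the flow check (as the article notes), and many APs derive their BSSIDs from the wired MAC with an offset, so the CAM lookup usually needs the vendor's BSSID-to-base-MAC mapping rather than the literal BSSID used here.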
Wired-side countermeasures like these are attractive because they can be focused and persistent. Watch for continued innovation here, as a complement to (not replacement for) wireless blocking. Interoperability with your organization's wired network hardware and management software may be a limiting factor.
Hide and seek
Several WIDS products now incorporate location detection to some degree. One method is to manually search around the sensor receiving the strongest signal from the transmitter. Another method is triangulation -- comparing the signal received by three or more sensors to better pinpoint a transmitter's probable location. A third method is RF fingerprinting -- modeling RF characteristics within a coverage area for comparison to received signal strength to predict the transmitter's location.
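The first two location methods above can be shown with a small calculation. The following is an added example, not code from the article or from any WIDS vendor: it assumes a log-distance path-loss model (reference RSSI at one metre and a path-loss exponent, both made-up values) to turn each sensor's RSSI into a distance, picks the strongest-signal sensor as the place to start a manual search, and then solves the three-or-more-circle intersection by linear least squares to estimate the transmitter's position.

```python
import math

# Log-distance path-loss model parameters (assumed, not from the article):
# P0 = RSSI in dBm at reference distance D0 metres; N = path-loss exponent.
P0_DBM = -40.0
D0_M = 1.0
PATH_LOSS_N = 2.5


def distance_to_rssi(d):
    """Predicted RSSI (dBm) at distance d metres under the model."""
    return P0_DBM - 10 * PATH_LOSS_N * math.log10(d / D0_M)


def rssi_to_distance(rssi):
    """Inverse of the model: estimated distance in metres for an RSSI."""
    return D0_M * 10 ** ((P0_DBM - rssi) / (10 * PATH_LOSS_N))


def strongest_sensor(readings):
    """Method 1: the sensor hearing the strongest signal is where to start searching.
    readings: list of (x, y, rssi) per sensor."""
    return max(readings, key=lambda r: r[2])


def trilaterate(readings):
    """Method 2: least-squares (x, y) from three or more (x, y, rssi) readings.
    Each sensor gives a circle; subtracting the first circle's equation from the
    others yields linear equations 2(xi-x0)x + 2(yi-y0)y = c_i."""
    if len(readings) < 3:
        raise ValueError("need at least three sensors")
    x0, y0, r0 = readings[0]
    d0 = rssi_to_distance(r0)
    rows = []
    for xi, yi, ri in readings[1:]:
        di = rssi_to_distance(ri)
        a = 2 * (xi - x0)
        b = 2 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    # Normal equations for the 2x2 least-squares system A^T A p = A^T c
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; cannot solve for a 2-D position")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def simulate_readings(sensors, tx):
    """Constructed RSSI readings for sensors at known (x, y) hearing a transmitter at tx."""
    return [(sx, sy, distance_to_rssi(math.hypot(sx - tx[0], sy - tx[1]))) for sx, sy in sensors]


if __name__ == "__main__":
    sensors = [(0, 0), (20, 0), (0, 20), (20, 20)]  # metres, constructed layout
    readings = simulate_readings(sensors, (6, 9))
    print("search near sensor at", strongest_sensor(readings)[:2])
    print("estimated position", trilaterate(readings))
```

With noise-free readings the estimate is exact; in practice RSSI varies by several dB from multipath and body blocking, which is why products add the third method, RF fingerprinting against a measured site model, instead of trusting a pure path-loss formula.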
WIDS products also vary in how they present location information and what they do with that knowledge. For example, Newbury's Wi-Fi Watchdog uses device location as a criterion for WLAN access control -- stations outside authorized regions are not permitted to pass 802.1X authentication.
What you don't know CAN hurt you
Many WIDS products gather data from an overlay network of purpose-built sensors – passive listening devices. But proper sensor positioning is critical, so look for tools and tips to ensure adequate coverage. For example, AirTight SpectraGuard works in tandem with SpectraPlan to help plan for sensor placement.
Some vendors argue that APs, already installed throughout your WLAN, should double as sensors. For example, the Airespace Wireless Protection System leverages Airespace APs to monitor traffic to gather both security and performance information. Ask your AP vendor about their plans (if any) to provide WIDS capabilities or integrate with your WIDS server.
Compare any new WIDS release to the previous and you'll find a longer alert list. These products will forever be playing catch-up, adding detection signatures for new attack tools and methods. A strong signature database is important, but more is not always better. Look carefully at each product's expert analysis and event correlation. A system that can accurately roll a dozen symptoms into a single root cause intrusion alert will help you stop intrusions faster.
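The root-cause correlation described above is what separates a dozen noisy symptom alerts from one actionable one. The following is an added example, not code from the article or from any product: it buckets constructed raw sensor events by source MAC and time window, suppresses sources that show only a single symptom (an assumed policy, chosen to cut false positives), and maps the remaining symptom sets to a root cause through a small rule table whose symptom and cause names are made up for the illustration.

```python
from collections import defaultdict

WINDOW_S = 60  # correlation window in seconds (assumed)

# Root-cause rules: a cause fires when all of its required symptoms were seen
# from one source within the window. Names are constructed for this example.
ROOT_CAUSE_RULES = [
    ("suspected rogue AP", {"unknown_bssid_beacon", "corporate_ssid_spoof"}),
    ("suspected reconnaissance station", {"probe_burst", "null_ssid_probe", "many_ssids_probed"}),
]

# Constructed raw WIDS events: (timestamp_s, sensor, source_mac, symptom).
A, B, C = "00:11:22:33:44:55", "00:de:ad:be:ef:01", "00:aa:bb:cc:dd:ee"
RAW_EVENTS = [
    (120, "s1", A, "probe_burst"), (123, "s2", A, "probe_burst"),
    (125, "s1", A, "many_ssids_probed"), (130, "s3", A, "null_ssid_probe"),
    (131, "s1", A, "probe_burst"), (140, "s2", A, "many_ssids_probed"),
    (142, "s1", A, "null_ssid_probe"), (150, "s3", A, "probe_burst"),
    (155, "s1", A, "many_ssids_probed"), (160, "s2", A, "probe_burst"),
    (165, "s1", A, "many_ssids_probed"), (170, "s3", A, "null_ssid_probe"),
    (125, "s1", B, "unknown_bssid_beacon"), (135, "s1", B, "corporate_ssid_spoof"),
    (145, "s2", B, "unknown_bssid_beacon"), (155, "s1", B, "unknown_bssid_beacon"),
    (165, "s2", B, "corporate_ssid_spoof"),
    (128, "s1", C, "probe_burst"),  # lone symptom: a likely false positive on its own
]


def correlate(events, window_s=WINDOW_S, min_symptoms=2):
    """Collapse raw events into one alert per (source, window) with a root cause."""
    buckets = defaultdict(list)
    for ts, sensor, mac, symptom in events:
        buckets[(mac, ts // window_s)].append((ts, sensor, symptom))

    alerts = []
    for (mac, bucket), items in sorted(buckets.items()):
        symptoms = {s for _, _, s in items}
        if len(symptoms) < min_symptoms:
            continue  # single-symptom sources are held back, not alerted
        cause = next((name for name, required in ROOT_CAUSE_RULES if required <= symptoms),
                     "unclassified anomaly")
        alerts.append({
            "source": mac,
            "window_start": bucket * window_s,
            "root_cause": cause,
            "symptoms": sorted(symptoms),
            "sensors": sorted({s for _, s, _ in items}),
            "raw_events": len(items),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(alert)
```

Seventeen raw events become two alerts, each naming the source, the sensors that heard it and the evidence behind the verdict; the single stray probe burst is held back rather than paged out. Real engines add cross-window state and per-rule confidence, but the shape of the problem is the same.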