What is WIPS? – A wireless intrusion prevention system (WIPS) operates at the Layer 2 (data link layer) level of the Open Systems Interconnection model. A WIPS compares the MAC addresses of all wireless access points on a network against the known signatures of pre-authorized, known wireless access points and alerts an administrator when a discrepancy is found. To circumvent MAC address spoofing, some higher-end WIPS are able to analyze the unique radio frequency signatures that wireless devices generate and block unknown radio fingerprints.
The primary purpose of a WIPS is to prevent unauthorized network access to local area networks and other information assets by wireless devices. These systems are typically implemented as an overlay to an existing Wireless LAN infrastructure, although they may be deployed standalone to enforce no-wireless policies within an organization. Some advanced wireless infrastructure has integrated WIPS capabilities.
Large organizations with many employees are particularly vulnerable to security breaches caused by rogue access points. If an employee (trusted entity) in a location brings in an easily available wireless router, the entire network can be exposed to anyone within range of the signals.
The Challenges of Securing a Wireless Network
The growth of wireless networking and the sheer number of new mobile computing devices have blurred the traditional boundaries between trusted and untrusted networks and shifted security priorities from the network perimeter to information protection and user security. IT security concerns include rogue wireless access points creating backdoors, distributed denial-of-service (DDoS) attacks, over-the-air network reconnaissance, eavesdropping, traffic cracking, and the need to demonstrate industry compliance.
How to Implement Wireless Intrusion Detection Systems
Wireless intrusion detection systems will monitor a WLAN using a mixture of hardware and software called intrusion detection sensors. The sensor will sit on the 802.11 network and will examine all network traffic. The first challenge to be faced when installing IDS is to decide on the best place to locate the sensors.
WIPS configurations consist of three components:
- Sensors — these devices contain antennas and radios that scan the wireless spectrum for packets and are installed throughout areas to be protected.
- Management server – receives information captured by the sensors and take appropriate defense actions based on this information.
- Database Server — the WIPS server centrally analyzes packets captured by sensors.
- Console — the console provides the primary user interface into the system for administration and reporting.
A simple intrusion detection system can be a single computer, connected to a wireless signal processing device, and antennas placed throughout the facility. For huge organizations, a Multi Network Controller provides central control of multiple WIPS servers, while for SOHO or SMB customers, all the functionality of WIPS is available in single box.
In a WIPS implementation, users first define the operating wireless policies in the WIPS. The WIPS sensors then analyze the traffic in the air and send this information to WIPS server. The WIPS server correlates the information, validates it against the defined policies, and classifies if it is a threat. The administrator of the WIPS is then notified of the threat, or, if a policy has been set accordingly, the WIPS takes automatic protection measures.
WIPS is configured as either a Network Implementation or a Hosted Implementation.
In a network WIPS implementation, server, sensors and the console are all placed inside a private network and are not accessible from the Internet.
Sensors communicate with the server over a private network using a private port. Since the server resides on the private network, users can access the console only from within the private network.
A network implementation is suitable for organizations where all locations are within the private network.
In a hosted WIPS implementation, sensors are installed inside a private network. However, the server is hosted in secure data center and is accessible on the Internet. Users can access the WIPS console from anywhere on the Internet. A hosted WIPS implementation is as secure as a network implementation because the data flow is encrypted between sensors and server, as well as between server and console. A hosted WIPS implementation requires very little configuration because the sensors are programmed to automatically look for the server on the Internet over a secure TLS connection.
For a large organization with locations that are not a part of a private network, a hosted WIPS implementation simplifies deployment significantly because sensors connect to the Server over the Internet without requiring any special configuration. Additionally, the Console can be accessed securely from anywhere on the Internet.
Hosted WIPS implementations are available in an on-demand, subscription-based software as a service model. Hosted implementations may be appropriate for organizations looking to fulfill the minimum scanning requirements of PCI DSS(Payment Card Industry Data Security Standard).
The facets of a WIPS
A robust WIPS solution must cover three key areas: detection, classification and prevention:
Detection covers the ability to discover all Wi-Fi devices, both infrastructure (APs) and clients, such as smart phones, tablets and laptops.
Classification is the ability to quickly and accurately classify each AP and client device as being authorized (on the monitored network and not malicious), external (not on the monitored network such as a neighbouring café or retail Wi-Fi hotspot network), or potentially harmful (on the monitored network and malicious).
Prevention is the ability to immediately quarantine any rogue client device or access point to prevent malicious activity before it occurs.
The challenge of dense environments
For example, in a crowded inner-city environment, there can be dozens of businesses all broadcasting Wi-Fi within the same location. It is important that each business is able to manage the security of its Wi-Fi network without interfering with the service of their neighbours. Interfering with a neighbour’s Wi-Fi network is not only inconvenient for that business owner, it is also illegal.
For this reason, it is critical for a WIPS solution to be able to not only find all client devices and access points in a business’s airspace, but to also know the difference between truly rogue devices or APs and neighbouring (or external) devices or APs. Without the confidence in the classification aspect of WIPS, it is impossible to activate the prevention aspect of the tool.