Many security professionals understand the concepts behind intrusion detection and prevention systems (IDS/IPS) for the LAN and WAN, but not their wireless counterparts (WIDS/WIPS). If you provide both wired and wireless access, you need to secure every access avenue equally, or you are not properly securing access to your network. Many security professionals see IDS/IPS as a key technology for their network, so it is important to understand the fundamentals behind wireless IDS/IPS, also known as WIDS/WIPS.
According to Wikipedia, “Intrusion Prevention Systems (IPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of IPS are to identify malicious activity, log information, attempt to block/stop activity, and report activity.” Wireless detection/prevention (WIDS/WIPS) is similar, but focuses on reacting to rogue wireless devices rather than to security events. A WIDS is a set of wireless access points that detect and alert when an unknown wireless device is seen. A WIPS does the same and can additionally prevent use of the device, for example by flooding the rogue access point with 802.11 de-authentication frames. Best practice is to manually review discovered rogue devices rather than automatically killing them: you may knock down the Starbucks network next door or an emergency wireless setup for FEMA.
By default, wireless is a whitelist technology, meaning rogue access points are not automatically added to the network. Regardless, it is important to detect rogue devices or they may end up on the network and expose you to attack. For most vendors, WIDS/WIPS functions can be deployed in two ways. The first is to have access points both serve users and scan for rogue devices (service-and-sensor mode). Such an access point sits on one RF channel and switches between serving users and scanning for rogue devices every few milliseconds. The pro is that you get both services; the con is that you only scan the RF channel assigned to that access point. Some customers run multiple such access points on different channels, which can cover the majority of channels, but that does not mean every channel is covered. The second method is to set up a WIPS access point in sensor-only mode (a dedicated WIDS/WIPS access point), which scans all RF channels for rogue devices. Best practice is to have one dedicated sensor for every 5 serving access points.
The final WIDS/WIPS concept to understand is wireless channels. The common commercial band is BGN (802.11b/g/n, the 2.4 GHz range), used by devices such as the routers sold at Best Buy. Best practice to avoid signal bleed is to separate BGN access points by 5 channels, which is why the standard BGN channels used are 1, 6 and 11. Newer wireless technology uses AN (802.11a/n, the 5 GHz range) channels, which offer 20+ options. If you use a laptop or an older access point that only scans BGN for WIDS/WIPS, you are scanning only that channel range, so AN or other-range access points bypass your security completely. Another point to note is that these channels are unlicensed by the FCC, meaning there really is no way to enforce against misuse of channels. This means that if you kill the Starbucks wireless network, all they can do is kill yours. So it is expected that we all get along, which means being ethical about using WIDS/WIPS to kill a rogue signal.
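The two preceding paragraphs make three points that are easy to check in code: rogue detection is a whitelist comparison, a service-mode access point only sees the single channel it is parked on, and a sensor that only scans the 2.4 GHz range never sees a 5 GHz rogue. The following added example (written for this post, not the author's or any vendor's WIDS code) models a scan as a list of observations, filters it to what the deployed sensors can actually see, sorts the rest into a manual-review queue (no containment is attempted, per the post's advice), reports unmonitored channels, flags authorized 2.4 GHz radios that are off the 1/6/11 plan, and checks the one-dedicated-sensor-per-5-APs rule of thumb. All BSSIDs, SSIDs, sensor names and signal levels are constructed sample data.

```python
"""Rogue-AP review queue plus sensor coverage check (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# 802.11b/g/n channels 1-11 (2.4 GHz) and the non-overlapping set the post
# recommends: five channels apart, i.e. 1, 6 and 11.
BAND_2_4: FrozenSet[int] = frozenset(range(1, 12))
NON_OVERLAPPING_2_4: FrozenSet[int] = frozenset({1, 6, 11})
# A representative set of 802.11a/n channels (5 GHz); the post notes there are 20+.
BAND_5: FrozenSet[int] = frozenset([36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112,
                                    116, 120, 124, 128, 132, 136, 140, 144,
                                    149, 153, 157, 161, 165])


@dataclass(frozen=True)
class Observation:
    bssid: str      # radio MAC as seen over the air (constructed values below)
    ssid: str
    channel: int
    rssi_dbm: int   # closer to 0 means a stronger signal at the sensor


@dataclass(frozen=True)
class Sensor:
    name: str
    mode: str                   # "service" (one channel) or "dedicated" (scans all)
    channels: FrozenSet[int]    # channels this radio actually listens on


def monitored_channels(sensors: Iterable[Sensor]) -> FrozenSet[int]:
    """Union of every channel at least one sensor listens on."""
    covered: Set[int] = set()
    for sensor in sensors:
        covered |= sensor.channels
    return frozenset(covered)


def visible(observations: Iterable[Observation], sensors: Iterable[Sensor]) -> List[Observation]:
    """A rogue on a channel nobody scans is simply never reported."""
    covered = monitored_channels(sensors)
    return [obs for obs in observations if obs.channel in covered]


def coverage_gaps(sensors: Iterable[Sensor]) -> Dict[str, List[int]]:
    """Channels in each band that no sensor observes."""
    covered = monitored_channels(sensors)
    return {"2.4GHz": sorted(BAND_2_4 - covered), "5GHz": sorted(BAND_5 - covered)}


def classify(observations: Iterable[Observation], authorized_bssids: Iterable[str],
             corporate_ssids: Iterable[str]) -> Dict[str, List[Observation]]:
    """Whitelist comparison producing a review queue; nothing here transmits."""
    auth = {b.lower() for b in authorized_bssids}
    corp = set(corporate_ssids)
    queue: Dict[str, List[Observation]] = {"authorized": [], "rogue_review": [], "neighbor": []}
    for obs in observations:
        if obs.bssid.lower() in auth:
            queue["authorized"].append(obs)
        elif obs.ssid in corp:
            # Unknown radio advertising one of our SSIDs: top of the manual-review list
            queue["rogue_review"].append(obs)
        else:
            # Unknown radio, unknown SSID: most likely the cafe next door; review, don't kill
            queue["neighbor"].append(obs)
    return queue


def channel_plan_warnings(observations: Iterable[Observation],
                          authorized_bssids: Iterable[str]) -> List[str]:
    """Authorized 2.4 GHz radios off the 1/6/11 plan bleed into adjacent channels."""
    auth = {b.lower() for b in authorized_bssids}
    return [f"{o.bssid} ({o.ssid}) on channel {o.channel}: not in the 1/6/11 plan"
            for o in observations
            if o.bssid.lower() in auth and o.channel in BAND_2_4
            and o.channel not in NON_OVERLAPPING_2_4]


def sensor_ratio_ok(sensors: Iterable[Sensor]) -> bool:
    """Post's rule of thumb: at least one dedicated sensor per 5 serving APs."""
    sensors = list(sensors)
    dedicated = sum(1 for s in sensors if s.mode == "dedicated")
    serving = sum(1 for s in sensors if s.mode == "service")
    return dedicated * 5 >= serving


# Constructed sample data: three authorized APs, one evil twin, one neighbor.
AUTHORIZED = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
CORP_SSIDS = ["CorpWiFi"]
SCAN = [
    Observation("00:11:22:33:44:01", "CorpWiFi", 1, -45),
    Observation("00:11:22:33:44:02", "CorpWiFi", 6, -50),
    Observation("00:11:22:33:44:03", "CorpWiFi", 9, -52),    # authorized, but off-plan channel
    Observation("de:ad:be:ef:00:01", "CorpWiFi", 11, -60),   # our SSID from an unknown radio
    Observation("de:ad:be:ef:00:02", "CoffeeShop_Guest", 36, -75),
]
SERVICE_ONLY = [Sensor("ap-floor1", "service", frozenset({1})),
                Sensor("ap-floor2", "service", frozenset({6}))]
WITH_DEDICATED = SERVICE_ONLY + [Sensor("wids-1", "dedicated", BAND_2_4 | BAND_5)]

if __name__ == "__main__":
    for label, layout in (("service-mode APs only", SERVICE_ONLY), ("plus dedicated sensor", WITH_DEDICATED)):
        seen = visible(SCAN, layout)
        print(f"[{label}] gaps={coverage_gaps(layout)} ratio_ok={sensor_ratio_ok(layout)}")
        print(f"  queue={ {k: [o.bssid for o in v] for k, v in classify(seen, AUTHORIZED, CORP_SSIDS).items()} }")
    print(channel_plan_warnings(SCAN, AUTHORIZED))
```

Run as-is and the service-only layout reports the evil twin on channel 11 and the 5 GHz neighbor as invisible, exactly the bypass the post warns about; adding the dedicated sensor closes every gap and the unknown radio advertising CorpWiFi lands in the review queue for a human to decide on.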
This is just a glimpse of securing wireless networks using WIDS/WIPS. Shout out to Bart Robinson at World Wide Technology for his input on this piece.