As wireless enterprise networks become more pervasive, increasingly sophisticated attacks are developed to exploit these networks. An 802.11 network is vulnerable to threats from unauthorized AP users, Ad hoc networks, and denial of service (Do’s) attacks. Rogue APs pose security threats on enterprise networks. In addition to secure WLAN access, a large-sized network requires a system that can detect rogue wireless devices and reject access from these devices to protect services for authorized users.
WIDS can detect intrusions to a wireless network from malicious users. WIPS protects an enterprise network and users on the network against intrusions from unauthorized wireless devices. These systems can offer sophisticated monitoring and reporting capabilities to identify attacks against wireless infrastructure while stopping multiple classes of attack before they are successful against a network.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion prevention systems (IPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
At a basic level, all wireless networks are vulnerable to denial-of-service attacks caused by jamming, flooding of traffic, or malicious manipulation of control and management network traffic. A WIPS can detect such attacks, localize them, and notify an administrator. Next, some types of Wi-Fi networks particularly open networks or those based on WEP encryption, are vulnerable to a class of attacks such as impersonation, man-in-the-middle, and injection. A WIPS will detect and prevent these types of attacks.
WIPS classification happens on following aspects:
- Wired Rogue Detection – Focused on scanning wired and wireless networking equipment to identify rogue APs. Does not use any wireless sensors of its own.
- On-demand systems – Offer portable, on-demand scanning and monitoring for situations where full-time monitoring is not required. Installed on a laptop.
- Overlay – Infrastructure (permanently installed) system that can enforce “no-wireless” policies or monitor and protect an already-installed WLAN through a network of sensors communicating with a central server. An overlay WIPS is not part of the WLAN access network and thus can be used with any vendor’s WLAN equipment.
- Integrated – Infrastructure (permanently installed) system that can enforce “no-wireless” policies or monitor and protect an installed WLAN. In an integrated system, the WIPS is part of the WLAN access network – Apps can act as hybrid devices by simultaneously serving wireless clients while monitoring for WIPS events
The main types of events which can be detected by wireless intrusion prevention systems are:
- Unauthorized WLANs and WLAN devices (rogue APs, unauthorized stations, unauthorized WLANs)
- Poorly secured WLAN devices (misconfigurations, use of weak WLAN protocols and implementations)
- Unusual usage patterns (using anomaly-based detection)
- Use of wireless network scanners – obviously only active scanners can be detected
- Denial of Service (DoS) attacks (flooding, jamming)
- Impersonation and man-in-the-middle attacks.
Organizations have many options for WIDS/ WIPS service offerings, each presenting various strengths and weaknesses. Overall, a hybrid approach offers distinct advantages over alternative models by offering deployment flexibility, focused analysis and improved attack detection and response capabilities. When selecting a vendor to add intrusion detection and protection to the wireless infrastructure, carefully consider the architecture of the vendor’s offering to truly understand the strengths and limitations of the product.