Problem solve Get help with specific problems with your technologies, process and projects.

Detect and prevent wireless intrusions with a wireless IDS

Any WLAN with multiple sites or over a dozen APs can benefit from a wireless intrusion detection system. Consultants and systems integrators can use this tip to understand how WIDS/IPS work and the functionality offered by various products.

Any WLAN with multiple sites or over a dozen APs can benefit from a wireless intrusion detection system. Consultants and systems integrators can use this tip from to understand how WIDS/IPS work and the functionality offered by various products.

Unauthorized devices pose a threat to every wireless LAN. In fact, "rogue" access points are so common that the need to defeat them has created a fertile market for wireless intrusion detection and prevention systems.

Like their wired counterparts, wireless intrusion detection systems (WIDS) are designed to monitor network traffic 24x7. Although product architectures vary, WIDS typically depend upon remote sensors, distributed throughout the monitored network. Sensors passively observe wireless activity, reporting back to a central IDS server. That server is responsible for analyzing reported activity, generating intrusion alarms and a history database. Results may be presented on the server itself, or remotely through some type of IDS client.

Today, there are many WIDS products and services, capable of detecting not only rogue devices, but dozens of common WLAN attack signatures, deviations from baselined behavior and security policy violations. Some WIDS examples include AirDefense Enterprise, AirMagnet Enterprise, AirTight SpectraGuard, Bluesocket BlueSecure, Highwall Enterprise, Network Chemistry RFprotect, Newbury Networks WiFi Watchdog, Red-M Red-Detect and VigilantMinds AirXone.

Early detection

Any WLAN with multiple sites or over a dozen APs can probably benefit from deploying a WIDS. Distributed full-time monitoring is far more timely, complete and cost-effective than ad hoc stumbling, traffic sampling and human analysis. Without a WIDS, you're unlikely to spot a war driver briefly camped in the parking lot. You may discover a rogue AP planted in the facility, but probably after damage has been done. Risky misconfiguration of legitimate stations and APs may go unnoticed indefinitely.

Early WIDS products focused exclusively on detection, generating alerts that warn about potential security and performance problems. Considerable tuning of thresholds and policies can be required to eliminate false positives -- intrusion alerts that reflect normal, innocuous behavior. But over-aggressive tuning can lead to false negatives, creating a false sense of security. Establishing proper balance is essential -- a lesson that network administrators learned long ago in with wired network intrusion detection.

A well-tuned WIDS can provide a strong foundation for defense, but alerts alone do not stop attacks or remedy underlying vulnerabilities. When someone breaks into your home, a siren is invaluable -- but not enough to safeguard you or your belongings. Similarly, WLAN owners need to look beyond intrusion detection alerts and WIDS vendors are moving quickly to fill that need.

An ounce of (wireless) prevention

Recently, several WIDS products have added strike-back capabilities to temporarily or permanently inhibit a wireless attacker's ability to communicate with your WLAN or any adjacent wired network.

Temporary wireless blocking can discourage an attacker, just as an alarm siren can scare away a burglar. Persistent blocking can give you time to find and eliminate a rogue, without continuing to jeopardize your network during investigation.

For example, a rogue station spotted using wireless reconnaisance and attack tools may be seeking a way into your network via wireless. Some WIDS can aim 802.11 deauthenticate frames at that station's MAC address, preventing association with nearby APs. Alternatively, some WIDS can jam the channel occupied by a rogue AP to prevent it from being used as a backdoor into your network.

Selective deauthentication is less disruptive to bystanders than jamming, but an incented attacker can change his own address to elude MAC-based countermeasures. When using either method, one must consider the consequences -- is that really a malicious AP, or your new neighbor's AP? You may want to start with manually-initiated termination, implementing policy-based termination after you've learned the ropes.

A pound of cure

Most WIDS offer configurable device lists to differentiate between authorized APs, neighbor APs and all others. But such lists require on-going maintenance. In densely-populated urban areas, investigating every new device is at best labor-intensive, at worst impossible. Many WLAN owners prefer to be alerted only when an unknown device has actually penetrated their network, and then take wired-side steps to neutralize that threat.

A few WIDS products are now capable of inspecting IP payload to analyze traffic streams and behavior over time to determine whether a station or AP is communicating with an upstream network. As in the wired world, payload encryption can make this task more difficult. Ideally, this "true rogue" determination should be made as fast as possible to limit your network's exposure.

Some WIDS products have added wired-side countermeasures, through direct interaction with wired network switches, or by interfacing with wired-side network management systems. For example, AirMagnet Enterprise can use SNMP and CDP to query nearby Ethernet switch CAM tables, then disable the port used by a detected rogue. AirDefense Enterprise can interface with Cisco WLSE to initiate "port suppression," based on a detected rogue's MAC address.

Wired-side countermeasures like these are attractive because they can be focused and persistent. Watch for continued innovation here, as a complement to (not replacement for) wireless blocking. Interoperability with your organization's wired network hardware and management software may be a limiting factor.

Hide and seek

Intrusion blocking -- even persistent blocking -- is a stop-loss tactic. Eventually, you'll need to find the intruder and eliminate the threat at its source. Here again, WIDS products are expanding to better support this task.

Several WIDS products now incorporate location detection to some degree. One method is to manually search around the sensor receiving the strongest signal from the transmitter. Another method is triangulation -- comparing the signal received by three or more sensors to better pinpoint a transmitter's probable location. A third method is RF fingerprinting -- modeling RF characteristics within a coverage area for comparison to received signal strength to predict the transmitter's location.

WIDS products also vary in how they present location information and what they do with that knowledge. For example, Newbury's Wi-Fi Watchdog uses device location as a criteria for WLAN access control -- stations outside authorized regions are not permitted to pass 802.1X authentication.

What you don't know CAN hurt you

Finally, automated prevention and location techniques aren't going to help much if you're blind to intrusions or missing the forest for the trees. Every WIDS must be able to accurately observe and intelligently analyze network activity.

Many WIDS products gather data from an overlay network of purpose-built sensors -- passive listening devices. But proper sensor positioning is critical, so look for tools and tips to ensure adequate coverage. For example, AirTight SpectraGuard works in tandem with SpectraPlan to help plan for sensor placement.

Some vendors argue that APs, already installed throughout the WLAN, should double as sensors. For example, the Airespace Wireless Protection System leverages Airespace APs to monitor traffic to gather both security and performance information. Ask the AP vendor about their plans (if any) to provide WIDS capabilities or integrate with the WIDS server.

Compare any new WIDS release to the previous and you'll find a longer alert list. These products will forever be playing catch-up, adding detection signatures for new attack tools and methods. A strong signature database is important, but more is not always better. Look carefully at each product's expert analysis and event correlation. A system that can accurately roll a dozen symptoms into a single root cause intrusion alert will help you stop intrusions faster.

About the author
Lisa Phifer owns Core Competence, Inc., a consulting firm specializing in network security and management technology. Core Competence produces The Internet Security Conference (TISC), an annual symposium for network security professionals. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years.

This tip originally appeared on

Dig Deeper on Managed network security services