Preventing Interference and Intrusion
If you’ve worked in the WLAN industry very long, you have likely seen or worked with a wireless intrusion detection system. A wireless intrusion detection system (WIDS) is used to detect and classify wireless network devices, such as access points and wireless clients. Classification examples are “valid known device,” “rogue device,” “monitored device” or “neighbor device.” A WIDS gives the security professional the ability to see what is happening on the RF network across the entire organization.
Wireless intrusion detection systems quickly evolved into wireless intrusion protection systems (WIPS) when manufacturers realized that they could use the WIDS to perform deauthentication attacks against rogue devices. From this point, the WIPS became more than just a passive listener on the network—it became an enforcer of security policy. While there are a number of ways to perform a deauthentication attack against rogue devices, the premise is the same in each case: deny device association through a protocol-based attack. Using deauthentication frames to prevent rogue clients from connecting to your authorized APs (or vice versa) is a clever and effective means of protecting the wireless network.
There’s no doubt that this sort of tool is both useful and necessary in today’s wireless-centric, network-based world. In fact, it’s so popular that most wireless infrastructure providers have integrated this functionality to some degree. If deploying a WIPS gives you a warm fuzzy feeling about your wireless network’s security, keep reading.
Wireless intrusion prevention systems can see all 802.11 frames transmitted within their field of view on the channel to which they are tuned. WIPS sensors may either have a single 802.11a/b/g radio or two separate radios—one for 802.11a and one for 802.11b/g. They are critically limited by the type of transmissions that their internal radios can understand. If the sensors can only understand 802.11 frame types using OFDM or DSSS modulation, then FHSS systems such as Bluetooth, OpenAir and 802.11 FHSS will go undetected. This is a serious problem considering the availability and low cost of these FHSS systems. FHSS systems can be obtained via manufacturers such as Alvarion, and much of the old Proxim RangeLAN/2 equipment is still available through eBay. Other wireless systems are also available, such as infrared and licensed wireless, which would be equally adept at escaping detection by Wi-Fi-capable WIPS.
Several manufacturers have recently released Bluetooth scanning software at costs ranging from free to a few hundred dollars. This software is simple to operate, but lacks the enterprise-wide field of view of a Wi-Fi WIPS. Instead of being able to see an entire building or campus at one time, these stand-alone scanners are installed on a laptop computer that must be carried around a facility to manually scan for rogue, non-Wi-Fi devices. This technique takes us back to the days of using stand-alone Wi-Fi protocol analyzers as enterprise-wide WIDS. If you are trying to control wireless security in a small area, stand-alone scanners such as these may work fine, but in most cases, roaming around the facility would be required for an enterprise-level security scan.
The next question you might ask is, “So when do the all-seeing wireless sensors arrive?” That’s a very good question, and the likely answer is, “Never.” Because WIPS manufacturers must be able to purchase the radios for their sensors at a reasonable price, they must buy them from radio card manufacturers that are making the radios in huge quantities. The problem here is that there are no manufacturers making 900 MHz, 802.11 FHSS and OpenAir FHSS radios in quantity because the only possible use would be for WIPS. 802.11a/g radios are produced in large quantity by many manufacturers, making it economical to place these radios into access points, PC cards, WIPS sensors, etc. So far, we have not seen Bluetooth integrated into WIPS sensors, but that should change, considering that Bluetooth radios are produced in massive quantities and are very inexpensive.
The next logical question is, “Since a Wi-Fi-based WIPS is unable to detect and prevent attacks from non-Wi-Fi rogue devices, why spend the tens, or even hundreds of thousands of dollars to deploy large-scale WIPS?” The answer is simple really. It’s better to detect and possibly prevent a large portion of intruders than none at all. This statement is even more appropriate when the wireless infrastructure equipment has integrated WIPS because the cost model is not quite as daunting as with an overlay system. With an integrated system, you get the WIPS feature set as part of the wireless infrastructure device, such as a WLAN switch.
What does this mean for the wireless security professional? It means that he or she will always have to prioritize physical security, technical and end-user staff training, and security policy enforcement. By increasing physical security of the premises, rogue infrastructure devices such as access points will be placed onto the network less and will be found more. By increasing technical and end-user staff training, the entire organization can participate in the process of enforcing wireless LAN security.
Kevin Sandlin is the CEO and primary business and marketing manager for Planet3 Wireless, which administers the CWNP certification program. Devin Akin is Planet3 Wireless’ chief technology officer. They can be reached at firstname.lastname@example.org.