Wireless intrusion prevention systems: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
Enterprise wireless intrusion prevention systems have been helping organizations detect and block wireless local area network (LAN) attacks for quite some time. In the early days, wireless intrusion prevention products were most often used to detect rogue wireless access points (APs), but they have since evolved to handle a wide variety of wireless LAN (WLAN) attacks. With the sharp increase in reliance on wireless technologies, particularly for laptops, smartphones and tablets, organizations find it increasingly important to use wireless intrusion prevention systems.
A wireless intrusion prevention system (WIPS) can stop WLAN threats quickly, preventing, for example, unauthorized access to WLANs and client devices. Such access could in turn be leveraged to gain unauthorized access to the organization's wired networks, systems and data.
There are three deployment models for WIPS:
- The AP performs WIPS functions part of the time, alternating them with its regular network connectivity functions.
- The AP has dedicated WIPS functionality built into it, so it's able to perform network connectivity functions and WIPS functions all of the time.
- The WIPS is deployed through dedicated sensors instead of the APs.
Because it can cause significant network slowdowns and is also the least effective at detecting attacks (the radio can only observe the air while it is not serving clients), the first deployment model has largely fallen out of use. The other two models -- dedicated WIPS built into APs, and dedicated WIPS sensors -- are both widely used, and they will be the focus of this article. This article evaluates several popular WIPS products based on publicly available information, against seven criteria: device management, attack discovery, policy compliance, forensic data, attack defense, performance and price.
These criteria are not intended to be comprehensive, and they alone should not serve as the complete basis for performing an evaluation to determine the best WIPS product for you. Rather, they are meant to be used as data to help feed an evaluation process. Every organization has its own unique security requirements, as well as different WLAN technologies and architectures, so each organization must conduct its own evaluation process to ensure the solution will be optimal for it.
The following products were analyzed for this article: AirTight WIPS, Aruba (now HP) RFProtect, Cisco Adaptive Wireless IPS, Fluke Networks AirMagnet Enterprise, HP Mobility Security IDS/IPS and Zebra Technologies AirDefense (formerly from Motorola).
Criteria #1: Device management
There are two aspects of device management to consider when evaluating WIPS products: the management of the WIPS devices themselves, such as sensors, and the management of the WLAN APs, client devices and other components.
In terms of WIPS device management, all the WIPS products that use dedicated sensors offer a centralized mechanism for managing those sensors. Similarly, for the products implemented via WIPS capabilities built into APs, there are centralized management mechanisms.
Using a WIPS to manage the WLAN components themselves is a capability that many products do not offer. Aruba RFProtect is an exception; it allows wireless device configurations to be locked down from a central console, for example. Also, the AirTight WIPS and HP Mobility Security IDS/IPS products allow customized security policies to be centrally implemented. However, most organizations already have other means in place for configuring and monitoring the security of their wireless devices, so this particular device management capability is often unnecessary. Make sure to take into account existing wireless device management capabilities when planning a WIPS product evaluation.
Criteria #2: Attack discovery
Most WIPS products offer a wide variety of attack discovery capabilities. Some, in fact, promote their recognition of hundreds of WLAN attack signatures, although none of the vendors provide public listings of what these signatures are. This makes a detailed comparison of attack discovery capabilities infeasible. Instead, it's possible to compare the products at a high level by looking at the most common attack types.
All of the products analyzed for this article have the most basic WIPS attack discovery abilities: to detect rogue APs and to detect rogue connections, including unauthorized client devices and unauthorized ad hoc networks. No other details were available on what Zebra Technologies AirDefense can do in terms of attack discovery, but the other products all offer one or more additional capabilities, including the following:
- Detecting denial-of-service attacks;
- Detecting man-in-the-middle and client impersonation attacks; and
- Mapping the physical locations of WLAN devices, including client devices and APs (both authorized and rogue).
Two products, Cisco Adaptive Wireless IPS and HP Mobility Security IDS/IPS, also promote the ability to detect active authentication and encryption cracking attempts. In fact, these two products are the only ones analyzed that support the full range of attack discovery capabilities investigated for this criterion.
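As an added illustration of the rogue-AP, rogue-connection and denial-of-service checks listed above (example code written for this guide, not code from any of the products reviewed), the following Python sketch runs those checks over a constructed set of already-parsed 802.11 observations. The record layout, the authorized inventory, the MAC addresses and the thresholds are all assumptions made for the example:

```python
"""Added example (not any vendor's code): a minimal WIDS-style detector run
over constructed frame observations. The record layout, the authorized
inventory and the thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed authorized inventory: BSSID -> SSID it may advertise, plus client MACs.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
}
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed observations (not a real capture), already parsed from 802.11
# headers: (time_s, frame_type, src, dst, ssid, ibss_flag).
OBSERVATIONS = [
    (0.0, "beacon", "00:11:22:33:44:01", BROADCAST, "corp-wifi", False),
    (0.1, "beacon", "00:11:22:33:44:02", BROADCAST, "corp-wifi", False),
    (0.2, "beacon", "de:ad:be:ef:00:01", BROADCAST, "FreeWifi", False),   # unknown AP
    (0.3, "beacon", "de:ad:be:ef:00:02", BROADCAST, "corp-wifi", False),  # impersonates corp SSID
    (0.4, "beacon", "de:ad:be:ef:00:03", BROADCAST, "adhoc-net", True),   # IBSS (ad hoc) network
    (1.0, "data", "aa:bb:cc:00:00:01", "00:11:22:33:44:01", None, False),  # legitimate
    (1.1, "data", "aa:bb:cc:99:99:99", "00:11:22:33:44:01", None, False),  # unknown client
    (1.2, "data", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:02", None, False),  # client on evil twin
] + [
    # 25 deauthentication frames claiming to come from an authorized AP
    (2.0 + i * 0.2, "deauth", "00:11:22:33:44:01", BROADCAST, None, False)
    for i in range(25)
]


@dataclass(frozen=True)
class Alert:
    kind: str
    subject: str
    detail: str


def detect(observations, authorized_aps=AUTHORIZED_APS,
           authorized_clients=AUTHORIZED_CLIENTS,
           deauth_threshold=20, window_s=10.0):
    """Return de-duplicated, sorted alerts. The thresholds are the tunable knobs."""
    alerts = set()
    deauth_times = defaultdict(deque)  # claimed source -> recent deauth timestamps
    for t, ftype, src, dst, ssid, ibss in observations:
        if ftype == "beacon":
            if ibss:
                alerts.add(Alert("adhoc", src, f"IBSS beacon for SSID {ssid!r}"))
            elif src not in authorized_aps:
                if ssid in authorized_aps.values():
                    alerts.add(Alert("evil_twin", src, f"unauthorized BSSID advertising {ssid!r}"))
                else:
                    alerts.add(Alert("rogue_ap", src, f"unknown BSSID advertising {ssid!r}"))
        elif ftype == "deauth":
            # Sliding-window rate: a burst of deauths spoofing one AP is a DoS signature.
            times = deauth_times[src]
            times.append(t)
            while times[0] < t - window_s:
                times.popleft()
            if len(times) >= deauth_threshold:
                alerts.add(Alert("deauth_flood", src,
                                 f"{deauth_threshold}+ deauth frames within {window_s}s"))
        elif ftype == "data":
            # Simplification: real code derives AP/client roles from the
            # ToDS/FromDS bits and address fields, not from src/dst alone.
            if dst in authorized_aps and src not in authorized_clients:
                alerts.add(Alert("unauthorized_client", src, f"data frames to authorized AP {dst}"))
            elif src in authorized_clients and dst not in authorized_aps:
                alerts.add(Alert("misassociation", src, f"authorized client talking to {dst}"))
    return sorted(alerts, key=lambda a: (a.kind, a.subject))


if __name__ == "__main__":
    for a in detect(OBSERVATIONS):
        print(f"{a.kind:20} {a.subject}  {a.detail}")
```

The `deauth_threshold` and `window_s` parameters are the kind of knobs a product must expose: raising the threshold to 30 makes the same burst disappear from the alert list, which is exactly the false-positive/false-negative trade-off that the vendors do not quantify publicly.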
Criteria #3: Policy compliance
It is important to be able to perform granular policy compliance reporting on a WIPS to document adherence to various compliance initiatives. A single organization may be subject to several of these initiatives, so for these organizations, having compliance reports predefined for each initiative can be a significant time saver. An organization is also likely to need policy compliance reporting for other purposes, such as internal or external audits.
While all of the products offer some sort of reporting capability, five specifically promote their native support of regulatory compliance reporting: Aruba RFProtect, Cisco Adaptive Wireless IPS, Fluke Networks AirMagnet Enterprise, HP Mobility Security IDS/IPS and Zebra Technologies AirDefense. Organizations that are subject to one or more compliance initiatives should check with each WIPS vendor to determine which of those initiatives are natively supported by the WIPS reporting and -- more importantly -- to determine if the WIPS reporting can be customized to meet any other identified reporting requirements.
Criteria #4: Forensic data
Few details are available on forensic data recorded by any of the WIPS products. A few products, such as Cisco Adaptive Wireless IPS and Fluke Networks AirMagnet Enterprise, offer packet capture capabilities; these can be very helpful in reviewing an attack session in detail and analyzing what happened. Other products, such as AirTight WIPS and Zebra Technologies AirDefense, have the ability to record basic information on observed events and to log all actions performed by the WIPS itself.
Organizations evaluating potential WIPSes are encouraged to perform their own testing of each product to determine how accurate and complete its forensic data-recording capabilities are. For example, does the product record complete attack sessions, or does it only start recording a session after an attack has been discovered? Having robust forensic data collection and recording capabilities is critical to the effectiveness of incident response actions involving WLANs.
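The "when does recording start" question above is easy to test, and the difference is easy to see in code. The following Python example, added here and not taken from any product, models a recorder that keeps a short rolling history of frames before any alert, beside one that only keeps frames from the moment of the alert onward. The frame summaries, the deauthentication threshold and the retention window are constructed for the illustration:

```python
"""Added example (not vendor code): pre-alert retention versus post-alert-only
recording. Frames, threshold and retention window are constructed assumptions."""
from collections import deque

# Constructed observations (not a real capture): (time_s, summary).
FRAMES = (
    [(0.0, "beacon 00:11:22:33:44:01 corp-wifi"),
     (0.5, "assoc aa:bb:cc:00:00:01 -> 00:11:22:33:44:01")]
    + [(1.0 + i * 0.1, "deauth spoofing 00:11:22:33:44:01") for i in range(30)]
    + [(5.0, "beacon 00:11:22:33:44:01 corp-wifi")]
)
DEAUTH_THRESHOLD = 20  # assumed: the detector alerts on the 20th deauth


class Recorder:
    """Keeps `retain_s` seconds of frames ahead of any alert. retain_s=0 models
    a product that starts recording only once it has decided to alert."""

    def __init__(self, retain_s):
        self.retain_s = retain_s
        self.history = deque()
        self.sessions = []   # each: {"alert_time", "reason", "frames"}
        self._open = None    # session currently being recorded

    def observe(self, frame):
        t = frame[0]
        if self._open is not None:          # session open: record everything
            self._open["frames"].append(frame)
            return
        self.history.append(frame)          # otherwise keep only the recent past
        while self.history and self.history[0][0] < t - self.retain_s:
            self.history.popleft()

    def alert(self, t, reason):
        # Copy the retained history so later eviction cannot erase the lead-up.
        self._open = {"alert_time": t, "reason": reason, "frames": list(self.history)}
        self.sessions.append(self._open)


def run(retain_s):
    """Feed FRAMES through a Recorder and return the session the alert produced."""
    rec = Recorder(retain_s)
    deauths = 0
    for frame in FRAMES:
        rec.observe(frame)
        if "deauth" in frame[1]:
            deauths += 1
            if deauths == DEAUTH_THRESHOLD and not rec.sessions:
                rec.alert(frame[0], "deauth flood")
    return rec.sessions[0]


if __name__ == "__main__":
    for retain in (0, 5.0):
        s = run(retain)
        print(f"retain {retain}s: {len(s['frames'])} frames, "
              f"first at t={s['frames'][0][0]:.1f}, alert at t={s['alert_time']:.1f}")
```

With no pre-alert retention the recorded session begins at the alert itself, so the association that preceded the flood and the first nineteen deauthentication frames are gone; with a five-second window the whole lead-up is preserved. When testing a product, feed it a scripted sequence like this and check whether the exported capture contains the frames that triggered the alert or only those that followed it.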
Criteria #5: Attack defense
Every WIPS product offers built-in attack defense capabilities; otherwise it would be a wireless intrusion detection system (WIDS) and not a WIPS. However, there are different defense techniques for different kinds of attacks, and sometimes there are multiple options for stopping a single type of attack. Some techniques cause less disruption to other users and devices than others do, but are easier to circumvent. So depending on the organization's security needs, one technique might be preferable to another.
Just as there are no detailed lists of WLAN attack signatures provided by the WIPS vendors, there are no corresponding lists of attack defense technique options for stopping each type of WLAN attack. And even if there were, it would take a great deal of effort to review the options and evaluate the relative strengths and weaknesses of each one across all the WIPS possibilities. What is more realistic is to ask the WIPS vendors for insights as to the basic techniques that they use to stop attacks and to then ensure these techniques meet the organization's requirements.
Another important consideration related to attack defense is detection accuracy in terms of false positives and false negatives. Unlike wired network and host-based IPS vendors, who often differentiate their products by citing false positive and negative rate statistics, WIPS vendors across the board do not provide estimates of these rates. In a WIPS a false positive is not merely noise: if the response is automatic containment, a misclassified legitimate AP or client is actively blocked. Organizations interested in acquiring WIPS products should therefore pay particular attention to their support for customizing attack detection and responses, which is what lets the organization tune down false positives and negatives and block attacks with confidence.
Criteria #6: Performance
There are many aspects of WIPS performance to consider, and two of the most significant are scalability and high availability. In terms of scalability, a WIPS component, such as a centralized management server, is going to be able to support a limited number of sensors or APs. This may vary widely by product; for example, the HP Mobility Security IDS/IPS can support up to 250 WIPS sensors per hardware appliance and up to 600 WIPS sensors per virtual appliance, while the Cisco Adaptive Wireless IPS can handle up to 3000 APs per Cisco Mobility Services Engine device.
Going hand in hand with scalability is high availability. Organizations often want to split the sensor or AP management and monitoring across multiple management servers so the failure of one management server does not bring down the entire WIPS capability. Most products have some sort of fault tolerance built into their components or architecture. For example, the Fluke Networks AirMagnet Enterprise sensors are designed to have redundant, fault-tolerant components, and these sensors and the HP Mobility Security IDS/IPS sensors can continue to work effectively even when they lose connectivity to their management server.
Some products -- such as Aruba RFProtect, Cisco Adaptive Wireless IPS and Fluke Networks AirMagnet Enterprise -- offer high-availability architectures for the WIPS management servers themselves. When a server failure occurs, operations automatically fail over to another server. Server load balancing options are also supported by the Aruba RFProtect product.
Criteria #7: Price
Pricing models vary widely across WIPS products. This is due, in large part, to the different architectures that they employ. Some products, such as Aruba RFProtect, come in the form of a software module to be installed and activated on existing hardware; in this case, the software is licensed based on how many APs are being supported. Other products offer both hardware and virtual appliance options; these products may require licenses to be bought for each sensor that is supported. In addition to these appliance options, AirTight WIPS provides cloud-based services, and the pricing model for these would be completely different from software-based or hardware-based implementations.
When evaluating wireless intrusion prevention systems, it is certainly important to identify management server, console and sensor/AP software purchase and installation costs. However, maintenance costs should not be overlooked. Any WIPS is going to require constant monitoring so administrators can respond to successful attacks, and frequent tuning and customization of the WIPS attack detection signatures and rules is also critically important to improving the accuracy of detection and minimizing false positives and negatives.
Finding the best WIPS
There are many factors to consider when evaluating wireless intrusion prevention systems. Some, such as price and performance, are highly variable for each organization depending on the WIPS architecture selected (APs with built-in WIPS or dedicated WIPS sensors), the existing nature of the WLAN infrastructure, and the WIPS deployment model (software, hardware appliance, virtual appliance, cloud-based service).
Other factors are more straightforward to compare. For example, the Cisco Adaptive Wireless IPS and HP Mobility Security IDS/IPS products offer the widest range of high-level attack detection capabilities, including active authentication and encryption-cracking detection. The Cisco Adaptive Wireless IPS and Fluke Networks AirMagnet Enterprise products both provide packet capture capabilities. And the Aruba RFProtect, Cisco Adaptive Wireless IPS and Fluke Networks AirMagnet Enterprise products all offer high-availability architectures with automatic failover between management servers.
Based on these criteria, the Cisco Adaptive Wireless IPS product should be carefully considered by any organization seeking a robust WIPS product. It tends to be better suited for larger organizations, however, so small and midsize organizations should be sure to evaluate the Fluke Networks AirMagnet Enterprise and HP Mobility Security IDS/IPS System Series products. These three products all offer a strong balance of attack detection features, forensic data capabilities, and scalability and high-availability options.