Wireless intrusion prevention systems: Overlay vs. embedded sensors

WIPSes rely on sensors to observe and forward traffic summaries to a central analysis server. Overlay WIPS use special-purpose sensors, dedicated to this monitoring task. Embedded WIPS use APs to monitor the WLAN in their spare time. This tip compares these two WIPS approaches so that you can choose the one that best fits your network and security needs.

Wireless Intrusion Prevention Systems (WIPS) monitor and forward 802.11 traffic summaries to a central server to detect attacks, unauthorized use, and policy violations. Classic overlay WIPS products (e.g., Motorola AirDefense, AirMagnet, AirTight) use a dedicated server and sensors for monitoring. Controller-embedded WIPS (e.g., Aruba, Cisco WLC, Belkin/Trapeze) have long used ordinary access points to monitor the WLAN in their spare time. This tip compares these approaches so that you can understand why enterprise WLAN products have evolved to embrace full-time security monitoring.


In principal, using ordinary APs for security monitoring might reduce cost by leveraging existing hardware, Ethernet switch ports, Cat6 cable runs, and power drops. Also, if your WLAN Controller were acting as your embedded WIPS server, you would not need another platform on which to run an overlay WIPS server.

But, in practice, each system can only do so much. In many embedded deployments, it becomes necessary to install more APs to shoulder the burden of WIPS, or to completely cover vulnerable areas. Because the I/O and CPU load placed on a WIPS server can be quite heavy, WLAN Controllers may also need to be scaled up to do both jobs at once.

In addition to dedicated sensors, most overlay WIPS can now use selected APs for part or full-time monitoring. On the flip side, most controller-embedded WIPS now allow APs to be configured as full-time monitors. So don't get hung up on labels: determine how many security monitoring devices you'll need and then compare installed per-unit cost.


For companies using WIPS to enforce a "no wireless" policy, overlay WIPS is the only real option -- there are no existing APs to reuse. Other companies with installed WLANs should take a hard look at their security monitoring coverage needs.

Your monitoring footprint should be slightly larger than your WLAN footprint. Rogues may lurk just beyond the reach of legitimate APs, luring users into associating with them or launching attacks that you cannot otherwise see. Either dedicated sensors or monitor-only APs can be added to extend spatial coverage.

APs use specific frequency bands and assigned channels within those bands. For security purposes, you should always scan beyond those channels, because unauthorized APs and Ad Hoc stations are more likely to occupy unused channels. An old 802.11b/g AP cannot monitor 5GHz 802.11a/n channels, or frequencies in the 2.4 GHz band used only in other countries. On the other hand, an old 802.11a/b/g sensor will hear but cannot decode traffic sent by new 802.11n rogues. Start by identifying the bands/channels you want to monitor and then determine the most effective and pragmatic way to scan them.

Attention span

In early controller-embedded WIPS solutions, ordinary APs spent their spare time monitoring an assigned channel or scanning all channels. In early overlay WIPS, monitoring traffic was each dedicated sensor's primary task. This difference fostered a big debate about part-time vs. full-time monitoring.

In reality, some traffic is going to be missed by every monitoring point -- the intruder may be too distant, the signal may be too weak, the transmission may be too short. In fact, any device scanning channels in RFMON mode is sequentially sampling traffic on every channel in the list. The goal is always to listen long enough, often enough, to have a decent chance of spotting attacks, policy violations, and rogue devices.

However, in a busy WLAN, a full-time observer is clearly going to hear more traffic. Short-duration attacks are more likely to be missed by background scans, as are relatively quiet rogue devices like bridges. This is the rationale that lead overlay WIPS products to use dedicated sensors in the first place.

On the other hand, in a lightly-used WLAN, a dedicated WIPS sensor can't put spare cycles to good use, while an AP might have enough horse power to do two jobs well.

Impact on WLAN 

But AP time-slicing not only impacts WIPS effectiveness -- it also impacts the WLAN's performance. But this can be difficult to quantify. Potential impact depends on AP loading, client density, application traffic, scan list/duration, and other WIPS tasks.

Dedicated sensors or full-time monitor-only APs cannot adversely impact the WLAN's performance. In fact, because they gather more complete information, they may be more helpful when it comes to trouble-shooting WLAN performance problems.

On the other hand, when push comes to shove -- an AP fails, or client demand suddenly spikes -- a dedicated sensor cannot be temporarily placed into active duty to boost a struggling WLAN's performance. From a security perspective, keeping your monitoring infrastructure intact is an asset. But from an operations perspective, service availability is usually top priority.

To balance cost vs. risk, most enterprise WLAN products evolved to embrace full-time monitoring. Specifically, while APs can still be configured to scan for rogues part-time, many can now be converted to operate in full-time monitor-only mode. Furthermore, most APs can feed part or full-time observations to a WLAN Controller and/or an overlay WIPS. As a result, today's debate is really more about WIPS functionality.


Purpose-built sensors support WIPS functions not found in commercial APs. Ability to scan "off" channels is one such function. A purpose-built sensor may even be able to scan non-802.11 traffic to fingerprint RF interference sources like microwave ovens and Bluetooth.

Furthermore, any AP can generate deauthenticate or disassociate packets, but some sensors are now being used as wireless clients. For example, a sensor may associate to a rogue AP to trace back network connectivity. A sensor may try to lure a rogue Ad Hoc, keeping it busy while responders try to find and eliminate that device.

APs that can be converted to full-time monitor-only mode can of course be augmented to provide these additional capabilities, but realistically, developing new WLAN functions may take priority over new WIPS functions. Furthermore, no matter how much an AP is capable of doing, a part-time AP is not well-suited for performing security tasks that require sustained activity (e.g., creating a traffic capture for a designated channel or device, persistently deauthenticating a large number of rogues).


Another concern regarding any type of overlay is proliferation of consoles and databases and integrating them to facilitate coordination and avoid duplication.

A controller-embedded WIPS is more likely to provide a single, integrated management interface through which you can both configure and monitor your WLAN. An embedded WIPS has built-in criteria with which to differentiate between legitimate APs and rogues, while an overlay WIPS must be configured with (or import) a list of legitimate APs. When an embedded WIPS decides to disable a rogue's wired network access, that WLAN Controller may be directly responsible for managing the port anyway. While many overlay WIPS can send SNMP requests directly to Ethernet switches, it may be preferable to relay switch configuration requests to the responsible management system.

This difference is becoming less clear-cut as product acquisition and integration increases. For example, Motorola WLAN customers can use that vendor's RF Management System for controller/AP embedded rogue detection and/or the overlay Motorola AirDefense WIPS for broader security monitoring.

Segregation of duties

Finally, look beyond differences in approaches and products to consider organizational impacts and policy requirements. In some companies, network operations and security compliance are the responsibility of different organizations. WLAN components may be chosen based on their ability to deliver network, not security, services. The organization responsible for security monitoring may not be authorized to use existing APs for WIPS. In fact, some companies explicitly require Segregation of Duties for security audit personnel and tools.


Choosing a WIPS should be based on many factors -- embedded vs. overlay is just one (albeit important) consideration. We hope this tip helps you to better understand that consideration, so that you can match available security monitoring solutions to your company's requirements.

>> Read the next tip: How to monitor WLAN performance with WIPS

This was last published in July 2009

Dig Deeper on Wireless network security