I'll be watching you: Wireless IPS

Interested in implementing wireless IPS? Lisa Phifer of Core Competence Inc. explains how to use WIPS for wireless rogue server detection, as well as creating a Wi-Fi location map and wireless IPS information for compliance reporting.

Wireless Security Lunchtime Learning

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.  

Carolyn Gibney: Hello, and welcome to today's SearchSecurity.com Lunchtime Learning Video Presentation, 'I'll Be Watching You: Wireless IPS,' with special guest speaker Lisa Phifer. My name is Carolyn Gibney, and I will be your host. The goal of SearchSecurity.com's Wireless Lunchtime Learning Security School is to equip you with strategies and tactics for defending your organization's wireless LAN in a format that fits your busy schedule. Today's presentation focuses on wireless intrusion prevention systems, including some of their common features and how they differ from their wired counterparts. Our expert speaker, Lisa Phifer, has been involved in the design, implementation, and evaluation of data communications, internetworking, security and network management products for over 25 years. Lisa owns Core Competence Inc., a consulting firm specializing in network security and management technology, and teaches about wireless LANs, mobile security, and virtual private networking at many industry conferences and online webinars. Thank you for joining us today, Lisa.

Lisa Phifer: Thank you, Carolyn. I am glad to be here.

Carolyn Gibney: As a reminder, you can see all the tips and videos in our Wireless Lunchtime Learning Security School at any time by navigating to SearchSecurity.com/WirelessLunchtimeLearning. We are now ready for your presentation, Lisa; take it away.

Lisa Phifer: All right, Carolyn. Intrusion prevention systems are now standard operating procedure in today's enterprise network, and that should include enterprise wireless LANs. From policing no-fly zones to detecting airborne attacks, wireless intrusion prevention systems can help companies see what is being transmitted over the air inside their own offices. A wireless IPS not only monitors the airwaves, it lets you take corrective action when intruders are spotted or policies are violated. With enterprise adoption of 802.11n, wireless LANs are growing bigger, faster, and increasingly essential. In some places, WiFi has even replaced wired Ethernet as the preferred access method. In short, the business case for wireless intrusion prevention has really never been more compelling. We will explain the role of wireless IPS in enterprise networks, and look at what a wireless IPS could do to augment your company's overall security posture.

Most of our listeners are probably familiar with network intrusion prevention systems. A wireless IPS is a kind of network IPS focused on the security needs and challenges posed by 802.11. Like a wired network IPS, a wireless IPS is designed to provide full-time centralized surveillance to a geographically distributed network composed of numerous wireless LANs. At each office, traffic is monitored by distributed agents. Those are devices that have been positioned to observe network activity and forward summaries to a central server for analysis. That wireless IPS server is actually responsible for aggregating traffic summaries, correlating events received from all agents, then isolating potential security or performance conditions that require attention. Like a wired network IPS, a WIPS server generates alerts that get recorded in a database and probably displayed on an administrator console. Some intrusion alerts can even trigger investigative or strike-back actions that are intended to block or contain a wireless attack. At this meta level we can see that wired and wireless IPS share business goals and distributed architectures, but if we look under the covers we will start to see that these systems actually have entirely different tasks and responsibilities.

In a wireless IPS, access points and sensors actually scan every radio band that your company wants to monitor, listening for both 802.11 transmissions, as well as other radio frequency energy. They need to understand how the 2.4, 5, and perhaps even the 4.9 GHz bands are organized into channels, and they must be able to decode what they hear. That includes 802.11b, g, a and n preambles, MAC headers, and payloads. From time to time, these agents may also transmit 802.11 frames, for example, to trace a rogue device's connectivity. When these physical observations are reported to a WIPS server, the server needs to understand 802.11 and 802.1X protocol states and behaviors well enough to spot either atypical or hostile transmissions. The WIPS server also needs to understand observable elements of your wireless security policy. For example, it might verify that the data transmitted on each authorized SSID and access point is actually encrypted the way that you expect it to be. Beyond typical IPS-style intrusion alerts and reports, a wireless IPS must be able to detect the transient relationships that exist between mobile devices and must also be able to estimate their physical location. For example, as a wireless voice handset roams from one access point to another, a wireless IPS should be able to track that movement, plotting both current and past position on a floor plan.

Clearly, a wireless IPS cannot do its job without agents that can overhear transmissions. Those agents must be deployed throughout the area to be monitored, and that includes locations with either weak or absent WiFi coverage, since unauthorized connections are more likely to occur in those venues. Intruders may also try to hide in plain sight by transmitting on bands and protocols that are not used by your own authorized LAN. In most deployments, wireless IPS agents are configured to passively scan all channels on both bands, dwelling on each frequency just long enough to reliably detect attacks and abuse. When an incident is detected, the server may ask a nearby agent to stop scanning and take some action, for example, capturing packets sent by a specific device or trying to actually break an intruder's connection with your network. In fact, scan breadth and duration play critical roles in how effective a wireless IPS will be. Today, most business access points can perform periodic background scans when they are not otherwise busy servicing wireless clients. That method is sufficient to generate a list of unknown access points, but it will miss the vast majority of transmissions that actually occur in between scans, or on channels that are not otherwise supported by your access point. This is why most enterprise wireless vendors now support wireless IPS sensors. These are devices that are dedicated to 24x7 scanning. In fact, several enterprise wireless LAN controllers are now able to actually convert ordinary access points into full-time wireless IPS sensors.

Once you have gathered that traffic with sensors or agents, what can a wireless IPS do with that intel? A contemporary enterprise wireless IPS can be expected to support most of the tasks listed here: Device discovery and classification that goes far beyond basic rogue detection. Monitoring, to provide an external perspective on just how well your controllers and access points are performing. Attack detection and prevention based on signatures and deviations from baseline behavior. Configuration of security policies, surveillance and enforcement. Mapping and tracking the physical location of wireless devices throughout your business airspace. Remote analysis and diagnostic tools for use by both security and help desk staff. Finally, canned and custom reports that document intrusions, outages, network utilization, compliance with industry regulations, and many other things. Let us take a closer look at each of these common capabilities.

Every wireless IPS maintains a list of access points, stations, and ad-hoc clients that are heard by one or more WIPS agents. Some wireless IPSs can even document RF interference sources, for example, microwave ovens, cordless phones, radar systems. Note that older wireless IPS systems may hear but may not fully understand some new 802.11n devices, especially greenfield access points that transmit preambles that are not fully understood by older 802.11a/b/g sensors. Some discovered devices will belong to you and some will belong to your neighbors, visitors, or actual intruders. Given how frequently WiFi devices come and go today, automated, accurate device classification has become essential. Specifically, a wireless IPS should be able to differentiate between authorized assets, harmless strangers, and those real threats. It should be able to do this based on what it can observe. For example, is the device operating on a channel that is authorized for use in that specific location? Is the device's media access control address in your asset inventory? Has a new client successfully associated to one of your authorized access points, thereby demonstrating that the user of that device knows how to authenticate to your network? Is the received signal strength that is reported by all agents actually low enough to suggest that an unknown access point probably belongs to a neighbor, or does that access point appear to be cabled to a subnet that is actually yours? These and other vital statistics not only help classify each new device, as we will see, they also come in handy for future incident investigation and troubleshooting.

Device parameters and relationships might be critical for security analysis, but the unicast, multicast, and broadcast frames that those devices send and receive can also be used to detect essential wireless LAN operational and performance problems. By examining management frames sent by access points, a wireless IPS can actually alert you to an access point that has been reset to default or seems to be overloaded. By comparing the capabilities included in beacons and probes, your wireless IPS may be able to warn you about mismatches between access points and clients that have a tendency to result in sub-optimal performance. For example, an 802.11n access point operating in the vicinity of 802.11b devices is required to use protection to avoid collisions. Alternatively, you might decide to move your 802.11n access point to a different channel or band to improve performance. By monitoring errors, retransmissions, and data rates, a wireless IPS can pinpoint locations and devices that are actually experiencing these kinds of problems. For example, you may find that a very slow legacy client is actually consuming far more than its fair share of airtime and degrading an otherwise high-performing wireless LAN, or you might notice that an error rate spikes for short durations in a specific location on a regular basis, and that could suggest a nearby source of co-channel interference. This information could be very helpful for planning, as well as troubleshooting; however, you do need to keep in mind that wireless IPS agents usually do not monitor any one channel on a full-time basis. Channel statistics, therefore, tend to reflect traffic samples, a lot of them, but still samples. For example, you might see the ratio of control, management and data frames, but you should not expect to see a total frame count for any of these.

Precisely how wireless IPS agents and central servers actually analyze traffic to generate alerts is basically the secret sauce that vendors use to differentiate their products from one another. While details differ, there are actually four methods commonly used to trigger alerts. First, a wireless IPS can match observed traffic to signatures, to detect either a well-known type of attack or a common attack tool. For example, most wireless IPS systems today can spot traffic patterns associated with tools like NetStumbler, ARP replay-based key crackers, or software access points that may actually be evil twin access points. Second, a wireless IPS can inspect 802.11 and 802.1X protocols, looking for out-of-sequence or badly formatted frames. For example, most wireless IPSs can tell you when 802.11 data frames are being injected by a client that is not actively associated to your network, or when an attacker is actually sending a specially crafted frame designed to trigger an attack; an example of this would be the 802.11n Block ACK attack, which is a denial of service attack. Third, a wireless IPS can compare observed traffic to configured security, performance, and device policies. For example, most wireless IPSs can generate alerts whenever they see an ad-hoc connection form between clients. Finally, a wireless IPS may notice sudden or significant changes in traffic volume as compared to configured thresholds or past behavior. For example, attackers can send large numbers of clear-to-send control frames or deauthenticate management frames as a method of denying wireless network use by legitimate clients.

As I said, policy enforcement is one common method of alert generation. A WIPS may detect violations and respond automatically to enforce policies, but establishing those rules is really up to you. When a wireless IPS is first put into service, it will probably generate many alerts. Some tuning is usually required to disable the alerts that are of no interest to you and to refine default filters and thresholds. For example, which access points, SSIDs, and channels actually correspond to your own wireless network? For each of those SSIDs, which 802.11n security or quality-of-service methods do you expect clients to use, and how many associations do you expect each access point to support under normal circumstances? Inversely, how many would actually constitute a flood attack? In addition, you might want to refine default severities so that you can flag alerts that are of greater importance to your business, escalate unresolved alerts, and trigger automated responses. For example, warnings may simply be logged, minor alerts might be logged and forwarded as a trap, and only critical alerts might be used, maybe to trigger an SMS or an e-mail notification while simultaneously launching some kind of action, like a connectivity trace to facilitate threat assessment. While most wireless IPSs can execute these kinds of steps, your configured wireless IPS policy is what determines when, where, and how these actions occur.

Most administrators consider rogue prevention to be a top priority. Every new unknown device is a potential rogue, but a wireless IPS can actually auto-classify most discovered devices so that it can flag only those that pose a real business threat. For example, a true rogue might be an employee-installed access point that opens an unsecured back door into your wired network. Now, that is very different than a neighbor-installed access point that is not actually connected to your network. A wireless IPS should be able to tell the difference, and if it cannot permanently classify each new device, then at least it should be able to organize them into probable categories that facilitate response. Managing the business threats posed by true rogues is essential, but doing so can present challenges. First of all, a high-throughput rogue can do damage very quickly, so your wireless IPS has to be able to contain threats in real time. Second, a rogue might be a mobile device that moves and disappears, so your wireless IPS must be able to investigate the incident when it occurs. Finally, it can be hard to reliably differentiate between neighbors and attackers in congested areas based simply on signal strength. For this reason, a good wireless IPS must consider other criteria, like network connectivity and deviation from your defined policies and practices. Today, all wireless IPSs provide manual and/or automated tools to disable a rogue's ability to communicate with your network or your users. For example, a WIPS may disable a nearby Ethernet switch port to actually close down that rogue's back door; it may also flood a rogue with deauthenticate frames intended to prevent useful communication. Another method is actually just to connect to a rogue and keep it very busy so that it cannot do much of anything else.

Once you have contained a rogue, permanent remediation usually does require finding that device. Here again, a wireless IPS will come in handy, whether you are looking for a legitimate user or an unknown access point. Locationing varies widely in wireless IPS products, but there are several common methods. Nearest agent is the simplest to understand, and it is also the least accurate. In this method, the received signal strength reported by each agent gives you a rough idea of proximity. Triangulation combines reports from three or more agents to identify the intersection between them; this method yields a smaller, more reliable search area. RF fingerprinting does one better by comparing baseline readings taken from many agents to the readings currently reported by each access point in order to predict a device's location. Finally, site calibration uses previously generated readings to create a very detailed RF map of the area that can be used to narrow down a device's location to about four feet. As you can see, accuracy increases with the number of past and current observations. In fact, some wireless IPSs can combine access point scans with dedicated sensor reports, and sometimes even RFID readings, delivering a highly accurate plot of where the intruder is now located, and where it was when the alert was first generated. Estimating a wireless IPS alert subject's physical location is just one investigative tool.

Today, most wireless IPSs provide a rich toolbox for investigation, initiated from a central site, using agents for remote observation or action. For example, you might start by using a wireless IPS database and reports to review everything that you already know about a device or an affected location. Next, you might want to pick a remote sensor to launch a full-time packet capture that lets you watch the device more closely to see what it is really up to. You might also ask a remote sensor to issue wireless or wired commands to determine whether a device that you are watching is really connected to your company's network. Finally, when troubleshooting a performance or operational problem, it can also be handy to ask a remote sensor to execute diagnostic tools like ping and traceroute. These remote tools cannot actually eliminate the need for on-site staff, but they can help you gather more timely evidence and decide which alerts actually warrant on-site investigation.

Every wireless IPS maintains a database of devices and alerts that serves as a wonderful foundation for wireless history and compliance reporting. Most products include some canned reports; for example, security threat or configuration vulnerability summaries will identify the most frequent alerts over a given period of time, possibly broken down by site or device. No-wireless policy enforcement and rogue reports are also very common. Today, most wireless IPS servers can also generate canned compliance reports. These reports are designed to show if and how your wireless activity deviates from industry regulations that govern activity, like PCI and HIPAA, letting you and your security auditors usually spot problem areas that require remedial attention. These are just a few of many reports that a wireless IPS might be able to generate. You may also be able to extract records from the database to create your own custom reports.

Now that we have seen what a wireless IPS can do, let us consider how it fits into your overall wireless LAN security management and monitoring plan. Site survey tools are used to plot authorized access point and sensor locations, and perhaps to document initial device inventory, but thereafter, your wireless IPS will actually monitor your airwaves full-time, and it will detect and classify any differences. You may require that access points and clients use authentication and encryption to secure data sent over the air, but by watching that traffic, your wireless IPS can warn you if and when those policies are violated. As an independent observer, your wireless IPS can provide a check and balance, verifying that the service and security needs you have expressed have actually been satisfied. While network troubleshooting and investigation usually do require the detailed drill-down perspective that is provided by mobile handheld tools like LAN analyzers, a wireless IPS can provide a longer or a broader perspective. Also, firewalls and network intrusion detection systems are still required to deflect attacks and assert policy on traffic that actually enters into your wired network. A wireless IPS can complement that by providing a first line of defense that filters out inappropriate and malicious traffic while it is still in the air.

At the outset of this webcast, I said that a wireless IPS lets you regain visibility and assert control over the airwaves. To me, operating an enterprise wireless LAN without a wireless IPS is like driving a car without being able to see or control where you are going. Companies that do not use a wireless IPS are not immune to wireless intrusions; they just do not know when that happens. They also lack the ability to respond to and remediate those incidents effectively. To learn more about using the wireless IPS capabilities that we discussed, please consult our Wireless Security Lunchtime Learning tips. There, you are going to find advice on using a wireless IPS to fight wireless denial of service attacks, use rogue containment methods to block attackers, use wireless IPSs to monitor and tune the performance of your network, and also tips on selecting the right wireless IPS architecture. In closing, we would like to thank you for listening to this series, and do not forget to take our security school's final exam, where you will exercise the lessons that you learned by solving 10 hypothetical wireless LAN security problems.

Carolyn Gibney: All right. Great presentation, Lisa, thank you. This brings us to the end of today's video presentation. Once again, we would like to thank Lisa Phifer, of Core Competence, for joining us. For more information on WIPS, as Lisa mentioned, you can read her exclusive companion tip on fighting wireless denial of service attacks. All those tips and the other great learning materials in our Wireless Lunchtime Learning Security School can be found at SearchSecurity.com/WirelessLunchtimeLearning. A final thank you to all our listeners for joining us today. I am Carolyn Gibney. Have a great day.
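The device-classification criteria (channel, MAC inventory, wired connectivity trace, signal strength at every agent, SSID) and the threshold-based flood alerting that Lisa describes, as an added illustration in Python written for this page, not code from the presentation or from any WIPS product; the policy values, MAC addresses, SSIDs and sensor ids are constructed:

```python
# Added illustration, not code from the presentation or any WIPS product: a toy
# WIPS server that applies the classification criteria and threshold alerting
# described in the talk to constructed sensor reports. All MACs, SSIDs and
# sensor ids are made up.
from collections import Counter
from dataclasses import dataclass

# Assumed local policy (constructed values): what a tuned WIPS would be told
# about your own network before it can separate assets, neighbors and rogues.
POLICY = {
    "authorized_aps": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "authorized_ssids": {"corp-wlan"},
    "authorized_channels": {1, 6, 11, 36, 40},
    "neighbor_rssi_dbm": -80,   # weaker than this at every sensor: probably next door
    "deauth_per_window": 50,    # deauth frames per sensor scan window before alerting
}

@dataclass
class ApObservation:
    bssid: str
    ssid: str
    channel: int
    rssi_by_sensor: dict        # sensor id -> strongest RSSI (dBm) that sensor heard
    wired_seen: bool = False    # a sensor's connectivity trace reached our own subnet

def classify_ap(obs: ApObservation, policy=POLICY) -> str:
    """Classify one discovered AP as authorized, rogue, suspect or neighbor."""
    if obs.bssid in policy["authorized_aps"]:
        if obs.channel not in policy["authorized_channels"]:
            return "suspect"    # our own AP on an unexpected channel: reset or misconfigured?
        return "authorized"
    if obs.wired_seen:
        return "rogue"          # unknown AP cabled to our LAN: the classic back door
    if obs.ssid in policy["authorized_ssids"]:
        return "suspect"        # unknown AP advertising our SSID: possible evil twin
    if max(obs.rssi_by_sensor.values()) < policy["neighbor_rssi_dbm"]:
        return "neighbor"       # heard faintly by every sensor: likely a neighbor's AP
    return "suspect"            # strong, unknown, not (yet) traced to our wire

def deauth_flood_alerts(frames, policy=POLICY) -> dict:
    """frames: (sensor, source MAC, subtype) tuples from one scan window.
    Returns {(sensor, source): count} for senders at or over the flood threshold."""
    counts = Counter((s, src) for s, src, sub in frames if sub == "deauth")
    return {k: n for k, n in counts.items() if n >= policy["deauth_per_window"]}

# Constructed sensor reports for the demo.
SAMPLE_APS = [
    ApObservation("00:11:22:33:44:01", "corp-wlan", 6, {"s1": -45, "s2": -60}),
    ApObservation("de:ad:be:ef:00:01", "corp-wlan", 11, {"s1": -50}),
    ApObservation("de:ad:be:ef:00:02", "linksys", 1, {"s1": -48}, wired_seen=True),
    ApObservation("de:ad:be:ef:00:03", "CoffeeShop", 6, {"s1": -88, "s2": -91}),
]
SAMPLE_FRAMES = ([("s1", "de:ad:be:ef:00:09", "deauth")] * 60
                 + [("s1", "aa:bb:cc:dd:ee:01", "deauth")] * 3
                 + [("s2", "aa:bb:cc:dd:ee:01", "data")] * 20)

def demo():
    verdicts = {o.bssid: classify_ap(o) for o in SAMPLE_APS}
    return verdicts, deauth_flood_alerts(SAMPLE_FRAMES)

if __name__ == "__main__":
    verdicts, floods = demo()
    for bssid, verdict in verdicts.items():
        print(f"{bssid}  {verdict}")
    print("deauth flood alerts:", floods)
```

The three legitimate deauth frames from the second station stay below the tuned threshold, which is the kind of filter refinement the talk says every new WIPS deployment needs.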
