Wireless security tools perform security analysis in sensors scattered throughout a wireless LAN or in a central server, but both options have drawbacks.
With a server-centric approach, raw data is backhauled from individual sensors to a server, where advanced analysis, such as multi-sensor correlation, is performed. However, data from thousands of sensors, each requiring multiple megabits per second of backhaul, can overwhelm a network and require large amounts of processing power on the server, making this type of solution difficult to scale.
A sensor-centric approach, in which the bulk of an analysis is performed by sensors, makes more efficient use of bandwidth because less data must be backhauled to the server and as a result is more scalable. However, this approach calls for sensors that require more processing power and memory, making this approach more expensive in large deployments. Coverage overlap can cause neighboring sensors to transmit unneeded duplicate information to a server, and this approach is unable to detect certain types of attacks, such as media access control address spoofing, that require multi-sensor correlation.
A blended approach to radio frequency security, split-analysis, avoids the problems of server- and sensor-centric solutions. Split-analysis combines intelligent, purpose-built sensors for first-stage analysis with a server that handles sophisticated data analysis and anomaly detection. Distributing intelligence in this way can improve detection accuracy, system scalability and administrative simplicity. To maximize security effectiveness, it’s important to understand which aspects of the analysis are best done by sensors and which are best done on a server.
By splitting the analysis, sensors need to perform only generic tasks that are not specific to any particular attack or vulnerability. For example, sensors can monitor all incoming WLAN activity and extract information such as Service Set Identifiers or addresses from the headers of 802.11, Extensible Authentication Protocol, IP and UDP/TDP packets. Because 802.11 communications are very chatty, duplicate traffic is identified and compressed at the sensor before getting backhauled, saving lots of bandwidth.
Sensors also can collect meta-information on channels, Received Signal Strength Indication, noise and more, as well as compress and encrypt data. The entire process reduces the amount of bandwidth required to communicate with a server to 1K to 3K bit/sec. Thus, utilizing a split-analysis approach, a backhaul network can scale to correlate WLAN surveillance and analysis information from thousands of remotely deployed sensors. Because sensors perform only a partial analysis, they can run on low-cost hardware akin to the thinnest access point.
With split-analysis, a server aggregates data generated by thousands of sensors, correlates data where two sensors have overlapping coverage, and identifies security and performance anomalies by using sophisticated anomaly-detection algorithms that look at the traffic to see whether it corresponds to a particular attack or vulnerability.
The server also archives data in a real-time database that maintains a record of the WLAN’s state; the detection algorithms use this database extensively. Finally, the server generates alerts and data containing detailed statistics, thus enabling an IT department to take appropriate and immediate action.
A split-analysis solution for wireless intrusion-detection systems (IDS) makes it easy for IT to keep up with rapidly changing threats by simply updating new alerts onto the server. There is no need to update firmware on remote sensors, because they perform only generic tasks. As a result, a split-analysis approach is considerably easier to administer.
For wireless IDS, split-analysis offers the best of both worlds. Intelligent thin sensors offload analysis from the server and consume little backhaul bandwidth, offering the highest scalability. Multi-sensor correlation and a real-time network-state database offer high detection accuracy by eliminating false positives and enabling advanced alert notification. By distributing intelligence across systems, this approach to wireless security minimizes resource bottlenecks and enables high-performance, low-cost wireless intrusion-detection prevention and analysis.
