If your lot in life — your IT life, that is — centres on security, you may be many things, but bored and unchallenged are not among them. It is a given that security is an essential element of virtually every component of IT. If only it were equally true that detailed knowledge acquired in one area of security could easily be applied in others.
Although many network managers have spent recent years implementing intrusion-prevention system (IPS) solutions to harden their wired networks, it is only recently that vendors have begun delivering products to help deal with space invaders — intrusion threats carried out over wireless LANs (WLAN).
And, although the attackers’ goals are the same, the nature of WLANs means radically different approaches are required to protect those LANs.
To make an effective decision for wireless IPS you need to understand the challenges and solutions.
Compared with the job that wireless IPSs have to handle, their wired brethren have it easy. Wired IPS devices intercept traffic as it attempts to cross the perimeter of the network. There is no question about where the intrusion attempt originated. The IPS knows exactly which port the traffic came in on. Similarly, stopping the intrusion is simply a matter of filtering out the traffic deemed to be a threat.
A key enabler of WLAN intrusion is the rogue access point. This is a normal access point that has been plugged into the network by someone other than the IT department. Once in place, not only can unauthorized WLAN devices inside the company interact with the corporate LAN, but so can other WLAN devices within signal range outside the company.
Thus, rooting out rogue access points is typically Job No. 1 for most wireless IPSs.
A recent study revealed that the ability of a wireless IPS to detect rogues is influenced by whether they are on the same or different virtual LANs as the wireless IPS, whether Wired Equivalent Privacy is on or off, and a host of other factors. Rogue access point detection is not just a yes- or no- item on a checklist.
Once rogue access points are detected, it is a challenge to isolate and remove clients because the wireless IPS is not in the physical data path of the access point.
The wireless IPS typically has to send the equivalent of reset commands to attempt to disconnect the intruding users of the rogue access point from the network.
Access points connected outside the corporate environment can represent an equally potent risk.
Should a legitimate corporate client “mis-associate” with an access point outside the corporate network, the wireless IPS needs to spring into action.
This situation points to the need for a wireless IPS even if you haven’t implemented WLANs internally, because all of your new notebooks have built-in wireless.
–Tolly is president of The Tolly Group, a strategic consulting and independent testing company in Boca Raton, Fla. He can be reached at firstname.lastname@example.org.