Review: Wireless Intrusion-Detection/Prevention Systems
It's two years since the IEEE ratified 802.11i, slightly less since the Wi-Fi Alliance introduced the WPA2 certification. And still, insecurity over security is hindering wireless LAN deployments--security concerns nearly tied with cost as the No. 1 barrier to adoption in our reader poll for this article; lack of a clear business justification came in third.
Not surprisingly, wireless security vendors are working hard to put enterprise IT's mind at rest. The trick is, they must address two parts of the WLAN security conundrum: infrastructure, which concerns authentication, privacy using encryption and integrity; and monitoring, which requires detection and protection, not only from attackers using wireless clients and rogue access points, but from internal factors that degrade wireless network performance.
Mainstream wireless infrastructure vendors, including Aruba Networks, Cisco Systems, Meru Networks, Symbol Technologies and Trapeze Networks, are doing a good job implementing 802.11i. Many have obtained WPA2 certifications to verify that 802.11i capabilities, including 802.1X-based authentication, CBC-MAC (Cipher Block Chaining Message Authentication Code) integrity checking and AES-CCMP (AES-Counter Mode CBC-MAC Protocol) encryption, are keeping wireless traffic moving securely from client to AP or centralized controller, then on to the wired infrastructure. But mainstream vendors' offerings are less adept at identifying attacks; locating and containing rogue wireless devices; monitoring airspace for performance anomalies; and performing traffic-usage trending, remote troubleshooting and out-of-band auditing of the wireless infrastructure. For this level of enforcement, you need specialized monitoring tools.
When we first reviewed these fast-evolving monitoring products two years ago, in "Watching the Waves", we called them distributed wireless security monitors. Last year, in "Time To Tighten the Wireless Net", we went with wireless intrusion-detection systems. This year, these devices have matured enough to earn the moniker WIDPS--wireless intrusion-detection and -prevention systems.
For this WIDPS market analysis and review, we invited conventional wireless IDS/IPS players as well as WLAN infrastructure vendors that have developed their own WIDPS functionality or teamed with partners, plus wireless infrastructure management and packet-analysis vendors. We also issued three deployment scenarios to compare pricing in different-size environments. In the end, our tests included solutions from AirDefense, AirMagnet, Highwall Technologies and Network Chemistry. AirMagnet has won our Editor's Choice in this space two years running. Would we have a three-peat? For our participation requirements and test plan, see "NWC Report: WIDPSs", and check out our full review.
Small Is Beautiful?
Most WIDPS vendors we talked with for this article understand that remaining pure-play will limit their growth potential--this market is so niche, even analyst firms that track the number of KVMs sold in Africa don't have sales figures for it. Gartner calls the WLAN IPS market embryonic. Call us skeptics, but we'll be surprised if pure-play WIDPS vendors ever move beyond single-digit penetration of the overall enterprise Wi-Fi market.
There are a few reasons for this sluggish uptake. These systems are not inexpensive; pricing in our mid-range testing scenario--a campus deployment with 15 one-to-three story buildings, each with five APs and a recommended four sensors--ranged from $65,665 to $113,099.
Not surprisingly, security-conscious and regulation-minded companies have thus far represented the bulk of those investing the resources to deploy an overlay. Most organizations that maintain--and actively enforce--no-wireless policies have seen little need for sophisticated performance and security-policy monitoring. They're happy with simpler point products that identify and locate rogues and wireless clients, a market that companies like Highwall Technologies and WiMetrics have targeted (see "Over the Wire").
As enterprise wireless infrastructure products mature, they've added features and functionality, including basic WIDPS capabilities, which raises the question: Why invest in a specialized overlay? Finally, some infrastructure vendors have modularized their wireless IDS features and offer them as separate add-ons. Meru Networks is doing this with its Security Services Module, for example, and Aruba offers its Wireless Intrusion Protection module.
Heck, we're sold on the strengths of WIDPS devices, and here we've almost talked ourselves out of wanting one. Fortunately for their sales teams, WIDPS makers recognize that deploying a separate system of sensors to monitor the air is not an easy sell; in response, they're diversifying and adding value by building applications on top of those sensors. These apps fall along four major lines: regulatory compliance reporting, site planning, survey and verification, location tracking, and location-based access control.
IT groups subject to GLBA (Gramm-Leach Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley) and other regulations and looking for an automated way to prove to auditors that their WLANs are in compliance should take note: Today's WIDPS products offer a host of descriptive regulatory reports that can be generated and e-mailed automatically. WIDPSs also address site plans and surveys.
AirMagnet's Survey product, an add-on to AirMagnet Enterprise, not only generates static "heat" maps showing predicted coverage and link rates based on sampled readings, it can recommend where sensors should be placed for best coverage, monitoring or rogue mitigation, depending on your priorities. AirTight's SpectraGuard Planner does WLAN planning for coverage and security, providing many of the same functions as AirMagnet Survey but with superior performance on sensor placement planning.
AirDefense recently announced a new entry, Architect, based on Motorola's LANPlanner, which Motorola obtained via its Wireless Valley acquisition. AirDefense's other product, Survey, can generate live heat maps from its sensors.
All the WIDPS products we evaluated offer location-tracking capabilities, but none is specialized enough to handle the daily tracking of items or people, something that Cisco's Location Appliance offers. Location-tracking systems require an authentication system and GUI designed for general-use access, APIs into inventory and other back-end apps, and internal capabilities to scale to hundreds or thousands of objects. Newbury Networks, which declined to participate in our review, recently de-emphasized its wireless IDS product, WiFi Watchdog, and is now marketing it within a broader line of location-based applications that ride on top of its Presence Platform. We expect other WIDPS vendors to enhance their location capabilities and interfaces to make use of their installed sensor bases, a smart move. See our online slideshow for samples of our location results, and "Tools Rule for WLAN Plans" for more on using these products.
Finally, location-based access control has long been offered by Newbury, but other vendors are also considering similar capabilities. Sophisticated access control is an obvious way to keep outside devices from connecting to the internal wireless network and restrict access to sensitive network resources from public areas, but the number of sensors needed and complicated implementation currently restrict this functionality to the most security-conscious environments.
Two additional value-adds remain for WIDPS vendors: standalone tools and client-side protection. Standalone offerings include, for example, the laptop-based Bluetooth scanners offered by AirDefense, AirMagnet and Network Chemistry (see our review of wireless analyzers). Most vendors are giving Bluetooth tools away or bundling them with larger systems. Take advantage of this windfall--enterprises haven't given Bluetooth much attention, even though executives and sales managers would cringe if the competition got hold of the PIM data stored on their Bluetooth-enabled smartphones.
Other standalone offerings include laptop versions of enterprise or distributed products; AirMagnet entered the wireless security space with its Laptop Analyzer, but AirDefense and Network Chemistry didn't add those products until their distributed offerings were launched.
Then there's the client-side piece. The proliferation of laptops and availability of Wi-Fi hotspots and 2.5/3G cellular data services mean more professionals enjoy remote network access than ever before; Forrester reports that in 2005, 52 percent of companies provided laptops to one in four end users, up from 44 percent in 2004.
Corporate IT departments have done a good job requiring antivirus software, pop-up blockers and host-based firewalls, but implementation of wireless policies is spotty.
It doesn't have to be that way. All WIDPS market leaders except AirMagnet offer client-side software that will enforce centrally controlled policies regarding which APs the client can associate to, limit use of ad hoc clients, prevent bridging and more. Capabilities vary widely, and integration into enterprise desktop-management systems is almost nonexistent; nevertheless, these features help WIDPSs extend their touch from just main headquarters to every laptop in the organization (see our take on securing mobile devices against wireless threats).
Beach Blanket Bingo
Mainstream wireless infrastructure vendors publicly claim to go it alone with regard to WIDPS, but in reality, all have teamed up at one time or another. AirDefense has relationships with Symbol and Trapeze, while Aruba and Xirrus team with AirMagnet (Xirrus also works with Network Chemistry). Colubris and Siemens (and by extension Extreme) work with AirTight. BlueSocket has linked up with Highwall and Network Chemistry. Keeping track of these dynamic relationships is like following the love lives of Hollywood stars. The only constant is that no man, or infrastructure player, is an island.
Even Cisco cooperated with many WIDPS vendors in the early days, when it had only standalone APs. In fact, before its purchase of Airespace last year, almost every WIDPS vendor was working to both push and pull data from Cisco's WLSE distributed AP management appliance. Information on authorized APs and clients was pulled in and used to properly set state on the WIDPS, and data about rogue APs were pushed to the WLSE for wire-side containment. On the Cisco AP side, a special mode was designed so that a constant stream of wireless data was sent back to the WIDPS management system for inspection and evaluation. For large enterprises that had standardized on Cisco APs, this was an easy way to have a single vendor in the field while maintaining flexibility in the data center.
That was then, this is now. The acquired Airespace product had a reasonably well-developed wireless IDS feature set that exceeded what was in Cisco's WLSE, and Cisco's relationships with third-party WIDPS vendors have gone cold. The only remaining WIDPS maker in the Cisco Technology Developer Program is AirTight.
Today, Cisco offers its original line of products, the autonomous APs, and the distributed gear purchased from Airespace, as discussed in "Cisco's Unified Wireless Network". The original line is as weak as ever for WIDPS, but now there are no official partners, though functionality that worked in the past should still be available. Cisco customers who want more sophisticated WIDPS features will need to upgrade to Cisco's Unified Wireless gear, which the company has promised to enhance.
We'd like to see Cisco change its position and embrace WIDPS partners again. In an interview, representatives said that the company plans to offer a more holistic, unified approach that addresses the wireless and wired infrastructure. They also claim that advances in wireless security and the work of IEEE's TGw (Task Group w), which will secure management frames through WFP (wireless frame protection), should make concerns moot. Furthermore, they contend that most attacks are on-channel and short and bursty in nature, and added that location services are "only a curiosity"... a factor that would seem to limit the market for its Location Appliance.
We'll buy the on-channel claim: Attacks against the infrastructure must indeed occur on channel. But that doesn't take into account client misassociations and ad hoc networks that may be formed on other channels, not to mention rogue APs. Even if Cisco APs cycle through channels regularly while providing service, they won't find problems as quickly as systems that assign a sensor to scan constantly, nor will they be as effective as a radio that can perform mitigation without having to serve wireless clients. If Cisco's APs could do both well, its Department of Defense customers wouldn't be buying WIDPS systems.
Cisco's vague claims that it will take a holistic approach to IDS/IPS between its wireless and wireline offerings suggest a few possibilities for future plans. It may seek to do rogue AP identification on the wire, to sort out those that are on the network from those that are off it. The other option is that Cisco will work to identify wire-side attacks, where wireless attackers already have found a way in.
Bottom line, because most businesses aren't willing to pay for a separate WIDPS infrastructure, Cisco's solution need only be "good enough" to satisfy the majority of its installed base. But we see the company isolating its more security-conscious customers by going it alone in the WIDPS market.
Eyes on the Prize
Don't get hung up on the ability of various wireless security systems to accurately identify myriad attacks. In our review we placed more emphasis on alarm/alert management, policy configuration, containment and location capabilities than on whether Vendor X could identify Attack Y. We recommend you do the same in your purchasing decisions--this aspect of WIDPS is relatively mature. Besides being a numbers game, in our experience, signature-based identification is only as good as vendors' attack tools. The WIDPS industry should follow Snort's lead, make signatures transparent, and focus on alarm management, presentation and response.
Open-source attacks are readily identified by all involved, but it's a coin toss as to whether one vendor's internally developed attack signatures will be picked up by other vendors' systems. An attack tool Vendor A developed to test its own product may not be identified by Vendor B's equipment--not because Vendor B hasn't written an alarm or rule to identify the attack, but because the signatures are not generic. For example, in our last look at this space, WLAN security researcher Joshua Wright (now associated with Aruba Networks) developed variations of standard attacks that fragmented packets in peculiar ways. We found that these attacks got through the devices undetected (see image).
Frank Bulk is a contributing editor to Network Computing. He works for a telecommunications company based in the Midwest. Write to him at [email protected].
Can Aruba Do It All?
Readers who took part in our poll said it loud and clear: They want one infrastructure to provide secure wireless connectivity and protect it, too. In our previous testing of enterprise WLANs we found that Aruba Networks stood head and shoulders above the crowd in this area. Aruba has made security a key facet of its product set, from its centralized encryption to its integrated stateful firewall and Wireless Intrusion Protection module.
However, using a radio to both service clients and provide wireless monitoring is tricky at best. A radio can be on only one of the 51 wireless channels at a time; even if you reduce scans to the dozen most commonly used channels, a busy wireless network will make it difficult to spend any reasonable amount of time looking for rogue devices. (For a list of the available 51 channels, and which WIDPSs cover each, click here.)
Proper containment of rogue APs, clients or accidental associations will consume resources, preventing the enterprise AP from properly servicing associated clients. For these reasons, Aruba recommends installation of Air Monitors, which are essentially APs in sensor-only mode. They needn't be installed one-for-one with the regular APs, but should be installed in a manner similar to overlay sensors. Aruba customers can maintain only one set of wireless hardware, and one management console and still gain higher-level insight into the overall state of network security because the Aruba infrastructure sees decrypted packets entering the wired network from its APs.
Aruba claims all the same features as overlay providers: rogue AP prevention, denial-of-service and MITM (man-in-the-middle) attack detection, containment, and configuration policy monitoring. And because location features are becoming a standard element of wireless infrastructure systems, the infrastructure vendors, too, can locate rogue APs. Aruba falls slightly short on wire-side port tracing and termination, detailed forensic history and regulatory compliance reporting. Those limitations, however, haven't prevented a number of federal government and military installations from using Aruba's Wireless Intrusion Protection module, with several more deals in the works, according to a company representative. Microsoft, too, deployed Aruba's product for its WIDPS capabilities.
Over the Wire
Businesses that aren't confident in their ability to deploy wireless services securely--or simply can't make the business case--like to issue stern "no wireless" policies. However, even companies with production WLANs need to keep tabs on the APs accessing their networks. In our poll for this article, 68 percent of readers said they have a WLAN policy in place or are in the process of building one. Problem is, a policy alone only serves to delay the inevitable. Sooner or later, an employee will travel to the closest electronics box store, purchase a security-free SOHO AP, and then install it in the office.
Adding teeth to a no-wireless policy is no easy task. Financial services and government entities might be able to justify installing a sensor-based overlay, but companies that couldn't make the business case for WLAN deployment will be darned if they'll spend 25 percent to 50 percent of the cost of a wireless network just to protect themselves from rogue devices.
That's where rogue AP detection comes in. WiMetrics' WiSentry AP agent runs as a service on one PC per network segment, or, if you have a lot of VLANs, an agent can listen on an 802.1Q trunked port to multiple VLANs. By passively listening to the network, WiSentry detects APs and then performs additional probing of those devices. If it finds a possible rogue, the agent reports the device's MAC and IP address to the Control Server. The WiSentry Administrator Console lets IT drill down deeper.
Network Chemistry recently announced its RFprotect Scanner, a wired-only rogue scanner. It's based on a centralized database of device fingerprints, originally seeded with data Network Chemistry collected from its Endpoint client product. The scanner comes in two versions: RogueScanner, an open-source tool with full scanning capabilities that the vendor hopes will build out the database, and a for-purchase appliance that can store the scanning results and also adds extensive reporting and automated remediation.
Regardless of the version, the product works by performing a ping sweep of the entire network to identify existing devices, after which it performs a target port/service scan. Details such as MAC address, SNMP, HTTP and telnet query results are collected and sent to Network Chemistry's database for analysis. Based on that input, the make and model of the device are returned to the customer. See "Distributed Wireless Security Monitors".
Admittedly, these wire-side products won't identify wireless ad hoc clients, or uncover accidental associations of your corporate wireless clients to neighboring APs, but they will keep rogue devices off your network.
Rogues On a Sliding Scale
Not all rogue devices are created equal. When an early WIDS found a rogue device, wireless administrators would set out on a witch hunt, aiming to burn the policy violator at the stake. Inevitably though, the device would disappear along with the Sears service truck, or a walk-around would lead to the tenant a floor above.
The lesson: Not all unknown access points are rogues. Some are transients or neighbors, harmless as long as your clients don't associate with them. True rogues--unauthorized devices attached to your network or within your perimeter--can be further subdivided into three threat levels: active, passive and on-location. Active rogues have an associated client communicating with the wired network. For example, an employee attaches a SOHO AP to his network jack and associates his laptop's built-in wireless card to that AP.
Passive rogues have no clients attached, but could accept a client at any moment. This could be an AP that an employee plugs into a conference room port for guests with laptops. On-location rogues are unidentified APs within the boundaries of your organization that could be plugged into the network at any time and have devices associated to them. It might be just an innocent AP used for test purposes and not plugged into the network out of the testing cycle.
The WIDPS products we reviewed failed to differentiate among access points that were on-location or neighbors, but previews of AirDefense's Survey suggest such capabilities will be forthcoming. Network Chemistry's RFprotect can be configured to ignore rogue devices that are not connected to your network.
One method vendors use to identify whether an unauthorized AP is on the wired network is to send Layer 2 broadcast messages on the wired side and watch whether the AP repeats that traffic into the air. If it does, the wireless sensors pick up the traffic and the system knows which Layer 2 network the rogue is bridging.
AirDefense, AirMagnet and Network Chemistry poll network switches over SNMP to learn which MAC addresses sit behind each switch port. In the case of a wireless bridge, the MAC address of the wireless client shows up on the switch interface, so the correlation is elementary: if Wireless Client A's MAC address appears on Switch Port 10 and Client A is associated to AP X, then AP X must be on Switch Port 10. With some wireless routers, the MAC address of the WAN port is only a few bits off from the BSSID, or wireless MAC address (usually one per radio); say, a WAN address ending in :15:44:88 against a BSSID ending in :15:44:90. Again, an easy correlation.
If the rogue AP is unencrypted, a WIDPS sensor can associate with it, obtain an IP address and send a special packet to the WIDPS server. Receipt of that packet tells the server the rogue AP is on the network; if it arrived from the same Layer 2 network, the server can also identify the switch port.
If the rogue is a hop or two away, the server can harvest the router's ARP table to find the device's MAC address, or use an agent on the remote network segment to do so. What about the worst case, an encrypted wireless router whose WAN MAC address bears no relation to its BSSID? In testing we set up a Linksys WRT55AG to play exactly that role. No WIDPS could identify the specific port, though, miraculously, three did report that the rogue was somewhere on the wired network.
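The wire-side correlation described in the paragraphs above, combined with the threat-level classification from "Rogues On a Sliding Scale," as an added Python example; this is not code from any of the reviewed products. The switch CAM table (what an SNMP poll of the bridge forwarding table would return), the sensor observations, the BSSIDs, client MACs and port names are all constructed for illustration, and the "few bits off" WAN-MAC heuristic is implemented as a Hamming-distance check within a shared OUI, which is our assumption about how such a comparison would be coded.

```python
"""Rogue AP wire-side correlation and threat classification (added example)."""
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac: str) -> str:
    """First three octets, the vendor prefix."""
    return mac.lower()[:8]


def close_mac(a: str, b: str, max_bits: int = 4) -> bool:
    """True when two MACs share an OUI and differ in only a few low bits,
    the pattern seen between a SOHO router's WAN MAC and its BSSID.
    (Assumption: a Hamming-distance threshold models 'a few bits off'.)"""
    if oui(a) != oui(b):
        return False
    return bin(mac_to_int(a) ^ mac_to_int(b)).count("1") <= max_bits


@dataclass
class ObservedAP:
    bssid: str
    encrypted: bool
    clients: set                     # client MACs seen associated over the air
    inside_perimeter: bool           # from sensor-based location
    reflected_probe: bool = False    # wired L2 broadcast heard again on the air
    probe_packet_received: bool = False  # sensor associated (open AP) and its packet reached the server


def find_switch_port(ap: ObservedAP, cam_table: dict):
    """cam_table: {port: {mac, ...}} as learned from the switches over SNMP.
    Returns (port, method) or (None, None)."""
    # 1. Wireless bridge case: an associated client's MAC appears behind a port.
    for port, macs in cam_table.items():
        if ap.clients & {m.lower() for m in macs}:
            return port, "client-mac"
    # 2. Wireless router case: a wired MAC is only a few bits off the BSSID.
    for port, macs in cam_table.items():
        if any(close_mac(ap.bssid, m) for m in macs):
            return port, "adjacent-mac"
    return None, None


def classify(ap: ObservedAP, authorized_bssids: set, cam_table: dict):
    """Map an unknown AP to one of: authorized, active rogue, passive rogue,
    on-location, neighbor. Returns (level, switch_port_or_None)."""
    if ap.bssid.lower() in authorized_bssids:
        return "authorized", None
    port, _method = find_switch_port(ap, cam_table)
    on_wire = port is not None or ap.reflected_probe or ap.probe_packet_received
    if on_wire:
        # Active: a client is already talking to the wired network through it.
        return ("active rogue" if ap.clients else "passive rogue"), port
    if ap.inside_perimeter:
        return "on-location", None   # could be plugged in at any time
    return "neighbor", None          # harmless unless our clients associate


def run_example() -> dict:
    """Constructed data: one switch with three learned ports, six observed APs."""
    cam_table = {
        "Gi0/10": {"00:16:cb:aa:bb:cc"},   # employee laptop bridged through a rogue
        "Gi0/11": {"00:0c:41:15:44:88"},   # SOHO router WAN port; BSSID ends in :90
        "Gi0/12": {"00:1a:a0:12:34:56"},   # a printer, unrelated
    }
    authorized = {"00:0b:86:c0:ff:ee"}
    observed = [
        ObservedAP("00:14:bf:01:02:03", True, {"00:16:cb:aa:bb:cc"}, True),
        ObservedAP("00:0c:41:15:44:90", False, set(), True),
        # Worst case from the review: encrypted router, WAN MAC unrelated to BSSID;
        # only the reflected broadcast says it is on the wire, port unknown.
        ObservedAP("00:12:17:de:ad:01", True, set(), True, reflected_probe=True),
        ObservedAP("00:1c:10:77:88:99", True, set(), False),          # tenant upstairs
        ObservedAP("00:14:bf:ab:cd:ef", True, set(), True),           # lab AP, unplugged
        ObservedAP("00:0b:86:c0:ff:ee", True, {"00:16:cb:11:22:33"}, True),
    ]
    return {ap.bssid: classify(ap, authorized, cam_table) for ap in observed}


if __name__ == "__main__":
    for bssid, (level, port) in run_example().items():
        print(f"{bssid}  {level:14s}  port={port}")
```

The order of checks matters: the client-MAC correlation is tried first because it is unambiguous, the adjacent-MAC heuristic second because a shared OUI with a few differing bits can occasionally be a coincidence, and the reflected-broadcast and probe-packet evidence last because they establish only that the rogue is on the network, not where.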
Fortunately, most WIDPS vendors do a reasonable job locating rogue devices--at least within a 400 square foot area--and those same vendors usually offer a mobile system for zeroing in over the last few feet.
NWC Report: WIDPSs
To qualify for this review, products must be suitable for geographical and distributed operation over a WAN and provide:
» Wireless rogue-device detection capabilities over the air and wire
» Wireless attack or intrusion-detection and automated mitigation capabilities
» Integrated location tracking of wireless devices
» Performance and traffic monitoring capabilities
Participating Vendors:
AirDefense, AirMagnet, Highwall Technologies and Network Chemistry
Testing Scenario:
» We performed location-detection testing in a large three-story office building.
» We used several enterprise switches with multiple VLANs to test wire-side detection and blocking.
» We set up a WAN connection to simulate remote sensors.
» We set up different SOHO APs and routers--including pre devices--to test rogue discovery and containment.
Scoring Criteria
» Installation, Architecture and Design: 15 percent. This category incorporated scalability, auditing, reporting and help.
» Security Policy Monitoring and Enforcement: 40 percent. We broke this category down into Alarms and Alerts (15 percent), Rogue Device Discovery (10 percent) and Containment (15 percent).
» Configuration and Performance Policy Monitoring: 10 percent. Here we rated level of detail in performance metrics; granularity in applying configuration policies; ease of defining, working with and applying policies; and troubleshooting and packet capture tools.
» Location: 15 percent. We evaluated 11a and 11b/g location, as well as ease of setup and use.
» Sensor/Probe Design and Implementation: 5 percent. This category rated channel and PoE support, link utilization and coverage area.
» Cost of Ownership: 15 percent. Results were based on three pricing scenarios.
Results
Network Chemistry eked out a first-place finish due primarily to its consistent performance in our security policy monitoring and enforcement tests, as well as its reasonable cost. AirDefense, in contrast, was hurt by its pricing, which was highest across all three scenarios. AirDefense and AirMagnet effectively tied for second, but showed different strengths. AirMagnet stumbled with some location tests, and we had minor issues with the capabilities and performance of its sensor. Still, our top three had the tightest point spread we've seen in a while. Highwall's product was unique enough that it didn't place well in testing, but for the right deployment it could be a fit. It scored well in device location, and its pricing was lowest in two of our three scenarios.
E-Poll Results
- What kind of IDS/IPS does your organization have in place?
- Does your organization have a clearly defined policy for the deployment and use of wireless APs and gateways inside your organization?
- How important are the following WLAN security threats?
- How big a barrier are the following factors to WLAN infrastructure adoption?