Wireless intrusion detection and protection systems

Keeping your wireless network safe from attack requires vigilance—and the right software strategy.

By Daniel E. Capano November 20, 2015

Wireless intrusion detection systems (WIDS) and wireless intrusion protection systems (WIPS) are used to continuously protect a wireless network and in some cases, a wired network, from unauthorized users. There are some basic differences between the two systems. In a WIDS, a system of sensors is used to monitor the network for the intrusion of unauthorized devices, such as rogue access points. In a WIPS, the system not only detects unauthorized devices, but also takes steps to mitigate the threat by containing the device and detaching it from the wireless network.

WIDS and WIPS operate 24/7 and generally require no management or admin involvement. They guard the wireless local area network (WLAN) on a constant basis and listen to all radio traffic within the WLAN’s operating frequencies. There are many similarities between WIDS and WIPS, and most of the systems currently available fundamentally act as a WIPS because they are designed to detect and prevent wireless intrusion.

The typical WIPS has three components: a server, a management console, and a collection of distributed sensors. The WIPS server can be either hardware- or software-based. The server performs system management and configuration tasks, signature, behavior and protocol analysis, as well as radio frequency (RF) spectrum analysis to detect intrusion.

Signature analysis monitors traffic for patterns associated with known attacks, such as denial of service (DoS) and man-in-the-middle attacks. Behavior analysis looks for anomalies in message behavior such as the use of purposefully malformed management frames that allow an attacker to observe the network’s resulting behavior. This behavior may reveal flaws in security or application programming that would allow intrusion. While signature analysis looks for known attack patterns, behavioral analysis looks for anomalous patterns that could indicate a new attack. Behavioral analysis also compares historical usage metrics to anomalous traffic to indicate unusual traffic that may be an attempt to probe vulnerable systems.

Protocol analysis is used to inspect and disassemble layer-2 information—the MAC protocol data unit (MPDU)—to discover anomalies in the frame header and trailer. Protocol analysis is also used to dissect the layer 3 to 7 data contained in the frame body, which contains the payload. This is referred to as the MAC service data unit (MSDU). Both the MPDU and MSDU data are analyzed for spurious data that could be leveraged to compromise the security or medium arbitration functions of the system.

RF Spectrum analysis is used to monitor the frequency on which the system is operating for unwanted or damaging signals. A common DoS attack method is a transmitter continuously transmitting on the operating frequency, which can disable a Wi-Fi system. Bluetooth devices, baby monitors, and microwave ovens can be disrupted by 2.4-GHz systems. Better WIPS can do sophisticated signature analysis and identify these harmless sources of interferences and locate them for mitigation. One of the benefits of spectrum analysis is the ability to identify and locate sources of interference, whether malicious or otherwise. 

WIPS architecture types

There are three types of WIPS architecture defined as of this writing:

  • Overlay
  • Integrated
  • Integration-enabled.

Overlay systems use independent and dedicated sensors to monitor the spectrum continuously on both the 2.4- and 5-GHz bands. The sensors do not provide any WLAN connectivity; instead, they operate in the background monitoring all system traffic. This approach is applicable to both independent access point (AP) systems and to controller-based systems and requires additional cost for the sensors apart from the APs needed for system communication. An overlay system is well suited for integration into existing or older systems.

Integrated systems are typically controller-based systems employing thin or lightweight APs, which are used as WIDS/WIPS sensors, as well as providing their primary communication function. This function is integrated into the overall communication system regimen in that the APs function alternately as WIPS sensors and APs on a time-division basis. The AP will go into sensor mode for a set time slice in order to monitor the frequency spectra in use, called "off-channel scanning."

It is also possible to convert controller-based APs into fulltime sensors, with the loss of WLAN capabilities. While efficient and ultimately less expensive than an overlay system, time division of AP functionality can cause problems. An attacker with the knowledge that a firm is using part-time sensors can launch an attack brief enough to fall between the times the AP is scanning. Off-channel scanning also causes choppy audio in voice over Internet Protocol (VOIP) systems for reasons that should be obvious. Finally, when containing an intruder or rogue device, an AP will be occupied with that task until the intruder is removed, during which time it cannot provide WLAN connectivity.

Integration-enabled architecture describes a WIPS system that uses controller-based APs as dedicated full-time sensors in addition to dedicated APs used exclusively for WLAN functions. This differs from integrated systems in that functionality is strictly enforced; an AP provides WLAN connectivity, while an AP sensor provides monitoring and mitigation. Each type of AP is dedicated to a specific functionality. 

Authorized devices and rogue containment

Sensor quantity and placement varies by vendor, but an accepted rule of thumb is one sensor to every five APs. Sensors should not be placed in a straight line across the facility, but t rather in a staggered fashion and close to the perimeter in order to enhance triangulation internally and intruder detection externally. Highly secured sites will use a 1:1 ratio of sensors to APs and utilize a much denser placement. As with all deployments, a thorough professional site survey is highly recommended. The survey will identify existing WLANs, sources of interference, and even the presence of rogue or unauthorized WLAN devices.

WLAN devices fall into four basic groups. Authorized devices are those devices that have been authenticated as valid clients through the access security methods being used. These devices are authorized to access WLAN resources. Unauthorized devices are those devices that are not rogues, but have been detected and are not authenticated to the protected WLAN. The third class of device is a "neighbor" device. A neighbor device is a known device that is associated to a neighboring AP belonging to a nearby business or other entity. A neighbor device is most often first detected as an unauthorized device which, upon further investigation, can be manually classified as a neighbor device. A rogue device is an unauthorized device that is either deliberately interfering with the operation of the WLAN or is considered a viable threat to the network. A rogue device is either unknown or unmanaged by the system and is often an illegally wired device.

Rogue containment and mitigation are capabilities of a sophisticated WIPS. After an unauthorized device is found to be a rogue device, it is formally classified as such. The WIPS typically uses spoofed de-authentication frames to terminate the rogue device’s ability to connect to any other device. The WIPS will transmit these spoofed frames to the rogue’s MAC address and jam it. It is essential that the device is definitively determined to be a rogue device; if it is a legitimate neighbor device and your WIPS disables it, you could be in for legal problems. For wired rogue devices, the technique of port suppression using simple network management protocol (SNMP) is employed.

However, it should be understood that no intruder detection system is capable of detecting or preventing eavesdropping. Passive intrusion is a unique hazard of wireless communication. Being an unbounded medium, over-the-air data is available for reception by anyone with the proper equipment. An intruder can easily intercept wireless transmissions by simply being in range of the AP or WLAN. The best defense is using strong security. In the enterprise, strict adherence to 802.1x RSNA techniques should be followed; at the small office, home office (SOHO) level, using strong passwords is the best defense.

In either case, a strong security policy must be developed and adhered to on all levels. Remember that most security breaches are inside jobs. Most people can be persuaded or duped into exposing their network credentials. A WIPS cannot prevent or mitigate this type of breach.

Depending upon the sophistication of the WIDS/WIPS, continuous monitoring and/or intruder mitigation is available, and there are systems to fit all budgets and levels. However, the need for escalating to the sophistication and capabilities (and expense) of a WIPS should be fully considered, and a full site survey should be completed before deployment. Using a WIPS for a SOHO environment would be drastic overkill whereas in a bank, hospital, or sensitive military installation it would be considered essential. 

– Daniel E. Capano, owner and president, Diversified Technical Services Inc. of Stamford, Conn., is a certified wireless network administrator (CWNA); dcapano@sbcglobal.net. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.

ONLINE extras 

Wireless has other wireless tutorials from Capano on the following topics:

Integrating a wireless LAN into an existing wired LAN

Choosing between single and multi-channel architecture

Virtual and physical WLAN site surveys

Upcoming Webcasts has wireless webcasts, some for PDH credit.

Control Engineering has a wireless page

Author Bio: Daniel E. Capano is senior project manager, Gannett Fleming Engineers and Architects, P.C. and a Control Engineering Editorial Advisory Board member