Wireless IPS Buyer's Guide
May 03, 2012
These are the questions to ask when selecting a WIPS to rapidly and reliably detect, classify, locate, and react to incidents that impede WLAN security, performance, and operation.
Use case and deployment requirements
Given this understanding, it's time to identify your own business needs and how a WIPS might be helpful. In its July 2011 MarketScope for Wireless LAN Intrusion Prevention Systems, Gartner identified four common WIPS use cases:
- Reactive detection and investigation of malicious Wi-Fi traffic, such as Evil Twin, man-in-the-middle attacks, and denial of service (DoS) attacks.
- Proactive vulnerability management to stop intruders from exploiting misconfigured APs and weakly-defended consumer-grade end user devices.
- Overall WLAN operation and health monitoring to ensure service availability and quality of service required by mobile business users and applications.
- No-wireless-zone enforcement in selected areas of schools, government agencies, or other facilities worried about unapproved voice/video relay over Wi-Fi.
- Deployment model: Most dedicated WIPS are designed for on-premises server deployment in a data center, but a few are also delivered as a cloud service. The latter can be attractive to SMBs and to businesses with many small branch offices (e.g., retail).
- Heterogeneity: Integrated WIPS products may or may not be able to monitor other vendors' APs. Dedicated WIPS products cater to heterogeneous WLANs, but not all of them can use your existing APs as sensors or understand unusual RF architectures (e.g., Meru's single-channel design).
After you have established your own use case requirements and WIPS short-list, drill down into individual WIPS capabilities and features. Here are some questions to consider when reviewing spec sheets and consulting with prospective vendors:
- RF monitoring: Every WIPS can scan the RF bands used by 802.11, but look closely at which channels are actually scanned. For example, can the WIPS detect rogues hiding on channels not approved for use in your country, or non-Wi-Fi interferers? Ask each vendor how many sensors or converted APs you will need to monitor and respond to incidents at each site, and how much wired bandwidth the WIPS itself will consume.
- Classification: Every WIPS tries to differentiate between friend and foe, but may need manual help or WLAN integration to do so. Furthermore, results may not be accurate enough to permit automated threat remediation. Beware of labor-intensive ACL maintenance, auto-classification blind spots, ambiguities or latencies, high false positive and negative alert rates, and inability to adapt to new or custom threats.
- Locationing: Every WIPS should be able to plot AP and client locations on a floor map, helping you visualize where an intruder was at the time of the event and perhaps track movement thereafter. However, accuracy varies greatly by product and by the number of observation points (sensors and APs). Options to improve accuracy may well be available, at added cost. Look for time-saving integration with WLAN planning and mobile tools, and for the ability to use device location in policies.
- Forensics: A good WIPS should do more than alert you to problems. It must deliver actionable insight to facilitate fast, efficient resolution. Like wired IPS, a WIPS can collect volumes of raw data that is useless without analysis and context. Ask vendors to demonstrate how important incidents and troubles are investigated; watch for efficiency aids such as wizards, context-sensitive help, and remote diagnostic tools.
- Remediation: Many WIPS are actually deployed in "WIDS" mode; that is, generating alerts to be investigated and resolved by humans. But a WIPS must be capable of taking policy-driven stop-loss actions, such as wireless connection blocking, wired port disablement, and perhaps triggering network or endpoint-based access controls. Beware of remediation features that your business would not be able to use because of unreliable classification or organizational boundaries. Look for techniques that enable as-needed "surgical strikes," and ask about effectiveness and side effects given your network's topology and device mix.
- Rogue investigation: Given the high degree of interest in defending against this threat, WIPS vendors have developed patented methods to trace a rogue's wired connectivity, improve classification, and help remote staff physically locate it. Beware of classification barriers such as NAT, VLANs, and rogues that encrypt their traffic. Ask how neighbors and guests can be kept from triggering rogue alerts.
- Attack surveillance: Today, malicious intruders are more likely to prey upon unusual or unmanaged bring-your-own devices, or take advantage of alternatives like mobile hotspots and virtual APs to circumvent wired network security measures. Ask vendors to describe how they have adapted their WIPS to address these new needs.
- Policy enforcement: The ability to detect misconfigured devices can facilitate regulatory compliance, proper WLAN deployment, and help IT root out cranky consumer Wi-Fi devices. Look for WIPS features that help you spot and remedy deviations from policy; this may even include spotting risky user behavior offsite.
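To make the classification, rogue-on-wire, off-channel and policy questions above concrete, here is a small rule-based classifier of the kind a WIPS runs over every sensor sweep. It is an added example written for this guide, not code from the article or from any WIPS vendor. The authorized-AP inventory, the regulatory channel set, the cleared-neighbor list, the wired MAC table and the scan results are all constructed, and the "BSSID adjacent to a wired MAC" rogue-on-wire heuristic is one assumed technique among several that products use.

```python
"""Rule-based friend/foe classification of observed Wi-Fi access points.

Added illustration for this buyer's guide; not from the article or any
vendor. All tables and scan results below are constructed.
"""
from dataclasses import dataclass

# Channels assumed legal in the deployment's regulatory domain (a US-style
# 2.4/5 GHz set here; substitute your country's list). Anything else is a
# place a rogue could sit hoping no client or sensor ever looks there.
ALLOWED_CHANNELS = set(range(1, 12)) | {
    36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116,
    120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165,
}
# Assumed inventory: BSSID -> (SSID it may advertise, required security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "wpa2"),
    "00:11:22:33:44:02": ("CorpNet", "wpa2"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
# BSSIDs a human cleared as neighbors after an earlier investigation.
KNOWN_NEIGHBORS = {"aa:bb:cc:00:00:01"}
# MAC addresses learned on our wired switch ports (e.g. a CAM table export).
WIRED_MACS = {"de:ad:be:ef:00:10", "00:11:22:33:44:00"}


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str  # "open", "wep", "wpa2", "wpa3"


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def wired_adjacent(bssid, wired_macs, radius=2):
    """Assumed rogue-on-wire heuristic: consumer APs usually derive the radio
    BSSID from the wired MAC by bumping the low bytes, so a BSSID within a few
    values of a MAC seen on a switch port suggests the radio is bridged to us."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= radius for m in wired_macs)


def classify(obs, authorized=AUTHORIZED, neighbors=KNOWN_NEIGHBORS, wired=WIRED_MACS):
    """Return (category, findings). Categories: authorized, evil_twin,
    rogue_on_wire, neighbor, unclassified."""
    findings = []
    if obs.channel not in ALLOWED_CHANNELS:
        findings.append(f"channel {obs.channel} not allowed in this regulatory domain")
    if obs.bssid in authorized:
        ssid, security = authorized[obs.bssid]
        if obs.ssid != ssid:
            findings.append(f"authorized AP advertising unexpected SSID {obs.ssid!r}")
        if obs.security != security:  # policy enforcement: misconfigured own AP
            findings.append(f"misconfigured: expected {security}, saw {obs.security}")
        return "authorized", findings
    if obs.ssid in CORPORATE_SSIDS:  # our SSID from a BSSID we do not own
        findings.append("corporate SSID advertised by unknown BSSID")
        return "evil_twin", findings
    if wired_adjacent(obs.bssid, wired):
        findings.append("BSSID adjacent to a MAC seen on our wired network")
        return "rogue_on_wire", findings
    if obs.bssid in neighbors:
        return "neighbor", findings
    return "unclassified", findings  # needs a human or more evidence


def alerts(observations):
    """Only what warrants attention: drop known neighbors and clean authorized
    APs, so the coffee shop next door does not flood the console."""
    out = []
    for obs in observations:
        category, findings = classify(obs)
        if category == "neighbor" or (category == "authorized" and not findings):
            continue
        out.append((obs.bssid, category, findings))
    return out


# Constructed scan results from one sensor sweep.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "CorpNet", 6, "wpa2"),   # healthy
    Observation("00:11:22:33:44:02", "CorpNet", 11, "wep"),   # misconfigured
    Observation("aa:bb:cc:dd:ee:ff", "CorpNet", 6, "open"),   # evil twin
    Observation("de:ad:be:ef:00:11", "linksys", 1, "open"),   # rogue on wire
    Observation("12:34:56:78:9a:bc", "", 13, "wpa2"),         # off-domain channel
    Observation("aa:bb:cc:00:00:01", "CafeWiFi", 1, "wpa2"),  # cleared neighbor
]

if __name__ == "__main__":
    for bssid, category, findings in alerts(SAMPLE_SCAN):
        print(bssid, category, "; ".join(findings))
```

The point of the example is the shape of the decision, not the specific rules: an inventory makes "authorized" a positive determination rather than an absence of alarms, the evil-twin and wired-adjacency checks are what separate a real rogue from the unknown AP across the street, and the neighbor allowlist is the labor-intensive ACL the classification section warns about. Ask a vendor which of these steps are automated, which still depend on a human clearing entries, and how confident the result has to be before any automatic remediation fires.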