Wireless IPS Buyer's Guide
May 03, 2012
These are the questions to ask when selecting a WIPS to rapidly and reliably detect, classify, locate, and react to incidents that impede WLAN security, performance, and operation.
Even though every Wi-Fi certified product can now deliver robust, authenticated, encrypted wireless, mission-critical use by diverse devices raises the stakes, demanding vigilance to detect not just threats but also performance and operational issues. Wireless intrusion prevention systems (WIPS) can help by providing efficient 24/7 surveillance of distributed wireless LANs.
According to Gartner, global WIPS revenue spiked 50 percent last year, topping $270 million. In fact, the WIPS market is growing faster than the entire WLAN infrastructure market, driven by larger business WLAN deployments and regulations such as PCI DSS that mandate detection of unauthorized "rogue" devices.
In this buyer's guide, we examine capabilities and features offered by dedicated WIPS products. Although organizational risk tolerance varies, we look at questions every business should ask when selecting a WIPS to rapidly and reliably detect, classify, locate, and react to incidents that impede WLAN security, performance, and operation.
Most WIPS products were launched nearly a decade ago when early Wi-Fi adopters encountered a plethora of security threats. From key cracking to misconfigured and uninvited access points (APs), WLANs became an easy target for intruders.
While periodic manual scans ("net stumbling") could detect nearby active APs, they missed the vast majority of Wi-Fi activity, and thus threats. As WLANs grew, manual scans became increasingly inefficient. Wi-Fi trail-blazers in healthcare and retail clamored for centralized, automated visibility; vendors such as Motorola's AirDefense, Fluke Networks' AirMagnet, AirTight Networks, and Idealab's Newbury Networks rushed to fill that need.
Like wired network IPS, early wireless IPS products were purpose-built and dedicated. Using a network of sensors to observe Wi-Fi throughout a business, a WIPS server could deliver more comprehensive surveillance, using signatures, behavior analysis, and ACL/policy comparison to spot threats. Operators could use WIPS consoles to centrally monitor, investigate, and report on alerts, for example by dispatching staff to find and remove rogue APs installed by employees without permission.
Dedicated vs. integrated
When WLAN controllers began to emerge, they leveraged their network insight and control to deliver limited surveillance. Most APs can now detect rogues on the same channel or periodically scan other channels. Like manual scans, AP-based scans miss activity and threats. But these automated scans are certainly more efficient than manual scans, and arguably less expensive than a dedicated WIPS.
To address broader needs, enterprise WLAN vendors started to buy WIPS technology. Aruba acquired Network Chemistry, Motorola acquired AirDefense, and Juniper/Trapeze acquired Newbury. Even Cisco moved beyond its controller-based WIPS, releasing a dedicated "aWIPS." As integrated products matured, their threat visibility improved. In particular, all learned how to convert APs into full-time WIPS sensors as needed.
In parallel, dedicated WIPS vendors started to leverage WLAN infrastructure by pulling authorized device lists from controllers and complementing sensor observations with AP scans. Such tactics helped dedicated WIPS maintain advantages such as comprehensive threat detection and more accurate locationing.
Today, market boundaries are blurred. For example, Motorola AirDefense can monitor other-vendor WLANs using sensors, or Motorola WLANs using APs or sensors. AirTight SpectraGuard remains an infrastructure-independent dedicated WIPS, but can also run on HP ProCurve infrastructure. In short, dedicated versus integrated WIPS have given way to myriad hybrid approaches. To facilitate apples-to-apples comparison, this guide focuses on capabilities and features found in today's dedicated WIPS products.
Service assurance and efficient operation
Security concerns drove early WIPS sales, but full-time distributed WLAN surveillance can also help to detect operational and performance issues in near real time. In fact, the same root cause incidents can easily end up impacting all three areas.
For example, an AP that fails back to defaults may be missing policies that require 802.1X authentication and AES encryption. But that AP may also be missing QoS policies for voice/video handling or RF channel/power settings that avoid co-channel interference. For some organizations, service-affecting incidents like this may have significant business impact and justify dedicated WIPS investment.
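To make the ACL/policy comparison described earlier and the "AP fails back to defaults" scenario concrete, here is an added example (not code from the article or from any WIPS vendor named in it) of the kind of check a WIPS server runs over sensor observations. The policy, the authorized BSSID list, and the four observed APs are all constructed sample data; the field names and the four categories (authorized, misconfigured, rogue, neighbor) are this example's own conventions, not any product's.

```python
# Added example (not from the article): a minimal WIPS-style ACL/policy comparison.
# Each observed AP is classified by comparing its advertised settings against a
# constructed corporate policy and a list of authorized BSSIDs. An authorized AP
# that drifted from policy (e.g. reset to factory defaults) is flagged as
# misconfigured, listing the security, RF and SSID deviations in one finding set.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    """Constructed corporate WLAN policy: what every authorized AP must advertise."""
    ssid: str
    auth: str                         # required authentication, e.g. "802.1X"
    cipher: str                       # required pairwise cipher, e.g. "CCMP" (AES)
    allowed_channels: FrozenSet[int]  # RF plan chosen to avoid co-channel overlap
    max_tx_power_dbm: int             # transmit power cap from the RF plan


@dataclass(frozen=True)
class Observation:
    """Constructed sensor observation of one AP, as parsed from its beacons."""
    bssid: str
    ssid: str
    auth: str
    cipher: str
    channel: int
    tx_power_dbm: int


def classify(obs: Observation, policy: Policy,
             authorized_bssids: FrozenSet[str]) -> Tuple[str, List[str]]:
    """Return (category, findings) for one observed AP.

    authorized    - known BSSID, every policy field matches
    misconfigured - known BSSID that drifted from policy (e.g. reset to defaults)
    rogue         - unknown BSSID advertising the corporate SSID
    neighbor      - unknown BSSID with an unrelated SSID; tracked, not alerted
    """
    if obs.bssid not in authorized_bssids:
        if obs.ssid == policy.ssid:
            return "rogue", [f"unknown BSSID {obs.bssid} advertising corporate SSID {policy.ssid!r}"]
        return "neighbor", []

    findings: List[str] = []
    if obs.ssid != policy.ssid:
        findings.append(f"SSID {obs.ssid!r} != policy {policy.ssid!r}")
    if obs.auth != policy.auth:
        findings.append(f"auth {obs.auth} != required {policy.auth}")
    if obs.cipher != policy.cipher:
        findings.append(f"cipher {obs.cipher} != required {policy.cipher}")
    if obs.channel not in policy.allowed_channels:
        findings.append(f"channel {obs.channel} outside RF plan {sorted(policy.allowed_channels)}")
    if obs.tx_power_dbm > policy.max_tx_power_dbm:
        findings.append(f"tx power {obs.tx_power_dbm} dBm exceeds cap {policy.max_tx_power_dbm} dBm")
    return ("authorized", []) if not findings else ("misconfigured", findings)


def classify_all(observations: List[Observation], policy: Policy,
                 authorized_bssids: FrozenSet[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Classify every observation, keyed by BSSID."""
    return {o.bssid: classify(o, policy, authorized_bssids) for o in observations}


# Constructed sample data: one policy, two authorized BSSIDs, four observed APs.
POLICY = Policy(ssid="CorpNet", auth="802.1X", cipher="CCMP",
                allowed_channels=frozenset({1, 6, 11, 36, 40, 44, 48}),
                max_tx_power_dbm=17)
AUTHORIZED = frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"})
OBSERVATIONS = [
    Observation("00:11:22:aa:bb:01", "CorpNet", "802.1X", "CCMP", 36, 14),    # healthy
    Observation("00:11:22:aa:bb:02", "default-ap", "OPEN", "NONE", 3, 20),    # fell back to defaults
    Observation("66:77:88:cc:dd:03", "CorpNet", "PSK", "CCMP", 11, 20),       # unknown AP using corporate SSID
    Observation("de:ad:be:ef:00:04", "CoffeeShop", "PSK", "CCMP", 1, 20),     # unrelated neighbor
]


def run_demo() -> Dict[str, Tuple[str, List[str]]]:
    """Classify the sample observations and print a one-line report per AP."""
    results = classify_all(OBSERVATIONS, POLICY, AUTHORIZED)
    for bssid, (category, findings) in results.items():
        print(f"{bssid}  {category:<13} {'; '.join(findings)}")
    return results


if __name__ == "__main__":
    run_demo()
```

The point of matching on BSSID rather than SSID is that an AP reset to defaults usually keeps its radio MAC but loses its SSID, security and RF settings; keying on the BSSID lets the same rule set report the security gap (open/no cipher), the RF deviation (off-plan channel, excess power) and the SSID change as one service-affecting incident instead of three unrelated alerts.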
Similarly, wireless intrusion detection is often accompanied by automated prevention; that is, WIPS-initiated actions to insulate the network and users from further harm. But automated actions can also remedy some performance and operational problems before help desk calls start -- if not directly, then by escalating trouble tickets for rapid attention.
For these reasons, a dedicated WIPS can be well-positioned to react to security, performance, and operational events, leveraging a consolidated sensor network, server platform, and rule set, along with interfaces to WLAN controllers, wired switches, network managers, and trouble-ticketing systems. While a dedicated WIPS may not solve all problems in isolation, it can bring rapid visibility and focused attention to a variety of service-impacting events.