Spotting Wireless Intruders: IBM
October 14, 2003
Wireless intrusion detection is a logical extension of the security measures most companies already have in place. In this three part series, we examine the offerings of three different solution providers. We start with IBM, whose solution is supported by its global research network.
Applying IDS/IPS to wireless LANs is a logical extension. Security concerns have impeded enterprise WLAN deployment. Improved 802.11 encryption and access control are chipping away at that roadblock, and periodic sniffing for war drivers and rogue WLANs have become common practice. While such measures help reduce risk, there's still plenty of room for improvement.
Wireless IDS can help by providing 24x7 WLAN surveillance, detecting attacks and on-going trends that can escape notice during spot-checks. Several new WIDS appliances emerged this year, including AirDefense, AirMagnet Distributed, Newbury Networks, VigilantMinds AirXone, and WildPackets RF Grabber.
Inevitably, a few enterprising MSSPs noticed and combined these two growth markets, delivering wireless IDS (WIDS) as a managed service to business customers concerned about WLAN security. To learn more about what managed WIDS really entails, we interviewed three MSSPs: VigilantMinds, IBM Global Services, and Vigilar.
IBM Wireless Intrusion Detection Extensions
IBM's Global Services organization has long offered a full spectrum of managed security services, ranging from managed firewall and anti-virus services to vulnerability assessment, intrusion detection, and incident management. To deliver these services, IBM combines platforms from vendors like CheckPoint and Symantec with IBM-proprietary software and tools, monitored 24x7 from IBM's Security Operations Center (SOC) in Boulder, Colorado.
IBM recently added Wireless Intrusion Detection Extensions (WIDE) [.pdf] to its Business Continuity and Recover services portfolio. When we spoke to Douglas Conorich, IBM Global Solutions Manager, at the end of August, WIDE was still undergoing beta test.
"We've deployed WIDE, both within IBM and with a few customers, and its proven viable and ready for commercial use," said Conorich. "Right now, we're seeing a lot of interest in the manufacturing industry. We're also starting to see it a lot more in the workplace where people want to be mobile, be in meetings, but still want to be able to connect back to their network and get answers, e-mail, etc."
Conorich expects existing IBM managed service customers will be the first to deploy WIDE. "If a customer has our standard IDS, vulnerability testing services, and WIDE, all of this information is correlated so that when an alarm comes up, the SOC analyst knows if it affects just WIDE or also the standard IDS, and can determine the consequences of the exploitthe actual impact and necessity for action," explained Conorich.
For analysis, IBM uses both event correlation and data mining over a period of time. "This helps us to spot attacks that occur low and slowwhat we call a Texas barbeque," said Conorich. IBM also uses visualization tools to help analysts spot patterns that are less obvious when reviewing alarm lists.
When analysts determine that corrective action is necessary, the customer is notified and a one-hour conference call is held to review the event and discuss its severity. "If we together determine that this is a red incident, we can optionally send out an emergency response/forensics team to go on-site and help determine what happened and how it can be prevented in the future," said Conorich. "For $25,000 for a 7-day period of services, we provide on-site people and people working behind the scenes, crunching data, and deliver a report on what to do to recover and harden the network." This emergency response option available to all IBM managed service customers.
Beneath it all, IBM combines commercial hardware sensors and omni or directional antennas with home-grown software developed by IBM's security research facilities. According to Conorich, "TJ Watson does hacking research, Zurich does IDS research, and WIDE combines those two." A WIDE deployment consists of placing sensors at strategic locations within the customer's network, where they can detect abnormal conditions, deviations from configured policy, or active attacks. Sensors monitor wireless traffic in promiscuous mode, shipping noteworthy frames back to the SOC for analysis.
According to Conorich, WIDE looks for unauthorized or malicious rogue access points, unknown stations, and policy violations. Even "innocent" rogue APs are a hazard because they "are usually open so that someone can use the AP to gain access to your corporate jewels," said Conorich. "We first map out where your APs are. then notify your administrator when a new AP appears or comes up without the proper security configuration." When any device with an unknown MAC address turns up, WIDE uses triangulation to identify location, based on input from two or three sensors.
Unlike some other systems, WIDE is focused exclusively on security; it does not analyze WLAN performance.
Given commercial WIDS appliances, why should customers choose an outsourced solution like WIDE? "The people who are setting up these [WLANs] may not be that experienced," said Conorich. "If you have the same people setting it up and evaluating it, pride in ownership [may] prevent them from spotting problems. They also have trouble seeing [security risks] that they don't know about. We have experts that are highly trainedand highly paid to retain them."
Conorich also argues that outsourcing reduces cost. "You're going to need at least 5 FTEs with constant training to man [your SOC]. Behind the scenes you'll need security analysts, database administrators, and data mining staff to help with correlation. Big organizations like IBM can spread these costs across a larger base." WIDE service contracts will cover one, two, or three years, with equipment cost amortized over the contract period. "This is better for customers because they get new equipment every three years without capital expense," explained Conorich.
No further pricing information was available.
Reprinted from ISP Planet.