
5 Wireless Intrusion Detection Questions You Should Worry About

July 13th, 2009

If you own an enterprise grade local area network (LAN), you need to be aware that wireless (WiFi) based intrusions can potentially be exploited to create security backdoors into your network. This is true even if you have not rolled out your wireless LAN (WLAN) or have rolled out a WLAN that adopts the best-in-breed cryptographic security.

Today, Chief Security Officers (CSOs), Chief Information Officers (CIOs) and network security administrators have different perceptions of the extent of WiFi based intrusions. Hence, they have adopted different solutions to secure their enterprise networks from WiFi intrusions.

  1. At one end of the spectrum, there are users who believe that wired IDS/IPS and Network Access Control (NAC) solutions are adequate to thwart this threat.
  2. Next, there is a class of users who believe in “moderate security”. They have adopted part-time wireless intrusion detection capabilities in their networks.
  3. At the other end of the spectrum, there are users who believe in dedicated and specialized wireless intrusion detection and prevention (WIPS) systems to defend against this threat.

Independent of which of the above groups you may belong to, here is my list of 5 intrusion detection questions that you need to worry about. If you don’t agree, I would love to hear your views.

  1. Does my security solution detect all WiFi Access Point (AP) based intrusions? AP based intrusions can occur via poorly configured authorized WLAN APs or via unauthorized (Rogue) APs. Rogue APs are APs that are deployed without the consent of the authority owning the network. The intent is not always malicious (e.g., an employee deploying a Rogue AP for convenient network access); nevertheless, they are a serious threat to network security. Rogue APs come from multiple vendors and vary widely in how they operate (e.g., 802.11 Bridge/NAT AP, Open/Encrypted communication). The key challenge for any intrusion detection solution is to accurately identify the operation of such an unauthorized AP in your network. Further, it should allow you to specify your WiFi security policy and have the capability to automatically classify APs as authorized, unauthorized and “don’t care” (neighbor/external).
  2. Does my security solution detect all WiFi endpoint based intrusions? Endpoint (client) based intrusions occur when authorized clients are involved in unauthorized connections. Such unauthorized connections can be with “evil twin” APs (APs that are similar in configuration to authorized APs) or “ad hoc” connections with malicious clients. Further, an inadvertent connection with a neighbor’s AP or a Hotspot/Metro WiFi AP is also not desirable. The key challenge for any intrusion detection solution is to accurately identify such connections involving authorized clients (based on your policy definition), while ignoring other “don’t care” (e.g., neighbor) connections.
  3. Does my security solution detect all attacks against the WiFi infrastructure? WiFi infrastructure is vulnerable to several attacks, such as Denial of Service (DoS) attacks and attacks on the cryptographic techniques used for authentication/encryption. DoS attacks affect the uptime of WLANs running mission critical applications, while cryptographic attacks can compromise the security of your entire infrastructure (including the wired network). Hence, it is important that you have a solution that can detect these attacks and raise appropriate alarms.
  4. Does my security solution provide enough information to comply with various security audits? Depending on their business model and the exact vertical, enterprises need to comply with security audits prescribed by various regulatory bodies (PCI, HIPAA, SOX, etc.). Such audits require an enterprise to store historical data on the WiFi activity on its premises. One of the key components of this historical data is the WiFi intrusions that have occurred during the period of compliance. Hence, your security solution needs to enable you to generate historical reports to help the compliance process.
  5. Does my security solution provide “lean back” comfort? This is probably the most important question from an ease-of-use perspective. Network security/monitoring teams are usually heavily loaded with their day-to-day activities. Whatever wireless security solution you deploy should not require tons of manual effort to monitor it. One network administrator that I was talking to mentioned that he has deployed “fool proof” security: his security solution throws tons of alerts every hour and there is a dedicated “junior” team to monitor these alerts round the clock. Further, there is another “senior” team that continuously monitors the output of the “junior” team. I did not ask him if there was a “super senior” team that monitors the output of the “senior” team, but I am sure you get the point. Your security solution should not be prone to false alerts. That is, it should not “cry wolf” too often, nor miss any actual threats.
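As an added illustration of the policy-driven classification that questions 1 and 2 ask for (example code written for this page, not from the author or any WIPS product), the following classifies observed BSSs as authorized, rogue, evil twin, ad hoc or external, and raises alerts only for authorized clients found on non-authorized connections while ignoring neighbor-to-neighbor traffic. The policy tables, MAC addresses and the `WIRED_CONNECTED_BSSIDS` set (assumed to come from a separate wired-side correlation step) are all constructed.

```python
from dataclasses import dataclass

# Constructed policy data (not from the post): authorized BSSID -> SSID, authorized
# client MACs, and BSSIDs that a wired-side correlation step has already tied to the LAN.
AUTHORIZED_APS = {"00:11:22:00:00:01": "CorpNet", "00:11:22:00:00:02": "CorpNet"}
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}
WIRED_CONNECTED_BSSIDS = {"de:ad:be:ef:00:01"}

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    adhoc: bool = False      # IBSS (ad hoc) network rather than an infrastructure AP
    encrypted: bool = True   # open vs. encrypted BSS, kept for reporting

@dataclass(frozen=True)
class Link:
    client: str
    bssid: str               # AP (or ad hoc network) the client is associated with

def classify_ap(b: Beacon) -> str:
    """Map an observed BSS to AUTHORIZED, ROGUE, EVIL_TWIN, ADHOC or EXTERNAL."""
    if b.adhoc:
        return "ADHOC"
    if b.bssid in AUTHORIZED_APS:
        return "AUTHORIZED"
    if b.bssid in WIRED_CONNECTED_BSSIDS:
        return "ROGUE"       # unauthorized AP with a path into the wired LAN: highest risk
    if b.ssid in AUTHORIZED_APS.values():
        return "EVIL_TWIN"   # advertises our SSID but is not one of our APs
    return "EXTERNAL"        # neighbor/hotspot: "don't care" unless our clients use it

def client_alerts(beacons, links):
    """Alert only when an authorized client is on a non-authorized connection."""
    ap_class = {b.bssid: classify_ap(b) for b in beacons}
    alerts = []
    for link in links:
        if link.client not in AUTHORIZED_CLIENTS:
            continue         # neighbor client on neighbor AP: ignore, not our problem
        cls = ap_class.get(link.bssid, "UNKNOWN")
        if cls != "AUTHORIZED":
            alerts.append((link.client, link.bssid, "MISASSOCIATION_" + cls))
    return alerts

if __name__ == "__main__":
    seen = [Beacon("66:77:88:00:00:01", "CorpNet"), Beacon("02:aa:aa:00:00:01", "adhoc", adhoc=True)]
    print(client_alerts(seen, [Link("aa:bb:cc:00:00:10", "66:77:88:00:00:01")]))
```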

In short, any wireless intrusion detection solution that you employ should provide reliable, accurate and comprehensive detection capabilities. The next natural question is whether plain detection is good enough. The obvious answer is no, and any solution should provide automatic remediation or prevention capabilities. That is the topic for my next post. Meanwhile, I would love to hear your comments.

Thanks, Gopi (Gopi@LinkedIn, @gopinathkn)


K N Gopinath | Compliance, Wireless security
