5 Wireless Intrusion Prevention Questions You Should Ask
In my previous blog post (5 Wireless Intrusion Detection Questions You Need to Worry About), I talked about the key questions related to the detection of Wireless (WiFi) based intrusions in your enterprise. Today, let’s turn the focus to the other important aspect of WiFi security – Intrusion Prevention. Here are the 5 questions you should ask about wireless intrusion prevention in your enterprise. Let me know if your answer to all of these questions is in the affirmative.
- Does my wireless security solution provide accurate and automatic prevention? If your solution requires manual intervention to block a detected intrusion, you may be too late. Hence, the key to any intrusion prevention solution is the ability to automatically block the intruder. Although this requirement may seem obvious, it is interesting to note that getting this right is non-trivial. For example, a poor implementation can end up blocking your neighbor’s communication - highly undesirable and, in certain regions, illegal. Unless your security solution can accurately classify WiFi communication (authorized, unauthorized and don’t care/external), you will not be able to achieve this key functionality.
- Does my wireless security solution prevent all types of WiFi intrusions? As mentioned in my previous post, WiFi intrusions come in different flavors – Access Point (AP) based intrusions (e.g., Rogue AP), client based intrusions (e.g., Evil Twin, ad hoc connections) and attacks on your WiFi infrastructure (e.g., Denial of Service (DoS) attacks). The reality is that these intrusions are intrinsically different from one another and hence, there is no one-size-fits-all blocking solution. For example, Evil Twin and ad hoc connections cannot be blocked using certain wired blocking techniques such as switch port disabling – the simple reason being that there is no associated switch port to disable! Similarly, DoS attacks cannot be blocked by certain Over-The-Air (OTA) prevention techniques that rely on breaking AP/client associations – a DoS attack can be launched without associating with an AP. Therefore, any security solution should consist of a collection of mechanisms to protect against all types of WiFi intrusions.
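The two questions above (accurate classification so that a neighbor is never blocked, and matching the prevention mechanism to the intrusion type) can be put together as a small decision engine. The following is an added example written for this post, not code from the original or from any vendor's product; the inventories, MAC addresses, SSIDs and switch ports are constructed sample data, and the action strings stand in for whatever the real system would trigger.

```python
from dataclasses import dataclass
from enum import Enum

class Cls(Enum):
    AUTHORIZED = "authorized"
    UNAUTHORIZED = "unauthorized"
    EXTERNAL = "external"          # the "don't care" class: a neighbor

# Constructed sample inventory (not real devices).
MANAGED_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
MANAGED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
ENTERPRISE_SSIDS = {"corp-wifi"}
# Wired-side correlation: BSSIDs whose traffic was seen on our LAN -> switch port.
WIRED_PORT = {"00:11:22:33:44:01": "sw1/1", "66:77:88:99:aa:bb": "sw2/7"}

@dataclass
class Observation:
    kind: str                          # "ap", "adhoc" or "dos"
    bssid: str
    ssid: str
    clients: frozenset = frozenset()   # stations seen associated / peered

def classify(obs: Observation) -> Cls:
    if obs.bssid in MANAGED_APS:
        return Cls.AUTHORIZED
    # An unmanaged network that sits on our wire (rogue AP), advertises our
    # SSID (evil twin), or has one of our clients on it (ad hoc / evil twin).
    if (obs.bssid in WIRED_PORT or obs.ssid in ENTERPRISE_SSIDS
            or obs.clients & MANAGED_CLIENTS):
        return Cls.UNAUTHORIZED
    return Cls.EXTERNAL  # anything else is a neighbor and is never blocked

def prevention_action(obs: Observation) -> str:
    # A DoS needs no association, so there is nothing for OTA
    # disassociation to break; raise an alert rather than "block".
    if obs.kind == "dos":
        return "alert: OTA dissociation ineffective against DoS"
    cls = classify(obs)
    if cls is Cls.AUTHORIZED:
        return "none: authorized"
    if cls is Cls.EXTERNAL:
        return "none: external network, must not be blocked"
    port = WIRED_PORT.get(obs.bssid)
    if obs.kind == "ap" and port:
        return f"wired: disable switch port {port}"
    # Evil twin and ad hoc have no switch port; only OTA containment applies.
    return f"ota: break associations with {obs.bssid}"
```

Note that a neighbor's AP with a foreign SSID and no wired footprint falls through to `EXTERNAL` even though it is unmanaged, which is exactly the case a poor implementation gets wrong.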
- Does my wireless security solution prevent devices from all of the popular vendors? Research (802.11 MAC Level Heterogeneity) concludes that WiFi devices from different vendors can behave differently. This is because the IEEE 802.11 standard does not mandate all portions of the implementation (e.g., channel scanning behavior of clients). Or, it may be a case of plain non-conformance on the part of the vendor due to a bug (who isn’t aware of time-to-market pressures!). In any case, this device heterogeneity poses a significant challenge to intrusion prevention. A prevention mechanism that works against the devices from one vendor may not work against those from another. Hence, it is important to ascertain that your solution addresses this issue comprehensively.
- How does my wireless security solution scale with the number of intrusions? Let’s look at the evolution of wireless intrusion prevention solutions. Initially, we started with detection-only systems. The detection was achieved by dedicated or part-time WiFi scanners or sensing units (also known as “security sensors”). The second generation brought in some prevention capabilities, but was severely limited in its ability to handle multiple intrusions. For example, a security sensor involved in prevention would lose all of its ability to detect additional threats (let alone prevent them)! The challenge is that the common hardware platforms used as sensors do not support “wideband” transceivers. Hence, sensors have to adopt intelligent software solutions to deal with intrusions that can occur on multiple 802.11 frequency bands (channels). Some of the current generation of intrusion prevention systems adopt such software solutions and are able to continue to detect new threats while reliably blocking a threat. Further, some of them are also able to block multiple simultaneous threats with a reasonable degree of blocking effectiveness. You can measure the scalability of your system by looking at the maximum number of intrusions that a single sensing unit can block. The higher it is, the better the value for your money.
- Does my wireless security solution protect enterprise endpoints that are away from the enterprise? It is equally important to protect your endpoints (clients) while they are away from your enterprise network (e.g., at a hotspot, at an airport, at home). Yes, we are talking about an endpoint agent that resides on the client and implements a policy as to what communication is allowed on the client. For example, allow client communication with “secure” hotspots (that support Virtual Private Network (VPN) connections) and block connections to other “insecure” hotspots. Such an agent can possibly enforce non-WiFi security policies as well (e.g., Bluetooth, EVDO). From an ease-of-management perspective, you should be able to centrally manage the agents – installation, upgrades, policy configuration and report generation.
In short, any wireless intrusion prevention solution that you employ should provide robust, reliable, comprehensive and scalable intrusion prevention. Let me know your comments and your experiences with wireless intrusion prevention in your enterprise network.