These days, two terms are commonly used to characterize Wireless Intrusion Detection/Prevention System (WIDS/WIPS) architectures: overlay and integrated. Unfortunately they are used with variable meanings. This post explains what these terms mean, or should mean, to be consistent with the fundamental underpinnings of WIDS/WIPS architectures and functions.
Clarifying the terms WIDS and WIPS themselves will also be useful, but that is left for a different post. For now, let us say that a WIDS/WIPS is a wireless security system comprising channel-scanning sensors and a server that processes the scan data.
What is Overlay WIDS/WIPS?
The term Overlay should be used to indicate dedicated sensing radios (also called full-time scanning radios) for wireless security monitoring, either on separate sensor hardware or on an access point (AP) itself. The dedicated sensing radios continuously scan all channels, i.e. one channel at a time in a rotating fashion, in the 2.4 GHz and 5 GHz bands to detect, block and locate wireless security threats. It is necessary to scan all channels (200+ of them) and not just the authorized traffic channels, because wireless threats such as rogue APs, client misbehavior, WiPhishing, Evil Twin and man-in-the-middle can appear on any off-traffic channel. The dedicated sensing radios do not perform the wireless traffic forwarding function. They forward scan data to the server for further analysis, detection, notification and archiving.
Overlay WIDS/WIPS can be of two types:
1) Separate hardware for the sensor: the AP and sensor hardware are separate from each other. The sensor is typically a dual-radio hardware platform. This architecture is suitable for WLAN-vendor-agnostic Overlay WIPS, and because APs and sensors can be positioned independently it also permits better optimized placement of each.
2) AP and sensor combo: In this architecture, one of the radios on a dual-radio hardware platform is dedicated to sensing (via software configuration) while the other radio operates as an AP to support wireless traffic forwarding. This architecture is suitable for low-capacity installations where both radios on the AP hardware may not be needed to carry wireless traffic. It is also possible to configure both radios on the AP for the sensing function and allocate none to traffic.
So, what is the other (Non-Overlay) WIPS architecture?
In the other WIDS/WIPS architecture (also called Hybrid, Part-time Scanning or Time-Sharing radios), the traffic-forwarding radios on APs occasionally scan off-traffic channels for threat monitoring. The AP radios spend roughly 99% of their time on the traffic channel and only about 1% scanning off-traffic channels. Such rare scanning of off-traffic channels is insufficient for reliable threat detection: with 200+ off-traffic channels to cover, any one channel is revisited only infrequently, and a short visit can miss a threat that transmits only briefly. Moreover, blocking of wireless threats (intrusion prevention) is not possible with occasional scanning, because blocking requires frequent visits to the channel where the threat has been detected, and a traffic radio cannot leave its own channel that often without degrading client service.
Some people call this non-overlay architecture Integrated WIDS/WIPS. However, I think a better characterization of Integrated WIDS/WIPS is as described next.
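The scanning-budget argument made here and in the Overlay section above can be made quantitative. The following model is an added example, not code from the original post: it compares a dedicated (full-time) sensing radio with a traffic radio that scans part-time, computing how long each takes to revisit a given channel, how likely a single visit is to overlap a rogue AP's beacon, and whether the radio can return to a threat channel often enough to block it. The channel count, dwell times, the 1% duty cycle and the 1 s containment requirement are assumptions chosen for illustration; real values depend on regulatory domain and vendor configuration.

```python
"""Scan-coverage model: full-time (overlay) sensing radio versus a part-time
(time-sharing) AP radio. Added example, not code from the original post.
Channel count, dwell times, duty cycle and containment gap are assumptions."""
from dataclasses import dataclass

# 802.11 default beacon interval: 100 TU, 1 TU = 1024 us -> 102.4 ms.
BEACON_INTERVAL_S = 0.1024


@dataclass(frozen=True)
class ScanSchedule:
    channels: int        # channels in the scanning rotation
    dwell_s: float       # seconds spent on a channel per visit
    duty_cycle: float    # fraction of wall-clock time available for scanning
                         # (1.0 for a dedicated sensing radio, ~0.01 for a
                         # traffic-forwarding AP radio that scans part-time)

    def revisit_interval_s(self) -> float:
        """Wall-clock seconds between two visits to the same channel when
        rotating over all channels."""
        return self.channels * self.dwell_s / self.duty_cycle

    def beacon_hit_probability(self) -> float:
        """Chance that one visit overlaps at least one beacon of a rogue AP
        that beacons continuously. A dwell shorter than the beacon interval
        means a visit can miss every beacon."""
        return min(1.0, self.dwell_s / BEACON_INTERVAL_S)

    def mean_time_to_detect_s(self) -> float:
        """Coarse estimate: visits are spaced revisit_interval_s apart and
        each succeeds with beacon_hit_probability, so about 1/p visits are
        needed on average."""
        return self.revisit_interval_s() / self.beacon_hit_probability()

    def fastest_single_channel_revisit_s(self) -> float:
        """Best case when the radio abandons rotation and prioritises one
        threat channel: it may still only leave its home duty for duty_cycle
        of the time, so each visit of dwell_s costs dwell_s / duty_cycle."""
        return self.dwell_s / self.duty_cycle

    def can_contain(self, max_gap_s: float) -> bool:
        """Over-the-air blocking (e.g. repeated deauthentication) only works
        if the radio can return to the threat channel at least every max_gap_s."""
        return self.fastest_single_channel_revisit_s() <= max_gap_s


# Assumed configurations (not from the post): 200 channels, a dedicated
# sensor dwelling 250 ms per channel, and an AP radio spending 100 ms
# off-channel for 1% of its time.
OVERLAY = ScanSchedule(channels=200, dwell_s=0.25, duty_cycle=1.0)
PART_TIME = ScanSchedule(channels=200, dwell_s=0.10, duty_cycle=0.01)

# Assumed containment requirement: revisit the threat channel within 1 s.
CONTAIN_GAP_S = 1.0


def summarize(sched: ScanSchedule) -> dict:
    """Headline numbers for one schedule, rounded for display."""
    return {
        "revisit_s": round(sched.revisit_interval_s(), 1),
        "p_hit": round(sched.beacon_hit_probability(), 3),
        "mttd_s": round(sched.mean_time_to_detect_s(), 1),
        "contain": sched.can_contain(CONTAIN_GAP_S),
    }


if __name__ == "__main__":
    for name, sched in (("overlay", OVERLAY), ("part-time", PART_TIME)):
        print(name, summarize(sched))
```

With these assumptions the dedicated radio returns to any channel every 50 s and can camp on a threat channel, while the part-time radio revisits a channel only every 2000 s (about 33 minutes), has a roughly 2% chance of missing the beacon on each visit, and cannot get back to a threat channel faster than every 10 s, so containment is ruled out even before detection latency is considered.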
What is Integrated WIDS/WIPS?
This term should be used to indicate some level of integration between the WIDS/WIPS application and the AP management application. Some common integration points are as follows:
- Synchronization of device inventory between AP management engine (controller) and WIDS/WIPS engine (WIDS/WIPS server)
- Combining RSSI measurements performed by APs with those performed by sensors for more accurate location tracking (triangulation)
- Accessing WIPS functions (configuration, alerts etc.) from AP management console
- Performing AP management functions from WIPS console
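The first two integration points above can be shown concretely. The following is an added example, not code from the original post or from any vendor's product: it synchronizes a constructed controller inventory into the authorized BSSID and SSID sets a WIPS server needs, classifies sensor observations against them (an unknown BSSID advertising an authorized SSID is the Evil Twin pattern mentioned earlier), and then merges RSSI reports from traffic APs and dedicated sensors into one location estimate. The inventory format, device names, BSSIDs, coordinates and RSSI values are all constructed, and the weighted centroid is a simple stand-in for whatever location algorithm a vendor actually uses.

```python
"""Integration between the AP management engine (controller) and the
WIDS/WIPS engine: inventory synchronization plus combined AP/sensor RSSI
location. Added example, not the post's code; all data is constructed."""

# Constructed controller inventory: managed APs, the BSSIDs they advertise,
# their SSIDs, and their installed positions in metres.
CONTROLLER_INVENTORY = {
    "ap-1": {"bssids": {"00:11:22:aa:00:01"}, "ssids": {"corp"}, "xy": (0.0, 10.0)},
    "ap-2": {"bssids": {"00:11:22:aa:00:02"}, "ssids": {"corp"}, "xy": (10.0, 10.0)},
}

# Constructed positions of dedicated sensors (sensors advertise no BSSIDs).
SENSOR_POSITIONS = {"sensor-1": (0.0, 0.0), "sensor-2": (10.0, 0.0)}

# Constructed sensor observations: (bssid, ssid, channel).
OBSERVATIONS = [
    ("00:11:22:aa:00:01", "corp", 36),         # one of our managed APs
    ("de:ad:be:ef:00:01", "corp", 11),         # unknown BSSID using our SSID
    ("de:ad:be:ef:00:02", "coffee-shop", 6),   # neighbour, not ours
]

# Constructed RSSI reports (dBm) for the suspect BSSID de:ad:be:ef:00:01.
SENSOR_RSSI = {"sensor-1": -60, "sensor-2": -40}
AP_RSSI = {"ap-1": -60, "ap-2": -40}


def sync_inventory(inventory):
    """Derive the authorized BSSID and SSID sets from the controller's data."""
    bssids = set().union(*(ap["bssids"] for ap in inventory.values()))
    ssids = set().union(*(ap["ssids"] for ap in inventory.values()))
    return bssids, ssids


def classify(observations, authorized_bssids, authorized_ssids):
    """Label each observed BSSID. An unknown BSSID advertising an
    authorized SSID is flagged as an SSID-spoofing (Evil Twin) candidate."""
    result = {}
    for bssid, ssid, channel in observations:
        if bssid in authorized_bssids:
            label = "authorized"
        elif ssid in authorized_ssids:
            label = "ssid-spoof-candidate"
        else:
            label = "unknown"
        result[bssid] = (label, ssid, channel)
    return result


def rssi_to_linear(rssi_dbm):
    """dBm to milliwatts, so stronger readings dominate the centroid."""
    return 10 ** (rssi_dbm / 10.0)


def locate(readings, positions):
    """Weighted centroid of the reporting radios' positions, weighted by
    received power. readings: {radio_name: rssi_dbm}."""
    wsum = x = y = 0.0
    for radio, rssi in readings.items():
        w = rssi_to_linear(rssi)
        px, py = positions[radio]
        x += w * px
        y += w * py
        wsum += w
    return (x / wsum, y / wsum)


def locate_suspect(sensor_rssi, ap_rssi):
    """Return (sensor-only estimate, combined estimate) to show what the
    AP measurements add once the two engines are integrated."""
    positions = dict(SENSOR_POSITIONS)
    positions.update({name: ap["xy"] for name, ap in CONTROLLER_INVENTORY.items()})
    sensor_only = locate(sensor_rssi, positions)
    combined = locate({**sensor_rssi, **ap_rssi}, positions)
    return sensor_only, combined


if __name__ == "__main__":
    bssids, ssids = sync_inventory(CONTROLLER_INVENTORY)
    for bssid, info in classify(OBSERVATIONS, bssids, ssids).items():
        print(bssid, info)
    print(locate_suspect(SENSOR_RSSI, AP_RSSI))
```

With the sensors alone (both on the y = 0 line) the suspect is placed at about (9.9, 0); folding in the two AP readings moves the estimate to about (9.9, 5.0), which is the point the four readings actually agree on. The same pattern applies in reverse for the last two integration points: once the inventories are synchronized, either console can present the other engine's data without re-discovering it.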