Live Alerts: A Unique Addition to AirTight's WIPS functionality


Live Alerts helps system administrators to quickly identify the ongoing vulnerabilities and performance related issues in an enterprise Wi-Fi deployment.

Before Live Alerts, it was very difficult for an administrator to identify the ongoing threats from the list of reported threats/anomalies. With the introduction of Live Alerts, however, the administrator can now easily distinguish between ongoing and past threats/anomalies and prioritize them accordingly.

Introduction:

As businesses realize the mobility advantages of Wi-Fi, it is increasingly being deployed on corporate premises. However, due to the nature of Wi-Fi technology, an administrator faces certain security and performance challenges while managing the corporate Wi-Fi space.

These challenges have led to the emergence of wireless IDS/IPS solutions for corporate Wi-Fi deployments in recent years. Quite a few such solutions are now available from various vendors and are being deployed to manage and secure the corporate Wi-Fi space.

A wireless IDS/IPS solution essentially sniffs the corporate Wi-Fi space and then thoroughly analyzes the sniffed data. If the analysis finds that a security policy (applicable to the particular Wi-Fi deployment) has been violated, or detects some other anomaly such as a performance problem, a suitable alert is generated for the administrator.

Depending on the capability of the IDS/IPS solution, remedial measures can be taken proactively to prevent threats originating in a Wi-Fi deployment. However, most of these threats require manual intervention by an administrator to permanently remove their source. Also, a busy corporate Wi-Fi space with a large number of Access Points and Wi-Fi clients (present inside the premises, outside, or both) usually exhibits more anomalies due to the increased probability of:
• Mis-configuration of corporate Wi-Fi devices.
• Leakage of Wi-Fi signal from the corporate premises to the outside world and vice versa.
Thus, for an administrator monitoring a corporate Wi-Fi space, the alerts generated by the wireless IDS/IPS solution become very important for becoming aware of detected anomalies and acting accordingly.

Keeping in mind the importance of these alerts, AirTight recently overhauled its WIPS alert architecture to introduce the concept of Live Alerts. With Live Alerts, an administrator will be able to:

• Distinguish between ongoing and past security threats/performance issues and prioritize them accordingly.
• Quickly provide the physical intervention required to stop ongoing threats, thereby also relieving the deployed WIPS (if it is already performing automatic prevention of these threats).
• Effectively analyze detected anomalies on a time basis (as the start time, stop time and duration of each anomaly will now be known).

Live Alerts: Explained

To introduce the concept of Live Alerts, the new alert architecture associates a lifetime with each anomaly detected by the WIPS while scanning a Wi-Fi deployment. Thus, an alert has a well-defined start time, an end time, and a lifetime in between the two. This is illustrated in Figure 1.

Figure 1: Lifetime of an Alert (Alert is denoted by Event)

An alert representing a security violation or a performance issue starts when one or more conditions become true (these constitute the Start Triggers for the alert). The alert remains active until some other condition or conditions become true (these constitute the End Triggers for the alert). See Figure 2 for an illustration.

Figure 2: Rogue AP Alert (Alert is denoted by Event)

At any particular time, alerts which have not yet ended are called Active Alerts, while alerts that have already ended are called Past Alerts. Active Alerts are differentiated from Past Alerts on the Alerts screen of AirTight's WIPS product interface. Thus, an administrator has a readily available list of alerts for ongoing anomalies/threats and can take prompt measures to rectify them. The administrator can also choose to see the alerts which were active during a time slice of interest (for example, the period during which unauthorized activity is suspected to have occurred).
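As an added illustration (not AirTight's code), the following Python sketch models the alert lifecycle described above: an alert is opened by a start trigger, closed by an end trigger, classified as active or past, and can be queried for a time slice of interest. The trigger names, device identifiers and event feed are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    kind: str
    device: str
    start: int                 # time the start trigger fired (epoch seconds)
    end: Optional[int] = None  # stays None until an end trigger fires
    def active(self) -> bool:
        return self.end is None

    def duration(self, now: int) -> int:
        return (now if self.end is None else self.end) - self.start

# Constructed trigger table: trigger name -> (alert kind, True for a start trigger).
TRIGGERS = {"rogue_ap_seen": ("Rogue AP", True), "rogue_ap_gone": ("Rogue AP", False),
            "ap_misconfigured": ("AP Misconfiguration", True),
            "ap_config_fixed": ("AP Misconfiguration", False)}

class AlertStore:
    def __init__(self):
        self.alerts = []  # every alert raised, in start order

    def process(self, ts, trigger, device):
        kind, is_start = TRIGGERS[trigger]
        current = next((a for a in self.alerts
                        if a.kind == kind and a.device == device and a.active()), None)
        if is_start and current is None:   # a repeated start trigger must not duplicate it
            self.alerts.append(Alert(kind, device, ts))
        elif not is_start and current is not None:
            current.end = ts               # the end trigger closes the active alert

    def active_alerts(self):
        return [a for a in self.alerts if a.active()]

    def active_during(self, t0, t1):
        # Alerts whose lifetime overlaps the time slice [t0, t1]; open alerts extend to now.
        return [a for a in self.alerts if a.start <= t1 and (a.end is None or a.end >= t0)]

# Constructed sample trigger feed: (timestamp, trigger, device).
SAMPLE_EVENTS = [(100, "rogue_ap_seen", "aa:bb:cc:00:00:01"), (160, "rogue_ap_seen", "aa:bb:cc:00:00:01"),
                 (200, "ap_misconfigured", "AP-7"), (300, "rogue_ap_gone", "aa:bb:cc:00:00:01"),
                 (400, "rogue_ap_seen", "aa:bb:cc:00:00:01")]

def build_sample_store():
    store = AlertStore()
    for ts, trigger, device in SAMPLE_EVENTS:
        store.process(ts, trigger, device)
    return store
```

Past Alerts are simply the entries whose `active()` is false; the sample feed yields one closed Rogue AP alert (100 to 300) and two still-active alerts.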
