Wireless IDS/IPS horror stories from the field
These are some recent stories of the IT organizations who brought in wireless intrusion prevention systems (WIPS) to secure their network environments against Wi-Fi vulnerabilities and attacks, and what they encountered was the incessant flow of security alerts that they could not keep up with. That is because, the systems constantly crunched signatures and thresholds from wireless traffic to generate volume of alerts for the security admins to consume. Admins could not grasp the enormity of problems that they would face in the production deployments based on the product previews done in the tiny lab setups and based on the marketing material they saw (hey look, we have Gazillion attack signatures, configuration settings, and thresholds in here!). Learn from their experiences, and avoid the destiny they faced by asking the right questions and making the right technology choices early on. AirTight Networks to date has helped thousands of customers avoid such misery by helping them with the strongest WIPS protection without the overhead of ongoing system management.
Big data analytics to process wireless IDS/IPS alarms
This organization – a government contractor in US – deployed 1000+ wireless IDS monitors from one vendor hoping to get wireless security, but it actually turned out that they were constantly sitting on the big heap of IDS alerts. So they thought of channeling these alerts to ArcSight and writing scripts to try to extract usable information from then, but quickly realized that the security system did not provide ArcSight connector natively (what kind of security system does not support ArcSight integration!). Finally, they brought in Splunk (yes, the machine data analytics application) to process those alerts in pursuit of finding usable information in them. Still, they get dinged by auditors because there is always large number of unattended alerts in the system.
Big IT resources to manage wireless IDS/IPS on a continuous basis
Another organization – a big commercial group in Mexico – deployed wireless IDS from one vendor, without initially realizing how miserable life can become when IDS monitors start spitting alerts in production network. They ended up having 2 full time admins to constantly manage wireless security system with just 200 IDS monitors. The operational cost for the system has become twice as much they paid for the system. They failed to anticipate such high operational cost when they chose to bring in this system. Also the system collects so much raw data to crunch alerts and show statistics without any security value in them that the system stability has also become a nagging issue.
Turn on rogue containment, face legal consequences
This organization – a bank in Korea – wanted protection from rogue APs, who doesn’t? They had large number of sites and hence large number of unknown APs would show up in their aggregate neighborhood on constant basis. They thought they would install wireless IPS which would smoke out rogues from the heap of unknown APs and block those rogues (and just the rogues!). When they tried to enable automated rogue prevention in the system, the system showed the warning: “turning on this feature may have legal consequences”. The system was telling them that it may accidently (routinely?) block neighborhood APs because it can’t precisely differentiate between rogues and friendly neighbors. They did not want legal mess, so they did not turn on the prevention. They did not get the very thing they wanted and purchased the system for. Now their security admins have to constantly review heap of unknowns APs and make manual decisions on whether any AP needs to be contained or not. They have lot of work cut out for them for years, since Wi-Fi penetration around them is only going to grow by the day!
Moral of these stories
Make sure you don’t bring in unmanageable baggage of alerts and system management when you bring in wireless security for your network. Is automated wireless security without the overhead of ongoing administration possible? Yes, but only if you ask the right questions when you evaluate any wireless IDS/IPS and make the right technology choice. Typical questions to ask: What is the principle on which wireless IDS/IPS operates? What types of alerts are generated? Are the alerts actionable? How much manual intervention is required to act on alerts on day to day basis? Can the security be automated? How big the deployment you are looking at? How does the system cut raw information? If you ask the right questions when you evaluate, you will avoid jumping through lot of hoops when the wireless IDS/IPS goes in production. Wish you all happy 2013 free from the pest IDS alerts!