Factors to Compare Integrated and Overlay WIPS
By CWNP, 01/12/2011
Last time I wrote about WIPS evaluation factors on this blog, I focused on WIPS features and did not discuss the topic of integrated versus overlay WIPS. While that post was well received, readers also wanted to see a discussion of the integrated and overlay WIPS architectures. I hear them, since almost everyone planning a WIPS project in an enterprise network faces a choice between these two architectures. So the question arises: are there objective criteria that can be used to make a judicious decision on the WIPS architecture that is right for a particular environment? Yes, there are, and that is precisely the topic of this post. Below I lay out some factors that can help you compare these two WIPS architectures for your environment.
For the purpose of this post, the “Integrated” WIPS means the WIPS provided along with the WLAN infrastructure by the same vendor as the infrastructure vendor, while the “Overlay” WIPS means the WIPS provided as a security layer separate from the WLAN infrastructure. These definitions are in line with how people use these terms in the marketplace.
The following discussion mainly addresses the architectural and operational aspects, since I have already discussed the features and the security aspects in the earlier post. Also, the discussion below is with respect to how the leading integrated and overlay WIPS currently available in the market are architected.
Factor 1: “Background scanning” vs “dedicated radio scanning”
In the background scanning WIPS approach, the APs provide WIPS features by scanning the off-traffic channels in the background. Since the APs need to stay on their traffic channels most of the time (99% of the time or higher), a background scanning WIPS has about 1% or less of the radio's time to scan the off-traffic channels. Spending so little time on the off-traffic channels results in the following:
- Latency in detecting active threats and policy violations on the off-traffic channels, often ranging into tens of minutes. There is also a chance of missing short-lived or bursty threats and violations altogether.
- Over-the-air prevention is not possible on the off-traffic channels with background scanning, since over-the-air prevention requires frequent and/or prolonged visits to the channel where the undesirable communication is to be blocked. Note that certain security violations, such as ad hoc connections and client associations to neighborhood APs, can only be blocked with over-the-air prevention.
- Advanced features such as forensics can take a hit, since infrequent visits to the off-traffic channels may not collect enough data about the wireless activity on them.
- Monitoring a comprehensive channel set (e.g., channels outside the regulatory domain, non-standard channels, etc.) is difficult, since it lengthens the off-channel scanning cycle significantly.
With these limitations in mind, if background scanning is still sufficient for you, you should probably go for the integrated WIPS. If, on the other hand, background scanning is insufficient to meet your security goals, you should go for a dedicated radio WIPS. Even once you decide on a dedicated radio WIPS, you still face a choice between the integrated and the overlay architectures: the overlay WIPS always operates in dedicated radio mode, but the APs from the leading WLAN vendors can also be configured to operate in dedicated radio WIPS mode (i.e., APs configured as dedicated sensors).
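To make the timing trade-off concrete, here is a small Python model written for this post (it is an added illustration, not a vendor's scan algorithm or any code from the original article). It assumes a fixed round-robin scan order, a 30-channel off-traffic scan list, a 100 ms dwell per visit, and a 1% duty cycle for a background-scanning AP versus 100% for a dedicated radio; all of those numbers are assumptions chosen to illustrate the four points above, including how an extended channel set stretches the revisit interval.

```python
"""
Added example: timing model of off-channel visibility for a background-scanning
AP versus a dedicated-radio sensor. All parameters are assumptions chosen for
illustration; real scan schedules are vendor specific.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScanSchedule:
    channels: int        # number of off-traffic channels in the scan list
    dwell_ms: int        # time spent on a channel per visit, in milliseconds
    scan_percent: float  # share of radio time available for scanning (1 = background, 100 = dedicated)

    def cycle_ms(self) -> float:
        """Time between successive visits to the same channel.

        Visiting every channel once takes channels * dwell_ms of radio time; at a
        1% duty cycle that time is spread over 100x as much wall-clock time,
        because the radio spends the rest of it serving the traffic channel.
        """
        return self.channels * self.dwell_ms * 100 / self.scan_percent


def first_detection_ms(sched: ScanSchedule, channel: int,
                       start_ms: float, duration_ms: float) -> Optional[float]:
    """Latency in ms until the radio first sees activity on `channel` that is
    present during [start_ms, start_ms + duration_ms), or None if never seen.

    Model assumption: visit k to a channel begins at k * cycle + channel * slot,
    i.e. channels are visited in a fixed order, evenly spaced over one cycle.
    """
    cycle = sched.cycle_ms()
    slot = cycle / sched.channels
    end_ms = start_ms + duration_ms
    # begin with the last visit that started at or before the activity began
    k = max(0, int((start_ms - channel * slot) // cycle))
    while True:
        visit = k * cycle + channel * slot
        if visit >= end_ms:
            return None  # activity ended before the next visit to this channel
        if visit + sched.dwell_ms > start_ms:
            return max(visit, start_ms) - start_ms
        k += 1


def detection_rate(sched: ScanSchedule, channel: int,
                   duration_ms: float, samples: int = 3000) -> float:
    """Fraction of bursts of the given duration that are seen at all, for burst
    start times spread evenly across one scan cycle."""
    step = sched.cycle_ms() / samples
    seen = sum(1 for i in range(samples)
               if first_detection_ms(sched, channel, i * step, duration_ms) is not None)
    return seen / samples


# Constructed scenarios: 30 off-traffic channels, 100 ms dwell per visit.
BACKGROUND = ScanSchedule(channels=30, dwell_ms=100, scan_percent=1)      # AP serving clients
DEDICATED = ScanSchedule(channels=30, dwell_ms=100, scan_percent=100)     # sensor or AP in monitor mode
COMPREHENSIVE = ScanSchedule(channels=60, dwell_ms=100, scan_percent=1)   # background + extended channel set

if __name__ == "__main__":
    for name, s in [("background", BACKGROUND), ("dedicated", DEDICATED),
                    ("background, 60 channels", COMPREHENSIVE)]:
        print(f"{name}: revisit interval per channel {s.cycle_ms() / 1000:.0f} s")
    # A persistent rogue AP on channel 5 that appears at t = 60 s and stays up 10 min,
    # and a 2 s burst (e.g. a brief unauthorized association) on the same channel.
    for name, s in [("background", BACKGROUND), ("dedicated", DEDICATED)]:
        lat = first_detection_ms(s, channel=5, start_ms=60_000, duration_ms=600_000)
        print(f"{name}: persistent rogue first seen after {lat / 1000:.1f} s")
        rate = detection_rate(s, channel=5, duration_ms=2_000)
        print(f"{name}: 2 s burst seen {rate:.1%} of the time")
```

With these assumptions the background scanner revisits each channel every 5 minutes (10 minutes with the 60-channel list), first sees the persistent rogue after nearly 5 minutes, and catches a 2 s burst well under 1% of the time, while the dedicated radio revisits every 3 s, sees the rogue within a second and catches about 70% of such bursts. The model also makes the over-the-air prevention point visible: containment needs a radio back on the offending channel every few seconds, which a 5-minute revisit interval cannot provide.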
Factor 2: WIPS equipment and deployment cost
When you decide to go for the dedicated radio WIPS, you will have to compare the equipment and deployment cost of the integrated WIPS and the overlay WIPS. Following are the major equipment cost contributors in each approach.
Integrated WIPS:
- APs in the dedicated radio WIPS mode required to cover your facility.
- Controller capacity required to manage the APs in the WIPS monitoring mode. If you have spare AP management capacity on the controllers already deployed, it can be allocated to managing the APs in the WIPS monitoring mode. Else, new controller hardware is required to manage the WIPS mode APs.
- WIPS server required to provide processing and/or storage intensive WIPS features such as full set of alerts, long-term storage of alerts, forensics, and generation of compliance reports.
Overlay WIPS:
- Sensors required to cover your facility.
- WIPS server that manages the sensors and also provides the WIPS feature set.
In addition to the equipment cost, you should also factor in the deployment costs related to cabling, Ethernet ports, rack space, cooling, and similar requirements. These factors will vary in accordance with the current infrastructure and the hardware BOM as discussed above.
Factor 3: Operational overhead
The integrated WIPS can provide a single management console for both the WLAN infrastructure and WLAN security, while with the overlay WIPS the WLAN security console will be separate from the WLAN infrastructure console. While that is a valid point to weigh, that consideration alone is too simplistic to give a real idea of how much operational overhead the WIPS will actually introduce. The following factors must also be considered when evaluating the operational overhead of the WIPS:
- Amount of initial and ongoing configuration required by the WIPS.
- Level of automation built into the WIPS to avoid ongoing manual intervention.
- Rate of false alarms the WIPS generates.
- Availability of APIs between the overlay WIPS and the WLAN infrastructure to synchronize the two consoles. For example, the WIPS needs to know the managed WLAN baseline (the properties of the managed APs and clients) in order to perform security analysis of rogue APs, rogue clients, unauthorized connections by managed clients, etc. The integrated WIPS obviously has the managed WLAN baseline readily available. Though the overlay WIPS does not have this luxury, specific overlay WIPS offerings provide SNMP-based integration APIs with the WLAN controllers to fetch from the controllers both the managed WLAN baseline and the RSSI measurements performed by the managed APs (to aid triangulation-based location tracking of devices without requiring a fully dense sensor deployment).
- Training time associated with the different products. WIPS feature-centric training is required in both approaches, since you are introducing new functionality into the network; the actual feature training effort will, however, depend on how the WIPS feature workflows are designed in each system. As to equipment-centric training, both approaches bring in new equipment: the integrated WIPS requires the WIPS server to provide the full WIPS feature set, while the overlay WIPS brings in new radio devices as well as the WIPS server. The training curve will also depend on the type of training assistance the vendor can offer.
As you compare specific solutions in the overlay or integrated camps, these factors will help you estimate, realistically, the operational overhead of the WIPS.
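The managed WLAN baseline point above is easiest to see in code. The following Python is an added example written for this post (not any WIPS product's classification engine): it applies the kinds of checks the post names, rogue AP, unauthorized connection by a managed client, ad hoc connection, and unknown client on a managed AP, to a constructed set of over-the-air observations, first with a baseline as an integrated WIPS or a controller-synchronized overlay WIPS would have it, then with no baseline at all, to show where the false alarms come from. The MAC addresses, SSIDs and alert names are all made up for the example.

```python
"""
Added example: how a WIPS classifies over-the-air observations against the
managed WLAN baseline, and what happens when that baseline is missing.
All addresses, SSIDs and alert names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One thing a sensor saw on the air: an AP (beacon) or a client association."""
    bssid: str
    ssid: str
    client: Optional[str] = None   # associated client MAC, None for a beacon-only sighting
    ad_hoc: bool = False           # IBSS (peer-to-peer) network rather than an AP


@dataclass
class Baseline:
    """Managed WLAN baseline, as known to the infrastructure (or fetched from
    the controllers by an overlay WIPS)."""
    managed_aps: Dict[str, str] = field(default_factory=dict)   # bssid -> configured SSID
    managed_clients: Set[str] = field(default_factory=set)
    authorized_ssids: Set[str] = field(default_factory=set)


Alert = Tuple[str, str, Optional[str]]   # (alert kind, bssid, client)


def classify_one(o: Observation, b: Baseline) -> List[Alert]:
    alerts: List[Alert] = []
    ap_managed = o.bssid in b.managed_aps
    client_managed = o.client is not None and o.client in b.managed_clients
    if o.ad_hoc:
        # A managed client talking peer-to-peer bypasses the infrastructure entirely.
        if client_managed:
            alerts.append(("ad-hoc-connection", o.bssid, o.client))
        return alerts
    # An AP we do not manage advertising one of our SSIDs is the classic rogue/honeypot.
    if not ap_managed and o.ssid in b.authorized_ssids:
        alerts.append(("rogue-ap", o.bssid, None))
    # A managed AP advertising something other than its configured SSID is drift.
    if ap_managed and o.ssid != b.managed_aps[o.bssid]:
        alerts.append(("ap-config-drift", o.bssid, None))
    if o.client is not None:
        if client_managed and not ap_managed:
            # e.g. a corporate laptop joining the neighbour's open network
            alerts.append(("unauthorized-connection", o.bssid, o.client))
        elif ap_managed and not client_managed:
            alerts.append(("unknown-client-on-managed-ap", o.bssid, o.client))
    return alerts


def classify(observations: List[Observation], b: Baseline) -> List[Alert]:
    return [a for o in observations for a in classify_one(o, b)]


# Constructed baseline: two managed APs, three managed clients, one corporate SSID.
BASELINE = Baseline(
    managed_aps={"00:11:22:33:44:01": "CorpNet", "00:11:22:33:44:02": "CorpNet"},
    managed_clients={"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"},
    authorized_ssids={"CorpNet"},
)

# Constructed observations from a sensor sweep.
OBSERVATIONS = [
    Observation("00:11:22:33:44:01", "CorpNet", "aa:bb:cc:00:00:01"),        # normal: managed client on managed AP
    Observation("00:11:22:33:44:01", "CorpNet", "aa:bb:cc:00:00:99"),        # unknown client on managed AP
    Observation("de:ad:be:ef:00:01", "CorpNet"),                             # unknown AP advertising our SSID
    Observation("ca:fe:00:00:00:01", "CoffeeShop", "aa:bb:cc:00:00:02"),     # managed client on neighbour AP
    Observation("02:aa:bb:cc:dd:01", "FileShare", "aa:bb:cc:00:00:03", ad_hoc=True),
    Observation("ca:fe:00:00:00:01", "CoffeeShop", "ff:ff:ff:00:00:01"),     # neighbour AP, neighbour client: not our problem
]


def false_alarms_without_baseline() -> int:
    """Alerts raised against our own managed APs when the WIPS has no baseline,
    i.e. the console synchronization the post describes is absent."""
    no_baseline = Baseline(authorized_ssids={"CorpNet"})
    return sum(1 for a in classify(OBSERVATIONS, no_baseline) if a[1] in BASELINE.managed_aps)


if __name__ == "__main__":
    for alert in classify(OBSERVATIONS, BASELINE):
        print(alert)
    print("false alarms on managed APs without a baseline:", false_alarms_without_baseline())
```

With the baseline in place the sweep yields four alerts, one of each kind, and the two benign observations stay quiet. Strip the baseline out and the WIPS still sees the real rogue, but it now also flags both sightings of the managed AP as rogues, which is exactly the false-alarm rate problem that makes baseline synchronization an operational (not just a convenience) consideration.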
Factor 4: Enterprise sourcing policy
This factor has more to do with policy than with technical and architectural considerations. Typical policy considerations include:
- Preferred vendor policy: Having the same vendor provide different components in the network typically brings in the benefits such as same point of contact, uniform support processes, preferred customer pricing etc.
- Vendor diversity policy: Some organizations, on the other hand, seek specialized expertise for each aspect of the network solution and are also picky about vendor independence in their network design.
- No-Wi-Fi policy (i.e., the WIPS is deployed to enforce a no-Wi-Fi policy), in which case there is no incumbent WLAN vendor in the network.
Overall, the above factors can serve as guideposts for objectively evaluating the two approaches to WIPS and making the choice that best suits your specific environment.
Finally, one thing I want to mention in passing is that the above discussion is focused on onsite WIPS deployments to keep the comparison apples-to-apples; but there is also a cloud-based (SaaS) WIPS deployment alternative available. In the cloud-based WIPS deployment, the WIPS sensors are used onsite, but the WIPS server is hosted in the cloud. Its economics work differently from the full onsite WIPS, since it eliminates the onsite WIPS server hardware and provides a hosted operational model and usage-based charging, as is typical of SaaS offerings. As to the detailed pros and cons between the onsite and the cloud models, maybe that is a good topic for another post.