WIPS Article from CWNP - Comments please
Last Post: October 31, 2005:
Comments please. Thanks,
Like the twist with Bluetooth, just in time for Wireless #.
Was just doing a Wireless Survey Report and we mentioned the need for a WIPS or WIDS from a vendor. With the growing use of Wifi and Bluetooth we can't be too careful.
I also downloaded a copy of the free software from Network Chemistry for Bluetooth detection and will register for AirMagnet's freebie.
Thanks for the article and look forward to more, especially as they relate to the Wireless competing technologies out there. UWB, Zigbee, IRDA, Wimax, WiBro, Bluetooth, EVDO, etc, etc, etc.
You and Kevin are right; non-Wi-Fi solutions create network vulnerabilities. Not just for Wi-Fi networks but for wired ones as well. WIDS can present ways to monitor but a better solution is prevention. This is where 802.1x-based solutions come in.
IEEE 802.1x-based solutions create client authentication mechanisms for both wired and wireless networks. 802.1x and RADIUS servers can be configured to allow ONLY valid users on the network, regardless of how they're accessing it. This solution is part of 802.11i for wireless security but .1x has been around for a long time. 802.1x is available for most enterprise-capable Ethernet switches and routers where a RADIUS server exists for backend user authentication.
The key to this solution is implementing EAP-based protocols that are part of 802.11i on the wireless side and 802.1x-based solutions for the wired side as well. It's all part of a well-rounded security standard that is implemented (and enforced) by corporate IT.
Most new 802.1x implementations are coming about due to the fact that advanced security mechanisms for wireless typically far outweigh what's been implemented on the wired side of the network. That's why it's often easier for a hacker to try and place his or her own AP (or non-Wi-Fi device) on an open Ethernet port inside the network than to try and hack a locked-down company AP. Why beat 'em when you can just join 'em?
Monitoring solutions and WIDS/WIPS will most likely advance to the stage where many types of potential wireless intrusions are scanned. But, like other advanced security monitoring products, they'll only be as good as the person who's getting the page at 4am or the person scanning the logs for problems. Prevention, in my opinion, is a much more effective way to deal with undesirables.
That's exactly what I've been seeing. When I do a lecture or teach a class on wireless security, I get heavy skepticism about the value of WIDS as it compares to preventative measures like 802.1x and wire speed firewalls. Though WIDS is valuable for identifying certain Denial of Service attacks, a far more effective way to guard against Rogue APs is by locking up wired ports.
In my view this is an important time for WIPS vendors. If they can get a foothold in the marketplace and convince IT managers that they are a luxury security item worth having, then they could thrive. If they don't gain that foothold now, it's possible that IT managers will just look to accomplish monitoring with mobile protocol analyzers and spectrum analyzers that help solve problems as they arise.