Devin's article in Network World
Last Post: January 19, 2007:
Devin, I saw your post under CWNP program but I thought that further discussion should be in CWSP.
I'm glad you list 802.1X on the wire as an option, but I don't agree with the holes you poke in it either.
“… a wireless intrusion prevention system (WIPS) is still necessary to identify, locate, and mitigate rogue APs.”
When talking strictly about rogue APs with 802.1X on the wire, what real security concern does a rogue AP pose? Here are some facts:
- If the rogue AP is connected to an Ethernet port (with 802.1X), at best, only an individual with proper credentials can authenticate.
- If a rogue AP is installed with the same SSID as the RSN, it could cause a temporary DoS, but nothing beyond that. There are much better ways for an attacker to perform a DoS without setting foot in the building.
- If an attacker was within the vicinity of the RSN and created a software AP, they too could cause nothing more than a DoS attack. (See the DoS comment above.)
- If an attacker was within the vicinity of the RSN and was looking for STAs probing for insecure networks, the attacker could hijack that STA and possibly gain access. However, this is not something that a WIPS can solve. This is something that has to be solved with endpoint security. Most attacks of this nature take place outside of the boundaries of the corporate network.
WIPS can stop authorized STAs from using unauthorized APs, to prevent accidental association and hijacking of STAs. But this only works if the STAs and rogue APs are within hearing range of the WIPS. The endpoints must be secure, as you stated. They are at the greatest risk when away from your protected area. An endpoint protection plan should include AD Personal, a firewall and a good up-to-date antivirus program, combined with user education. If the endpoint is hacked while away, the information gained could be used by an attacker later, back in your protected area. As for the placement of rogue devices on your network: if there is no physical security, there is no real security at all.
I think it is great that a WIPS can perform these functions. I'm just not a fan of WIPS being promoted as a prevention system for rogue APs. Sure, they can do a decent job if you are worried about your employees bringing in an unauthorized AP, but if an educated attacker brings in an AP, the WIPS is helpless. That is why I am such a big fan of 802.1X on the wire.
A WIPS has its place, but continuing to focus on rogue APs is a mistake.
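To make the over-the-air cases argued about in this thread concrete, here is an added example (not part of the forum discussion, and not code from any WIPS product) that performs the kind of triage a WIPS sensor does: it takes a list of observed beacons and probe requests, compares them against an authorized-BSSID list and a corporate SSID, and separates an authorized AP from a same-SSID twin, an open honeypot twin, and an unrelated foreign network. It also lists managed stations that probe for SSIDs outside the allowed set, which is the case the posters agree a WIPS can only report, not fix. The SSID `corp-rsn`, every BSSID and MAC address, the `Beacon`/`ProbeRequest` records and the sample capture are all constructed for the example; how an authorized list is actually maintained is an assumption.

```python
"""Toy over-the-air rogue-AP triage of the kind a WIPS sensor performs.

Added example, not part of the forum thread. All SSIDs, BSSIDs and the
scan records below are constructed; the policy model (an authorized BSSID
list plus one corporate SSID) is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

CORP_SSID = "corp-rsn"  # constructed corporate RSN name (assumption)
AUTHORIZED_BSSIDS = frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"})


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rsn: bool  # beacon carried an RSN information element (WPA2/WPA3)


@dataclass(frozen=True)
class ProbeRequest:
    sta: str
    ssid: str  # SSID the client asked for; "" means a wildcard probe


def classify_beacon(b: Beacon, authorized=AUTHORIZED_BSSIDS, corp_ssid=CORP_SSID) -> str:
    """Return one of: authorized, evil-twin, open-twin, foreign.

    authorized: BSSID is on the list.
    evil-twin:  corporate SSID from an unknown BSSID that advertises RSN
                (the same-SSID rogue discussed in the thread).
    open-twin:  corporate SSID from an unknown BSSID with no RSN element
                (a honeypot waiting for misconfigured or probing STAs).
    foreign:    some other network; no verdict on its own.
    """
    if b.bssid.lower() in {a.lower() for a in authorized}:
        return "authorized"
    if b.ssid == corp_ssid:
        return "evil-twin" if b.rsn else "open-twin"
    return "foreign"


def triage(beacons: Iterable[Beacon]) -> Dict[str, List[str]]:
    """Group observed BSSIDs by verdict; a BSSID seen on several channels appears once."""
    out = {"authorized": set(), "evil-twin": set(), "open-twin": set(), "foreign": set()}
    for b in beacons:
        out[classify_beacon(b)].add(b.bssid.lower())
    return {verdict: sorted(bssids) for verdict, bssids in out.items()}


def leaky_stations(probes: Iterable[ProbeRequest], managed_stas, allowed_ssids=(CORP_SSID,)):
    """Managed STAs that directed-probe for SSIDs outside the allowed set.

    The sensor can only report this; the fix is on the endpoint (remove
    remembered networks, disable auto-join), and the sensor sees nothing
    once the STA leaves its hearing range.
    """
    found: Dict[str, set] = {}
    managed = {m.lower() for m in managed_stas}
    for p in probes:
        if p.sta.lower() in managed and p.ssid and p.ssid not in allowed_ssids:
            found.setdefault(p.sta.lower(), set()).add(p.ssid)
    return {sta: sorted(ssids) for sta, ssids in found.items()}


# Constructed sample capture (not real scan data)
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:01", "corp-rsn", 1, True),
    Beacon("00:11:22:33:44:02", "corp-rsn", 6, True),
    Beacon("de:ad:be:ef:00:01", "corp-rsn", 6, True),    # same SSID, unknown BSSID
    Beacon("de:ad:be:ef:00:02", "corp-rsn", 11, False),  # open honeypot twin
    Beacon("aa:bb:cc:dd:ee:ff", "CoffeeShop", 11, False),
]
SAMPLE_PROBES = [
    ProbeRequest("10:00:00:00:00:01", "corp-rsn"),
    ProbeRequest("10:00:00:00:00:01", "linksys"),        # remembered open network
    ProbeRequest("10:00:00:00:00:02", ""),                # wildcard probe, ignored
    ProbeRequest("ff:ee:dd:cc:bb:aa", "FreeWifi"),       # not a managed STA
]
MANAGED_STAS = {"10:00:00:00:00:01", "10:00:00:00:00:02"}

if __name__ == "__main__":
    for verdict, bssids in triage(SAMPLE_BEACONS).items():
        print(f"{verdict:11s} {bssids}")
    print("leaky:", leaky_stations(SAMPLE_PROBES, MANAGED_STAS))
```

The whitelist-by-BSSID check is the part that fails against an attacker who clones an authorized BSSID as well as the SSID, which is the thread's point: the sensor only sees what is in range, and it classifies on what the frames claim, so the verdicts are an aid to investigation rather than a prevention control.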