With Wi-Fi networks now a ubiquitous feature in the modern world, they have become an attractive target for cyber criminals. Keen to steal data and infect systems, they are constantly on the lookout for vulnerabilities to exploit.
A quick search of YouTube shows just how prevalent the problem has become. There are hundreds of thousands of videos on the site explaining how to compromise Wi-Fi users with simple yet highly powerful tools that are readily found online. This situation makes it no surprise that wireless intrusion prevention is a top consideration for business owners deciding when and how to implement a Wi-Fi network.
Wi-Fi vendors have responded to this challenge by introducing Wireless Intrusion Detection Systems (WIDS) and Wireless Intrusion Prevention Systems (WIPS). Unfortunately, a large number of these tools are actually ineffective at accurately classifying access points and client devices as “good” or “bad” which leads to numerous false positives and negatives and ultimately IT admins disable WIPS altogether to avoid potential legal ramifications of accidentally interfering with neighbouring Wi-Fi networks. Having a clear understanding of how they work is therefore vital.
The facets of a WIPS
A robust WIPS solution must cover three key areas: detection, classification and prevention:
Detection covers the ability to discover all Wi-Fi devices, both infrastructure (APs) and clients, such as smart phones, tablets and laptops.
Classification is the ability to quickly and accurately classify each AP and client device as being authorised (on the monitored network and not malicous), external (not on the monitored network such as a neighbouring café or retail Wi-Fi hotspot network), or potentially harmful (on the monitored network and malicious).
Prevention is the ability to immediately quarantine any rogue client device or access point to prevent malicious activity before it occurs.
Impact of wrongful classification
The ongoing development of wireless security techniques has made client device and AP discovery and prevention relatively standard, however the classification aspect of the process remains problematic. Having the ability to accurately determine whether a device or AP on a network is truly malicious or just external is critical to effective threat mitigation.
Wrongful classification of an external AP or client device as rogue and taking action to isolate it can have a number of negative consequences ranging from reputation damage to legal implications.
A good WIPS solution will detect and provide visibility into all APs and client devices on or around an organisation's airspace. By the nature of how Wi-Fi works, even if a client device or AP is not directly connected to an organisation's network, it will still show up as being in its airspace. It is very important, therefore that a business is able to not only see that device but understand if it is truly connected or just within range before they take action against that device or AP.
The challenge of dense environments
For example, in a crowded inner-city environment, there can be dozens of businesses all broadcasting Wi-Fi within the same location. It is important that each business is able to manage the security of its Wi-Fi network without interfering with the service of their neighbours. Interfering with a neighbour's Wi-Fi network is not only inconvenient for that business owner, it is also illegal.
For this reason, it is critical for a WIPS solution to be able to not only find all client devices and access points in a business's airspace, but to also know the difference between truly rogue devices or APs and neighbouring (or external) devices or APs. Without the confidence in the classification aspect of WIPS, it is impossible to activate the prevention aspect of the tool.
This issue has been brought into focus by the alarmingly high number of businesses who have downgraded their WIPS solutions to WIDS solutions, only leveraging the detection aspect of the system and then relying on manual classification of each device or AP before action is taken.
While manual intervention techniques do ultimately result in the removal of harmful APs and devices from the network, it is not an immediate remediation of the threat. Sometimes hours, days, even weeks can go by before the threat is removed.
Unlocking the Power of WIPS
Understanding the often overlooked weakness of most WIPS offerings enables businesses to quickly hone in on the right questions to ask when making a Wi-Fi purchasing decision.
First, it is important to make sure the proposed solution includes WIPS and then to understand how that system handles classification. Almost all WIPS solutions are created equal when it comes to prevention techniques, the most common being to send standard IEEE 802.11 de-authentication requests to the rogue client devices and APs. Very few WIPS can accurately classify client devices and APs with low enough false positive or negative rates for admins to have confidence to enable prevention. WIPS that utilise techniques to correlate MAC addresses of client devices seen in the air with MAC addresses seen by network switching equipment are notoriously prone to high false positive rates and rendered useless. The same situation also occurs for WIPS utilising custom IPS detection signatures where manual intervention of tuning and scripting these signatures can result in a unusable WIPS. WIPS that utilise re-broadcast packets both on ethernet cabling and over the air are the most accurate and the ones where automatic prevention can be confidently enabled.
Without accurate classification, the prevention aspect of WIPS will no longer be immediate and instead becomes a manual process for the IT team or department.
By being aware of the importance of accurate classification, businesses can be confident they will selected the best protection system for their Wi-Fi infrastructure. The result will be a secure and robust wireless service for all users.