Douglas Haider

Cautiously Cutting the Cord

RSA inspired thoughts on wireless security

With the RSA conference in full swing, the theme of the week is definitely security.  However, RSA focuses on traditional security products and not my niche, which is wireless & mobile security.  Nevertheless, all the security related blogging and tweets did get me thinking about mechanisms for wireless security in the enterprise.  One of the main instruments for enterprise class wireless security is a wireless intrusion detection system (WIDS) or wireless intrusion prevention system (WIPS).

What are some of the main considerations when choosing a WIDS/WIPS design?  There are three main options: stand-alone systems, integrated systems, and overlay systems.   In this post, I will discuss the pros and cons of each.

Stand-alone Systems

A stand-alone WIDS/WIPS is one in which dedicated sensor devices, separate from your existing access points, are used for threat detection.  There are many vendors that specialize in this architecture, such as AirMagnet, AirDefense, AirTight, etc.  Since these vendors concentrate on wireless intrusion detection and prevention, they often have a much larger number of security metrics they can measure when compared to an integrated system.

On the other hand, the acquisition cost of purchasing a WIDS/WIPS server and stand-alone sensors (along with the associated costs of additional cabling, switch ports, power, etc.) is much higher than solutions that leverage existing access points. 

Integrated Systems

Another option would be to use existing access points to provide WIDS/WIPS functionality.  Most WLAN manufacturers offer this functionality, including Cisco, Aruba, and Motorola. (NOTE: This is actually a simplistic view of the vendor space as many WLAN vendors have either developed partnerships with or acquired stand-alone WIDS/WIPS vendors.  I am trying to focus on the design aspects, not on vendors).

At any rate, utilizing existing access points cuts down on the system cost.  Often there is an additional charge for a WIDS/WIPS "license", although there is no cost for additional devices, cables, etc.  There are also some efficiencies that can be gained by using the same vendor for access points and security sensors (for example support costs, training costs, etc.)   

However, the main drawback to integrated WIDS/WIPS is that they usually rely on time slicing.  Many access points on the market today are dual radio -- one for the 2.4 GHz frequency band and the other for the 5 GHz band.  Since they need to provide client access on these radios, they use a mechanism called "time-slicing" where the radios scan off-channel for a small period of time to look for security threats.  A common algorithm scans for 50 milliseconds every 16 seconds.  While this may sound fine upon a first pass, if you extrapolate the data (50 ms out of every 16 s is roughly 0.3% of the radio's time), it equates to only 4.5 minutes of scanning for every 24-hour period.
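To make the time-slicing cost concrete, here is a small model, added as an example and not code from the author or from any WIDS/WIPS vendor, that reproduces the 4.5 minutes per day figure and goes one step further: it estimates how long a time-sliced radio takes, on average, to catch a single beacon from a rogue access point, compared with a dedicated sensor radio. The channel count, the dedicated sensor's dwell time, and the 802.11 default beacon interval (100 TU = 102.4 ms) are assumptions made to get concrete numbers.

```python
# Model of the off-channel "time-slicing" duty cycle and the rogue-AP detection
# latency it implies. Added example, not the author's code; the channel count,
# the dedicated sensor's dwell and the 802.11 default beacon interval
# (100 TU = 102.4 ms) are assumptions used to make the numbers concrete.
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DEFAULT_BEACON_MS = 102.4  # 100 time units; the common AP default


@dataclass(frozen=True)
class ScanSchedule:
    dwell_ms: float   # time spent listening on an off-channel per visit
    period_s: float   # interval between successive off-channel visits
    channels: int     # channels the radio rotates through (assumption)

    def duty_cycle(self) -> float:
        """Fraction of wall-clock time spent scanning off-channel."""
        return (self.dwell_ms / 1000.0) / self.period_s

    def scan_minutes_per_day(self) -> float:
        return self.duty_cycle() * SECONDS_PER_DAY / 60.0

    def channel_revisit_s(self) -> float:
        """Seconds between two visits to the same channel (one channel per visit)."""
        return self.period_s * self.channels

    def beacon_hit_probability(self, beacon_ms: float = DEFAULT_BEACON_MS) -> float:
        """Chance that one dwell overlaps at least one beacon of a rogue AP whose
        beacon phase is uniformly random relative to the dwell window."""
        return min(1.0, self.dwell_ms / beacon_ms)

    def expected_detection_latency_s(self, beacon_ms: float = DEFAULT_BEACON_MS) -> float:
        """Mean time until the rogue's beacon is first captured: the number of
        visits needed is geometric with p = hit probability, and each extra
        visit costs one full channel revisit interval."""
        return self.channel_revisit_s() / self.beacon_hit_probability(beacon_ms)


# The schedule quoted in the text: 50 ms every 16 s, assumed to rotate over
# the 11 US 2.4 GHz channels.
TIME_SLICED = ScanSchedule(dwell_ms=50, period_s=16, channels=11)
# An assumed dedicated sensor radio that listens a full second on each channel in turn.
DEDICATED = ScanSchedule(dwell_ms=1000, period_s=1, channels=11)

if __name__ == "__main__":
    for name, s in (("integrated", TIME_SLICED), ("dedicated", DEDICATED)):
        print(f"{name}: {s.scan_minutes_per_day():.1f} min/day scanning, "
              f"beacon hit probability {s.beacon_hit_probability():.2f}, "
              f"expected rogue detection {s.expected_detection_latency_s():.0f} s")
```

The model shows that a 50 ms dwell is shorter than one beacon interval, so roughly half of the off-channel visits to the rogue's channel see nothing at all, which stretches the expected time to first detection to about six minutes versus a few seconds for a radio that listens continuously.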

Overlay Systems

This is where the same manufacturer provides both the access points and dedicated security sensors.  They are usually deployed in a ratio of approximately 3:1 (access points to sensors), since the signal quality needed to classify security threats can be much lower than what is required to reliably send and receive client data. Another overlay system design would be to dedicate one radio from a multi-radio device for WIDS/WIPS functions.

Depending on the particular implementation, overlay systems can either be a good compromise between functionality and cost, or they can be a middle of the road system that offers no real advantages. 

Conclusion

There are many different system designs for wireless intrusion detection and prevention systems.  They each have their own pros and cons.  What design would I suggest?  That really depends on the unique business and technical requirements of your organization.  Which architecture do YOU think is best?  Sound off in the comments section below!

Douglas J. Haider is a Principal Technologist with Xirrus.  He hosts a personal blog at WiFiJedi.com, and micro-blogs on Twitter @wifijedi.
