'No-Wireless' Policies?

What if I have a no-wireless policy in my enterprise - how many sensors will I need then?

13 Comments

A rule of thumb is that an AirMagnet sensor can cover 80,000 to 90,000 square feet.

Again, this depends on the customer's RF environment, but typically our 802.11n sensor can cover 15,000 to 20,000 square feet (in a typical enterprise office building).

Sensor coverage area varies from 15,000 to 60,000 square feet per sensor based on indoor propagation characteristics and deployment objectives (e.g., location tracking requires higher sensor density than rogue detection). An average coverage estimate of 37,500 square feet per sensor is typical for “no wireless” installations.

Hi folks... I have a couple of questions.

1) Does a "no wireless" policy usually mean "no wireless at all" or "no authorized wireless"?

2) With the rapid proliferation of devices like the Novatel "MiFi" that's a "personal hot spot," how much of a problem will this create? For instance, I often take my MiFi and my iPod Touch with me wherever I go for checking email, etc. Is it realistic to think that the corporate "wireless police" are going to detect my hot spot and come drag me off for this infraction?

Steve - No wireless policies typically mean no wireless at all because most IT and security teams don't want end-users in the network to bring their WiFi habits in from home. This is one of the classic sources of rogue APs in an environment: company has a "no wireless" policy, so employees bring their own access points from home, plug them in to the network and create unapproved access points directly into the corporate network.

Your example is a little less threatening because your MiFi is connecting up to a cellular network as opposed to plugging in to the enterprise ethernet jack. This limits some of the risk that your company will have of others breaking into the wired network directly. However, that said, there are still risks on the end-user side (i.e. there are still risks for you).

Hotspot connections are prime candidates for spoofing and evil twin attacks. For example, the Karma hacking tool is incredibly efficient at luring user laptops into fake connections by making the hacker look like the user's hotspot. If you do get lured into that bad connection, the hacker can start learning things about you like any web passwords, SMTP passwords, etc. Obviously this would be bad if it were to happen in the office, because a hacker could be sitting back learning the MAC addresses of employees while building a list of potential passwords for those users. So with all of that said, I think it will depend on your specific wireless policy on how they would deal with personal hotspots, because they are in a bit of a grey area. They aren't traditional rogue APs, but any time you have an unmanaged network access layer in an enterprise there is going to be the potential for problems.
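Editor's note: the Karma behaviour described in the comment above has a simple on-air signature that a sensor can look for, and it is worth seeing the logic rather than just the name. The block below is an added example written for this page, not code from the original thread or from any of the vendors in it. It runs over a constructed list of management-frame summaries (the kind of record a monitor-mode capture would be reduced to); the SSIDs, BSSIDs, client MACs and the "authorised BSSID per SSID" inventory are all made up for the demonstration. Two checks are shown: a BSSID that answers directed probes for many unrelated SSIDs (the Karma pattern, since a legitimate AP only answers for the SSIDs it serves) and a BSSID beaconing a sanctioned SSID that is not in the inventory (an evil twin). A third helper lists which clients received probe responses from a suspect, which is the forensic "who was talking to it" detail the thread later argues for.

```python
"""Detect Karma-style "answer every probe" behaviour and evil-twin BSSIDs.

Added example, not code from the original thread or any WIPS vendor.
Input is a constructed list of captured 802.11 management-frame
summaries (one dict per frame). The authorised-AP inventory and all
SSIDs/MACs are assumptions made up for the demonstration.
"""
from collections import defaultdict

# Constructed sample: frames a sensor might see over a short window.
# type is "beacon" or "probe_resp"; for probe responses, "to" is the
# client MAC the response was addressed to.
SAMPLE_FRAMES = [
    {"type": "beacon",     "bssid": "00:11:22:33:44:01", "ssid": "CorpNet",     "channel": 6},
    {"type": "beacon",     "bssid": "00:11:22:33:44:01", "ssid": "CorpNet",     "channel": 6},
    # A second radio claiming the corporate SSID on a different channel.
    {"type": "beacon",     "bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet",     "channel": 11},
    # Karma behaviour: one BSSID answers probes for whatever SSID each
    # client asked for (personal hotspot, home router, coffee shop...).
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "MiFi_1234",   "channel": 11, "to": "aa:bb:cc:00:00:01"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "linksys",     "channel": 11, "to": "aa:bb:cc:00:00:02"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "CoffeeWiFi",  "channel": 11, "to": "aa:bb:cc:00:00:03"},
    # A normal neighbour AP answering a directed probe for its own SSID.
    {"type": "probe_resp", "bssid": "66:77:88:99:aa:bb", "ssid": "NeighborNet", "channel": 1,  "to": "aa:bb:cc:00:00:04"},
    {"type": "beacon",     "bssid": "66:77:88:99:aa:bb", "ssid": "NeighborNet", "channel": 1},
]

# Assumed inventory: which BSSIDs are allowed to advertise each sanctioned SSID.
AUTHORISED = {"CorpNet": {"00:11:22:33:44:01"}}


def find_karma_suspects(frames, min_distinct_ssids=3):
    """Return {bssid: [ssids]} for BSSIDs that sent probe responses for at
    least min_distinct_ssids different SSIDs.

    A real AP answers probes only for the SSID(s) it serves. A Karma-style
    tool answers every directed probe with whatever SSID the client asked
    for, so one BSSID fans out across many unrelated SSIDs.
    """
    ssids_by_bssid = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_resp":
            ssids_by_bssid[f["bssid"]].add(f["ssid"])
    return {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= min_distinct_ssids}


def find_evil_twins(frames, authorised):
    """Return sorted (ssid, bssid) pairs where a sanctioned SSID is beaconed
    by a BSSID that is not in the inventory for that SSID."""
    seen = set()
    for f in frames:
        if f["type"] == "beacon" and f["ssid"] in authorised and f["bssid"] not in authorised[f["ssid"]]:
            seen.add((f["ssid"], f["bssid"]))
    return sorted(seen)


def lured_clients(frames, suspects):
    """Return {bssid: [client MACs]} for clients that received a probe
    response from a suspect BSSID (the who-was-talking-to-it detail)."""
    out = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_resp" and f["bssid"] in suspects:
            out[f["bssid"]].add(f["to"])
    return {b: sorted(c) for b, c in out.items()}


if __name__ == "__main__":
    karma = find_karma_suspects(SAMPLE_FRAMES)
    print("Karma-style responders:", karma)
    print("Evil twins:", find_evil_twins(SAMPLE_FRAMES, AUTHORISED))
    print("Clients lured:", lured_clients(SAMPLE_FRAMES, karma))
```

The threshold of three distinct SSIDs is a tuning choice: a legitimate multi-SSID AP can answer for a handful of names, so in a real deployment the count is compared against the SSIDs that BSSID actually beacons, and the "to" field is what turns the alert into an incident record naming the affected clients.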

Followup question:

Among the three of you, you've indicated that a single WIPS sensor can cover somewhere between 15,000 and 90,000 square feet. Math has never been my strong suit, so help me: An 802.11-standard device can reach somewhere between 230 and 850 feet (depending on whether it's indoor or outdoor, what flavor of 802.11 is in use, and the nature of the environment). So how can a single sensor cover many thousands of feet? Thanks in advance!

Joanie,

This is a good question and it points to the very real challenge of guessing coverage areas without knowing anything about the physical characteristics of an environment. First, let's address the issue of why coverage areas can vary so widely. We are talking about the coverage area of something that is essentially a circle, and going all the way back to our basic geometry we know that our coverage area is going to change as the square (as in πr²) of the range of the sensor. So to cover 20k sq ft, a sensor would need to be able to detect and block all threats within a radius of 80 ft. To cover 80k sq ft, the sensor would need to cover a radius of 160 ft (a four-fold change in coverage area based on a two-fold change in listening range). So that initial coverage range is very important and will vary based on the environment. A hospital with obstructions and heavy walls could be on the low end at 15k square feet, whereas an airport with much more open space could be closer to the 80-90k range.

As for the prevention ranges related to 11n, purpose-built sensors will have the ability to select the frame rate at which the prevention commands are sent. So even if you are blocking a device that is transmitting at a high data rate (say 200 Mbps), it does not mean that your blocking message must be at 200 Mbps. Your blocking messages can use lower data rates, which can cover larger areas.

Question for you on your comment Wade. If your sensor is not close enough to a 11N threat transmitting at 200 Mb, how are you going to detect it? I agree with you that prevention can be done at lower data rates but unless you can detect the threat, how will the sensor prevent it?

BTW, I can give you several examples where the threat (i.e. device) is only operating at 11N data rates... This includes rogue APs, client ad hoc connectivity, etc.

Hi Sri,

I definitely understand and agree with your point, but that logic would seem to imply that the only way to size a generic sensor deployment would be based on the smallest possible footprint of a potential rogue or threatening device. Certainly, this is a good view to consider, but it also will get infinitely small. Take your own example a step further. Instead of a device transmitting at 200 Mbps, what if we set a device to only connect at 300 Mbps and then also turned the transmit power down to 5 mW. You can make the rogue’s coverage area so small that a sensor deployed every 15k sq ft would also never see it. Admittedly, this is a pretty impractical hack, because of course, if you can't hear the rogue to detect him due to poor range, that same rogue will also not be able to transmit data very far. In other words, if you can’t hear a rogue from 30 feet away, then that rogue isn’t going to be able to pump data very far either. But my point in all of this is that setting sensor coverage area based on the smallest potential coverage area of a hacker is a very slippery slope and one that certainly does not stop at 80k, 40k or even 15k sq ft. You can always make your net finer.

However, in the real world, 11n devices have a similar range to legacy 11a/b/g devices and they are designed to be heard at those ranges because they will need to probe and beacon in order to find connections (management traffic typically uses lower speeds to ensure good range). Look at it this way: if 11n devices were only using the highest 11n data rates, then customers that are migrating from 11a/b/g to 11n would all have to be deploying three or four 11n APs for every legacy 11a/b/g device that they are replacing. This is the exact opposite of what we see in real deployments where network owners are deploying the same or fewer APs when they move to 802.11n.

So to be clear, these are issues that apply pretty equally to all of us as WIDS/WIPS solutions. One vendor’s sensors don’t listen 3 times further than the others - we all play by the same basic RF rules. But the follow up question from Joanie was trying to determine the source of the big variance in sensor coverage. That variance stems from whether you answer the question based on how far the sensor can actually listen (a large distance), or how far your weakest threat can transmit (a smaller distance). I answered the original question with the coverage area of the sensor because it is a repeatable constant. The physical characteristics of the sensor do not change, whereas the smallest-threat footprint is much more open-ended.

Great, thanks Wade for your detailed answer. I do want to point out I am not talking about corner case scenarios here. The most common threats we find in the enterprise today are insiders (i.e. authorized users) plugging in consumer-grade 11N rogue APs, Adhoc connections between 11N enabled laptops, etc. Reality is that we are not in 11abg world anymore as we have moved to 11N technology. If you walk into your nearest electronics store, all you can buy today are 11N consumer Wi-Fi devices. So my point is deploying a sensor at 80K-90K sq ft (i.e. listening range of 160 ft) sets up an enterprise customer for failure as far as detecting & preventing common 11N threats.

I also want to point out there are limitations on catching management frames at lower data rates for detecting and managing 11N threats. While you may be able to catch the beacons at the lower data rates and identify the 11N rogue AP, you are going to miss critical information on who is associating with the rogue AP, etc (who/what/when as far as forensics data). As far as client related threats (example: client misassociation where an authorized client connects to a neighbor AP) all bets are off if the client devices use 11N data rates only. Bottom line here again is you need to be able to listen to 11N data rates.

Lastly, AirTight recommends the 15-20K range because this is a listening range of 70-80 ft that detects most of the common 11N threats that are relevant to enterprise customers. This means being able to catch most of the associations to an 11N rogue AP, 11N ad hoc connections between 11N-enabled laptops, etc. This is not a corner case scenario; these are real-world scenarios we find in our customer deployments.

Sri,

Good post and good points. I think we are largely in agreement, especially on the effective ranges of the various 11n data rates. The only area that I would split hairs a bit is around the hard minimum coverage area for the sensors. From a security standpoint, I would argue that you do not need to see all 11n data rates in order to provide good security. We will detect the presence of rogue devices via probes and beacons, will be able to correlate those devices in terms of presence on the wire and also be able to block those devices, all at distances far greater than 70 feet. This type of detection, correlation and remediation is a core capability that many customers are looking for in their WIPS solutions, and as such we could meet their needs while keeping sensor costs low.

I would agree however that it is certainly better if the sensors can see more 11n data rates. And again, just splitting hairs at this point, I certainly don’t think you need to see ALL 11n data rates in order to provide excellent intrusion detection. For instance, I don’t personally know of intrusion detection methods that would be successful based on seeing 240Mbps frames and not if you could only see 216Mbps frames. By and large, normal traffic has a naturally wide blend of data rates, so you are going to see the traffic you need in order to detect threats. Where we DO see the need to analyze all of the higher 11n data rates is in the area of performance analysis. If you are using the AirMagnet system to monitor and optimize your 11n deployment and you need the system to automatically tell you how to improve your performance from 130Mbps to 200+, then you certainly want to see all those data rates, and for those customers we do recommend a more dense deployment of sensors for that purpose.

So again, I think you are spot on that there are advantages of seeing higher 11n data rates. I just think that it’s hard to set a real rigid minimum or maximum sensor coverage area without understanding the environment, what the customer needs to accomplish and the costs of those trade-offs.

Good question Joanie. We get lots of questions from our customers regarding this as there is lots of misinformation out there. What customers need to understand is that an 802.11n sensor can detect & prevent devices connecting using legacy data rates (i.e. 11abg data rates) at longer range than devices using 11n data rates. Due to this, detection & prevention range for 11n devices is considerably smaller than 11abg devices. If you try to deploy a sensor per 60K or 90K square feet for that matter, you will not be able to detect and/or prevent 11n devices at this range. Our real life testing has shown required density is 15K to 20K sq feet per sensor in a typical office building such that all threats (including 11n devices) can be addressed.
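Editor's note: the whole exchange above turns on two pieces of arithmetic that nobody writes down: how far a given data rate can be heard (receiver sensitivity against path loss), and how a listening radius turns into "square feet per sensor" and then into a sensor count. The block below is an added example written for this page; it is not code or measured data from AirMagnet, AirTight or any other participant. It uses a plain log-distance path-loss model; the rogue's transmit power (17 dBm), the path-loss exponent (3.5, an assumed obstructed-office value) and the per-rate sensitivities (chosen to sit near the 802.11 spec minimums) are all assumptions, so the numbers are illustrative, not a substitute for a site survey. It goes one step beyond the thread's πr² by also computing the gap-free hexagonal layout a planner would actually deploy, and by showing what a few dB of extra link budget (transmit power or receiver sensitivity) buys in range.

```python
"""Range and sensor-density arithmetic behind the discussion above.

Added example, not from the original thread or any vendor. Uses a simple
log-distance path-loss model; transmit power, path-loss exponent and the
per-rate receiver sensitivities are assumptions near 802.11 spec minimums,
not measured values.
"""
import math

FT_PER_M = 3.28084

# Assumed receiver sensitivity (dBm) needed to decode each rate. Higher
# rates need more signal, so they are decodable over a shorter distance.
SENSITIVITY_DBM = {
    "1 Mbps (11b)": -95,
    "6 Mbps (11a/g)": -82,
    "54 Mbps (11a/g)": -65,
    "65 Mbps (11n MCS7)": -64,
    "300 Mbps (11n MCS15, 40 MHz)": -61,
}


def path_loss_db(distance_m, exponent=3.5, pl_1m_db=40.0):
    """Log-distance path loss: loss at 1 m plus 10*n*log10(d).
    40 dB at 1 m is roughly free space at 2.4 GHz; n = 3.5 is an assumed
    obstructed-office exponent (2 is free space, 4+ is heavy walls)."""
    return pl_1m_db + 10 * exponent * math.log10(distance_m)


def max_range_m(tx_dbm, sensitivity_dbm, exponent=3.5, pl_1m_db=40.0):
    """Invert path_loss_db: farthest distance at which received power
    still meets the sensitivity needed for a given rate."""
    budget_db = tx_dbm - sensitivity_dbm - pl_1m_db
    return 10 ** (budget_db / (10 * exponent))


def range_by_rate(tx_dbm=17, exponent=3.5):
    """Detection range in feet for each rate, for a 50 mW (17 dBm) rogue."""
    return {rate: max_range_m(tx_dbm, s, exponent) * FT_PER_M
            for rate, s in SENSITIVITY_DBM.items()}


def radius_for_area_sqft(area_sqft):
    """Listening radius implied by a quoted 'sq ft per sensor' (area = pi r^2)."""
    return math.sqrt(area_sqft / math.pi)


def sensors_needed(floor_sqft, radius_ft, layout="hex"):
    """Sensor count for a floor. 'circle' uses pi r^2 as the thread does;
    'hex' uses the area one sensor owns in a gap-free hexagonal layout
    (3*sqrt(3)/2 * r^2), which is what you would actually deploy."""
    if layout == "circle":
        per_sensor = math.pi * radius_ft ** 2
    else:
        per_sensor = 1.5 * math.sqrt(3) * radius_ft ** 2
    return math.ceil(floor_sqft / per_sensor)


def range_factor_for_db(delta_db, exponent=3.5):
    """Multiplicative range change from delta_db more link budget (higher
    TX power on the blocker or a more sensitive receiver). Covered area
    changes by the square of this factor."""
    return 10 ** (delta_db / (10 * exponent))


if __name__ == "__main__":
    for rate, ft in range_by_rate().items():
        print(f"{rate:30s} detectable to ~{ft:4.0f} ft")
    for area in (20_000, 80_000):
        r = radius_for_area_sqft(area)
        print(f"{area:,} sq ft/sensor -> radius {r:.0f} ft; a 100k sq ft floor needs "
              f"{sensors_needed(100_000, r, 'circle')} (circle) / {sensors_needed(100_000, r)} (hex)")
    f = range_factor_for_db(3)
    print(f"+3 dB buys x{f:.2f} range, x{f * f:.2f} area")
```

With these assumptions the 6 Mbps beacons and probes of a 50 mW rogue are decodable out to roughly 160 ft, which is Wade's 80k sq ft figure, while the 300 Mbps 40 MHz rate is only decodable to about 40 ft, which is inside Sri's 70-80 ft. Both camps are reading the same model at different rates, and which rate you size for is the design decision the thread is really arguing about. Note also that the hexagonal count is always higher than the circle count, because circles cannot tile a floor without overlap.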

There seems to be a lot of discussion on this thread. Here are some of my comments/observations:

1. Sensor coverage is very dependent on the RF characteristics of a given facility. Given an installation, we use the Motorola LANPlanner tool to accurately determine the number and location of sensors. LANPlanner uses a 3D RF simulation that can account for the attenuation and propagation characteristics of various obstacles (dry wall, concrete, glass, etc.), as well as model the effects of multipath fading given actual 3D geometry (elevator shafts, atriums, cubicle walls, etc.).
http://www.motorola.com/business/v/index.jsp?vgnextoid=061220d9881a6110VgnVCM1000008406b00aRCRD

2. For WIPS detection purposes, most of the management frames are transmitted at legacy 802.11a/g rates, that have a much larger range (given lower SNR requirements) than the High Throughput (HT) rates of 802.11n. I do agree with Wade. You do not always have to design sensor deployments for receiving the highest data rates. In the 2.4 GHz band, legacy protection almost always kicks in and you see a lot of chatter using legacy rates.

3. RF design of the sensor DOES matter. For example, the Motorola AirDefense AP7131N based sensor has a radio capable of transmitting 27.7 dBm (588 mW conducted) of output power compared to the traditional 200 mW aggregate 802.11n radios. This means that it can terminate clients further off, translating to a 60% coverage increase. In addition, careless receiver design can easily result in degraded system noise figure, resulting in reduced sensitivity and ultimately reduced sensor listening range. There is a difference between enterprise class WLAN radios and consumer grade equipment. Bottom line is that all sensors are not made equal.
http://investor.motorola.com/releasedetail.cfm?ReleaseID=444062

4. #Steve – No wireless typically means “no unsanctioned wireless, connected to the wired network”. If you try to enforce a “no wireless” policy in the middle of Manhattan, you will see a lot of neighboring traffic. The trick is to be able to tell “neighbors” from “real rogues” that are physically connected to the corporate wired network. Rogue devices come in various flavors (routers, bridges, etc.), they may have encryption enabled, they may be on isolated LAN segments. The key is to be able to detect all rogue scenarios without requiring a wired sensor on all segments. AirDefense has several “no wireless” deployments such as the Federal Aviation Administration (FAA) and the US Army. The following links will give you more details on the requirements and solutions.
http://www.airdefense.net/newsandpress/11_27_06.php
http://www.airdefense.net/newsandpress/02_06_07.php
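Editor's note: two commenters above (Wade on "correlate those devices in terms of presence on the wire", and the Motorola post on telling "neighbors" from "real rogues" that are cabled into the corporate LAN) refer to the wired/wireless correlation step without showing it. The block below is an added example written for this page; it is not AirDefense's, AirMagnet's or AirTight's method, and it uses only one widely known heuristic: a consumer AP's LAN MAC and its radio BSSID are usually derived from one base address and differ only in the low byte or two, so a BSSID that numerically "neighbours" a MAC in a switch's forwarding table is a strong candidate for a rogue plugged into that switch port. The switch CAM table, the BSSIDs seen on air and the sanctioned inventory are constructed sample data; the ±16 address window is an assumption. The heuristic produces leads for follow-up, not proof, and commercial products corroborate it with other techniques (the Motorola comment mentions detecting rogues on isolated segments without a wired sensor everywhere, which this simple lookup cannot do).

```python
"""Sort detected BSSIDs into sanctioned / rogue-on-wire / neighbour.

Added example, not the logic of any WIPS vendor in the thread. Heuristic:
consumer APs usually assign their wired MAC and radio BSSID from one base
address, so a BSSID within a few addresses of a MAC seen on a switch port
is probably that device, cabled into that port. All data is constructed.
"""

SANCTIONED_BSSIDS = {"00:11:22:33:44:01"}   # assumed inventory of approved radios

# Constructed switch forwarding (CAM) table: MAC -> (switch, port)
CAM_TABLE = {
    "00:11:22:33:44:00": ("sw1", "Gi1/0/1"),   # wired side of the sanctioned AP
    "c0:ff:ee:00:10:40": ("sw1", "Gi1/0/17"),  # wired side of an employee's home router
    "aa:bb:cc:00:00:01": ("sw2", "Gi1/0/3"),   # an ordinary wired laptop
}

# Constructed air-side observations from the sensors: BSSID -> SSID
SEEN_BSSIDS = {
    "00:11:22:33:44:01": "CorpNet",
    "c0:ff:ee:00:10:43": "linksys",       # radio MAC of that home router
    "66:77:88:99:aa:bb": "NeighborNet",   # across the street, never on our wire
}


def mac_to_int(mac):
    """'aa:bb:cc:dd:ee:ff' -> integer, so address distance is plain subtraction."""
    return int(mac.replace(":", ""), 16)


def oui(mac):
    """First three octets (vendor prefix), lower-cased."""
    return mac.lower()[:8]


def wired_match(bssid, cam_table, window=16):
    """Return (distance, wired_mac, (switch, port)) for the closest CAM entry
    that shares the BSSID's OUI and lies within +/-window addresses of it,
    or None. A window of 16 (assumed) covers devices that reserve a small
    block of consecutive addresses per chassis."""
    target = mac_to_int(bssid)
    best = None
    for mac, where in cam_table.items():
        if oui(mac) != oui(bssid):
            continue                      # different vendor prefix: not the same box
        dist = abs(mac_to_int(mac) - target)
        if dist <= window and (best is None or dist < best[0]):
            best = (dist, mac, where)
    return best


def classify(seen, cam_table, sanctioned):
    """Map each BSSID to ('sanctioned' | 'rogue-on-wire' | 'neighbor', ssid, port)."""
    result = {}
    for bssid, ssid in seen.items():
        if bssid in sanctioned:
            result[bssid] = ("sanctioned", ssid, None)
            continue
        m = wired_match(bssid, cam_table)
        if m:
            result[bssid] = ("rogue-on-wire", ssid, m[2])   # lead: go pull that cable
        else:
            result[bssid] = ("neighbor", ssid, None)        # heard on air, no wired trace
    return result


if __name__ == "__main__":
    for bssid, (verdict, ssid, where) in classify(SEEN_BSSIDS, CAM_TABLE, SANCTIONED_BSSIDS).items():
        loc = f" on {where[0]} {where[1]}" if where else ""
        print(f"{bssid} ({ssid}): {verdict}{loc}")
```

In practice the CAM table comes from polling the switches (SNMP or the CLI), and a hit on a sanctioned OUI needs the same scrutiny as any other: the verdict for the home router above is only "probably on port Gi1/0/17", which is exactly what an operator needs to go and look.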