Dedicated vs. Integrated WIPS?

What are the tradeoffs, functional or monetary, for using dedicated WIPS sensors versus a WLAN AP doing double duty as both AP and security sensor?

5 Comments

There are several reasons that you would not want to have an AP do double duty as both an AP and a security sensor. First and foremost, if you are using the same AP radio to perform IPS functions and serve client data, you are grossly limited in what you can detect and enforce.


For example, most APs that use this so-called "time-slicing" approach to security spend less than 1 second per minute scanning for security issues. This means you can only catch problems that are obvious and that can be conclusively determined with just a single packet or two. It also means that you will miss the vast majority of exploits and hacks that require impersonation, traffic injection or multiple steps. Think of it this way: how good would your firewall and wired IPS be if they only sampled traffic once a minute? Not good. Additionally, there is a host of best-of-breed features in dedicated WIDS systems that simply aren't available in integrated solutions, such as regulatory compliance reporting, forensic analysis and event troubleshooting, in addition to the hundreds of additional threat detections that you get as part of a dedicated solution.

Next, and just as importantly, is the fact that by combining your access layer and security layer into a single box, you have created a single point of failure that is open to attack. All APs are subject to DoS attacks despite various technologies like protected frames, packet dropping and the like. An access point's fundamental job is to talk to stations, and there are always ways to knock over a data-serving device. It is obviously a bad idea to have your security and monitoring capabilities fail every time your network fails; that's actually when you need those functions the most. This, not incidentally, is why these functions are always separated in an enterprise wired network.

Additionally, WLAN security is changing rapidly, with new forms of attacks that require regular updates to stay current with the state of the art and changes in the hacking community. This could be a new hack or intrusion technique, or it could be a new client that is resistant to blocking. By having the security layer separated from the network itself, managers can easily update the security system on demand without risking an upgrade to the entire infrastructure.

The obvious advantage of integrating security into the access point is the perceived cost advantage. However, if we use the part-time security method described above, we are really getting a false sense of security by looking only at a snapshot of traffic. On the other hand, we could have an AP with extra radios dedicated to full-time scanning. These devices are significantly more expensive than a standard AP, have very high power requirements, and we are still subject to the DoS attacks and single point of failure issues. The real solution is to dedicate an AP to be a full-time, non-data sensor that only does WIDS/WIPS. This typically leads to a solution that is more expensive than a best-of-breed WIDS/WIPS solution and with a fraction of the functionality.

This is a question of whether part-time security is good enough. Will you be able to sleep at night knowing your firewall may protect you 50% of the time, but not being sure otherwise? The same goes for WLAN security.

Functional trade-offs when a WLAN AP is doing double duty as both an AP and security sensor: the AP can do reliable detection of threats on serving channels only, cannot spend a significant amount of time on other channels, and the administrator cannot enable prevention for various threats. Even if the AP is able to scan non-serving channels, this introduces a significant delay in threat detection and can miss instantaneous threats like client mis-association, which typically lasts for a shorter time duration. As far as prevention, it is nearly impossible for an AP to do effective threat prevention given that its primary role is to serve end-users. Lastly, the number of techniques used for threat detection and classification tends to be minimal on the AP (as well as on the controller), thus resulting in a high number of false positives.

The monetary trade-off is the amount of CapEx investment versus ongoing OpEx costs. While integrated WIPS can reduce CapEx, it is likely to significantly increase OpEx due to the increased manual involvement required for the administrator to manage WLAN threats. This includes dealing with a large number of false positives on a daily basis, the physical walk-around required to do audits using a WLAN sniffer (running on a laptop), etc. In the longer term, investment in dedicated WIPS will lower total cost of ownership as compared to integrated WIPS.

An “integrated” WIPS offers reduced cost by eliminating the extra cost associated with an overlay network (Ethernet, switch ports) required for WIPS sensor-only deployments. In the past, this was done by “part-time scanning” APs. The APs provided access and occasionally scanned other channels as a WIPS sensor. The result was reduced security effectiveness.

It is important to realize that dedicated or 24x7 WIPS capabilities can be fully integrated into a band-unlocked, multiple-radio AP such that the cost savings are realized without loss in security. For example, Motorola’s WLAN Access Points (APs) include band unlocked, dual and tri-radio options that can provide 24x7 WIPS sensor on one radio while the second radio serves as an AP. As a result, enterprises do not incur the extra cost associated with standalone WIPS sensors and overlay installation.

In “no wireless” installations, you do need a standalone sensor to enforce the “no wireless” policy. However, leveraging integrated sensor/APs allows customers the flexibility to deploy WLANs, should they choose to support wireless in the future.

Another reason to use WIPS sensors (as opposed to AP-based rogue detection) is that it's important to monitor for unauthorized wireless activities or attacks in locations where you DON'T have APs installed. It is in locations with weak or no legitimate WLAN coverage that employees are most likely to install their own APs, connect to neighboring APs, or get tricked into associating to a fake AP (evil twin). Sure, you could deploy an AP in monitor-only mode to keep watch over a no-coverage area - but a well-placed sensor can probably cover more territory at lower cost. Bottom line: Make sure your wireless surveillance footprint extends beyond the edge of your production WLAN, no matter what kind of device you choose to deliver full-time monitoring.

For an additional perspective, I suggest that you might want to check out the comments for the Building Secure Wireless LANs paper.