Using WIPS in Wireless Networks – Protection and Performance

By Chris Lyttle ·

We are often asked by customers about the relative value of implementing WIPS (Wireless Intrusion Prevention/Protection Systems) in their enterprise network environments either to support a “no wireless” policy or to augment a WLAN solution and add an additional layer of protection. It seems a lot of people equate this kind of system with the wired IPS (Intrusion Prevention/Protection Systems) they may have implemented or looked at in their networks and make a judgment call on the value of implementing something similar on the wireless side. My viewpoint is somewhat different in that I see WIPS as being necessary not only for protection against wireless attacks, but also as being one of the best ways to monitor the health and performance of a wireless network. Recent market analysis done by firms such as Gartner also came to the same conclusion, they see the WIPS market as not only being about mitigating security problems but also about managing the performance and in some cases helping to isolate problems organizations are facing on the WLAN.

There are two basic architectures used by WIPS systems. First is the overlay architecture. This uses specialized access points that are deployed throughout the enterprise in order to provide ubiquitous WIPS coverage and triangulate any place that wireless attacks might come from while also monitoring the wireless infrastructure. Being highly specialized like this gives a great deal more information as to what’s going on in the wireless network. The second architecture that is used is the time-slicing or you could also say integrated architecture. This approach uses regular AP’s which are deployed and serving WLAN clients and for a few milliseconds take a ‘slice’ of time to scan for wireless attacks and to monitor the wireless network.

There are costs and benefits to both of these architectures in WLAN design. For the overlay architecture there is the obvious cost up front of purchasing additional specialized access points to cover the entire RF footprint of the enterprise. There are also several benefits to this architecture, first the ability of the overlay architecture to constantly monitor and if necessary to mitigate attacks and rogues in the network gives it a big advantage. The vendors that have this kind of architecture usually are able to see in much more detail the performance of the radio spectrum that is in use as well and this gives them an advantage in being able to identify when there is interference or other performance problems with the WLAN. The downside to this is that it requires more knowledge on the part of the wireless engineer who is managing the network to be able to identify why the performance is suffering or where the wireless attack could be attempting to exploit a weakness in the WLAN network. This complexity can also be difficult for someone who has to work with many other technologies outside of wireless. Overlay WIPS architectures are also commonly used to enforce a no-wireless policy that an enterprise may have because they do not allow any clients to connect and do not provide network access.

The time slicing or integrated architecture has the advantage that it can utilize existing AP’s that are deployed in the enterprise WLAN. This lowers substantially the cost of a WIPS deployment, especially where the main thrust of the deployment is to assist in client monitoring and rogue detection. As this architecture is normally integrated into the WLAN architecture, the management tools used are also usually a part of that WLAN’s management system. This gives the wireless engineer less tools to learn and potentially a more streamlined way of monitoring and being notified of problems with the WLAN. The downside to this is that as the AP is doing dual jobs, monitoring the network as well as servicing clients, it may end up in a situation where it does neither job very well. The basic operation of this kind of architecture is to spend part of the AP’s time servicing clients and part scanning the network for problems. In the case of voice or video usage in the WLAN a very big factor in them operating well is the latency of the connection. When the AP has to stop and spend part of its time to do a scan, then it will by its very nature introduce latency to the network and affect those protocols. When the AP is scanning there is a problem in that it may miss a wireless attack or network performance problem as it was not scanning but servicing clients when the attack started and also there is a problem where it cannot constantly try to mitigate the attack as it has to go back to servicing clients.

I would encourage strongly anyone who is thinking about implementing a WLAN in their enterprise to consider the benefits of a WIPS solution. As WLAN technologies mature and become relied on by your employees to do their jobs, being able to properly monitor and manage the performance of the WLAN also becomes critical to the business. WLAN’s have become much more secure in recent years with the adoption of standards such as AES encryption and 802.1X authentication for clients, but there continues to be a challenge in properly managing and preventing attacks on the wireless infrastructure. I would also suggest that the overlay architecture will provide the best value for situations where the WLAN is critical for business processes. There are vendors in the market now with overlay systems that are easy to setup and use and also vendors that provide a large set of additional features and enhanced functionality that will enable someone who needs complete control to monitor every aspect of their WLAN.