Intrusion Detection Systems (IDS) for WLANs have some quite different characteristics from those designed for your wired network. But sometimes their vendors try to be a bit too clever. We look at what you should expect - and what you probably don’t need.

Attacks to mitigate against
There’s a lot of press about WLAN IDS just now - but the main topic is about tracking down rogue APs and end stations. Just as in the wired world, a true IDS has to deal with a variety of threats, including unauthorised users intruding into your network, and valid users carrying out potentially damaging actions, whether maliciously or through carelessness.

  • Reconnaissance scans, using tools like Netstumbler, don’t in themselves do any harm, but they are an indication of someone trying to gain information about your WLAN environment probably in preparation for an attack, and should be detected and alerted on. A related problem is that of eavesdropping user data for company confidential information.
  • Rogue APs, unauthorised APs that are plugged into your corporate LAN, and therefore create a completely open path into your company network, bypassing all your security measures.
  • Impersonation of an AP, a different issue from rogue APs, these don’t actually connect to your wired infrastructure. They may be perfectly legitimate APs, belonging to the company upstairs, for instance, or they may be someone pretending to be one of your APs in an effort to get stations to associate and give them the chance to find out some useful company confidential information.
  • Denial of Service attacks on your WLAN. There is a whole (ha ha) spectrum of WLAN DoS attacks, starting with the brutality of RF jamming, in which the attacker broadcasts large amounts of noise over the spectrum, and effectively stops anyone from using the network. More subtle variants include flooding an AP with association or authentication requests, so that it can’t service real users (this can also be used to impact your authentication server), or spoofing deauthentication messages to your users - either to one station as part of a man-in-the-middle attack, or as a broadcast to kick all your users off the AP targeted.
  • Network intrusion by an unauthorised end station might be just someone wanting to hijack your network to gain free bandwidth to the Internet. This in itself may not be harmless, if they do anything illegal with this bandwidth, or create a nuisance for which you get the blame. Alternatively it could be someone trying to get access to your corporate resources.

Mitigation methods
All of the above can be detected (and prevented). But does it need a pure wireless IDS solution? Some elements may already be covered by your wired IDS methods, while others may be handled as part of whatever WLAN management system you use.

The issue of eavesdropping, for example, is more or less nullified if you’re using encryption. Other attack behaviour is detected on the wire, so it is worth asking yourself if a wired IDS system (which you may already have) could be tuned to find it.

Some features provided by wireless management systems, such as location-awareness (see What could location awareness do for your WLAN?) can act as security features, by distinguishing between users inside and outside your office (Newbury Networks' WiFi Watchdog, reviewed here, is an example). Rogue AP detection is fairly common in WLAN management systems without having to buy an IDS.

This overlap is behind a strong trend for wireless management vendors to sell their products as security devices, which may be based on a somewhat cynical reading of buying habits.

WLAN IDS systems start to prove their value over their wired counterparts, when they detect anomalous behaviour on the ether (as LAN IDSs do on the wire), picking up DoS attacks or scans in progress. So they focus on monitoring at the RF level.

Some systems do go a bit overboard and add in features that are perhaps best left to your wired security tools. For example, AirDefense’s Wireless IDS 4.0 (see review, looks for ‘suspicious activities’. Identifying repeated attempts by a station to connect with multiple APs is an excellent way to highlight a potential hacker, but if this kind of system starts to trigger on strange traffic patterns such as large downloads in the wee hours of the night, this would seem an overlap with the monitoring that is (or should be) already happening on your wired infrastructure. Do you need the extra complexity for a feature you’ve already paid for elsewhere?

So if you’re looking for a WLAN IDS, best to check what you get (i.e. buy) that you don’t need, as well as making sure it does what you want. Some systems offer quite in-depth traffic engineering and reporting functions—fine, but you may already have a separate WLAN management package that does the same thing. And find out how much prevention you can expect, as opposed to just detection—some automatic preventative measures will only work if you have a specific mix of hardware in your WLAN.

Most of the WLAN security specialist companies that have sprung up follow a similar methodology: multiple dedicated sensors (these may be APs running monitoring firmware) with controlling server software, which act as an overlay to your existing WLAN. AirMagnet (reviewed here) Bluesocket (reviewed here) Red-M (reviewed here) and AirDefense (reviewed here) for example use this model. The likes of Airespace and Aruba (reviewed here) roll this functionality into their overall AP/switch/management package.

In the wired world, IDSs tend to be dedicated appliances, not part of a management system. People often feel happier if their security devices are pretty discrete, rather than an extra feature on a platform that has a different core function. This seems, in the main, the way WLAN systems are going to. It’s time to think about your wireless management and security operations - and you may end up keeping the two quite separate.