Validated WIPS

When the FCC recently ordered Marriott International and Marriott Hotel Services to pay a $600,000 fine for “jamming mobile hotspots” within their own facilities, the Wi-Fi world suddenly changed.

Marriott-1

There were a flurry of articles*, many happy businesses, some understandable “What were you thinking?!” rants, and some excellent verbal commentary on the topic.

Marriott-2

The containment capability mentioned is accomplished via a Wireless Intrusion Prevention System (WIPS), which can be either:

  •  A WIPS feature set within the enterprise-class Wi-Fi infrastructure system where the APs act as sensors
  • An overlay system (separate from the Wi-Fi infrastructure) consisting of WIPS software (local or cloud) and sensors

WIPS for Security

WIPS is designed to keep an end-user’s network safe from would-be intruders and can monitor all Wi-Fi channels for malicious behavior. When such behavior is identified, it may (depending on the policies configured) implement prevention procedures (such as the de-authentication frames (aka “packets”) mentioned above).

The configuration of a WIPS determines if and how it will respond to observed behavior of clients & access points that are using the Wi-Fi channels. Configuring WIPS policies properly (for effective ROI and FCC compliance) can be quite complex because:

  •  Attacks against Wi-Fi infrastructure systems can be very sophisticated and multi-faceted
  • Correctly identifying attacks against your own infrastructure is never 100% accurate
  • Those administrators who configure the WIPS must be experts in both 802.11 WLAN technology (security and protocol analysis disciplines at a minimum) and use of their chosen WIPS system (regardless of type)

False positives and false negatives are inevitable with any system, regardless of what the manufacturer’s marketing propaganda will tell you. The more they insist that their WIPS is perfect, the less you should believe them. Such false alarms and notifications can dull a network administrator’s senses (because they get tired of hearing/reading them), such that they aren’t paying proper attention when a legitimate attack actually happens. The first time the administrator gets caught “asleep at the wheel”, she will experience a painful lesson in the importance of network security. From that point forward, she will undoubtedly “batten down the hatches”, configuring the WIPS (and other intrusion systems) for maximum security. It’s just such scenarios that lead to accidental, over-zealous attacks against nearby systems that can put an organization at risk of legal action and huge fines.

There’s a reason why there are multiple WIPS overlay systems in the market (and have been for more than a decade) and why every SME-class and Enterprise-class has integrated WIPS features: they’re needed. Attacks against Wi-Fi systems are very common, and if you’ve been part of the enterprise Wi-Fi market over the last 10 years, you likely already know that dozens of major brand-name corporations have been hacked due to poor Wi-Fi security. Over the last ~5 years, the market has seen a shift from WIPS overlay systems to WIPS feature sets integrated into the Wi-Fi infrastructure. The Internet of Things (IoT) phenomenon looms large, and a reversal of that shift is highly likely, and in fact, expected.

IoT will bring with it more than 30 billion “connected things”, many that are Wi-Fi enabled, by 2020. Given the lack of security features/capabilities on IoT devices, many attacks will be against these “client” devices. Due to the sheer number of IoT devices on corporate networks, access points will not be able to do off-channel scanning without disconnecting hundreds of client devices at a time, many of which may be mission-critical. Therefore overlay WIPS, in many environments, will be a necessity to monitor (and prevent as necessary) malicious behavior on Wi-Fi channels.

Whether you are in the healthcare, energy, finance/insurance, education, manufacturing, warehousing, general enterprise, or other vertical markets, Wi-Fi security and performance monitoring is necessary to one degree or another. As if there weren’t enough reasons for strong security and performance monitoring, the perfect storm of combining BYOD and IoT phenomena will necessitate that WIPS be implemented and properly configured across the majority of enterprises, regardless of whether it’s integrated over overlaid.

WIPS for Performance

Though not originally designed for it, multiple vendors’ WIPS platforms have, over the last decade, matured in the area of performance monitoring and alerting. WIPS will now be used to proactively monitor, report, alert, and gather analytics on system-wide & client performance. For example, it will keep you constantly abreast of 2.4GHz channel duty cycle (utilization), noise floor, client capability, and client density throughout a facility or area so that you will know when you can/should:

  • More aggressively band steer clients onto 5GHz
  • Shift clients away from 2.4GHz by removing SSIDs from 2.4GHz
  • Optimize the configuration via changing minimum Basic data rates
  • Remove use of the 2.4GHz band altogether

This client-centric approach will complicate policy configuration further, but will add tremendous value for performance enhancement and troubleshooting reduction.

WIPS for Compliance

While optimized configuration of an enterprise-class WIPS for organization-specific security and performance monitoring is no small task, it’s exacerbated by the added requirement of compliance monitoring and reporting. Whether your organization is responsible for meeting criteria related to HIPPA, HI-TECH, PCI, SOX, GLBA, DoD 8420.01, FISMA, or other, the WIPS has to be properly configured to be useful. While most manufacturers will make recommendations (or have default configuration settings) for alarming and reporting, that doesn’t mean that they are: 1) correct, or 2) correct for you. This is where the knowledge, experience, and guidance of an expert will help you get the maximum value out of a very important network component. Customized configuration, alarming, and reporting that suits your environment and compliance requirements is essential in extracting maximum ROI from a WIPS.

Reminder:     If WIPS weren’t important, it would’ve never stood the test of time

within this fast-moving industry. There were four overlay vendors in the early years, and three of them were acquired (two by infrastructure vendors, and one by a diagnostics vendor). In today’s market, most mid-market and enterprise-class vendors have some level of WIPS integrated into their WLAN infrastructure platform. Having this integrated feature set enables them to “overlay themselves” with APs that are configured as dedicated sensors (whether WIPS sensors or Spectrum sensors). This is only significantly useful if their WIPS feature set is top-notch, and many are not. Some vendors also have the dynamic ability to switch APs into WIPS/scanner mode when the AP deployment is too dense. I don’t recommend relying on this approach, as it seems most useful when you’re network is poorly-designed.

Testing Before Deployment

Whether deciding to use a separate overlay WIPS, using the integrated WIPS features in your WLAN infrastructure, or overlaying your own network with APs that are acting as sensors, the importance of testing before deployment is very important. This also holds true for testing before upgrading.

Having worked for or with almost every Wi-Fi manufacturer in the valley (and other places!) over the last 15 years in WLANs, I have learned that “what works today, may not work tomorrow.” Firmware that’s hot-off-the-press may not have been (and probably wasn’t) thoroughly tested due to the extreme number of features in most enterprise-class systems (and the lack of time and automated feature test systems). This is more common that you might think. Customers are often the unknowing/unwilling beta testers for vendors.

This is never truer than when related to WIPS systems or feature sets because bugs are easier to get away with. If client devices don’t connect properly or if performance is way out of line, everyone knows immediately. If your WIPS is performing a Denial of Service (DoS) attack on your neighbor, then “oh well…sucks to be them.” Right? No. Not when your neighbor reports your system’s attack to the FCC and you get slammed with a $600k fine and a huge amount of bad press. Like with any computer or network system, the only way to know is to test. Test before deployment. Test before upgrade.

Other Uses of WIPS

WIPS has more uses than just security, performance, and compliance monitoring/reporting. For example, most WIPS can classify devices, perform location tracking (reportable on a floor plan), do policy enforcement, do active and passive infrastructure testing, and even do forensics.

Validated WIPS Service

Divergent’s Validated WIPS Service can be offered as a project-based service or a managed service, and remote configuration and monitoring are available. We will discuss your needs and goals with you and then assess your current situation in detail.

After the full assessment and remediation has been completed, Divergent will issue a certificate documenting that your WIPS platform has been Validated by a certified WLAN expert. Provided our customer does not modify their WIPS platform without full Divergent oversight, Divergent will, as part of the certificate issued, fully guarantee its services by certifying that:

  • It will participate, to the fullest extent necessary, over a 12-month period, in any bona-fide legal or civil actions against our customer arising from accusations of a misconfigured or misbehaving WIPS.

Diagnostics & Remediation Service

Suppose that you’re on the receiving end of someone else’s WIPS misbehavior. It’s no small task to identify and document such attacks in such a way as to convince the FCC and/or a court (who award damages) – just ask Trade Show Internet who, from the looks of their website, deals with this regularly. Divergent’s Diagnostics & Remediation Service is solely focused on finding and eliminating issues that hinder a secure and high-performance WLAN.

If you know you need WIPS, but you’re worried that the risk outweighs the reward, then use our contact page to drop us a note. We will be happy to give you an hour of our time at no charge to discuss your situation.

* Additional Articles:

http://www.networkworld.com/article/2691674/wifi/marriott-must-pay-600000-for-blocking-personal-wifi-hotspots.html

http://www.bloomberg.com/news/2014-10-03/marriott-fined-600-000-for-blocking-its-customers-wi-fi.html

http://www.cnbc.com/id/102062559#.

1 thought on “Validated WIPS”

Leave a Comment

Your email address will not be published. Required fields are marked *