Keeping Intruders Out Of Your WLAN

Illicit monitoring detection. Many of the war driving tools, such as NetStumbler, send a barrage of 802.11 probe request frames to prompt responses from access points. The access points reply with probe response frames, which contain details on service set identifier (SSID), channel settings and encryption types. This information is valuable to a hacker when planning an attack. An IDS continually monitors for these foreign probe requests and alerts staff when they are occurring. An IDS, however, can't detect passive monitoring tools, such as AirMagnet Surveyor, because they don't send probe requests.

Unauthorized access deterrence. A significant feature of IDSs is that they can detect and terminate rogue access points and unauthorized users. The IDS continually looks for suspicious signatures, such as invalid MAC addresses, non-applicable hardware vendors, and incorrect SSIDs. If a rogue or unauthorized user is found, most IDS systems, such as those from AirMagnet and AirDefense, can terminate the wireless connections of the applicable access points and users. From the wired side, IDS systems can also interface with wireless management platforms to block access from the offending station or disable the applicable access point.

Policy enforcement. Companies deploying wireless LANs can configure an IDS with appropriate security policies, such as the requirement of WPA for all client devices, allowed SSIDs and valid MAC addresses. The IDS continually monitors users and access points based on the policies. If any deviations from policies are found, then the IDS automatically secures the system and informs appropriate staff. The enforcement of policies is also useful in guarding against denial of service attacks because the IDS is carefully watching the network.Tracking Down Intruders

If someone gets through security, the IDS has a very good chance of taking notice and performing effective countermeasures. The systems can also help find the persons implementing the malicious activity. Most of the IDSs have provisions for locating the intruders.

For example, AirMagnet uses triangulation to pinpoint the location of unauthorized clients and access points. With this knowledge, a company can carry out pre-planned procedures that notify appropriate security personnel with information on where they can find the bad guys.

Most IDS systems use separate sensors that a company installs throughout their facilities. For example, AirMagnet Enterprise 5.0 requires the installation of multiple AirMagnet SmartEdge sensors, which each monitor 802.11a/b/g activity in scan-only mode over a 50,000 square foot area. Up to 1,500 SmartEdge sensors interface to a single AirMagnet Enterprise Server. AirDefense has a similar solution. An advantage of using probes to perform the monitoring is that they operate aside from the operational wireless LAN.

Some of the wireless switch systems, such as the one offered by Airespace, integrate IDS sensors into the access points. This approach is often less expensive to deploy than having dedicated sensors, assuming you install Airespace access points. The IDS data, however, must traverse the same wireless network as operational data, which could limit capacity available for higher end wireless applications. In addition, this solution is not vendor agnostic.Concluding Thoughts

An IDS is invaluable for filling the holes that security mechanisms, such as authentication and encryption, don't cover. Definitely consider implementing an IDS if you have over ten access points. You'll sleep better at night.

Jim Geier is the principal of Wireless-Nets, Ltd., a consulting firm assisting companies with the implementation of wireless mobile solutions.