What are the primary threats that WIPS offerings should be able to mitigate?
Primary Threats?
3 Comments
WIPS offerings should be able to protect against both infrastructure and end-user related wireless vulnerabilities. Infrastructure related threats include Rogue (i.e. unauthorized) APs connected to your wired network; another scenario is an authorized AP mis-configured (no encryption, mapped to incorrect wired subnet, etc). Infrastructure related threats also include attacks against your authorized WLAN; this includes MAC spoofing & DoS attacks against your authorized APs.
End-user (i.e. WLAN client) related threats are due to laptops being mis-configured (intentionally or unintentionally). This includes client mis-association where user's the laptop is connected to an external AP (i.e. neighbor AP) as well as adhoc connection usage (peer-to-peer connection between two wireless users). WIPS system shall be able to detect & classify these threats accurately as well as prevent them automatically without administrator involvement. Can you imagine sitting in front of your WIPS administrator console and try to sort out what 100's misbehaving users are doing in your deployment? You cannot scale thus automated policy enforcement is critical for end-user related vulnerabilities.
Lastly, WIPS need to be able to protect against emerging attacks such as Cisco AP Skyjacking, WPA-TKIP attack, Multipot attack, "Soft AP" related threats, etc. Ideally a WIPS system should be able to provide zero day attack protection against new & emerging threats without having to upgrade the system.
An effective WIPS such as AirDefense Enterprise provides a comprehensive solution for rogue wireless detection and containment. It can accurately distinguish neighboring devices from actual rogue threats that are connected to the enterprise’s network and can automatically block as well as locate them. A good WIPS should also detect a range of attacks such as reconnaissance activity, identity theft, session hijacking or Man-in-the-Middle (MITM) attacks, multiple Denial-of-Service (DoS) attacks, wired side leakage, dictionary based attacks, etc. For example, AirDefense Enterprise has a security library with 200+ alarms detecting various attacks and policy violations. Reducing false positives, by correlating wireless and wired side information in conjunction with rich historical context maintained in a forensic database, is imperative. Once an accurate assessment of an intrusion is made, the WIPS should provide wireless and wired termination capabilities to mitigate the threat in real-time.
In addition to attack mitigation a WIPS should be able to monitor 24x7 for wireless policy compliance and facilitate reporting for regulatory requirements such as SOX, HIPAA, PCI, GLBA, DoD, etc. By maintaining minute-by-minute forensic data for all wireless devices and automatically generating various compliance reports, the cost of expensive wireless scanning and policy compliance validation can be drastically reduced. Another important function of a WIPS is to provide Wireless Vulnerability Assessment (WVA) module for automated remote wireless penetration testing. By simulating attacks from a wireless hacker’s point-of-view, WIPS should be able to identify sensitive systems exposed to the WLAN. Historically, administrators had to rely on a combination of traditional vulnerability assessment tools and occasional wireless assessments at select locations. These methods are unable to provide a comprehensive assessment of wireless networks. WVA should provide automated active wireless testing, simulating attacks from a wireless hacker’s point-of-view, capable of evaluating each and every AP a company has deployed, validating firewall and wireless switch policies, while also offering unparalleled discovery options to enumerate multiple paths of entry to sensitive systems on the wired side.
The 24x7 wireless monitoring capabilities of the WIPS can also be leveraged for remote troubleshooting and wireless network assurance as well.
The wireless threatscape is evolving at an incredible pace due to the rapid evolution of wireless technology itself, but also because the hacking community has identified the wireless airspace as being the weak link in many enterprises' overall approach to security. Recently we have seen attack vectors shifting from simple rogue access points, to more sophisticated, multistep attacks that exploit vulnerable end-user devices to either gain information directly or as part of an impersonation technique.
Obviously rogue access points are still of prime concern, and we want to be sure that we immediately identify any devices that don't belong, know their location in or outside the premises and know immediately if and how they are connected to our wired network. As hackers have gotten more sophisticated, it is also very important to detect "hidden" rogues that leverage WIDS evasion techniques to avoid the simple rogue detection that comes built in to modern access points. Of course blocking that threat both on the wire side of the connection as well as any and all wireless connections is mandatory. This would be table stakes for any WIDS/WIPS solution.
The next important requirement would be to detect and prevent unauthorized or unapproved connections. This could be something such as one of our approved employee laptops accidentally roaming from the corporate network to the hotspot across the street or to the weakly secured company guest network.
Then we should look for all the vulnerabilities that a hacker could see in the air. Is an AP failing to encrypt broadcast and multicast traffic and exposing wired IP addresses of our controllers and internal devices? Are we using WPA and QoS features in a way that lets a hacker read our traffic? We need to find all of those vulnerabilities on every device before the guys in the black hats do.
Lastly, and of course not least, we need to be looking for hundreds of tools, techniques and methods of evasion that an intelligent hacker could use to exploit our users and infrastructure, then pinpoint that user, block connectivity and collect a complete forensic packet capture of his behavior for proof.