Reactive/Proactive Jamming?

To what extent do your (or any) products do reactive and/or proactive jamming to prevent the use of unauthorized access points?

I'm thinking of two scenarios.  In the first (reactive), the WIPS detects a rogue device and then starts sending out "jamming" traffic so it renders the rogue point useless until you have the opportunity to physically track down the device and disable it.

In the second (proactive), you send a "jamming signal" on all unused frequencies within the area so that a rogue point can't get a signal out.



Eek! Steve, you get into scary territory when you talk about jamming traffic and blocking devices that run in Wi-Fi's unlicensed spectrum. Technically, unlicensed airwaves belong to everyone.

Because of the "open" nature of these particular airwaves, the WIPS role and goal, then, would be to disable unauthorized devices that are not just in your airspace but are also trying to connect to or have already connected to your network - an illegitimate activity. But there are other devices in your airspace that might be legitimate devices on someone else's network (like the office above you in a multitenant building), but are unauthorized on yours.

That said, your question brings up a really good topic for discussion: How the WIPS vendors delicately balance the degree of automation they include in their systems with the need to be careful about who they automatically cut off. Automation is very desirable in terms of reducing operational complexity and nipping security issues in the bud. But overzealous automation could get the Wi-Fi network operator (the enterprise) in trouble by snuffing out someone else's right to use the airwaves.

WIPS vendors: How do you balance these considerations? Any tips/advice for how enterprises should automate their settings?

Good question, Steve and Joanie. Unless a WIPS system can do accurate device classification, it is not recommended to automate prevention. This means the ability to detect accurately ON/OFF wire for devices you are seeing over the air. A WIPS system needs to be able to positively identify between a rogue AP connected to the enterprise wired network versus neighbor APs. A common mistake is to classify all unknown APs as rogue APs.

AirTight uses robust ON/OFF wire detection for all devices seen over the air using multiple techniques, including our marker packet technology executed on our sensors. Our Sensors are able to positively identify if a device is connected to the customer's wired network. If so, the Server determines if the device is rogue or not based on the customer's policy definition. This is a good scenario where prevention can be automated because of our accurate classification techniques. The same goes for other threats such as an authorized client misassociating to a neighbor AP or ad hoc connectivity between two authorized clients.

Cases where you do not want to automate prevention: a newly detected AP that hasn't been classified yet, i.e. if it is in Uncategorized status, then prevention should not be enabled for it. The same goes for uncategorized clients as well. Lastly, customers should analyze which specific threats they want automatic prevention for, based on their environment.

I agree with Sri that accurate classification is a prerequisite for automated containment (blocking) of any kind - wired or wireless. But given solid classification, I find that some incidents can be safely auto-blocked.

For example, in my own network, I am comfortable auto-blocking rogue APs that have confirmed physical connectivity to my own private subnets/VLANs. I am also comfortable auto-blocking my own clients when they are not conforming to my policies.

While I will not auto-block APs that cannot be reliably classified near my own network, I know one admin at a high-security "no wireless" facility who was comfortable doing so because 1) his facility was miles from other businesses, and 2) his organization had determined that the consequences of a breach justified that action.

Lastly - it should be noted that radio frequency jamming isn't equivalent to WIPS containment. In my view, a good WIPS should be far more selective and conservative in how it disrupts RF communication by devices that need to be contained. Even blasting out a continuous stream of broadcast Deauths can be too brute-force. Good containment should not end up DoS-ing your WLAN or channels used by legitimate neighbors.
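The rules Sri and Wade describe above (positive ON/OFF-wire classification before any automated prevention, no containment of Uncategorized devices or neighbor APs, containment of an authorized client's misassociated session rather than the neighbor AP it joined) can be written down as a small policy engine. This is an added example for this thread, not code from AirTight, AirMagnet, Motorola AirDefense or any other vendor; the record fields, the Policy switches, and the sample inventory are all constructed for illustration, and the on_wire flag stands in for whatever wired-side confirmation a real WIPS produces.

```python
"""Classification-gated auto-prevention policy for a WIPS (added illustration)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class Cls(Enum):
    UNCATEGORIZED = "uncategorized"   # seen over the air, not yet classified
    AUTHORIZED = "authorized"
    NEIGHBOR = "neighbor"             # someone else's device, off our wire
    ROGUE = "rogue"                   # unauthorized AP on our wired network


@dataclass(frozen=True)
class AP:
    bssid: str
    cls: Cls
    on_wire: bool   # hypothetical: positively confirmed on our wired network


@dataclass(frozen=True)
class Client:
    mac: str
    cls: Cls
    associated_bssid: Optional[str] = None
    in_adhoc: bool = False


@dataclass(frozen=True)
class Policy:
    contain_rogue_on_wire: bool = True
    contain_misassociation: bool = True
    contain_adhoc: bool = True
    contain_uncategorized_aps: bool = False  # only defensible at an isolated "no wireless" site


@dataclass(frozen=True)
class Decision:
    action: str                    # "contain", "alert" or "none"
    reason: str
    bssid: Optional[str] = None    # AP side of a contained session
    client: Optional[str] = None   # station side of a contained session


def decide_ap(ap: AP, policy: Policy) -> Decision:
    """Prevention for an AP is driven by its positive classification, never by 'unknown'."""
    if ap.cls is Cls.AUTHORIZED:
        return Decision("none", "authorized AP")
    if ap.cls is Cls.NEIGHBOR:
        return Decision("none", "neighbor AP off our wire; not ours to block")
    if ap.cls is Cls.UNCATEGORIZED:
        if policy.contain_uncategorized_aps:
            return Decision("contain", "site policy: any unclassified AP", bssid=ap.bssid)
        return Decision("alert", "uncategorized; classify before any prevention")
    if not ap.on_wire:  # marked rogue but the wired-side evidence is missing
        return Decision("alert", "rogue without on-wire confirmation; re-check")
    if policy.contain_rogue_on_wire:
        return Decision("contain", "rogue AP confirmed on our wire", bssid=ap.bssid)
    return Decision("alert", "rogue on wire; automatic containment disabled")


def decide_client(client: Client, aps: Dict[str, AP], policy: Policy) -> Decision:
    """Only our own clients are contained, and only their offending session."""
    if client.cls is Cls.UNCATEGORIZED:
        return Decision("alert", "uncategorized client; classify first")
    if client.cls is not Cls.AUTHORIZED:
        return Decision("none", "not our client")
    if client.in_adhoc:
        act = "contain" if policy.contain_adhoc else "alert"
        return Decision(act, "authorized client in ad hoc mode", client=client.mac)
    if client.associated_bssid is None:
        return Decision("none", "authorized client idle")
    ap = aps.get(client.associated_bssid)
    if ap is None or ap.cls is Cls.UNCATEGORIZED:
        return Decision("alert", "authorized client on unclassified AP; classify first")
    if ap.cls is Cls.AUTHORIZED:
        return Decision("none", "authorized client on authorized AP")
    # Neighbor or rogue AP: address the client/BSSID pair, never the AP as a whole.
    if policy.contain_misassociation:
        return Decision("contain", f"authorized client misassociated to {ap.cls.value} AP",
                        bssid=ap.bssid, client=client.mac)
    return Decision("alert", "misassociation; automatic containment disabled")


def evaluate(aps: Iterable[AP], clients: Iterable[Client], policy: Policy) -> Dict[str, Decision]:
    by_bssid = {a.bssid: a for a in aps}
    out = {b: decide_ap(a, policy) for b, a in by_bssid.items()}
    out.update({c.mac: decide_client(c, by_bssid, policy) for c in clients})
    return out


# Constructed sample inventory (MAC addresses are made up for the example).
SAMPLE_APS = [
    AP("00:11:22:33:44:01", Cls.AUTHORIZED, True),
    AP("00:11:22:33:44:02", Cls.ROGUE, True),          # rogue confirmed on our wire
    AP("00:11:22:33:44:03", Cls.NEIGHBOR, False),      # the office upstairs
    AP("00:11:22:33:44:04", Cls.UNCATEGORIZED, False), # just appeared, not classified
    AP("00:11:22:33:44:05", Cls.ROGUE, False),         # flagged rogue, wire status unconfirmed
]
SAMPLE_CLIENTS = [
    Client("aa:bb:cc:00:00:01", Cls.AUTHORIZED, "00:11:22:33:44:01"),
    Client("aa:bb:cc:00:00:02", Cls.AUTHORIZED, "00:11:22:33:44:03"),  # misassociated
    Client("aa:bb:cc:00:00:03", Cls.UNCATEGORIZED, "00:11:22:33:44:02"),
    Client("aa:bb:cc:00:00:04", Cls.AUTHORIZED, None, in_adhoc=True),
]

if __name__ == "__main__":
    for key, d in evaluate(SAMPLE_APS, SAMPLE_CLIENTS, Policy()).items():
        print(f"{key}: {d.action:8} {d.reason}")
```

With the default Policy the only "contain" results are the rogue AP with confirmed wire connectivity, the ad hoc client, and the misassociated client's session (addressed to that client and the neighbor's BSSID); everything Uncategorized, and the rogue whose wired status is unconfirmed, only raises an alert. Wade's isolated-facility case is the single switch contain_uncategorized_aps, which an operator has to opt into deliberately.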

The other posters here are very much on target. Joanie is absolutely correct that RF jamming is almost universally bad. Not only does it violate a whole host of FCC laws, but it is also just bad for your network. Jamming will affect all devices in the area and spectrum being jammed; it undermines Layer 1 of the wireless environment and limits the channels that devices can roam to in order to avoid other conflicts. This is almost universally bad.

That said, blocking messages from our Sensors are not jamming signals. They are instead actual packet traffic from the Sensor that is targeted specifically at the device that is being blocked. This means that you can block a rogue device without impacting all the other approved devices in your network.

On the second part of the question, you absolutely want to have very intelligent control over when you will automatically block a device. Determining if the rogue device is on the wire is a fantastic criterion for automated blocking, and AirMagnet leverages 5 complementary tracing mechanisms to quickly and reliably determine if a device is connected to the wired network or not. However, you will want to go beyond simply "on or off" the wire as well. An approved employee laptop connected to an unsecured outside AP is just as much a threat to the network, so you will need to keep track of the connection state and history for all of your devices. If you see a device that has attacked your network or violated your security policy, you may want to blacklist and block that device immediately, whether it is on the wired network or not. Those are just a few examples, and there are a lot of correlative factors that you may want to consider. The key point is that automated blocking should truly reflect the complexities of your security policy so that you prevent all of your wireless threats.

I agree with Sri's and Wade's comments. With great power comes great responsibility; wireless termination is a license to kill, and you do not want to use that indiscriminately!

You definitely need to be able to classify “neighbours” from “real rogues” that are physically connected to the corporate wired network, before you can terminate them. Rogue devices come in various flavors (routers, bridges, etc.), they may have encryption enabled, they may be on isolated LAN segments. The key is to be able to detect all rogue scenarios without requiring a wired sensor on all segments. Once you have detected them you can automatically terminate them.

Similarly, you can have a scenario where an authorized user wirelessly connects to a neighboring AP. You cannot DoS that AP; it could belong to a hospital's ICU, where there can be serious liability. You need to surgically contain the wireless session between your device and the neighboring network.

While wireless termination or wired blocking is available from all vendors, Motorola AirDefense has two other unique blocking/prevention techniques that are more targeted and less brute-force than termination. They can also be much more effective and waste less bandwidth.

1. Dynamic ACLs: AirDefense can integrate with WLAN infrastructure and set up dynamic Access Control Lists to block authorized clients that are misbehaving, a unique WIPS offering. AirDefense WIPS information (e.g., location) for a device can be leveraged by Motorola WLAN as an authentication variable as well. We can also integrate with NAC vendors to help quarantine wireless clients that do not meet the policy settings of the enterprise.
2. Dynamic WLAN Re-Configuration: Unique to AirDefense is the capability to reconfigure WLANs that are violating policy, facing an impending threat or performing sub-optimally. The recently announced AirDefense Services Platform allows us to run WIPS and multi-vendor WLAN management on the same appliance. The WIPS portion can detect attacks or policy violations (e.g., a corporate user connecting to the guest WLAN, a hacker attempting to break into the WLAN); the multi-vendor management system can then reconfigure the WLAN dynamically (e.g., disable guest access for the user, disable a legacy portion of the WLAN that has a higher risk of compromise, etc.). This is the first time a WIPS system is working in a closed loop with the WLAN management system in a vendor-agnostic fashion.
http://mediacenter.motorola.com/content/detail.aspx?ReleaseID=12506&NewsAreaId=2
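Several posters above draw the same line: a jamming signal or a continuous stream of broadcast deauthentication frames hits every device on the channel, while a "surgical" containment addresses one station and one BSSID. The difference is visible in the addressing of the 802.11 management frame itself. The block below, an added example that is not any vendor's containment code, builds the 24-byte management header plus 2-byte reason code of a deauthentication frame (no FCS), builds the two frames a targeted session containment would address (one toward the client, one toward the AP), and checks whether a given frame is targeted or broadcast. The MAC addresses are constructed for the example; putting frames on the air (a radio in monitor/injection mode) is out of scope here.

```python
"""Targeted vs. broadcast 802.11 deauthentication frames (added illustration)."""
import struct
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Frame Control as a little-endian 16-bit value: byte 0 = 0xC0
# (protocol version 0, type 0 = management, subtype 12 = deauthentication), byte 1 = no flags.
FC_DEAUTH = 0x00C0
FC_TYPE_SUBTYPE_MASK = 0x00FC
REASON_CLASS3_FRAME_FROM_NONASSOC_STA = 7   # IEEE 802.11 reason code 7
HEADER_FMT = "<HH6s6s6sH"                   # FC, duration, addr1, addr2, addr3, seq control


def mac_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast addresses have the I/G bit (LSB of the first octet) set."""
    return bool(mac_bytes(mac)[0] & 0x01)


def deauth_frame(dst: str, src: str, bssid: str,
                 reason: int = REASON_CLASS3_FRAME_FROM_NONASSOC_STA, seq: int = 0) -> bytes:
    """Management header (24 bytes) followed by the 2-byte reason code; 26 bytes total."""
    header = struct.pack(HEADER_FMT, FC_DEAUTH, 0, mac_bytes(dst), mac_bytes(src),
                         mac_bytes(bssid), (seq & 0x0FFF) << 4)
    return header + struct.pack("<H", reason)


def parse_deauth(frame: bytes) -> Dict[str, object]:
    if len(frame) < 26:
        raise ValueError("frame too short for a deauthentication frame")
    fc, _dur, a1, a2, a3, seqctl, reason = struct.unpack("<HH6s6s6sHH", frame[:26])
    if fc & FC_TYPE_SUBTYPE_MASK != FC_DEAUTH:
        raise ValueError(f"not a deauthentication frame (frame control 0x{fc:04x})")
    return {"dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
            "seq": seqctl >> 4, "reason": reason}


def is_targeted(frame: bytes) -> bool:
    """True only when every address names one specific device; a broadcast deauth is not."""
    f = parse_deauth(frame)
    return not any(is_group_address(f[k]) for k in ("dst", "src", "bssid"))


def session_frames(client: str, bssid: str, reason: int = REASON_CLASS3_FRAME_FROM_NONASSOC_STA) -> List[bytes]:
    """The two frames a surgical containment of one client/AP session addresses:
    one to the client as if from the AP, one to the AP as if from the client.
    Nothing else on the channel is addressed."""
    if is_group_address(client) or is_group_address(bssid):
        raise ValueError("session containment needs a unicast client and BSSID")
    return [deauth_frame(client, bssid, bssid, reason), deauth_frame(bssid, client, bssid, reason)]


if __name__ == "__main__":
    client, neighbor_bssid = "02:00:00:00:00:01", "02:00:00:00:00:aa"   # constructed
    for fr in session_frames(client, neighbor_bssid):
        print(parse_deauth(fr), "targeted" if is_targeted(fr) else "BROADCAST")
    print(parse_deauth(deauth_frame(BROADCAST, neighbor_bssid, neighbor_bssid)),
          "targeted" if is_targeted(deauth_frame(BROADCAST, neighbor_bssid, neighbor_bssid)) else "BROADCAST")
```

The is_targeted check is the kind of guard a containment engine can apply before anything goes on the air: a frame whose destination is ff:ff:ff:ff:ff:ff disassociates every station on that BSSID, including a neighbor's, which is exactly the brute-force case the thread warns against.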

A brief note about the term "rogue," which is used a couple of different ways in the Wi-Fi security industry. Some folks use the term to mean "any wireless device in your airspace that isn't authorized to connect to your network," while others mean "any wireless device in your airspace that isn't authorized to connect to your network - but IS connected to it or is TRYING to connect to it." The second scenario is when an intrusion is occurring or is imminent and you really need to know it and take action. However, even if the unauthorized device isn't connecting/trying to connect, it never hurts to know what's loitering around in your airspace, potentially interfering with your traffic and posing a possible threat in the future.