Intrusion Detection Systems
Intrusion Detection Systems (IDSs) have been a critical
security component of wired networks for a number of years now. They are
beginning to appear in the wireless security software marketplace and have been
specifically designed with the discrete requirements of wireless networks in
mind. An IDS inspects inbound and outbound traffic and, through the use of
built-in rule sets, identifies suspicious activity that could be the result of a
hacker trying to break into a network. Firewalls are also used for this purpose,
but an IDS is different from a firewall because a firewall monitors for
intrusions to stop them from occurring. An IDS evaluates a suspected intrusion
once it has taken place and signals an alarm. Both the firewall and IDS security
packages may be configured to monitor internal network traffic for anomalies and
attacks originating from within the system.
Wired network IDS products are designed as a solution for wired
networks, and as such, typically provide minimal security in a wireless
environment. For example, wired IDS products may help avoid denial-of-service
(DoS) attacks in a wired network, but they are only marginally effective in a
wireless environment, providing less than adequate security. Furthermore, man-in-the-middle attacks, client hijacking,
jamming, or rogue APs in a wireless network would likely go unnoticed by a wired
network IDS deployed for use in a WLAN. A wired IDS cannot detect wireless-based
attacks or threats such as rogue APs, software APs, ad hoc networks, sniffers,
Netstumbler probes, or Kismet users. Although a wired IDS can detect
wireless-borne IP attacks once they hit the wire, they are basically useless
against wireless-based attacks.
The new breed of wireless IDS products can search a WLAN for
vulnerabilities, detect and respond to intruders, and help the WLAN
administrator manage a WLAN. As with a wired IDS on a wired network, a wireless
IDS in a wireless environment has the functionality to detect session hijacking,
spoofing, identity theft, and DoS attacks before those packets ever reach the
network. Other new wireless IDS products allow the placement of their monitoring
sensors near APs. These sensors may also be sold as part of the AP firmware.
These sensors monitor and capture all wireless traffic on these APs 24/7 and
report information to a central monitoring server, where the data can be
analyzed and acted upon.
Both the wired and wireless IDS may experience false-positive
alarms. False positives occur when legitimate network traffic violates policy or
boundary rules set up within the IDS. For example, a wireless client uploading a
large file to a network server could trigger an IDS alarm if the IDS contains a
policy limiting data transfer size. False positives waste institutional
resources and add to the cost of implementing any type of IDS. Careful analysis
of the network before implementation, baselining for historical data comparison,
and security policy rule sets that are realistic and responsible will all help
reduce false-positive alerts. An IDS can be configured to fit your security
policy and your network's design with many built-in features and options. These
optional IDS features include network-based or host-based monitoring, passive or
reactive monitoring, misuse detection, anomaly detection, vulnerability
detection, and the ability to do performance monitoring.
Deciding on the type of IDS to choose for your enterprise, and
deciding on how to configure its options and features, can be crucial to the
long-term success of this undertaking. For this endeavor, there is no single
correct answer. Network design, projected transactional load, the depth of
security policy desired, the real and future costs, implementation, and
management overhead are critical factors that should be considered when
configuring a wireless IDS security product.
Conventional network-based IDSs analyze all packets, anywhere on
the network, including incoming packets from unsuccessful attempts. This data is logged and compared to a security rule set in
the IDS or reviewed by a human for malicious or anomalous behavior. Further
actions that may be taken can include adjusting security policies as they may
apply to the IDS and fine-tuning the network's components for increased
efficiency and throughput. The inclusion of wireless devices in a conventionally
secured wired network presents challenges, as well as opportunities, to
incrementally add security to the entire topology. WLANs are a high-speed
environment, and the potential additional traffic load must be considered when
choosing the proper IDS configuration. The IDS must not only be able to process
an additional volume of traffic, but it must also handle the higher transmission
speed of the wireless clients, even when network loads are at their peak.
An increasing number of network-based wireless intrusion detection
systems utilize a completely passive method to "listen" on the wireless segment
through wireless sensors. These sensors must be placed strategically across the
network so that all wireless traffic can be monitored. This means that you
should place sensors at, in, or near every AP in order to detect typical
wireless attack techniques such as setting up rogue APs or jamming devices;
however, many network-based IDSs place their sensors upstream from the switch
where APs connect. This type of design is less effective because the sensors
cannot hear what is happening on each wireless segment.
Host-based IDSs examine the data on each node/host computer in a
system, allowing them to report suspicious activity back to a central server.
Host-based IDSs monitor attacks against individual computers more precisely than
network-based systems. If the wireless sensors are not correctly placed in the
network, then the detection of rogue APs, RF jamming devices, and other RF DoS
equipment is not feasible.
Identity theft, DoS, man-in-the-middle attacks, and other such
attacks can be monitored as they occur through the use of real-time monitoring.
If the IDS is working in passive mode (so as not to alert attackers of its
presence), these attacks will raise alarms as they occur, allowing security
personnel to take action. Because most networks are not monitored by people
24/7, IDSs are configured to be reactive to certain attacks and
eliminate threats. It is critical to think through the ramifications of the
potential actions IDSs may take in automatic mode because they can be configured
to restrict access to services, shut down services, disconnect certain
connections, and take other appropriate actions as defined in the IDS
configuration's policy rule set. It is important to remember that these settings
are configured through well-thought-out policies and not the IDS itself. Any
reactions to a perceived attack may adversely affect the normal activities of the network's authorized users.
Thus, the decision to configure the IDS to be reactive must be made after
consulting, educating, and receiving buy-in from management.
The IDS analyzes information gathered from both internal and
external sources to detect misuse or abuse of a network by applying misuse
detection rules to the WLAN. For example, typical rules may include limiting APs
to operate only on specific channels, requiring all WLAN traffic to be
encrypted, prohibiting SSIDs from being broadcast unmasked, and limiting
traffic on the WLAN to occur only within certain hours of the day. An IDS can be
used like a traditional management system or directly tied into a wireless
management software package in order to effect necessary changes.
The IDS anomaly detection feature monitors and compares network
segments and their current status to "normal" baselines and reports anomalies
that raise alerts to the appropriate personnel. Baseline norms for typical
network load, protocols, and packet size should be established before
implementation of an IDS. Users consuming more than average bandwidth can be
identified by monitoring the performance of the network. More importantly,
anomalous traffic loads may be evidence of an attack in progress. High traffic
loads may be a DoS, and very low or no traffic load may indicate a damaged or
nonfunctioning network segment.
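The baseline comparison described above, as an added example that is not part of the original text: a per-segment load baseline is established first, and each new reading is classified as normal, unusually high (a possible DoS), unusually low (a possibly damaged segment), or silent. The segment names, byte counts and the three-sigma threshold are constructed values for illustration.

```python
from statistics import mean, pstdev

# Constructed baseline: bytes per minute seen on each WLAN segment during a
# normal period, collected before the IDS went live (hypothetical values).
BASELINE = {
    "seg-A": [410_000, 395_000, 420_000, 405_000, 398_000, 412_000],
    "seg-B": [120_000, 118_000, 125_000, 119_000, 122_000, 121_000],
}

def baseline_stats(samples):
    """Mean and population standard deviation of a segment's normal load."""
    return mean(samples), pstdev(samples)

def classify_load(segment, current, baseline=BASELINE, k=3.0, silent_ratio=0.1):
    """Compare one load reading with its segment's baseline.

    A reading more than k standard deviations above the mean is flagged as
    high (possible DoS); more than k below as low (possible damaged segment);
    a reading under silent_ratio of the mean is treated as a silent segment.
    """
    if segment not in baseline:
        return "unknown segment"          # no baseline: cannot judge, but report it
    mu, sigma = baseline_stats(baseline[segment])
    sigma = max(sigma, 1.0)               # guard against a perfectly flat baseline
    if current <= mu * silent_ratio:
        return "silent (segment down?)"
    z = (current - mu) / sigma
    if z > k:
        return "high (possible DoS)"
    if z < -k:
        return "low (possible damaged segment)"
    return "normal"

def scan_readings(readings, baseline=BASELINE):
    """Run a batch of (segment, bytes/min) readings and keep only the anomalies."""
    alerts = {}
    for segment, current in readings:
        verdict = classify_load(segment, current, baseline)
        if verdict != "normal":
            alerts[segment] = verdict
    return alerts

# Constructed readings for one polling interval.
READINGS = [("seg-A", 410_000), ("seg-B", 300_000), ("seg-C", 50_000)]
```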
A robust IDS on a WLAN can detect vulnerabilities in real time,
such as rogue APs on the network or the creation of ad hoc networks. An open
rogue AP that has hijacked an authorized user can result in a peer-to-peer
attack. Locating any ad hoc networks that are actively transmitting traffic is
the first step in preventing peer-to-peer attacks of this nature. WLANs share a
finite amount of bandwidth, so it is important to determine who is using the
bandwidth and when. If the business rules support it, streaming audio, video,
and peer-to-peer file-sharing applications may be disallowed to keep the network
from being flooded with unneeded traffic. When the built-in rate-limiting
functionality of an enterprise wireless gateway is in use, the performance
monitoring features in the IDS are not required solely to locate and control
network abusers. Instead, these features can still be used to report WLAN usage
statistics. Over time, IDS performance monitoring can also provide statistics
for AP bandwidth load. This enables the development of management reports that,
along with site surveys, can be used to determine where and when growth of the
network needs to occur to meet additional user requirements.
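The misuse-detection rules listed earlier (channel restrictions, mandatory encryption, no unmasked SSID broadcast, allowed hours) together with the rogue-AP and ad hoc network detection just described, as an added example that is not part of the original text: a sensor-side check that applies the policy to each observed beacon and returns the violated rule names for the central server. The BSSIDs, channels, hours and capture records are constructed for illustration.

```python
from datetime import time

# Constructed policy for this example (hypothetical BSSIDs and hours).
POLICY = {
    "authorized_aps": {                 # BSSID -> channels it may operate on
        "00:11:22:33:44:01": {1, 6, 11},
        "00:11:22:33:44:02": {36, 40},
    },
    "require_encryption": True,         # all WLAN traffic must be encrypted
    "hidden_ssid_required": True,       # SSID must not be broadcast in the clear
    "allowed_hours": (time(7, 0), time(20, 0)),
}

def check_observation(obs, policy=POLICY):
    """Apply the misuse-detection rules to one beacon seen by a sensor.

    obs is a constructed record: bssid, ssid ('' when hidden), channel,
    encrypted (bool), bss_type ('infrastructure' or 'ibss'), seen_at (time).
    Returns the names of the violated rules; an empty list means clean.
    """
    alerts = []
    aps = policy["authorized_aps"]
    if obs["bss_type"] == "ibss":
        alerts.append("ad-hoc-network")     # peer-to-peer BSS with no AP
    elif obs["bssid"] not in aps:
        alerts.append("rogue-ap")           # AP not on the authorized list
    elif obs["channel"] not in aps[obs["bssid"]]:
        alerts.append("unauthorized-channel")
    if policy["require_encryption"] and not obs["encrypted"]:
        alerts.append("unencrypted-wlan")
    if policy["hidden_ssid_required"] and obs["ssid"]:
        alerts.append("ssid-broadcast")
    start, end = policy["allowed_hours"]
    if not start <= obs["seen_at"] <= end:
        alerts.append("outside-allowed-hours")
    return alerts

# Constructed sensor captures: a clean AP, the same AP off its allowed
# channel, an open rogue AP advertising its SSID, and an after-hours ad hoc net.
CAPTURES = [
    dict(bssid="00:11:22:33:44:01", ssid="", channel=6, encrypted=True,
         bss_type="infrastructure", seen_at=time(9, 0)),
    dict(bssid="00:11:22:33:44:01", ssid="", channel=3, encrypted=True,
         bss_type="infrastructure", seen_at=time(9, 5)),
    dict(bssid="de:ad:be:ef:00:01", ssid="FreeWiFi", channel=6, encrypted=False,
         bss_type="infrastructure", seen_at=time(9, 10)),
    dict(bssid="02:aa:bb:cc:dd:ee", ssid="", channel=1, encrypted=True,
         bss_type="ibss", seen_at=time(23, 0)),
]

def scan(captures, policy=POLICY):
    """What the central server receives: only the captures that broke a rule."""
    return [(c["bssid"], a) for c in captures if (a := check_observation(c, policy))]
```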
Because of the unpredictability of attacks, active monitoring must
be conducted 24/7, and the results of this monitoring must be reviewed in real
time by qualified security personnel whenever possible. These security personnel must be experts in general networking
and systems knowledge, be up to date on security vulnerabilities, know the
strategies for incident handling and attack mitigation, and be empowered to make
time-critical security decisions to prevent an attack from damaging,
compromising, or stealing resources.
A security policy should be in place to define the governance and
operation of an incident response team to an attack or anomaly identified by the
IDS. The policy must define primary and secondary contact personnel, how they
are to be notified, and what steps they should take to respond to the incident
properly. This includes stipulating who is responsible for each managerial or
technical activity. A good security policy must include a section on IDS
incident handling procedures for both wired and wireless clients.
In order for the IDS to be an effective security tool, the
activity logs and the reports generated by the IDS must be handled securely,
efficiently, and with consideration about their relative importance. These logs
may be used in evidentiary proceedings by law enforcement, and their
significance as a historical source document cannot be dismissed. Timely
incident response is largely based on the following factors: detailed and
understandable reports, near real-time analysis by qualified network security
personnel, and immediate corrective action appropriate to the incident.
Adherence to these factors can help make the IDS an effective tool, rather than
an expensive use of time, resources, and money. Responding to incidents poorly,
or in an untimely manner, will allow an attack to proceed in most cases.
Additionally, the complexities of today's wireless IDS dictate that the
appropriate personnel attend all available training sessions offered by the IDS
vendor.
Periodic upgrades to the system, such as host-based agent
updates, and updates to the network-based software and firmware should begin
shortly after the IDS is installed and running. Ongoing training for the
personnel responsible for the operation and maintenance of the IDS will ensure
its continued success and effectiveness. All network devices associated with the
IDS should be tested periodically for operational readiness. As new WLAN
segments are added, these new segments must be incorporated into the IDS.
Professional security audits should be conducted, preferably by outside
resources, at least annually, and should test the IDS for weaknesses. Regularly
scheduled spot-checking of the IDS should be considered mandatory to measure its
efficiency and improve its operation.