RAATS WIFI

Overview - WIDS and WIPS

As you probably know, there are many possible attacks in the wireless world. To detect those attacks there are monitoring tools such as a wireless intrusion detection system (WIDS). The best response to an attack is to prevent it: with a wireless intrusion prevention system (WIPS) it is possible to mitigate attacks from, for example, rogue access points. To monitor and prevent attacks, a WIDS/WIPS uses a management server with a number of sensors. Information is also gained from managed switches, WLAN controllers and access points. The information gathered is the same information that an auditor or administrator would gather with a laptop or other tools. The main difference is that a WIDS/WIPS solution monitors 24 hours a day, while you can only monitor during the moments you walk around with your tools.

There are solutions where the WIDS/WIPS is integrated into a WLAN controller, but most of the time it is a standalone appliance (hardware or software). The server can perform several kinds of analysis:
- Signature analysis looks for known patterns.
- Behaviour analysis looks for anomalies.
- Protocol analysis analyses the MAC layer information or upper-layer unencrypted frames.
- Spectrum analysis analyses the RF spectrum.
Together these give a good overview of the health of your WLAN, which can be viewed in a management console or in the graphical user interface (GUI) of the server itself.
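To make the difference between signature analysis and behaviour analysis concrete, here is a small added example (not code from this post or from any WIDS product) that runs both kinds of check over a constructed capture of 802.11 management-frame summaries. The authorized SSID and BSSID inventory, the frame records, the deauthentication threshold and all function names are assumptions made for this illustration.

```python
"""Minimal WIDS-style analysis over a constructed capture of 802.11 management
frame summaries. Added example, not the post's own code. It contrasts a
signature check (a known bad pattern: our SSID beaconed from a BSSID we do not
own, i.e. a rogue access point) with a behaviour check (a rate anomaly: far
more deauthentication frames per second than normal). Inventory, thresholds
and sample frames are assumptions for this example."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds since start of capture
    subtype: str     # "beacon", "deauth", ...
    bssid: str       # transmitter address (assumed field)
    ssid: str        # empty for frames without an SSID element
    channel: int


# Authorized infrastructure, as a WIDS server would learn it from the WLAN
# controller (constructed inventory, not real addresses).
AUTHORIZED_SSIDS = {"CorpWiFi"}
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


def signature_rogues(frames):
    """Signature analysis: a beacon advertising one of our SSIDs from a BSSID
    that is not ours matches the rogue access point pattern.
    Returns {bssid: channel} for every match."""
    rogues = {}
    for f in frames:
        if (f.subtype == "beacon" and f.ssid in AUTHORIZED_SSIDS
                and f.bssid not in AUTHORIZED_BSSIDS):
            rogues[f.bssid] = f.channel
    return rogues


def behaviour_deauth_floods(frames, window=1.0, threshold=20):
    """Behaviour analysis: count deauthentication frames per BSSID in fixed
    time windows; a window above `threshold` is an anomaly worth an alert.
    Returns {(bssid, window_start): count} for the offending windows only."""
    counts = Counter()
    for f in frames:
        if f.subtype == "deauth":
            bucket = int(f.ts // window) * window
            counts[(f.bssid, bucket)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


# Constructed sample capture: normal beacons from a legitimate AP, one beacon
# of our SSID from an unknown BSSID on channel 6, a burst of 25 deauth frames
# from that BSSID within half a second, and one ordinary deauth from a real AP.
SAMPLE_FRAMES = (
    [Frame(0.1 * i, "beacon", "00:11:22:33:44:01", "CorpWiFi", 1) for i in range(10)]
    + [Frame(0.5, "beacon", "de:ad:be:ef:00:01", "CorpWiFi", 6)]
    + [Frame(2.0 + 0.02 * i, "deauth", "de:ad:be:ef:00:01", "", 6) for i in range(25)]
    + [Frame(3.0, "deauth", "00:11:22:33:44:02", "", 36)]
)


def analyse(frames=SAMPLE_FRAMES):
    """Run both checks and return their findings in one report dict."""
    return {
        "rogues": signature_rogues(frames),
        "deauth_floods": behaviour_deauth_floods(frames),
    }


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(f"{kind}: {findings}")
```

The signature check needs an inventory it can trust, which is why the server pulls the list of managed access points from the WLAN controller rather than learning it over the air; the behaviour check needs no inventory at all, only a baseline of what a normal rate looks like.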

The sensors scan all 14 channels in the 2.4 GHz band and all channels in the 5 GHz band. You can fine-tune the scanning interval between 100 ms and 1 s. It is also possible to configure a sensor to monitor only one specific channel. Communication between the sensors and the server can go through a proprietary management protocol or through the same method the access points use, Control and Provisioning of Wireless Access Points (CAPWAP). As with access points, you can deploy sensors at different branch offices and let them communicate over the WAN with the WIDS/WIPS server in a data centre or at headquarters.

There are two architecture models. The first one is the overlay architecture. The overlay uses standalone servers and sensors alongside the existing wireless network. This is the more expensive solution, since it is a new infrastructure and you need extra hardware. The advantage is that the sensor can scan all the channels: one radio scans the 2.4 GHz band and the other radio the 5 GHz band. Besides that, standalone sensors have more features and monitoring capabilities.

With the integrated model, the sensors are integrated in the access points. The access points use software-defined radio (SDR) to go into sensor mode and use both their 2.4 GHz radio and their 5 GHz radio to scan those bands. Alternatively, in half sensor mode, one radio serves clients and the other radio does the sensor work. In the last option, the access point listens on the channel it is transmitting on for 10 seconds. After that it goes to channel 7 for 110 ms, back to channel 6 for 10 seconds, moves to channel 8 for 110 ms, and so on. This method is called a part-time sensor. This solution is cheaper than the overlay solution, but the problem is that while the part-time sensor is not scanning a particular channel, an attacker can misuse that window to attack the wireless network. It can also result in poor audio quality for VoWiFi clients associated with an access point that does part-time scanning; you can prioritise VoWiFi traffic with QoS markings. When the access point is scanning a channel it is not transmitting on, clients cannot communicate with the access point at that moment, which has an impact on the wireless network. For those cases there is an option that stops access points from scanning other channels while clients are connected. It is wise to deploy some full sensor access points for scanning.
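The part-time schedule above is easy to model, and doing so shows why the post recommends full sensor access points as well. The following added example (not code from this post or from any vendor) builds one scan cycle from the dwell times given in the text (10 seconds on the home channel, 110 ms per off-channel) and computes, for each channel, the fraction of time it is actually monitored and the longest blind gap before a sensor returns to it. The home channel of 6, the 14-channel list, the comparison with a dedicated full-time sensor that dwells 110 ms per channel, and the function names are assumptions made for the illustration.

```python
"""Model of the part-time (half sensor) scan schedule described above: an
access point serves clients on its home channel for `home_dwell` seconds,
hops to one off-channel for `off_dwell` seconds, returns home, hops to the
next off-channel, and so on. Added example, not the post's own code; the
channel list, dwell times and helper names are assumptions."""


def build_schedule(home, channels, home_dwell=10.0, off_dwell=0.110):
    """Return one full scan cycle as a list of (channel, seconds) dwell slots.
    Off-channels are visited in the order the post describes: the channel
    after the home channel first, wrapping round to the lowest ones last."""
    offs = [c for c in channels if c > home] + [c for c in channels if c < home]
    schedule = []
    for ch in offs:
        schedule.append((home, home_dwell))   # back on the service channel
        schedule.append((ch, off_dwell))      # brief off-channel listen
    return schedule


def coverage(schedule):
    """Fraction of wall-clock time each channel is being listened to,
    plus the total cycle length in seconds."""
    total = sum(sec for _, sec in schedule)
    per_channel = {}
    for ch, sec in schedule:
        per_channel[ch] = per_channel.get(ch, 0.0) + sec
    return {ch: sec / total for ch, sec in per_channel.items()}, total


def longest_blind_gap(schedule, channel):
    """Longest stretch in seconds during which `channel` is not monitored,
    with the cycle treated as repeating (walk two cycles for wrap-around)."""
    if not any(ch == channel for ch, _ in schedule):
        return float("inf")
    gap, longest, seen = 0.0, 0.0, False
    for ch, sec in schedule + schedule:
        if ch == channel:
            if seen:
                longest = max(longest, gap)
            seen, gap = True, 0.0
        else:
            gap += sec
    return longest


def compare(home=6, channels=range(1, 15), home_dwell=10.0, off_dwell=0.110,
            probe_channel=7):
    """Contrast a part-time sensor on `home` with a dedicated full-time sensor
    that cycles every channel with the same off-channel dwell."""
    part_time = build_schedule(home, list(channels), home_dwell, off_dwell)
    full_time = [(ch, off_dwell) for ch in channels]   # no service channel
    cov, cycle = coverage(part_time)
    return {
        "part_time_cycle_s": round(cycle, 2),
        "part_time_coverage_probe": cov[probe_channel],
        "part_time_gap_probe_s": round(longest_blind_gap(part_time, probe_channel), 2),
        "full_time_gap_probe_s": round(longest_blind_gap(full_time, probe_channel), 2),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the numbers from the post, a part-time sensor on channel 6 returns to channel 7 only once every 131.43 seconds and spends 110 ms there, so channel 7 is observed less than 0.1% of the time and the blind gap is over two minutes; a dedicated sensor cycling the same 14 channels is back on channel 7 every 1.43 seconds. That gap, not the scan itself, is the window the post warns about.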

There are also access points with more than two radios. In that case one radio can be a scanner while the other two provide client access on 2.4 GHz and 5 GHz. The last question, after you pick the model, is how many sensors you need to deploy. This depends on the budget; a common rule of thumb is one sensor per three to five access points.

Another thing to keep in mind is that the sensors need to support your wireless environment. Sensors built for 802.11a/b/g will not support HT (802.11n) or VHT (802.11ac). Channel bonding with 40 MHz, 80 MHz or even 160 MHz channels will also not be supported. Beacon frames, which give a lot of information about the network, are still visible to 802.11a/b/g sensors, but the enhanced features are not.