WIPS vs. WIDS

By Ryan Orsi, Director Product Management, WatchGuard Technologies

In part one of this series: The Anatomy of a Wi-Fi Hacker, we addressed the ever-growing need for a digital connection and the risks associated with public Wi-Fi. Paramount among those risks is the man-in-the-middle (MiTM) attack, which allows a hacker to gain visibility into a device’s traffic, and therefore launch other sophisticated attacks.

Think of the MiTM as a beanstalk that starts as a seedling and grows into something much larger. In this case, it grows into higher-layer attacks such as SSL stripping (downgrading HTTPS to plain HTTP), toxic proxies, or attacks that exploit vulnerabilities in WPAD. We want to kill this beanstalk (the MiTM) before it grows, but how?

In part two of this series, we’re going to explore that question. It all starts with the basics of Wireless Intrusion Detection Systems (WIDS) and Wireless Intrusion Prevention Systems (WIPS).

Both systems were (and are) heavily driven by compliance standards like PCI DSS and HIPAA, which outline requirements for identifying rogue access points (APs) on Wi-Fi networks. WIDS detects rogue APs that are already on the network, traditionally using methods such as:

  • CAM polling: A client connects to an AP that is bridging (not routing or NAT-ing) its wireless side onto the wired LAN, so the client's MAC address, like the AP's own, shows up in the MAC address (CAM) table of the switch the AP is plugged into. The WIDS server polls the switch, typically over SNMP, for that table, while a WIDS sensor scans the airwaves and records the MAC addresses (BSSIDs) of the APs it hears. If a BSSID heard over the air differs from a wired-side MAC by only a small offset (APs commonly derive their BSSIDs by incrementing their wired MAC), the AP is assumed to be on the wire and is flagged as rogue.
  • Passive MAC correlation: Instead of polling the switch, a sensor observes traffic on both the wired and wireless networks and collects the MAC addresses seen on each side. If a wired MAC and a wireless BSSID differ only in their last few bits, there is some probability that they belong to the same device.

These two approaches suffer from complexity and scalability issues and often result in false positives: adjacent MAC addresses are common among devices from the same vendor, and the correlation only shows that two addresses look alike, not that the AP is actually bridged to your LAN. Companies are now looking to solutions with marker packets, a newer approach that addresses these problems directly. A marker packet is a small, uniquely identifiable broadcast packet that the WIDS injects on the wired network; it flows through every AP bridged to that network, and the sensors listen for it over the air.

With this approach, any AP whose radio is heard retransmitting the marker is demonstrably connected to the wired network, and that evidence is referenced against established policies to identify the AP as legitimate or rogue. Because the test proves wired connectivity rather than inferring it from MAC similarity, marker packets essentially eliminate false positives for WIDS. But detection is only part of the equation when protecting a Wi-Fi network.

How can we stop these rogue APs from getting access to, or getting on, the network in the first place? WIPS is the other half of the equation.

Historically, organizations have shied away from WIPS because the prevention features could accidentally shut down neighboring Wi-Fi networks, which can result in painful and costly repercussions.

For example, Smart City Networks was hit with a hefty $718,000 FCC fine for accidentally shutting down a legitimate neighboring Wi-Fi network. According to Travis LeBlanc at the FCC, “All companies who seek to use technologies that block FCC-approved Wi-Fi connections are on notice that such practices are patently unlawful.”

But new WIPS technology eliminates this problem by using automated classification. Rather than treating every unknown network alike, the system classifies each AP it hears (by BSSID and the SSIDs it advertises) into buckets such as authorized (good), rogue (bad), guest, and external, and prevention is applied only to APs classified as rogue.

Once the APs are classified, more granular policies can be applied to users to keep them safe. For example, a user can be allowed to connect to an internal AP but not to a malicious external AP advertising the same SSID (an evil twin).

This process is accomplished with sensors that constantly scan the airwaves and capture marker packet information. That information is correlated with policy and each AP is classified automatically, which ensures that legitimate external Wi-Fi networks are never targeted and accidentally taken down.
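The detection methods and classification buckets described above, as an added example that is not WatchGuard's or any vendor's code: a small Python model that classifies the same five observed APs first by the legacy MAC-offset correlation and then by the marker-packet test, and maps each verdict to a prevention action that leaves external networks alone. Every MAC address, SSID, policy entry and captured frame is constructed sample data, and the frame representation (a dict with a bssid and a payload) is a simplification assumed for the example.

```python
"""Rogue-AP detection and classification in the style of a WIDS/WIPS engine.
Added illustration, not vendor code. All MACs, SSIDs and frames below are
constructed sample data; a frame is a dict standing in for a real capture."""
import secrets
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    AUTHORIZED = "authorized"  # our AP, advertising a corporate SSID
    GUEST = "guest"            # our AP, advertising a guest SSID
    ROGUE = "rogue"            # not ours, but bridged onto our wired LAN
    EVIL_TWIN = "evil twin"    # not on our wire, yet impersonating our SSID
    EXTERNAL = "external"      # a neighbor's network: never to be contained


@dataclass(frozen=True)
class AirObservation:
    bssid: str  # radio MAC a sensor heard in beacons / probe responses
    ssid: str


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_offset_match(bssid: str, cam_macs, max_offset: int = 16) -> bool:
    """Legacy CAM-polling / passive-correlation test: a BSSID numerically
    within max_offset of a MAC from the switch's CAM table is assumed to be
    the same box (many APs derive BSSIDs by incrementing their wired MAC).
    Neighbouring addresses are common, hence the false positives."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(w)) <= max_offset for w in cam_macs)


def new_marker() -> bytes:
    """Unpredictable payload the WIDS broadcasts on the wired side, so an
    attacker cannot forge a marker and get a neighbor's AP contained."""
    return secrets.token_bytes(16)


def bssids_relaying_marker(marker: bytes, air_frames) -> set:
    """Marker-packet test: every BSSID from which a sensor heard our wired
    broadcast is bridging our LAN to the air. A neighbor's AP never carries it."""
    return {f["bssid"] for f in air_frames if f["payload"] == marker}


def classify(obs: AirObservation, policy: dict, on_wire: bool) -> Verdict:
    """policy keys: authorized_bssids, corp_ssids, guest_ssids (all sets)."""
    if obs.bssid in policy["authorized_bssids"]:
        return Verdict.GUEST if obs.ssid in policy["guest_ssids"] else Verdict.AUTHORIZED
    if on_wire:
        return Verdict.ROGUE
    if obs.ssid in policy["corp_ssids"] | policy["guest_ssids"]:
        return Verdict.EVIL_TWIN
    return Verdict.EXTERNAL


def prevention_action(verdict: Verdict) -> str:
    """Contain only what is proven to be on our wire, keep our clients off an
    evil twin, and never touch an external network."""
    return {Verdict.ROGUE: "contain AP",
            Verdict.EVIL_TWIN: "block our clients from associating"}.get(verdict, "none")


def run_classification(observations, policy, cam_macs, marker, air_frames, method):
    """method is 'marker' (wired presence proven) or 'legacy' (MAC offset guess)."""
    relaying = bssids_relaying_marker(marker, air_frames)
    verdicts = {}
    for obs in observations:
        on_wire = (obs.bssid in relaying if method == "marker"
                   else mac_offset_match(obs.bssid, cam_macs))
        verdicts[obs.bssid] = classify(obs, policy, on_wire)
    return verdicts


# ---- constructed sample environment (assumed, not captured anywhere) ----
POLICY = {"authorized_bssids": {"02:aa:bb:cc:dd:00", "02:aa:bb:cc:dd:01"},
          "corp_ssids": {"Corp"}, "guest_ssids": {"Corp-Guest"}}
CAM_MACS = {"02:aa:bb:cc:dd:ff",   # our AP's wired MAC
            "00:11:22:33:44:50",   # a printer
            "06:de:ad:be:ef:0e"}   # LAN side of an employee's consumer router
OBSERVED = [AirObservation("02:aa:bb:cc:dd:00", "Corp"),
            AirObservation("02:aa:bb:cc:dd:01", "Corp-Guest"),
            AirObservation("06:de:ad:be:ef:10", "MyRouter"),  # bridged to our LAN
            AirObservation("00:11:22:33:44:5a", "Cafe"),      # neighbor, MAC near our printer
            AirObservation("06:13:37:00:00:01", "Corp")]      # evil twin outside
MARKER = bytes.fromhex("7f3a9c1e5d2b4a6f8e0d1c2b3a495867")  # fixed here; use new_marker() live
AIR_FRAMES = [{"bssid": "02:aa:bb:cc:dd:00", "payload": MARKER},
              {"bssid": "06:de:ad:be:ef:10", "payload": MARKER},
              {"bssid": "00:11:22:33:44:5a", "payload": b"unrelated traffic"},
              {"bssid": "06:13:37:00:00:01", "payload": b"beacon"}]


def compare_methods():
    """Return {bssid: (legacy verdict, marker verdict)} for the sample above."""
    legacy = run_classification(OBSERVED, POLICY, CAM_MACS, MARKER, AIR_FRAMES, "legacy")
    marker = run_classification(OBSERVED, POLICY, CAM_MACS, MARKER, AIR_FRAMES, "marker")
    return {b: (legacy[b], marker[b]) for b in legacy}


if __name__ == "__main__":
    for bssid, (old, new) in compare_methods().items():
        print(f"{bssid}  legacy={old.value:<10} marker={new.value:<10} action={prevention_action(new)}")
```

Running the script shows the difference the article is describing: the cafe AP next door, whose BSSID happens to sit ten values above our printer's MAC, is called rogue by the offset test but external by the marker test, so only the second method can be safely wired to automatic containment. The employee's bridged router is caught by both, and the evil twin is identified from its SSID without claiming it is on our wire.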

But if this new WIPS technology exists, why aren't more people using it? The reality is that many organizations are already using WIDS, but those systems require dedicated teams to wade through alarms and false positives, so typically only larger organizations have the resources to support them.

Unfortunately, because of the resource requirements and perceived risk, many companies stay away from WIDS/WIPS solutions altogether. The good news is that cutting-edge WIPS classification technology is making wireless defense more scalable, automatic, and cost-effective for companies of all sizes.

In the meantime, while organizations play Wi-Fi defense catch-up, how can the everyday consumer tell if a hotspot is secure? Unfortunately, they can’t. While some organizations are trying to work toward offering secure Wi-Fi with accreditations like Friendly Wi-Fi, for the most part, consumers are left to fend for themselves. This is another reason why brands should use automated systems to help keep consumers safe when connecting to public Wi-Fi.

The technology now exists to protect a Wi-Fi network and its users at a reasonable cost, with solutions that require low maintenance, helping to reduce some of the major security issues facing organizations today.

According to a study from Javelin Strategy and Research, 15.4 million victims lost roughly $16 billion to identity fraud, chiefly credit card theft, in 2016, which represents about six percent of U.S. consumers. And it's only expected to increase in 2019.

The study also showed an increase in identity fraud via Wi-Fi attacks with hackers posing as the MiTM. So, these types of attacks continue to drive compliance mandates, like PCI DSS.

PCI DSS has some specific, but not altogether realistic, standards for securing Wi-Fi networks, such as my favorite, requirement 11.1: test for the presence of wireless access points and identify rogue APs at least quarterly. Really, we should just check for rogues every 90 days?

As you can see, compliance is not synonymous with security. And this speaks to the challenges companies and consumers face when dealing with Wi-Fi. Hackers are reaping the benefits of the industry’s slow transition.

The standards are not strong enough, organizations don’t yet realize how to automate Wi-Fi protection, and consumers roll the secure Wi-Fi connection dice.

But it doesn’t have to be that way. Any organization can now afford to proactively defend their airspace and eliminate the Wi-Fi network risks for employees, partners, and customers.

So make sure you are protecting your Wi-Fi network with WIPS technology that uses the marker packet detection method, eliminates false positives, and automatically assesses APs and Wi-Fi clients to determine whether they are authorized, rogue, or external.

Now that we’ve covered how Wi-Fi hacks happen and how organizations can protect themselves with automated WIPS/WIDS, our final installment will look at how to protect a network from connected devices and IoT.

Join me next month as I explore how the world of connected devices and rapidly evolving IoT threats will impact Wi-Fi security.

About the Author
Ryan Orsi is Director of Product Management at WatchGuard, a global leader in network security, providing products and services to more than 75,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive wireless products to the WLAN, IoT, medical, and consumer wearable markets.
As VP Business Development in the RF industry, he led sales and business development teams worldwide to success in direct and channel environments. He holds MBA and Electrical Engineering degrees and is a named inventor on 19 patents and applications.
Ryan can be reached online at @RyanOrsi and at our company website www.watchguard.com/wifi