Wireless Intrusion Protection System (WIPS)

Use

A WIPS is capable of mitigating attacks from rogue APs and rogue clients.

A WIPS characterizes access points and client radios in four or more classifications.
Although various WIPS vendors use different terminology, some examples of classifications include the following:

  • Infrastructure Device
    • This classification refers to any client station or AP that is an authorized member of the company’s wireless network.
    • A network administrator can manually label each radio as an infrastructure device after detection from the WIPS or can import a list of all the company’s WLAN radio MAC addresses into the system.
  • Unknown Device
    • The unknown device classification is assigned automatically to any new 802.11 radios that have been detected but not classified as a rogue or infrastructure device yet.
    • Unknown devices are considered interfering devices and are usually investigated further to determine whether they are a valid infrastructure device, a neighbor's device, or a potential future threat.
  • Known Device
    • This classification refers to any client station or AP that is detected by the WIPS and whose identity is known.
    • A known device is initially considered an interfering device. The known device label is typically manually assigned by an administrator to radio devices of neighboring businesses that are not considered a threat.
  • Rogue Device
    • The rogue classification refers to any client station or AP that is considered an interfering device and a potential threat.
    • Most WIPS define rogue APs as devices that are actually plugged into the network backbone and are not known or managed by the organization.
    • Most WIPS vendors use a variety of proprietary methods of determining whether a rogue AP is actually plugged into the wired infrastructure.

Monitoring

  • Not all WIPS have spectrum analysis capabilities, although distributed spectrum analysis is becoming more common. Even if a WIPS has spectrum analysis capabilities, it can only perform spectrum analysis within a range of supported frequencies—typically the same frequencies that it monitors as a WIPS device. The WIPS should also monitor all available channels, not just the ones permitted in the regulatory domain where it is deployed, because an attacker's AP is not bound by local channel rules.
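The four classifications above and the channel-monitoring point, as an added example that is not from these notes or from any WIPS vendor: a minimal classifier in Python. Two assumptions are labelled in the code: `seen_on_wire` stands in for a vendor's proprietary wired-side correlation result, and the permitted-channel table (US 2.4 GHz channels 1-11) is a constructed regulatory example; the sample sweep at the bottom is constructed as well.

```python
"""Added example (not from the notes, not any WIPS vendor's code): a minimal
radio classifier implementing the four WIPS classifications, plus a check
that flags activity on channels the local regulatory domain does not permit."""
from dataclasses import dataclass, field
from enum import Enum


class Classification(str, Enum):
    INFRASTRUCTURE = "infrastructure"  # authorized member of the company's WLAN
    KNOWN = "known"                    # identified (e.g. neighbor); interfering, not a threat
    UNKNOWN = "unknown"                # detected, not yet classified; interfering, investigate
    ROGUE = "rogue"                    # interfering and a potential threat


# Constructed regulatory table: 2.4 GHz channels permitted in the assumed
# domain (US: 1-11). The WIPS still monitors 12-14 and reports use of them.
PERMITTED_24GHZ = {"US": set(range(1, 12))}
ALL_24GHZ = set(range(1, 15))


def normalize_mac(mac):
    """Canonical lower-case colon form so imported lists and sensor reports match."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class DetectedRadio:
    mac: str                    # BSSID for an AP, station address for a client
    is_ap: bool
    channel: int
    seen_on_wire: bool = False  # assumption: stand-in for the vendor's wired-correlation result


@dataclass
class WipsInventory:
    infrastructure: set = field(default_factory=set)  # imported list of company radio MACs
    known: set = field(default_factory=set)           # admin-labelled neighbor radios
    rogue: set = field(default_factory=set)           # admin-labelled rogues

    def __post_init__(self):
        self.infrastructure = {normalize_mac(m) for m in self.infrastructure}
        self.known = {normalize_mac(m) for m in self.known}
        self.rogue = {normalize_mac(m) for m in self.rogue}

    def classify(self, radio):
        mac = normalize_mac(radio.mac)
        if mac in self.infrastructure:
            return Classification.INFRASTRUCTURE
        if mac in self.rogue:            # explicit rogue label wins over a stale "known" label
            return Classification.ROGUE
        if mac in self.known:
            return Classification.KNOWN
        # Automatic rogue determination: an unmanaged AP bridged to our wired
        # backbone is the textbook rogue AP. Everything else stays unknown
        # until an administrator labels it.
        if radio.is_ap and radio.seen_on_wire:
            return Classification.ROGUE
        return Classification.UNKNOWN


def channel_findings(radio, domain="US"):
    """Return a finding string for activity on a non-permitted channel, else None."""
    if radio.channel not in ALL_24GHZ:
        return "channel outside the monitored 2.4 GHz set"
    if radio.channel not in PERMITTED_24GHZ[domain]:
        return f"channel {radio.channel} not permitted in {domain}"
    return None


def classify_all(inventory, radios, domain="US"):
    """Return {mac: (classification, channel finding)} for one sweep of detections."""
    return {normalize_mac(r.mac): (inventory.classify(r).value, channel_findings(r, domain))
            for r in radios}


if __name__ == "__main__":
    # Constructed sample sweep: one of ours, a neighbor, a wired rogue, a client on channel 13.
    inv = WipsInventory(infrastructure={"00-1A-2B-3C-4D-5E"}, known={"aa:bb:cc:00:00:01"})
    sweep = [
        DetectedRadio("00:1a:2b:3c:4d:5e", True, 6),
        DetectedRadio("aa:bb:cc:00:00:01", True, 11),
        DetectedRadio("de:ad:be:ef:00:01", True, 1, seen_on_wire=True),
        DetectedRadio("de:ad:be:ef:00:02", False, 13),
    ]
    for mac, (cls, finding) in classify_all(inv, sweep).items():
        print(f"{mac}  {cls:<14} {finding or ''}")
```

The order of checks is deliberate: the imported infrastructure list is trusted first, an explicit rogue label beats a leftover "known" label, and automatic rogue classification is only applied to an AP that wired-side correlation has placed on the backbone; a client or an AP with no wired evidence stays unknown for an administrator to investigate, as the notes describe.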

Containment

  • After a client station or AP has been classified as a rogue device, the WIPS can effectively mitigate an attack. WIPS vendors have several ways of accomplishing this. One of the most common methods is to use spoofed deauthentication frames.
  • A WIPS will have the sensors go active and begin transmitting deauthentication frames that spoof the MAC addresses of the rogue APs and rogue clients. The WIPS uses a known layer 2 denial-of-service attack as a countermeasure. The effect is that communications between the rogue AP and clients are rendered useless. This countermeasure can be used to disable rogue APs, individual client stations, and rogue ad hoc networks.
  • Many WIPS also use a wired-side termination process to effectively mitigate rogue devices. The wired-side termination method of rogue mitigation uses the Simple Network Management Protocol (SNMP) for port suppression.
  • Many WIPSs can determine that the rogue AP is connected to the wired infrastructure and may be able to use SNMP to disable the managed switch port that is connected to the rogue AP.
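The containment choices above, as an added example that is not from these notes or from any WIPS product: a policy function that turns a classification into a mitigation decision, preferring wired-side port suppression over SNMP when the WIPS has located the switch port behind a rogue AP, falling back to wireless containment otherwise, and doing nothing for any device that is not classified rogue. The IF-MIB `ifAdminStatus` object used is standard; the switch address, interface index and the `<SNMP-WRITE-COMMUNITY>` placeholder are constructed, and the SNMP command is built but not executed.

```python
"""Added example (not from the notes or any vendor): a WIPS containment policy
that only ever acts on rogue-classified radios and prefers wired-side port
suppression when the rogue AP's switch port is known."""
from dataclasses import dataclass
from typing import Optional

# IF-MIB::ifAdminStatus (1.3.6.1.2.1.2.2.1.7) is the standard object an SNMP
# manager sets to administratively shut a switch port; value 2 means down.
IF_ADMIN_STATUS_OID = "1.3.6.1.2.1.2.2.1.7"
IF_ADMIN_STATUS_DOWN = 2


@dataclass(frozen=True)
class SwitchPort:
    switch_ip: str   # constructed value in the sample below
    if_index: int    # ifIndex of the port the rogue AP was traced to


@dataclass(frozen=True)
class ClassifiedRadio:
    mac: str
    classification: str                   # infrastructure / known / unknown / rogue
    is_ap: bool
    wired_port: Optional[SwitchPort] = None  # set when wired-side correlation located the port


def snmpset_argv(port, community="<SNMP-WRITE-COMMUNITY>"):
    """Build (do not run) the Net-SNMP snmpset command that sets ifAdminStatus=down."""
    return ["snmpset", "-v2c", "-c", community, port.switch_ip,
            f"{IF_ADMIN_STATUS_OID}.{port.if_index}", "i", str(IF_ADMIN_STATUS_DOWN)]


def containment_action(radio):
    """Return (action, detail) for one radio.

    Only a rogue is ever contained: known and unknown devices are interfering
    devices, not threats, and wireless containment is a layer 2 denial of
    service that would hit a neighbor's network if misapplied.
    """
    if radio.classification != "rogue":
        return ("none", "not classified rogue; left for investigation")
    if radio.is_ap and radio.wired_port is not None:
        # Wired-side termination: cut the rogue AP off the backbone at the switch.
        return ("wired_port_suppression", snmpset_argv(radio.wired_port))
    # No wired path (rogue client, ad hoc network, or port not located):
    # hand the radio to the sensors for over-the-air containment.
    return ("wireless_containment", f"sensor deauthentication containment of {radio.mac}")


if __name__ == "__main__":
    # Constructed sample: a wired rogue AP, a neighbor's AP, and a rogue client.
    samples = [
        ClassifiedRadio("de:ad:be:ef:00:01", "rogue", True, SwitchPort("192.0.2.10", 17)),
        ClassifiedRadio("aa:bb:cc:00:00:01", "known", True),
        ClassifiedRadio("de:ad:be:ef:00:02", "rogue", False),
    ]
    for r in samples:
        action, detail = containment_action(r)
        print(f"{r.mac}  {action:<24} {detail}")
```

Two checks in this policy are the ones a practitioner would insist on: the explicit refusal to contain anything that is not a rogue, and the preference for the wired-side method, which affects only the port the rogue AP is plugged into rather than transmitting deauthentication frames that any nearby station can hear. In a real deployment the `snmpset` invocation would be replaced by the WIPS's own SNMP client and the write community would come from a secrets store, never a literal.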