Page 45 - Cyber Warnings

PART II: DEFENDING YOUR AIRSPACE


WIPS vs. WIDS

by Ryan Orsi, Director Product Management, WatchGuard Technologies


In part one of this series, The Anatomy of a Wi-Fi Hacker, we addressed the ever-growing need
for a digital connection and the risks associated with public Wi-Fi. Paramount among those risks
is the man-in-the-middle (MiTM) attack, which gives a hacker visibility into a device's traffic
and therefore a position from which to launch other sophisticated attacks.

Think of the MiTM as a beanstalk that starts as a seedling and grows into something much
larger. In this case, it grows into higher-layer attacks such as SSL stripping with HTTPS bypass,
toxic proxies, or attacks that exploit vulnerabilities in Web Proxy Auto-Discovery (WPAD). We
want to kill this beanstalk (the MiTM) before it grows, but how?

In part two of this series, we’re going to explore that question. It all starts with the basics of
Wireless Intrusion Detection Systems (WIDS) and Wireless Intrusion Prevention Systems
(WIPS).

Both these systems were (and are) heavily driven by compliance standards like PCI DSS and
HIPAA, which set out requirements for identifying rogue access points (APs) on Wi-Fi networks.
WIDS works to detect rogue APs that are already present, using traditional methods such as:


• CAM Polling: A client connects to an AP that is operating in bridge network mode, and that
AP is plugged into a switch. The switch's CAM (MAC address) table records the MAC address
of the client as learned through the port the AP is connected to. The WIPS server then polls
the switch and retrieves that MAC address. Meanwhile, the WIPS sensor scans the airwaves
and correlates the AP MAC address it learns from the client over the air with the MAC
address the WIPS server obtained from the switch. If the two addresses are found to be
nearly the same, the AP is considered a rogue.

• Passive MAC Correlation: A sensor on the network observes both the wired and the wireless
side and collects the MAC addresses it sees. If a wired MAC and a wireless MAC are within a
couple of bytes of each other, there is a probability that they belong to the same device.
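The correlation step behind both methods, as an added illustration that is not code from the article or from any WIPS vendor: a switch's CAM table (port, MAC) is compared with the BSSIDs a sensor heard over the air, and a BSSID whose vendor block matches a wired MAC and whose NIC-specific part is within a small offset of it is treated as bridged onto that port. The CAM rows, the BSSIDs, the authorized list and the `max_delta` threshold are all constructed or assumed here; the last sample row deliberately shows the false positive the article warns about.

```python
"""Rogue-AP candidate detection by correlating wired MACs from a switch CAM
table with BSSIDs observed by a wireless sensor. Added example with constructed
data; the "nearly the same MAC" threshold is an assumption, not a vendor rule."""

OUI_BYTES = 3  # the first three octets of a MAC identify the vendor (OUI)

# Constructed sample: (switch port, MAC) rows as a WIDS server might poll via SNMP
CAM_TABLE = [
    ("Gi1/0/1", "00:11:22:33:44:10"),  # wired side of a corporate AP
    ("Gi1/0/7", "a4:5e:60:aa:bb:01"),  # unknown device plugged into a user port
    ("Gi1/0/9", "3c:5a:b4:12:34:56"),  # an employee laptop
]

# Constructed sample: (SSID, BSSID) pairs the wireless sensor heard over the air
WIRELESS_BSSIDS = [
    ("CorpWiFi", "00:11:22:33:44:11"),    # corporate AP radio, one off its wired MAC
    ("Free_WiFi", "a4:5e:60:aa:bb:03"),   # radio two off the unknown wired device
    ("Neighbor", "d8:3a:dd:00:00:01"),    # OUI not present on the wire at all
    ("HomeRouter", "3c:5a:b4:12:34:5a"),  # same vendor block as the laptop, 4 apart
]

# Constructed policy: BSSIDs the administrator has declared legitimate
AUTHORIZED_BSSIDS = {"00:11:22:33:44:11"}


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (colon, dash or bare hex) into six bytes."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def mac_distance(a: str, b: str):
    """Absolute difference of the 24-bit NIC-specific parts of two MACs that
    share an OUI; None when the OUIs differ, because an AP's wired and radio
    interfaces are normally assigned from the same vendor block."""
    ba, bb = mac_to_bytes(a), mac_to_bytes(b)
    if ba[:OUI_BYTES] != bb[:OUI_BYTES]:
        return None
    nic_a = int.from_bytes(ba[OUI_BYTES:], "big")
    nic_b = int.from_bytes(bb[OUI_BYTES:], "big")
    return abs(nic_a - nic_b)


def correlate(cam_table, bssids, authorized, max_delta=8):
    """For each BSSID heard over the air, find the closest wired MAC within
    max_delta (assumed threshold). A hit means the radio is probably attached
    to that switch port; a hit that is not on the authorized list is a rogue
    candidate. BSSIDs with no wired footprint are skipped (neighbouring APs)."""
    allowed = {mac.lower() for mac in authorized}
    findings = []
    for ssid, bssid in bssids:
        best = None  # (delta, port, wired_mac) of the nearest wired MAC
        for port, wired_mac in cam_table:
            delta = mac_distance(bssid, wired_mac)
            if delta is None or delta > max_delta:
                continue
            if best is None or delta < best[0]:
                best = (delta, port, wired_mac)
        if best is None:
            continue
        delta, port, wired_mac = best
        verdict = "authorized" if bssid.lower() in allowed else "rogue-candidate"
        findings.append({"ssid": ssid, "bssid": bssid, "port": port,
                         "wired_mac": wired_mac, "delta": delta, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in correlate(CAM_TABLE, WIRELESS_BSSIDS, AUTHORIZED_BSSIDS):
        print(f"{f['verdict']:16} {f['ssid']:12} {f['bssid']} ~ "
              f"{f['wired_mac']} on {f['port']} (delta {f['delta']})")
```

Run as a script it lists one authorized AP and two rogue candidates. The second candidate, HomeRouter, is exactly the false positive the article describes: its BSSID happens to sit a few addresses away from an employee laptop from the same vendor, so a pure MAC-proximity heuristic binds it to port Gi1/0/9 even though it is a neighbour's router that never touched the wired network. Tightening `max_delta` reduces such hits but also misses APs whose radio and wired MACs are further apart, which is the tuning problem that drives the move to marker packets.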



These two approaches suffer from complexity and scalability issues, and they often produce false
positives. Companies are now looking to solutions built on marker packets, a newer approach that
effectively eliminates these challenges. A marker packet is essentially a small broadcast packet
that flows through all the APs.

With this approach, the system gathers information that is then checked against
established policies to identify an AP as legitimate or rogue. Marker packets essentially


45 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
