Defining the primary architectural approaches for today's WIPS
solutions
Author/Blog Contributor - Chia-Chee Kuan, CTO at AirMagnet
Date: July 22, 2010
Today I'd like to review the different architectural approaches for deploying WIPS solutions. As we move ahead, the debate over which approach is best for what situation will likely intensify and is thus a great topic for discussion. WIPS solutions come in three basic architecture types; they are all fundamentally very different, with a variety of pros and cons.
The first and most rudimentary WIPS architecture leverages an AP radio that services wireless clients for WIPS scanning. In this approach, a WIPS module gets a very small time slice (or RF sample) from the AP radio for security scanning. The impact of the time slice to a wireless client service is designed to be minimal, allowing an organization to implement WIPS functionalities at a very low cost. The main advantage (or pro) to this approach is exactly that - low cost WIPS functionality. However, that low cost can come at a huge price. Time slicing uses limited scanning, usually sampling less than one second for each minute period. In laymen terms, that means the WIPS security functionality is not comprehensive and therefore compromised. Essentially, with this approach, an organization is saying, "we use a subset of non-real-time rogue AP detection features as our WIPS security framework." Because of this weakness, major WLAN infrastructure vendors have all moved away from claiming that this WIPS architecture is a good WIPS solution.
The second WIPS architecture is a integrated solution where a dedicated WIPS scanning radio is collocated in the client serving AP. The dedicated radio eliminates the limitations associated with, or the need to use, time slicing. Essentially, it means the WIPS solution is always scanning the air. The advantage to this approach is that all WIPS functionalities can theoretically be supported with the deployed APs, which can service the wireless clients, as well as fulfilling the "always on" WIPS scanning functionality. However, the disadvantage is that this functionality is consolidated within a single AP that is servicing clients and conducting WIPS scanning. That creates a single point of failure, which could be considered a violation of the layered security model and present a security risk. This architecture also dictates that your WLAN infrastructure vendor be your WIPS vendor, due to the dual purposed AP and collocated WIPS modules. This particular single vendor limitation is analogous to an enterprise having to deploy a Cisco firewall, for example, because the enterprise happens to be using Cisco switches. This can also require a hefty investment.
The third WIPS architecture is an overlay solution where dedicated WIPS sensors are deployed. These dedicated WIPS sensors are completely free from serving wireless clients and also provide the "always on" WIPS functionality. The advantage to this approach is the separation between the WLAN infrastructure and the WIPS architecture. This allows the orthogonal implementations to maximize the independence of the WIPS security solution on the WLAN infrastructure. This overlay WIPS architecture also allows an organization to independently select not only a best-of-breed WIPS solution, but also WLAN infrastructure. This independence can be very beneficial in today's diversified WLAN market where the best suited WLAN infrastructure solutions may very well not be your best suited WIPS solution provider. An overlay solution is also the only acceptable approach if an organization has mixed WLAN infrastructure already deployed (or plans to have a mix in the future). The disadvantage to this approach is cost - extra overlaid devices (sensors) require a larger investment from an organization into their wireless security infrastructure.
In summary, there are three main WIPS architectures - (1) integrated WIPS scanning with shared AP radio, (2) integrated WIPS scanning with dedicated radio in AP device, and (3) overlay WIPS scanning with dedicated device (sensor). The level of WIPS security capabilities and business flexibility goes up from (1) to (3). The cost of WIPS equipment and deployment however does not necessarily end up being the highest with option (3) depending on vendors -- however, in some instances, you get what you pay for. As we look at the future of WIPS solutions, it's only going to get more sophisticated, including multiple Wi-Fi radios, WIPS sensors and spectrum radios. What approach do you feel is best suited for your business?
Chia-Chee Kuan is CTO and co-founder of AirMagnet. Chia-Chee will contribute his expertise on technology, security vulnerabilities, and future trends in the WLAN industry.