Setting The Right
WIPS Policies
OVERVIEW
The need for delivering quality wireless services in
hospitality venues like hotels and big convention
centers has been increasing. The availability and
quality of the Wi-Fi service is one of the important
factors for business travelers, event organizers
and holidaymakers while making their decisions
for hotel booking. Some hoteliers offer free Wi-Fi
hotspots in order to attract guests and differentiate
their services, while others charge fee for Wi-Fi
services. Typically, these hotspots use unsecure
open authentication, so network administrators need
to separate guest network access from core corporate
network. With the presence of many Wi-Fi devices
from guests who often runs their own personal
Wi-Fi hotspot, administrators need best Wireless
A Zebra Technologies White Paper
Intrusion Prevention System (WIPS) that delivers no
false positives for clients and access points. Also,
increased emphasis by regulatory bodies like Federal
Communications Commission (FCC) and other
government agencies on enforcement of
laws related to RF jamming laws are making it crucial
for WIPS systems to accurately identify unauthorized
rogue devices before striking air termination on these
devices. Recently, there are incidents where FCC has
imposed massive fines on organizations for wrongfully
terminating personal Wi-Fi hotspots of the guests in
hospitality venues. This paper gives a quick overview
on the best practices for device classification and
policy enforcement while setting up a WIPS system.
2
DEVICE CLASSIFICATION
The basis for any good WIPS system is device
classification. In a wireless network, there are primarily
three kinds of devices you are dealing with – Access
Points, Clients and Sensors. Sensors are essentially the
eyes and ears of a WIPS system. They continuously
scan the wireless network and report what they see, to
a centralized WIPS system. Sensors come in multiple
deployment options. It could be an access point
dedicated to operate only as a sensor, a radio module
attached to an access point, a single radio within a
dual-radio access point designated as a sensor, or
an access point serving both clients and acting as
sensor by performing off-channel-scanning.
An access point can be classified into different categories
– Sanctioned, Neighbor, Rogue and Malicious. By default,
all wireless devices are neighbor until they are classified
as Sanctioned or Rogue or Malicious. Sanctioned devices
are those that you trust. Neighbor devices are those that
can be heard by the sensors but do not pose any threat
to the network. An access point is considered as a Rogue
if it not sanctioned and is found on the wired segment.
An access point that is not on the same wired network
but poses threat or causes vulnerability to the network, is
classified as Malicious. Different vendors, however, have
different requirements on how the classify an access
point as rogue.
RULES TO CLASSIFY APS
By default all APs that you trust, know and are part of
your network should be classified under the Sanctioned
category. If an AP that is not in the trusted list is seen by
the Sensor, it will be classified as Neighbor unless one of
the following conditions is satisfied, in which case it will
be classified as a Rogue or Malicious.
AP that is not sanctioned is seen on your
1 An
LAN (wired) network e.g. employee plugging
in a access point into the wired port will be
classified as rogue
A Zebra Technologies White Paper
AP that is not sanctioned broadcasts the same
2 An
SSID (wireless name) as one of your trusted AP
provided the SSID is sufficiently unique and is posing
some threat e.g. A neighbor Unsanctioned AP that
broadcast ‘Starbucks’ which is the same as your wireless
network is a rogue and doing it purposely. ‘Starbucks’ is a
fairly unique name. However a network name like ‘attwifi’
is not unique enough to be determinedly able to be
classified as a rogue. Personal WiFi hotspot are not rogue
and will fall under the neighbor category, unless they
broadcast the same SSID as your trusted APs or they are
hooked up to your network.
3
RULES TO CLASSIFY CLIENTS
To be able to establish a robust WIPS system, it is equally
important to classify client devices. Client devices can be
classified as Sanctioned, Neighbor, and Unsanctioned.
Sanctioned devices are those that you know are in your
network. For example, all operational devices like
scanners, handhelds that staffs use for business
applications, POS systems, VOIP devices, any corporate
issued devices etc should be classified as Sanctioned.
Since these are devices that the IT organization is
aware of, the first step is to classify these devices as
Sanctioned. Usually this involves either manual process
of importing the list of devices owned by IT into the
WIPS system and sanction these devices, or setting up
classification rules so that the system can automatically
mark them as sanctioned devices. Guest devices, usually
fall under the Unsanctioned client device category.
Apart from classifying Access Points and Clients, it is
recommended to also classify the wireless networks.
Usually the wireless networks are classified as either
operational/corporate or guest. Operational network is
the one on which corporate owned devices, operational
devices connect to and are usually protected by strong
authentication / encryption mechanism. Guest network is
usually an open and captive portal enabled network that
guests and non-operational devices connect to.
What are you guarding against?
A good WIPS system, essentially protects:
1
A sanctioned client from associating to a
non-sanctioned (neighbor or rogue) Access Point.
A sanctioned client from associating to a wireless
2 network that it is not supposed to be connected
to (non operational), even on a Sanctioned Access Point.
For example, preventing a VOIP device or a POS device
from associating to a Guest network on a Sanctioned
Access Point.
3
Any client from associating to a rogue
Access Point.
devices from associating to
4 Unsanctioned
operational wireless network on a Sanctioned AP.
Guest device trying to connect to operational network on
which POS systems are connected.
CLIENT
SSID
AP
RESULT
1
Sanctioned
Operational
Sanctioned
ALLOW
2
Sanctioned
Not Operational
X
VIOLATION
3
Sanctioned
X
Rogue / Neighbor / Malicious
VIOLATION
4
X
X
Rogue / Malicious
VIOLATION
5
Unsanctioned
X
Neighbor
DON’T CARE
6
Unsanctioned
Operational
Sanctioned
VIOLATION
7
Unsanctioned
Not Operational
Sanctioned
ALLOW
A Zebra Technologies White Paper
4
ROGUE DETECTION AND
POLICY BASED TERMINATION
Classifying Rogue
Rogue classification is the heart of a WIPS system.
There are multiple techniques to detect and classify
rogue devices, and this is what sets one WIPS system
apart from others. Some WIPS system do basic
check like MAC address correlation on the wired and
wireless side to classify as rogues. These can lead to
falsely classifying a legitimate device as rogue, and
even worse will completely miss classifying rogue
devices majority of the times.
Wireless intrusion prevention system is not only
responsible for detecting any threats on wireless
networks but also for mitigating those threats.
When any rogue device is detected, based on the
policies configured for termination, the system
must immediately contain the true rogue devices
automatically. A WIPS solution that complies with FCC
and ITU regulations should allow air termination and
policy-based termination to be enabled by a user with
administrator rights.
But it is very important to realize that while selecting
a WIPS solution to implement, customers should
evaluate three critical requirements.
•
Firstly, an accurate threat analysis engine with
zero-false positives for rogue detection is vital to
ensure that the system does not terminate a
legitimate wireless client or personal hotspot setup
by guest in hotels.
•
Secondly, the air termination should be reliable to
cripple the true rogue devices without causing any
disruptions to the wireless network or other
legitimate wireless clients.
•Finally, the solution should be designed to comply
with FCC and ITU regulations by disabling air-termi
nation out of the box and allowing it to be enabled
by a user with administrator rights, while having
internal controls that prevent users from indiscrimi
nately terminating wireless devices.
MOTOROLA AIRDEFENSE SOLUTION
Motorola Solutions AirDefense Service Platform
(ADSP), a flagship product, is a wireless intrusion
prevention system that provides the most advanced
24x7 multi-RF WLAN and Bluetooth monitoring
solution for rogue detection and mitigation, intrusion
detection, policy monitoring and compliance,
automated protection, forensic and incident analysis
and remote troubleshooting. As a key layer of security,
AirDefense complements wireless VPNs,encryption
and authentication. Using a monitoring architecture
of distributed smart sensors and a secure server
appliance, the AirDefense provides the most
comprehensive detection of all threats and intrusions.
A Zebra Technologies White Paper
Unlike any other solution on the market, AirDefense
analyzes existing and day zero threats in real time
against historical data to more accurately detect
threats and anomalous behavior originating inside or
outside the organization. The system automatically
responds to threats according to appropriate business
process and compliance requirements on both
wireless and wired networks, making AirDefense the
industry’s most secure and cost-effective wireless
intrusion prevention and troubleshooting solution.
4
Corporate Headquarters
+1 800 423 0442
[email protected]
Asia-Pacific Headquarters
+65 6858 0722
[email protected]
EMEA Headquarters
+44 (0)1628 556000
[email protected]
Latin America Headquarters
+1 847 955 2283
[email protected]
Other Locations / USA: California, Georgia, Illinois, Rhode Island, Texas, Wisconsin Europe: France, Germany, Italy, the Netherlands, Poland, Spain, Sweden, Turkey,
United Kingdom Asia Pacific: Australia, China, Hong Kong, India, Indonesia, Japan, Malaysia, Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam
Latin America: Argentina, Brazil, Colombia, Florida (LA Headquarters in USA), Mexico Africa/Middle East: Dubai, South Africa
©2014 ZIH Corp. All product names and numbers are Zebra trademarks, and Zebra and the Zebra head graphic are registered trademarks of ZIH Corp.
All rights reserved. All other trademarks are the property of their respective owners.
(12/14)