WIPS will disappear

I’ve been thinking for a long time now about why it is that most of my customers do not seem concerned about wireless intrusion detection/prevention systems. There are most definitely attacks out there that can cause problems for wireless networks and clients. I have many times talked to people about the advantages of having a system like this in place, but still they are unconvinced as to the value of those systems, apart from people that have an obvious need to have tight control over their WLAN, such as banks. Still, it puzzled me that the focus was on detecting rogues on the network, not other types of attacks. I attempted to talk about the wider value gained from a WIPS system, such as better performance metrics from monitoring the WLAN more closely. Even when it was offered for free, it seemed that this functionality wasn’t that important, as it was hardly used or even monitored.

I happen to be fortunate to work with a lot of very smart people, who know a lot about IT security. I know from working alongside them what the current trends are for both attacks and for types of devices used for defense in depth and the methodology used to defend enterprises from those attacks. Today one of the top items on everyone’s agenda is mobile devices. As almost all of those devices access wireless networks in some way, it’s not a large jump to think that this would increase the need for WIPS use. It’s not happening, however. In fact, from what I can see, people are more concerned about protecting the mobile devices than attacks on the wireless network directly.

It finally struck me today what the logic chain is behind people not being particularly interested in WIPS, and that the logical conclusion is that standalone WIPS systems will eventually disappear. First, I would say that the reason these systems came about in the first place was that the security of WEP-based networks was so poor that you really HAD to watch the wireless network and know in real time when attacks happened. This has evolved to the current standard practice of using WPA2-based 802.1X dynamic authentication. Now people can be sure their wireless networks are controlled and each individual accessing it is authenticated separately. Attackers also realized this and started to focus on the client as the next easy target. In addition, they began to do things like planting devices using the same SSID (evil twin attack) and using modified RADIUS servers to capture the user’s authentication. This is difficult to pull off, however.

WIPS evolved as well and began to add signatures and heuristics to their act to see these kinds of attacks as well. Wireless networks are not fully secured even today, but the most interesting thing for potential attackers is to get into the network unnoticed and as easily as possible. The bar has been raised high enough now for WLAN security to divert attention towards the mass of mobile devices and use them as an easier launchpad to get into the network. In addition to this, wireless network monitoring and systems to control what an individual user is authorized to access are becoming more and more sophisticated.

This led me to a discussion I had with a co-worker about wired IPS systems and why we didn’t see many of our customers excited about looking at the latest developments with these products. What that basically came to was that more and more they were not seeing a need for these systems, as the next generation firewall systems with deep packet inspection were taking over the role of the wired IPS devices. I realized then why the announcement of deep packet inspection capabilities that Aruba Networks is now incorporating into their products was so important and why it meant that WIPS products will disappear. Simply, the security argument for these products was tenuous in most customers’ minds in any case, and now that there is a simpler, more cost-effective solution that focuses on the main issue, client security and posture, this means that many of the reasons to have an independent WIPS are gone.

People will focus on the value they can get from their systems and making it as easy as possible to solve the pain points they have. The focus for wireless attacks has shifted to clients, and logically this shifts the attention of securing the network to those clients. I think that even some of the current WIPS vendors are seeing this writing on the wall and realizing that to stay relevant they need to shift their focus also. Those that don’t can of course sue other wireless vendors to get more value out of their product, but this is a short-sighted strategy. Look for WIPS products to become more and more irrelevant and for the features they provide to become subsumed into a general security feature set of WLANs.

3 Responses to “WIPS will disappear”

  1. rovinguser says:

    Excellent article! Indeed the ‘sweet spot’ is the mobile devices/users, not the WLAN network. Also a WLAN attacker nearly always has to be on the premises and this makes them vulnerable…

  2. @creekdaze says:

    Agreed that an overlay is losing some ground, but dedicated infrastructure-based sensors/monitors are absolutely still valid for full-time off-channel scanning. Plus it helps with RTLS.

  3. […] WIPS will disappear | WiFi Kiwi’s Blog – I agree with Chris. The idea of separate IPS and WIPS systems is no longer relevant as those functions move into the firewall software. Most of the features in IPS devices are arcane and obscure. Ownership & maintenance of an IPS is a costly and risky business process. […]
