FEATURE: WLAN Switches, APs, and IDP -- The Trend Toward Open Systems

Network Chemistry's Rob Markovich takes a look at the trends that will shape the next generation of wireless network security.

Not so long ago, the enterprise IT department could thwart hackers by erecting a security system around only one or a few points of entry. Intrusion detection and prevention (IDP) is much more complicated with today's wireless LANs (WLANs), where every wireless access point (AP) is a potential back door into the system. Many enterprises want to have wireless security and IDP integrated with their WLAN switches and APs, and as IT security experts exert more control over wireless security decisions, the demand for best-of-breed security products will grow. IT has to protect against rogue devices, assess vulnerabilities, detect intrusions, and handle compliance reporting for thousands of APs -- and the job is not easy when the right tools are not available.

Today, there are three major options for implementing sensor agents (SAs). At one end of the spectrum, some WLAN vendors offer wireless APs that handle security monitoring on a part-time basis. Even though they must stick to a single 802.11 channel, every fifteen minutes or so these APs scan the other channels for rogue APs and other wireless anomalies. Needless to say, this method is not effective; continuous real-time monitoring of the airwaves is essential to ensure WLAN security. Nor can AP vendors alone deliver the specialized support that a best-of-breed vendor dedicated to wireless monitoring can. In addition, network transmission equipment that also performs intrusion monitoring is vulnerable to attack, since it is this same equipment that hackers can probe, hijack, and disable.

The second option calls for an SA to provide round-the-clock security by running full-time on hardware originally meant to be an AP. This has the benefit of providing more comprehensive coverage, but the closed architecture forces IT to purchase IDP from the WLAN vendor, not from security experts.

The third option is to use purpose-built hardware from a dedicated wireless IDP (WIDP) vendor. Purpose-built hardware can provide more functionality than a typical AP, such as greater range or more sophisticated RF analysis, and is also more secure because the device cannot be hijacked and converted into a rogue AP.

The Best of All Worlds

Today, the trend in wireless security is toward allowing customers to choose which of the three models best suits their environment; vendors of stand-alone IDP solutions are now allowing their open software SAs to run on third-party AP hardware that incorporates 802.11 radios as well as on their own purpose-built hardware. This gives enterprises the best of all worlds: the independence of choosing the best-in-class hardware and the best-in-class security. WLAN vendors also benefit, since they can purchase best-of-breed IDP protection for their products without getting locked into a single supplier. Every vendor of WLAN systems that sells into enterprises must have an IDP solution, and partnering with an IDP vendor is far more cost effective than developing the capability in-house.

Open software SAs are designed from the ground up to run on third-party hardware; if vendors had to trim an SA to fit different products, APs from different vendors would provide varying levels of functionality. These SAs separate the hardware layer from the software layer and can run on a variety of operating systems, including real-time operating systems. The most versatile of the open software SAs are also lightweight. They have very low memory and CPU requirements and are thus able to run on practically any AP or purpose-built device that has a radio in it.

Where Should Data Analysis Take Place?

An important issue to consider when designing an open SA concerns where to perform the analysis of the data collected by the SA: in the AP, in a central server, or in a combination of both. If all analysis is performed in the agent, the agent will be too fat to fit on all platforms. Centralized data analysis allows the enterprise to support many platforms, but this solution is not very scalable, as the volume of data backhauled to the server can overwhelm the WLAN.

The best solution is a split-analysis architecture, where an SA with low bandwidth requirements performs first-stage analysis, compression, and encryption of wireless traffic before sending data to the software in the server, where the analysis is completed. This architecture enables the development of an open software SA that can fit within the form factor of even the thinnest AP yet does not disrupt the network by transmitting huge amounts of raw data. Efficient use of bandwidth enables a split-analysis architecture to scale to correlate surveillance and analysis information from thousands of remotely deployed agents.
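The split-analysis architecture described above, as an added illustration that is not code from the article or from Network Chemistry's products: a sensor agent reduces constructed beacon observations to a compact, compressed summary (flagging BSSIDs outside an authorized list), and a central server correlates the summaries from several agents. The encryption step is omitted, and all BSSIDs, SSIDs and frame records are constructed sample data.

```python
import json
import zlib
from collections import defaultdict

# Constructed authorized-AP list; anything else seen on the air is a candidate rogue.
AUTHORIZED_BSSIDS = {"00:11:22:00:00:01", "00:11:22:00:00:02"}


def make_frames(n=200):
    """Constructed beacon observations for one sensor; every 50th frame is an unknown AP."""
    frames = []
    for i in range(n):
        if i % 50 == 0:
            frames.append({"bssid": "de:ad:be:ef:00:01", "ssid": "Free-WiFi", "chan": 11, "rssi": -60})
        else:
            frames.append({"bssid": "00:11:22:00:00:0%d" % (1 + i % 2), "ssid": "corp",
                           "chan": 1 + 5 * (i % 2), "rssi": -50})
    return frames


def first_stage_analysis(agent_id, frames):
    """Stage 1, on the SA: aggregate per BSSID and flag BSSIDs not in the authorized list."""
    seen = defaultdict(lambda: {"count": 0, "chan": None, "ssid": None, "max_rssi": -100})
    for f in frames:
        s = seen[f["bssid"]]
        s["count"] += 1
        s["chan"] = f["chan"]
        s["ssid"] = f["ssid"]
        s["max_rssi"] = max(s["max_rssi"], f["rssi"])
    return {"agent": agent_id,
            "alerts": [dict(bssid=b, **v) for b, v in seen.items() if b not in AUTHORIZED_BSSIDS],
            "stats": {b: v["count"] for b, v in seen.items()}}


def compress_report(report):
    """What the SA actually backhauls: the summary, serialized and compressed."""
    return zlib.compress(json.dumps(report, sort_keys=True).encode())


def raw_size(frames):
    """Bytes a fully centralized design would have to backhaul for the same observations."""
    return len(json.dumps(frames).encode())


def server_correlate(blobs):
    """Stage 2, on the server: group each rogue BSSID by the agents that reported it."""
    rogues = defaultdict(set)
    for blob in blobs:
        rep = json.loads(zlib.decompress(blob).decode())
        for a in rep["alerts"]:
            rogues[a["bssid"]].add(rep["agent"])
    return {b: sorted(agents) for b, agents in rogues.items()}
```

Comparing `raw_size(frames)` with `len(compress_report(report))` shows the bandwidth argument directly: the summary is a small fraction of the raw observations, while the server still learns which agents saw each rogue.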

Ultimately, open software SAs will be available that can run not just on APs but on any device with a radio, such as laptops and PDAs, giving enterprises complete flexibility to purchase the type of hardware and security appropriate for their needs. Sometimes it may be best to run the SA on an AP, sometimes it may be more appropriate to run the SA on a purpose-built device, and there may even be situations when the SA only needs to run part time.

Know Your Security Vendor

To attain the highest levels of security, enterprises need to ask their WLAN vendors where their security technology comes from. Enterprises also need to make sure that the centralized software (where all analysis is done, where the database is maintained, and where IDP integrates with third-party equipment) is from a security vendor. WLAN vendors' focus, after all, is on building inexpensive APs, not on developing SA software that scales to serve large installations. Integrating the best IDP solutions with the best APs turns everyone into a winner: hardware vendors can focus all their resources on their core competency, and enterprises are assured the best possible security for their WLANs.

Rob Markovich is CEO of Network Chemistry.