What Are WIDS and WIPS?

WIDS stands for wireless intrusion detection system. It is a technology designed to protect wireless networks from unauthorized access. It does this by monitoring traffic on the network to identify any suspicious activity that may indicate a security breach.

WIPS stands for wireless intrusion prevention system. WIPS uses a combination of techniques to detect and prevent intrusions in real time. It not only monitors but also takes action to prevent rogue access points, man in the middle attacks, denial-of-service attacks, and other threats to the wireless network.

Why are WIPS/WIDS important?

Wi-Fi presents a tempting attack surface for threats that can compromise data and network security. While Wi-Fi standards have evolved and become more secure with advancements in Wi-Fi security protocols, hackers can still exploit a variety of vulnerabilities. Enterprises have long employed a layered approach to IT security with wireless intrusion detection and prevention an important part of this.

What are the most important wireless security threats that enterprises should be aware of?

This section discusses some of the most important wireless security threats to be aware of. Such security threats include:

• Rogue access points—unapproved sources of wireless connectivity that can connect to the network and interfere with it.
• Honeypot or evil twin APs—fake Wi-Fi access points set up by intruders to mimic legitimate ones, hoping that users connect to them. This exposes their data traffic to being intercepted in a man-in-the-middle attack (MitM).
• Sniffers and snoopers—attackers can use commercially available network analysis tools to snoop on wireless data traffic in transit over the air.
• DoS (denial-of-service) attack—disruption of end-user access to the wireless network by sending de-authentication packets.

Failure to protect a network from such threats leaves it open to a variety of adverse outcomes, such as data loss, data destruction, and loss of service. One cybersecurity report1 cited wireless access points as the number one attack vector for data breaches. 34% of organizations that experienced a data breach said that wireless access points were the point of origin.

What are the similarities and differences between WIPS and WIDS?

WIPS and WIDS have differences as well as similarities. Both are used to continuously protect a wireless network and in some cases, a wired network, from unauthorized users. Both WIDS and WIPS operate non-stop, largely without any management or IT admin involvement. They guard the wireless local area network (WLAN) on a constant basis, listening to all radio traffic within the WLAN’s operating frequencies.

• WIDS—uses a system of sensors to detect the presence and intrusion of any unauthorized or rogue devices.
• WIPS—detects threats and protects against them by containing the unauthorized device or disconnecting it from the network.

Most of the systems currently available are designed to both detect and deal with threats, and as such we would consider them to be a WIPS.

A typical WIPS consists of three components: a server, a management console, and a collection of distributed sensors. The WIPS server can be either hardware or software based. This server performs system management and configuration tasks, signature, behavior, and protocol analysis, as well as radio frequency spectrum analysis to detect intrusion.

What happens without WIPS or WIDS?

IT teams generally deploy a range of perimeter security, authentication, and authorization systems to protect the network from who and what can log on to it, either through wired LAN or wireless LAN. They also need to use tools to monitor other security vectors, and this is where WIDS and WIPS are useful as part of a layered strategy for wireless security. Not using a system to protect the network against unauthorized intrusion can leave it open to data compromise.

An in-depth look into wireless security threats

This section provides greater detail about some of the threats that WIDS and WIPS protect against–and one for which other safeguards are required.

Rogue access points

Rogue access points, or those not approved by IT, can cause a security threat if permitted to connect to the network. Many enterprises have a policy of not allowing third-party Wi-Fi access points to connect to the corporate network.

If a rogue AP connects to the network, it can broadcast its own WLAN to unsuspecting users. This creates an entry point for non-corporate devices to connect to the corporate WLAN if end-to-end security measures are not in place. This is the classic definition of a rogue AP. If not detected, bad actors can safely operate outside the physical perimeter of the enterprise, connecting to the rogue’s WLAN from the parking lot, finding an entry point into the enterprise LAN. WIDS and WIPS help to protect against rogue access points.

Evil twins

An evil twin AP, also known as a honeypot AP, is a form of rogue AP that makes a malicious access point look like a legitimate one. Once users connect to the evil twin AP, attackers can intercept any data traffic passing through this AP. This is called a man-in-the-middle attack. It may result in the compromise of login credentials and other sensitive information, such as banking data if the user carries out transactions when connected to the evil twin. Organizations should use a WIPS to detect the presence of an evil twin AP and prevent any corporate clients from connecting to them.

What is the difference between an evil twin and a rogue access point?

A rogue access point is an illegitimate access point plugged into a network to create a bypass from outside into the legitimate network. It may or may not be malicious. For example, an employee may connect a router that functions as a rogue AP, but without ill intent. However, lack of malicious intent does not mean that it should be connected to the network. An evil twin is also a rogue, but it is by definition malicious. That’s because it is set up to impersonate a legitimate access point. Attackers use evil twins to lure unsuspecting victims into connecting so that they can steal information.

Sniffers and snoopers

Sniffers and snoopers typically operate passively, which means that they do not send or transmit data over the network. Instead, they simply listen in on network traffic, intercepting and recording data packets as they are transmitted between devices on the network. Criminals can use commercially available software to spy on unencrypted data in transit over the air between devices and wireless access points. While traffic on most websites is encrypted, this is not the case for every site. Mobile apps also sometimes fail to encrypt data traffic, in part because encryption imposes an overhead cost on the computing resources that support the app on the back end. WIDS and WIPS do not protect against snoopers and sniffers. IT teams can use WPA2 or WPA3 to encrypt data in transit over the air between devices and access points.

DoS attacks

DoS attacks can take several forms. For example:

• Wireless interferers affecting Wi-Fi frequencies can be used to jam certain frequencies.
• Ad-hoc networks or peer-to-peer Wi-Fi networks typically involve a corporate-issued device connecting to another non-corporate network that may have been set up as a wireless network by a malicious actor. Connecting to one of these makes it easy for malware to infect a network since its traffic is not going through the corporate network firewall.
• Attackers can send a flood of de-authentication messages to connected devices, causing disruption to end users as they become disconnected from the network. Worse, this can be the first step in an evil twin/MitM attack, because when users get disconnected from a legitimate source of wireless connectivity, they may connect to the evil twin when they attempt to restore connectivity. This is one example where these hacking techniques are used in combination.
  Enterprises can use WIDS and WIPS to protect against these types of DoS attacks.

Summary

WIDS and WIPS are powerful security tools that detect and prevent a wide range of security threats that can compromise network integrity and sensitive data. Effective wireless security starts with best practices such as enterprise-grade authentication, authorization, and encryption. A comprehensive wireless security strategy should also employ WIDS and WIPS, for the highest level of protection for wireless networks and the data they transmit.

1CRA Business Intelligence 2023 Global State of Cybersecurity Study, Sponsored by InfoBlox.
TABLE