WIDS/WIPS
A Wireless Intrusion Detection System (WIDS) is a technology designed to protect wireless networks from unauthorized access. It does this by monitoring traffic on the network to identify any suspicious activity that may indicate a security breach.
A Wireless Intrusion Prevention System (WIPS) uses a combination of techniques to detect and prevent intrusions in real time. It not only monitors but also takes action to prevent rogue access points, man-in-the-middle attacks, denial-of-service attacks, and other threats to the wireless network.
Wi-Fi presents a tempting attack surface for threats that can compromise data and network security. While Wi-Fi standards have evolved and become more secure with advancements in Wi-Fi security protocols, hackers can still exploit a variety of vulnerabilities. So, using WIDS/WIPS is essential for several reasons:
Improved Wireless Security: WIDS/WIPS are designed to detect and alert concerning any unauthorized activities on the wireless network in real-time. This is important to secure sensitive data and prevent unauthorized access to your network.
Compliance: Some industries are required to use intrusion detection systems as a part of regulatory requirements. WIDS/WIPS can help meet compliance regulations by providing a detailed audit log of network activity and potential breaches.
Increased Visibility: WIDS/WIPS gives businesses visibility into their wireless networks. This includes tracking access points, users, devices, and more, which is beneficial for identifying potential weak areas in the network and improving security measures.
Proactive Threat Management: Using WIDS/WIPS means being proactive about threat management. Rather than reacting to security incidents after they happen, a WIDS can warn you of potential vulnerabilities and threats before they become security incidents.
Protects from Inside and Outside Threats: WIDS/WIPS protects from external threats and potentially harmful activities originating from inside the network, providing a comprehensive wireless security solution.
Protects Wireless Networks: Traditional IDS solutions are primarily geared toward wired networks. They analyze network traffic, searching for patterns or behaviors indicative of malicious activities. While they are adept at detecting threats on wired networks, they might lack the specialized capabilities required to detect and mitigate threats specific to the wireless spectrum.
The Nile Access Service ensures that the overlay wireless security vector is secure. Traditional vendor-based WIDS solutions need a high level of expertise to configure the WIDS functionality. The complexity of these solutions requires experts to fine-tune the settings. If this is not done right, customers get an overwhelming number of events or alerts that may be false or not actionable.
Nile brings the ‘Nile way’ to WIDS by making it zero configuration, always on, and turnkey. The WIDS functionality kicks in right at service activation, taking on the onus to expertly enable the protection and alerting against top Wi-Fi intrusion threats.
Nile is able to effectively detect, alert on, and mitigate rogue access points from the get-go. The Nile WIDS uses sophisticated correlation techniques that intelligently filter out non-wired neighboring/friendly access points in the vicinity, so that it alerts only on real threats—such as a rogue access point that is connected to the LAN. The benefit of the Nile full wireless and wired LAN service is end-to-end visibility: it can detect the port where the rogue AP has been plugged in and block that port, stopping the intruder from proliferating into the wired LAN and further into the wider network. Furthermore, the rogue AP alert provides location information so the customer can send IT personnel to physically remove the rogue AP.
Rogue access points, or those not approved by IT, can cause a security threat if permitted to connect to the network. Many enterprises have a policy of not allowing third-party Wi-Fi access points to connect to the corporate network.
If a rogue AP connects to the network, it can broadcast its own WLAN to unsuspecting users. This creates an entry point for non-corporate devices to connect to the corporate WLAN if end-to-end security measures are not in place. This is the classic definition of a rogue AP. If not detected, bad actors can safely operate outside the physical perimeter of the enterprise, connecting to the rogue’s WLAN from the parking lot, finding an entry point into the enterprise LAN. WIDS and WIPS help to protect against rogue access points.
An evil twin AP, also known as a honeypot AP, is a form of rogue AP that makes a malicious access point look like a legitimate one. Once users connect to the evil twin AP, attackers can intercept any data traffic passing through this AP. This is called a man-in-the-middle attack. It may result in the compromise of login credentials and other sensitive information, such as banking data if the user carries out transactions when connected to the evil twin. Organizations should use a WIPS to detect the presence of an evil twin AP and prevent any corporate clients from connecting to them.
A rogue access point is an illegitimate access point plugged into a network to create a bypass from outside into the legitimate network. It may or may not be malicious. For example, an employee may connect a router that functions as a rogue AP, but without ill intent. However, lack of malicious intent does not mean that it should be connected to the network. An evil twin is also a rogue, but it is by definition malicious. That’s because it is set up to impersonate a legitimate access point. Attackers use evil twins to lure unsuspecting victims into connecting so that they can steal information.
Sniffers and snoopers typically operate passively, which means that they do not send or transmit data over the network. Instead, they simply listen in on network traffic, intercepting and recording data packets as they are transmitted between devices on the network. Criminals can use commercially available software to spy on unencrypted data in transit over the air between devices and wireless access points. While traffic on most websites is encrypted, this is not the case for every site. Mobile apps also sometimes fail to encrypt data traffic, in part because encryption imposes an overhead cost on the computing resources that support the app on the back end. WIDS and WIPS do not protect against snoopers and sniffers. IT teams can use WPA2 or WPA3 to encrypt data in transit over the air between devices and access points.
DoS attacks can take several forms. For example:
- Wireless interferers affecting Wi-Fi frequencies can be used to jam certain frequencies.
- Ad-hoc networks or peer-to-peer Wi-Fi networks typically involve a corporate-issued device connecting to another non-corporate network that may have been set up as a wireless network by a malicious actor. Connecting to one of these makes it easy for malware to infect a network since its traffic is not going through the corporate network firewall.
- Attackers can send a flood of de-authentication messages to connected devices, causing disruption to end users as they become disconnected from the network. Worse, this can be the first step in an evil twin/MitM attack, because when users get disconnected from a legitimate source of wireless connectivity, they may connect to the evil twin when they attempt to restore connectivity. This is one example where these hacking techniques are used in combination.
Successful detection starts with successful classification by learning the environment.
Authorized APs: Nile APs are authenticated automatically by our switches. They use a Trusted Processing Module to authenticate the Nile AP to our cloud and also use MACsec to authenticate the AP to the neighboring/connected switch.
Authorized end devices: Following the Zero Trust principles within an NSB, every device connected to the Nile service is authorized and authenticated.
Neighbor APs: In a shared environment, all the other APs in the vicinity that are not wired to the Nile infrastructure are classified as neighbor APs. Nile APs have a third radio dedicated to wireless scanning, which identifies the other BSSIDs being broadcast in the area.
The Nile service is able to detect and categorize threats into the following:
Rogue AP: Any non-Nile element connected to the service must be authorized and authenticated onto the network. When a third-party access point is connected to the Nile service and is not authenticated via 802.1X, it waits for approval.
Please navigate to the Nile Portal >> Settings >> Access Management >> Wired.
Until an admin manually approves this request, the device cannot obtain an IP address and therefore cannot pass any traffic onto the network.
If someone does approve the request, the fingerprinting data we collect lets the system detect that the device is a third-party access point, and it raises an alert that a suspected rogue access point has been detected.
Please navigate to Nile Portal >> Alerts >> search for Security events
Because a rogue AP most likely NATs all of its client traffic out of its uplink interface onto the Nile system, the detection also relies on a side effect of that NAT.
Even though the rogue AP rewrites the source MAC address and IP address of NATed traffic, the NSB will see packets with the same source IP and MAC address but different TTL values, which a single host would not produce, and that confirms the detection of a rogue AP.
If the user navigates to the Nile Portal >> Devices page, the fourth tile shows an overview of the clients detected under WIDS/WIPS.
Clicking the rogue AP opens further details about the client, including the vendor it belongs to and the timeline of events.
If the rogue AP is not NATing the traffic, we can still detect it from the fingerprinting data and by comparing its wired MAC address with the BSSIDs it broadcasts, and an alert is shown on the Nile Portal.
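The two rogue-AP heuristics described above (mixed TTLs behind one MAC/IP pair, and a wired MAC that lines up with a broadcast BSSID), as an added example that is not Nile's code. The MAC/BSSID rule is an assumption about how many consumer APs derive BSSIDs from their base MAC; the packet data is constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: (source MAC, source IP, TTL) as seen on the switch port.
# The first three packets come from one rogue AP that NATs two clients with
# different initial TTLs (64 and 128, each decremented once by the rogue's hop).
SAMPLE_PACKETS: List[Tuple[str, str, int]] = [
    ("00:11:22:33:44:55", "10.1.1.50", 63),   # Linux/macOS client behind the NAT
    ("00:11:22:33:44:55", "10.1.1.50", 127),  # Windows client behind the same NAT
    ("00:11:22:33:44:55", "10.1.1.50", 63),
    ("de:ad:be:ef:00:01", "10.1.1.60", 128),  # ordinary directly connected host
    ("de:ad:be:ef:00:01", "10.1.1.60", 128),
]


def nat_suspects(packets: Iterable[Tuple[str, str, int]]) -> Dict[Tuple[str, str], Set[int]]:
    """Group packets by (source MAC, source IP) and return the pairs seen with
    more than one TTL. A single host keeps a constant initial TTL, so several
    TTLs behind one MAC/IP pair means several hosts hidden behind one NAT device."""
    ttls: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for mac, ip, ttl in packets:
        ttls[(mac.lower(), ip)].add(ttl)
    return {key: seen for key, seen in ttls.items() if len(seen) > 1}


def bssid_matches_wired_mac(wired_mac: str, bssid: str, max_delta: int = 15) -> bool:
    """Assumed heuristic (not Nile's algorithm): many APs derive their BSSIDs
    from the wired MAC by keeping the OUI and middle octets, possibly setting the
    locally-administered bit, and changing only the last octet by a small offset."""
    w = bytes.fromhex(wired_mac.replace(":", ""))
    b = bytes.fromhex(bssid.replace(":", ""))
    if len(w) != 6 or len(b) != 6:
        return False
    # Mask out the locally-administered bit (0x02) of the first octet before comparing.
    if (w[0] & 0xFD) != (b[0] & 0xFD) or w[1:5] != b[1:5]:
        return False
    return abs(w[5] - b[5]) <= max_delta


if __name__ == "__main__":
    for (mac, ip), seen in nat_suspects(SAMPLE_PACKETS).items():
        print(f"possible rogue AP (NAT) at {mac} {ip}: TTLs {sorted(seen)}")
    print(bssid_matches_wired_mac("00:11:22:33:44:55", "02:11:22:33:44:56"))
```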
Misassociated Clients: In the case of a rogue AP in bridge mode, where packets are not NATed, traffic from its clients ingresses on the same switch interface as the rogue AP itself. Such a client is categorized as a misassociated client, and the details show which rogue AP it is connected to.
Honeypot AP: A non-Nile AP broadcasting the same ESSID and/or BSSID as an authorized Nile AP is detected as a 'Honeypot' impersonation attempt. These APs are non-wired malicious APs that impersonate an enterprise AP to lure clients to them as the first step of what follows later.
Such APs can be detected by tracking the presence of the vendor-specific Information Element (IE) in the beacons of the impersonating AP. Because Nile's beacons carry its own custom, encrypted IE, a third-party AP attempting to impersonate a Nile AP will certainly differ in its IEs from ours and can be detected easily.
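The honeypot check described above, as an added example that is not Nile's code: it walks the tagged elements of a beacon body, looks for a vendor-specific IE (element ID 221) carrying a trusted OUI, and flags beacons that use an authorized ESSID or BSSID without it. The OUI, the authorized ESSID/BSSID list and the sample beacons are all constructed placeholders.

```python
import struct
from typing import List, Optional, Tuple

# Constructed placeholders: not Nile's real OUI or an actual customer's SSIDs.
TRUSTED_OUI = bytes.fromhex("001122")
AUTHORIZED = {"CorpWiFi": {"02:11:22:33:44:56"}}          # ESSID -> authorized BSSIDs
KNOWN_BSSIDS = set().union(*AUTHORIZED.values())


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Return (element id, payload) pairs from the tagged-parameter section that
    follows the 12-byte fixed fields (timestamp, beacon interval, capabilities).
    Stops at a truncated element instead of reading past the end of the frame."""
    ies, i = [], 12
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break
        ies.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def classify_beacon(bssid: str, body: bytes) -> str:
    """'authorized' needs our ESSID, our BSSID and our vendor IE; anything else
    that borrows our ESSID or BSSID is a 'honeypot'; unrelated SSIDs are 'neighbor'."""
    ies = parse_ies(body)
    ssid = next((p.decode(errors="replace") for eid, p in ies if eid == 0), "")
    has_vendor_ie = any(eid == 221 and p[:3] == TRUSTED_OUI for eid, p in ies)
    bssid = bssid.lower()
    if ssid not in AUTHORIZED and bssid not in KNOWN_BSSIDS:
        return "neighbor"
    if has_vendor_ie and bssid in AUTHORIZED.get(ssid, set()):
        return "authorized"
    return "honeypot"


def build_beacon(ssid: str, vendor_payload: Optional[bytes]) -> bytes:
    """Build a minimal beacon body for the constructed samples (fixed fields,
    SSID element, and optionally one vendor-specific element)."""
    body = struct.pack("<QHH", 0, 100, 0x0411)
    body += bytes([0, len(ssid)]) + ssid.encode()
    if vendor_payload is not None:
        body += bytes([221, len(vendor_payload)]) + vendor_payload
    return body
```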
Rogue AP: After a successful detection of a rogue AP, the NSB takes the following actions so that the AP cannot pass any traffic:
- Shut down the wired port on the access switch where the rogue AP is detected.
- Change the MAB rule on the Nile Portal from approved to denied.
- Send an alert to the customer via email or webhook if they have subscribed to it.
A healthcare customer with several clinics across the US deployed Nile NaaS and found a wireless rogue AP connected to their network within minutes of activation. The customer was unaware that this rogue AP existed in their network; most likely it had been put in months earlier to create a temporary network. This AP created security vulnerabilities by potentially creating entry points into their network from outside.