Wireless Intrusion Detection and Prevention in the Nile Access Service

Introduction

The Nile Access Service is designed to protect wireless networks from unauthorized access and security threats. This is achieved through the use of Wireless Intrusion Detection Systems (WIDS) and Wireless Intrusion Prevention Systems (WIPS) - technologies that monitor the wireless network traffic and take action to detect, alert, and mitigate potential security breaches.

Wireless Intrusion Detection System (WIDS)

A WIDS is a technology that monitors the Nile wireless network for any suspicious activity or unauthorized access attempts. It does this by continuously analyzing the wireless traffic to identify patterns or behaviors that may indicate a security breach.

Wireless Intrusion Prevention System (WIPS)

A WIPS goes a step further by not only detecting potential threats but also taking immediate action to prevent them. This system uses a combination of techniques to detect and mitigate rogue access points, man-in-the-middle attacks, denial-of-service attacks, and other threats to the Nile wireless network.

Importance of WIDS and WIPS

Implementing WIDS and WIPS technologies is crucial for the Nile Access Service for several reasons:

  1. Improved Wireless Security: WIDS and WIPS help to detect and alert on any unauthorized activities on the Nile wireless network, protecting sensitive data and preventing unauthorized access.
  2. Compliance: Some industries may require the use of intrusion detection systems as part of regulatory requirements. WIDS and WIPS can help organizations meet these compliance standards.
  3. Increased Visibility: WIDS and WIPS provide visibility into the Nile wireless network, including tracking access points, users, devices, and more, which can help identify potential security weaknesses.
  4. Proactive Threat Management: WIDS and WIPS enable proactive threat management, allowing the Nile Access Service to detect and mitigate potential vulnerabilities before they become security incidents.

By leveraging these technologies, the Nile Access Service can provide a comprehensive wireless security solution that protects against both external and internal threats.

Threat vectors in wireless networks

Rogue Access Points

Rogue access points are unauthorized APs that are connected to the network without the knowledge or approval of the IT team. These rogue APs can create an entry point for non-corporate devices to access the network, potentially exposing the organization to security risks.

Wi-Fi Rogue Access Points


Evil Twins or Honeypot APs

An evil twin AP, also known as a honeypot AP, is a form of rogue AP that impersonates a legitimate access point. When users connect to the evil twin AP, attackers can intercept the data traffic, leading to potential compromise of login credentials and other sensitive information.

Wi-Fi Honeypot / Evil-Twin


Sniffers and Snoopers

Sniffers and snoopers are tools that passively monitor and intercept wireless network traffic, including unencrypted data. Criminals can use these tools to spy on and steal sensitive information transmitted over the wireless network.

Denial-of-Service (DoS) Attacks

DoS attacks can take various forms in the wireless domain, such as:

  • Jamming wireless frequencies to disrupt connectivity
  • Sending a flood of de-authentication messages to connected devices, causing disruption
  • Exploiting vulnerabilities in the wireless protocols to disrupt network operations

These DoS attacks can not only impact the availability of the wireless network but also serve as a precursor to more sophisticated attacks, such as evil twin or man-in-the-middle scenarios.

Wi-Fi DoS Attacks


By understanding these generic threat vectors, the Nile Access Service can implement robust WIDS and WIPS strategies to detect, alert, and mitigate these security risks, ensuring the overall integrity and reliability of the wireless network.

Nile's Approach to Wireless Intrusion Detection and Prevention

The Nile Access Service is designed with comprehensive WIDS and WIPS capabilities to detect, alert, and mitigate a wide range of wireless security threats. Nile's approach leverages the unique features and architecture of the Nile Service Blocks (NSBs) and the Nile Cloud Services to provide a robust wireless security solution.

Authorized Network Elements

The Nile Access Service ensures that all authorized network elements, including Nile APs and client devices, are properly authenticated and integrated into the system:

  • Nile APs are automatically authenticated by the Nile switches using a Trusted Platform Module and MACsec encryption.
  • All client devices connected to the Nile network are authorized and authenticated, following the zero-trust principles of the Nile Access Service.

Neighbor AP Monitoring

The Nile APs are equipped with a dedicated third radio that continuously scans the wireless environment, including neighboring APs that are not part of the Nile infrastructure. This allows the Nile Access Service to classify and monitor these "neighbor APs" for any potential security threats.

Threat Detection and Alerting

The Nile Access Service leverages the comprehensive data collected from the NSBs and the Nile Cloud Services to detect and categorize various wireless security threats, including:

  1. Rogue Access Points: The Nile Access Service can detect and alert on any non-Nile APs that attempt to connect to the network. These rogue APs are identified based on their lack of authentication and authorization within the Nile system.
  2. Misassociated Clients: The Nile Access Service can identify client devices that are connected to a rogue AP, even if the rogue AP is not performing network address translation (NAT) on the traffic.
  3. Honeypot APs: The Nile Access Service can detect and alert on any APs that are impersonating a legitimate Nile AP by analyzing the wireless beacons and identifying discrepancies in the vendor-specific information elements.

When these threats are detected, the Nile Access Service generates alerts that are surfaced in the Nile Cloud Services Portal, allowing administrators to take appropriate action.

Nile Services: Alerts & Audit page


Because this is a rogue AP, it will most likely NAT all of its clients' traffic out of its uplink interface onto the Nile system.

When the traffic is NAT'ed, the rogue AP rewrites the source MAC address and IP address of every client packet, so all of its clients appear to the NSB as a single host. The NSB will nevertheless see packets with the same source IP and MAC address carrying two different TTL values, and that confirms the detection of a rogue AP.
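The TTL check just described, as an added example (not Nile's own code): it groups constructed packet records by ingress port, source MAC and source IP, and reports the sources that carried more than one TTL. The field names and sample values are assumptions for the example.

```python
from collections import defaultdict

# Constructed per-packet records as an NSB switch might observe them on its
# access ports: (ingress port, source MAC, source IP, IPv4 TTL). Field names
# and values are assumptions for this example, not Nile's data model.
SAMPLE_PACKETS = [
    # Two different clients behind a NAT'ing rogue AP on port ge1/0/7: the AP
    # rewrites their source MAC/IP to its own, but each client's OS default TTL
    # (64 for Linux/macOS, 128 for Windows), decremented once by the AP, survives.
    ("ge1/0/7", "02:aa:bb:00:00:10", "10.0.5.20", 63),
    ("ge1/0/7", "02:aa:bb:00:00:10", "10.0.5.20", 127),
    ("ge1/0/7", "02:aa:bb:00:00:10", "10.0.5.20", 63),
    # An ordinary directly attached host: same source, one stable TTL.
    ("ge1/0/9", "02:aa:bb:00:00:20", "10.0.5.31", 64),
    ("ge1/0/9", "02:aa:bb:00:00:20", "10.0.5.31", 64),
]


def find_nat_sources(packets, min_distinct_ttls=2):
    """Group packets by (port, src MAC, src IP) and return the sources whose
    packets carried at least `min_distinct_ttls` different TTL values.

    A single host sends every packet with one initial TTL, so a source that
    shows several TTLs is hiding more than one host behind it, which is the
    NAT'ing rogue AP signature described above. The returned dict maps each
    such source to its sorted TTL set; the set's size is a lower bound on the
    number of clients behind that AP."""
    ttls = defaultdict(set)
    for port, src_mac, src_ip, ttl in packets:
        ttls[(port, src_mac, src_ip)].add(ttl)
    return {src: sorted(seen) for src, seen in ttls.items()
            if len(seen) >= min_distinct_ttls}


if __name__ == "__main__":
    for (port, mac, ip), seen in find_nat_sources(SAMPLE_PACKETS).items():
        print(f"suspected NAT'ing rogue AP {mac} ({ip}) on {port}: TTLs {seen}")
```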

If the user navigates to the Nile Portal >> Devices page, the 4th tile shows an overview of the clients detected under WIDS/WIPS.

If you click on the Rogue AP, you can drill into further details about the client, including the vendor it belongs to and the timeline of the events.

If the rogue AP is not NAT'ing the traffic, it can still be detected based on the fingerprinting data and by comparing its wired MAC address with the BSSIDs it is broadcasting; an alert is then shown on the Nile Portal.

Misassociated Clients: In the case of a rogue AP in bridge mode, where the packets are not NAT'ed, the traffic from a client of that AP ingresses on the same switch interface as the rogue AP itself. Such a client is categorized as a misassociated client, and the Portal also shows which rogue AP it is connected to.
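The two bridge-mode checks above (wired MAC versus broadcast BSSIDs, then clients sharing the rogue AP's switch port), as one added example that is not Nile's code. It assumes the rogue AP derives its BSSIDs from its wired MAC by varying only the low bits, a common vendor practice the page does not spell out; the wired table, scan results and MAC values are constructed.

```python
def mac_base(mac, low_bits=4):
    """Normalize a MAC to its 'base' by clearing the low `low_bits` bits.
    Assumption for this example: the rogue AP derives its per-SSID/per-radio
    BSSIDs from its wired MAC by varying only those low bits."""
    value = int(mac.replace(":", "").lower(), 16)
    value &= ~((1 << low_bits) - 1)
    return f"{value:012x}"


def classify_bridged_rogues(wired_table, scanned_bssids, nile_bssids):
    """wired_table:    {switch port: [MACs learned on that port]} (constructed)
    scanned_bssids: BSSIDs heard by the AP's third radio (constructed)
    nile_bssids:    BSSIDs of authorized Nile APs, excluded from the neighbour set

    Returns (rogues, misassociated): rogues maps a rogue AP's wired MAC to the
    port it is plugged into; misassociated maps every other MAC learned on that
    same port to the rogue AP it sits behind, as the text describes."""
    neighbour_bases = {mac_base(b) for b in scanned_bssids
                       if b.lower() not in nile_bssids}
    rogues = {}
    for port, macs in wired_table.items():
        for mac in macs:
            if mac_base(mac) in neighbour_bases:   # wired MAC matches a heard BSSID
                rogues[mac] = port
    misassociated = {}
    for rogue_mac, port in rogues.items():
        for mac in wired_table[port]:
            if mac != rogue_mac and mac not in rogues:
                misassociated[mac] = rogue_mac
    return rogues, misassociated


# Constructed sample: a bridging rogue AP on ge1/0/7 with one wireless client
# behind it, and an unrelated wired host on ge1/0/9.
WIRED_TABLE = {
    "ge1/0/7": ["02:aa:bb:00:00:10", "02:cc:dd:00:00:01"],
    "ge1/0/9": ["02:aa:bb:00:00:20"],
}
SCANNED_BSSIDS = ["02:aa:bb:00:00:11", "02:aa:bb:00:00:12", "02:ee:ff:00:00:01"]
NILE_BSSIDS = set()   # constructed: no Nile BSSIDs appear in this scan

if __name__ == "__main__":
    print(classify_bridged_rogues(WIRED_TABLE, SCANNED_BSSIDS, NILE_BSSIDS))
```

A port carrying several directly attached hosts (for example behind an unmanaged switch) would be reported the same way, which is why the text pairs this check with the fingerprinting data.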

Honeypot AP: A non-Nile AP broadcasting the same ESSID and/or BSSID as an authorized Nile AP is detected as a 'Honeypot' impersonation attempt. These APs are defined as non-wired malicious APs that impersonate an enterprise AP to lure clients to it as the first step of what follows later.

Such APs can be detected by tracking the presence of the vendor-specific Information Element (IE) in the beacons of the impersonating AP. Because Nile includes its own custom, encrypted IE in its beacons, any third-party AP attempting to impersonate a Nile AP will differ from our beacons in this IE and can therefore be detected easily.
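The beacon IE check above as an added example, not Nile's code: it parses the tagged-parameter section of a beacon body (element ID, length, value) and flags a beacon that advertises an authorized ESSID or BSSID without carrying a vendor-specific IE under the expected OUI. The OUI is a placeholder, since the page does not give Nile's, and the beacon bodies are constructed.

```python
VENDOR_SPECIFIC = 221                    # 802.11 element ID for a vendor-specific IE
NILE_OUI_PLACEHOLDER = b"\x00\x00\x00"   # placeholder: the real OUI is not on the page


def parse_ies(body):
    """Parse a beacon body's tagged parameters into (element id, value) pairs.
    Each element is one byte of ID, one byte of length, then the value; a
    truncated trailing element ends parsing instead of being misread."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:
            break
        ies.append((eid, data))
        i += 2 + length
    return ies


def is_honeypot(bssid, body, authorized_essids, authorized_bssids,
                oui=NILE_OUI_PLACEHOLDER):
    """True when the beacon claims an authorized ESSID or BSSID but lacks the
    vendor-specific IE (element 221) whose first three bytes are `oui`."""
    ies = parse_ies(body)
    ssid = next((d.decode(errors="replace") for eid, d in ies if eid == 0), "")
    impersonating = ssid in authorized_essids or bssid.lower() in authorized_bssids
    has_nile_ie = any(eid == VENDOR_SPECIFIC and d[:3] == oui for eid, d in ies)
    return impersonating and not has_nile_ie


def build_beacon_body(ssid, vendor_payload=None):
    """Constructed helper: SSID element, a basic-rates element, and optionally a
    vendor-specific element, to produce test beacons for this example."""
    body = bytes([0, len(ssid)]) + ssid.encode()
    body += bytes([1, 1, 0x82])          # supported rates: 1 Mbps, basic
    if vendor_payload is not None:
        body += bytes([VENDOR_SPECIFIC, len(vendor_payload)]) + vendor_payload
    return body
```

The check is presence-based and does not verify the IE's contents; an AP that replays a captured Nile IE verbatim would need the content comparison the text alludes to.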

** Not able to find a clean screenshot for this alert, will add at a later time

Threat Mitigation

Upon the detection of a rogue AP, the Nile Access Service can automatically take the following mitigation actions:

  1. Shut down the wired port on the Nile Access Switch where the rogue AP is connected.
  2. Change the MAC Authentication Bypass (MAB) rule in the Nile Cloud Services Portal to deny access for the rogue AP.
  3. Send an alert to the customer via email or webhook, if the customer has subscribed to these notifications.

By combining comprehensive threat detection, alerting, and automated mitigation capabilities, the Nile Access Service provides a robust wireless security solution that protects the network from a wide range of security threats.

Rogue AP mitigation alert