- Anomaly detection
- Misuse detection
- Protocol analysis
An IPS, contrary to IDS not only can detect attacks, but it can also take pro-active measures against those attacks. For the rest of this tutorial, we will use the term IPS and IDS inter-changeably.
Types of IPS/IDS
To generate alarms an IPS must be installed somewhere in a network to watch over the network. There are two (basic) locations where IPS/IDS can be installed:
- Host-based IPS (HIPS)
HIPS are installed on the host itself. They check for malicious activity at the operating system level. HIPS examine a number of parameter of the host including system calls, audit logs, error messages, and so forth. HIPS has first-hand information on the success of an attack since traffic is examined after it reaches the target of attack.
- Network-based IPS (NIPS)
NIPS examine packets as they traverse through the network to locate attack against the network. They can be installed in active or passive mode. In passive mode, IPS/IDS sniff the traffic as it passes through the network against known signatures. IPS can act as a layer-2 device forwarding the traffic. In active mode, an IPS is installed as layer-3 device and actively looks for known and unknown attacks. In case of an anomaly, all intrusive traffic is dropped before it could reach the target system.
NIPS have the following advantages compared to HIPS:
- Overall network perspective
- Does not run on every operating system in the network – reduces administration overhead
Now that we have a basic understanding of IPS and IDS, let us look what WIPS is? A WIPS actively monitors the radio spectrum of the presence of unauthorized access points (detection) and take countermeasures automatically (prevention).
WIPS monitors and prevents unauthorized access to resources through a wireless network. WIPS is implemented as an overlay to an existing WLAN infrastructure.
Rouge devices can spoof MAC address of an authorized network device. WIPS uses a finger-printing approach to pick out devices with spoofed MAC addresses. This is done by comparing the signals emitted by each wireless device against the authorized wireless device. WIPS can more or less prevent the following threats:
- Rogue AP
- MAC spoofing
- DoS attacks
- Man-in-the-Middle attacks
- Ad-hoc networks.
- Un-authorized associations
- Mis-configured clients
- Mis-configured AP
Components of WIPS
WIPS can consist of three basic components:
- Sensors: devices that scan the wireless spectrum
- Server: to analyze packets captured by the sensors
- Console: user interface for system administration and reporting
Examples of WIPS
- Cisco Adaptive Wireless IPS software (NIPS only)
- AirMagnet Enterprise Wireless Security (NIPS only)
- AirTight (HIPS and NIPS)
- AirDefence from Motorola (NIPS only)
This brings us to the end of a brief overview of Wireless Intrusion Prevention System.