WIDS Overview Part III: Vigilant Minds, and Conclusion

Vigilant Minds offers in-depth intrusion analysis and prevention for wireless and wired networks.

by Lisa Phifer
VP Core Competence, Inc.
[October 28, 2003]

Founded in January 2001, VigilantMinds is an InfoSec provider based in Pittsburgh, Penn. The company delivers security software, training, professional services, and SecureXone managed security services.

Professional services include security audits, penetration testing, regulatory compliance review, and network forensics. SecureXone managed services include managed firewall, vulnerability scanning, syslog monitoring, and wireless intrusion prevention.

VigilantMinds introduced its wireless managed security service, VigilantMinds AirXone Wireless Intrusion Prevention, about 5 months ago. AirXone includes wireless access monitoring, seven-layer intrusion monitoring, and intrusion prevention, driven by static, behavior-based, and identity-based rules. According to CEO John Foley, VigilantMinds believes there is a big difference between rogue AP detection, intrusion detection, and intrusion prevention.

"We have a philosophy of providing solutions for business issues surrounding security, not just technology," said Foley. "We started with rogue detection. This is very good, but it's not all that [customers] need. They need to see behavior—they need to see what intruders are really doing." Based on this premise, VigilantMinds created AirXone as an intrusion detection and prevention solution. "We can see if [an intruder] is doing something suspicious and should be taken off wireless to prevent [intrusion] into the wired network."

To illustrate how AirXone differs, Foley described a penetration test performed on a customer's network where a company executive had installed an unauthorized but wide open AP in his office. VigilantMinds associated with this AP from the parking lot and ran tests to see what level of penetration was possible using that rogue. "If this company had been using [only rogue detection], they would have known that we attached to the wireless network, but not what happened beyond that," said Foley. "Our system would have seen and prevented that attack."

According to Operations Manager Eric Molitor, most WIDS products perform physical and data link layer state analysis. "We add application-level intrusion detection—all of the things you'd normally look for with a wired IDS," said Molitor. "Then we go beyond that, adding intrusion prevention and interfacing with APs."

To accomplish this, VigilantMinds developed its own proprietary platform for correlation and prevention. This 802.11a+b AirXone appliance is sold both alone and with managed services. "We can sit in-line behind an AP, stopping traffic that matches signatures. Taking that to the next level, we can reconfigure the AP and stop the attacker [by MAC address]," said Molitor. "Or we can sit in parallel, depending upon what the client needs and their risk management philosophy."

Molitor claims that AirXone is AP-independent and can be customized to interface with the customer's choice of AP. But he acknowledged that the ability to control each AP is limited by the interfaces that AP offers.

Customers view wireless alerts along with all other security events through one integrated SecureXone management portal. VigilantMinds notifies customers of validated intrusion attempts within 30 minutes, following defined escalation procedures. Although WIPS takes preventative action, Foley emphasized that clients do not give up control over their network. "You're just giving away accountability and responsibility" for detection.

With any third-party service that inspects application payload, privacy can be an issue. Moreover, this payload may be obscured by end-to-end encryption measures (e.g., VPN tunnels) often used to ensure data confidentiality. According to Foley, companies faced with privacy regulations like HIPAA and GLBA have to make sure their suppliers are in compliance with these regulations. "We go through that process with them, and that can [affect] how much data we look at," said Foley. "We are also in the process of getting secret clearance for government contracts."

Because every installation is somewhat different, pricing varies. For example, consider an office building with four to six floors; VigilantMinds would cover that space with approximately three AirXone appliances. "We'd charge a set-up fee—about $7,000-$8,000—to cover understanding the network architecture, base-lining network traffic, and educating the customer," said Foley. Monthly fees for three managed appliances would be on the order of $3,000 per month for the full-blown intrusion prevention service. "Compare this to purchasing an appliance - that will cost you about $20,000 plus annual maintenance charges, and that doesn't include people and reporting and the expertise that comes with this service," argued Foley.

Why should customers hire a company like VigilantMinds to detect and prevent wireless intrusion? "We take the perspective that wireless is the wild west of your network," said Foley. "Companies can benefit greatly from wireless, but so can hackers. Because the risk [of intrusion] is greater, we need to [prevent intruders] from getting to the wired network."

Conclusion
These three MSSPs demonstrate that there's growing demand for wireless IDS/IPS—and that there are multiple ways to meet that demand. If you're deploying a secure WLAN today and looking at your options for wireless IDS/IPS, items to consider include:

  • Your business needs for network security (overall, not just on the WLAN)
  • Your level of in-house security and WLAN expertise
  • Your willingness to outsource security-related tasks
  • Your budget for security, commensurate with your business risk
  • The type and span of wireless behavior to be monitored (e.g., security or performance or both, airlink and/or application data inspection)
  • Your objectives for automated intrusion response and need for related professional services
  • How well any prospective MSSP will work with you to understand and refine your needs, policies, escalation procedures, and incident response plans

Contracting a wireless IDS/IPS provider means entering into a business partnership, so the usual considerations regarding history, reputation, and business health also apply.

Finally, what we see today is just the tip of the iceberg. Like the WLAN market itself, wireless IDS/IPS is relatively new. This market landscape will no doubt change dramatically over the next two years. Expect to see expansion, maturation, and (eventually) consolidation, following in the footsteps of large-scale wireless LAN deployment that will drive demand for scalable, cost-effective intrusion detection.

—End
