WIPS monitoring requires scanning all WiFi channels in round-robin fashion to detect threats and vulnerabilities. This scanning can be in one of two forms:
- background scanning, in which a radio that provides WiFi access service intermittently scans off-service channels, or
- dedicated scanning, in which a radio is dedicated to security and does not provide WiFi access service.
For enterprises that desire strong WIPS security and/or those that deploy real-time applications, background scanning isn’t adequate for the following reasons:
- Detection latency and blind spots. The intermittent scanning of off-service channels causes long delays between successive visits to the same channel. As an example, after every 5 seconds of dwell on the service channel to serve WiFi clients, the radio makes one visit of 100 ms to one off-service channel. These timings vary across vendors, but are in the same ballpark: the service channel can neither be left more often than once every few seconds, nor be left for more than a hundred milliseconds at a time, or WiFi client traffic would be disrupted. So, with multiple off-service channels to scan, the time between successive visits to the same off-service channel can be as high as a few minutes. Also, not every off-channel wireless activity is detected during a single visit to the channel. As a result, the threat detection latency can be as high as many minutes with background scanning. There is also a high chance that the radio never sees certain threat-posing activity.
- Limitations in over-the-air containment. In order to prevent many wireless threats, WIPS radios use over-the-air containment techniques, which include transmitting specially crafted messages to target radios to break their undesirable connections. However, when the target radio is disconnected, it usually reconnects automatically, and hence needs to be addressed on a continuous basis. So for effective containment, a WIPS needs to send a steady stream of disconnect messages. In background scanning, since WiFi service must be maintained alongside scanning, the radio has a restricted ability to visit the off-service channel where the threat is to be contained. The situation is worse when there are multiple simultaneous threats (such as multiple client mis-associations to neighborhood or honeypot APs) or when detection of new threats and containment of existing threats must be performed simultaneously.
- Real-time applications. When a background scanning radio makes a security scan visit to an off-service channel, WiFi service to its connected clients is briefly halted. This may not have a significant impact on data applications, but if the client is running a real-time application like VoIP or web conferencing, these interruptions noticeably impact performance. Hence, many vendors recommend turning off background scanning when real-time applications are running on the radio.
So traditionally, an alternative to background scanning was to deploy separate devices whose radios are dedicated to WIPS monitoring. Separate WIPS devices also need separate Ethernet drops, driving up the total cost of that solution. The Mojo C-130 AP solves this problem by including a third radio dedicated to WIPS scanning. With the C-130, WIPS scanning happens independently of access radios, and the time between successive visits to any channel is reduced to a few seconds. This greatly reduces detection latency, avoids blind spots, and makes possible effective over-the-air containment.
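To make the timings above concrete, here is an added toy model of the two scan schedules (illustration written for this post, not Mojo's code). It uses the post's example values (5 s on the service channel, 100 ms per off-channel visit) and a constructed 2.4 GHz plan of channels 1 through 11 with the AP serving on channel 6; the threat is a rogue AP beaconing at the usual 100 TU (102.4 ms) interval.

```python
import math
from itertools import cycle


def background_schedule(service_ch, off_channels, dwell_s=5.0, visit_s=0.1):
    """One cycle of background scanning: serve on service_ch for dwell_s,
    then visit a single off-service channel for visit_s, and repeat."""
    sched = []
    for ch in off_channels:
        sched.append((service_ch, dwell_s))
        sched.append((ch, visit_s))
    return sched


def dedicated_schedule(channels, visit_s=0.1):
    """One cycle of a scan-only radio: plain round-robin over all channels."""
    return [(ch, visit_s) for ch in channels]


def revisit_interval(schedule):
    """Seconds between successive visits to the same off-service channel,
    i.e. the length of one full cycle of the schedule."""
    return sum(d for _, d in schedule)


def detection_latency(schedule, threat_ch, period_s, tx_len_s, horizon_s):
    """Seconds from the threat's first transmission (at t=0) until a scan
    visit on threat_ch overlaps one of its periodic transmissions.
    Returns None if nothing overlaps before horizon_s (a blind spot)."""
    t = 0.0
    for ch, d in cycle(schedule):
        if t > horizon_s:
            return None
        if ch == threat_ch:
            # Earliest transmission k that is still on the air when the visit starts.
            k = max(0, math.ceil((t - tx_len_s) / period_s))
            start = k * period_s
            if start < t + d:  # and it begins before the visit ends
                return max(t, start)
        t += d


def compare(threat_ch=11):
    """Constructed scenario: AP serving on channel 6, rogue AP on channel 11."""
    bg = background_schedule(6, [c for c in range(1, 12) if c != 6])
    ded = dedicated_schedule(range(1, 12))
    return {
        "background_revisit_s": revisit_interval(bg),
        "dedicated_revisit_s": revisit_interval(ded),
        "background_latency_s": detection_latency(bg, threat_ch, 0.1024, 0.001, 600),
        "dedicated_latency_s": detection_latency(ded, threat_ch, 0.1024, 0.001, 600),
    }
```

With these inputs the background radio returns to channel 11 only every 51 s and first hears the rogue beacon after about 51 s, while the dedicated radio cycles every 1.1 s and hears it after about 1 s; adding the 5 GHz channels to the plan stretches both cycles proportionally, which is the "few minutes" versus "few seconds" contrast described above.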
The Benefits of a 2-Stream 11ac Third Radio
However, a dedicated WIPS radio can have one or two stream capability, and it can be 11ac or 11n. Here’s why 2-stream 11ac is better.
- Behavioral logic. This is the key to accurate intrusion detection and prevention. Behavioral logic analyzes connection patterns of devices to identify threats and eliminate false alarms. It goes beyond detecting the mere presence of devices in the neighborhood based on the broadcast beacons and probes they transmit. However, to enable behavioral logic, WIPS needs to also detect and analyze connections (associations) as they happen. This is where the 1-stream versus 2-stream difference shows up, as well as the difference between 11n and 11ac.
- 1-stream versus 2-stream. The number of spatial streams on the monitoring radio dictates the type of wireless frames it can hear. A monitoring radio with fewer spatial streams than the transmitting radio cannot hear those frames. For example, a 1-stream monitoring radio cannot hear 2-stream frames. Typical WiFi traffic contains a mix of frames transmitted with different numbers of spatial streams, with the bulk of the traffic in one or two streams. So by having 2-stream capability on its WIPS scanning radio, a C-130 is able to see virtually all wireless connections. In contrast, a 1-stream radio can only see some of them. By virtue of this unprecedented ability to see wireless traffic, a C-130 enables effective behavior detection.
- 11ac versus 11n. The 802.11ac standard came after the 802.11n standard, and specified a change to the preamble of MAC frames. This preamble change was backward compatible, so an 11ac radio can read both 11n and 11ac frames in the air. However, the reverse is not true: an 11n radio cannot read 11ac frames in the air. Since 11ac traffic is increasing by the day, 11n radios become increasingly blind to wireless frame transmissions. As a result, APs whose third scanning radio is only 11n cannot deliver meaningful WIPS today.
Mojo’s Industry-Best WIPS Engine
The Mojo C-130 access point packs a one-two-three punch when it comes to WiFi security. It has a dedicated third radio for WIPS security. The third radio has 2-spatial-stream (2x2) capability and it is 11ac. And to top it all, the scan data from the radio is processed by Mojo’s industry-leading automated security engine.
Data collection is only as good as the data analysis engine behind it. Powered by 30+ patents and unique Marker Packet™ techniques, Mojo AirTight (our WIPS engine) processes scan data collected by the third radio to automatically classify devices and connections. That way it can detect genuine threats, eliminate false alarms, and perform reliable protection, all while never disrupting WiFi service. This is done without requiring ongoing manual intervention, which eliminates human errors, lowers operational overhead, and makes things easier for IT managers.