Wireless Intrusion: Detecting and Preventing Targeted Attacks
Wireless Intrusion Prevention Systems (WIPS) and Wireless Intrusion Detection Systems (WIDS) monitor the unlicensed spectrum (2.4, 5 or 6 GHz) for threat activity in one of two ways. Either the client-serving access point contains a dedicated monitoring radio that continuously scans all channels, or the client-serving radio itself scans the channel the access point is operating on. When the client-serving radio is not carrying client data, it can go off-channel and scan the full list of channels in the unlicensed spectrum. The interval between these off-channel scans varies between hardware vendors.
Is your infrastructure vulnerable to an attack?
There are many attack vectors against a wireless infrastructure. Some are targeted attacks, others are passive attacks.
Performing a packet capture of a wireless network is considered a passive attack. The attacker can capture traffic on all of the wireless channels in use and keep the capture for offline analysis, including dictionary attacks against the keys, if WEP (Wired Equivalent Privacy, a deprecated method of securing a wireless network) or PSK (Pre-Shared Key) authentication was used to secure the wireless network.
Targeted attacks have descriptive names which may be familiar. A few of the most common targeted attacks are machine-in-the-middle, evil twin, rogue access points, ad-hoc wireless networks and deauthentication attacks.
- Machine-In-The-Middle Attack: A machine-in-the-middle attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
- Evil Twin Attack: An evil twin is a copy of a legitimate access point, advertising your network's name rather than the attacker's own; it does not necessarily provide access to any specific network or even to the Internet, its purpose is to attract your clients.
- Rogue Access Point: A rogue access point is specifically an AP inside a network not administered by the network owner, giving it unwanted, possibly unsecured, access to the internal network.
- Ad-Hoc Wireless Network: An ad-hoc network is one in which two devices connect directly to each other through their wireless interfaces, forming a peer-to-peer network. This circumvents any security features that the organization has implemented. If an ad-hoc client is also connected to the corporate network (multi-homed), this could allow an attacker to pivot into the corporate network.
- Deauthentication Attack: A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.
A WIDS/WIPS feature set within your wireless infrastructure deployment gives you confidence that wireless attack vectors will be identified, reported and prevented before an attack can lead to a breach of your wireless network security. WIDS/WIPS rulesets can be enforced to quarantine client devices identified as the source of targeted attacks, or to quarantine rogue access points that are the source of evil twin attacks.
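As an added example (not code from the original article or from any WIDS vendor), the following Python implements two such rules over a constructed set of management-frame records as a WIDS sensor might extract them: an evil-twin rule (a beacon advertising the corporate SSID from a BSSID that is not on the authorized list) and a deauthentication-flood rule (more than a threshold of deauth frames from one BSSID inside a sliding time window). The SSID, BSSIDs, thresholds and record layout are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Authorized BSSIDs for the corporate SSID (constructed values for this example).
CORP_SSID = "CorpWiFi"
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

@dataclass(frozen=True)
class MgmtFrame:
    """Fields a WIDS sensor typically extracts from an 802.11 management frame."""
    ts: float        # capture time in seconds
    subtype: str     # "beacon" or "deauth"
    bssid: str       # transmitting AP address
    ssid: str = ""   # only meaningful for beacons
    channel: int = 0

def detect_evil_twins(frames, ssid=CORP_SSID, authorized=AUTHORIZED_BSSIDS):
    """A beacon advertising our SSID from a BSSID we do not operate is an evil-twin candidate."""
    return sorted({(f.bssid, f.channel) for f in frames
                   if f.subtype == "beacon" and f.ssid == ssid and f.bssid not in authorized})

def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Flag a BSSID sourcing more than `threshold` deauth frames within any `window` seconds."""
    by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            by_bssid[f.bssid].append(f.ts)
    flagged = {}
    for bssid, times in by_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged

# Constructed sensor capture: two legitimate beacons, one spoofed beacon on the
# corporate SSID, an unrelated guest beacon, a 40-frame deauth burst, one benign deauth.
SAMPLE_FRAMES = (
    [MgmtFrame(0.1, "beacon", "00:11:22:aa:bb:01", CORP_SSID, 6),
     MgmtFrame(0.2, "beacon", "00:11:22:aa:bb:02", CORP_SSID, 36),
     MgmtFrame(0.3, "beacon", "de:ad:be:ef:00:01", CORP_SSID, 6),
     MgmtFrame(0.4, "beacon", "66:77:88:99:00:01", "GuestNet", 11)]
    + [MgmtFrame(1.0 + i * 0.02, "deauth", "de:ad:be:ef:00:01") for i in range(40)]
    + [MgmtFrame(5.0, "deauth", "00:11:22:aa:bb:01")]
)
```

Running `detect_evil_twins(SAMPLE_FRAMES)` reports the spoofed BSSID on channel 6, and `detect_deauth_floods(SAMPLE_FRAMES)` flags only the BSSID behind the burst; the single legitimate deauth stays under the threshold.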