Spotting Wireless Intruders: IBM

In this year’s ISP-Planet managed security service
provider (MSSP) survey
, we noticed a significant increase in providers
offering Intrusion
and Prevention (IDS/IPS) services. IDS is commonly used to monitor
wired networks, hosts, and servers for signs of attack. IPS goes a step further
by taking action to stop would-be attacks before they can do damage. Because
IDS/IPS requires continuous monitoring by experts who can analyze events and
assess their true impact, these services are excellent candidates for

Applying IDS/IPS to wireless LANs is a logical extension. Security concerns
have impeded enterprise WLAN deployment. Improved 802.11 encryption and
access control are chipping away at that roadblock, and periodic sniffing for
war drivers and rogue WLANs have become common practice. While such measures
help reduce risk, there’s still plenty of room for improvement.

Wireless IDS can help by providing 24×7 WLAN surveillance, detecting attacks
and on-going trends that can escape notice during spot-checks. Several new WIDS
appliances emerged this year, including AirDefense, AirMagnet
Distributed, Newbury Networks, VigilantMinds AirXone, and WildPackets
RF Grabber.

Inevitably, a few enterprising MSSPs noticed and combined these two growth
markets, delivering wireless IDS (WIDS) as a managed service to business customers
concerned about WLAN security. To learn more about what managed WIDS really
entails, we interviewed three MSSPs: VigilantMinds, IBM Global Services, and

We invited each to tell us about its WIDS offering, underlying platform, target
market, and customer benefits. Not surprisingly, we encountered diverse strategies
and opinions. Here first is IBM (we’ll visit the other two in later installments)…

IBM Wireless Intrusion Detection Extensions

IBM’s Global Services organization has long
offered a full spectrum of managed security services, ranging from managed firewall
and anti-virus services to vulnerability assessment, intrusion detection, and
incident management. To deliver these services, IBM combines platforms from
vendors like CheckPoint and Symantec
with IBM-proprietary software and tools, monitored 24×7 from IBM’s Security
Operations Center (SOC) in Boulder, Colorado.

IBM recently added Wireless Intrusion Detection Extensions (WIDE) [.pdf]
to its Business Continuity and Recover services portfolio. When we spoke to
Douglas Conorich, IBM Global Solutions Manager, at the end of August, WIDE was
still undergoing beta test.

“We’ve deployed WIDE, both within IBM and with a few customers, and its
proven viable and ready for commercial use,” said Conorich. “Right now, we’re
seeing a lot of interest in the manufacturing industry. We’re also starting to
see it a lot more in the workplace where people want to be mobile, be in
meetings, but still want to be able to connect back to their network and get
answers, e-mail, etc.”

Conorich expects existing IBM managed service customers will be the first to
deploy WIDE. “If a customer has our standard IDS, vulnerability testing
services, and WIDE, all of this information is correlated so that when an alarm
comes up, the SOC analyst knows if it affects just WIDE or also the standard
IDS, and can determine the consequences of the exploitthe actual impact and
necessity for action,” explained Conorich.

For analysis, IBM uses both event correlation and data mining over a period
of time. “This helps us to spot attacks that occur low and slowwhat we call a
Texas barbeque,” said Conorich. IBM also uses visualization tools to help
analysts spot patterns that are less obvious when reviewing alarm lists.

When analysts determine that corrective action is necessary, the customer is
notified and a one-hour conference call is held to review the event and discuss
its severity. “If we together determine that this is a red incident, we can
optionally send out an emergency response/forensics team to go on-site and help
determine what happened and how it can be prevented in the future,” said
Conorich. “For $25,000 for a 7-day period of services, we provide on-site people
and people working behind the scenes, crunching data, and deliver a report on
what to do to recover and harden the network.” This emergency response option
available to all IBM managed service customers.

Beneath it all, IBM combines commercial hardware sensors and omni or
directional antennas with home-grown software developed by IBM’s security
research facilities. According to Conorich, “TJ Watson does hacking research, Zurich does
IDS research, and WIDE combines those two.” A WIDE deployment consists of
placing sensors at strategic locations within the customer’s network, where they
can detect abnormal conditions, deviations from configured policy, or active
attacks. Sensors monitor wireless traffic in promiscuous mode, shipping
noteworthy frames back to the SOC for analysis.

According to Conorich, WIDE looks for unauthorized or malicious rogue access
points, unknown stations, and policy violations. Even “innocent” rogue APs are a
hazard because they “are usually open so that someone can use the AP to gain
access to your corporate jewels,” said Conorich. “We first map out where your
APs are. then notify your administrator when a new AP appears or comes up
without the proper security configuration.” When any device with an unknown MAC
address turns up, WIDE uses triangulation to identify location, based on input
from two or three sensors.

Unlike some other systems, WIDE is focused exclusively on security; it does
not analyze WLAN performance.

Given commercial WIDS appliances, why should customers choose an outsourced
solution like WIDE? “The people who are setting up these [WLANs] may not be that
experienced,” said Conorich. “If you have the same people setting it up and
evaluating it, pride in ownership [may] prevent them from spotting problems.
They also have trouble seeing [security risks] that they don’t know about. We
have experts that are highly trainedand highly paid to retain them.”

Conorich also argues that outsourcing reduces cost. “You’re going to need at
least 5 FTEs with constant training to man [your SOC]. Behind the scenes you’ll
need security analysts, database administrators, and data mining staff to help
with correlation. Big organizations like IBM can spread these costs across a
larger base.” WIDE service contracts will cover one, two, or three years, with
equipment cost amortized over the contract period. “This is better for customers
because they get new equipment every three years without capital expense,”
explained Conorich.

No further pricing information was available.

Reprinted from ISP Planet.

News Around the Web