Why deploy a Wi-Fi firewall appliance?
The label "Wi-Fi firewall" has been applied to various appliances, including wireless-capable SOHO firewalls (e.g., SonicWALL, WatchGuard) and wireless network gateways (e.g., Bluesocket, Vernier, Cranite). In this article, we use "Wi-Fi firewall" to describe servers that monitor and filter Wi-Fi traffic, blocking unauthorized 802.11 usage and attacks while they are still in the air.
Commonly known as wireless intrusion prevention systems (WIPS), these appliances provide full-time security policy enforcement throughout your entire wireless LAN (WLAN). Instead of requiring someone to periodically check every floor of every building to find rogue APs, a Wi-Fi firewall continuously watches for rogue traffic, automatically disconnecting any new AP. Instead of depending on employees to use Wi-Fi safely, a Wi-Fi firewall can disrupt non-compliant sessions to prevent confidential data disclosure.
Adding a Wi-Fi firewall to your network
Deploying a Wi-Fi firewall involves installing a central server in your NOC and positioning remote sensors throughout the offices ("air space") to be monitored. Sensor network planning is essential to avoid coverage holes in locations like stairwells where intruders might lurk unobserved.
Choosing the right Wi-Fi firewall
As with any security appliance, it is critical to choose a Wi-Fi firewall that can enforce your company's security policy. If your company bans Wi-Fi, look for an appliance that focuses on effective rogue containment without a lot of setup. If your company has a large WLAN, look for an appliance that lets you define and enforce Wi-Fi security rules with sufficient granularity and scalability. There is no substitute for in-situ trials, but reading product reviews can help.
Another common concern is manageability -- particularly in large WLANs where the volume of events can be overwhelming. Look for features that zoom in, drill down, and otherwise break a big problem into digestible pieces. Templates, hierarchical rules, and self-configuration capabilities also help.
Finally, a wireline firewall can discard bad packets, but a wireless firewall must run active interference, sending 802.11 frames to kick rogues off the air. Wi-Fi containment techniques vary in both effectiveness and impact on authorized users.
Finding a Wi-Fi firewall
Capabilities described herein are available in both software and hardware packages. Some companies like to install software (e.g., AirMagnet Enterprise) on their own server platform. Others prefer turnkey appliances to speed and simplify deployment.
Those in the market for a Wi-Fi firewall appliance may want to consider these hardware products:
- AirDefense Enterprise
- AirTight Networks SpectraGuard Enterprise or Sentry
- Bluesocket BlueSecure Centralized IPS
- Highwall Technologies Enterprise
- Network Chemistry Scanner
This was first published in June 2006