With the rapid growth of wireless for day-to-day business needs, the discussion of how best to monitor and secure the corporate wireless network is gaining considerable traction. The topic becomes even more crucial when you factor in the sheer number of devices that are connecting - and the fact that many people use two to three wireless devices at the same time.
To monitor and secure a wireless network effectively, you must:
• Understand in real-time the quality of the available wireless connection anywhere in your network
• Identify devices within your network that could interfere with the quality of the wireless connection
• Isolate and proactively avoid any source of interference
• Identify devices enabling an unsecured opening in your network, whether they are accidentally or maliciously doing so
• Continuously scan for network attacks and proactively contain and mitigate these attacks
• Identify the location of devices within the network, including client devices and sources of interference or threats to the network
The traditional approach to monitoring and securing the network is to deploy a dedicated overlay of wireless access points interspersed with the access points that your corporate users use daily. The function of these dedicated access points - often referred to as "monitor mode access points" - is to listen to all channels on the 2.4- and 5-GHz bands. Depending on the vendor's solution, the information gleaned from listening is used to analyze the state of wireless connectivity (typically signal strength), as well as to identify potential security threats.
This dedicated overlay comes with obvious costs:
• Cost for the additional access points
• Cost for additional Ethernet cabling infrastructure
• Ethernet port at the upstream access layer switching device
• Operational costs of managing additional access points
The Cisco Aironet® Access Point Module for Wireless Security and Spectrum Intelligence (WSSI) for the Aironet 3600 Series Access Point introduces a new way for customers to design and deploy their wireless networks. By tightly coupling data connectivity, spectrum analysis, and security threat detection and mitigation into a single, multipurpose access point, this new Cisco® solution eliminates the need for two separately deployed networks.
The 3600 Series Access Point eliminates three out of four cost elements associated with a dedicated overlay while dramatically reducing additional costs. Together, the Cisco Aironet 3600 Series and the Cisco WSSI module dramatically simplify how customers can deploy, monitor, and secure their enterprise-class wireless network. This solution shifts the focus from questions such as how many extra access points are required, the role they will serve, and where to deploy them to how best to serve the business needs of corporate users through a high-quality and secure connection.
The modular architecture of the Cisco Aironet 3600 Series Access Point helps you future-proof your wireless network deployments and maximize your return on investment by field-upgrading the access point using the feature-specific Wireless Security and Spectrum Intelligence (WSSI) module. The 3600 Series with the WSSI module provides:
• Wireless data serving, spectrum monitoring, and security threat detection and mitigation - all in a single access point (the only access point in the industry to do so)
• Reduced total cost of ownership - 30 percent savings by eliminating the extra Ethernet infrastructure previously required together with an aggressive product price point
• Always-on security monitoring - 7/24 Interference analysis and threat detection and mitigation for all channels in 2.4- and 5-GHz bands
• Zero-touch configuration - Install, power-up, and go with no configuration required
As Figure 1 illustrates, the 3600 Series integrates all data serving capabilities monitor mode with wireless intrusion protection system (wIPS) in a single device, the first such access point in the industry to do so.
Figure 1. Multiple Functions Integrated in the Cisco Aironet 3600 Series Access Point with WSSI Module
The WSSI module is a completely self-contained wireless radio supporting both the 2.4- and 5-GHz bands with four integrated antennas, which are used to listen (Rx) to all channels on 2.4 and 5 GHz. The module does not transmit (Tx), and is therefore categorized as a 0 x 4:3 radio, as compared with the 4 x 4:3 characteristics of the integrated radios within the 3600 Series access point.
The WSSI module is physically inserted into the bottom of a 3600 Series (integrated or external antenna version) and draws its power from the access point. Once the access point is powered up, the WSSI automatically becomes the access point's third active radio and appears as the third radio slot (radio) of the access point on the Cisco Wireless LAN Controller that is managing the 3600 Series access point. Figure 2 shows WSSI module along with 3600 Series Access Point.
Figure 2. WSSI Module Along with 3600 Series Access Point
There is absolutely no configuration required by the customer to enable the WSSI module. Once the module is powered up, the following capabilities are automatically offloaded from the integrated radios and are executed on the WSSI:
• Cisco CleanAir® technology monitoring for spectrum interference
• Wireless Intrusion Prevention System (wIPS) scanning for network attacks and malicious behavior
• Rogue detection
• Location context-awareness
• Radio resource management (RRM)
All of these capabilities run concurrently and are applied to all channels on both 2.4- and 5-GHz bands. Once the WSSI is up and running, the integrated 2.4- and 5-GHz radios of the 3600 Series access point focus primarily on serving wireless clients and managing their data traffic.
Prior to the WSSI, customers had two options when it came to enabling wireless security and spectrum monitoring: they had to deploy either enhanced local mode (ELM) or monitor mode (+wIPS). Both of these options enable the same set of integrated features we have touched on but with a different scope of coverage and associated cost. The WSSI module merges the best of these deployment modes with attractive pricing to offer up the best possible combination of feature richness and cost of deployment, as summarized in Table 1.
Table 1. Evolution of Wireless and Security Spectrum Monitoring
The WSSI module is a separately purchased hardware product, that can be installed into existing deployments of the 3600 Access Points or purchased at the same time 3600's are themselves purchased.
Cisco Adaptive Wireless Intrusion Prevention System (wIPS) detects wireless-specific attacks. The WSSI module enables a local mode access point dedicated to serving clients to also behave as a monitor mode access point performing wIPS scanning on all channels, without affecting the access point's performance for serving clients.
Attack Detection Time Comparison
In local mode with the wIPS submode enabled, the access point is continuously monitoring the serving channel for any wIPS attacks and sporadically going off channel to detect any off-channel wIPS attack. In monitor mode with wIPS submode enabled, the access point's 2.4-GHz and 5-GHz radios simultaneously monitor both bands and sequentially visit different channels on the respective bands. As explained earlier, an access point with a WSSI module has both the primary radio dedicated to serving clients and the WSSI module visiting channels on both bands sequentially. Note that the WSSI module is dual-band module but operates on one band at a time. Figure 3 illustrates this scanning behavior for different access point modes. It should be noted that the off-channel scanning is a lower-level operation that does not impact client traffic.
Figure 3. Scanning Procedure with Different Access Points
We compared the attack detection time for the above access point modes. The representative results are shown Table 2. Note that detection time depends on the type of attack; the values listed in the table may vary for specific attacks. In the setup, the serving channels of the local mode access point and the local mode access point with WSSI module were the same. The on-channel attack was carried out on the serving channel. The off-channel attack was carried out on a random nonserving channel. The reported characterization is an average over multiple iterations of multiple attacks.
Table 2. Attack Detection Time Comparison between Different Access Point Modes
Channel of Attack
Local Mode Access Point
Monitor Mode Access Point
Local Mode Access Point with WSSI Module
T (Detected by primary radios)
>10T' (In some cases attack was not detected)
~2T' (Detected by security module)
The experiments showed that for the on-channel attacks, the attack is detected by the primary radios. Hence the time to detect the attack for a local mode access point with WSSI module is similar to the time to detect the attack for a local mode access point without WSSI module.
As Table 2 shows, off-channel attacks usually take a long time to be detected by a local mode access point. This is because an access point in local mode is not able to dwell sufficiently long on the nonserving channel to collect enough packets to quickly detect the attack.
Such attacks are readily detected by a monitor mode access point, which is continuously scanning different channels. However, the local mode access point with WSSI module allows the access point to detect off-channel attacks in a way similar to a monitor mode access point placed at that location.
The results also indicate that when compared to a monitor mode access point, the WSSI detection time for an off -channel attack takes twice as long as that of a monitor mode access point. This is because the monitor mode access point has the two primary radios scanning the two bands, while the WSSI module has a single radio to support both 2.4- and 5-GHz bands. However, when two local mode access points with WSSI modules were used in the off-channel attack case, the attack detection time was reduced to approximately 1.2T'.
For wIPS deployment, the current deployment guideline is to use one monitor mode access point for every five local mode access points In order to get similar detection times, we recommend that two out of five local mode access points should be equipped with the WSSI module. For better detection times, use more local mode access points equipped with WSSI modules.
Coverage Comparison of WSSI Module with Primary Radios
The received signal strength indicator (RSSI) represents the value in dBm of the signal strength at which a wireless packet is received. Figure 4 shows the scatter plot of approximately 200 RSSI values received at the WSSI module and primary radio collected from different points. The primary radio is the internal radio of Cisco Aironet 3600i.
Figure 4. RSSI Comparison Between WSSI Module and Primary Radio
Figure 4 shows the high degree of correlation between the RSSI for the two radios. On average, the RSSIs received by the primary radio are about 2 dB stronger than the corresponding RSSIs from the WSSI module. This clearly indicates that the WSSI module has similar coverage to that of the Cisco 3600i access point.
Cisco CleanAir Offloading
The WSSI module provides additional flexibility with respect to Cisco CleanAir solutions. When the access point is in local mode, the WSSI module will monitor both bands and collect CleanAir information while the primary radios are serving clients. More specifically, the detection and reporting of Air Quality (AQ) and Interference Device Reports (IDR) will be handled by the WSSI module.
We compared the detection of Bluetooth devices by an access point3600i (named SJC14-21A-Dungeness-E the screenshot shown in Figure 5) in monitor mode against an access point 3600i (named SJC14-21A-AP-Dungeness-X) in local mode with an attached WSSI module. Both access points are located next to each other and SJC14-21A-AP-Dungeness-X was serving regular client traffic. The new code release supporting the WSSI module allows for each reported interferer to be stamped with the "radio slot #," which allows for the direct comparison of reports from different radio slots.
Interestingly, the relative RSSIs of each detected device remain consistent between the primary radios of the monitor mode access point and the WSSI module. The WSSI module offers very comparable interference device detection to that of the primary radios on the monitor mode access point, as shown in Figure 5. When we compared multiple types of interferers, we consistently got comparable RSSI readings; however, in the interest of brevity, only Bluetooth interferers are shown in Table 3.
Figure 5. A Bluetooth Link (Transmitter/Receiver Pair) was Detected by Both the AP with a WSSI Module (Named SJC14-21A-AP-Dungeness-X) and the Monitor Mode AP (Named SJC14-21A-Dungeness-E) without WSSI Module at Similar RSSI Values
The obvious advantage of the WSSI module is to provide spectrum intelligence on all wireless channels, through AQ reports and interference detection, while the primary radios continuously serve clients. Moreover, as seen in Figure 6, the average AQ reported by the WSSI module and those of the monitor mode access point is also very comparable. The channel 1 measurements from both access points are highlighted to show the similarity of average AQ levels between the access point WSSI module (SJC14-21A-AP-Dungeness-X in the figure) and the monitor mode access point (SJC14-21A-Dungeness-E). Once again, for brevity, only the AQ levels in the 2.4-GHz band have been presented, but similar results are seen in the 5-GHz band. Hence, the WSSI module can essentially provide comprehensive interference awareness similar to a dedicated monitor mode access point.
Figure 6. Comparison of AQ Levels for the 2.4-GHz Band Reported for WSSI Module Access Points and Monitor Mode Access Points
Radio Resource Management Offloading
In addition to its other activities, WSSI module collects radio resource management (RRM) metrics. This allows the primary radios to make fewer off-channel scans, thus ensuring the they spend more time serving clients. Please note that the primary radios will still go off-channel to transmit neighbor messages; however, clients experience a more dedicated service since other off-channel functionality is offloaded to the WSSI module.
The RRM metrics collected by off-channel scans include interference, noise, and load. Figure 7 shows a comparison between these RRM metrics collected from a controlled testbed using a 3600 Series access point equipped with a WSSI module and a 3600 Series in monitor mode. Both these access points were placed in an anechoic chamber with a signal generator injecting a transmission on channel 140, with a transmit power of 12 dBm. As Figure 7 shows, the RRM statistics collected for noise, interference and load are very comparable between the access point with a WSSI module and those of a monitor mode access point. Once again, For brevity, only the results for channel 140 in the 5GHz band have been presented, but similar results are expected on other channels.
Figure 7. WiFi Interference and Noise As Reported by the AP3600 with a WSSI Module (Left) and the AP3600 in Monitor Mode (Right) on the 5 GHz Band
The Cisco WSSI module allows the local mode access point to monitor all channels for wireless intrusion prevention system (wIPS) and CleanAir spectrum intelligence. The coverage area and other RRM parameter values of the WSSI module are similar to that of the primary radio in a 3600 Series access point. The WSSI module also helps offload much off-channel functionality from the primary radio and thus allows for more dedicated service to clients.
The detection time for an off-channel attack is approximately two times that of monitor mode access point. Hence it is recommended that two out of every five access points be deployed with a WSSI module for wIPS deployment. For a non-wIPS deployment - for example, just CleanAir spectrum intelligence monitoring - one out of five access points can be deployed with a WSSI module. Note that the time to detect an interferer or an attacker improves as the WSSI density increases.