Protect WatchGuard Networks and Third-Party Networks with WIPS

With WIPS, you can protect both WatchGuard AP networks and third-party AP networks.

WatchGuard Wi-Fi Network Protection

The patented WIPS security protection in WatchGuard APs and Wi-Fi Cloud can protect Wi-Fi networks in which all APs deployed on the network are WatchGuard APs. WatchGuard APs are categorized in Wi-Fi Cloud as Authorized APs and automatically protected, while other APs in the airspace are detected as rogue or external neighbor access points and blocked.

  • We recommend you deploy at least one dedicated WIPS sensor for every 3-5 Wi-Fi access points, depending on the physical environment and signal attenuation.
  • Place your WIPS sensors to provide full coverage over your Wi-Fi airspace. To avoid interference, do not install them too close to your existing APs.
  • Make sure there is some overlap in the coverage area so that at least two sensors are active in the same area in the event of multiple threats.

  • Tri-radio models (AP225W, AP325, and AP420) have a third radio as a dedicated WIPS sensor and offer dedicated 2.4 and 5 GHz Wi-Fi access on the other two radios.
  • Dual-radio models offer 2.4 and 5 GHz Wi-Fi access. You can also configure a dual-radio AP as a dedicated WIPS sensor where both radios are dedicated to security scanning and do not broadcast Wi-Fi.

Third-Party Wi-Fi Network Protection (WIPS Overlay)

Secure Wi-Fi and Total Wi-Fi management subscriptions also enable you to use WatchGuard APs as dedicated WIPS sensors in a third-party AP and Wi-Fi controller environment.

WatchGuard WIPS sensors are dedicated to WIPS security protection and monitor, detect, and prevent security threats in all third-party AP networks. WIPS can protect APs from any vendor.

  • We recommend you deploy one WatchGuard WIPS sensor for every 3-5 third-party APs, depending on the physical environment and signal attenuation.
  • Use dual-radio APs, such as the AP125, configured as dedicated WIPS sensors for WIPS overlay deployments. Dedicated WIPS sensors do not provide Wi-Fi access, which is not required when you protect third-party AP networks.
  • Third-party APs must be classified in Wi-Fi Cloud as Authorized APs before they can be protected by WIPS. You can upload lists of authorized third-party AP MAC addresses to Wi-Fi Cloud. For more information, see Import Device List.
  • In addition, Wi-Fi Cloud offers direct integration with Aruba and Cisco wireless controllers to import AP information with an AP420 in Cloud Integration Point (CIP) mode. For more information, see Wi-Fi Cloud Integration with Third-Party Controllers using CIP.

About WatchGuard Wi-Fi Cloud WIPS

WIPS (Wireless Intrusion Prevention System) is a powerful, cloud-based, enterprise-level wireless security solution that helps detect and prevent threats to your wireless network.

WIPS includes these security technologies that work together to secure your wireless network:

  • Auto-classification of APs and clients using marker packet techniques that classify APs, clients, and networks, including vulnerable and guest SSIDs, based on the sources and types of wireless traffic
  • Authorized Wi-Fi policies to enforce a minimum set of security parameters for wireless access
  • Intrusion Prevention capabilities to detect wireless security threats and actively mitigate certain types of attacks

WIPS Classifications

WIPS uses device classifications together with your security policies to monitor your network for threats.

Access Points

APs are classified by WIPS in these categories:

  • Authorized — Managed APs that match your defined Authorized WiFi Policy.
  • Guest — Authorized APs that are configured for guest Wi-Fi access.
  • Misconfigured — Authorized APs with a configuration that does not match your defined Authorized WiFi Policy.
  • Rogue — Unauthorized APs connected to your wired network.
  • External — Neighborhood APs that are not part of your Wi-Fi network but operate in the vicinity.
  • Uncategorized — New APs discovered by Wi-Fi Cloud that have not yet been classified.
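
As an added illustration (not WatchGuard code, and not how Wi-Fi Cloud performs auto-classification), the sketch below applies the category definitions above to audit a list of observed APs against an authorized MAC inventory. The record fields, the policy layout, the order of the checks, and all sample values are assumptions constructed for the example.

```python
import re

# Constructed inventory and policy for illustration (not a Wi-Fi Cloud format).
AUTHORIZED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
POLICY = {
    "ssids": {"Corp", "Corp-Guest"}, "guest_ssids": {"Corp-Guest"},
    "security": {"Corp": "WPA2-Enterprise", "Corp-Guest": "WPA2-PSK"},
}

def normalize_mac(raw):
    """Accept aa-bb-.., aabb.ccdd.eeff or AA:BB:.. and return lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def classify_ap(ap, authorized=AUTHORIZED_MACS, policy=POLICY):
    """Map one AP record to a category; on_wire is None until wired status is known."""
    mac = normalize_mac(ap["bssid"])
    if mac in authorized:  # managed AP: compare its settings with the policy
        ssid = ap["ssid"]
        if ssid not in policy["ssids"] or ap["security"] != policy["security"][ssid]:
            return "Misconfigured"
        return "Guest" if ssid in policy["guest_ssids"] else "Authorized"
    if ap["on_wire"] is None:  # newly discovered, not enough data yet
        return "Uncategorized"
    return "Rogue" if ap["on_wire"] else "External"

# Constructed observations, with MACs in mixed formats as they often appear in exports.
OBSERVED = [
    {"bssid": "00-11-22-33-44-01", "ssid": "Corp", "security": "WPA2-Enterprise", "on_wire": True},
    {"bssid": "0011.2233.4402", "ssid": "Corp-Guest", "security": "WPA2-PSK", "on_wire": True},
    {"bssid": "00:11:22:33:44:03", "ssid": "Corp", "security": "Open", "on_wire": True},
    {"bssid": "02:AA:BB:CC:DD:01", "ssid": "Corp", "security": "WPA2-Enterprise", "on_wire": True},
    {"bssid": "02:AA:BB:CC:DD:02", "ssid": "CoffeeShop", "security": "WPA2-PSK", "on_wire": False},
    {"bssid": "02:AA:BB:CC:DD:03", "ssid": "NewAP", "security": "Open", "on_wire": None},
]

def audit(observed=OBSERVED):
    """Return {normalized BSSID: category} for every observed AP."""
    return {normalize_mac(ap["bssid"]): classify_ap(ap) for ap in observed}

if __name__ == "__main__":
    for mac, category in audit().items():
        print(mac, category)
```

The fourth record shows why the inventory check comes first: an unlisted AP on the wired network is Rogue even when it advertises a policy-compliant SSID and security setting.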

Clients

Clients are classified at initial discovery and subsequent associations with your APs:

  • Authorized — Managed clients that connect through an Authorized AP.
  • Guest — Clients that connect to an Authorized AP for guest Wi-Fi access.
  • Rogue — Unauthorized clients on your network that connect through a Rogue AP.
  • External — Neighborhood clients that are not part of your Wi-Fi network but operate in the vicinity. External clients can be reclassified if they connect to an Authorized, Authorized Guest, or Rogue access point.
  • Uncategorized — New clients discovered by Wi-Fi Cloud that have not yet been classified.
  • Misbehaving — Authorized clients that connected to an external, guest, or rogue AP or to an ad hoc network, or that performed bridging between the wired and wireless network.

WatchGuard AP Operation Modes

You can configure WatchGuard APs in these modes of operation:

Access Point

  • Performs normal AP functions for Wi-Fi access to the network.
  • Does not perform security scanning.

Access Point with Background Scanning

  • Performs normal AP functions for Wi-Fi access to the network.
  • Scans the RF environment for radio and channel optimization.
  • Scans the wireless network for security threats on available channels.
  • A VoIP-aware scanning option is available to optimize high-priority traffic during background scanning.
  • Limited ability to detect over-the-air threats.
  • Cannot perform active prevention of over-the-air threats.
  • Not as effective as a dedicated WIPS sensor.

WIPS Sensor

  • Dedicated to WIPS security and intrusion prevention.
  • Does not perform normal AP functions for wireless access to the network.
  • Can be used to protect a WatchGuard AP network or any third-party AP network. WIPS can protect APs from any vendor. For more information, see Protect WatchGuard Networks and Third-Party Networks with WIPS.
  • Dual-radio AP models configured as dedicated WIPS sensors use both 2.4 and 5 GHz radios for security scanning, and do not perform normal AP functions for Wi-Fi access to the network.
  • Tri-radio models (AP225W, AP325, and AP420) have a third radio as a dedicated WIPS sensor and offer dedicated 2.4 and 5 GHz Wi-Fi access on the other two radios.