Buyer's Guide

Browse Sections

Aruba RFProtect WIPS: Product overview

Expert Karen Scarfone examines the features of Aruba RFProtect, a wireless intrusion prevention system to detect and block WLAN attacks against enterprise networks.

Hewlett Packard Enterprise's Aruba RFProtect product, which it acquired in its purchase of Aruba Networks, is an enterprise wireless intrusion prevention system. The purpose of a WIPS is to monitor wireless LAN events to identify attacks specifically involving the WLAN itself. Examples include rogue WLAN access points, unauthorized WLAN client devices and a variety of other WLAN-based attacks. The "P" in WIPS indicates that it offers preventive capabilities; the WIPS not only detects the attacks, but in most cases can also act to end them to prevent or minimize damage to the organization. This damage can come in many forms, including WLAN outages or degradations as well as compromises of WLAN client devices, leading to compromises of the organization's sensitive data.

Product versions

The architecture used by Aruba RFProtect leverages Aruba-branded WLAN hardware components. Aruba RFProtect software is installed on the organization's Aruba access points, so that the APs act as WIPS sensors and WIPS management is handled through the organization's Aruba Mobility Controllers.

High availability for WIPS management can be achieved by deploying multiple Aruba Mobility Controllers in failover architectures and activating automatic failover capabilities between these controllers.

Attack discovery capabilities

Aruba RFProtect offers a fairly wide range of attack discovery capabilities. It provides the most basic capabilities that all WIPS products offer, including detecting rogue APs and client connections. In addition, Aruba RFProtect can detect and attempt to stop denial-of-service attacks, as well as man-in-the-middle and client impersonation attacks. Another important feature offered by Aruba's wireless intrusion protection system is the ability to map the physical locations of APs and WLAN client devices, both benign and malicious/suspicious. This can be invaluable in tracking down the sources of attacks and ensuring that compromises are quickly remediated.

The only major attack discovery capability that Aruba RFProtect does not claim to support is the detection of active authentication and encryption cracking attempts. However, most WIPS products do not yet offer these capabilities.

Data collection and reporting capabilities

Little information is publicly available on the data collection and reporting capabilities of Aruba RFProtect. However, the product is designed to help organizations meet their compliance reporting requirements, although the specifics of that support are not explicitly stated. Because data collection and reporting capabilities are so important for getting value from a WIPS, including supporting incident response efforts and compliance reporting requirements.  Organizations interested in evaluating the Aruba RFProtect product should gather additional information about these capabilities from the vendor and/or its own testing of Aruba RFProtect.

Licensing

Aruba RFProtect is a software-based WIPS product, but it requires the use of Aruba Mobility Controllers and Aruba APs. In terms of Aruba RFProtect only, its licensing is based on the number of Aruba APs that each Aruba Mobility Controller supports.

Conclusion

Although Aruba RFProtect's attack discovery capabilities are reasonable, its data collection and reporting capabilities are not well documented, so any organizations considering the product should gather additional information from the vendor and other sources before making a purchase decision.

That being said, Aruba RFProtect may be an ideal product for many organizations that already have Aruba WLAN infrastructures deployed. It can be added to that WLAN infrastructure through simple software installation on the organization's Aruba Mobility Controllers, instead of necessitating a new deployment of WIPS management appliances and dedicated hardware-based WIPS sensors. Organizations with extensive existing WLAN infrastructures that are not in need of replacement are less likely to choose the Aruba RFProtect product because of the need to essentially replace their WLANs.

Next Steps

Part one of this series looks at wireless intrusion prevention systems in the enterprise

Part two of this series offers six enterprise use cases for WIPS

Part three of this series examines seven criteria for purchasing WIPS products

Part four of this series compares the best WIPS products in the market

Dig Deeper on Network security