MSM7xx Controllers Configuration Guide v6.4.0
Deployment strategy
The mode(s) of operation you choose will depend on the deployment strategy for your wireless
network: overlay, time-slicing, or hybrid (a combination of overlay and time-slicing). Each method
has its strengths and weaknesses as follows:
• Overlay: When using this strategy, some of the 802.11 radios in the wireless network are
configured to operate as dedicated IDS sensors. These radios do not offer access point services,
and spend 100% of the time scanning for IDS threats. The radios operating as sensors are
generally deployed to provide the same coverage as the radios providing wireless services.
Essentially, IDS scanning overlays the entire wireless network, or key parts of it.
• Time-slicing: When using this strategy, the radios that provide wireless services also devote
a percentage of their time to IDS scanning (either on-channel only, or across all operating
channels). This method provides complete coverage but with reduced performance.
• Hybrid: This strategy uses both overlay and time-slicing at the same time in different areas in
the network as appropriate.
When choosing a deployment strategy, consider the following:
Consideration, with the effect under each strategy:

Coverage: The IDS solution must be capable of detecting threats throughout the wireless network,
with no areas hidden from the IDS sensor radios.
• Overlay: Placement of the IDS sensor radios must be carefully planned in advance to provide
complete coverage. This method will also require more APs. For example, an overlay of 1 sensor
radio per 6 AP radios means purchasing 16% more APs. It can be difficult to do a sparse overlay
because the sensors may be too far apart to effectively cover the required area.
• Time-slicing: IDS coverage will match wireless coverage because every AP acts as an IDS sensor.

AP performance: Delivery of wireless services can be affected by the scanning method.
• Overlay: No effect since the radios that perform IDS scanning are different from those that
provide wireless services.
• Time-slicing: APs spend part of their time scanning for wireless threats, resulting in reduced
wireless performance.

Threat detection: To detect a wireless threat, an IDS sensor must hear the wireless frames that
embody the threat.
• Overlay: All threats are found faster due to dedicated scanning.
• Time-slicing: In-channel threats (such as denial-of-service threats) are found almost as fast as
the overlay solution. Off-channel threat detection may take up to twice as long.
Rogue detection example
To detect a rogue AP, the IDS system must monitor all channels in the wireless space looking for
beacon frames transmitted by the rogue AP's radio. Typically, 10 beacon frames are transmitted
per second by a radio.
• If using an overlay strategy, the IDS sensors must scan all 38 channels. Assuming a dwell time
of 110 milliseconds, it can take up to 4 seconds to detect the rogue radio.
• If using a time-slicing strategy, detection time depends on the off-channel scan rate. If a radio
is set to a scan ratio of 5%, then mathematically it should take up to 20 times longer (80
seconds) than the overlay method. However, due to the way scanning is performed, the actual
time will be closer to 160 seconds. This would be true for a single, isolated radio. If several
radios are neighbors, and provide overlapping coverage, the time to find a rogue AP radio
is reduced. For example, if several radios are deployed in a classic hex-cell pattern, each
radio has 6 neighbors, so detection time goes down by a factor of approximately 7. So, 160
seconds is reduced to approximately 23 seconds.
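The detection times in the rogue detection example can be reproduced with a small timing model. This is an added example, not part of the original guide and not vendor code; the slot model, the evenly staggered scan order of neighboring radios, the slowdown multiplier and the function names are assumptions.

```python
# Added example: a constructed timing model, not vendor code. Times are in ms.
BEACON_MS = 100   # page: about 10 beacons per second
CHANNELS = 38     # page: channels to scan
DWELL_MS = 110    # page: dwell time per channel


def detect_ms(rogue_ch, phase, period, offset=0, dwell=DWELL_MS, max_cycles=4):
    """Time at which one radio first hears the rogue's beacon, or None.

    In slot k the radio listens on channel (k + offset) % CHANNELS during
    [k*period, k*period + dwell). Beacons are sent at phase + n*BEACON_MS.
    """
    first_slot = (rogue_ch - offset) % CHANNELS
    for k in range(first_slot, CHANNELS * max_cycles, CHANNELS):
        start = k * period
        # First beacon at or after the start of this listening window.
        beacon = phase + -(-max(start - phase, 0) // BEACON_MS) * BEACON_MS
        if beacon < start + dwell:
            return beacon
    return None  # can happen when dwell is shorter than the beacon interval


def worst_case_ms(scan_percent=100, radios=1, slowdown=1, dwell=DWELL_MS):
    """Worst detection time over every rogue channel and beacon phase.

    scan_percent: share of airtime spent scanning (100 = overlay sensor).
    radios: radios that can hear the rogue; evenly staggered scan order is
            an assumption of this model.
    slowdown: the page reports about 2x for time-slicing without giving the
              mechanism, so it is applied as a plain multiplier (assumption).
    """
    period = dwell * 100 * slowdown // scan_percent
    offsets = [i * CHANNELS // radios for i in range(radios)]
    worst = 0
    for ch in range(CHANNELS):
        for phase in range(BEACON_MS):
            hits = [detect_ms(ch, phase, period, off, dwell) for off in offsets]
            heard = [t for t in hits if t is not None]
            if not heard:
                return None  # at least one rogue is never detected
            worst = max(worst, min(heard))
    return worst


if __name__ == "__main__":
    print("overlay:", worst_case_ms() / 1000, "s")
    print("5% slice, ideal:", worst_case_ms(5) / 1000, "s")
    print("5% slice, 2x:", worst_case_ms(5, slowdown=2) / 1000, "s")
    print("5% slice, 2x, 7 radios:", worst_case_ms(5, 7, 2) / 1000, "s")
```

The model gives about 4.2 s, 81 s, 163 s and 22 s for the four cases, in line with the rounded figures above. It returns no detection time when the dwell is set shorter than the beacon interval, because some beacons then never fall inside a listening window.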