NEW YORK - With wireless intrusion threats adding to the nightmares facing enterprise IT administrators, IBM Corp. announced its entry into the Wi-Fi security space, rolling out a subscription-based intrusion detection service (IDS).

The new IDS offering, which is part of IBM's managed Security and Privacy Services portfolio, offers security from man-in-the-middle attacks, denial-of-service scenarios, address-spoofing and encryption breaches.

Kent Blossom, director of IBM safety and security services, told the Wi-Fi IDS would offer protection to both WLAN access points and 802.11-enabled laptops and portable devices.

The service is being tailored to enterprises deploying Wi-Fi "hotspots" and entry point pricing is in the range of $30,000 to $50,000 for pre-installation consulting and $50,000 annually for subscriptions.

Blossom said the Wi-Fi IDS would package two new features from IBM Research, including the capability to do security auditing in a distributed environment. Specialized IBM Tivoli software would be used on site to detect security breaches and intrustion detection sensor alerts would be monitoried round the clock at the company's Boulder, Colorado facility.

He said the explosion of inexpensive Wi-Fi "hotspots" at homes and enterprises has led to a rise in security threats because default settings in out-of-the-box access point hardware was easy to breach. "For an enterprise, that's a serious issue because it exposes the information the networks carry and, in many cases, that includes sensitive data," Blossom explained.

He said Big Blue's IDS would help protect against wireless encryption breaches where the encryption key is exposed and also against address masquerading where an attacker can steal a validated user address and identity.

The managed service offering would also eliminate man-in-the-middle scenarios where an attacker could assume the access point ID to eavesdrop on network traffic. It also secures a enterprise WLAN against DoS where an intruder can flood the access point with nonsense traffic to clog the network.Blossom said the IDS could also be used to automatically reconfigure security features on access points that resort to insecure default settings.

The new service included embedded Linux-based sensors which detect irregularities in the Wi-Fi network and identify unauthorized or unsecured access points. Once that detection is done, the information is translated into reports that define the nature and severity of the problem before the appropriate response is generated.

Blossom said an additional level of protection, dubbed "Wi-Dog," was also embedded to check the physical status of the wireless censors to block tampering.