NOTE FROM CLEMENT:
Wireless Intrusion Prevention or Session Containement what a series of buzz word.   See a very interesting article below that was reported on the SecuriTeam mailing list.  This article was written by Joshua Wright,  I had the opportunity or working daily with Joshua when I was at SANS, he is an EXTREMELY smart person who specialize in wireless security.  Josh has this given gift of finding vulnerabilities in different vendors implementation, a must read article for anyone interested in wireless security.  See article below and do follow the link at the bottom for more details and information:

Session containment (also known as wireless intrusion prevention) is a technique implemented by wireless LAN IDS vendors to prevent unauthorized stations from connecting to an authorized or rogue access point. A denial of service vulnerability with some WLAN Session Containment implementations allows attacker to disconnect all connected users from the WLAN.

When a WLAN IDS identifies an unauthorized station on a wireless network, it may attempt to prevent the station from accessing network resources. This is accomplished by mounting a denial of service (DoS) attack against the rogue access point or station, leveraging weaknesses in the IEEE 802.11 specification to disconnect one or more users from the wireless network.

When the disconnect message is repeated continuously, the rogue station is unable to connect to the wireless network, preventing a potential network intrusion.

When implementing a mechanism to disconnect users from a protected access point, vendors must consider several factors:

 * Preventing unauthorized access. The goal of session containment against an unauthorized station is to stop access to the distribution system or wired network. The selection of a technique that reliably stops access to the network is a major consideration for the WLAN IDS vendor.

 * Minimizing impact to the wireless spectrum or channel. A WLAN IDS vendor can easily prevent all access to a monitored access point by implementing a denial of service attack against the wireless spectrum, such as an RF jamming attack. This has the negative side-affect of preventing all access to the spectrum, including potentially authorized stations and access points that are accessing a nearby production network. A WLAN IDS vendor must implement a technique to disconnect unauthorized stations with minimal impact t o other production wireless networks.

 * Limiting DoS scope to designated stations. A vendor may opt to provide sufficient fidelity in their session containment implementation such that they can disconnect a single unauthorized station, preserving the connectivity of other authorized users. This requirement will also influence the implementation of the session disconnect technique.

Considering these implementation factors, vendors have implemented session containment by transmitting spoofed deauthenticate and/or disassociate management frames. By transmitting these frames with a spoofed source MAC address of the access point or victim station, a WLAN IDS vendor can force a client to disconnect from the network, forcing them to repeat the IEEE 8 0 2 . 1 1 authentication and association process to regain access to the network. By repeating the transmission of these frames, a WLAN IDS can sustain a DoS attack against a target MAC address, preventing access to the network.

The following trace is an example of one vendor's implementation of session containment against a rogue station:
1. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:73 ICMP Echo (ping) request
2. 00:12:17:9f:08:73 -> 00:90:4b:2d:65:24 ICMP Echo (ping) reply
3. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
4. 00:90:4b:2d:65:24 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Probe Request, SSID: "linksys-a"
5. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Probe Response, SSID: "linksys-a"
6. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
7. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Authentication
8. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Authentication
9. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Reassociation Request, SSID: "linksys-a"
10. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Reassociation Response
11. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication

In this trace, an authenticated, associated station at 00:90:4b:2d:65:24 is exchanging ICMP echo request and response traffic with another station at 00:12:17:9f:08:73. After the ICMP exchange, a deauthenticate request is sent to the broadcast address from the access point at 00:12:17:9f:08:71, which causes the wireless station to reconnect to the network beginning with a probe request frame. A second deauthenticate notice is transmitted in frame 6.

this frame is transmitted before the station re-authenticates to the network, it is silently ignored, and the station continues the authentication and re-association process. The deauthenticate frame transmitted in frame 11 does successfully disconnect the client, forcing them to repeat the connect process.

In this case, the deauthenticate frames are transmitted by the WLAN IDS sensor with a spoofed source MAC address of the access point. This makes the station believe that the access point is disconnecting them from the network, forcing them to reconnect. Sustaining these spoofed frames will keep the station from being able to transmit on the network. This technique is employed by most vendors to implement session containment, with minor variations.

Additional Information:
The information has been provided by Joshua Wright .
The original article can be found at: http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf
and at http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=164302965.