As with other wireless IDS vendors' products, a dashboard provides a broad overview of your wireless network's security status, including which devices are in quarantine and how devices have been categorized. Autoclassification continues to be a highlight of AirTight's products, and the development team has improved the classification of various edge cases. Newly identified clients and APs are either categorized or uncategorized. The former are subdivided as authorized, rogue or external, and the latter will become categorized as they connect with other devices or are manually sorted. I found that this process worked well. The high-end Cisco 1200 I used as one of my rogue APs exhibited the behavior you'd expect of an AP that does not transmit broadcast traffic, remaining uncategorized until I associated a client with it. Fortunately, SpectraGuard reacts almost immediately to changes in network connections.
Low number of false alarms
Weak performance monitoring
No built-in wireside rogue detection
AirTight SpectraGuard Enterprise 4.1, free upgrade. $7,500 for starter kit that includes server and two sensors. AirTight Networks, (650) 961-1111. www.airtightnetworks.net
AirTight thinks through alarm generation carefully, eliminating alarms about "misconfigured devices" that have already been labeled as rogues, for example. This minimalist approach may concern some, but you won't waste your time clearing out recurring or duplicate alarms. Still, some improvement could be made in the alarm details. When I received an alarm about an AP that was misconfigured because it was broadcasting its SSID, there wasn't enough information to explain what specifically was wrong. False alarms aren't entirely out of the picture: One event mentioned the Fata-Jack attack, even though I had never run it.
Location tracking, which worked well the last time we tested this product, remains much the same, but the reporting section has been enhanced to include regulatory reports such as Sarbanes-Oxley, GLBA and HIPAA (Health Insurance Portability and Accountability Act).
Because AirTight sensors are VLAN-aware, they can trunk to switched ports, making it easy to restrict wireless devices to a specific network. Even properly configured and authorized APs are contained or disabled if moved accidentally to the wrong VLAN. And although I didn't test it, AirTight does claim the ability to restrict access to multiple devices simultaneously--an important feature if you have only a few sensors deployed or the attacker sets up multiple rogue APs as decoys.