WLAN Security Monitors

We put six WLAN security add-ons and three intergrated WLAN monitors through grueling tests in our Real-World labs. See which one rose to the challenge.

February 27, 2004

40 Min Read
Network Computing logo

We tested overlay products from AirDefense, AirMagnet, Network Chemistry, Network Instruments, Newbury Networks and WildPackets at our Syracuse University Real-World Labs. We discovered that the monitoring tools included with infrastructure products will suffice for installations where rogue detection (and not much more) is needed, though some offer perks like AP-location capabilities or thin IDS features. If you need more in-depth analysis, get a specialized overlay monitor. To help you gauge the hit this will put on your budget, we outlined two pricing scenarios.

Arrows vs. A-Bombs

As wireless LANs proliferate and mature, so, too, do WLAN attacks. Some of the overlay products we tested detect and alert administrators to attempts to gain unauthorized access, for example. These IDS features determine if malicious activity is afoot by comparing suspicious traffic with a database of known attack signatures. We found that while some products' IDS capabilities were better than others, they all missed attacks and showed false alarms.

Conventional IDSs focus on network intrusions, but not all attacks are aimed at swiping proprietary information: Scans by network-reconnaissance tools, such as NetStumbler, can give outsiders valuable information about your WLAN topology, even the approximate location of your APs, making theft a possibility. Some attackers simply want to mess up your WLAN; by launching a DoS attack against your APs, an intruder can bring down portions of your network, and even the best authentication or encryption can't stop it. And unlike Ethernet LANs, where physical access to the medium is required, these attacks can come from outside your facilities.

In addition, your WLAN can be ripped wide open if an IT staffer misconfigures an AP. Then there are moochers who sit outside your building and hog your bandwidth, possibly driving users to throw day-old bagels at you when they can't connect because of RF interference. The life of a WLAN admin is fraught with peril.You need to see all the APs and clients in your vicinity. Basic threat detection also is a must. Some products' advanced capabilities will make it easier for you to maintain a secure perimeter and perform troubleshooting duties.The design and optimal placement of the products we tested vary. Most of the overlay devices perform monitoring from standalone hardware sensors placed throughout your wireless environment, then report back to a management server. Only Network Instruments uses a full-fledged Windows PC, coupled with a client WLAN adapter, to perform monitoring. With this approach, you must place a hulking, expensive device wherever you need RF detection.

Typically, gathered RF information can be viewed elsewhere on the network from a Web page or Windows application or by logging on to the server. Infrastructure vendors operate similarly by aggregating their collected RF data on a server or, in the case of Aruba, in a switch configured as a master. Each vendor maintained that its sensor capabilities far outshine ranges for conventional APs. Our range testing showed that this assertion was correct, though not nearly by the magnitude most claimed. These sensors provide about two to three times the range of a typical AP, so you're likely to need far fewer sensors than APs, but the ratio will vary by vendor and setup. Determining coverage on paper is difficult because the monitors are passive--they don't transmit. The vendors had trouble explaining how to figure out how far each sensor could "hear"--trial and error is the only way for now. Determining AP-to-sensor distribution isn't necessary for the Airespace and Cisco WLANs: Their APs have integrated sensor capabilities.

The solo monitors and the infrastructure devices all take the same basic approach to security: Each listens to your 802.11 traffic by scanning supported channels in the 2.4- and 5-GHz bands and gathers information on rogue APs, possible attacks in progress, exceptions to policies and other details. Despite what the vendors would have you believe, this doesn't really constitute complete WLAN monitoring, since your WLAN traffic doesn't cease when your monitors are listening on different channels. But in a practical sense, the vendors are right: One dedicated monitoring radio per channel isn't feasible, so for now we'll have to rely on scanning.

Wireless Overlay Monitor Pricingclick to enlarge

Dwell time on each channel varies from product to product, and though some traffic will be missed, enough will be seen to paint an accurate portrait of your WLAN. Our tests showed channel scanning is sufficient in most situations; but in the future, multiple radios will provide greater accuracy and flexibility.

AirDefense, AirMagnet, Aruba and Network Chemistry called to our attention their products' ability to identify attacks and anomalous behavior intelligently. Our tests showed that these capabilities are immature. It would be helpful to know exactly which attacks are bombarding your WLAN, but most of the IDSs triggered a hoard of alerts that only hinted at the type of attack in progress. Some attacks, such as MAC address spoofing, are similar to those in the wired world; but others, like deauthentication and deassociation frame floods, which are aimed at severing communication between clients and APs, are unique to WLANs. A common IDS response we saw during a test attack that spoofed APs and then sent out deauthentication packets to connected clients indicated MAC spoofing and deauthentication floods were occurring. Yes, some information is better than none, but we'd like more intelligence and alert consolidation.Airespace and Newbury Networks, among others, consider location services--the ability to pinpoint the whereabouts of an AP--integral to security monitoring. We agree: You must know whether a user is inside or outside your perimeter to determine which security level to assign, just as you must track down a rogue device before you can shut it down.

All the products tested hinted at the location of our 802.11 devices, but granularity, accuracy and presentation varied drastically. Newbury's device, for example, can determine the room a device is in, and Airespace's can narrow it down to a 10' x 10' box; others simply indicated to which sensor a device was closest. WLAN location capabilities hold great promise, and we'll keep an eye on them as the technology matures (see "Location, Location, Location,").

All About the Bandwidth

Your wired network's limitations may help determine your WLAN monitor. Maybe you have wireless-enabled remote sites connected to your headquarters over a WAN, or maybe you want to keep excess traffic off the LAN. Either way, consider bandwidth usage when choosing a monitor. To be effective, all monitors must display summaries and alarms on a central console; therefore, they must generate the alarms on the sensors or send all or a portion of collected data to the server for analysis.

AirDefense, AirMagnet and others have designed their products with bandwidth in mind by ensuring that minimal data is sent from sensors to an aggregation point or by letting administrators throttle back the information sent by pruning out less important data. Others haven't taken bandwidth considerations to heart. Some suggest separate networks for sensors, while some cannot perform their duties without dumping all wireless traffic over the wire. The biggest hog: WildPackets' AiroPeek-RFGrabber combo. To get the richest info on your WLAN with those, you must start a packet capture, which funnels back all the wireless data over your wired network. This could be up to 5.5 Mbps--in contrast, rivals get that down to just a few kilobits per second. Ouch.For overlay products, AirMagnet Distributed 4.0 grabbed our Editor's Choice award for the depth of information it collects and its ability to help us see exactly what was going on in our WLAN. In our roundup of infrastructure devices, Aruba's buggy IDS features kept us hopping, while Airespace's location capabilities compensated for the product's thin threat detection. Cisco did a solid job of rogue-AP detection, but with no other IDS features and monitoring support for only 802.11b, its offering is better suited for configuration management.Administrators familiar with portable wireless diagnostic tools will welcome AirMagnet Distributed's colorful, intuitive and information-packed interface. By porting its standalone troubleshooting products to a scalable, centrally controlled distributed architecture, AirMagnet delivered the richest wireless troubleshooting and diagnostic toolkit--at middle-of-the-road pricing--we tested. We received beta code for its Distributed 4.0 that will ship by the time you read this, but we gave the product no breaks for beta: The tests were the same for all devices.

Based on a three-tier architecture, AirMagnet's sensors store and forward monitoring data to the management server. This server consists of Microsoft SQL server, a minimal Web interface to display some debugging information about the server and the sensors, and a Web page to download the full Win32 console. Sensors are modified dual-slot APs. They are physically identical to AirDefense's--but AirMagnet's has one slot with an 11a/b/g radio, whereas AirDefense puts separate 11b/g and 11a radios in each slot. Both devices use modified Linux to run their sensor software. Unfortunately, neither supports the IEEE 802.3af PoE (Power over Ethernet) standard, but proprietary power injectors can be purchased separately.

AirMagnet's setup is straightforward but time-consuming. We had to connect a serial cable to each sensor to enable DHCP or set the sensor's IP information along with the management server's IP address and shared secret key. This information also can be set through a Web page at the sensor's factory-default IP address. The core management server, back-end Microsoft SQL database and Reporter were preinstalled on the vendor-supplied laptop, but we set up AirMagnet consoles on other test machines through a secure Web page. Sensors connected securely to the management server using shared secret keys, and we could upgrade software automatically. Although AirMagnet suggests using a dedicated machine for the management server and Reporter, we had no problem running our console on the same PC.

AirMagnet's Win32 central management console did a fine job displaying alarms and summary information in a graphical dashboard. A hierarchical left panel ordered our sensors by location attributes, and we could click at various levels in the tree to see RF information.

AirMagnet's flexible interface let us sort and group alarms by date and type. Redundant alarms generated by more than one sensor are consolidated into one item. Each alarm includes a detailed description, with diagrams that told us about the possible problem or attack and how to secure against it. We could acknowledge each alarm to clear the event, but this didn't always stick when we restarted the program, a problem AirMagnet staffers couldn't replicate.

Wireless Infrastructure Vendors at a Glanceclick to enlarge

The infrastructure screen gave us a snapshot of the wireless devices. We could group and filter by status, SSID, clients associated by AP and other attributes. We also could promote rogues to known "neighbors" (devices that perhaps belong to adjoining organizations) or trusted "valid" devices and assign aliases to stations or APs.

Console information in the infrastructure view was refreshed only when sensors fed info back to our management server. Thus, constantly changing statistics, such as signal strengths weren't listed. To ferret out minutiae on rogue devices or the wireless network, we clicked on the remote GUI view, where we could connect to specific sensors and observe wireless activity in real time. No other device we tested offers this depth of information. One nit: This live aspect should be a core part of the management interface rather than in another window.

Both security and performance policies generated alerts, but we could adjust or disable most thresholds. AirMagnet supplied the most comprehensive set of policies and alarms--so many that we couldn't trigger them all. As with the other products tested, several alerts could be generated by a single event. Turning on one misconfigured AP generated a flood of alarms, from rogue AP to broadcast SSID alerts. Unfortunately, you can't view alarms by device and acknowledge just that subset.

AirMagnet's reporting capabilities are granular and complete. When we drilled past the console's chart screen, we found that AirMagnet's Reporter module could generate a multitude of Crystal-style reports. We set information to be sent to the database at the minimum interval of two hours. However, others may appreciate AirDefense's more granular and up-to-the-minute data set.

AirMagnet scored well in identifying various attack aspects, though it didn't do well at identifying software APs, opting to identify them as rogues. It also balked at alerting us every time we spoofed a MAC address. For troubleshooting, Distributed also supports packet capturing in Ethereal, Network Associates Sniffer or its own format, though on-board decodes are limited.Wireless admins looking for a comprehensive and robust diagnostic tool will be attracted to AirMagnet Distributed's fully equipped and capable monitoring system.

AirMagnet Distributed 4.0. AirMagnet, (408) 400-0200. www.airmagnet.comAlthough similar in design to AirMagnet Distributed--complete with sensors, console and management server--the likeness between Distributed and Guard is only skin-deep. AirDefense has focused its distributed WLAN security appliance on providing wireless IDS while presenting a detailed view of the interaction of WLAN devices. It has succeeded. Guard, also in beta, led the pack in IDS functionality and was second only to AirMagnet Distributed in troubleshooting detail.

At first glance, Guard seems expensive, but in our two pricing scenarios, AirDefense stayed in the ballpark. The turnkey appliance comprises a rack-mounted dual-processor management server running a hardened version of Red Hat Linux with a relational database, application software for rogue analysis, IDS, operational support, enterprise policy management and comprehensive reporting.

Guard was one of the easiest systems to install and configure. A few minutes after we input basic settings through an intuitive text-based menu, it was operational.

An SSL-encrypted welcome page with a dashboard listing alarm and device counts, and a list of alarms by device, showed us the status of our WLAN at a glance. Unlike AirMagnet, AirDefense doesn't provide a page that groups APs or SSIDs with their associated clients; we missed this feature, which made it easy for us to visualize wireless relationships. AirDefense's dashboard also doesn't provide a treelike view of alarms; rather, alarms are summarized by device and type. Hovering over the alarm gave us some detail, but we had to drill into each alarm for more information. On the other hand, the alarms section let us easily sort and group various alarms by type, device and time, as well as acknowledge and clear alarms.Despite valiant attempts by AirDefense's team to stem alarm floods, the alarms (albeit consolidated ones) streamed into the console in one-minute intervals. One attack could generate as many as five violations. Although our tests showed that event correlation is difficult, we'd like to see more from the self-proclaimed leader in wireless IDSs. To AirDefense's credit, with some tuning and adjusting of our policies, we could condense the volume of new events to be summarized from dozens down to just five or six alarms. Alarm notification, on the other hand, can be configured so that a continuous alarm pages the administrator only every 30 minutes.

One of AirDefense's strengths is Guard's granular security- and management-policy configuration. We could assign different security policies to APs or let certain stations connect to only some APs. Guard's new Live View feature let us do simple packet decoding, though packet capturing is still a tedious process of enabling a sensor capture, disabling it, and then converting and retrieving the resulting file from the server.

If you're an administrator concerned about the volume of data your wireless monitoring system sends across your WAN, you can set rate throttles on each sensor to bring transfer rates to the server as low as 9.6 Kbps. Unlike AirMagnet's Distributed, whose SQL database receives data in a store-and-forward system from sensors, AirDefense constantly streams updates from the sensors to the management server. Comprehensive data is gathered in one-minute intervals, which let us run reports on which APs a client had connected to during the day and how much traffic was exchanged.

Guard initially didn't do well detecting our attacks. After working with AirDefense, we discovered a bug with scanning channels and simultaneously identifying certain attacks. Once we locked our sensors down to a specific channel, Guard identified key aspects of DoS disassoc, deauth and MAC spoofing attacks. Although it could detect the software AP daemon and ad hoc networks accurately, Guard delivered a false positive for a NetStumbler scan that turned out to be one of our test laptops pinging an AP. AirDefense acknowledged that its NetStumbler signature needs some tweaking.

True to its IDS nature, Guard offers SNMP traps, syslog and e-mail notifications. It also works with systems-management platforms..AirDefense Guard 4.0. AirDefense, (877) 220-8301; (770) 663-8115. www.airdefense.net

Network Chemistry, which supplies its wireless sensors to WildPackets and Newbury Networks, wins our Best Value award for its innovative interface, detailed and comprehensive alarm set, and low price.

Network Chemistry's WIPS (Wireless Intrusion Protection System) architecture harnesses its sensors using open-source code and proprietary software. WIPS comprises three apps: SensorManager manages the a/b/g Neutrino sensors; Packetyzer is a front-end GUI for the open-source Ethereal packet analyzer; and the proprietary Fusion, which combines the end-user app and the core analytics engine, provides the console.

After configuring the sensors, we launched Fusion. Easy to navigate, the interface displays key WLAN information: Network view shows devices grouped by SSID with columns of important WLAN stats. A separate window displays alerts, which can be listed chronologically or by alarm. A station window gives more detailed info, including station-specific alarms.

Because it uses Ethereal, Packetyzer doesn't have all the bells and whistles of WildPackets' AiroPeek or Network Instruments' Observer. Still, it does an adequate job decoding packets.

Private Companies Vendors at a Glance

click to enlarge

The vendor includes policies for the most common wireless attacks and configuration deviations; and a CustomProtect capability lets advanced users create their own signatures. Unfortunately, Fusion allows for rule matching based only on packet content, not on anomalous behavior occurring over multiple frames.WIPS does a good job identifying attacks but is too sensitive with some alarms. Overall, this product was designed as a scalable wireless monitoring system, providing strong functionality for a low price.

Wireless Intrusion Protection System 2.0. Network Chemistry, (650) 575-1425. www.networkchemistry.comLike Network Instruments, WildPackets can trace its roots to wired packet analysis. We could tell: AiroPeek NX runs on admins' laptops, but the RFGrabber sensor allows remote packet capture and analysis from a central location. Perhaps their lineage would explain why WildPackets and Network Instruments seem unable to break out of the packet-analysis mind-set to develop an innovative distributed wireless security-monitoring scheme. There's no monitoring dashboard, and whatever management and configuration policies do exist can't be configured easily. On the plus side, thanks to bargain-priced probes, WildPackets plays in Network Chemistry's league costwise.

Upon installing AiroPeek, we located our probe, assigned it an IP address and used it as a remote network adapter to begin monitoring information and grabbing packets. We located AiroPeek NX's key wireless interface in the SSID tree screen. We easily grouped associated APs and stations with their ESSIDs, along with their signal strength, encryption mode and other data related to frames and bytes. By default, the screen refreshes every second, so our maneuvering or tree-collapsing resulted in a loss of mouse control and re-expanded screens. Changing the refresh mode to manual, or increasing it to several minutes, eliminated that annoyance.

Also bothersome, broadcast MAC addresses indirectly related to wireless traffic are included in the display, generating rows of irrelevant information. Conversely, wireless-specific reporting was limited, except for a live channel statistics screen displaying packet counts and signal and noise strengths, for example.

Security policies were thin. A standard alarm, such as "WEP is not enabled," was listed, but further detail required full packet analysis. Most alarms were generated on packet captures. General-performance policies abounded for the wired network, but there were few wireless policies. One AiroPeek client could capture data from multiple probes but monitor only one.Probe access is exclusive, and the amount of wireless data forwarded to the console during packet capture is substantial, so the product doesn't scale well. WildPackets recommends a dedicated network infrastructure, but the extra administrative burden doesn't make sense for most companies. Also annoying is the requirement to keep monitor mode on all the time just to perform wireless security monitoring. AiroPeek NX does a reasonable job detecting symptoms of attacks when performing a packet capture, but it can't group alarms by device except in packet-capture mode, and it doesn't provide any way to look at historical alarm data.

WildPackets recently announced a new distributed monitoring system, called Omni3, which addresses many of the limitations of the RFGrabber. This system looks like a significant upgrade, it wasn't available in time for testing.

AiroPeek NX 2.0.2 & RFGrabber 1.1. WildPackets, (800) 466-2447, (925) 937-3200. www.wildpackets.com

Network Instruments says it doesn't consider Wireless Observer a point product, and our assessment confirmed that. Until now, the company's focus has been on packet analysis and monitoring of wired segments, and it says it sees the wireless probe as a natural extension of its WAN, Ethernet and Gigabit Ethernet probes.

The company subscribes to a two-tier infrastructure, with Observer as the core engine and console and probes to gather data. The wireless probe we received was a Microsoft Windows XP computer crammed into a compact box with an 802.11a/b/g wireless PCI card. Rack-mounted and software-only versions of the probe also are available.

Wireless Observer could be useful for administrators with concerns about a particular location and who want ongoing packet analysis. Under those conditions, one of the systems could be installed in an office or wiring closet, serving as a temporary remote monitor. However, we don't see this box going up in ceilings around the country, and not just because it would cause said ceilings to fall on heads--because of the probe design and pricing model, Expert Observer is more than three times as expensive as its closest competitor, WildPackets, in our second pricing scenario.We installed the latest client, Expert Observer 9.0, on a workstation and connected easily to the remote probe once we gave it the correct IP information. As we expected from a network-analysis company, Network Instruments' packet analyzer offers information staples like top talkers and bandwidth utilization, and wireless-specific information, such as a wireless site survey and AP statistics screens. Signal strength, rate and packets transmitted and received were neatly displayed in columns. But with no server collecting information and generating alarms, we had to keep Observer's triggers and alarms screen running constantly. The probe's software design is flexible enough to let multiple Observer clients be connected simultaneously, but each instance requires additional reserved memory, limiting the system's scalability.

Because of the probe's PC-based design, we could capture a good amount of data--up to the probe's hard drive capacity--on the remote side before it was transferred to Observer. For that reason, even those with limited WAN pipes can capture significant amounts of traffic without any packet loss. Because of Network Instruments' maturity in the packet-analysis arena, the number and detail of its decodes exceeded those of the other non-packet-analysis products we tested. Unfortunately, however, the packet capture-based Expert Analysis has few wireless-related analyses. And though it did find some congestion and station errors, it missed DoS attacks identified in the separate triggers and alarm screen. We didn't like having to dig for such vital information. Otherwise, it did a fair job of detecting our attacks and security vulnerabilities.

The probe's security and performance policies are easily set through Observer. Some basic wireless configuration alerts are included, but we'd like more granular policy control to ensure our APs are set up properly. Policies related to network-analysis tools, such as errors per station, are plentiful, but only a few general wireless security alarms are provided.

Statistics, such as bandwidth utilization and network errors, are trended, and tables and graphs nicely depicted this data. Wireless-related reports, such as clients connected per AP or rogue APs over time, were nonexistent. Bottom line: For WLANs, the device isn't much more than a basic troubleshooting and stat-gathering tool.

Expert Observer 9.0 Console; Advanced Wireless Probe 9.0. Network Instruments, (800) 526-7919, (952) 932-9899. www.networkinstruments.comThe big draw of WiFi WatchDog is its location management. Although this is impressive, Watchdog simply cannot perform more than basic security monitoring.Setting up Watchdog requires some patience. Because the sensors use Network Chemistry's hardware, sensor installation was the easy part. But the MySQL installation, subsequent database modifications, JRE install and server software installation made the configuration tedious. Further, the product's Web-based interface is neither intuitive nor appealing; more extensive use of color and graphics would convey WLAN data better than the primarily text approach.

Without any summary or dashboard to display alert information, we had to rifle through audit reports for system alerts. Events are listed by location in chronological order, but grouping them by device is impossible. Packet capturing isn't supported either.

We tested the device-location feature by drawing several sets of boxes into the location editor to represent rooms in our lab environment. We indicated which sensors were installed where and, through the Web interface, initiated RF signature training with our clients. The system then displayed our client locations. Rogue devices determined to be outside our perimeter were of less concern to Watchdog than those inside. The included RADIUS authentication system allows or denies access based on location.

We defined simple security policies, such as "no rogue APs," but our choices were limited. Reporting consists mostly of one security audit report and device lists; only a few location-related reports are available.

The attacks Watchdog discovered were likewise limited. Although the company claims to catch DoS attacks, we couldn't trigger those alarms.Watchdog trailed the pack in overall security monitoring, but its location-awareness capabilities provide unique functionality that we'd like to see in all monitors. Meantime, Newbury's pricing reflects the security model--it implemented five times the number of sensors in the first pricing scenario and almost double in the second.

WiFi Watchdog 3.0. Newbury Networks, (617) 867-7007. www.newburynetworks.com

Frank Bulk is a technology associate with the Center for Emerging Network Technologies at Syracuse University. He has worked for a reseller and as a network administrator. Write to him at [email protected].

Jesse Lindeman is the lab manager at the Center for Emerging Network Technologies at Syracuse University. He has been a systems administrator for a historic roofing firm in Washington. Write to him at [email protected].

Post a comment or question on this story.

We tested wireless security-monitoring systems in our Syracuse University Real-World Labs. The sensors were placed in one room so they could listen to the same wireless traffic. We allowed as many as three sensors per vendor.We configured the sensors to scan all 14 2.4-GHz channels and all 12 nonoverlapping 5-GHz channels using their default scan times. If we missed an attack or could not reproduce an event, we locked the sensors on a specific channel to eliminate the possibility that the device was scanning another channel during the test.

Our lab had many types of wireless devices, including SOHO and corporate-class APs (access points) in various security modes (WEP, WPA and open) and flavors (802.11a, b and g). Also at our disposal were infrastructure switches from Aruba Wireless Networks, Airespace and others.

For ad hoc testing, we placed the cards in ad hoc mode (peer to peer), using the client card's utilities or Windows XP's zero-configuration tools. We also had internal laptop and PCMCIA client cards.

For interference testing, we used a Bluetooth AP and a PDA with Bluetooth support. Bluetooth transmits across most of the 2.4-GHz ISM spectrum, effectively interfering with the first 11 channels of 802.11b. The density of AP deployment in our lab generated more than enough beacon and contention traffic.

For attacks, we used AirJack tools (802.11ninja.net/airjack) such as disassoc_wlan_jack, essid_jack, fata_jack, hunter_killer1 and wlan_jack. We had one laptop running NetStumbler, both for monitoring our tests and to trip the NetStumbler scan detections that some products under test provided. We used the Host AP (hostap.epitest.fi) driver to configure a software-based AP, and the FakeAP (www.blackalchemy.to/Projects/fakeap/fake-ap.html) script to generate counterfeit APs. We also used AirMagnet tools to simulate other attacks, but the public-domain software generally made those tools redundant.To verify Power over Ethernet functionality, we used several PoE devices, including the 802.3af-compliant Hewlett-Packard ProCurve 2650-PWR, a 3Com power injector and several Cisco Systems injectors.

We measured sensor range by placing Cisco Aironet 1200 dual-radio APs at various distances and on different floors in our building. Each AP was set to broadcast its SSID. If the sensors in the lab could pick up the beacons for the radio, we considered that discovery; if they detected less traffic at farther distances--a proxy for the fact that the sensors couldn't hear all the beacons--we considered that weak or intermittent.Aruba 800 WLAN Switch with AirOS Wireless Intrusion Detection 2.0 software; Aruba 52 Access Point

Aruba Networks has begun its foray into the edge closet with its 800 WLAN Switch. Based on Aruba's much heftier and significantly more expensive 5000 WLAN switch, the 800 wirelessly enables satellite offices, branch locations, and small and midsize businesses. Using it as a bridge, you can integrate your legacy wireless network with your Aruba 5000 wireless install.

Aruba's switch supports a mix of as many as 16 access points and AirMonitors (Aruba's term for its dedicated hardware monitors; they consist of the same hardware as its access points, but have different software images). However, only eight of these devices can be directly connected to the box.

The 800 uses access points for data services and AirMonitors for RF monitoring. Aruba says this approach is more robust and scalable than that of Airespace and Cisco Systems, whose systems perform both tasks using one access point. Although the jury is out as to whose tack will prove more viable, Aruba's 800 appears to be ahead in offering administrators a peek into their wireless networks.Setup was straightforward. After connecting to the switch's robust, IOS-like CLI (command-line interface), we set its IP network information and configured the internal DHCP server. Through Aruba's new, easily navigable Web-based configuration pages, we created a WLAN profile and mapped out a floor plan to let the switch determine the ratio of access points to AirMonitors based on number of users and desired throughput levels for both 802.11b/g and 802.11a. Aruba's access points, like Airespace's and Cisco's, are 802.3af PoE (Power over Ethernet)-compliant, making installation a snap.

With the WLAN up and running, we launched a slew of common attacks to test the Aruba WLAN's resiliency and its ability to identify various types of malicious WLAN traffic.

The 800 was quick to detect nontrusted access points and could distinguish between what Aruba calls "interfering access points," which are those that are not connected to your wired network, and rogue access points, which are. But it had problems with our test dual-radio access points, which used common BSSIDs for both spectrums; it kept rotating the rogue alarm from 11b to 11a and back again as it tried to determine which frequency and channel the access points were using. The 800 also had difficulty determining one access point's 11a channel, kept another rogue in the active list for weeks after it was powered down, and displayed quirkiness by showing some access points' 5-GHz channels as 11b/g and 2.4-GHz channels as 11a. The switch supported ad hoc network detection, though two alarms providing the same information were generated for each offense.

The 800 automatically prevented our hypothetical users' clients from associating with rogue access points by bombarding the clients with deauthentication packets made to look as if they came from the rogues. The switch also identified clients not associated with Aruba WLANs and let us preclude those clients from associating with any access point, Aruba or otherwise.

The 800 not only contained unauthorized APs and clients, it also detected malicious attacks that relied on similar containment methods to bring down WLANs. Unfortunately, the switch triggered alarms regardless of whether containment deauthentication and disassociation packets were generated by Aruba access points or by interlopers. False positives also resulted when we configured the 800 to catch wireless bridges in the building--we got alarms back saying Aruba's own access points were in violation of this policy.The 800's wireless IDS features, while stronger than Airespace's and Cisco's, are immature at best. Although it technically saw every attack we threw at it, depending on how each attack operated, the 800 switch offered up a combination of MAC spoofing, ad hoc, deauthentication, disassociation and AirJack (so named for the open-source drivers used by many of our attacks) signature alarms to suggest exactly what malicious activity was afoot. We had to run NetStumbler detection continuously for four days to trigger the IDS alarm.

Aruba 800 WLAN Switch with AirOS Wireless Intrusion Detection software 2.0; Aruba 52 Access Point. $4,995 for software/appliance, $500 for AirMonitors. Aruba Wireless Networks, (408) 227-4500. www.arubanetworks.com

Airespace Wireless Enterprise Platform 2.0

Airespace's Wireless Enterprise Platform comprises the 4000 WLAN Switch and ACS (Airespace Control System) software. The company is betting heavily on its highly granular location capabilities, and though ACS is somewhat lacking in the IDS department compared with Aruba's young and dodgy IDS features, many administrators will welcome Airespace's automated approach to keeping intruders at bay.

Setting up and configuring Airespace's switch is as easy as it gets. After inputting its network settings and uplink port configuration via the CLI, we were ready to use the box's slick GUI to configure WLAN and security profiles, all with default-enabled SSL encryption. ACS running on a beefy PC on our test network made configuration, management and troubleshooting our switch, or even an entire network of Airespace switches and access points, simple by bringing all switch configurations and collected RF monitoring data into a single user interface.Rogue infrastructure access points and ad hoc networks were detected promptly and displayed in a dashboard grid. Drilling down into the rogue alarms, we noticed that though our switch was sending alarms for both 11b and 11a radios, ACS was summarizing them by BSSID and distilling both rogue radios down to one alarm. A few additional clicks revealed the whole rogue picture, but most admins would like to see all rogue activity at a quick glance.

Airespace's box, like Aruba's, tries to determine if rogues are connected directly to your wired network. But instead of relying only on Layer 2 MAC addresses to figure this out, Airespace access points spoof clients and connect to invalid access points to find out what Layer 3 IP address the access points are using, all while maintaining data connectivity for users. This measure is performed automatically, as is containment of rogue devices, unless you disable the feature.

Airespace's switch had some difficulty discovering our WLAN attacks. Without the IDS signatures needed to identify and alert admins to suspicious activity--something the company says it will include very soon--our tests triggered rogue AP, ad hoc and interference alarms when appropriate. Airespace's switch offers a little more protection when attacks are launched by clients by detecting duplicate MAC addresses and blacklisting, or shutting down, offending clients for a set time.

New to the 2.0 family of switch software is what Airespace calls WPS (Wireless Protection System). This lets companies with "No WLAN" policies shut down all wireless activity until they're ready to buy the software needed to put on the switch that will allow for the passing of data. Although some overlay monitoring tools are better suited to this task, Airespace's WPS provides a clear migration path for shops still testing the WLAN waters.

Airespace clearly sees its ability to locate access points and clients to within a 10-square-foot area as essential for battening down your airspace. Although our testing confirmed the vendor's location claims, it remains to be seen whether wireless administrators consider the ability to locate interlopers to be at least as important as specifically identifying the attacks against their WLANs.To help with troubleshooting, Airespace includes a packet-capture feature, which you can activate centrally from the switch. Aruba's 800 box offers a similar feature.

Airespace Wireless Enterprise Platform 2.0: Airespace 4000 WLAN Switch, $11,000; Airespace 1200 AP, $400; Airespace Control System Software, $4,000. Airespace, (866) 546-2100, (408) 635-2000. www.airespace.com

Cisco WLSE (Wireless LAN Solutions Engine) 2.5

Cisco's WLSE 2.5 is aimed at easing configuration and management of large Cisco WLAN deployments. Although this most recent release offers administrators some basic RF monitoring capabilities for their 802.11b networks, it remains primarily an enterprise configuration-management solution.

Putting WLSE in charge of our test bed of Cisco 1200 APs was as simple as letting the device discover them by way of SNMP. The laborious part came when we had to upgrade all the access points' firmware to leverage the platform's RM (Radio Monitoring) capabilities.After loading the preparatory helper image file and then the IOS-based firmware update onto access points, we struggled with configuring WDS (Wireless Domain Services). An undocumented RADIUS-port misconfiguration prevented us from letting our WLSE and all our Cisco access points authenticate to an access point set to perform as our WDS, the aggregation point for all RM data being forwarded to the WLSE. We eventually got things running smoothly, but only after a lot of head-scratching and a 10-minute phone call to Cisco.

Although Cisco promises 11g and 11a support in the coming months, WLSE 2.5 currently lets admins monitor only 802.11b-based WLANs. Nevertheless, we could detect interference sources and rogue 11b access points by scanning channels with access points or with clients that support CCX (Cisco Certified Extensions) version 2.

WLSE helps combat rogues by identifying the switch port to which a rogue is connected. This gives you a chance to disable it manually--unless the offending radio's MAC isn't numerically close to its wired MAC address, or isn't connected to your network. The box can pinpoint client and rogue-access point location with some accuracy, but you'll probably still need a handheld analyzer to pinpoint violating devices.

Wireless Infrastructure Devices Featuresclick to enlarge

WLSE did an excellent job of detecting 802.11b rogues. However, it couldn't properly identify any of our test attacks, though it did hint at malicious behavior by showing some of the attacks as rogue access points. Cisco says it intends to include support for ad hoc network detection in a future release.

Like both Airespace's and Aruba's offerings, Cisco's WLSE 2.5 can indicate when interference is present, but unlike Airespace's and Aruba's products it cannot adjust its AP channel and power output settings dynamically to help the WLAN cope.CiscoWorks 1130 for Wireless LAN Solution Engine, $8,495; CiscoWorks Wireless LAN Solution Engine Software 2.5, no-cost upgrade; Cisco Aironet 1200 Series AP (802.11b/g and .11a), $1,299. Cisco Systems, (800) 553-6387, (408) 526-4000. www.cisco.com

A features chart comparing the above products can be found to the right.Vendors are working on making your WLAN location-aware. But while a few products can pinpoint locations to within a cubicle-sized zone, most of the offerings we looked at gave only tantalizing hints at devices' whereabouts. We expect this location granularity to improve significantly in the coming year as more organizations realize the benefits of a location-aware WLAN.

Many location-tracking uses revolve around keeping tabs on assets and personnel, but the technology can do more. For example, with location-based rights, you can ensure that visitors in your lobby and lounge areas have Web access, and that WLAN access in other locations requires authentication. If malicious devices do get in, location determination can help you dispatch security to the right spot.

Approaches to location tracking fall into three categories, with varying accuracy. The most primitive, and most common, is tracking based on signal strength via RSSI (Received Signal Strength Indicator) to identify the AP (access point) or sensor closest to the 802.11 device of interest. Often, this means that once the monitoring system identifies the nearest AP, it's up to an administrator to track the location with a handheld analyzer. This method offers accuracy only within the closest AP's range. Sometimes, other APs' RSSIs are displayed to help suggest locations.

By adding a little intelligence and a floor plan, monitoring systems can triangulate a location, increasing precision. When a device is heard by APs or sensors, triangulation systems determine approximate location based on several signal strengths. Depending on system specifics, as well as AP or sensor density, triangulation can narrow location down to between 400 and 900 square feet. Although this method may suffice for some apps, it is severely limited because it ignores environment- specific attributes, such as building materials, office equipment and other attenuation, and multipath sources.RF fingerprinting systems take building attributes into account. Measurements are conducted across the WLAN to train the intelligent systems to compensate for attenuation sources, such as walls and cabinets. The systems can determine the RF signatures of signals at specific points in your WLAN, compensating for signal degradation and enhancing location granularity. Although they require hours of RF signature training, the systems can track a location to within 100 square feet. --Jesse LindemanWhen it comes to wireless security, the latest buzzword is WPA (Wi-Fi Protected Access). This quasi-standard has arrived to save us from WEP's inadequacies and design blunders. Most people view WPA as an interim solution to be supplanted by 802.11i once the IEEE finishes that standard.Essentially a subset of 802.11i, WPA provides a workable security architecture compatible with legacy hardware devices. While the 802.11i Task Group has defined the RSN (Robust Security Network) model to address WEP vulnerabilities, WPA is a tactical move by Wi-Fi manufacturers, under the banner of the Wi-Fi Alliance, to address WLAN security.

Both RSN and WPA share an architecture that covers upper-level authentication, key distribution, key renewal and other procedures. However, WPA is built around TKIP (Temporal Key Integrity Protocol), while the more thorough and elaborate RSN supports AES in addition to TKIP. In other words RSN uses stronger encryption and can support future upper-layer authentication. WPA can be implemented with a software/ firmware upgrade in most WLAN products, but hardware replacement is a must for RSN because of the CPU-intensive security mechanisms embedded in the 802.11i standard. Fortunately, most WLAN chipsets have integrated AES hardware support.

TKIP was not invented exclusively by WPA's designers. Rather, when the security deficiencies of WEP were published two years ago, many Wi-Fi vendors tried to solve the problem by rolling out proprietary enhancements to WEP; this work came to be known as TKIP. Unfortunately, interoperability remained a problem.

TKIP addresses WEP's weak key management and uses the RC4 cipher stream algorithm for data encryption. RC4 continues to be used because the installed base lacks the CPU horsepower to run AES, and the algorithm can handle packets in a lossy media.

Vendors also began experimenting with dynamic key management, which reduces vulnerability to attack and provides a workable enterprise-class key implementation framework. Cisco was first to deliver such a system, but like early TKIP implementations, its work is proprietary.WPA has two modes of operation: Enterprise and PSK (preshared key). Because WPA is a stable intermediate stage in the attempt to separate user authentication from message protection, no effort has been spared in hardening the infrastructure given the hardware restriction. WPA can be boiled down to: 802.1X (port access control) + EAP (upper-layer authentication) + TKIP (key management) + MIC (message integrity and countermeasure)

The difference between WPA and WPA-PSK is that in the PSK version, the need for a RADIUS server to generate a master key for a session is replaced by implementing a common passphrase. Using WPA-PSK is similar to using the static WEP key, except the PSK takes a different approach in key hierarchy and key management. Like any shared-key environment, the WPA-PSK is subject to dictionary attacks, so care must be taken to implement strong key phrases.

MIC protects the integrity of the packet across the media; it includes countermeasures to address packet-integrity breaches detected in WEP. MIC also is derived from the master key, which in the case of WPA-PSK would be the preshared key.

In the 802.11i standard, unlike WPA, key management and message integrity is handled by a single component CCMP (Counter mode/CBC-MAC Protocol) built around AES. The counter mode is used for data encryption and the CBC-MAC (Cipher Block Chaining-Message Authentication Code) ensures message integrity. Here's a view of 802.11i: 802.1X + EAP + [{TKIP +MIC} or CCMP (encryption and message authentication)]

Authentication in the RSN model is addressed by 802.1x and EAP. In an enterprise, a RADIUS server is used to facilitate authentication and provide integration with databases. The RADIUS server generates the session master key and sends it as an attribute along with the EAP-Success message. Master key generation is immaterial of the EAP type used.Because higher-level authentication is handled by the 802.1X/EAP framework, clients need an 802.1x supplicant (client) to validate user credentials against the authentication server. Supplicants are available from Funk Software, Meetinghouse Data Communications and other vendors for a range of OS platforms. And many Wi-Fi vendors are working on embedding the supplicant in the wireless adapter's chipset and software. And Microsoft has released a patch that adds WPA to the embedded wireless client.

Given that so much has been packaged into WPA, have WEP's wireless-security holes been sealed? The only truly secure network is an unplugged one, so there will never be a perfect security solution. Security risks can be mitigated using WPA, but it has limits.

The hardware restriction imposed on MIC affects its robustness, and this countermeasure may facilitate a DoS (denial-of-service) attack against the wireless network. Finally, since 802.11 management frames are not encrypted, the Wi-Fi network is vulnerable to malicious deauth frames, which can disconnect users from access points.

A solution for these problems is expected with the 802.11i standard. Until then, prepare by replacing legacy systems with equipment capable of supporting RSN. "Frank Robinson


Wireless Overlay Monitors

your browser
is not Java

Welcome to

NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon

above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.Click here for more information about our Interactive Report Card ®.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights