Distributed Wireless Security Monitors

We put out a call for distributed WLAN monitoring systems that are WAN-optimized for geographical and distributed operation and provide, at minimum, wire-side and wireless rogue-device detection, intrusion detection, RF interference detection, user and group traffic monitoring, and performance monitoring in the 2.4-GHz and 5-GHz ranges.

Of the 11 vendors invited, five took on the challenge. Industry veterans AirDefense and AirMagnet, newcomers AirTight Networks and Highwall Technologies, and price leader Network Chemistry all supplied gear to our three testing sites: our Syracuse University Real-World Labs® and partner labs in Iowa and Rhode Island. Among the other invitees, BlueSocket and Network Instruments said their latest offerings were not fully baked, and Cirond, Newbury Networks, Red-M and WildPackets all said their products did not meet our criteria.

EvolutionWe last reviewed WLAN security products 15 months ago (see "Wi-Fi Vs. Bad Guy,"). This time, we took our testing to the next level by evaluating some sophisticated features as well as WAN and other performance metrics. Fortunately, the vendors whose products we tested have also moved ahead: Rather than rest on their laurels, they're working to help companies wring extra value out of their overlay systems. Features such as security-policy templates and detailed forensic-traffic reporting can save harried IT staffs hundreds of hours. Given that most security initiatives defy obtaining a hard return on investment, features that boost compliance with GLBA (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), Sarbanes-Oxley and other regulations can only help, and this is one area where point-specific products shine.

To get a better feel for what it's like to manage a truly distributed wireless security monitoring system, we stationed sensors at our labs and with SANS Institute wireless security researcher Joshua Wright, best known for creating the asleap attack. Our partnership with Wright yielded some very interesting findings, which we summarize in "Doctrine of Containment" and present in their entirety in this chart. Our experience with a mixture of public and NAT connections made us incredibly sympathetic toward our comrades who've deployed wireless to hundreds of remote locations, but we learned that given a solid understanding of your network and adequate preparation, it is possible to "unplug and play."

We placed heavy emphasis on advanced rogue AP detection and location, features that weren't available or mature last time out. Any AP sending out beacons can be easily identified in the air, whether it's broadcasting its SSID (Service Set ID) or not; the real trick is successful immobilization and extraction. We pushed these products to see if they could identify whether the device was off or on the network and if on, which switch port it was using. Network admins take note: If you only go hunting for rogues on the third Tuesday of the month, put down the sniffer and you might still avoid being labeled the roving geek. All the products tested except that from Highwall provide wire-side or wireless containment that enforces your wireless security policy by backing up continual monitoring of your airspace with immediate action. This can be accomplished in two ways: For a rogue AP on your network, the Ethernet port on the switch can be disabled. Alternately, rogues can be contained wirelessly--the monitoring system will prevent clients from associating to that device.

Some vendors have added a level of ingenuity in that they don't contain rogue APs not attached to your network unless an enterprise wireless client accidentally associates to that rogue. Initially, most rogue wireless APs were bridges or repeaters, but with the proliferation of cheap wireless APs integrated with routers, it's almost impossible to reconcile what are now nonmatching MAC addresses on the WAN and LAN sides. For this review, four of the six rogue APs in our test bed were also routers (see "How We Tested Wireless Security Suites," for details).

We also spent time analyzing facets of these products that most reviewers overlook, including wireless bandwidth usage when performing over-the-air rogue mitigation and wired bandwidth usage when monitoring a wireless network. Many retail chains still have 64-Kbps leased circuits, so any product that clogs half that pipe is unacceptable. Tally up 1,000 remote 32-Kbps links and you have 32 Mbps of traffic streaming into your data center, making wireless security an expensive WAN service. Although we didn't have access to dozens of APs and hundreds of wireless client to generate the background RF traffic the sensors listen for and report to the centralized management system, the results we did gather from our tests offer shades of what would happen on a larger scale.All the systems we tested shared a similar distributed client-server architecture: Sensors on the edge transport data over Layer 3 links to a centralized server. The most significant difference was how much processing and correlation occurred at the sensor compared with at the core. AirDefense and AirMagnet share common ground by using a Senao-designed AP for a sensor with their custom software loads. AirDefense provides its server software on a Linux appliance but told us it plans to offer a software load for Intel-based servers. AirMagnet customers supply their own Win32 boxes, but the company does throw in a license for Microsoft SQL. AirTight also follows the appliance model, running a Linux distribution and using Accton Technology APs with its own software load.

Highwall and Network Chemistry manufacture their own sensors. Highwall's Sentinel remote sensor has a unique design. Rather than deploying a multitude of sensors with attendant cabling and configuration requirements, Highwall's encyclopedia-size unit, which includes a high-gain receiver, can be outfitted with an even larger multisectored antenna that also provides some location capabilities--it can find out where a wireless device is. According to the vendor, one sensor can cover a multistory building. The other vendors quote ranges of three to six APs to one sensor. We found that our single Sentinel remote sensor at Syracuse University could see many more client devices than rivals. What does that mean besides the obvious extended coverage? We found we sacrificed scanning time--rather than have 10 sensors scanning the air, one sensor must scan 10 times as much volume--and there's no wireless rogue mitigation because of FCC transmit power-control limitations.

We preferred Network Chemistry's inexpensive and well-designed RFprotect sensor, which is plenum-rateable, offers external antenna connectors and is flexible enough to be powered by any of three varieties of PoE (power over Ethernet). Network Chemistry also offers a slightly more expensive model, the "Port Saver," that lets the sensor use an AP's existing PoE connection and pass on the remaining power to the AP. Cabling accounts for a substantial portion of the deployment cost, and this is an innovative way to save. Network Chemistry requires customers to provide their own Win32 servers to host its RFprotect Server Engine software, which uses an open-source database.

We asked the vendors to send us their in-house attack rosters to be used at our discretion, but only AirMagnet took us up on our offer (AirDefense did send us a copy of a free, downloadable security attack CD). Unsurprisingly, AirMagnet's system detected the entire custom set of attacks, but most rivals held their own; every product except Highwall's detected the majority of AirMagnet's basic attacks. For scoring purposes we supplemented the attack set and found that more advanced exploits, such as the CTS flood, EAP-Failure and EAP-Logoff attacks, were missed or inaccurately classified by most devices under test. Wright performed an exhaustive analysis of attacks using a combination of the AirMagnet, publicly available and self-written tools; the results are here.

We were pleasantly surprised that price-leader Network Chemistry has a comprehensive attack signature set, detecting and accurately classifying the most attacks, followed closely by AirMagnet, then AirDefense. But the lesson to be learned is that that there's no wireless security equivalent of the heuristic detection used by leading antivirus companies, and though the vendors may argue otherwise, their implementations are still essentially signature-based and suffer from the same zero-day vulnerabilities as their wired kin. Case in point: Wright's custom--and as yet undistributed--packet fragmentation attack went undetected by all the products.Overall, alarm and event management implementations varied widely. At one extreme, Highwall's system was limited to simple filtering, while at the other, AirDefense's Enterprise 6.2 provided detailed or summarized alarm information by device, type, sensor location and more. AirMagnet has more than 130 alarms, but we pity the wireless administrator who has to evaluate even half of them. Many are related to performance, and AirMagnet had its fair share of false positives. Network Chemistry sat in the middle of the road, making it easy to filter alarms by location.

Basic functions, such as acknowledging alarms, sometimes proved frustrating. For example, certain views of AirDefense's alarm screen are so wide that even with an XVGA resolution we had to scroll to the right to clear alarms. AirMagnet's AirWise screen wouldn't let us group acknowledgements of alarms by type or device--it's one by one or everything--but thankfully, identical alarms for the same device are rolled up and appended with a number to signify the number of occurrences. On the other end of that spectrum, rather than providing a hierarchical and expandable list of alarm as AirMagnet does, AirTight lists alarms in tabbed windows, ranging from "All" to a multitude of subtypes.

Highwall lists alarms in Hotmail-style fashion, with a long column to the left of empty checkboxes. The "MISSINGAP" alarm became quickly annoying as devices that hadn't been seen regenerated the alarm even after we'd cleared it--we felt a bit like a dog chasing its tail. The company says this problem will be addressed in the next release. Network Chemistry's RFprotect Console made it easy to acknowledge groups of alarms by alarm type, but filtering by location didn't always work, even when we refreshed the screen.

One note: When the LAN or WAN link between your sensor and management console goes down, it's vital that the system retrieve all the alarms and events that occurred while it was disconnected. When we tested this function, only AirMagnet's Enterprise and AirTight's SpectraGuard Enterprise successfully passed on that information, though AirTight's alarms were dated when the server received them, not when the events occurred. Network Chemistry says this feature is offered in the version that will be available by press time, and AirDefense says it's including this in a future release.

Cat and MouseRogue mitigation, also known as containment, is a touchy issue. In a testament to the industry's maturation, most of the vendors were quick to point out that performing rogue mitigation against a device attached to your network is a different ball of wax from shutting down an AP not physically connected to your infrastructure. In the latter case, you could inadvertently stop a business one floor above you from accessing its network.

AirDefense's was the most conservative approach: We could take action only if the rogue was our own AP or a rogue device on our network, and all sensors and the server have containment functionality disabled by default. The company told us it would prefer if its customers tied into Cisco Systems' WLSE (Wireless LAN Solution Engine) and used its port-side blocking. Perhaps because of the attention paid to this function, when we enabled AP blocking AirDefense generated the smallest amount of wireless traffic, between 1 Kbps and 2.8 Kbps (see "Containment Performance,").

On the other end of the spectrum (no pun intended), AirMagnet was relatively laissez-faire in its implementation, averaging 23 Kbps to 79 Kbps, with much less traffic required to contain 802.11a than 802.11b/g rogues. It also allows for automated wireless and port-side blocking in response to a security event--we hope that wireless administrators use this capability wisely.

AirTight takes a whole different approach to wireless rogue mitigation. Its mantra is the "Wi-Fi firewall" achieved through autoclassification and rogue containment, and the SpectraGuard generated 3.9 Kbps to 5 Kbps of traffic while successfully shutting down all but one combination of our Cisco CB21AG and Linksys WRT55AG APs in 802.11a. Network Chemistry supports a logical subset of automated containment, preventing authorized clients from associating with unauthorized APs and vice versa. Its RFprotect wireless sensors, which must be running in encrypted mode, generated 9 Kbps to 18 Kbps of traffic but were unable to completely suppress our Cisco CB21AG card in the 2.4-GHz and 5-GHz spectrums. Highwall's product provided no containment because of its sensor design.Of course, before you can stamp out rogues you have to find them, and identification capabilities varied widely. AirDefense found all our rogues in the air but couldn't distinguish between those on or off the network unless we had at least one authorized AP--otherwise, they are all labeled as external. However, when tied to Cisco's WLSE, AirDefense can provide additional details, such as wired port associated with the rogue AP. Nice.

AirMagnet says its latest version, which should be available when you read this, will have similar integration with Cisco's WLSE. Our test system did find the wired ports of the rogue APs in our test bed, except for two rogue wireless routers. The only nit we have with AirMagnet's rogue-identification procedure is that wire-line tracing didn't occur in as timely a manner as the vendor claimed it should have. AirTight, on the other hand, doesn't conduct port tracing; its logic is that, when used in conjunction with containment, port tracing would make it relatively easy for a rogue AP with some custom software to spoof the MAC address of a valid wired device and essentially perform a DoS (denial-of-service) attack against the network. We believe wire-line port detection does not need to be tied to an automatic kill pill and so still can be a valuable tool in locating rogue devices.

AirTight places special emphasis on autoclassification of devices as authorized, rogue, external or uncategorized and uses this system to let administrators determine how unauthorized devices are to be treated; we could define what the sensor should do with illicit nodes. Although its setup did great with open APs and the two bridge APs with encryption on, it correctly classified only one of our four rogue wireless routers with security turned on.

Highwall had no advanced features for on- or off-network detection or wired port discovery, but had no problem with basic over-the-air identification. Network Chemistry was most similar to AirMagnet in that it had wired and wireless rogue discovery, but it was not as successful, failing to identify the wired ports of rogue wireless routers because of its over-the-air tracing implementation. Testing with all the systems showed that unless a device is associated with an AP and sending traffic through it, there will not be enough information to quickly identify or classify a wireless device.

Hide and SeekNext, we tested location capabilities. Don't confuse location discovery with access control based on location--none of these products provided that, unless you include AirDefense Enterprise's ability to authorize certain clients with specific APs. Rather, location let us identify where rogue devices can be found; some products even showed sensor coverage capabilities on a map as well as some extrapolated AP coverage patterns. Interestingly, though none of the wireless IDS vendors are promoting this capability now, a location system could track objects fastened with wireless tags.

AirDefense has partnered with Ekahau to build a separate appliance that runs on a Win32 or Linux system and tightly integrates with AirDefense Enterprise. Configuring and integrating this 1.0 release was challenging, but after a generous dose of technical support, we could perform the necessary training of our wireless environment. Once we got going, AirDefense Enterprise tracked our rogue 802.11b AP within several feet, but the rogue client jumped all over the map, as did the rogue 802.11a AP.

AirMagnet made things much simpler: Once we pulled in a map and placed the sensors, all our rogues were pinpointed within 10 feet. We didn't even have to define propagation characteristics of the building. But AirTight surprised us the most. After we imported a map, placed our sensors and known good APs, and calibrated the sensors (with just a click of a button), AirTight located two of the objects within five feet of their actual location and the remaining one within 10 feet. Network Chemistry followed a process similar to AirTight's, but its results weren't as good.

Highwall's product was again very limited. It's designed to cover a large area and does not work in conjunction with other sensors. No maps are used, and the system reports the vertical orientation as well as which one of eight sectors a rogue could be in. Despite repeated attempts, we located only one of our rogues, and we had difficulty interpreting the results.

Wireless performance and configuration policy monitoring are obvious ancillary benefits to security monitoring--you're already listening to the air for attacks and rogues, so why not track traffic patterns and make sure the wireless network is following your approved configuration? Wireless-infrastructure-based wireless IDS offerings from vendors such as Aruba and Cisco-Airespace shine in this aspect of performance monitoring because they already manage every packet entering and leaving the system, though this doesn't necessarily mean they can track rogue AP, ad hoc or neighboring traffic. Wired IDS purists might be shocked to find that only 2 percent to 5 percent of wireless traffic is observed--remember, there are easily more than two-dozen channels to monitor between the 2.4-GHz and 5-GHz ranges. And, the numbers displayed are not prorated, so when the system says that 15 KBs were transmitted, it's likely 20 to 100 times that value. And the wired guys are worried about missing a few packets on a 10-Gbps link?Nevertheless, performance monitoring will generate, over time, sufficient statistical data for future planning. AirDefense Enterprise recorded a rich set of performance metrics, including number of clients associated per AP and packets or bytes between wired and wireless devices (in both directions). Where we could match up numbers to our control case, with a laptop capturing all the traffic on that channel, recorded values were generally 1 percent or less of actual traffic. But when looking at 1-Mbps rate flows, AirDefense reported 10 percent and 44 percent of client and AP traffic, respectively. We also took a look at a detailed snapshot of a device that included such information as which nodes it had talked with and dozens of performance metrics, and we found extensive wireless configuration policies that can be assigned granularly.

AirMagnet Enterprise cannot zoom in to five-minute segments, but it does have many of the same metrics offered by AirDefense, in different form. Its statistics were more wide-ranging, matching anywhere from 2 percent to 27 percent of recorded values. AirTight acknowledged that performance gathering is a relative weak spot for its product, and we consider the company's self-assessment accurate. We found only three traffic-performance metrics for APs and none for the client we used during formal assessment. Finally, Highwall's offering trailed the pack once again, providing only average bandwidth usage and total data transmitted.

Cost Factor

Operational costs are difficult to pin down. Depending on your desired level of alarm-threshold customization, how serious a problem must be before you're notified, and the level of integration with other enterprise security monitoring systems, the offerings we tested will require from as little as a few minutes a day to as much as an hour to sort through alarms and process notifications. All the systems generated false positives, and we believe that all require tuning.

Looking just at capital and deployment costs, we were impressed that Network Chemistry doesn't perform a DoS attack on your wallet. We presented the vendors with three pricing scenarios: First, a six-probe deployment in a typical office building with five 50,000 square-foot floors containing three APs each, no location tracking required, and limited rogue-containment coverage. Second, a campus deployment of 20 buildings with five APs in each one-to-three-story building, with a recommended four sensors in each building so that a minimal level of location tracking is possible with adequate rogue-containment coverage. And finally, a distributed deployment of 50 locations with two APs and one sensor at each site, with limited containment coverage, and a corporate headquarters with two floors that need a total of eight sensors for good location tracking. We asked vendors to include first-year software and hardware support, the cost to run Ethernet and electrical cabling ($250 per port) if the device does not support PoE, and the cost of an injector if the sensor does not support IEEE 802.3af. In our scenarios, Network Chemistry's entry cost was significantly less than rivals', in part because its Port Saver sensor eliminated most of the $250 cabling cost. But even without that benefit, Network Chemistry would have undercut its competitors. AirDefense Enterprise, an acknowledged market and technology leader, came in double or almost triple Network Chemistry's cost, depending on the scenario. Highwall followed soon after AirDefense, and though it claimed that a reduction in sensors would offer some concrete savings, its overall last-place showing doesn't bear that out. Rounding out the field, AirMagnet and AirTight took the middle ground and had fairly equivalent pricing (see our pricing chart).

The two veterans, AirDefense and AirMagnet, demonstrated their products' maturity with consistently high scores, but AirMagnet Enterprise eked out a win and took our Editor's Choice thanks to its much better pricing. Network Chemistry once again finished a respectable third, faring very well with its smart sensor design and earning for the second time our Best Value award. AirTight Networks shows great promise and impressed us with its location monitoring, but it's still getting out of the gate in some features that others have provided for some time. Highwall Technologies provides basic rogue detection and identifies a small set of attacks, but its relatively sparse GUI couldn't compete with the depth of the others.

Last time around, we evaluated the beta 4.0 release; now, just 15 months later, Enterprise has been upped to version 5.2. At first glance, the product looks and acts much the same: It still runs a Win32-based system using Microsoft SQL server as its back end; its standalone laptop version inherits a Win32 interface similar to that of the appliance; and it uses the same Senao sensor, which still doesn't support standards-based PoE natively. But once we delved deeper, the improvements became apparent: Automated intrusion response, both on the wired side using switched port disabling and on the wireless side with RF-containment, is now included. Compliance reporting covered DoDD (Department of Defense Directive) 8100.2, GLBA, HIPAA and SOX. Also new are map-based location services, a time-based ACL (access-control list), and the ability to add notes and assign owners to devices.

AirMagnet didn't send us an appliance for testing. Rather, we performed a fresh install of the product on the laptop the company had supplied for our last review; the PC had Microsoft Windows 2000, SQL and IIS preinstalled. A wizard asked us to choose a system policy that best matched our desired configuration; examples included enterprise, government and no wireless. After we completed a few initial steps, AirMagnet's dashboard opened up and displayed a colorful grouping of graphs and tables providing key statistics relating to the health of our wireless network.

To set up the sensors, we had to attach a serial cable and configure the device's IP network information, management server and secret key that is used to encrypt the communication flow between the sensor and server. In contrast to AirDefense, which performs most analysis on the server, AirMagnet accomplishes most of its analysis on the edge device, the sensor. Although there's much debate in the vendor community about which approach works best, it's never an either-or implementation. In AirMagnet's case, patches and feature enhancements will almost always necessitate a software upgrade of the sensor, something we experienced during our tests. While upgrading our two remote sites, a local Internet link failure threw us for a loop. We recovered one sensor with some late-night technical assistance; by the time we had it working, the AirMagnet sensor at the other site had restarted and successfully completed the download!Having provided integration with AP management vendor AirWave for some time, AirMagnet recently added data exchange with Cisco's WLSE and a generic XML interface and support for Cisco's RDEP (Remote Data Exchange Protocol), also based on XML. AirMagnet provides account integration with Microsoft's Active Directory and OpenLDAP to allow for a single password store.

Port detection of rogue APs outperformed Network Chemistry, the only other vendor that uses its sensors as wireless clients to assist in evaluating whether rogues were on or off the network. Although AirMagnet Enterprise had trouble identifying the switched port for two of the four wireless routers in our test bed, some of the other products tested required third-party assistance or didn't support the feature at all. While the system's wireless rogue AP and client containment were effective, it transmitted the most packets of the systems tested, consuming much more bandwidth than the others.

AirMagnet was first known for its PDA analyzer, which it followed up with a standalone laptop device. Those strong analytical roots let AirMagnet provide more live detail on what was going on in our wireless space than its competitors. Once we drilled down to the sensor of interest, we could view the live RF surrounding that sensor, including what portion of the air is used up with 1-Mbps, 2-Mbps and 5.5-Mbps traffic. We also enjoyed specialized tools to assist in troubleshooting client-AP negotiations, packet capture and decoding, as well DHCP, ping and trace.

AirMagnet supports more than 130 security and policy violation alarms, and it had the best success identifying the more advanced attacks. On the other hand, we felt the system was a little trigger-happy: A client that was incorrectly configured to access a Cisco AP configured for WPA-LEAP was labeled as possibly running the asleap attack because of all the failed access attempts. And while we performing our wireless attacks, AirMagnet Enterprise complained that the attacker wasn't using TKIP or PEAP--who cares! There are options to tune alarms for only certain SSIDs, but a more advanced system would filter out the noise and present the most relevant data to the wireless administrator, something that the setups from AirDefense and AirTight could do.

AirMagnet's pricing was reasonable. Organizations looking for a strong wireless IDS with some diagnostic capabilities will want to evaluate AirMagnet, and government facilities with higher security needs might rest easier knowing that AirMagnet is the only vendor in the beginning stages of FIPS 140-2 certification (see "Getting Hip to FIPs 140-2,").

AirMagnet Enterprise 5.2. AirMagnet, (877) MAGNET-5, (408) 400-0200. www.airmagnet.com

AirDefense Enterprise has undergone two major releases in the past 15 months, though the architecture remains much the same. In typical Layer 3 fashion, the sensors feed into a hardened Linux 1U appliance managed using a Java GUI. Installation was simple, though server configuration is performed through text menus. Company representatives promised that a graphical install is forthcoming. We did need to supply IP networking information to our sensors, which could be linked to two servers for redundancy. After ensuring we had the necessary JVM (Java Virtual Machine) installed, we pointed our browser to the secure Web site and logged in.The GUI is well-laid-out, though we had to refresh more often than we would have liked, and cached dashboard information often didn't reflect cleared alarms until at least a minute after we had completed the procedure. Still, the interface was functional; we easily and granularly applied policy configurations to different locations, for example.

Client performance has greatly improved since the last release, demonstrating that it's possible to make a Java-based client that can really fly. Right-clicking any device offered a wealth of options, making it easy to perform the action or get the details we wanted from almost any screen. We liked the "snapshot" feature, which presented a minute-by-minute overview of what was happening in the air while a given device was active. AirMagnet's Reporter add-on is not nearly as real-time, nor does it provide the same level of detail.

AirDefense doesn't use its sensors to connect to rogue APs over the air and identify whether they are internal or external rogues. Rather, it depends on behavior analysis to detect unique traffic signatures that differentiate between on- and off-network devices. The company didn't share the exact details of how this works, but we discovered that unless we had an authorized AP on our network, autoclassification doesn't work. That could be a problem if you're looking to enforce a no-wireless policy.

Another surprise is that, unlike AirMagnet Enterprise, AirDefense Enterprise doesn't cache the rogue discovery while the sensor is temporarily disconnected from the network, a situation that could occur frequently with geographically dispersed deployments using unreliable WAN links. AirDefense sensors transmit an optimized version of the wireless frames it sees in the air to its server-based correlation engine. Company officials said an upcoming sensor core, not available in the version we tested, will be able to negotiate a set of capabilities between the sensor and server, depending on the hardware platform the sensor runs on and the state of the connection. One of those capabilities will include sensor-side processing and correlation. This demonstrates some of the pros and cons of local versus centralized event analysis: Although AirDefense Enterprise does a good job with correlation and suffers with event caching, AirMagnet lacks advanced cross-sensor correlation capabilities but has some local storage for event forwarding.

AirDefense Enterprise boasts relatively strong integration with Cisco's WLSE. All registered APs in WLSE will show up as authorized devices, and rogue wireless devices found using AirDefense Enterprise can have their wired ports disabled using WLSE. Other vendors claim to have access to the same APIs and interfaces, but AirDefense can claim the tightest integration.

AirDefense Enterprise's wireless termination, or containment, was one of the most efficient and effective that we saw, but its lack of ad hoc termination was disappointing. The company says it will address this in a future release.AirDefense also offers a Personal version of its product that it says protects laptops from misconfigurations and common wireless threats by receiving policies created on the Enterprise platform and feeding back logs and other information. Combining AirDefense's forensic historical analysis with this Personal laptop edition can give an organization extraordinary insight into the state of its wireless network.

Bottom line, AirDefense Enterprise 6.2 is a capable system, but excellence comes at a cost. Still, its unique features, such as detailed forensic analysis, tight integration with Cisco and conservative approach to wireless termination, will be worth the premium to some.

AirDefense Enterprise 6.2. AirDefense, (877) 220-8301, (770) 663-8115. www.airdefense.net

Don't read anything into the fact that Network Chemistry is the only vendor not to use the word "Enterprise" in its product name. We consider RFprotect worthy of consideration by small and large organizations alike thanks to its competitive price and strong functionality. According to company representatives, this system has been deployed in 2,500 retail stores using 5,000 sensors overlaying a 6,000 Cisco AP network!

RFprotect does not come in an appliance model. We installed the RFprotect server, which runs on Win32 or Linux and uses an open-source database, on a Windows XP tower, while we ran the Win32 client on a separate laptop.We can't say enough about Network Chemistry's sensor design--the sensors are plenum-rateable, solidly built, compatible with external antennas and affordable. We easily configured our test units for channels and scan times using the built-in sensor manager tool. By default, the data streams are in the clear, but a shared key let us use Network Chemistry's proprietary ETL tool, which mutually authenticates sensors and servers with one another. Although no serial port is included in this system, the open sensors are easily discovered on the same Layer 2 network or, once the IP address is known, can be added in over a Layer 3 network. Encrypted sensors report into the server without manual intervention at the client console.

Network Chemistry also sent a "Port Saver" version of its sensor, which allows flow-through PoE support. Although we didn't have the tools to measure how much power draw the sensor had, we hooked up a Cisco 1200 with dual radios, one of the more demanding consumers of PoE, and the system worked just fine. Most important, the Port Saver eliminates the need to install another cable drop and dole out an Ethernet port. This makes installation a plug-and-play deal, unless you require trunked ports or want to put the AP and sensor on different VLANs.

Initial configuration was uneventful, and the multi-paneled dashboard gave us a good overview of the state of our wireless network, though we weren't able to drill down to specific items by double-clicking on them from the dashboard. Rather, more detailed screens are accessed using prominent buttons just below the standard menu bar. New to this release is hierarchical sensor grouping that let us associate sensors (and wireless devices) within floors, buildings or other geographical designations. The device-details tab offers a rich set of information about the item of interest, putting into one tabbed screen what other vendors scatter around their interfaces or don't even list.

Network Chemistry lagged behind the leaders in containing our Cisco CB21AG card and doesn't support ad hoc containment. On the other hand, it performed the best in the quantity and quality of wireless attack detection. The product was a tad oversensitive in a few alarms, such as "Access Point Restarted," but it was easy to manipulate and acknowledge them.

Wireless admins looking to quickly deploy a distributed wireless security system will be attracted to Network Chemistry's sensor design, and RFprotect's well-rounded capabilities and bargain price make it an easy sell.

RFprotect System 4. Network Chemistry, (650) 532-6430. www.networkchemistry.com This latest entry in the wireless IDS space (formerly named Wibhu) has taken a different tack to distinguish itself from rivals: It calls its offering the "Wi-Fi firewall" and promises to shield wired networks from external wireless threats. We believe AirTight's SpectraGuard shows great promise given its core capabilities, but this relatively new product (launched late last year) needs a more solid set of features before it can go head-to-head with the market leaders.

AirTight has stayed with the three-layer model that works for other vendors: Generic APs-turned-sensors function at the edge, feeding into a Linux server running on a modest appliance, all managed with a Java-enhanced Web-based interface.

Installation got off to a rough start until we resorted to reading the included manual. Our KVM functioned only until the beginning of the Linux boot process. After that, configuration of the server required CLI (command-line interface) access over the appliance's serial port. We found another of the minor stumbling blocks in this release when the system's URL launched us into the obligatory check to make sure the correct JVM had been installed. Sadly, our client PC failed that test, and a link to download the correct version brought up the dreaded "Error 404: Page Not Found" message. After manually downloading the correct version directly from Sun Microsystems' site, we were greeted with a wizard that led us through customizing the system for our environment. This process involved configuring the monitored networks (a sensor is required on each Layer 2 network; there is a specific sensor model that can watch dozens of trunked networks), the methods of autoclassification we wanted to perform and the situations to which threat mitigation would react.

Enabling autoclassification is essential because rogue containment is the cornerstone of this product. To save wireless network administrators from having to manually categorize each rogue device as an internal threat, external or neighbor, AirTight has come up with algorithms that classify and automatically react. Our tests bore out the fact that SpectraGuard identifies rogues quickly, but autoclassification isn't an exact science. The basic bridge APs we used in our test bed were initially classified as external even though they were attached to our lab network, but as soon as we associated with them and sent a few pings, they were reclassified as internal rogues automatically. Two other wireless APs on our network took much longer to be classified as internal rogues. The release we evaluated also couldn't classify wireless routers with Layer 2 security such as WEP (Wired Equivalent Privacy), though AirTight says it will address this deficiency in a future patch or release.

In spite of those shortcomings, SpectraGuard performed well in our rogue AP and client mitigation tests and proved more successful than AirMagnet Enterprise--albeit not 100 percent effective--in terminating ad hoc connections. Another unique facet of SpectraGuard is its DoS protection; our initial tests showed mixed success with this feature, which seems to use virtual carrier sense to trick an attacker into thinking the air isn't free.Unlike the suites from AirMagnet, AirDefense and Network Chemistry, SpectraGuard provides no troubleshooting tools, such as packet capture or RF channel usage. Performance metrics are very limited as well, and aspects of the user interface, such as column sorting and page refreshing, leave something to be desired.

One item that caused us concern was that though the SpectraGuard sensors support the full range of channels in the 2.4-GHz and 5-GHz frequencies, they are configured to scan only regulated frequencies. This means that a rogue client configured on Channel 14 in the 2.4-GHz spectrum, for example, will not be identified, and because of FCC regulations may not be contained. AirTight told us that future revisions will support scanning on unregulated frequencies so that at least wireless threats can be identified, even if they can't be mitigated wirelessly. Because AirTight doesn't perform wire-side port tracing, the only mitigation option is for wireless administrators to physically seek out the device. Fortunately, SpectraGuard's location accuracy was excellent. It required no training besides a one-click calibration.

Closely related to AirTight's location technology is its SpectraGuard Planner, which functions as a wireless planning tool for sensors--sort of a reverse site survey. Within SpectraGuard, we could show a prediction of not just AP but also sensor coverage, ranging from the ability to hear traffic to containing it. If a building diagram has been edited with Planner, details about wall densities and other RF affecting factors can be included to refine displayed coverage patterns. Organizations seeking to minimize security black holes will want to evaluate this ability and obtain some assurance that they can effectively contain wireless devices.

SpectraGuard demonstrates that latecomers to the market can create unique and innovative methods for providing wireless security, but the product must smooth a few rough edges and fill out its feature set before we can give it our seal of approval.

SpectraGuard 3.0. AirTight Networks, (877) 424-7844, (650) 961-1111. www.airtightnetworks.net

Highwall has strong ties with software giant Computer Associates, and initial versions of its product offered many months ago did not have a GUI but sent SNMP traps to a central console. Now, tapping into the wireless security monitoring market, the company has come out with its own Web-based system using Microsoft's IIS server and SQL server on the back end. We were intrigued by Highwall's offering--a highly sensitive sensor with an optional antenna that offers coverage at a possible 20-to-1 ratio over competitors.

Highwall shipped us a CD and three Sentinel 1000 sensors along with separate 2.4-GHz and 5-GHz Scout antennas. We installed the software with Microsoft IIS and SQL. The familiar triad of sensor, server and Web GUI applies.The products from Highwall and Network Chemistry are the only ones in this review to offer a serial-less sensor configuration; we accessed the sensor over its default IP address and made the necessary changes to its network configuration. Whether this serial-less approach is a good idea is a matter of personal preference. Some call serial ports a security nightmare, but we find that they help troubleshooting.

The system doesn't have a lot of options, so configuration was minimal. After creating a few locations for our local and two remote sites, we added the sensors manually, because we had poor success with the provided automatic discovery.

To offset the high cost of sensor deployment, Highwall has developed a sensor with an amplifier for a 24-dBi gain and sells an optional phased-array Scout antenna for an even greater 10-dBi improvement. Each antenna serves just one frequency set, so covering both the 2.4-GHz and 5-GHz ranges requires two Scouts. Testing showed that this signal amplification lets one sensor serve a multistory building. However, that benefit is counterbalanced by reduced location capabilities. Because only one or two sensors are needed in all but the largest buildings, there is no location correlation between sensors, so the results are offered back in one of six 60-degree sectors combined with the vertical axis. In addition, fewer sensors mean that each sensor is responsible for listening over a larger volume of space.

Highwall supports relatively few alarms, and it failed to detect most of the wireless attacks we generated. It sometimes took minutes for new rogues to be listed, and active rogues displayed an old "last seen" time. The product doesn't provide wireless rogue mitigation, though Highwall says future releases will support this and still comply with FCC regulations by using a second wireless card. The company also asserts that rogue mitigation can be effectively performed with roughly 30 percent less coverage than normal, but we're skeptical.

For companies with dozens or hundreds of large sites that are using an enterprise management system such as CA's Unicenter, the Highwall system is an attractive product with low deployment costs (but still a relatively high price tag) that will perform the basics of rogue identification and identify basic attacks. But those looking for a standalone system with all the bells and whistles should pass this one by.

Highwall Enterprise 3.0, Highwall Sentinel 1000, Highwall Scout 2000/3000. Highwall Technologies, (866) 352-2126, (941) 362-3502. www.highwalltech.comFrank Bulk is a contributing writer to Network Computing covering wireless and mobile technologies. He works for a Midwest telecommunications company. Write to him at [email protected].

Most wired networks use managed switches to supply network access, and the concept of disabling ports using the vendor's management console or SNMP is relatively well-understood. Wireless networks don't have the same physical controls, but you still must prevent devices from attaching to your network.

Unauthorized access to your wireless network typically comes from a rogue client associating to your corporate wireless network, an authorized wireless client associating to a rogue or neighboring AP, or an illegal wireless client trying to associate to a rogue AP that's attached to your network. You can't respond to these threats using port disabling in any but the third scenario. To fill this security gap some vendors use wireless containment: AirDefense calls this function air terminate/disconnect; AirMagnet performs wireless blocking; AirTight quarantines; and Network Chemistry erects an RFShield.

Fifteen months ago wireless IDS vendors couldn't agree on whether and how containment should be permitted. Two issues stood in the way: Accidental containment of a neighboring device, such as a tenant in the floor below or a Starbucks across the street, could prevent legitimate access. And containment might infringe on the FCC Part 15 rules that state wireless devices must accept interference from other devices.

To deal with the first problem--and avoid potential lawsuits--some vendors made customers sign lengthy disclosure forms or waivers before they would enable the feature. As for the second, if a rogue device is on an organization's premises, the company usually can physically remove it. If the attacker is located off-site--in a van parked on the street or using a high-gain antenna located elsewhere, for example--responding to that interference could be construed as jamming, or intentional interference. The bright side is that it's unlikely a wireless attacker will invoke FCC rules if he or she is caught attempting to infiltrate a corporation's network.The key is that, before performing containment, the system must determine the rogue client is an attacker and whether the rogue AP is on or off the network. Rogue APs not connected to your network may affect performance or be a security concern, but aren't as dangerous as a network intruder.

As mentioned, four of the five vendors participating in this review provide wireless containment with varying levels of granularity and automation. When SANS Institute wireless security researcher Joshua Wright analyzed each vendor's containment method, he discovered that all but AirDefense implement bidirectional deauthentication. This means that the sensor spoofs the AP and deauthenticates the client, and spoofs the client and tells the AP it's deauthenticating. Without this bidirectional behavior a wireless card using a custom driver can effectively ignore the spoofed deauthentication packets and continue accessing the corporate network. An implementation of such an attack proved successful against AirDefense's containment routine (see a roundup of all the attacks we threw at the devices).

A wireless attack provides information about the wireless IDS system in place. Each vendor's implementation of containment differs enough that a unique signature can be easily assigned. We found four major markers: First, most wireless IDSs use a sequence number in their wireless frames that is 0 or consistently incrementing. They don't use a sequence number that continues where the AP left off. Second, each deauthentication includes one of 10 reason codes, and there are enough variations in choice among vendors to identify distinctions. Third, vendors use fragmentation options and numbering differently. Finally, only AirDefense adds intelligence to the timing of the deauthentications. Based on the timing of the packets alone, it would be possible to identify which wireless IDS is in place. These markers give each vendor a unique fingerprint and help the attacker determine the wireless IDS' weaknesses and exploit them to avoid detection or create a diversion.

Does this mean you should stop using wireless containment? No. Even in the wired IDS realm there's concern about zero-day attacks or preliminary attacks that disable the wired IDS before going for the jewels. But a layered approach that combines physical security with wired-side mechanisms will help limit the possible damage a well-orchestrated wireless attack on your system could inflict.

Joshua Wright's report can be found here in its entirety.Wireless IDSs regularly monitor data that could be very valuable to attackers: SSIDs (Service Set IDs), device MAC addresses, channel usage and sometimes even packet captures. Encrypting data flow between the sensor and server is one way to hamper man-in-the-middle attacks. But not all cryptographic implementations are secure, so government agencies and contractors that deal with information categorized as sensitive but unclassified must certify their IT products with FIPS 140-2 (per OMB circular A-130). Focusing mostly on the devices' cryptographic modules, there are four levels of security ranging from no physical security mechanisms to requirements for the device to be tamper-resistant and to include physical protection around the cryptographic module. Just because a product claims FIPS 140-2 certification doesn't mean the whole system has been evaluated. Areas within the management platform, such as identification (who are they?), authentication (is the user who he says he is?) and access control (what functions can the user perform?), may not have been examined.

AirMagnet is the only wireless IDS vendor that has submitted its sensor and the sensor's version 5.2 software load for FIPS 140-2 certification. It's in the second of five stages required for final and full certification (of 143 devices submitted, only eight had completed all five stages at press time). AirMagnet says submitting its sensor for review was required for a recent deal with the military. The details of FIPS 140-2 and surrounding regulations seem to exempt most wireless IDS vendors from required certification, but verticals such as the military and financial services will appreciate a system that has gone through a formal examination process.

We tested wireless security monitors in several locations. The majority of the testing was performed in our Iowa partner lab, which is within a Midwest-based telecommunications company, with location testing performed in a brick-exterior/metal-stud interior multifloor office building containing a variety of conference rooms, hallways, cubicles and walled offices. Our two remote sites were at Syracuse University and the Rhode Island lab of SANS Institute wireless security researcher Joshua Wright.

The Iowa hub site was connected with a standard DSL connection, while the university enjoyed its high-speed OC-3 connection using public IP addresses, and the Rhode Island site used a standard cable modem connection. Each remote site sensor connected back to its respective server in the main lab. We configured the sensors to scan with their default scan times using all available channels (see "Wireless Security Suite Features,", for a breakdown of scanable channels).

We used two Cisco Systems 2950 switches to represent a typical enterprise network, but put all the rogue APs (access points) and wireless IDS servers on the same Layer 2 network. Each switch was configured with SNMP enabled so that the various systems could scan the devices' CAM (content-addressable memory) tables and control ports as necessary. For rogue AP testing, we used six wireless APs from Belkin, Buffalo Technology, Cisco, Linksys and Netgear, four acting as wireless routers and two as wireless bridges. We included two dual-radio APs to make sure 802.11a was well represented. We evaluated rogue discovery with both open settings and with WEP (Wired Equivalent Privacy) turned on. Also, we also simulated bridged mode with the wireless routers by connecting the rogue APs' LAN ports to the network, instead of the WAN, to identify whether it was the device or the fact that it was a routed connection that was stumping the identification process.For ad hoc identification testing, we used two Dell laptops, one with an 802.11a/b/g Broadcom chipset and Cisco's Atheros 802.11a/b/g CB21AG, the other with an internal 802.11b/g WLAN card. For rogue AP and client containment testing, we used the laptop with the 802.11a/b/g Broadcom and Atheros 802.11a/b/g CB21AG chipset, both against a Linksys WRT55AG (v.1) in both 802.11b/g and 802.11a modes. In both cases, we sent pings from the client to see how much affect containment had on traffic.

For ad hoc containment testing, we used three laptops: two Dells, one with an internal 802.11b/g WLAN card and the second using Cisco's CB21AG card, plus a Sony Vaio with an 802.11b/g Intel chipset. We disabled Windows' zero configuration in most cases and used the drivers' more reliable configuration utility, assigning a static ESSID (Extended Service Set ID) and using only 802.11g. We sent pings both ways.

For all the containment attacks, we captured traffic for 60 seconds (repeated at least once) using Packetyzer, a Network Chemistry front-end for Ethereal. We selected the packets related to the containment and calculated the number of bytes used over that time period to come up with the number of bits per second.

To calculate the amount of wired sensor traffic both a silent and then a "quiet" wireless network generated, we captured all wired traffic between the sensor and the server over a 15-minute period. For the silent network run, we made sure there were no 802.11 devices active in the area and removed the antennas, if possible. We repeated the same process with a quiet wireless network by using three clients, each associated to a different AP on channels 1, 6 and 11. We generated background data traffic using a custom script that contained a mixture of Web browsing and e-mail traffic.

We verified performance monitoring by comparing actual traffic flows to what the vendors' systems recorded. We disconnected the sensors and cleared out the AP and client from the console, then established a traffic flow between a laptop and an AP on a specific channel. As soon as we reconnected the sensors, we started capturing traffic on that channel and continued for 15 minutes using AiroPeek NX, then arrested the traffic flow. We compared the traffic stats generated by the system to what AiroPeek recorded.Wireless attacks were obtained from a variety of sources. We invited all the vendors to send attacks, but only AirMagnet dug in to and supplied its FlameThrower toolkit. We also used the Knoppix STD (security tools distribution), and Wright provided some attacks from his personal collection--some self-written, others gathered from the wider security community. More details about the attacks and their sources can be found here.

Location accuracy testing was performed in the aforementioned office building. We placed one sensor at each corner of the building, but when we learned the rogues weren't so easily found, we placed another sensor in the middle of the building, as well as Highwall's Sentinel. A rogue 802.11a AP, 802.11g AP, and a wireless Zyxel phone were placed in various parts of the building and the results recorded on a map.

All Network Computing product reviews are conducted by current or former IT professionals in our own Real-World Labs®, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

R E V I E WWireless Security

Sorry,
your browser
is not Java
enabled

Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.Click here for more information about our Interactive Report Card ®.