Wireless Propagator: Sensor/Access Point Integration
August 10, 2005
AirMagnet's recent self-serving press release, which essentially highlighted its relatively new Spectrum Analyzer, noted that the abundance of non-Wi-Fi-generated interference at the annual DefCon Convention (for hackers of all kinds) actually caused more disruption than the more conventional wireless attacks. The sad reality is that high-tech conventions and conferences are swamped with unintentional interference in the 2.4-GHz band from hastily deployed building- and booth-specific APs (access points), Wi-Fi-enabled laptops, Bluetooth devices and the microwaves that heat the overpriced food. Tenants stacked in multistory buildings in Manhattan can attest to similar issues on a smaller scale. And no wireless IDS system can protect against the most potent of all DoS (denial of service) attacks: RF jamming equipment.
Enterprises are usually able to design their wireless networks around potentially interfering equipment, and policies are set up to accommodate certain RF usage patterns. But traditional threats, including MAC spoofing, fake and rogue APs, and DoS attacks, are both more subversive and more targeted than the blatant assaults that completely knock out service. Wireless IDS or distributed wireless security monitoring vendors such as AirDefense, AirMagnet and Network Chemistry have been offering wireless IDS solutions for several years--but all as overlay solutions.
The debate between using an overlay wireless IDS solution and stuffing that functionality into the enterprise's WLAN infrastructure is ongoing. Overlay wireless IDS systems are advanced, highly developed point solutions, but they trouble bean counters with their purchase, deployment and continued management costs. For that reason, many overlay wireless IDS systems find their way into the government and financial sectors, which explicitly calculate the risks vs. the costs. In the horizontal markets, some security teams within larger companies prefer a separate, out-of-band, non-integrated system--a layered defense that doesn't require coordination with the networking group.
On the other hand, enterprise WLAN systems with IDS features--such as those from Aruba and, formerly, Airespace (now Cisco)--are available as either part of the base system or for a small incremental licensing fee. Such integration offers the advantage of using your existing and carefully deployed APs via your familiar management interface. There's no ceiling to open up again, no additional server to squeeze into your data center. And the IDS features and reporting will work fluidly with the other features of the product. What's more, scanning the airwaves while serving clients usually has a minimal effect on your data users (though our experience with VoWLAN testing has proved a bit more troublesome).
No matter how the relevant vendors may portray the issue, reader polls from both our recent and earlier wireless IDS reviews clearly demonstrate that users want one system to solve all their wireless needs. During discussions with overlay vendors, one continually reiterated point was that the marketplace for customers who are willing to pay for and manage a separate overlay solution will remain small, just a few single-digit percentage points of all deployed WLAN infrastructure systems. According to Dell'Oro Group, this year's worldwide revenues will be $1.1 billion. A quick calculation shows that overlay solutions will likely be less than $50 million this year, a figure that falls in line with customer counts and average sales numbers shared with me by AirDefense, one of the market leaders. To break this possibly revenue-limiting cap, all three main vendors have announced partnerships or technical integration to insert their intellectual property into existing WLAN infrastructure systems.
The first to break into the game was AirDefense, with its announcement last year of a partnership with Cisco. AirDefense's solution began by extracting data from Cisco's WLSE (Wireless LAN Solution Engine), feeding it into its own enterprise product, and then circulating some of the data back to WLSE. More relevant to this discussion, though, is the fact that Cisco APs can now serve a secondary purpose as a sensor that provides monitoring information back to AirDefense's enterprise product while still servicing wireless clients. According to AirDefense marketing personnel, joint customers of Cisco and AirDefense were demanding this functionality to eliminate an overlay wireless IDS network. Since Cisco's software APIs have been made available on a non-exclusive basis, both AirTight Networks and AirMagnet have performed similar integration with Cisco's WLSE, although only AirMagnet has incorporated its software into Cisco's APs.
AirMagnet also recently reached agreements with Colubris Networks and relative newcomer Xirrus to roll its technology into these companies' access points. Both enterprise WLAN vendors had minimal wireless IDS functionality in their products at the time, so it made sense to partner with a leading player rather than reinvent the wheel.
The most recent announcement is from Network Chemistry, which revealed its "Open Agent Initiative." The company has OEMed its specialized hardware sensor to the likes of Newbury Networks and WildPackets for some time, but this initiative will provide a royalty-free sensor software agent on Cisco and Symbol platforms, expanding to others in the near future. Despite the amalgamation of its software into the access point, the backend still requires the purchase of Newbury's wireless IDS solution with the accompanying separate management interface. So cabling work has almost been eliminated, but space is still needed in the data center.
In many ways, integration of wireless IDS sensors into enterprise APs was inevitable. It serves the customer by eliminating a duplicate overlay network and provides an opportunity for the wireless IDS vendors to expand their market share. Separate overlay solutions may still be appropriate in certain circumstances, but it's clear, moving forward, that the vast majority of WLAN deployments will be able to take advantage of the highly developed features available from wireless IDS vendors without removing a ceiling tile or pulling one more cable.