Distributed Wireless Security Monitoring Systems

Distributed wireless security monitoring systems help categorize and prioritize threats. We examine two offerings from AirDefense and AirTight Networks.

February 8, 2006


It's been more than six months since our last comparative review of wireless IDS products (see "Time To Tighten the Wireless Net"). In the past few weeks, two of the vendors that participated in that review--one an established player and one a relative newcomer to the market--have introduced significant upgrades to their products. AirDefense has pushed forward with its forensic analysis, which adds a great deal of insight into the history of your wireless space, while AirTight Networks has filled out its feature set and enhanced its autoclassification capability. With security concerns escalating, there's no time like the present to take another look at how the wireless IDS market is evolving.

AirDefense Enterprise 7.0

The AirDefense Enterprise wireless IDS system provides overlay security for existing Wi-Fi networks and enforces "no-Wi-Fi-allowed" policies in those organizations that have them. Version 7.0 introduces some new features such as built-in location tracking, while enhancing existing capabilities like forensic analysis. AirDefense also has revamped some underpinnings of the software's database to improve performance.

The AirDefense Enterprise system arrived as a rackmountable server with several sensors, which are powerful APs (access points) running custom software; the company provided a serial cable for their initial configuration. Initial server configuration is done through a menu-driven text interface, but ongoing management and policy modification is performed using a Java-based interface that runs within a Web browser or as a standalone application. After configuring the sensors to communicate with the AirDefense server, I was able to view them within the GUI. Even on my 1-GHz Windows XP machine with 384 MB of RAM, the Java interface ran snappily.

AirDefense has redesigned its dashboard by grouping its core functionality into five analysis wizards (rogue, performance, compliance, forensic and intrusion), making it easy for users to obtain information. The rogue analysis wizard does a good job prioritizing rogue clients and APs based on the threat they pose. APs found on the wired network are clearly tagged with a higher threat level than standalone APs. On the wired side, a switch port lookup function finds rogue APs, but it requires entering all your switches' IPs and SNMP community strings, either one at a time or in bulk using a readily available import routine. However, when I used a Cisco AP and a wireless router as test rogues, the system had limited success, because an AP's wired MAC address can differ substantially from the rogue BSSIDs (Basic Service Set Identifiers) its radio uses, so a lookup keyed on the BSSID finds nothing in the switches' forwarding tables. Even associating a client to the rogue AP and sending some traffic through it did not assist with switch port lookups.

On the plus side, it's easy to select and right-click a rogue to contain it, terminate it or just find out more information about it. Termination can be performed wirelessly or by disabling the port--if AirDefense can identify which switch port the rogue is plugged into. The system also can integrate with Cisco's WLSE (Wireless LAN Solution Engine) to assist with wireside tracing and disabling.
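The switch port lookup described above has to bridge the gap between a BSSID seen over the air and a MAC learned on a switch port. The following is an added example, not AirDefense's lookup code or any vendor's, showing three correlation heuristics and the failure modes the review ran into: an exact BSSID match, a same-OUI "adjacent MAC" match (many consumer APs derive their BSSIDs from a base address next to the Ethernet MAC, while Cisco and other enterprise APs use a wired MAC that bears no such relationship), and a match on the MAC of a client associated to the rogue, which only works when the rogue bridges rather than NATs its clients. The forwarding-table rows, switch names, ports and MAC addresses are all constructed inline to stand in for an SNMP walk of BRIDGE-MIB's dot1dTpFdbTable; the uplink threshold and adjacency window are assumptions.

```python
"""Added example (not AirDefense code): correlate a rogue BSSID with a switch
port using bridge forwarding-table rows.  Rows are constructed inline to stand
in for an SNMP walk of dot1dTpFdbTable, so the script runs offline."""

# Constructed rows: (switch, port, MAC learned on that port).  All MACs are made up.
FDB = [
    ("sw1", "Gi0/1", "00:1a:2b:3c:4d:01"),   # Gi0/1 carries many MACs: an uplink toward other switches
    ("sw1", "Gi0/1", "00:1a:2b:3c:4d:02"),
    ("sw1", "Gi0/1", "00:1a:2b:3c:4d:03"),
    ("sw1", "Gi0/1", "00:1a:2b:3c:4d:04"),
    ("sw1", "Gi0/7", "00:14:bf:12:34:55"),   # consumer router whose wired MAC is one below its BSSID
    ("sw2", "Gi0/3", "00:0e:35:aa:bb:cc"),   # a wireless client's MAC, bridged onto the wire by a rogue AP
    ("sw2", "Gi0/3", "00:0b:85:77:88:99"),   # that rogue AP's own wired MAC (different OUI from its BSSID)
]
UPLINK_THRESHOLD = 4      # assumption: a port with this many MACs is a trunk/uplink, not an edge port
ADJACENCY_WINDOW = 8      # assumption: how far apart a BSSID and wired MAC may sit and still be "adjacent"


def mac_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac):
    return mac.lower()[:8]


def access_ports(fdb, threshold=UPLINK_THRESHOLD):
    """Drop ports that carry many MACs: on an uplink every MAC on the network
    appears, so a hit there says nothing about where the rogue is plugged in."""
    seen = {}
    for sw, port, mac in fdb:
        seen.setdefault((sw, port), set()).add(mac.lower())
    return [(sw, port, mac.lower()) for sw, port, mac in fdb if len(seen[(sw, port)]) < threshold]


def locate_rogue(bssid, associated_clients, fdb, window=ADJACENCY_WINDOW):
    """Return (switch, port, method, confidence) candidates, best first."""
    bssid, b = bssid.lower(), mac_int(bssid)
    clients = {c.lower() for c in associated_clients}
    hits = []
    for sw, port, mac in access_ports(fdb):
        delta = abs(mac_int(mac) - b)
        if mac == bssid:
            hits.append((sw, port, "exact-mac", 1.0))
        elif oui(mac) == oui(bssid) and delta <= window:
            # APs that number BSSIDs from a base MAC near the Ethernet MAC match here;
            # vendors that use a different OUI on the wired side never will
            hits.append((sw, port, f"adjacent-mac(delta={delta})", 0.7))
        elif mac in clients:
            # a bridging AP forwards its clients' own MACs onto the wire; a NAT router
            # does not, so a miss here does not clear the port
            hits.append((sw, port, f"client-mac({mac})", 0.5))
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    print(locate_rogue("00:14:bf:12:34:56", [], FDB))                       # adjacent-mac on sw1 Gi0/7
    print(locate_rogue("00:0b:85:aa:bb:cc", ["00:0e:35:aa:bb:cc"], FDB))    # only the client MAC gives it away
    print(locate_rogue("00:0b:85:aa:bb:cc", [], FDB))                       # no clients, different OUI: nothing
```

The third call is the review's Cisco case: without an associated client whose MAC shows up on an edge port, a BSSID-keyed lookup has nothing to match, which is why the product reported limited success.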

The performance analysis wizard lists problems such as excessive roaming or traffic that crosses defined thresholds and assigns them threat levels. The compliance analysis wizard lists all those APs that are out of compliance with predefined or configured policies, such as the use of WPA (Wi-Fi Protected Access) and SSID broadcasting. Including rogue APs here is redundant, since they're already dealt with in the rogue analysis wizard.

Another complaint: The compliance wizard claimed my clients were not using TKIP (Temporal Key Integrity Protocol), although I was in fact using WPA-PSK (preshared key) with TKIP.

The forensic analysis wizard supplies an immense amount of current and historical detail on a device. AirDefense says it tracks up to 300,000 devices, each with 249 data points, using a new database that dramatically increases data-retrieval speeds. For example, after a visitor outside my office turned on her laptop to do some work, the console informed me that a new device had been discovered in my airspace. Based on the time the device had been turned on and the names of each probed SSID, the forensic analysis wizard helped me figure out that the device was, in fact, my visitor's laptop. Microsoft's Wireless Zero Config, which sends probe requests for every network in a laptop's preferred-network list, was to blame for the probing, not any malicious intent by my visitor. This wizard also offers location tracking and threat mitigation.

The forensic analysis wizard, however, listed both my clients' WEP (Wired Equivalent Privacy) status as "unknown." But running a report against the same two devices showed WEP as "on," as did a report against the AP. AirDefense says this was a bug. Additionally, the wizard and reports listed my laptop's DNS name as "Laptop," erroneously using the alias I had assigned to the device rather than actually performing a reverse lookup of the IP address or leaving it blank. AirDefense promises to address this in a future release.

Good

• Well-categorized wizards
• Strong forensic analysis with detailed reporting

Bad

• Flawed behavioral trending
• Data consistency issues

AirDefense Enterprise 7.0, $8,975, server (secure platform) and four sensors, two copies of Mobile WLAN Analyzer, 25 Personal Agent connection licenses. AirDefense, (770) 663-8115. www.airdefense.net

The last wizard, intrusion analysis, lists suspected DoS (denial-of-service) attacks, wireless phishing traps, Soft APs and other events that warrant further investigation.

Another significant feature in this release is the addition of statistical baselining: If an AP or client acts out of character, the system flags a behavioral alarm. My test system stumbled here, failing to learn the behavior of production traffic and sending me false behavioral alarms about that same production traffic. AirDefense was not able to identify why this occurred.

A reporting section offers a host of predefined reports, and reports related to regulations such as Sarbanes-Oxley, GLBA (Gramm-Leach-Bliley Act), DoD 8100.2 and Visa CISP/PCI can be scheduled for regular compliance review.

Despite its quirks, AirDefense Enterprise 7.0 easily identified and contained all the devices I threw at it. The audit log records every action the user performs in the GUI, which is helpful for regulatory compliance and an imperative in larger organizations where multiple people may manage the system. Best of all, the forensic analysis added a wealth of detail about my wireless network and the devices attached to it that no other product provides.

AirTight SpectraGuard Enterprise 4.1

AirTight is an up-and-comer in the wireless IDS market, with a raft of new features, including API support and sensors with connectorized antennas, that rival offerings from more-established competitors.

AirTight shipped me a small rackmountable appliance with several sensors that scan for intrusions at the radio-frequency layer. The server requires a serial interface for initial network configuration. The sensors found the server through a built-in host name that I pre-populated on my DNS server, but they also sport a serial interface for text-based configuration. After pointing my workstation's Web browser to the appropriate URL, a Java-based GUI loaded and I entered the default credentials.

An extensive start-up wizard requires the user to change the administrative password and then steps through a detailed configuration of the discovered wired networks, default security policies and so on. There's a multitude of options in the Administration section, especially on operating policies, so read carefully before configuring. Threat mitigation is turned off by default, but after you're sure everything is set correctly, you can easily turn it on to actively protect your wireless network.

In the same style as other wireless IDS vendors, a dashboard provides a broad overview of your wireless network's security status, including which devices are in quarantine and how devices have been categorized. Autoclassification continues to be a highlight of AirTight's products, and the development team has improved the classification of various edge cases. Newly identified clients and APs are either categorized or uncategorized. The former are subdivided as authorized, rogue or external, and the latter become categorized as they connect with other devices or are manually sorted. I found that this process worked well. The high-end Cisco 1200 I used as one of my rogue APs behaved as you'd expect of an AP that does not transmit broadcast traffic: it remained uncategorized until I associated a client with it. Fortunately, SpectraGuard reacts almost immediately to changes in network connections.

Good

• Quick autoclassification
• Low number of false alarms
• Effective containment

Bad

• Weak performance monitoring
• No built-in wireside rogue detection

AirTight SpectraGuard Enterprise 4.1, free upgrade; $7,500 for a starter kit that includes the server and two sensors. AirTight Networks, (650) 961-1111. www.airtightnetworks.net

AirTight thinks through alarm generation carefully, eliminating alarms about "misconfigured devices" that have already been labeled as rogues, for example. This minimalist approach may concern some, but you won't waste your time clearing out recurring or duplicate alarms. Still, some improvement could be made in the alarm details. When I received an alarm about an AP that was misconfigured because it was broadcasting its SSID, there wasn't enough information to explain what specifically was wrong. False alarms aren't entirely out of the picture: One event mentioned the Fata-Jack attack, even though I had never run it.

Location tracking, which worked well the last time we tested this product, remains much the same, but the reporting section has been enhanced to include regulatory reports such as Sarbanes-Oxley, GLBA and HIPAA (Health Insurance Portability and Accountability Act).

Because AirTight sensors are VLAN-aware, they can connect to trunk ports on your switches, making it easy to restrict wireless devices to a specific network. Even properly configured and authorized APs are contained or disabled if accidentally moved to the wrong VLAN. And although I didn't test it, AirTight claims the ability to restrict access to multiple devices simultaneously--an important feature if you have only a few sensors deployed or an attacker sets up multiple rogue APs as decoys.

Performance monitoring was not strong in the first few releases, but metrics such as the number of clients associated with an AP, bandwidth usage and average noise level have been added. Another me-too enhancement is integration with Cisco's WLSE, which allows wireside blocking, a feature that competitor AirMagnet has had for some time. Overall, AirTight SpectraGuard Enterprise is a strong point release that deserves careful review by those considering wireless IDS systems.

Frank Bulk is a contributing editor to Network Computing. He works for a telecommunications company based in the Midwest. Write to him at [email protected].
