Wireless detectives secure the airwaves

Sometimes, the best defense is a good offense. Although new specifications promise to boost security for wireless local-area networks, agency officials would be wise to deploy emerging monitoring solutions that alert administrators about cyberthreats and, in some cases, take action to block them.

With its support for the Advanced Encryption Standard, endorsed by federal officials, the 802.11i specification will undoubtedly help strengthen WLAN security in the area of privacy. And other functions enhance authentication.

But the specification is not a panacea. Already, there have been reports about security vulnerabilities in 802.11i. So, as with securing any developing technology, information technology officials must manage compliance through ongoing efforts.

One of the most proactive ways you can help ensure WLAN security is to incorporate a monitoring solution. Such tools come in a variety of shapes and sizes.

Some products are software-based, while others combine hardware sensors and software. Some are passive and only report the facts, allowing you to take action. Others take a more active stance by not only detecting security-related issues in real time but also helping you contain them.

Many of the available tools also can verify whether wireless devices are configured properly. And several can tell if WLAN devices meet agency security policies or compliance requirements, such as Defense Department Directive 8100.2.

With the idea of proactively monitoring and securing WLANs, we recently examined four solutions: AirMagnet's AirMagnet Enterprise 5.0, AirWave Wireless' AirWave Management Platform 3.0, Bluesocket's BlueSecure Intrusion Protection System 2.1.1 and Network Chemistry's RFprotect 3.1.4. All of these solutions are worth exploring if you are seeking a WLAN monitoring tool.

AirMagnet: Pricey, but packed with features

The AirMagnet solution is a tad pricier than the rest of the group, but it is also packed with all the features an agency's IT organization will want.

Deploying AirMagnet requires installing four components — the server, console, hardware-based sensors and optional reporting software. The console and reporting software were downloadable once we installed the server software. Although none of the installation or configuration steps were problematic, AirMagnet's installation time was longer than some of the other solutions we tested.

We were impressed with AirMagnet's ability to accurately detect in real time a variety of security problems. We introduced some unauthorized wireless access points and clients on the WLAN, and AirMagnet identified them quickly. Likewise, we executed a denial-of-service attack, and again, AirMagnet detected what we were doing. Overall, AirMagnet can detect more than 120 different types of WLAN threats.

After identifying the security threats in our test environment, AirMagnet offered containment tools capable of blocking potentially dangerous wireless devices. Manual and automated blocking techniques are available. We found that both worked flawlessly. AirMagnet also blocks attacks targeted at the wired network to protect LANs from WLAN-based vulnerabilities.

Perhaps most impressive, AirMagnet not only detected and disabled a wide variety of security threats but also documented details about each threat. This capability provides a useful audit trail. One unique part of AirMagnet's documentation process includes the features found in its rogue triangulation tool. This tool enables administrators to pinpoint the approximate location of a rogue device based on a floor plan.

In addition to threats posed by intruders and other malicious activity, wrongly configured wireless devices represent another major threat. For example, we did not enable encryption on several access points. AirMagnet immediately generated an alert for those access points. This support bodes well for agencies with a large number of WLAN devices.

AirMagnet also includes predefined security policies for some industries, including government agencies. Beyond the default policies, though, administrators can customize the solution to their environments. For example, we added a policy entry to generate an alert whenever an unauthorized access point was found.

Like several of its competitors, AirMagnet also includes tools that enable WLAN administrators to closely monitor and manage the performance of the wireless network. Using these included tools, we could see radio frequency problems on a particular channel, which channels were overloaded and more.

Although AirMagnet is more expensive than other solutions and takes a little longer to set up, the revised maxim "good things come to those who are patient" definitely applies.

AirWave: A nose for misconfigured systems

The AirWave Management Platform does a stellar job of capturing the threats that exist within your WLAN. This software-based solution requires a dedicated server. During the initial setup, the solution installs Red Hat Linux on the server, followed by the AirWave software. After assigning a static IP address and host name, we were able to access the AirWave console using a Web browser.

Like its rival AirMagnet, the AirWave solution did take a bit of time to set up, but it was time well spent. AirWave is particularly effective at ferreting out poorly configured wireless equipment that does not meet security policy requirements.

We intentionally neglected to configure the security settings for several access points and merely added the devices to the WLAN. AirWave detected the devices immediately and noted their bad configurations. We then could view each access point to see which settings were in error.

Likewise, AirWave did a good job of detecting rogue wireless devices on the WLAN. We added several unauthorized access points, and AirWave detected them all. Once discovered, we could view details about rogue devices, including IP addresses.

Agencies that have many wireless access points will appreciate AirWave's group and user tools for organizing the WLAN. You might use a group to represent a department within the agency or a floor or a particular building in a campus environment. Using the group function, we were able to define a multidepartment test environment to track several access points.

After setting the details of our groups, we could monitor access points, users and throughput on that portion of the WLAN in real time. We could also view the throughput for individual users, their signal quality and their uptime on the WLAN.

AirWave is also particularly effective at globally monitoring and reporting on network utilization. Available reporting provides an at-a-glance, timeline view of the number of users and throughput for a given period. This type of reporting will help administrators with capacity planning.

Unlike some of its rivals, AirWave does not offer a real-time shield against WLAN threats. However, AirWave can integrate with other solutions in agencies that require real-time wireless protection.

The detailed level of detection information provided by AirWave will help agency administrators enforce security policies by eliminating unauthorized devices and correcting settings on devices that might pose a risk. Additionally, AirWave's real-time reporting on WLAN performance provides useful information for capacity planning.

BlueSecure: A policy enforcer

We installed Bluesocket's BlueSecure wireless monitoring and protection solution in a matter of minutes. We powered up the provided sensor and attached it to the network. After installing the BlueSecure software, we configured the sensor and then configured authorized access points and devices.

The documentation that comes with BlueSecure is minimal. However, the setup is straightforward, and the online help is useful. For example, those new to WLANs will find glossary information about important terms and detailed data on each alert generated by BlueSecure.

Once installed and configured, BlueSecure immediately began providing alerts and categorizing them as critical, minor or informational. As did its rivals, BlueSecure quickly located our rogue access points and client machines. And it accurately detected our denial-of-service attack.

BlueSecure also helps agency administrators enforce the WLAN security policy. Beyond standard security policy settings, they can create custom rules that are specific to an agency. For example, you might add a rule to periodically check for access points that are off-line.

Alerts are shown in the BlueSecure console by default. However, you can also configure alerts to generate sounds, send e-mail notifications, launch an application or generate a Simple Network Management Protocol trap or Syslog entry. We modified several alert definitions so that they generated e-mails and wrote Syslog entries.

Similar to Network Chemistry's RFprotect, BlueSecure includes tools that enable administrators to view details about not only a particular device but also traffic traveling across the WLAN. We used the Packetyzer software to view traffic in several portions of the WLAN.

BlueSecure does not include reporting capabilities that compare with those of the AirWave product. However, it does offer basic automatic report generation that includes summary information and a list of WLAN stations, alerts and information on wireless and network packets.

The BlueSecure console interface is customizable, and various windows can be docked and undocked within the interface. However, that flexibility can make it tricky to navigate the various portions of the interface. A tabbed navigational bar, similar to the one used by RFprotect, would make the BlueSecure interface much easier to navigate.

Nevertheless, BlueSecure is an easy-to-install solution that agency administrators can implement without much effort.

RFprotect: Solid features, affordable price

With the exception of one minor installation glitch, we found Network Chemistry's RFprotect to be an excellent choice for WLAN monitoring because of its combination of features and price. During setup, we initially chose a nondefault location to install the database used by RFprotect, which caused a failure. However, after reinstalling the solution with the default location, the database operated just fine.

Aside from the hiccup during installation, RFprotect was impressive. Like its rival BlueSecure, the RFprotect solution uses a combination of hardware sensors and software to monitor and protect the WLAN. RFprotect's console interface was easy to navigate. The tab-like navigator at the top of the console enabled us to quickly switch between a summary dashboard view and other monitoring layers, such as the network performance view.

The dashboard view is useful because it provides summary data about security and WLAN operational performance. Administrators can switch from the summary view to a detailed analysis of devices, clients and WLAN traffic.

RFprotect did a good job of detecting our rogue devices, and we were able to quickly see which devices were not in compliance with security policy. Like BlueSecure, the RFprotect solution categorized alerts as critical, minor or informational, and detailed information was provided for each type of alert.

In its newest release, RFprotect includes a feature called RFshield, which provides intrusion-

protection capabilities. This module allowed us to contain several access points successfully. RFshield helps administrators isolate threats until

they can be removed from the WLAN.

Equally impressive was a new view, available in this latest RFprotect release, called the Radio Frequency Environment view. This panel graphically displayed real-time information about our WLAN traffic. We could see which channels were currently being scanned by the RFprotect sensor, the number of good and bad packets, and the amount of noise or signal on a given channel. This data should prove useful for detecting potential threats and resolving issues, such as eliminating the sources of interference.

RFprotect matches rival AirMagnet's support for documenting WLAN activities and maintaining an audit trail of all administrative actions executed on the RFprotect server. We used the reporting modules to generate a pass/fail compliance report of our test WLAN. RFprotect supports industry-specific security policies, including DOD Directive 8100.2 and others.

The RFprotect solution is easy to set up and use. Its combination of usability, advanced features and affordable price make Network Chemistry's RFprotect well worth exploring.

Proof of concept

As with any technology decision, a proof-of-concept project to select the best wireless monitoring solution for your agency is a good idea. All four of these tools have benefits that can help you gain the upper hand on WLAN security.

Biggs is a senior engineer and freelance technical writer based in northern California.