Policing the Airwaves

3 wireless IDSs tell you who's on your network

If you operate a wireless network, you probably need to monitor the security of that network to help protect both the wireless LAN and the wired LAN that it's connected to. If your business prohibits wireless devices, you might want to monitor the airwaves to make sure that policy isn't violated. To scan and monitor wireless activity, you need a specialized security tool designed for this task. That's where wireless Intrusion Detection Systems (IDSs) come in.

Wireless IDSs are similar to IDSs designed for wired networks. Both consist of network sensors and sometimes central management consoles. Both monitor the network according to configurable security policies and can take action, including sending alerts, in situations of noncompliance. Wireless IDSs use wireless Access Point (AP) hardware for sensors. The difference between wireless APs and wireless IDS sensors is that the AP software is designed to manage client connections, and a wireless IDS sensor's software is designed to detect wireless radio traffic and interact with a central management console to report activity and take action according to defined security policies.

For example, a wireless IDS sensor shows all active APs and client stations that broadcast signals within its range regardless of whether those devices are part of your network. A sensor can determine whether APs and client stations are using encryption and if so, what kind, and it can determine what type of wireless frequencies and channels are in use. A sensor can also detect rogue devices, intrusion attempts, network probing, wireless attacks, and more.

You can use the central management console of some wireless IDS systems to instruct sensors to initiate countermeasures that will prevent APs from functioning or will prevent specific client stations from connecting to your wireless APs. To block client stations and rogue APs, a wireless IDS broadcasts data so as to initiate a Denial of Service (DoS) attack against the devices. But you should use such blocking with extreme caution because intentionally inflicting a DoS might cause someone, such as an innocent neighboring business or one of your company's own employees visiting from another office, undue harm.

In a typical wireless IDS deployment, you install the central management console in a location where your administrators can monitor it and access it quickly when they need to. You place sensors in the same general vicinity as your APs and possibly in areas where you want to detect and prevent unauthorized wireless network activity. For example, if your policies prohibit using wireless networking in some areas of your business premises, then you might deploy sensors in those areas.

Table 1 summarizes the features of three wireless IDSs: AirDefense Enterprise 4.0, AirMagnet Distributed 4.0, and Red-M's Red-Detect 3.6. Let's take a closer look at these three platforms, each of which consists of a management server and wireless network sensors that monitor the wireless radio spectrum.

AirDefense Enterprise 4.0
AirDefense Enterprise 4.0 ships as a prebuilt rack-mountable server platform along with associated network sensors. The server runs the AirDefense management software on top of a modified and hardened version of Red Hat Enterprise Linux. The sensors are built from AP hardware, but instead of acting as APs, they run a customized OS designed by AirDefense specifically to monitor wireless-radio traffic.

To get AirDefense up and running, I had to configure the basic server settings, configure the sensors to communicate with the server, then configure detailed server settings based on my test wireless network environment. The initial configuration of the server was fairly simple. I logged in by using the default username and password, started the management interface, and changed a few required settings, such as the IP address and login password.

Configuring the sensors was equally easy. I used a serial cable to connect to a sensor from my desktop system, defined its IP address, changed the password, and defined the address of the server with which I wanted the sensor to communicate. After those tasks were accomplished, the server and sensor could begin to communicate and I could use the management console to make further configuration adjustments over the IP network.

The AirDefense management software is a Java-based application that you access by using any Java-enabled Web browser. It seemed somewhat sluggish in comparison to a Windows desktop application, but the GUI design is excellent and I found it easy to use after I learned my way around the various screens. The interface includes detailed context-sensitive help that makes learning the ins and outs of the interface far easier than referencing a printed manual would be.

AirDefense let me adjust monitoring policies to suit my needs, then monitor and manage the network for policy violations. For example, I could define configuration policies that apply to APs to monitor the allowed authentication modes, data transmission rates, channel parameters (including which channel to operate on), and encryption protocol parameters. As Figure 1 shows, I could adjust the security policies used to monitor one or more APs—including their channel frequency, allowed encryption protocols, whether they should be broadcasting Service Set Identifier (SSID) beacons, and their allowed authentication modes—at one screen.

Performance policies let me control how many client-to-AP associations were allowed per minute and how much bandwidth was available for communication between APs and the local Ethernet network as well as for station-to-station communication that travels through an AP. I could use vendor policies to permit only certain client stations to connect to certain APs. For example, I could define a policy that let only Linksys-based client stations connect to Linksys APs. Channel policies allowed control over what times of day wireless connectivity could occur and whether ad hoc stations were allowed.

AirDefense uses the policy definitions to detect violations while monitoring the airwaves. When a policy violation triggers an alarm in a sensor, the sensor sends the alarm data to the central management console, which logs the alarm and makes it available for viewing in the console interface. Alarms can also be sent to syslog servers via SNMP, an email message, or another method. Alarms indicate which device violated policy and include the violation category, the specific violation, a date stamp, the priority level, and a counter that shows how many times the violation has occurred.

AirDefense can also terminate a connection with an AP or an individual wireless station, and the termination can persist for a specified time or until manually stopped. AirDefense detects intruders by comparing newly detected wireless devices to a list of known devices defined by the administrator. To terminate the activity of an intruding device, AirDefense launches a DoS attack against that device, broadcasting wireless data packets designed specifically to prevent connections from operating properly.
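The detection side of the monitoring described above, as an added example that is not AirDefense's code: constructed sensor observations are compared with an administrator-defined known-device list and a per-AP policy, and repeated violations are folded into one alarm with a counter. The field names, MAC addresses, priority labels, and policy layout are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory and policy; every name and field here is an assumption.
KNOWN_DEVICES = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:10"}
AP_POLICY = {
    "02:00:00:00:00:01": {"channel": 6, "encryption": {"WPA"}, "ssid_broadcast": False},
    "02:00:00:00:00:02": {"channel": 11, "encryption": {"WPA"}, "ssid_broadcast": False},
}
PRIORITY_ORDER = {"critical": 0, "major": 1, "minor": 2}

@dataclass
class Alarm:
    device: str
    category: str
    violation: str
    priority: str
    first_seen: str   # date stamp of the first occurrence
    count: int = 0    # how many times the violation has occurred

def check(obs, known, policy):
    """Yield (category, violation, priority); unknown devices are rogue, no policy check."""
    if obs["mac"] not in known:
        yield ("rogue", f"unauthorized {obs['kind']}", "critical")
        return
    rules = policy.get(obs["mac"])
    if obs["kind"] != "ap" or rules is None:
        return
    if obs["channel"] != rules["channel"]:
        yield ("policy", "channel not allowed", "major")
    if obs["encryption"] not in rules["encryption"]:
        yield ("policy", "encryption not allowed", "critical")
    if obs["ssid_broadcast"] and not rules["ssid_broadcast"]:
        yield ("policy", "SSID broadcast not allowed", "minor")

def evaluate(observations, known=KNOWN_DEVICES, policy=AP_POLICY):
    """Fold observations into one alarm per (device, violation) with a counter."""
    alarms = {}
    for obs in observations:
        obs = {**obs, "mac": obs["mac"].lower()}  # sensors may report either case
        for category, violation, priority in check(obs, known, policy):
            key = (obs["mac"], violation)
            alarm = alarms.setdefault(
                key, Alarm(obs["mac"], category, violation, priority, obs["time"]))
            alarm.count += 1
    return sorted(alarms.values(),
                  key=lambda a: (PRIORITY_ORDER[a.priority], a.device, a.violation))

# Constructed sensor observations (not captured traffic).
SAMPLE = [
    {"time": "2024-01-01T09:00:00Z", "kind": "ap", "mac": "02:00:00:00:00:01",
     "channel": 6, "encryption": "WPA", "ssid_broadcast": False},
    {"time": "2024-01-01T09:00:05Z", "kind": "ap", "mac": "02:00:00:00:00:02",
     "channel": 11, "encryption": "WEP", "ssid_broadcast": True},
    {"time": "2024-01-01T09:00:10Z", "kind": "ap", "mac": "02:00:00:00:00:02",
     "channel": 11, "encryption": "WEP", "ssid_broadcast": True},
    {"time": "2024-01-01T09:00:12Z", "kind": "ap", "mac": "02:00:00:00:00:AA",
     "channel": 1, "encryption": None, "ssid_broadcast": True},
    {"time": "2024-01-01T09:00:30Z", "kind": "station", "mac": "02:00:00:00:00:bb",
     "channel": 1, "encryption": None, "ssid_broadcast": False},
]

if __name__ == "__main__":
    print(*evaluate(SAMPLE), sep="\n")
```
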

AirDefense's reporting facilities are reasonably extensive. Dozens of built-in report types are defined and arranged in various categories, including Sensors, APs, Stations, Compliance, Network Trends, and Summary Reports. For example, your company might need to comply with the US government's Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires that some health information transmitted over public networks be encrypted. The built-in HIPAA compliance report can help you quickly identify which wireless stations in your network might be in violation of HIPAA requirements.

One problem that might come up when using AirDefense sensors at remote locations is not enough available bandwidth on your WAN link. The sensors I used for this review required almost all the available bandwidth of a 64Kbps connection to communicate properly with the server. This bandwidth requirement could present problems for companies that have low bandwidth links to any of their remote facilities in which sensors might be deployed. However, by the time you read this review, AirDefense probably will have made available a new version of its sensor OS, which the company says will operate on as little as 3Kbps of bandwidth. The company also says it will release a new version of AirDefense—AirDefense 5.0—sometime before the end of the year.

AirDefense Enterprise 4.0
Contact: AirDefense * 770-663-8115 or 877-220-8301
Price: $10,000 for the server platform, five sensors, and a license to monitor as many as 100 wireless devices (including clients and APs)
Pros: Hardened server platform; Java console interface; easy to configure and deploy; reasonably extensive set of excellent built-in reports; excellent online Help
Cons: Console startup can be slow; per-monitored-device price model
Rating: 4 out of 5
AirDefense is a good choice for midsized to large businesses that want a prebuilt server with the OS already hardened against known security threats.

AirMagnet Distributed 4.0
AirMagnet Distributed 4.0 ships as a software solution with hardware-based sensors. AirMagnet uses the same sensor hardware from the same manufacturer AirDefense does, but each product's sensors run a custom OS. A unique feature of AirMagnet is that it also provides a software-based sensor component that you can load on a Windows-based computer, such as a laptop equipped with a supported wireless network card (e.g., Proxim's ORiNOCO or AirMagnet's own card, which supports 802.11a, 802.11b, and 802.11g). This feature can come in handy in a variety of circumstances in which you might need a mobile sensor.

The server software requires a computer running either Windows XP or Windows 2000. AirMagnet recommends at least a 1.8GHz CPU and 512MB of RAM. Because the AirMagnet management server runs on top of your own installation of Windows, you need to harden the OS against intrusion.

Installing the AirMagnet management server software is straightforward, with a typical wizard to guide the process. The proprietary server software conflicts with IIS, so I had to disable IIS on my test system before installing the management server software. The management server can send its log data to a local standalone database; alternatively, larger installations can integrate with a SQL server.

After the management server was up and running, I could connect to it via a Web browser and download the console software for installation on my desktop system. The AirMagnet console software is a standalone Windows application that communicates with the server for monitoring and configuring sensors and APs. Installation was easy and straightforward. As you can see in Figure 2, the console displays an impressive amount of information. I found it easy to use and navigate.

To configure the sensors, I used a serial connection to define the IP address information, the management server address, and a shared secret key used for communication between the server and sensors. The sensors send their data to the management server, where you can use the console software to review the data. You can also connect to a sensor directly using a Web browser over Secure Sockets Layer (SSL) to examine the sensor's logs (which contain data such as active APs and client station connections), perform diagnostics, and change configuration settings. Unlike AirDefense, AirMagnet can't directly modify AP configuration, but it does interoperate with wireless-network management products such as WaveLink Mobile Manager and AirWave Management Platform via SNMP, and those products can modify AP configurations according to information sent to them from AirMagnet.

AirMagnet includes policies that you can use to detect security problems, and intrusion-detection capabilities that can detect a variety of common wireless network attacks. When AirMagnet detects intrusion attempts or policy violations, it can send alarm alerts in a wide range of formats, including email, SNMP, syslog, Short Message Service (SMS) via email, network phone page, Internet page, Instant Messaging (IM), Windows event log, audio file, and even printer.

AirMagnet can also launch countermeasures to deny service to perceived intruders. Like AirDefense's countermeasures, AirMagnet's countermeasures are essentially DoS attacks broadcast over the airwaves. However, once AirMagnet launches a countermeasure, an administrator must manually deactivate it, and that leaves room for problems—not to mention possible legal retaliation—if an administrator overlooks stopping countermeasure activity.

A nice feature is that AirMagnet can show one list of all APs and wireless client stations for the entire monitored network. This feature is valuable in environments that have many monitored wireless devices because sometimes a graphical map representation of high-density networks can be overly cluttered and hard to read.

Another useful feature of AirMagnet is the ability to automatically escalate problems. The product currently has 98 different alarm types (e.g., for Wi-Fi Protected Access (WPA) vulnerabilities, for changes to APs, for unencrypted traffic). An alarm of any given type can be sent to any number of people, and when the configurable threshold number of a given alarm type is surpassed, AirMagnet can notify additional people.

The AirMagnet Distributed Reporter software includes 50 different report types in four categories (time-based, site-based, infrastructure-based, and network-based). The reports can be saved in a variety of formats, including HTML, Adobe Acrobat PDF, XML, Microsoft Word, Microsoft Excel, Rich Text Format (RTF), text, and tab separated.

The product comes with a user manual in print and PDF versions. It has built-in online Help too, but AirMagnet's online Help isn't as detailed as AirDefense's.

AirMagnet Distributed 4.0
Contact: AirMagnet * 408-400-0200
Price: $8995 for unlimited sensors, one management server, and unlimited monitoring consoles
Pros: Easy to install and configure; automatic incident escalation; flexible hardware platform; supports software-based sensors
Cons: User must provide and harden underlying OS; countermeasures must be manually stopped; online Help needs improvement
Rating: 4.4 out of 5
For the price, AirMagnet provides a great bundle that will save you money as your wireless network grows. However, you must buy a Windows server OS license and keep that OS hardened.

Red-Detect 3.6
The Red-M product line is a set of components that you can purchase individually to fit your needs. For example, Red-M's Red-Alert PRO sensors can operate independently of Red-M's Red-Detect management server. You can manage the sensors with a Web browser, or they can use SNMP to report to any network management software, including the Red-Detect management server.

The Red-Detect management server is based on Red Hat Linux and comes preloaded on a minitower computer. The Red-Detect management console runs on Windows and can connect to one Red-Detect management server to manage that server's associated sensors. If your environment requires more than one Red-Detect server and you want to be able to manage more than one server at a time, or if you want in-depth reporting capabilities, you'll need Red-M's Red-Vision management add-on package. Red-Vision is probably a must-have for larger enterprise installations. Red-M didn't provide Red-Vision for my review.

To set up the Red-Detect server with the typical IP address and password parameters, you must use a crossover Ethernet cable. You also need to install on a workstation the Red-Detect console application, which then lets you contact the Red-Detect server to manage the server, the sensors, and the wireless network monitoring parameters. The Red-Alert PRO sensors have no serial interface, so I had to configure a workstation to have an IP address on the same default network as the sensors would use, then reconfigure the sensors with an address on the network and tell them the address of the Red-Detect management server. Alternatively, the sensors can use DNS queries to find the management server.

Once the server and sensors were online and communicating, I could use the Red-Detect console application on my workstation for monitoring and management. As Figure 3 shows, the Red-Detect console uses a typical treeview layout like AirDefense and AirMagnet, but the information that Red-Detect's interface displays isn't nearly as extensive or detailed. The interface's simple design and capabilities made it easy to navigate and use for configuration and monitoring; however, the online Help lacks context sensitivity and detail.

Red-Detect sends alerts only via SNMP, so you need a third-party SNMP solution if you don't want to sit in front of the console watching for problems. Unlike AirDefense and AirMagnet, Red-Detect doesn't provide any means of establishing policies for use in monitoring. Instead, the product relies on a variety of predefined event types that trigger logging and SNMP traps. For example, the product can track rogue devices, intrusion attempts, probing, wireless attacks, and an assortment of other activities. But the console and sensors couldn't tell me when an AP and client station weren't using encryption.

As you can see in Figure 3, Red-M provides some basic graphical reporting features, which can be useful. You can change the layout from bar graph to line graph and save the graphs to disk, but Red-M has no other built-in reporting facilities, so, for example, you can't generate printed reports unless you purchase Red-Vision.

One particularly interesting Red-Alert PRO feature is that in addition to monitoring 802.11a, 802.11b, and 802.11g networks, the Red-Alert PRO probes can monitor Bluetooth devices. Another attractive feature is the way the solution handles countermeasures against potential intruders. Like AirDefense and AirMagnet, Red-Detect can launch DoS attacks against intruders. An administrator must manually initiate the countermeasure, and after a configurable period of time (as many as 10 minutes) has elapsed, the DoS countermeasure stops automatically. This approach prevents a situation in which an administrator might forget to stop countermeasure activity.

Red-Detect 3.6
Contact: Red-M * 703-744-1445
Price: $8995 for Red-Detect SOHO Server, which can monitor four sensors and includes management server and four probes; $9995 for Red-Detect Server, which can monitor unlimited sensors and includes management server and four probes; countermeasures cost $3000 extra per server
Pros: Hardened server platform; monitors 802.11a, 802.11b, 802.11g, and Bluetooth; easy to install and configure; easy-to-use management interface
Cons: No way to establish policies; limited alerting capabilities; Red-Detect Server has only basic management and reporting capabilities—Red-Vision management and reporting cost extra; countermeasures cost extra; sparse online Help
Rating: 3 out of 5
Red-M is a far more expensive solution for midsized and large businesses, but small businesses can benefit from the pricing model. Without its pricey Red-Vision and countermeasure add-ons, Red-M is inferior to its competitors.

A Buying Decision
All three products are designed for enterprise-size networks. However, if your small business needs only a few sensors and you want a standalone hardware-based solution to monitor your environment, Red-M's products are the best solution of the three for you because the Red-Alert PRO sensors, priced at $300 each, can operate without a management server.

If you have a midsized or large enterprise and you need to monitor a variety of sites and hardware platforms, consider the functionality offered by each of the three products to determine your needs and total cost of ownership (TCO). If you prefer a software-based solution that can run on your own hardware, AirMagnet is the clear choice because you can install its sensor software on any system that has a supported wireless network card. If you prefer a turnkey solution that includes a preconfigured server platform, then consider AirDefense. You can use AirDefense's Java-based management console on any Java-enabled platform, whereas the AirMagnet and Red-M management consoles operate only on Windows.

If your decision depends heavily on price, be aware that for midsized and large enterprises that need countermeasures and good reporting capabilities, Red-M's solution is the most expensive of the three. AirDefense's and AirMagnet's base packages are superior to Red-M's. Countermeasures are built into AirDefense and AirMagnet but are a $3000 add-on to a Red-M solution. You also pay extra to get in-depth reporting capabilities from Red-M.
