
SpectraGuard Enterprise - 26 Sep 2005

AirTight Networks' SpectraGuard Enterprise is an 802.11a/b/g wireless Intrusion Prevention System (IPS) that uses a combination of wired and wireless monitoring and selective, legal transmissions to ensure that only authorized clients and Access Points (APs) connect to your wired network wirelessly. Though SpectraGuard gives network administrators tight control over standards-based wireless networks, proprietary technologies such as the newly popular pre-802.11n (pre-n) multiple-input/multiple-output (MIMO) wireless routers might evade its detection and blocking techniques.

What’s in the Box?
The SpectraGuard server is a 1U rack-mountable hardened Linux appliance that connects to your wired network. You also need one or more SpectraSensors, probes that you distribute throughout your facility to monitor wireless frequencies and report back to the server via your wired network. All configuration is done from an administration console, a Java applet that you access on the server over HTTP Secure (HTTPS). Setup is a simple matter of plugging everything in. The SpectraSensors even automatically detect the server if they’re on the same subnet.

How Does It Work?
SpectraGuard starts by detecting all the APs in range of the SpectraSensors, something you could also do with a free tool such as NetStumbler. SpectraGuard's value as an IPS lies in its ability to distinguish authorized APs from unauthorized, or "rogue," APs and from external APs. SpectraGuard correlates the data it sees on wireless networks with data on the wire, so it can classify an AP as internal if it lets wireless clients reach your wired network, or external if it doesn't. Internal APs are further classified as authorized or rogue based on an administrator-configured security policy. The security policy can specify allowed SSIDs, protocols (802.11a/b/g), and wireless encryption (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), or 802.11i). It can also specify which brands of APs are authorized. Clients are classified as authorized when they connect to an authorized AP.
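The classification logic described above, as an added worked example rather than AirTight's code: wireless observations are correlated with MACs seen on the wired segment to decide internal versus external, and internal APs are then checked against a policy of SSIDs, bands, encryption and vendor prefix. The correlation rule (a client seen associated to an AP over the air that also shows up on the wire means the AP bridges to the wire) is an assumption about one way such correlation can work, and the sample policy, APs, clients and MAC addresses are constructed.

```python
"""Classify the APs a sensor sees as external, authorized or rogue, and their
clients accordingly. Added example, not AirTight's code. The wired correlation
rule (an AP is internal when a MAC that associated to it over the air is also
seen as a source on the wired segment) is an assumption about one way to do the
correlation; the policy fields follow the review. All sample data is
constructed and uses locally administered MACs, not real vendor prefixes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    bssid: str
    ssid: str
    band: str           # "802.11a", "802.11b" or "802.11g"
    encryption: str     # "none", "WEP", "WPA" or "802.11i"
    clients: frozenset  # MACs of stations seen associated to this BSSID


@dataclass(frozen=True)
class Policy:
    allowed_ssids: frozenset
    allowed_bands: frozenset
    allowed_encryption: frozenset
    allowed_ouis: frozenset  # first three octets of the BSSID = AP brand


def oui(mac):
    return mac.upper()[:8]


def bridges_to_wire(ap, wired_macs):
    """Assumed rule: a client of this AP also appears on the wired segment,
    so frames sent to the AP reach the wire and the AP counts as internal."""
    return bool({m.upper() for m in ap.clients} & {m.upper() for m in wired_macs})


def policy_violations(ap, policy):
    reasons = []
    if ap.ssid not in policy.allowed_ssids:
        reasons.append("ssid")
    if ap.band not in policy.allowed_bands:
        reasons.append("band")
    if ap.encryption not in policy.allowed_encryption:
        reasons.append("encryption")
    if oui(ap.bssid) not in policy.allowed_ouis:
        reasons.append("brand")
    return reasons


def classify_ap(ap, policy, wired_macs):
    """External APs are never policy-checked (they don't touch the wire);
    an internal AP is authorized only if it passes every policy field."""
    if not bridges_to_wire(ap, wired_macs):
        return "external", []
    reasons = policy_violations(ap, policy)
    return ("rogue" if reasons else "authorized"), reasons


def classify_clients(aps, ap_classes, authorized_clients=None):
    """A client's status follows the AP it sits on. Without a manual client
    list anything on an authorized AP is authorized; with one, unlisted
    clients on authorized APs are unauthorized. A listed client on an
    external AP is 'mis-associated' (AirTight's term)."""
    status = {}
    for ap in aps:
        cls = ap_classes[ap.bssid]
        for c in ap.clients:
            if cls == "authorized":
                listed = authorized_clients is None or c in authorized_clients
                status[c] = "authorized" if listed else "unauthorized"
            elif cls == "external":
                listed = authorized_clients is not None and c in authorized_clients
                status[c] = "mis-associated" if listed else "external"
            else:
                status[c] = "on-rogue-ap"
    return status


# ---- constructed sample ----
POLICY = Policy(frozenset({"corp"}),
                frozenset({"802.11a", "802.11b", "802.11g"}),
                frozenset({"WPA", "802.11i"}),
                frozenset({"02:11:22"}))
APS = [
    ApObservation("02:11:22:00:00:01", "corp", "802.11g", "WPA",
                  frozenset({"02:aa:00:00:00:01"})),
    ApObservation("02:33:44:00:00:02", "homerouter", "802.11g", "none",
                  frozenset({"02:aa:00:00:00:02"})),  # plugged into our wire
    ApObservation("02:55:66:00:00:03", "cafe", "802.11b", "none",
                  frozenset({"02:aa:00:00:00:03"})),  # next door, not on our wire
]
WIRED_MACS = frozenset({"02:aa:00:00:00:01", "02:aa:00:00:00:02", "02:bb:00:00:00:09"})
AUTHORIZED_CLIENTS = frozenset({"02:aa:00:00:00:01", "02:aa:00:00:00:03"})


def run(aps=APS, policy=POLICY, wired_macs=WIRED_MACS, authorized=AUTHORIZED_CLIENTS):
    ap_results = {ap.bssid: classify_ap(ap, policy, wired_macs) for ap in aps}
    clients = classify_clients(aps, {b: r[0] for b, r in ap_results.items()}, authorized)
    return ap_results, clients


if __name__ == "__main__":
    ap_results, clients = run()
    for bssid, (cls, why) in ap_results.items():
        print(f"{bssid}  {cls:<10} {','.join(why) or '-'}")
    for mac, st in clients.items():
        print(f"{mac}  {st}")
```

The second AP in the sample is the review's own scenario: an unencrypted home router with a foreign SSID and brand that is nonetheless reachable from the wire, so it comes out rogue with three policy violations, while the unencrypted AP next door is merely external and its client, being on the authorized list, is flagged as mis-associated.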

Armed with data about wireless clients and APs, SpectraGuard can detect and prevent common wireless threats. When SpectraGuard detects unauthorized wireless activity, it disconnects the clients involved by spoofing the AP's MAC address and sending them disassociate messages that appear to come from that AP. This works because 802.11a/b/g management frames are neither authenticated nor encrypted, which is also why the same technique is available to attackers. In addition to rogue APs, SpectraGuard can block APs that were at one time authorized but that no longer meet your security policy (misconfigured APs). It also detects and prevents malicious attacks, such as unauthorized APs that spoof authorized APs.

SpectraGuard can block individual clients as well, such as authorized clients that "mis-associate" (in AirTight lingo) with external APs and clients that establish ad-hoc connections with other clients. If you manually populate SpectraGuard's list of authorized clients, the IPS can also prevent unauthorized clients from associating with authorized APs. SpectraGuard's disassociate blocking technique even works against Denial of Service (DoS) attacks from clients that comply with the 802.11a/b/g standards, although no device can block layer 1 (physical layer) DoS attacks that simply broadcast disruptive radio transmissions.
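The spoofed disassociate message the two paragraphs above describe is an ordinary 802.11 management frame with the AP's address in the transmitter and BSSID fields. The following added example (not AirTight's code) builds and parses such disassociation and deauthentication frames in memory and then counts them per BSSID, which is how a monitor would tell a sustained block (or a deauth DoS from a standards-compliant client) from a single legitimate disconnect. Nothing is transmitted; the flood threshold, window and the sample addresses and timestamps are assumptions.

```python
"""Build and parse the 802.11 disassociation/deauthentication frames a WIPS
(or an attacker) sends on behalf of an AP, plus a simple per-BSSID flood
detector. Added example, not AirTight's code; it only constructs bytes in
memory and transmits nothing (sending such frames at networks you do not own
is illegal in many jurisdictions). Threshold, window, addresses and
timestamps below are assumptions / constructed sample data."""
import struct
from collections import defaultdict, deque

SUBTYPE_DISASSOC = 0xA   # management subtype 10
SUBTYPE_DEAUTH = 0xC     # management subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
# A few reason codes from the 802.11 standard
REASON_UNSPECIFIED = 1
REASON_STA_LEAVING = 3
REASON_CLASS3_FROM_NONASSOC = 7


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype, dst, bssid, reason, seq=0):
    """24-byte management header + 2-byte reason code (no FCS).
    Addr2 (transmitter) and Addr3 (BSSID) are both the AP's address: that is
    the spoofing the review describes. a/b/g management frames carry no
    authentication, so the client cannot distinguish this from the real AP."""
    frame_control = (subtype << 4) | (0 << 2) | 0   # type 0 = management, version 0
    return struct.pack("<BBH6s6s6sHH",
                       frame_control, 0,             # FC byte 0, flags byte
                       0,                            # duration
                       mac_bytes(dst), mac_bytes(bssid), mac_bytes(bssid),
                       seq << 4,                     # sequence control, fragment 0
                       reason)


def parse_mgmt_frame(frame):
    fc0, _flags, _dur, a1, a2, a3, seqctl, reason = struct.unpack("<BBH6s6s6sHH", frame[:26])
    if fc0 & 0x0C != 0:                              # bits 2-3 = frame type
        raise ValueError("not a management frame")
    return {"subtype": fc0 >> 4, "dst": mac_str(a1), "src": mac_str(a2),
            "bssid": mac_str(a3), "seq": seqctl >> 4, "reason": reason}


class DisassocFloodDetector:
    """Flags a BSSID once `threshold` disassoc/deauth frames are seen within
    `window` seconds. A WIPS holding a rogue AP in Block mode and an attacker
    running a deauth DoS look the same on the air; the rate is what a
    monitor can act on."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)

    def observe(self, frame, timestamp):
        info = parse_mgmt_frame(frame)
        if info["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            return False
        q = self.seen[info["bssid"]]
        q.append(timestamp)
        while q and timestamp - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold


def demo():
    """Constructed sample: a spoofed disassociate aimed at one client, fed to
    the detector first at a high rate and then at a low one."""
    bssid, client = "02:11:22:00:00:01", "02:aa:00:00:00:02"
    frame = build_mgmt_frame(SUBTYPE_DISASSOC, client, bssid, REASON_CLASS3_FROM_NONASSOC, seq=7)
    fast = DisassocFloodDetector(threshold=10, window=5.0)
    flagged = [fast.observe(frame, 100.0 + i * 0.1) for i in range(10)]   # 10 in 1 s
    slow = DisassocFloodDetector(threshold=10, window=5.0)
    quiet = [slow.observe(frame, 200.0 + i * 30.0) for i in range(10)]   # 1 per 30 s
    return frame, flagged, quiet


if __name__ == "__main__":
    frame, flagged, quiet = demo()
    print(frame.hex(), parse_mgmt_frame(frame))
    print("flood at high rate:", any(flagged), " flood at low rate:", any(quiet))
```

Using the broadcast address as the destination with the deauthentication subtype is what knocks every client off an AP at once; the detector treats both subtypes alike because either one ends the client's session.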

Under Siege
To prevent clients from accessing a rogue AP, SpectraSensors must continuously disassociate them from the AP. If a SpectraSensor is preventing attacks on one wireless channel, it might be unavailable to prevent attacks on other channels. To free up SpectraSensors to detect and prevent multiple attacks simultaneously, you can configure SpectraGuard to block less frequently. On the highest setting, Block, I was unable to get clients to associate to a rogue AP. On the lowest setting, Degrade, my client connected to the AP but was unable to complete its DHCP request. On higher traffic networks, AirTight reports that clients might be able to complete a few pings on the Degrade setting or even view parts of Web pages but will be unable to sustain a TCP connection for more than a few seconds. A SpectraSensor can degrade performance on up to four 802.11b/g channels and up to four 802.11a channels simultaneously.

The Hunt
In addition to protecting your wired network from rogue APs, SpectraGuard helps you track them down. Each SpectraSensor can use the signal strength of an AP to estimate the distance to that AP. You can use the readings from multiple SpectraSensors to triangulate the location of the rogue AP. SpectraGuard can even show you the probable location of rogue APs on a map of your facility. Creating the map requires additional software called SpectraGuard Planner, or if you don’t want to purchase SpectraGuard Planner, AirTight will create a map for you for a reasonable price. Maps can even include data about the material of walls and other obstructions to increase accuracy.

I used SpectraGuard Planner to map the two-story, 40,000-square-foot building I work in. I placed three sensors and three APs in various locations, then attempted to track down a fourth, rogue AP. When the rogue AP was within range of two sensors on the same floor, I was able to locate it within 20 to 30 feet, but three sensors weren’t quite enough for my entire building. When I tested in a smaller area, SpectraGuard truly gave me complete control over the airwaves. At $795 a pop, SpectraSensors aren't cheap, so network administrators should plan carefully and take the composition of walls and other obstructions into consideration when evaluating the true cost of SpectraGuard for their environment.
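How signal strength turns into a position, as an added worked example that is not AirTight's or SpectraGuard Planner's code: each sensor converts its RSSI reading to a distance with the log-distance path-loss model, optionally correcting for a known wall between it and the AP (the role the map's wall-material data plays), and the three or more distances are then solved for a position by linearizing the circle equations. The reference RSSI, path-loss exponent and wall loss are assumed values; the sensor layout and readings are constructed, and it also shows how far off the fix lands when a 6 dB wall is ignored.

```python
"""Locate a transmitter from the RSSI seen at several sensors. Added example,
not AirTight's or SpectraGuard Planner's code. Model: log-distance path loss
with an optional per-sensor wall loss. The reference RSSI (-30 dBm at 1 unit),
path-loss exponent (3.0) and wall loss (6 dB) are assumed values; the sensor
layout (feet) and readings are constructed."""
import math


def rssi_to_distance(rssi_dbm, rssi_at_ref=-30.0, exponent=3.0, wall_loss_db=0.0):
    """Inverts RSSI(d) = RSSI(1) - 10 n log10(d) - wall_loss. Known obstruction
    loss from the floor plan is added back before inverting; without it every
    dB of wall reads as extra distance."""
    return 10 ** ((rssi_at_ref - (rssi_dbm + wall_loss_db)) / (10 * exponent))


def distance_to_rssi(d, rssi_at_ref=-30.0, exponent=3.0, wall_loss_db=0.0):
    """Forward model, used here only to construct sample readings."""
    return rssi_at_ref - 10 * exponent * math.log10(d) - wall_loss_db


def trilaterate(anchors):
    """anchors: list of ((x, y), distance). Subtracting the first circle
    equation from each of the others gives equations linear in (x, y);
    they are solved in the least-squares sense (exact for three sensors
    that are not in a line). Raises ValueError for a degenerate layout."""
    if len(anchors) < 3:
        raise ValueError("need at least three sensors")
    (x1, y1), d1 = anchors[0]
    rows, rhs = [], []
    for (xi, yi), di in anchors[1:]:
        rows.append((2 * (x1 - xi), 2 * (y1 - yi)))
        rhs.append(di ** 2 - d1 ** 2 - xi ** 2 + x1 ** 2 - yi ** 2 + y1 ** 2)
    # normal equations (A^T A) p = A^T b for the 2x2 system
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; no unique position")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate(readings, **model):
    """readings: list of ((x, y), rssi_dbm, wall_loss_db) per sensor."""
    anchors = [(pos, rssi_to_distance(rssi, wall_loss_db=wall, **model))
               for pos, rssi, wall in readings]
    return trilaterate(anchors)


# ---- constructed sample: three sensors on one floor, AP at (40, 30) feet ----
SENSORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 80.0)]
TRUE_POS = (40.0, 30.0)
WALL_LOSS = [0.0, 0.0, 6.0]   # assumed: the third sensor hears the AP through a wall


def constructed_readings():
    out = []
    for (sx, sy), wall in zip(SENSORS, WALL_LOSS):
        d = math.hypot(TRUE_POS[0] - sx, TRUE_POS[1] - sy)
        out.append(((sx, sy), distance_to_rssi(d, wall_loss_db=wall), wall))
    return out


def demo():
    """Returns the fix with the wall accounted for and the fix ignoring it."""
    readings = constructed_readings()
    with_walls = locate(readings)
    ignoring_walls = locate([(pos, rssi, 0.0) for pos, rssi, _ in readings])
    return with_walls, ignoring_walls


if __name__ == "__main__":
    good, bad = demo()
    print("with wall data:   (%.1f, %.1f)" % good)
    print("ignoring the wall: (%.1f, %.1f)" % bad)
```

With the wall loss known the fix lands on the true position; ignoring 6 dB of wall inflates that sensor's distance estimate by a factor of about 1.58 and drags the fix roughly 40 feet off, which is the kind of error the review's 20 to 30 foot result is fighting.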

The Catch
SpectraGuard supports all three wireless networking standards approved by the IEEE (802.11a/b/g), but AirTight doesn't promise that it will support the proprietary MIMO and other pre-n technologies vendors are floating in the absence of an approved IEEE 802.11n standard. AirTight informed me that SpectraGuard should support any device operating in a mode backward-compatible with previous standards. I decided to do my own test to see if I could use one of the new proprietary technologies to sneak under SpectraGuard’s radar.

I set up a NETGEAR WPN824 RangeMax Smart MIMO wireless AP. This device didn’t meet the security policy I set on the SpectraGuard server due to its SSID, brand, and lack of encryption, so clearly it was a rogue AP. To ensure that the device was using NETGEAR’s proprietary technology, I used a NETGEAR WPN111 RangeMax USB wireless network adapter in my client. I started with the RangeMax AP in 108Mbps Only mode. My client connected at 108Mbps without problems. To make sure the RangeMax AP was connected to the wired network, I opened the SpectraGuard console, which forced traffic to traverse from my wireless client to the wire-bound SpectraGuard server through the AP. Clearly the RangeMax AP offered a connection to the wired network, but neither the AP nor the client showed up on the SpectraGuard console.

I opened the Web-based configuration utility for the RangeMax AP and switched it to the default mode of Auto 108Mbps. My client briefly reconnected at 54 Mbps but was then booted off. I reconnected my network cable and opened the SpectraGuard console again. Sure enough, both the RangeMax AP and client now appeared on the console and the AP was quarantined/blocked by SpectraGuard. As expected, SpectraGuard could block the rogue AP only when it was in backward-compatible 802.11g mode.

Recommendations
Because APs go for as little as $20 and anyone can plug them into your network, a wireless IPS is becoming a must-have for any network, wireless or not. SpectraGuard's well-organized UI, maps, and blocking options make wireless intrusion prevention a simple task rather than a time-consuming activity that yields unreliable results. AirTight probably can't keep up with every wireless AP vendor's proprietary wireless technology, so I can't fault SpectraGuard too much for failing to catch the NETGEAR RangeMax AP in 108Mbps Only mode. The company did tell me that SpectraGuard 4.0, due about the time this review is published, will have wireless interference detection that can detect and help locate, but not block, such proprietary technologies. Network administrators concerned with wireless security should remember that wireless technology is likely to continue evolving and that any investment in a network of sensors will likely be outdated sooner rather than later. That said, if you're in the market for a wireless IPS, it's probably not a bad idea to try to pick a solution that detects and blocks the greatest number of wireless standards and technologies. You might also want to investigate implementing 802.1X port authentication for all devices on your network; many modern switches support this type of port-level security, and it denies an unauthenticated rogue AP a wired uplink regardless of which wireless technology the AP uses.

I still give SpectraGuard a 3.5-out-of-5 rating for its combination of effectiveness and ease of use. If your current wireless security strategy consists of a laptop equipped with a dual-band network adapter and NetStumbler and you need a better solution, give SpectraGuard a closer look.



SpectraGuard Enterprise
Contact: AirTight Networks
Web: http://www.airtightnetworks.net
Price: $11,585 for SpectraGuard Starter Kit with one SpectraGuard Enterprise Model SA-200 Appliance, four SpectraGuard SS-200 SpectraSensors, and 1 year of maintenance
Summary
Pros: Easily locates rogue APs; doesn't interfere with neighboring wireless APs
Cons: Doesn't defend against MIMO/pre-n APs; location maps require separate purchase
Rating: 3.5 out of 5
Recommendation: Helps ensure only authorized use of wireless networks, but functionality is limited for pre-n MIMO APs.