As WLANs (wireless LANs) continue to be deployed throughout the enterprise, administrators need tools to help them audit
wireless network installations, analyze performance, and identify security issues. One of the big security issues facing wireless
networks today is rogue access points that employees may install on the network, exposing the organization's network
and data to unauthorized users and malicious hackers.

Observer Suite 8.1
Network Instruments, networkinstruments.com

Deploy 8.0

| Criteria | Score |
| --- | --- |
| Ease-of-use | 9 |
| Implementation | 8 |
| Innovation | 8 |
| Interoperability | 8 |
| Scalability | 8 |
| Security | 8 |
| Suitability | 9 |
| Support | 9 |
| Training | 8 |
| Value | 9 |

Business Case: This all-in-one network analysis tool would provide excellent value to any organization. Online reporting capabilities allow
managers to quickly see performance reports at any time.
Technology Case: Stable drivers allow Observer to be used on any system, including an administrator's laptop for quick troubleshooting. Historical
trending and reporting provides useful data that can help pinpoint problems.
Pros: + Includes analyzers for wired and wireless networks in one product + Stores all historical data and creates trending reports + Provides powerful expert analysis + Includes SNMP probes
Cons: - Works only with selected wireless cards
Cost: $3,995
Platforms: Runs on Windows 2000 and XP; supports Cisco, Symbol, Nortel, and Intel cards

Network Instruments' Observer line of software provides administrators an easy way to monitor wireless networks and help
pinpoint those rogue access points. Observer comes in three flavors -- Observer, Observer Expert, and Observer Suite -- with
Expert and Suite adding functionality such as real-time expert analysis and SNMP probes, respectively. We tested Observer
Suite 8.1, and its ease of use and low price point helped earn it a Deploy rating.

Observer is a protocol analyzer, similar to products offered by Sniffer and WildPackets. With the introduction of wireless
capabilities, Observer has become one of the better protocol analyzers we have seen. The biggest plus for Observer is that
the product includes all the components you need to analyze wired, fiber optic, and wireless networks; other analyzers typically
focus on either wireless, wired, or fiber.

Another excellent feature of Observer is its ability to keep trend data. Observer stores all data captures and can use them
to create trend reports and analyze data over periods of time. Observer Suite also includes a built-in Web server to make
reports available remotely, providing a Web site for managers or executives to easily monitor network performance.

For managers of wireless networks, Observer can be a valuable tool. In addition to performing the standard packet decoding
and analysis, Observer can also identify rogue users and access points as well as WEP (Wired Equivalent Privacy) misuse. The
best way to identify rogue systems is to configure a list of valid MAC (Media Access Control) addresses for your organization's
wireless devices and filter them out. Based on such a list, Observer can alert you to devices with invalid MAC addresses that
are accessing the network. Observer also analyzes WEP configurations and can alert administrators if an access point is found
with WEP disabled or without the proper configuration. This helps enforce the company's wireless security policy.

As with any wireless analysis tool, wireless NIC (network interface card) support is an issue. Many of these tools require
their own special drivers that are suitable only for auditing the network. For example, Netstumbler works with Lucent or Compaq
cards, while ISS Wireless Scanner supports only the Compaq WL110 NIC.

Furthermore, many WLAN analyzer vendors develop their own drivers from scratch, and these may not work properly in everyday
use. Consequently, administrators without dedicated monitoring hardware may be required to reinstall the wireless NIC vendor's
drivers to return to normal wireless network functionality.

Network Instruments takes a different approach than most, adding layers to existing wireless card drivers. Based on our
experience with Observer, this avoids sacrificing everyday functionality for the sake of monitoring the WLAN.

We installed Observer Suite on a Windows 2000 SP2 laptop using a Cisco Aironet 350 wireless card. We installed Network Instruments'
driver for the card and did not have any issues using the card as we normally do every day. Firing up Observer, we watched
the activity on our wireless network, which included five Agere Orinoco access points. We monitored wireless traffic, WEP
use, and access point utilization. To test Observer's ability to spot rogue access points, we added an Intel access point
to the network and created a filter for our authorized Agere access points. Observer passed the test with flying colors, successfully
providing us a list that included our Intel access point -- and some access points in the neighboring office.
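
The allowlist check described above, and exercised in the test with the authorized and added access points, as an added example that is not Observer's code or part of the original review. It assumes beacon observations have already been captured; the `Beacon` record, the `audit` function and every address are constructed for illustration, and the WEP check reads the Privacy bit of the 802.11 Capability Information field.

```python
# Added example: allowlist-based rogue AP check over constructed beacon observations.
from dataclasses import dataclass

PRIVACY_BIT = 0x0010  # 802.11 Capability Information bit 4: encryption (WEP) required


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so 00-AA-.., 00aa.. and 00:AA:.. compare equal."""
    digits = "".join(c for c in mac if c not in ":-.").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Beacon:
    bssid: str        # access point MAC as seen on the air
    ssid: str
    capability: int   # 16-bit Capability Information field from the beacon


def audit(beacons, authorized_macs):
    """Return (rogue, wep_off): BSSIDs off the allowlist, and authorized APs without WEP."""
    allow = {normalize_mac(m) for m in authorized_macs}
    rogue, wep_off = set(), set()
    for b in beacons:
        bssid = normalize_mac(b.bssid)
        if bssid not in allow:
            rogue.add(bssid)          # unknown device: needs review
        elif not b.capability & PRIVACY_BIT:
            wep_off.add(bssid)        # known device violating the WEP policy
    return sorted(rogue), sorted(wep_off)


# Constructed sample data (locally administered addresses, not real devices).
AUTHORIZED = ["02-00-00-00-00-01", "02:00:00:00:00:02", "0200.0000.0003"]
OBSERVED = [
    Beacon("02:00:00:00:00:01", "corp", 0x0011),      # authorized, WEP on
    Beacon("02:00:00:00:00:02", "corp", 0x0001),      # authorized, WEP off
    Beacon("02:00:00:00:00:03", "corp", 0x0011),      # authorized, WEP on
    Beacon("02:00:00:00:AA:01", "corp", 0x0001),      # added without approval
    Beacon("02:00:00:00:BB:07", "nextdoor", 0x0011),  # neighboring office
]

if __name__ == "__main__":
    rogue, wep_off = audit(OBSERVED, AUTHORIZED)
    print("not on allowlist:", rogue)
    print("authorized but WEP disabled:", wep_off)
```

As in the test above, neighboring networks land in the first list alongside the unapproved device, so the output is a review queue rather than a verdict. MAC addresses can be changed by the device owner, so the allowlist works as an inventory check and not as authentication.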

Although not specifically designed for wireless security auditing, Observer is a versatile tool that can add value to any
organization. Its ease of use and low cost make it an ideal candidate for the administrator trying to gain control of an
ever-expanding wireless world.