Trapeze, AirDefense raise the bar on enterprise wireless security

Combination of WLAN monitoring and network access policies proves a potent security tool

Gone are the days of being able to ignore security and role separation for enterprise wireless systems. Regardless of whether you go with a thick access point (Cisco or Symbol) or a thin access point (Trapeze or Aruba), your wireless infrastructure must be able to support role separation by using multiple SSIDs (service set identifiers) and mapping each one onto the appropriate VLAN.

With the recent ratification of the 802.11n enhancements, enterprises that want to set up secure wireless networks are looking at services such as wireless defense (Wireless IDS), easier advanced encryption and role separation setup, and multimedia support for Wi-Fi VoIP as differentiators in today's Wi-Fi marketplace.

Enter Trapeze Networks and its new entry-level RingMaster 5.0-AirDefense 7.0 solution. Sold by both Trapeze and AirDefense in configurations ranging from entry-level 1U appliances to monster multiserver arrays, this tightly woven package leverages existing Trapeze APs as AirDefense sensors for both monitoring and security tasks. The AirDefense firmware also takes the place of the standard Trapeze backup firmware image. With both images now coexisting on the hardware, you can change from a sensor to an AP through a simple click in Trapeze RingMaster. (RingMaster's UI handles much of the wireless configuration, with a little overlap by the AirDefense UI.) The benefit of this tag-team packaging? IDS and system monitoring are tightly tied together so that IDS alerts can trigger management actions, and vice versa.

The Trapeze RingMaster and AirDefense consoles are currently separate applications tied together at various menus, but the AirDefense-Trapeze integration will become quite a bit tighter in future releases, with a richer set of scripts and action items for the IDS to execute — including the ability to switch over additional access points into IDS sensors. Future APs will also have expanded flash storage to save backup images of both the Trapeze and AirDefense firmware.

Watching over network access

I added the AirDefense-Trapeze box to our existing Trapeze MX-8 small office Wi-Fi switch at the Advanced Network Computing Lab at the University of Hawaii. Soup to nuts, the integration took perhaps one hour total, including downloading the new AirDefense firmware onto my access points.

One of the keys to this solution's success is that any existing Trapeze access point can be tasked as either an access point or a sensor. Think of a sensor as the equivalent of a wireless protocol analyzer whose captures are then correlated with other air sensors across the enterprise and with network data from RingMaster. During testing, the AirDefense system saw dozens of neighboring Wi-Fi devices, but they were not flagged as critical because RingMaster was able to tell the AirDefense server that those devices weren't on my internal network and thus were not an immediate threat based upon my policies. This level of data sharing dramatically reduced the number of false positives. So while the IDS functions are currently in the AirDefense console and AP information is currently in the RingMaster console, future versions should see the two slowly merge through greater use of the RingMaster plug-in features.

Because both Trapeze and Aruba are switch-based Wi-Fi technologies, their thin APs use encrypted tunnels to traverse foreign subnets and return to their control switch. Once there, each SSID is bonded to a VLAN and a security profile is applied to set network use privileges. For example, guests might have access to an open network that only connects to the Internet, whereas engineering must use WPA2 (Wi-Fi Protected Access) with Radius authentication dropped directly onto the engineering VLAN, and sales folks might be required to use WPA-TKIP (Temporal Key Integrity Protocol) on the sales VLAN.

Missing here is what the Wi-Fi Alliance is now calling WPS (Wi-Fi Protected Setup), which sounds suspiciously similar to what Microsoft has been doing with XML configuration pushes since Windows XP SP2. It would be a useful addition: WPS provides a standard for a Diffie-Hellman key exchange, dramatically reducing the pain of setting up advanced encryption technologies such as WPA2 with Radius authentication.

Smart alert systems

After a couple months of running the AirDefense-Trapeze combo pack, I've noticed a bit of alert overload from Wi-Fi devices in other, nearby research labs. Working through the AirDefense console, I gradually examined the surrounding rogues to further identify which units were benign and which units deserved closer scrutiny.

My favorite AirDefense feature is the automatic lowering of alert levels if the offending device isn’t on one of my networks. For example, if the system detects a device in a neighboring lab, it won’t get excited unless that device is on a network that I previously indicated as being part of my infrastructure. I still get a log entry noting the offender, but the system won’t page me in the middle of the night. If the offender is on my network, however, I will get an alert and can perform a switch port lookup (in addition to the RF triangulation) to quickly sniff out the rogue device.
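The triage logic described in the two passages above (a sighting is only critical when the device can be tied to your own infrastructure; neighbors are logged but never page you) as an added illustration, not Trapeze or AirDefense code. The authorized-BSSID list, the wired bridge table and the sightings are constructed sample data, and the "adjacent MAC" correlation between a BSSID and a switch-port MAC is an assumed heuristic standing in for the RingMaster lookup the article mentions.

```python
from dataclasses import dataclass

# Constructed: BSSIDs of the APs RingMaster manages (would come from the WLAN switch)
AUTHORIZED_BSSIDS = {"00:0b:0e:aa:00:01", "00:0b:0e:aa:00:02"}

# Constructed: wired bridge table, MAC -> (switch, port), as pulled from the edge switches
WIRED_MAC_TABLE = {
    "00:0b:0e:aa:00:01": ("sw-lab-1", "Gi1/0/3"),
    "00:1c:f0:99:12:34": ("sw-lab-1", "Gi1/0/17"),  # unmanaged AP plugged into our LAN
}


@dataclass
class Sighting:
    """One air-sensor observation of a beaconing BSSID."""
    bssid: str
    ssid: str
    channel: int
    rssi: int


def wired_match(bssid, mac_table, max_delta=8):
    """Assumed heuristic: AP radios usually derive BSSIDs from the wired MAC by
    bumping the last octet, so look for a wired MAC within max_delta of it."""
    prefix, last = bssid[:-2], int(bssid[-2:], 16)
    for mac, location in mac_table.items():
        if mac[:-2] == prefix and abs(int(mac[-2:], 16) - last) <= max_delta:
            return mac, location
    return None


def triage(s, authorized=AUTHORIZED_BSSIDS, mac_table=WIRED_MAC_TABLE):
    """Classify a sighting: authorized, rogue on our wire (page + port lookup),
    or neighbor (log entry only, no page)."""
    if s.bssid in authorized:
        return {"severity": "info", "verdict": "authorized", "page": False}
    match = wired_match(s.bssid, mac_table)
    if match:
        wired_mac, (switch, port) = match
        return {"severity": "critical", "verdict": "rogue-on-wire", "page": True,
                "wired_mac": wired_mac, "switch": switch, "port": port}
    return {"severity": "low", "verdict": "neighbor", "page": False, "ssid": s.ssid}


if __name__ == "__main__":
    for s in (Sighting("00:0b:0e:aa:00:02", "lab-corp", 6, -40),
              Sighting("00:1c:f0:99:12:35", "linksys", 11, -55),
              Sighting("00:16:b6:77:00:01", "otherlab", 1, -80)):
        print(s.bssid, triage(s))
```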

The tight integration between Trapeze RingMaster and AirDefense 7.0 gives you a best-of-both-worlds product: wireless network management plus security and access monitoring. Clear information displays and trigger settings make it easy to quickly address any problem that crops up, whether it's a rogue AP or a wireless user trying to hop onto a restricted network segment.

Infrastructure-wise, you're able to use just about any type of existing Trapeze AP, and swap an AP between its Trapeze access point and AirDefense sensor roles on demand. The solution is also quite scalable, with multiple server models, load-balancing features, and some nice predefined roles for hotspots and other connection points. Based on what I've seen, this is a strong combination product that will likely get better as AirDefense and Trapeze add more automation to upcoming releases.

InfoWorld Scorecard

Trapeze RingMaster 5.0 with AirDefense 7.0

Category         Weight   Score
Ease of use      10.0%    8.0
Value            10.0%    9.0
Management       20.0%    9.0
Setup            15.0%    9.0
Performance      15.0%    8.0
Security         20.0%    9.0
Scalability      10.0%    9.0
Overall Score    100%     8.8