Two paths to WLAN intrusion detection
VigilantMinds manages all your WLAN IDS needs; AirMagnet puts control in your hands
Intrusion detection systems (IDSes) have become a key piece of security infrastructure for enterprise networks. With the rise of wireless networks, the need for IDSes has increased, as has the complexity of finding patterns and policies that define acceptable use and reject interlopers in a mobile, highly changeable network community.
I looked at two wireless network IDS solutions with two different approaches. On one hand, AirXone Managed Security Service, part of a managed service offering from VigilantMinds, ties a hardware sensor to a remote-monitoring capability, offered under a professional services contract. VigilantMinds becomes a trusted partner in your infrastructure — there is little that the company won’t know about what goes on with the wireless portions of your network.
AirMagnet Distributed 4.0, on the other hand, puts a tremendous amount of control in your hands, assuming that you want to be able to view and control the most minute details of the radio frequency space under your organization’s control. The detail and control are great, but so is the responsibility.
VigilantMinds AirXone Managed Security Service
Installing the AirXone system is a piece of cake. A VigilantMinds consultant works with you to define the site requirements, brings in an appliance that connects to your network, and teaches you how to use the browser-based reporting and management console. This managed service offering includes expertise and installation labor, along with a solid WLAN IDS.
One of the first steps in an AirXone deployment is to figure out how many proprietary sensors to deploy — the number of sensors, of course, affects the price. I found that an individual sensor covered portions of an office building’s three floors, though the coverage would vary in each installation. The sensor I deployed found dozens of APs (access points) and clients, including one AP located in an outdoor setting three blocks away from the lab.
Within the coverage of the sensor, the system notes both APs and clients, including MAC (media access control) addresses, SSIDs (service set identifiers), and security features, all available for inspection. Each of these wireless devices can be categorized according to its authorization to use the network and its status within the network.
Depending on the size of the network, populating the database of approved devices can be done manually or through links to an authentication database or inventory system. When operational, the sensors maintain contact with the VigilantMinds management facility. Because this happens on a nonstandard high port, it requires a modification to your regular network IDS to prevent the wireless IDS from generating a flood of warnings on the wired security system.
A useful feature is that the system allows users to flag particular devices to ignore, which may come in handy in a crowded urban setting, for example, where the wireless network in the office next door is a constant, yet nonthreatening, presence. With the help of VigilantMinds’ consultants, you can develop an enormous variety of rules to achieve the state all organizations seek with an IDS: Genuine threats create alarms, while other activities are simply noted or ignored.
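As an added illustration (not code from VigilantMinds or AirMagnet), the following Python sketches the kind of triage the rules above aim at: an approved-device list, per-device ignore flags, and a set of corporate SSIDs decide whether each observation alarms, is merely noted, or is ignored. Every MAC, SSID and the "weak security" policy here is a constructed assumption.

```python
from dataclasses import dataclass

ALARM, NOTE, IGNORE = "alarm", "note", "ignore"
WEAK_SECURITY = {"open", "wep"}  # assumed policy: treated as a misconfigured AP

@dataclass(frozen=True)
class Observation:
    kind: str              # "ap" or "client"
    mac: str               # BSSID for an AP, station MAC for a client
    ssid: str = ""         # SSID advertised by an AP
    security: str = ""     # "open", "wep", "wpa2", as reported by the sensor
    assoc_bssid: str = ""  # for a client: the AP it is associated with

def classify(o, approved, ignored, corporate_ssids):
    """Apply the rule set to one observation; returns (verdict, reason)."""
    if o.mac in ignored:                       # e.g. the office next door
        return IGNORE, "flagged to ignore"
    if o.kind == "ap":
        if o.mac in approved:
            if o.security in WEAK_SECURITY:    # ours, but badly configured
                return ALARM, f"approved AP {o.ssid!r} runs {o.security} security"
            return NOTE, "approved AP"
        if o.ssid in corporate_ssids:          # unknown AP posing as ours
            return ALARM, f"unapproved AP advertises corporate SSID {o.ssid!r}"
        return NOTE, "unapproved AP, foreign SSID (candidate for the ignore list)"
    ap_known = o.assoc_bssid in approved
    if o.mac in approved and not ap_known and o.assoc_bssid not in ignored:
        return ALARM, "approved client associated with unapproved AP"
    if o.mac not in approved and ap_known:
        return ALARM, "unapproved client associated with approved AP"
    return NOTE, "client activity"

def triage(observations, approved, ignored, corporate_ssids):
    """Map each observed MAC to its (verdict, reason)."""
    return {o.mac: classify(o, approved, ignored, corporate_ssids) for o in observations}

# Constructed sample sweep; every MAC and SSID below is made up.
APPROVED = {"00:11:22:aa:aa:01", "00:11:22:aa:aa:02", "00:11:22:cc:cc:01"}
IGNORED = {"66:77:88:bb:bb:01"}  # the neighbour's AP, flagged to ignore
CORPORATE_SSIDS = {"corp-wlan"}
SWEEP = [Observation("ap", "00:11:22:aa:aa:01", "corp-wlan", "wpa2"),
         Observation("ap", "00:11:22:aa:aa:02", "corp-wlan", "wep"),
         Observation("ap", "de:ad:be:ef:00:01", "corp-wlan", "open"),
         Observation("ap", "66:77:88:bb:bb:01", "nextdoor", "wpa2"),
         Observation("client", "00:11:22:cc:cc:01", assoc_bssid="de:ad:be:ef:00:01"),
         Observation("client", "ff:ff:ff:00:00:09", assoc_bssid="00:11:22:aa:aa:01")]
```

Running `triage(SWEEP, APPROVED, IGNORED, CORPORATE_SSIDS)` alarms on the WEP-configured corporate AP, the unknown AP advertising the corporate SSID, and both anomalous client associations, while the neighbour's AP is ignored.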
Administrators can access the management console to create rules and check statuses. But in the VigilantMinds model, most of your interaction with the system will be through alerts already screened by the management system and consultants before they’re passed on to you.