Wireless IDSes help network admins keep an ear to the air
AirDefense and Red-M IDSes handle wireless attacks but serve different needs
If you have a wireless infrastructure deployed and you’re not monitoring it with a wireless IDS (intrusion detection system) take heed: What you don’t know can cost you money, information, and possibly your job. Understanding the wireless traffic flying overhead — and knowing who’s sending and receiving it — is critically important to the security of your organization.
I recently took a look at two wireless IDS solutions. Red-M’s Red-Detect solution is straightforward and to the point, but it has several weaknesses, particularly its lack of event correlation. AirDefense 4.0, on the other hand, is a robust, policy-based solution, but its Java-based approach can be sluggish at times and it has a moderately high price tag.
Bear in mind that whereas these solutions can monitor your campus, they cannot monitor your wireless devices when they’re being used in public hot spots, where they are far more vulnerable to malicious attacks. So finding a wireless IDS that aligns with other components in your security policy is key.
Older and Wiser
When I first reviewed AirDefense almost a year ago, I was impressed with both its capabilities and policy-based approach. I’m still impressed. Although imperfect, the product facilitates wireless security monitoring with a solid policy-based core. I’m also pleasantly surprised to find that AirDefense has lowered the price of the solution dramatically. It now offers a starter kit for $10,000, which helps when deploying in organizations on a tight budget.
A cost issue with any wireless IDS solution is that sensors and probes will need to sit beside your wireless APs (access points) on the network. Although the sensors will not need to be as densely distributed as your APs, costs can still add up quickly when used campuswide.
The AirDefense system consists of a hardened server appliance running Red Hat Linux with distributed wireless AP sensors and a Java-based Web console. The AirDefense Web console and AP sensors communicate on a secure channel to the server, something Red-Detect doesn’t do.
The AirDefense appliances remain scalable (the company says a single appliance can support more than 2,000 sensors and APs), but they lack a centralized management platform and do not talk to one another, except via SNMP.
After a simple sensor setup, I connected to the remote AirDefense appliance via a secure Web interface. Because the console relies heavily on Java applets, I had to download and install the Sun JVM (Java virtual machine) before connecting to it via the Internet. Not surprisingly, using Java in conjunction with minor Internet delays made for sluggish console performance.
AirDefense’s dashboard really shines. Tables and graphs provide views of the entire system with sections for system activity, AP counts, station counts and associations, and ad-hoc activity, as well as graphs of alarms by priority, device, and class. The graphs also include sensor-collected information such as mean signal strength and traffic levels by channel and by bytes transferred. The previous version had introduced additional information that popped up when I rolled the mouse over an AP or WLAN client icon. Now, by right-clicking you can drill down to view more detailed information on a problem or issue.
AirDefense’s strong suit is its policy-based approach to monitoring wireless devices and traffic. There are four main categories for policies: configuration, performance, vendor, and channel. All of the policy thresholds are configurable.
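To make the policy model concrete, here is an added Python illustration (not AirDefense's own code) of a policy evaluator with one check per category the review names; the thresholds, OUIs, SSIDs and sensor readings are constructed for the example.

```python
"""Toy policy-based wireless monitor modelled on the four policy categories
named in the review: configuration, performance, vendor, channel.
Added illustration, not AirDefense code; every value below is constructed."""
from dataclasses import dataclass


@dataclass
class Policy:
    # configuration: what an authorized AP must look like
    require_encryption: bool = True
    authorized_ssids: frozenset = frozenset({"corp-wlan"})
    # performance: per-AP station threshold (constructed number)
    max_stations: int = 50
    # vendor: approved OUIs, i.e. the first three bytes of the BSSID (assumed value)
    allowed_ouis: frozenset = frozenset({"00:40:96"})
    # channel: channels the site plan permits
    allowed_channels: frozenset = frozenset({1, 6, 11})


@dataclass
class Observation:
    """One AP as reported by a sensor."""
    bssid: str
    ssid: str
    channel: int
    encrypted: bool
    stations: int


def evaluate(obs, policy):
    """Return a list of (category, message) alarms for one observed AP."""
    alarms = []
    if policy.require_encryption and not obs.encrypted:
        alarms.append(("configuration", f"{obs.bssid} is an open network"))
    if obs.ssid not in policy.authorized_ssids:
        alarms.append(("configuration", f"{obs.bssid} advertises unauthorized SSID {obs.ssid!r}"))
    if obs.stations > policy.max_stations:
        alarms.append(("performance", f"{obs.bssid} has {obs.stations} stations"))
    if obs.bssid[:8].lower() not in policy.allowed_ouis:
        alarms.append(("vendor", f"{obs.bssid} OUI not in approved vendor list"))
    if obs.channel not in policy.allowed_channels:
        alarms.append(("channel", f"{obs.bssid} is on channel {obs.channel}"))
    return alarms


def scan(observations, policy):
    """Run every observation through the policy; return {bssid: alarms}."""
    return {o.bssid: evaluate(o, policy) for o in observations}


# constructed sample sensor readings: a compliant AP, an overloaded AP, a rogue AP
SAMPLE = [
    Observation("00:40:96:aa:bb:cc", "corp-wlan", 6, True, 12),
    Observation("00:40:96:aa:bb:cd", "corp-wlan", 6, True, 80),
    Observation("00:11:22:33:44:55", "linksys", 9, False, 1),
]

if __name__ == "__main__":
    for bssid, alarms in scan(SAMPLE, Policy()).items():
        for category, message in alarms:
            print(f"[{category}] {message}")
```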