Two paths to WLAN intrusion detection

VigilantMinds manages all your WLAN IDS needs; AirMagnet puts control in your hands

Intrusion detection systems (IDSes) have become a key piece of security infrastructure for enterprise networks. With the rise of wireless networks, the need for IDSes has increased, as has the complexity of finding patterns and policies that define acceptable use and reject interlopers in a mobile, highly changeable network community.

I looked at two wireless network IDS solutions with two different approaches. On one hand, AirXone Managed Security Service, part of a managed service offering from VigilantMinds, ties a hardware sensor to a remote-monitoring capability, offered under a professional services contract. VigilantMinds becomes a trusted partner in your infrastructure — there is little that the company won’t know about what goes on with the wireless portions of your network.

AirMagnet Distributed 4.0, on the other hand, puts a tremendous amount of control in your hands, assuming that you want to be able to view and control the most minute details of the radio frequency space under your organization’s control. The detail and control are great, but so is the responsibility.

VigilantMinds AirXone Managed Security Service

Installing the AirXone system is a piece of cake. A VigilantMinds consultant works with you to define the site requirements, brings in an appliance that connects to your network, and teaches you how to use the browser-based reporting and management console. This managed service offering includes expertise and installation labor, along with a solid WLAN IDS.

One of the first steps in an AirXone deployment is to figure out how many proprietary sensors to deploy — more sensors, of course, affect the price. I found that an individual sensor covered portions of an office building’s three floors, though the coverage would vary in each installation. The sensor I deployed found dozens of APs (access points) and clients, including one AP located in an outdoor setting three blocks away from the lab.

Within the coverage of the sensor, the system notes both APs and clients, including MAC (media access control) addresses, SSIDs (service set identifiers), and security features, all available for inspection. Each of these wireless devices can be categorized according to its authorization to use the network and its status within the network.

Depending on the size of the network, populating the database of approved devices can be done manually or through links to an authentication database or inventory system. When operational, the sensors maintain contact with the VigilantMinds management facility. Because this happens on a nonstandard high port, it requires a modification to your regular network IDS to prevent the wireless IDS from generating a flood of warnings on the wired security system.

A useful feature, the system allows users to flag particular devices to ignore, which may come in handy in a crowded urban setting, for example, where the wireless network in the office next door is a constant, yet nonthreatening, presence. With the help of VigilantMinds’ consultants, you can develop an enormous variety of rules to achieve the state all organizations seek with an IDS: Genuine threats create alarms, while other activities are simply noted or ignored.
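The classification the review describes (an approved-device database, an ignore list for the harmless network next door, and a rule set under which genuine threats alarm while everything else is noted or ignored) is easy to sketch in code. The following is an added example written for this article, not VigilantMinds or AirMagnet code: the approved-device records, the ignore list, the on-premises signal threshold and the scan data are all constructed, and the rule set is a hypothetical one chosen to illustrate the alarm/note/ignore distinction.

```python
"""Added example (not VigilantMinds or AirMagnet code): a minimal device
classification policy of the kind the review describes, with an approved-device
database, an ignore list for harmless neighbours, and an alarm/note/ignore
outcome per observed AP. All device records and scan data are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Observation:
    bssid: str      # MAC address the AP beacons with
    ssid: str
    security: str   # "WPA2", "WEP" or "OPEN", as the sensor reports it
    rssi: int       # received signal strength in dBm


@dataclass(frozen=True)
class Finding:
    bssid: str
    status: str     # authorized / ignored / rogue / unknown
    severity: str   # alarm / note / ignore
    reason: str


# Hypothetical approved-device database: BSSID -> the SSID and security
# setting that AP is expected to advertise.
APPROVED: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "security": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "corp-wlan", "security": "WPA2"},
}
# Known, non-threatening neighbours (the office next door).
IGNORED = {"aa:bb:cc:dd:ee:01"}
ORG_SSIDS = {rec["ssid"] for rec in APPROVED.values()}
# Hypothetical threshold: an unknown AP heard this strongly is probably on
# the premises rather than three blocks away.
ON_PREMISES_RSSI = -55


def classify(obs: Observation) -> Finding:
    """Apply the policy to one observed AP."""
    if obs.bssid in IGNORED:
        return Finding(obs.bssid, "ignored", "ignore", "on ignore list")
    expected = APPROVED.get(obs.bssid)
    if expected is not None:
        # An approved AP that drifts from its recorded configuration is a
        # policy violation worth an alarm (e.g. encryption switched off).
        if obs.ssid != expected["ssid"] or obs.security != expected["security"]:
            return Finding(obs.bssid, "authorized", "alarm",
                           f"policy violation: expected {expected['ssid']}/"
                           f"{expected['security']}, saw {obs.ssid}/{obs.security}")
        return Finding(obs.bssid, "authorized", "note", "matches approved record")
    if obs.ssid in ORG_SSIDS:
        return Finding(obs.bssid, "rogue", "alarm",
                       "unknown AP advertising an organization SSID")
    if obs.rssi >= ON_PREMISES_RSSI:
        return Finding(obs.bssid, "rogue", "alarm",
                       "strong unknown AP, likely on premises")
    return Finding(obs.bssid, "unknown", "note", "weak unknown AP, foreign SSID")


def run_policy(scan: List[Observation]) -> List[Finding]:
    return [classify(obs) for obs in scan]


def alarms(scan: List[Observation]) -> List[Finding]:
    """Only the findings that should reach an administrator as alerts."""
    return [f for f in run_policy(scan) if f.severity == "alarm"]


# Constructed scan, as one sensor might report it.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "corp-wlan", "WPA2", -45),
    Observation("00:11:22:33:44:02", "corp-wlan", "OPEN", -50),    # misconfigured
    Observation("aa:bb:cc:dd:ee:01", "nextdoor-wifi", "WPA2", -60),
    Observation("de:ad:be:ef:00:01", "corp-wlan", "OPEN", -70),    # SSID impersonation
    Observation("de:ad:be:ef:00:02", "linksys", "WEP", -40),       # under a desk?
    Observation("de:ad:be:ef:00:03", "cafe-guest", "OPEN", -85),
]

if __name__ == "__main__":
    for f in run_policy(SAMPLE_SCAN):
        print(f"{f.severity:6} {f.status:10} {f.bssid}  {f.reason}")
```

Run as a script it prints one line per observed AP; of the six constructed observations, three produce alarms (the approved AP that has dropped to open, the unknown AP impersonating the corporate SSID, and the strong unknown AP), the neighbour is ignored, and the rest are merely noted. In a real deployment the threshold and the rule set are the part that takes tuning, which is exactly the work the review says the consultants help with.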

Administrators can access the management console to create rules and check statuses. But in the VigilantMinds model, most of your interaction with the system will be through alerts already screened by the management system and consultants before they’re passed on to you.

If you need a secure wireless network, but don’t want to build a team of in-house experts on wireless security, then AirXone is a great solution. But if you need something that tightly integrates into your own wired network management console, this is not likely to be your best choice. It could be done, but it would take a whale of a lot of work — and even more trust.

AirMagnet Distributed 4.0

The greatest strength of AirMagnet’s stand-alone laptop WLAN analysis systems lies in the company’s understanding of radio characteristics. AirMagnet Distributed builds on that strength with a remote sensor that is an incredibly sensitive 802.11 a/b/g receiver and a software system that uses the sensors to display a wide range of information on both security and wireless network performance. An organization looking for a single tool to begin managing its wireless network could find many of its needs filled by AirMagnet Distributed.

The AirMagnet system is composed of three major pieces: the sensor, the AirMagnet Management Server, and the AirMagnet console. The sensor looks like a standard 802.11 AP. Setting it up is a simple matter of establishing addressing and shared secret information so that it can communicate with the server. The server setup is relatively simple, though firewall issues and security features of your server (namely in certificate handling) may cause brief slowdowns.

After the server is installed, console software can be downloaded and installed on multiple systems to create multiple console locations. I installed both server and console on Windows XP Pro systems. AirMagnet supports this configuration, but notes that for installations that include more than a couple of sensors, the server should be deployed on a Windows 2000 server.

If you have used the stand-alone version of AirMagnet, you’ll find the Distributed console familiar, though it provides access into many more features. The network can be viewed according to physical inventory, policy violations, security and performance events, or overall network performance, with each view expanding or contracting for more or less detail. Views can show long-term trending or instant status of various aspects of the network.

When you use AirMagnet Distributed for the first time, plan on investing a bit of time simply exploring the various ways you can look at your network statistics. I was particularly fascinated to see a number of APs and clients that don’t exist within my network — and that no other wireless detection system had picked up.

These were APs and clients on someone else’s network, a network that I wasn’t aware could be “seen” from my location. I was laboring under the illusion that physical distance was part of my security, which turns out to be not nearly as true as I’d like.

Creating policies for AirMagnet Distributed is a simple matter of working through check boxes and radio buttons for a wide range of parameters. AirMagnet helps by providing explanations and suggestions for policies when you drill down on various found vulnerabilities.

Rogue devices, for example, generate alarms and can be recorded or blocked from accessing the network. When sensors are deployed with overlapping coverage areas, AirMagnet Distributed can analyze signal strength received by sensors and triangulate a location for the rogue — an especially handy feature if someone placed an unauthorized AP under a desk in the accounting department.
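To show what "triangulate a location from signal strength" involves, here is an added example written for this article. It is a generic technique, not AirMagnet's own algorithm: each sensor's received signal strength is converted to an estimated distance with a log-distance path-loss model, and the sensor circles are combined into a single least-squares position fix. The sensor coordinates, the RSSI readings and the two radio-model parameters (RSSI at one metre, path-loss exponent) are all constructed assumptions; in a real building the model parameters have to be calibrated on site.

```python
"""Added example: estimating a rogue AP's position from the signal strength
several sensors report, via a log-distance path-loss model and a linearized
least-squares fix. A generic technique, not AirMagnet's own algorithm; the
sensor layout, RSSI values and model parameters below are constructed."""
from typing import List, Tuple

# Hypothetical radio model parameters: RSSI at 1 m and the path-loss exponent.
# Both are site-specific and would be calibrated in practice.
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 3.0


def distance_from_rssi(rssi: float) -> float:
    """Invert the log-distance model rssi = P0 - 10*n*log10(d) to get metres."""
    return 10 ** ((RSSI_AT_1M - rssi) / (10 * PATH_LOSS_EXPONENT))


def locate(sensors: List[Tuple[float, float]], rssis: List[float]) -> Tuple[float, float]:
    """Least-squares (x, y) fix from three or more sensors at known positions.

    Subtracting the last sensor's circle equation from each of the others
    turns the quadratic system into linear equations in x and y, which are
    then solved through the 2x2 normal equations.
    """
    if len(sensors) < 3 or len(sensors) != len(rssis):
        raise ValueError("need at least three sensors, one RSSI reading each")
    dists = [distance_from_rssi(r) for r in rssis]
    (xk, yk), dk = sensors[-1], dists[-1]
    rows, rhs = [], []
    for (xi, yi), di in zip(sensors[:-1], dists[:-1]):
        rows.append((2 * (xk - xi), 2 * (yk - yi)))
        rhs.append(di ** 2 - dk ** 2 - xi ** 2 - yi ** 2 + xk ** 2 + yk ** 2)
    # Normal equations (A^T A) p = A^T b for the 2-unknown system.
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        # Collinear sensors cannot resolve a position; overlapping coverage
        # from a spread-out layout is needed.
        raise ValueError("degenerate sensor geometry (sensors collinear)")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    return x, y


# Constructed layout: four sensors at the corners of a 30 m square, and the
# RSSI each reports for a rogue AP actually sitting at (10, 20).
SENSORS = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0), (30.0, 30.0)]
SAMPLE_RSSI = [-80.5, -83.5, -74.5, -80.5]

if __name__ == "__main__":
    x, y = locate(SENSORS, SAMPLE_RSSI)
    print(f"estimated rogue position: ({x:.1f} m, {y:.1f} m)")
```

With the constructed readings the fix lands within a few tens of centimetres of (10, 20). Real indoor readings carry several dB of multipath noise, so the practical accuracy is more like a room than a desk; that is still enough to send someone to the accounting department with a laptop rather than searching the whole floor.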

However, AirMagnet Distributed doesn’t do everything you’ll need to manage a wireless network. It won’t allow you to decode packets to look for trouble generated by applications; neither will it provide authentication services for a large wireless network.

What it does do is provide a combination of IDS and WLAN performance analysis that will be of great value to anyone who needs to roll up their sleeves and perform hands-on management of their wireless network.

If you’re a WLAN administrator beginning to build a security and performance toolkit, AirMagnet Distributed should be high on your shopping list.

InfoWorld Scorecard

Category (weight)                     AirXone Managed Security Service 2.0   AirMagnet Distributed 4.0
Scalability (10.0%)                   8.0                                    7.0
Security (20.0%)                      8.0                                    9.0
Setup (15.0%)                         9.0                                    7.0
Management (20.0%)                    7.0                                    8.0
Performance (15.0%)                   8.0                                    9.0
Ease of use (10.0%)                   8.0                                    8.0
Value (10.0%)                         7.0                                    8.0
Overall Score (100%)                  7.9                                    8.1