Wireless crackdown
No one can deny the convenience of wireless LANs (WLANs), whether in your home, a hotspot at a coffee shop, a warehouse, or your office, and the growth in WLANs around the world reflects this convenience -- much to the delight of hackers who find many WLANs particularly vulnerable.
Contents  Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
On the other hand, WLAN transmissions are free spirits that blithely pass through walls and fences into the car park, streets, and neighbouring buildings where they are susceptible to unauthorised intercept. Anyone with NetStumbler or Kismet for example can "sniff" for SSIDs and sort data to identify MAC addresses, channels and connection speeds. A hacker does not even have to be located within your WLAN's "typical" coverage umbrella, using the infamous "Pringle Can" antenna a hacker can be located many hundreds of metres away and still receive adequate signal.
Many access points (AP) and notebooks can be insecure -- for example the default settings for many brands of AP are freely available and if in the haste of installation the default password or SSID is left unchanged it can become a gateway for the hacker to infiltrate your WLAN. Depending on the security between the WLAN and wired LAN the latter may also become compromised.
In general a user's notebook is of greater concern than an AP as they often provide very little security and can be inadvertently compromised by the user -- providing the hacker with handy platform with which to breach your network. Even if you have a secure WLAN profile at the office the user may connect to hotspots or even their home WLAN whose profiles are not as secure. A hacker using Hotspotter for example can identify the users preferred network list and then masquerade as one of the less secure profiles APs while disassociating the user from the secure office AP and reconnecting the hapless user to the hackers AP.
At times user's may set up ad-hoc networks to transfer data to and from workstations; such a peer-to-peer network does not require an AP or authentication and can be compromised.
A rogue AP can also compromise the network -- this may be a hacker off-site, but within range of your WLAN, or more often than not an employee has installed a "more convenient" AP on your network without the administrator's sanction or more importantly the security profile of the wireless infrastructure.
To some the mention of an off-site hacker with a rogue AP conjures up an image of a nerdy looking guy with a notebook, AP, and 12V to 240V inverter but it could simply be a notebook or maybe a PDA running soft AP software such as HostAp, AirSnarf, or Hotspotter.
Strengthening your Wireless LAN Network against attacks
- Lock down the WLAN perimeter. All laptops and WLAN PCs should have personal firewalls and enterprise class APs with high security features should be deployed with all default settings such as passwords, SSIDs etc changed.
- Secure all communications across the WLAN using strong authentication, encryption, and VPNs.
- Conduct real-time monitoring of traffic -- and this is where the products tested in this comparison come in.
This month we look at software products to help you manage wireless networks and keep them secure. In this article we compare products from AirDefense and AirMagnet and also review products from Bluesocket and SonicWall. Other companies such as Roving Planet and Wavelink were invited to submit products for review but unfortunately declined to take part.
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
These two companies are an interesting pair of competitors. Rarely do we receive such evenly matched opponents; it's almost like watching a pair of identical twins duking it out. There are of course differences but they have both approached the problem of wireless security in a similar manner and even use identical hardware for their wireless sensors.
The products
The AirDefense solution consists of a server appliance and wireless sensors. The server appliance, as the name suggests, is usually supplied as an appliance, either an 1150, 2230, or 2270, but unfortunately there were none available at the time of this review. So the AirDefense technicians did the next best thing and installed the hardened Linux OS and security software on one of the Lab's servers. As a consequence, functionality is identical to the appliance.
The appliance itself is quite a beefy unit, with a single P4 2.8GHz processor and 1GB of memory in the low end 1150 unit and dual 2.4GHz Xeons and 4GB of memory in the high-end 2270 unit -- these are good for up to 350 and 600+ sensors respectively. AirDefense maintains that it makes more sense to provide an appliance than expecting the client to install, secure, and maintain their own server.
AirMagnet takes the opposite viewpoint and its enterprise server software installs on Windows 2000 and 2003 Server as well as XP Professional, and each server can cater for up to 1500 sensors. The reason for this massive number is because the AirMagnet sensors are more "educated" than the AirDefense sensors. The hardware requirements for the server are relatively modest and typically include a 2.4GHz processor, 512MB of memory, and 4GB of disk space.
Both vendors support failover from a primary to a secondary server and should the link between the server and a sensor be lost the sensors will continue to monitor and store information until the link is restored. This is, of, course up to a point. At some stage sensors will run out of memory (but the link should be restored before this point).
Configuring the sensors
The sensors are simply an AP with a hardened Linux kernel to passively observe, pre-analyse, and package WLAN data and pump it through to the server appliance for complete analysis. It is interesting to note that both vendors' sensors are identical in terms of hardware, but use different firmware and as a consequence the AirDefense solution only carries out rudimentary processing at the sensor while AirMagnet sensors actually carrying out almost all of the processing before sending the data to the server. AirDefense claims its sensors typically consume two percent of the total network bandwidth even though the relatively raw data results in more traffic than the highly processed and more compact AirMagnet data stream. All sensor data is transferred using SSL and TLS so they are secure and pass through firewalls with a minimum of fuss.
Manually configuring the sensors is not great hardship on an individual basis but if you have to deploy 20 or 30 of the sensors you would certainly not want to configure each of them manually.
Both products can be setup to auto configure after the sensors grab their IP addresses from a DHCP server and includes policy settings for each sensor.
If your organisation has an installed base of Cisco Aironet 1200 APs, these can also be utilised as sensors (albeit with limited capabilities) to feed the server appliance or enterprise server with security and performance data. Both vendors' products will happily integrate with Cisco WLSE (Wireless LAN Solution Engine) for seamless management of your WLAN infrastructure although only AirMagnet appears capable of utilising Cisco APs as rudimentary sensors without WLSE deployed. The Lab did not test the vendors' level of integration with WLSE.
AirDefense's user interface
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
Even before implementing a WLAN security system your company will really need to hammer out a security policy that encompasses how your APs and clients are to behave in a wireless domain and authentication methods for example. Your policy is realised in the configuration of the security software to determine what constitutes a breach of security or policy. Obviously the policy structure for a bank will be very different from a coffee shop hot spot.
If, for example, you wish to comply with Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA), AirMagnet makes the process as simple as selecting the pre-package policy and applying it. With AirDefense you cannot simply select a SOX profile, you have to manually implement the policy and you will need an audit to ensure compliance -- which is a bit of a pain.
The definition of policies is quite a complex process and there is quite a lot that must be nailed down such as: encryption and authentication, VLANs, approved data rates, channel locks and authorised channels, proper network names, and off-hours traffic.
Performance -- detection
Quite obviously the ability to detect all known wireless attacks by signature is a good start, so a comprehensive signature library is a must. AirMagnet boasts a library of 135 threat types while AirDefense claims an even greater number of signatures at 200 plus. Each of the products is also able to detect unknown attacks using WLAN behavioural analysis, although the subsequent alert and description would tend to be a tad more cryptic.
We carried out a short series of attacks on our WLAN; the test was certainly not exhaustive but it nevertheless gave us a feel for how the products responded to an attack and how user friendly the reporting was.
Amongst the attacks were simple sniffer scans, rogue APs which included both hardware and software APs and also MAC address spoofing of an infrastructure AP. We also hit the WLAN with a variety of Denial of Service Attacks (DoS) such as De-Authentication Flood, Disassociation Flood, EAP Failure Flood, EAP Logoff Flood, and CTS Flood.
Both products detected all the attacks although they did not always identify the attack correctly which was a bit of a surprise given that they should have had quite common signatures. Of the two, AirDefense was the more accurate at identifying the attack and also seemed less prone to false alarms. It was also the most succinct.
AirMagnet certainly identified threats but sometimes with rather generic descriptions. And because some attacks involve more than a single mechanism you were more likely to receive multiple messages from an attack to AirDefense's single alert.
AirMagnet's rogue tracking screen.
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
Should either product detect a rogue AP they can effectively put down the rogue by taking it off the air, as well as disassociate a corporate wireless device should it blunder onto the rogue.
Of course, it is always a good idea to take note of any neighbouring and legitimate APs before enabling the products' automated rogue blocking, after all you would not want to take out your business neighbours' APs by mistake. If an intruder is identified they can also be summarily blocked and kicked off the WLAN in much the same way. This is an option that, while one would not expect to be abused, may well be misused and both products maintain detailed audit logs to identify the complete "when, who, and what" each time the blocking feature is used.
Should the rogue device be physically connected to your wired infrastructure both products can track the device right down to the switch port it is connected to and providing SNMP is setup correctly disconnect the port. AirDefense carries out the wired search from the server appliance out to the offending device in a top-down approach while AirMagnet is able to track back from the closest sensor -- potentially a quicker solution.
A pertinent question, should a rogue device be detected, is "how much damage did they manage to do before they were detected and/or blocked?" Only AirDefense appears to have a satisfactory answer to this because it can provide "forensic" information such as how much data was exchanged, what direction the traffic was flowing and an analysis of all the connections made by the rogue.
Rogue locating software
Each vendor offers wireless rogue location software, because lets face it, it would not be a great deal of help if you identified a wireless rogue but had no idea where it was located.
In the case of AirMagnet it is part and parcel of the standard software but AirDefense lists it as an additional cost option.
Both products elicit the help of Cisco APs to assist with the triangulation and location process. Before we discuss the results of our rogue AP location attempts we should point out that the Lab and its surrounds are particularly hostile to this process. We have a made of steel and thick concrete sitting at one side of the Lab, and lots of thick concrete walls reinforced with steel girders, not to mention the plate glass windows with metallised reflective film, surrounding the Lab. If you are in a similar environment then quite frankly do not expect a great deal of accuracy with all the multipath reflections in progress. A more detailed description of this month's trials and tribulations with the rogue tracking can be found here.
AirDefense's Location Tracking module did not function correctly and at the 11th hour an upgrade patch was applied by one of the company's engineers which did not help the situation at all. We were unable to entice the location tracking to work at all, although the diagnostics worked quite well and provided us with brightly coloured probability distributions showing the probably location of the rogue, but, sadly not in the correct position.
AirMagnet's integrated rogue triangulation functioned but its accuracy was poor -- both products were at times up to 10m off in their positioning of the rogue. Although in a very unfair comparison the AirMagnet's probability curve did at times run very close to the actual location of the rogue although its best guess as to the location marked by a little red AP was not close at all.
Both products include extensive and flexible alerting features with administrators notified of security breaches via SNMP, e-mail, SMS, and pager to name a few. Different managers can be assigned to various areas of the infrastructure and only alerts pertaining to their area are issued.
Alerts can also be targeted based on their severity and a nifty feature of AirMagnet is that you can set thresholds so that as a particular form of security breach escalates the manager or administrator notified can also be escalated. Both products have remote monitoring -- in the case of AirDefense it is via a Java application and HTTPS so you can securely monitor the status of your infrastructure from a remote location. AirMagnet has chosen to go with a proprietary 32-bit Windows app that is secured via SSL. A very user-friendly feature of both interfaces is that they are able to display a detailed description of a threat in layman's terms.
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
While looking a little bland when compared to the AirMagnet front end, the AirDefense user interface is comprehensive and relatively easy to navigate, although at times you do have to drill down further than its competitor to glean information. The front dashboard does, at a glance, convey lot of critical information and it could be argued that because it is simpler and less cluttered than AirMagnet, alerts are more easily noticed.
A particularly neat screen is the Alarm display which, for example, can be configured to display the last seven days with concise descriptions of the events in the left pane and a graphical representation of each day in the right pane. Reporting is not as extensive as AirMagnet's and the reports not quite as fancy as its competitor but they are complete and do not lack in critical information.
Another string to AirDefense's bow is AirDefense Personal which can be installed on your fleet of roaming notebooks to provide security outside of your secure infrastructure, it fully integrates into the AirDefense Enterprise system and policies and policy changes are automatically uploaded to AD Personal when users reconnect to the LAN. While out and about the user is notified of any threats and the threat log is downloaded to the enterprise system when the notebook next logs on.
User interface -- AirMagnet
Of the two interfaces AirMagnet's is certainly the most attractive and it manages to cram an astonishing amount of information in the status screen. The large swag of information is presented very well, but the sheer volume can be a bit daunting for a first time user as you don't quite know which graph to peruse.
The remainder of the displays do not present the user with such an information overload and are definitely less intimidating although they do manage to still squeeze more information into each screen than AirDefense.
Luckily, or perhaps unluckily, AirMagnet's colour code all items, so at times the display is a riot of colour, but once you become familiar with it your eye can quickly target the information you are after.
AirMagnet's array of "canned" reports are extensive, far more so than AirDefense, and as you might imagine given the colourful nature of the interface they are cosmetically prettier. But do not mistake good looks for lack of information, the reports are every bit as detailed as the AirDefense reports and are formatted in such a way that they can slip right into your management reports with minimal tinkering.
|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
The WG-1100 is a wireless gateway "appliance" that comes in a 1U rack mount form factor. In effect, the WG-1100 sits between your relatively insecure WLAN and wired LAN and acts as a policeman so even if your WLAN is compromised the WG-1100 the wired side remains secure.
The appliance is in fact a small form factor PC motherboard, power supply and 20GB hard drive slotted into a 1RU case. The processing in the unit supplied to the Lab is via a 1GHz PIII and 256MB of memory.
The unit secures the wired LAN by only allowing correctly authenticated and encrypted clients from one side to the other.
The WG-1100 is the baby of the range with 10/100 Ethernet ports, two primary ports and a single failover, that have a maximum throughput speed of 30Mbps when using 3DES encryption. A wide range of encryption is supported including PPTE (40 and 128 bit), SSL and there is IPSec client support for Windows, SSH, Mac OS 10.2, PGPNet, and Funk AdmitOne to name a few.
Authentication methods are equally wide ranging with RADIUS, LDAP, Windows Domain, Secure Tokens, Local DB, Windows Active Directory, MAC Address, 802.1x, and WPA Transparent Login. The WG-1100 has very good user and policy management so that users can be defined by role, allowed locations and times and you can define what types of application traffic users can send or receive and even how much bandwidth users are allocated. As an example visitors may only be allocated a maximum bandwidth of 128Kbps and only allowed to connect while located in the visitors lounge with very restricted application traffic types allowed. Roaming policies can be defined for users and they can seamlessly roam across subnets, if their clearance allows, while using IPSec tunnelling.
The device is AP and wireless device agnostic and so it will work seamlessly in a multi-vendor AP environment. Also, PDAs, tablet PCs, and VOIP wireless handsets are no problem. Management is via a secure Web page and SNMP manageability is supported however management does not extend to the APs.
If you want to provide wireless connectivity to your wired infrastructure with the minimum amount of hassle then the BlueSocket WG-1100 is a secure option that is worth a look.
| |||||||||||||||||||||||
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
A traditional firewall is not much use when it comes to stopping intruders entering your wired LAN via your VLAN. To a firewall, a clever hacker will simply appear as a regular user. SonicWall is a trusted name in firewalls and the Pro 5060 is one of its top models. When paired with the SonicPoint APs it becomes a firewall with WLAN security bells and whistles.
The Pro 5060 is a powerhouse appliance that integrates high-speed gateway, antivirus, content filtering (blacklist), anti-spyware, anti-spam and intrusion detection; add the SonicPoint and you can add Wireless IPSec VPN and AP management to the list.
The Pro 5060 boasts gigabit stateful inspection performance over its six Gigabit ethernet ports, and supports features such as ISP failover, load balancing, WAN redundancy, and policy-based management. The performance specifications of the Pro 5060 are impressive:
- 750,000 concurrent connections
- stateful packet inspection throughput of 2.4Gbps bidirectional
- maximum of 6000 VPN client sessions
- encryption performance of 700Mbps using 3DES or AES.
As standard, the Pro 5060 ships with a one-year licence for antivirus, anti-spyware, and attack database updates. There is a 30-day trial of content filtering and gateway-enforced network antivirus. Like the Bluesocket, the Pro 5060 has integrated QoS features using 802.1p and Differential Service Code Points Class of Service designators to ensure bandwidth for critical VoIP and multimedia content applications.
There are two models of the SonicPoint AP available -- the higher speced unit supplied to the Lab is 802.11a/b/g capable while the "G" model as the name suggests is 802.11b/g.
The SonicPoint is a piece of cake to set up with PoE support and plug-and-play configuration with the Pro 5060 uploading predefined profiles and security settings. The SonicPoint has support for WPA using TKIP or AES alternatively users can be forced to use IPSec VPN tunnelling, managed by the Pro 5060.
In essence the Pro 5060 is a secure wireless gateway, much like the Bluesocket, with the addition of a powerful firewall and AP management.
| |||||||||||||||||||||||||
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
| Product | AirMagnet Enterprise | AirDefense |
| Vendor | AirMagnet (dist. Redbridge Solutions) | AirDefense (dist. Pacific Data) |
| Telephone | 0011 1 408 400 0200, (Redbridge 02 9959 9620) | 61 3 9820 0322 |
| Web site | www.airmagnet.com (www.redbridge.com.au) | www.airdefense.net |
| RRP | AU$11,595 (With Dell SC430 server hardware AU$14,357) | AU$39,007 |
| Warranty and support | First year support (including free upgrades) included with the package. Support available Monday through Friday, from 6am to 6pm Pacific Time via telephone, e-mail and Web. Warranty turn around time is one day. | Maintenance includes 5 x 12 technical support via phone, fax, e-mail, and Web. Four-hour guaranteed response time. Access to AirDefense channel partner service maintenance agreement. |
| Hardware requirements | Enterprise Server - Intel Pentium-4 Processor 2.4GHz, 512MB RAM, 4GB HD. Enterprise Console - Intel Pentium-4 Processor 1.2GHz, 256MB RAM, 20GB HD | Supplied as an appliance |
| OS supported | Windows 2000 server, Windows 2003 server, Windows XP Professional | (Hardened Linux Kernel) |
| Fail over capability | Backup server option, sensors will automatically switch over to the secondary server. When the server is unavailable, users can connect directly to the sensors. | Yes, with redundant server |
| Management console | Windows 32 application | Web Java |
| Preloaded policies | Enterprise best practice, enterprise rogue detection, financial (GLBA), healthcare (HIPAA), hotspot, tradeshow, warehouse/manufacturing, retail, government/military | SOX, GLBA, HIPAA, United States Dept. of Defense |
| Number of specific threat classes supported | Denial-of-Service attacks against APs and STAs, and infrastructure. Security penetration attacks, zero-day attacks, configuration vulnerabilities. | 200+ alarm signatures |
| AI feature for detecting potential threats | Analysis of abnormalities with wireless devices or the wireless network. | Correlation of events and anomalous behaviour detection engines |
| Notification methods | Syslog, SNMPv2/v3, E-mail, Paging, SMS, Messenger, Audio, Print | E-mail (SMS and pager concantenation option), SNMP, Syslog |
| Notification escalation supported | Can alert specific individuals of issues uniquely related to them and allow multiple thresholds tied to unique notifications or responses. | A very granular levels of notification for each individual |
| Automated response to threats | Automated wired side or wireless blocking can be tied to any of the 135+ security and performance policy violations. | Intrusion protection via policy-based termination (AirTermination) |
| Wireless triangulation | Integrated triangulation feature. Includes floorplan loading capability | Includes floorplan importation from CAD, Visio, or JPEG/BMP or other file formats. |
| Wired trace ability | Integrated wired side tracing feature. Results include specific switch and port information to which the rogue device is connected to. | As part of integration with Cisco WLSE |
| Sensor type/model | AirMagnet AM-5010-11AG Sensor, Cisco 1100 series, 1200 series, BR 1310 AP's (with limited fucntionality). | AirDefense M400 Sensor - 802.11a/b/g passive monitoring. |
| Sensor capabilities | SmartEdge architecture does packet analysis and stateful monitoring in the SmartEdge sensors, and then does correlation / reporting / alerting / notification in a centralised server. This reduces bandwidth over WAN links. | Sensors locally compress, encrypt data and submit to centralised server for immeadiate correlation and event management. |
| Can standard AP's be used to collect data | Allows the use of Cisco APs and Xirrus APs to collect data. | AP's can collect data in airopeek or pcap format to be then used with Ethereal/TCPDump for further analysis. |
| Wireless blocking capability | Allows for manual and automatic (based on policy violation) wireless blocking capability of APs, STAs and ad-hoc nodes. | Real-time threat mitigation using AirTermination |
| Scalability | AirMagnet Enterprise supports 1500+ sensors per server and with monitoring of unlimited number of APs. | Fully scalable. Each appliance supports up to a certain number of sensors. The 1150 (lowest spec) can handle up to 250 AirDefense sensors while the 2270 can handle 600+ |
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
This company wants to specifically target management of its wireless infrastructure independently of its wider LAN management system. They are seeking a product that offers granular control and security of the wireless network.
The company has a main site that with 30 APs many located in the open plan office area, quite a few in a small warehouse (for stock control) and several in the executive office area where there are individual offices.
There is also a regional office with five APs. Most of the APs are Cisco 1200s but there is a mix of other vendor products as well.
The company has around 200 employees and staff are expected to be able to connect wirelessly in the office but not outside the perimeter of the buildings. As a consequence the solution will need to include a rogue location feature.
Concerns: As always, security is paramount, cost, and ease of use are also important.
Editor's ChoiceAirMagnet has the edge in initial setup with its extensive range of policy templates that you simply apply or modify for your own requirements, both products offer "zero config" roll outs of sensors. AirMagnet has the best range of reports and produces them in clean formats that can be slipped into operational reports with minimum tinkering.
Both AirMagnet and AirDefence detected the range of threats we exposed the WLAN to, although the tests were not exhaustive. AirMagnet is more verbose in terms of alert reporting while Air-Defense was accurate and concise.
Once the user gets their head around either products user interface they will find navigation straight forward and intuitive.
We had problems with both products rogue location tracking, AirMagnet's was a little too inaccurate for our liking and we could not get AirDefense's to work correctly at all. We have however, read numerous reviews that had no problem with either vendors' product.
There is one significant distinguishing feature and that is pricing, AirDefense is considerably more expensive than AirMagnet at $39,000 compared to just AU$14,357 including a Dell SC430 server. If AirDefense's pricing had been more comparable the selection of Editor's Choice would have been more difficult. As it stands -- AirMagnet wins.
Contents Introduction AirDefense v AirMagnet AirDefense v AirMagnet 2 AirDefense v AirMagnet 3 Comparison table Bluesocket WG-1100 SonicWall Pro 5060 Specifications Editor's choice About RMIT | ||||
This article was first published in Technology & Business magazine.
Click here for subscription information.