
Wireless crackdown

The spread of convenient wireless LANs has delighted hackers, who find many WLANs vulnerable. Managing and securing a wireless network is therefore vital, but rarely done well. ZDNet Australia compares the offerings from AirDefense and AirMagnet.



No one can deny the convenience of wireless LANs (WLANs), whether in your home, a hotspot at a coffee shop, a warehouse, or your office, and the growth in WLANs around the world reflects this convenience -- much to the delight of hackers who find many WLANs particularly vulnerable.


Contents
Introduction
AirDefense v AirMagnet
AirDefense v AirMagnet 2
AirDefense v AirMagnet 3
Comparison table
Bluesocket WG-1100
SonicWall Pro 5060
Specifications
Editor's choice
About RMIT

A wired infrastructure is generally bounded by the walls and confines of the organisation and the only connection with the outside world is via a firewall -- to compromise a wired LAN, this must be breached.

On the other hand, WLAN transmissions are free spirits that blithely pass through walls and fences into the car park, streets, and neighbouring buildings, where they are susceptible to unauthorised intercept. Anyone with NetStumbler or Kismet, for example, can "sniff" for SSIDs and sort the data to identify MAC addresses, channels, and connection speeds. A hacker does not even have to be located within your WLAN's "typical" coverage umbrella: using the infamous "Pringle Can" antenna, a hacker can be many hundreds of metres away and still receive an adequate signal.

Many access points (AP) and notebooks can be insecure -- for example the default settings for many brands of AP are freely available and if in the haste of installation the default password or SSID is left unchanged it can become a gateway for the hacker to infiltrate your WLAN. Depending on the security between the WLAN and wired LAN the latter may also become compromised.

In general a user's notebook is of greater concern than an AP, as notebooks often provide very little security and can be inadvertently compromised by the user, providing the hacker with a handy platform from which to breach your network. Even if you have a secure WLAN profile at the office, the user may connect to hotspots or even their home WLAN, whose profiles are not as secure. A hacker using Hotspotter, for example, can identify the user's preferred network list and then masquerade as the AP of one of the less secure profiles, disassociating the user from the secure office AP and reconnecting the hapless user to the hacker's AP.

At times users may set up ad-hoc networks to transfer data to and from workstations; such a peer-to-peer network does not require an AP or authentication and can be compromised.

A rogue AP can also compromise the network. This may be a hacker off-site but within range of your WLAN, or, more often than not, an employee who has installed a "more convenient" AP on your network without the administrator's sanction and, more importantly, outside the security profile of the wireless infrastructure.

To some the mention of an off-site hacker with a rogue AP conjures up an image of a nerdy looking guy with a notebook, AP, and 12V to 240V inverter but it could simply be a notebook or maybe a PDA running soft AP software such as HostAp, AirSnarf, or Hotspotter.

Strengthening your Wireless LAN Network against attacks

  • Lock down the WLAN perimeter. All laptops and WLAN PCs should have personal firewalls, and enterprise-class APs with high security features should be deployed with all default settings such as passwords, SSIDs etc. changed.
  • Secure all communications across the WLAN using strong authentication, encryption, and VPNs.
  • Conduct real-time monitoring of traffic -- and this is where the products tested in this comparison come in.

This month we look at software products to help you manage wireless networks and keep them secure. In this article we compare products from AirDefense and AirMagnet and also review products from Bluesocket and SonicWall. Other companies such as Roving Planet and Wavelink were invited to submit products for review but unfortunately declined to take part.



AirDefense vs AirMagnet
These two companies are an interesting pair of competitors. Rarely do we receive such evenly matched opponents; it's almost like watching a pair of identical twins duking it out. There are of course differences but they have both approached the problem of wireless security in a similar manner and even use identical hardware for their wireless sensors.

The products
The AirDefense solution consists of a server appliance and wireless sensors. The server appliance, as the name suggests, is usually supplied as an appliance, either an 1150, 2230, or 2270, but unfortunately there were none available at the time of this review. So the AirDefense technicians did the next best thing and installed the hardened Linux OS and security software on one of the Lab's servers. As a consequence, functionality is identical to the appliance.

The appliance itself is quite a beefy unit, with a single P4 2.8GHz processor and 1GB of memory in the low end 1150 unit and dual 2.4GHz Xeons and 4GB of memory in the high-end 2270 unit -- these are good for up to 350 and 600+ sensors respectively. AirDefense maintains that it makes more sense to provide an appliance than expecting the client to install, secure, and maintain their own server.

AirMagnet takes the opposite viewpoint and its enterprise server software installs on Windows 2000 and 2003 Server as well as XP Professional, and each server can cater for up to 1500 sensors. The reason for this massive number is because the AirMagnet sensors are more "educated" than the AirDefense sensors. The hardware requirements for the server are relatively modest and typically include a 2.4GHz processor, 512MB of memory, and 4GB of disk space.

Both vendors support failover from a primary to a secondary server, and should the link between the server and a sensor be lost the sensors will continue to monitor and store information until the link is restored. This is, of course, only up to a point: at some stage the sensors will run out of memory (but the link should be restored before then).

Configuring the sensors
The sensors are simply an AP with a hardened Linux kernel that passively observes, pre-analyses, and packages WLAN data and pumps it through to the server appliance for complete analysis. It is interesting to note that both vendors' sensors are identical in terms of hardware but use different firmware; as a consequence the AirDefense sensor only carries out rudimentary processing, while the AirMagnet sensor carries out almost all of the processing before sending the data to the server. AirDefense claims its sensors typically consume two percent of the total network bandwidth, even though the relatively raw data results in more traffic than the highly processed and more compact AirMagnet data stream. All sensor data is transferred using SSL and TLS, so it is secure and passes through firewalls with a minimum of fuss.

Manually configuring the sensors is not a great hardship on an individual basis, but if you have to deploy 20 or 30 sensors you would certainly not want to configure each of them manually.

Both products can be set up to auto-configure after the sensors grab their IP addresses from a DHCP server, and this includes the policy settings for each sensor.

If your organisation has an installed base of Cisco Aironet 1200 APs, these can also be utilised as sensors (albeit with limited capabilities) to feed the server appliance or enterprise server with security and performance data. Both vendors' products will happily integrate with Cisco WLSE (Wireless LAN Solution Engine) for seamless management of your WLAN infrastructure although only AirMagnet appears capable of utilising Cisco APs as rudimentary sensors without WLSE deployed. The Lab did not test the vendors' level of integration with WLSE.


AirDefense's user interface


Policy support
Even before implementing a WLAN security system your company will really need to hammer out a security policy that encompasses, for example, how your APs and clients are to behave in a wireless domain and which authentication methods are to be used. Your policy is realised in the configuration of the security software, which determines what constitutes a breach of security or policy. Obviously the policy structure for a bank will be very different from that of a coffee shop hot spot.

If, for example, you wish to comply with Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA), AirMagnet makes the process as simple as selecting the pre-packaged policy and applying it. With AirDefense you cannot simply select a SOX profile; you have to implement the policy manually and you will need an audit to ensure compliance, which is a bit of a pain.

The definition of policies is quite a complex process and there is quite a lot that must be nailed down such as: encryption and authentication, VLANs, approved data rates, channel locks and authorised channels, proper network names, and off-hours traffic.
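To show what "nailing down" those items looks like once a policy leaves the document and becomes something a sensor feed is tested against, here is an added Python example; it is not code from the article or from either vendor. It holds a hypothetical corporate policy (encryption and authentication, VLANs, approved data rates, authorised channels, network-name rule, off-hours traffic) and checks a few constructed AP observations against it, reporting every breach per BSSID. All policy keys, observation fields, addresses and thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Violation:
    bssid: str
    rule: str
    detail: str


# Hypothetical corporate WLAN policy (constructed values, not a vendor template).
POLICY = {
    "encryption": {"WPA2-AES"},
    "auth": {"802.1X"},
    "channels": {1, 6, 11},                          # authorised 2.4GHz channels
    "rates_mbps": {6, 9, 12, 18, 24, 36, 48, 54},    # legacy 1/2/5.5/11 disabled
    "ssid_regex": r"^CORP-[A-Z]{2,6}$",              # proper network names
    "vlans": {10, 20},
    "hours": (time(7, 0), time(20, 0)),              # business hours
    "off_hours_max_kbps": 0,                         # any off-hours data traffic is a breach
}


def check_ap(obs, policy=POLICY):
    """Return the policy violations for one observed AP (a dict of fields)."""
    found = []
    bssid = obs["bssid"]

    def hit(rule, detail):
        found.append(Violation(bssid, rule, detail))

    if obs["encryption"] not in policy["encryption"]:
        hit("encryption", f"{obs['encryption']} not in {sorted(policy['encryption'])}")
    if obs["auth"] not in policy["auth"]:
        hit("auth", f"{obs['auth']} not in {sorted(policy['auth'])}")
    if obs["channel"] not in policy["channels"]:
        hit("channel", f"channel {obs['channel']} not authorised")
    bad_rates = sorted(set(obs["rates_mbps"]) - policy["rates_mbps"])
    if bad_rates:
        hit("rates", f"unapproved data rates enabled: {bad_rates}")
    if not re.match(policy["ssid_regex"], obs["ssid"]):
        hit("ssid", f"SSID {obs['ssid']!r} does not follow the naming rule")
    if obs["vlan"] not in policy["vlans"]:
        hit("vlan", f"VLAN {obs['vlan']} not permitted for wireless")
    start, end = policy["hours"]
    off_hours = not (start <= obs["seen_at"] < end)
    if off_hours and obs["traffic_kbps"] > policy["off_hours_max_kbps"]:
        hit("off_hours_traffic", f"{obs['traffic_kbps']} kbps at {obs['seen_at']}")
    return found


def audit(observations, policy=POLICY):
    """Map each observed BSSID to its list of violations (empty list = compliant)."""
    return {o["bssid"]: check_ap(o, policy) for o in observations}


# Constructed observations: one compliant AP, one left on factory defaults,
# and one otherwise compliant AP that is carrying traffic at 02:15.
OBSERVATIONS = [
    {"bssid": "00:1a:2b:aa:00:01", "ssid": "CORP-HQ", "channel": 6, "encryption": "WPA2-AES",
     "auth": "802.1X", "rates_mbps": [6, 12, 24, 54], "vlan": 10,
     "seen_at": time(10, 30), "traffic_kbps": 850},
    {"bssid": "00:1a:2b:aa:00:02", "ssid": "linksys", "channel": 3, "encryption": "WEP",
     "auth": "open", "rates_mbps": [1, 2, 5.5, 11, 54], "vlan": 1,
     "seen_at": time(10, 31), "traffic_kbps": 20},
    {"bssid": "00:1a:2b:aa:00:03", "ssid": "CORP-WH", "channel": 11, "encryption": "WPA2-AES",
     "auth": "802.1X", "rates_mbps": [12, 24, 54], "vlan": 20,
     "seen_at": time(2, 15), "traffic_kbps": 300},
]

if __name__ == "__main__":
    for bssid, violations in audit(OBSERVATIONS).items():
        print(bssid, "compliant" if not violations else "")
        for v in violations:
            print("    ", v.rule, "-", v.detail)
```

The first five rules are plain membership tests against the configuration an AP advertises, but the off-hours rule needs the time of observation and a traffic volume, which is why a policy engine sits on the sensor feed rather than being a one-off configuration audit of the APs.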

Performance -- detection
Quite obviously the ability to detect all known wireless attacks by signature is a good start, so a comprehensive signature library is a must. AirMagnet boasts a library of 135 threat types while AirDefense claims an even greater number of signatures at 200 plus. Each of the products is also able to detect unknown attacks using WLAN behavioural analysis, although the subsequent alert and description would tend to be a tad more cryptic.

We carried out a short series of attacks on our WLAN; the test was certainly not exhaustive but it nevertheless gave us a feel for how the products responded to an attack and how user friendly the reporting was.

Amongst the attacks were simple sniffer scans, rogue APs which included both hardware and software APs and also MAC address spoofing of an infrastructure AP. We also hit the WLAN with a variety of Denial of Service Attacks (DoS) such as De-Authentication Flood, Disassociation Flood, EAP Failure Flood, EAP Logoff Flood, and CTS Flood.

Both products detected all the attacks although they did not always identify the attack correctly which was a bit of a surprise given that they should have had quite common signatures. Of the two, AirDefense was the more accurate at identifying the attack and also seemed less prone to false alarms. It was also the most succinct.

AirMagnet certainly identified threats, but sometimes with rather generic descriptions. And because some attacks involve more than a single mechanism, you were more likely to receive multiple messages from one attack, compared with AirDefense's single alert.
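To show what the signature side of this detection amounts to, here is an added Python example, not code from the article or from either vendor: a rate detector run over a constructed stream of 802.11 management and EAPOL frames covering the flood types listed above (deauthentication, disassociation, EAP failure, EAP logoff, CTS). It needs only frame headers, raises one alert per burst and keeps extending that alert while frames continue, rather than emitting one message per frame. Window, thresholds and addresses are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float   # capture time in seconds
    kind: str   # short label for the 802.11 subtype or EAPOL code
    src: str    # transmitter address; "" for CTS, which carries only a receiver
    dst: str


@dataclass
class FloodAlert:
    kind: str
    key: str      # address the burst is attributed to
    start: float
    end: float
    count: int


WINDOW = 1.0  # seconds
# Frames per window from one address that count as a flood (constructed values).
THRESHOLDS = {"deauth": 20, "disassoc": 20, "eap_failure": 15, "eap_logoff": 15, "cts": 50}


def detect_floods(frames, window=WINDOW, thresholds=THRESHOLDS):
    """Sliding-window rate signature: one FloodAlert per burst, extended
    while frames keep arriving within `window` of the last one."""
    alerts, open_alerts = [], {}
    recent = defaultdict(deque)          # (kind, address) -> timestamps in window
    for f in sorted(frames, key=lambda x: x.ts):
        if f.kind not in thresholds:
            continue
        key = (f.kind, f.src or f.dst)   # CTS has no transmitter, key on receiver
        q = recent[key]
        q.append(f.ts)
        while f.ts - q[0] > window:
            q.popleft()
        alert = open_alerts.get(key)
        if alert is not None:
            if f.ts - alert.end <= window:
                alert.end, alert.count = f.ts, alert.count + 1
                continue
            del open_alerts[key]         # burst ended; a new one may start below
        if len(q) >= thresholds[f.kind]:
            alert = FloodAlert(f.kind, key[1], q[0], f.ts, len(q))
            alerts.append(alert)
            open_alerts[key] = alert
    return alerts


def summarise(alerts):
    return [f"{a.kind} flood from {a.key}: {a.count} frames in {a.end - a.start:.2f}s"
            for a in alerts]


# Constructed capture: a legitimate AP, one client, and three test bursts.
AP = "00:1a:2b:aa:00:01"
STA = "00:16:6f:11:22:33"
SAMPLE_FRAMES = (
    # normal housekeeping: three deauths from the AP over a minute
    [Frame(1.0, "deauth", AP, STA), Frame(30.0, "deauth", AP, STA), Frame(55.0, "deauth", AP, STA)]
    # 60 broadcast deauths in under half a second carrying the AP's address
    + [Frame(10.0 + i * 0.008, "deauth", AP, "ff:ff:ff:ff:ff:ff") for i in range(60)]
    # five disassociations: below threshold, no alert
    + [Frame(20.0 + i * 0.01, "disassoc", AP, STA) for i in range(5)]
    # 40 EAPOL-Logoff frames in 0.8 s, attributed to the station address
    + [Frame(40.0 + i * 0.02, "eap_logoff", STA, AP) for i in range(40)]
)

if __name__ == "__main__":
    for line in summarise(detect_floods(SAMPLE_FRAMES)):
        print(line)
```

Behavioural detection, which the article says both products also do, would sit on top of this with a learned baseline per AP instead of fixed thresholds; the window and the per-address keying are what keep the three routine deauths above from ever becoming an alert.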


AirMagnet's rogue tracking screen.


Performance -- action
Should either product detect a rogue AP they can effectively put down the rogue by taking it off the air, as well as disassociate a corporate wireless device should it blunder onto the rogue.

Of course, it is always a good idea to take note of any neighbouring and legitimate APs before enabling the products' automated rogue blocking; after all, you would not want to take out your business neighbours' APs by mistake. If an intruder is identified they can also be summarily blocked and kicked off the WLAN in much the same way. This is an option that, while one would not expect it to be abused, may well be misused, and both products maintain detailed audit logs to identify the complete "when, who, and what" each time the blocking feature is used.

Should the rogue device be physically connected to your wired infrastructure, both products can track the device right down to the switch port it is connected to and, provided SNMP is set up correctly, disconnect the port. AirDefense carries out the wired search from the server appliance out to the offending device in a top-down approach, while AirMagnet is able to track back from the closest sensor, potentially a quicker solution.

A pertinent question, should a rogue device be detected, is "how much damage did they manage to do before they were detected and/or blocked?" Only AirDefense appears to have a satisfactory answer to this because it can provide "forensic" information such as how much data was exchanged, what direction the traffic was flowing and an analysis of all the connections made by the rogue.
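The rogue handling described in this section, as an added Python example that is not code from the article or from either vendor: observed APs are classified against an inventory of authorised BSSIDs and a list of known neighbours; an authorised BSSID seen with a different SSID or channel from the inventory is flagged as suspected impersonation (the MAC-spoofing case from the tests); and an unknown BSSID is traced to a switch port through constructed bridge forwarding tables of the kind one reads over SNMP. The rule that an AP's wired MAC shares its BSSID's OUI and differs only in the last octet is a heuristic assumption, as are all addresses, switch and port names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SeenAP:
    bssid: str
    ssid: str
    channel: int


def _octets(mac):
    return [int(x, 16) for x in mac.split(":")]


def wired_match(bssid, wired_mac, max_delta=3):
    """Heuristic (assumption, not a vendor algorithm): an AP's Ethernet MAC
    shares the OUI of its BSSID and differs only slightly in the last octet."""
    b, w = _octets(bssid), _octets(wired_mac)
    return b[:5] == w[:5] and abs(b[5] - w[5]) <= max_delta


def trace_to_port(bssid, fdb, trunk_threshold=8):
    """fdb maps switch -> port -> MACs learned on that port. Ports carrying
    many MACs are uplinks/trunks and are skipped so the edge port is reported."""
    for switch, ports in fdb.items():
        for port, macs in ports.items():
            if len(macs) >= trunk_threshold:
                continue
            for mac in macs:
                if wired_match(bssid, mac):
                    return switch, port, mac
    return None


def classify(seen, inventory, neighbours, fdb):
    """inventory: authorised BSSID -> (SSID, channel). Returns BSSID -> (status, detail)."""
    out = {}
    for ap in seen:
        if ap.bssid in inventory:
            ssid, chan = inventory[ap.bssid]
            if (ap.ssid, ap.channel) == (ssid, chan):
                out[ap.bssid] = ("authorised", "")
            else:
                out[ap.bssid] = ("impersonation",
                                 f"inventory says {ssid}/ch{chan}, seen {ap.ssid}/ch{ap.channel}")
        elif ap.bssid in neighbours:
            out[ap.bssid] = ("neighbour", "known external AP; never block")
        else:
            hit = trace_to_port(ap.bssid, fdb)
            if hit:
                out[ap.bssid] = ("rogue-on-wire", "%s port %s (wired MAC %s)" % hit)
            else:
                out[ap.bssid] = ("rogue-off-wire", "not found in any forwarding table")
    return out


# Constructed data: two authorised APs, one neighbour, two unknown APs.
INVENTORY = {"00:1a:2b:aa:00:01": ("CORP-HQ", 6), "00:1a:2b:aa:00:02": ("CORP-HQ", 11)}
NEIGHBOURS = {"00:0c:41:bb:00:10"}
SEEN = [
    SeenAP("00:1a:2b:aa:00:01", "CORP-HQ", 6),
    SeenAP("00:1a:2b:aa:00:02", "CORP-HQ", 1),     # right BSSID, wrong channel
    SeenAP("00:0c:41:bb:00:10", "cafe-guest", 6),
    SeenAP("00:1c:f0:cc:00:20", "linksys", 6),     # unknown, plugged into floor 3
    SeenAP("00:1c:f0:dd:00:30", "free-wifi", 11),  # unknown, not on our wire
]
FDB = {
    # the core switch sees the rogue's MAC too, but only via a trunk port
    "sw-core": {"Gi1/1": ["00:1c:f0:cc:00:21"] + ["00:50:56:00:00:%02x" % i for i in range(9)]},
    "sw-floor3": {"Fa0/12": ["00:1c:f0:cc:00:21"], "Fa0/13": ["00:16:6f:11:22:33"]},
}

if __name__ == "__main__":
    for bssid, (status, detail) in classify(SEEN, INVENTORY, NEIGHBOURS, FDB).items():
        print(f"{bssid}  {status:15} {detail}")
```

Skipping trunk ports is what turns "the rogue is somewhere behind sw-core Gi1/1" into "sw-floor3 Fa0/12", which is the port one would actually shut; the neighbour list is the guard the article recommends before enabling automated blocking.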

Rogue locating software
Each vendor offers wireless rogue location software because, let's face it, it would not be a great deal of help if you identified a wireless rogue but had no idea where it was located.

In the case of AirMagnet it is part and parcel of the standard software but AirDefense lists it as an additional cost option.

Both products enlist the help of Cisco APs to assist with the triangulation and location process. Before we discuss the results of our rogue AP location attempts we should point out that the Lab and its surrounds are particularly hostile to this process. We have a made of steel and thick concrete sitting at one side of the Lab, lots of thick concrete walls reinforced with steel girders, not to mention the plate glass windows with metallised reflective film surrounding the Lab. If you are in a similar environment then, quite frankly, do not expect a great deal of accuracy with all the multipath reflections in progress. A more detailed description of this month's trials and tribulations with the rogue tracking can be found here.

AirDefense's Location Tracking module did not function correctly, and at the 11th hour an upgrade patch was applied by one of the company's engineers, which did not help the situation at all. We were unable to entice the location tracking to work at all, although the diagnostics worked quite well and provided us with brightly coloured probability distributions showing the probable location of the rogue -- sadly, not in the correct position.

AirMagnet's integrated rogue triangulation functioned, but its accuracy was poor: both products were at times up to 10m off in their positioning of the rogue. In a very unfair comparison, AirMagnet's probability curve did at times run very close to the actual location of the rogue, although its best guess as to the location, marked by a little red AP, was not close at all.
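To make the location problem concrete, this added Python example (not from the article or from either vendor) implements the RSSI-based trilateration that such products attempt: a log-distance path-loss model turns each sensor's RSSI into a range, and a least-squares solve combines four constructed sensor positions. It then adds 12 dB of extra loss on one sensor's path, standing in for the steel and concrete described above, and measures how far the estimate moves. Model parameters, sensor positions, the rogue's true position and the obstruction loss are all assumptions.

```python
import math

# Log-distance path-loss model parameters (constructed for an indoor office).
P0_DBM = -40.0   # received power at the 1 m reference distance
N_EXP = 3.0      # path-loss exponent; 2 is free space, indoor is higher


def rssi_from_distance(d_m):
    return P0_DBM - 10 * N_EXP * math.log10(d_m)


def distance_from_rssi(rssi_dbm):
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * N_EXP))


def locate(sensors, rssi):
    """Least-squares trilateration. sensors: name -> (x, y) in metres,
    rssi: name -> dBm. Subtracting the first range circle from each of the
    others linearises the system to A[x y]^T = b; the 2x2 normal equations
    are solved by Cramer's rule so no numeric library is needed."""
    names = list(sensors)
    d = {n: distance_from_rssi(rssi[n]) for n in names}
    x0, y0 = sensors[names[0]]
    rows = []
    for n in names[1:]:
        xi, yi = sensors[n]
        rows.append(([2 * (xi - x0), 2 * (yi - y0)],
                     d[names[0]] ** 2 - d[n] ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2))
    a11 = sum(r[0][0] ** 2 for r in rows)
    a12 = sum(r[0][0] * r[0][1] for r in rows)
    a22 = sum(r[0][1] ** 2 for r in rows)
    b1 = sum(r[0][0] * r[1] for r in rows)
    b2 = sum(r[0][1] * r[1] for r in rows)
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("sensor geometry is degenerate (collinear sensors)")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def error_m(estimate, truth):
    return math.dist(estimate, truth)


# Constructed layout: four sensors at the corners of a 20 m x 15 m floor.
SENSORS = {"s0": (0.0, 0.0), "s1": (20.0, 0.0), "s2": (0.0, 15.0), "s3": (20.0, 15.0)}
ROGUE = (6.0, 5.0)   # true position of the rogue AP


def clean_readings():
    """RSSI each sensor would see if the path-loss model held exactly."""
    return {n: rssi_from_distance(math.dist(SENSORS[n], ROGUE)) for n in SENSORS}


def obstructed_readings(extra_loss_db=12.0):
    """Same, but the s0 path crosses steel and concrete (constructed 12 dB)."""
    r = clean_readings()
    r["s0"] -= extra_loss_db
    return r


def demo():
    """Return (error with clean readings, error with one obstructed path), in metres."""
    clean = error_m(locate(SENSORS, clean_readings()), ROGUE)
    obstructed = error_m(locate(SENSORS, obstructed_readings()), ROGUE)
    return clean, obstructed


if __name__ == "__main__":
    c, o = demo()
    print(f"clean readings: {c:.3f} m error; one 12 dB obstruction: {o:.1f} m error")
```

With readings that fit the model the solve recovers the true position to floating-point precision; one obstructed path pushes the estimate roughly 9 m away, the same order as the up-to-10m errors reported above, and that is before any reflection makes a sensor read the rogue as closer than it is. Probability maps of the kind both products draw are a way of showing that spread rather than a single point.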

Both products include extensive and flexible alerting features with administrators notified of security breaches via SNMP, e-mail, SMS, and pager to name a few. Different managers can be assigned to various areas of the infrastructure and only alerts pertaining to their area are issued.

Alerts can also be targeted based on their severity and a nifty feature of AirMagnet is that you can set thresholds so that as a particular form of security breach escalates the manager or administrator notified can also be escalated. Both products have remote monitoring -- in the case of AirDefense it is via a Java application and HTTPS so you can securely monitor the status of your infrastructure from a remote location. AirMagnet has chosen to go with a proprietary 32-bit Windows app that is secured via SSL. A very user-friendly feature of both interfaces is that they are able to display a detailed description of a threat in layman's terms.



User interface -- AirDefense
While looking a little bland when compared to the AirMagnet front end, the AirDefense user interface is comprehensive and relatively easy to navigate, although at times you do have to drill down further than in its competitor to glean information. The front dashboard does, at a glance, convey a lot of critical information, and it could be argued that because it is simpler and less cluttered than AirMagnet's, alerts are more easily noticed.

A particularly neat screen is the Alarm display which, for example, can be configured to display the last seven days with concise descriptions of the events in the left pane and a graphical representation of each day in the right pane. Reporting is not as extensive as AirMagnet's and the reports not quite as fancy as its competitor but they are complete and do not lack in critical information.

Another string to AirDefense's bow is AirDefense Personal, which can be installed on your fleet of roaming notebooks to provide security outside of your secure infrastructure. It fully integrates into the AirDefense Enterprise system, and policies and policy changes are automatically uploaded to AD Personal when users reconnect to the LAN. While out and about the user is notified of any threats, and the threat log is downloaded to the enterprise system when the notebook next logs on.

User interface -- AirMagnet
Of the two interfaces AirMagnet's is certainly the more attractive, and it manages to cram an astonishing amount of information into the status screen. The large swag of information is presented very well, but the sheer volume can be a bit daunting for a first-time user as you don't quite know which graph to peruse.

The remainder of the displays do not present the user with such an information overload and are definitely less intimidating although they do manage to still squeeze more information into each screen than AirDefense.

Luckily, or perhaps unluckily, AirMagnet colour-codes all items, so at times the display is a riot of colour, but once you become familiar with it your eye can quickly target the information you are after.

AirMagnet's array of "canned" reports is extensive, far more so than AirDefense's, and as you might imagine given the colourful nature of the interface they are cosmetically prettier. But do not mistake good looks for lack of information: the reports are every bit as detailed as the AirDefense reports and are formatted in such a way that they can slip right into your management reports with minimal tinkering.

Product: AirDefense
Price: AU$39,007
Vendor: Pacific Data (distributor)
Phone: 03 9820 0322
Web: www.airdefense.net, www.pacificdata.net.au
Interoperability: Software resides on a hardened appliance, integrates with Cisco WLSE, can utilise APs from Cisco as basic sensors.
Futureproofing (½): The 1150 appliance only supports 250 sensors but the 2270 can support 600 sensors; good notification features.
ROI: Very good performance, simple user interface, extensive feature list, but very costly when compared to the competition.
Service: Maintenance includes 5 x 12 technical support via phone, fax, e-mail, and Web support. Four-hour guaranteed response time. AirDefense customers also have access to the AirDefense channel partner service maintenance agreement.
Rating: ½

Product: AirMagnet Enterprise
Price: AU$11,595 (with Dell SC430 server AU$14,357)
Vendor: Redbridge Solutions (distributor)
Phone: 02 9959 9620
Web: www.airmagnet.com, www.redbridge.com.au
Interoperability: Relatively modest server hardware requirements, Windows only for the server, integrates with Cisco WLSE and other vendors, can utilise APs from Cisco with limited functionality.
Futureproofing: Modest hardware can support up to 1500 sensors; very good notification features.
ROI: Very good performance, relatively simple user interface, extensive feature list, relatively inexpensive.
Service: First-year support (including free upgrades) included with the package. Support available Mon-Fri 6am to 6pm via phone, e-mail, and Web. Warranty turnaround time is one day.
Rating:


Bluesocket WG-1100
The WG-1100 is a wireless gateway "appliance" that comes in a 1U rack-mount form factor. In effect, the WG-1100 sits between your relatively insecure WLAN and your wired LAN and acts as a policeman, so even if your WLAN is compromised the wired side remains secure.

The appliance is in fact a small form factor PC motherboard, power supply and 20GB hard drive slotted into a 1RU case. The processing in the unit supplied to the Lab is via a 1GHz PIII and 256MB of memory.

The unit secures the wired LAN by only allowing correctly authenticated and encrypted clients from one side to the other.

The WG-1100 is the baby of the range, with 10/100 Ethernet ports (two primary ports and a single failover port) and a maximum throughput of 30Mbps when using 3DES encryption. A wide range of encryption is supported, including PPTP (40- and 128-bit) and SSL, and there is IPSec client support for Windows, SSH, Mac OS 10.2, PGPNet, and Funk AdmitOne, to name a few.

Authentication methods are equally wide ranging: RADIUS, LDAP, Windows Domain, Secure Tokens, Local DB, Windows Active Directory, MAC Address, 802.1x, and WPA Transparent Login. The WG-1100 has very good user and policy management, so users can be defined by role, allowed locations and times, and you can define what types of application traffic users can send or receive and even how much bandwidth users are allocated. As an example, visitors may only be allocated a maximum bandwidth of 128Kbps and only be allowed to connect while located in the visitors' lounge, with very restricted application traffic types allowed. Roaming policies can be defined for users, and they can seamlessly roam across subnets, if their clearance allows, while using IPSec tunnelling.

The device is AP and wireless device agnostic, so it will work seamlessly in a multi-vendor AP environment. PDAs, tablet PCs, and VoIP wireless handsets are no problem either. Management is via a secure Web page and SNMP manageability is supported; however, management does not extend to the APs.

If you want to provide wireless connectivity to your wired infrastructure with the minimum amount of hassle, then the Bluesocket WG-1100 is a secure option that is worth a look.

Product: Bluesocket WG-1100
Interoperability: Supports a wide range of encryption and authentication methods.
Futureproofing (½): Connectivity is modest with 10/100 Ethernet and a maximum throughput of 30Mbps using 3DES encryption.
ROI: Provides good protection between the wired and wireless domains at a reasonable price.
Service: Support in Australia should be handled through your Bluesocket accredited partner. They have the capability to contact Bluesocket USA 24x7 to get support. Bluesocket offers a range of support services, from e-mail and telephone support right through to a 24x7 support offering and on-site engineers.
Rating: ½


SonicWall Pro 5060 and SonicPoint
A traditional firewall is not much use when it comes to stopping intruders entering your wired LAN via your WLAN: to a firewall, a clever hacker will simply appear as a regular user. SonicWall is a trusted name in firewalls and the Pro 5060 is one of its top models. When paired with the SonicPoint APs it becomes a firewall with WLAN security bells and whistles.

The Pro 5060 is a powerhouse appliance that integrates high-speed gateway, antivirus, content filtering (blacklist), anti-spyware, anti-spam and intrusion detection; add the SonicPoint and you can add Wireless IPSec VPN and AP management to the list.

The Pro 5060 boasts gigabit stateful inspection performance over its six Gigabit Ethernet ports, and supports features such as ISP failover, load balancing, WAN redundancy, and policy-based management. The performance specifications of the Pro 5060 are impressive:

  • 750,000 concurrent connections
  • stateful packet inspection throughput of 2.4Gbps bidirectional
  • maximum of 6000 VPN client sessions
  • encryption performance of 700Mbps using 3DES or AES.

As standard, the Pro 5060 ships with a one-year licence for antivirus, anti-spyware, and attack database updates. There is a 30-day trial of content filtering and gateway-enforced network antivirus. Like the Bluesocket, the Pro 5060 has integrated QoS features using 802.1p and Differentiated Services Code Point (DSCP) class-of-service designators to ensure bandwidth for critical VoIP and multimedia content applications.

There are two models of the SonicPoint AP available: the higher-specced unit supplied to the Lab is 802.11a/b/g capable, while the "G" model, as the name suggests, is 802.11b/g.

The SonicPoint is a piece of cake to set up, with PoE support and plug-and-play configuration, the Pro 5060 uploading predefined profiles and security settings. The SonicPoint supports WPA using TKIP or AES; alternatively, users can be forced to use IPSec VPN tunnelling, managed by the Pro 5060.

In essence the Pro 5060 is a secure wireless gateway, much like the Bluesocket, with the addition of a powerful firewall and AP management.

Product: SonicWall Pro 5060
Vendor: SonicWall
Interoperability: Proprietary AP management and good encryption support.
Futureproofing: Excellent connectivity with six Gbit Ethernet ports, 700Mbps encrypted traffic throughput, 2.4Gbps stateful packet inspection and a great range of firewall features.
ROI (½): Loads of features; a great all-round security product that is quite good value.
Service (½): 12 months warranty and 90 days 8x5 support (local time) via Web, e-mail and phone through a 1800 or 0800 number for Australia/New Zealand. Full UTM security services yearly subscription is US$2394. Content Filtering Premium yearly subscription is US$2394.
Rating: ½


Specifications

Product
  AirMagnet: AirMagnet Enterprise
  AirDefense: AirDefense
Vendor
  AirMagnet: AirMagnet (distributor Redbridge Solutions)
  AirDefense: AirDefense (distributor Pacific Data)
Telephone
  AirMagnet: 0011 1 408 400 0200 (Redbridge 02 9959 9620)
  AirDefense: 61 3 9820 0322
Web site
  AirMagnet: www.airmagnet.com (www.redbridge.com.au)
  AirDefense: www.airdefense.net
RRP
  AirMagnet: AU$11,595 (with Dell SC430 server hardware AU$14,357)
  AirDefense: AU$39,007
Warranty and support
  AirMagnet: First year support (including free upgrades) included with the package. Support available Monday through Friday, from 6am to 6pm Pacific Time via telephone, e-mail and Web. Warranty turnaround time is one day.
  AirDefense: Maintenance includes 5 x 12 technical support via phone, fax, e-mail, and Web. Four-hour guaranteed response time. Access to AirDefense channel partner service maintenance agreement.
Hardware requirements
  AirMagnet: Enterprise Server - Intel Pentium 4 processor 2.4GHz, 512MB RAM, 4GB HD. Enterprise Console - Intel Pentium 4 processor 1.2GHz, 256MB RAM, 20GB HD.
  AirDefense: Supplied as an appliance.
OS supported
  AirMagnet: Windows 2000 Server, Windows 2003 Server, Windows XP Professional
  AirDefense: Hardened Linux kernel (appliance)
Failover capability
  AirMagnet: Backup server option; sensors will automatically switch over to the secondary server. When the server is unavailable, users can connect directly to the sensors.
  AirDefense: Yes, with redundant server.
Management console
  AirMagnet: Windows 32-bit application
  AirDefense: Web (Java)
Preloaded policies
  AirMagnet: Enterprise best practice, enterprise rogue detection, financial (GLBA), healthcare (HIPAA), hotspot, tradeshow, warehouse/manufacturing, retail, government/military
  AirDefense: SOX, GLBA, HIPAA, United States Dept. of Defense
Number of specific threat classes supported
  AirMagnet: Denial-of-Service attacks against APs, STAs, and infrastructure. Security penetration attacks, zero-day attacks, configuration vulnerabilities.
  AirDefense: 200+ alarm signatures
AI feature for detecting potential threats
  AirMagnet: Analysis of abnormalities with wireless devices or the wireless network.
  AirDefense: Correlation of events and anomalous behaviour detection engines.
Notification methods
  AirMagnet: Syslog, SNMPv2/v3, e-mail, paging, SMS, Messenger, audio, print
  AirDefense: E-mail (SMS and pager concatenation option), SNMP, Syslog
Notification escalation supported
  AirMagnet: Can alert specific individuals of issues uniquely related to them and allow multiple thresholds tied to unique notifications or responses.
  AirDefense: Very granular levels of notification for each individual.
Automated response to threats
  AirMagnet: Automated wired-side or wireless blocking can be tied to any of the 135+ security and performance policy violations.
  AirDefense: Intrusion protection via policy-based termination (AirTermination).
Wireless triangulation
  AirMagnet: Integrated triangulation feature. Includes floorplan loading capability.
  AirDefense: Includes floorplan importation from CAD, Visio, JPEG/BMP or other file formats.
Wired traceability
  AirMagnet: Integrated wired-side tracing feature. Results include the specific switch and port to which the rogue device is connected.
  AirDefense: As part of integration with Cisco WLSE.
Sensor type/model
  AirMagnet: AirMagnet AM-5010-11AG Sensor; Cisco 1100 series, 1200 series, BR 1310 APs (with limited functionality).
  AirDefense: AirDefense M400 Sensor - 802.11a/b/g passive monitoring.
Sensor capabilities
  AirMagnet: SmartEdge architecture does packet analysis and stateful monitoring in the SmartEdge sensors, then does correlation/reporting/alerting/notification in a centralised server. This reduces bandwidth over WAN links.
  AirDefense: Sensors locally compress and encrypt data and submit it to the centralised server for immediate correlation and event management.
Can standard APs be used to collect data
  AirMagnet: Allows the use of Cisco APs and Xirrus APs to collect data.
  AirDefense: APs can collect data in AiroPeek or pcap format to be used with Ethereal/tcpdump for further analysis.
Wireless blocking capability
  AirMagnet: Allows for manual and automatic (based on policy violation) wireless blocking of APs, STAs and ad-hoc nodes.
  AirDefense: Real-time threat mitigation using AirTermination.
Scalability
  AirMagnet: AirMagnet Enterprise supports 1500+ sensors per server, with monitoring of an unlimited number of APs.
  AirDefense: Fully scalable. Each appliance supports up to a certain number of sensors: the 1150 (lowest spec) can handle up to 250 AirDefense sensors while the 2270 can handle 600+.


Scenario
This company wants to specifically target management of its wireless infrastructure independently of its wider LAN management system. They are seeking a product that offers granular control and security of the wireless network.

The company has a main site with 30 APs, many located in the open-plan office area, quite a few in a small warehouse (for stock control), and several in the executive office area where there are individual offices.

There is also a regional office with five APs. Most of the APs are Cisco 1200s but there is a mix of other vendor products as well.

The company has around 200 employees and staff are expected to be able to connect wirelessly in the office but not outside the perimeter of the buildings. As a consequence the solution will need to include a rogue location feature.

Concerns: As always, security is paramount; cost and ease of use are also important.

Editor's Choice

T&B Editor's choice
This has got to be one of the most difficult decisions we have had to make for an Editor's Choice. With just two comparable products that are so similar in functionality and features, it's like picking your favourite of two twins after just meeting them. It all comes down to how each of the programs delivers on its promises. How easy is it to trace and squash a rogue AP, or to configure policies and sensors? Is the alerting accurate and presented in a comprehensible format that is easy to drill down into? Do the canned reports meet your requirements?

AirMagnet has the edge in initial setup with its extensive range of policy templates that you simply apply or modify for your own requirements; both products offer "zero config" roll-outs of sensors. AirMagnet has the best range of reports and produces them in clean formats that can be slipped into operational reports with minimum tinkering.

Both AirMagnet and AirDefense detected the range of threats we exposed the WLAN to, although the tests were not exhaustive. AirMagnet is more verbose in terms of alert reporting, while AirDefense was accurate and concise.

Once the user gets their head around either product's user interface they will find navigation straightforward and intuitive.

We had problems with both products' rogue location tracking: AirMagnet's was a little too inaccurate for our liking, and we could not get AirDefense's to work correctly at all. We have, however, read numerous reviews that had no problem with either vendor's product.

There is one significant distinguishing feature, and that is pricing: AirDefense is considerably more expensive than AirMagnet, at $39,000 compared to just AU$14,357 including a Dell SC430 server. If AirDefense's pricing had been more comparable, the selection of Editor's Choice would have been more difficult. As it stands, AirMagnet wins.



About RMIT IT Test Labs

RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own -- only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.

This article was first published in Technology & Business magazine.