This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."
About this Review
First, each product was set up in a basic test lab to confirm that all versions were up to date and that all features and functionality were present. Products were also deployed in a posture that assumed a zero-wireless policy and tested for tracing, alerting and blocking capabilities.
We then moved into a live industrial environment, with an extensive wireless network serving many wireless devices, including a variety of laptops, wireless NICs in desktops and hand-held devices. The server appliance/console and sensors were connected to the physical network, and three sensors from each product were placed in identical locations throughout the building.
We focused on common wireless threats, such as rogue devices, laptops with wireless NICs in ad-hoc mode, and misconfigured access points. Wireless attacks included MAC spoofing, denial-of-service and man-in-the-middle--all conducted using the freely available Auditor security collection from remote-exploit.org, which includes approximately 300 tools, such as Kismet, a wireless scanner; aireplay, a wireless packet injector; Void11, a wireless authentication packet generator; and changemac.sh, a MAC address changer.
A comprehensive site survey is absolutely critical to planning a successful wireless IDS/IPS deployment. Even the most sophisticated tools won't protect you if there are gaps in your defenses.
Each of these products includes site survey tools to determine the best locations for RF reception, helping you place not only the sensors but the wireless access points (APs) to best advantage. Although wireless IDS/IPS vendors can tell you the basic coverage of their sensors, building materials and conditions impact bit and error rates--and the same goes for APs. Metal shelves, microwave ovens, window blinds, doors, HVAC systems and power/network distribution closets, etc. can impact 802.11 signals.
AirTight's SpectraGuard Planner, AirMagnet's Surveyor and Network Chemistry's RFprotect Survey (all tools included with their base products) provide detailed planning for WLAN IDS/IPS deployment. AirTight goes a step further by offering professional services to create a sensor placement blueprint based on floor plan/coverage area. AirDefense Mobile only offers limited RF planning tools in the form of real-time discovery with capture file playback for later analysis.
AirTight's tool was the easiest to use and was much more granular than the others, accounting for factors such as construction materials and an extensive list of wireless equipment. AirTight and AirMagnet also provide the ability to simulate WLAN deployments for best RF coverage. AirMagnet Surveyor has a nicer interface than Network Chemistry, but their functionality is about the same--delivering important information such as coverage area, RF signal strength, data rates and packet loss.
A relatively new feature that simplifies sensor deployment is power over Ethernet (PoE), which eliminates the need for an additional power adapter for each sensor. That translates into significant cost savings and performance enhancement; sensor placement isn't limited to locations near existing power sources and doesn't require installing electrical outlets. All but AirDefense are PoE-compliant.
This was first published in March 2006