This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."
AirTight presented a painless and secure installation and excellent configuration options. Each of the others had some "gotcha" that hindered installation and configuration.
We were particularly pleased that AirTight forces the use of a strong administrative password. It can also enforce policy on individual subnets; for example, there could be a subnet for employees, one for vendors/partners, one for contractors and one for guests.
The AirTight and AirDefense appliances were initialized with basic network settings using a command-line interface through a serial connection; the administrative consoles were accessed through a Java-based GUI using a secure browser connection. Setup wizards took us through the basics of access point and client classifications, 802.11 security and intrusion detection/prevention policies. AirMagnet and Network Chemistry are both software-based, so the configuration wizards start from the moment of installation.
Overall, we found both AirDefense and AirMagnet more complex and time-consuming than AirTight to install and configure. (AirDefense bills itself as a plug-and-play configuration, but we didn't find this to be the case.) Instant network device synchronization was also supposed to be an AirDefense feature; however, during our testing several of the APs from less common vendors had to be reset in order for AirDefense to identify them.
The configuration choices for security policies were much the same across the board, letting us limit access based on security settings (WPA, WEP, AES), protocol (802.11a/b/g), SSID and AP vendors. Since the practical testing environment had multiple AP vendors and mobile users with older equipment capable of only 802.11b and WEP, we set our security policy to check only the SSID and the use of WEP, the bare minimum for wireless security.
AirMagnet suggests installing its Enterprise Server on a machine dedicated solely to running its services; if you use Microsoft SQL Server with AirMagnet Enterprise Reporter, it needs to be installed on another machine. We'd prefer one hardened, rack-mounted appliance.
Network Chemistry's initial installation and configuration were somewhat confusing. The wizard windows present multiple choices that use inconsistent terminology (client vs. console). Auto-provisioning the sensors through either DNS or DHCP required additional steps such as auto-generating Encrypted Transport Layer keys, DNS addressing schemes and vendor-specific DHCP tags.
For large, distributed installations, this functionality is probably worth the effort to figure out, but for our practical testing, we manually configured each sensor through the console by simply clicking the "Add Sensor" button. The configuration from there was similar to setting up a network adapter on any Windows-based system, either using DHCP or by entering static IP settings. The template settings, which let us set up a single sensor and then load those settings onto the other sensors, made the job fairly painless.
There is a lot of neat technology in Network Chemistry's software, but the setup details will challenge anyone except an RF engineer.
This was first published in March 2006.