Published: 01 Sep 2008
|WIRELESS NETWORK SECURITY
The latest version of AirDefense is a mature enterprise wireless security solution offers a modularized feature set, which allows organizations to customize their installation to meet specific requirements in a cost-effective way.
AirDefense has focused on the shifting threatscape, which has moved from what one observer has called Internet "hooliganism" to organized crime. With pervasive wireless deployments in retail, manufacturing, delivery and healthcare, companies tasked with regulatory compliance will appreciate its policy and reporting capabilities.
There have been numerous updates since we last examined AirDefense in March 2006. Notable improvements include support for Power over Ethernet (PoE), an improved user interface, overhauled reporting, and new features such as WEP cloaking, advanced forensics, spectrum analysis and a centralized console for the management of multiple AirDefense appliances. These additions should automatically put AirDefense on the short list for enterprises with large, distributed wireless installations.
AirDefense offers three different appliance models to meet the needs of organizations of all scales. We tested the mid-range 3650.Installation/ConfigurationA-
The appliance is initialized via command line interface for basic network configuration. When you attach to the appliance through a browser the first time, AirDefense installs its thin client enterprise GUI on Linux or Windows-based workstations.
For our test, we opted for the Startup Wizard, which led us through system settings, network structure, creating user accounts, defining policies, configuring alarms, automated event classifications, notifications and identifying access points. This was the easiest method of deployment, as the overall documentation for the server and administrator were thin and redundant. You can also restore a previously saved configuration (perfect for distributed enterprise deployments) or go directly to the dashboard for a manual configuration.
Overall, administration is much easier, than the last version we reviewed especially for large, distributed deployments, thanks to the division of labor into distinct roles. We created administrators, who are able to manage all aspects of configuration and management; managers who can do everything an administrator can except for editing logs and adding users; network operators who deal specifically with network operations including alerts and alarms, and a guest account with limited manager and network operator functions.
Furthermore, administration roles can be limited through domain-based partitioning which restricts access to different networks, groups and devices. We assigned our partitioning to logical networks; however, it's easy to see how enterprises, such as retail organizations with multiple locations, divisions and business units could take advantage of this feature.
Users can be authenticated locally through the AirDefense server or through remote RADIUS or LDAP servers.
Sensor placement depends on what type of protection is required. Sensor density is lower for rogue detection and policy enforcement than for connection termination. Location tracking and the newest feature, WEP cloaking, both require more sensors per square feet.
The sensors are a huge improvement over previous hardware, as the version we tested solely utilizes PoE and requires no additional power supply.
Out of the box, AirDefense Enterprise includes a comprehensive set of default policies that provided adequate protection from common threats until we customized the deployment to our specific environment.
Policies were easily configured through the Policy Manager, which could also be instantly accessed by right-clicking on a location, group or device in the management tree. From there, we could quickly view all the associations, behaviors and protocols (a,b,g) of all locations, groups and devices.
Policies are not set for individual users, but for the access points and sensors. When users moves, they are bound by the policies of the access point to which they connect. Policies can be applied individually, in groups, by device, location and globally.
There are four basic policy types: configuration, performance, vendor and channel. The first three apply to access points and the fourth to the sensors. Configuration policies determine the fundamental security configuration for how users connect to the access points.
For implementations dependent on performance, such as wireless VoIP installations, policies can be set to alert administrators when thresholds are met that could impact availability.
Using the vendor policy, we were able to limit users connecting to the network to a specific brand of access point, thus limiting the possibility of rogue devices.
The channel policies are the most powerful, offering granular control over when specific channels are allowed on the network. We set up our test policy to allow wireless traffic during business hours, to log all traffic within the confines of our building during non-working hours and to block all connections on APs located in outside public areas. For international enterprises, AirDefense provides the ability to specify individual channels for the United States, Asia and Europe.
Logging and ReportingA
The extensive logging and reporting satisfied both our security and network appetites with instant access to real-time information and historical data in syslog format. This made it easy for us to route logs into a third-party SIM/SEM device.
The reporting features are much more user-friendly than the last time we reviewed AirDefense.
There are two types of reporting. Web Reporting is simple, with three tabs offering one-click access to standard report templates, previously published reports and favorites for frequently run reports. From the default Reports tab, we were able to quickly set up, schedule and run detailed reports on everything from network usage to security alerts. Reports could be generated in HTML, PDF and CSV formats and automatically distributed via email.
While the Web Reporting will meet the needs of those in the role of manager, administrators and network operators will want to take advantage of the Report Builder. Reports can be built from scratch or created using pre-existing templates. Users have much more control over the content than with Web Reporting. We were able to add data fields, tables and charts, as well as customize titles, headers and sections. You can also create filters using radio buttons, check boxes and text boxes. Reports can be imported and exported.
Three new features (all optional modules) stand out: advanced forensics, spectrum analysis and WEP cloaking. These features are add-on modules above the base price.
Advanced forensics covers both trouble-shooting network anomalies and digging deeper into security-related events, such as the number of policy violations and alarms on specific devices. A summary from the previous 24 hours is displayed in a graphical overview, offering a quick glance at the current threat level, traffic, associations and information about specific devices such as methods of authentication, encryption and the SSID. Additional tabs allowed us to drill down into devices, threats, applications, traffic, signal and locations.
The spectrum analysis tool offers background and dedicated spectrum scanning through the sensors. We were able to locate and identify sources of interference from other wireless networks as well as non-network devices, such as microwave ovens, baby monitors and cordless telephones. Fair warning: licenses must be purchased for individual sensors.
Similarly, the Live View feature, can be accessed by simply right-clicking on any device in the navigation tree, offers a real-time observation of sensors, APs and users (through integration with directory services). Live View offers four main categories of information: data, connections, devices and frames, as well as graphical charts for at-a-glance analysis. For historical analysis, Live View sessions can be stored and analyzed using the frame capture feature. However, Live View and the Spectrum Analysis tool cannot be run at the same time.
Recognizing that WEP remains in service, especially in retail deployments, AirDefense Enterprise has introduced WEP cloaking to mitigate the protocol's inherent vulnerabilities until legacy equipment can be upgraded. This feature operates by generating "chaff" frames to confuse commonly used wireless sniffing and WEP-cracking applications used to perform man-in-the-middle attacks. During our testing, we found WEP cloaking sufficient to foil freely available tools most often used by wireless hackers.
AirDefense is a comprehensive, cost-effective solution for protecting and troubleshooting WLANs.
Testing methodology: We tested the product by deploying the appliance and wireless sensor on an 802.11 network utilizing 802.11a, b and g devices.
Review how we grade at searchsecurity.com/grading_criteria.