Product Reviews

Wireless Outlaws

Learn how to protect yourself with this product.

• By James Carrion
• 09/01/2003

How can you protect your company network from unauthorized wireless access? You can send out a company memo, threatening to discipline anyone installing an unauthorized access point. The problem is, would you even know that rogue access points are present so that you can enforce this policy? To figure that out, you could send a posse of junior admins around the company, armed with access point detection tools like Marius Milner’s Net Stumbler (www.stumbler.net) or Kismet (www.kismetwireless.net), to sniff the air for rogues. That would work fine for a while for a small business in a single location, but it wouldn’t be practical for a large company with multiple locations or a campus network.

AirDefense has a wireless monitoring solution called AirDefense Guard that’s designed to monitor multiple locations 24/7 for wireless devices remotely so you can detect rogues before they do damage to your network. Let’s see how well it works.

Guard consists of a central network appliance called the AirDefense Server and one or more wireless sensors strategically located around your physical location. The sensors passively gather wireless data and report it back to the server where alerts are then generated.

Guard sensors can detect hardware access points, soft access points (where a user has installed software on their wireless station that emulates an access point), ad hoc networks (peer to peer wireless stations connected without an access point), malicious station associations (where a hacker is trying to penetrate your network), or accidental association (where a user from another company in the building next door innocently connects to your access point instead of his or her own).

Guard generates an alarm when an attack, intrusion, probe, policy violation, or performance warning occurs in the network and will then report this to the AirDefense Web-based console. It can also e-mail the alert to the designated admin.

Configuring the AirDefense Server is straightforward. You can connect a keyboard and monitor directly to the AirDefense Server and then configure its TCP/IP parameters through the command line interface, or you can configure the server over the network using Secure Shell (SSH) or via a secure Web-based Java application.

You’ll need one or more sensors depending on how large of an area you want to monitor. The practical coverage limit of each sensor is around 1,000 feet in all directions in most buildings; but since wireless access points can transmit up to 180 feet and some even much further, it’s a good idea to have sensor coverage overlap. Sensors can be clustered into groups for administrative purposes.

The AirDefense Sensors are also initially configured through a Web browser via their own built in Web server, but then subsequent administration can be performed from the AirDefense Server. You can also configure encryption on the link between the sensor and the AirDefense server.

There are only 11 access channels allowed by U.S. Law, but the sensor can scan all 14 channels allowed by the 802.11b protocol, working under the assumption that rogues don’t play by the rules. You can configure a sensor dedicated to a single access point by locking it to a specific channel, or a sensor can monitor many access points by scanning across channels. [AirDefense has since added 802.11a and 802.11g sensors to the product.—Ed.]

You can configure AirDefense policy to authorize an access point or station or to ignore it. The ignore option is convenient if you’re sharing airspace with another company and you don’t want their access points to trigger AirDefense alarms. You can create a new policy that’s assigned to an access point or edit the default policy, which is automatically inherited by new access points.

My laptop uses an SMC 802.11g card and connects to a SMC 802.11g access point. Guard detected both as unauthorized devices and generated appropriate alarms. There was no way for me to disable the “rogue devices”. All I could do was note their presence and then try to physically track them down based on signal strength and their proximity to the sensor that reported it. I then created an access policy that authorized both the Access Point and the laptop and the alerts went away. I was also running Boingo on the laptop for finding and connecting to wireless access points, and Guard reported the Boingo scans as a Net Stumbler attack.

Most critical information is reported via the AirDefense Web Dashboard. The dashboard shows summary data collected every minute, which then resets at midnight. It will retain daily information for 30 days and then discard it, or you can choose to archive it. Color coded icons inform you whether a sensor is online or offline, or an access point or wireless station is authorized or unauthorized. It will also show the most suspicious devices based on number and type of alerts generated. In addition, you can generate a plethora of graphs and reports.

You can set a mail relay server so that these alerts and reports are emailed to designated admins. The only drawback is that you have to configure an open mail relay as there’s no option to configure SMTP authentication. You can also configure SNMP trap messages to be sent to an SNMP manager or for data to be logged to a SYSLOG server.

Guard can also generate a graphical snapshot of the wireless network called the NetMap. This shows all the devices detected by a sensor along with their associations and policy violations. It was unclear to me why my wireless laptop was showing up as both associated and not associated at the same time (see Figure).

All alerts are reported to the Web based Air Defense Server console. (Click image to view larger version.)

It’s up to you to control the proliferation of wireless devices in your company and to protect the network from wireless-based attacks. Although you can use freely available tools to monitor a small business, you’ll need automated help to monitor a large company. AirDefense Guard is up to the task. Just deputize Guard sensors to monitor wireless traffic around the clock.