Should either product detect a rogue AP, it can effectively put the rogue down by taking it off the air, as well as disassociating any corporate wireless device that blunders onto the rogue.
Of course, it is always a good idea to take note of any neighbouring and legitimate APs before enabling the products' automated rogue blocking; after all, you would not want to take out your business neighbours' APs by mistake. If an intruder is identified, it can also be summarily blocked and kicked off the WLAN in much the same way. This is an option that, while one would not expect it to be abused, may well be misused, so both products maintain detailed audit logs recording the complete "when, who and what" each time the blocking feature is used.
Should the rogue device be physically connected to your wired infrastructure, both products can track the device right down to the switch port it is connected to and, provided SNMP is set up correctly, disconnect the port. AirDefense carries out the wired search from the server appliance out to the offending device in a top-down approach, while AirMagnet is able to track back from the closest sensor -- potentially a quicker solution.
A pertinent question, should a rogue device be detected, is "how much damage did they manage to do before they were detected and/or blocked?" Only AirDefense appears to have a satisfactory answer to this, because it can provide "forensic" information such as how much data was exchanged, in which direction the traffic was flowing, and an analysis of all the connections made by the rogue.
Rogue locating software
Each vendor offers wireless rogue location software because, let's face it, it would not be a great deal of help if you identified a wireless rogue but had no idea where it was located.
In the case of AirMagnet it is part and parcel of the standard software, but AirDefense lists it as an additional-cost option.
AirDefense's Location Tracking module did not function correctly, and at the 11th hour an upgrade patch was applied by one of the company's engineers, which did not help the situation at all. We were unable to entice the location tracking to work at all, although the diagnostics worked quite well and provided us with brightly coloured probability distributions showing the probable location of the rogue, but, sadly, not in the correct position.
AirMagnet's integrated rogue triangulation functioned, but its accuracy was poor -- both products were at times up to 10m off in their positioning of the rogue. In a very unfair comparison, AirMagnet's probability curve did at times run very close to the actual location of the rogue, although its best guess at the location, marked by a little red AP, was not close at all.
Both products include extensive and flexible alerting features with administrators notified of security breaches via SNMP, e-mail, SMS, and pager to name a few. Different managers can be assigned to various areas of the infrastructure and only alerts pertaining to their area are issued.
Alerts can also be targeted based on their severity, and a nifty feature of AirMagnet is that you can set thresholds so that, as a particular form of security breach escalates, the manager or administrator notified is escalated too. Both products offer remote monitoring -- in the case of AirDefense it is via a Java application over HTTPS, so you can securely monitor the status of your infrastructure from a remote location. AirMagnet has chosen to go with a proprietary 32-bit Windows application secured via SSL. A very user-friendly feature of both interfaces is that they are able to display a detailed description of a threat in layman's terms.
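To make the two safeguards discussed above concrete -- an inventory of neighbouring APs recorded before automated blocking is switched on, a "when, who and what" audit entry per block, and severity-based escalation of who gets notified -- here is an added example that is not code from either product. The BSSIDs, SSIDs, operator name and escalation ladder are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed inventory for this example. Neighbouring APs are recorded here
# before automated blocking is enabled, so they are never taken off the air.
AUTHORISED = {"00:11:22:aa:bb:01": "Corp-WLAN", "00:11:22:aa:bb:02": "Corp-WLAN"}
KNOWN_NEIGHBOURS = {"00:11:22:cc:dd:03": "NextDoor-Guest"}

# Hypothetical escalation ladder: once one rogue class has been seen this many
# times, the listed role is notified instead of the one below it.
ESCALATION = [(1, "wlan-admin"), (3, "security-manager"), (5, "ciso")]


def classify(bssid, ssid):
    """Place one observed AP into an authorised / neighbour / rogue class."""
    if bssid in AUTHORISED:
        return "authorised"
    if bssid in KNOWN_NEIGHBOURS:
        return "neighbour"
    if ssid in AUTHORISED.values():
        return "rogue-spoofing"   # unknown radio advertising the corporate SSID
    return "rogue"


def notify_tier(count):
    """Highest escalation tier whose threshold the alert count has reached."""
    tier = None
    for threshold, role in ESCALATION:
        if count >= threshold:
            tier = role
    return tier


def process_scan(observations, operator, audit):
    """Classify a scan of (bssid, ssid) pairs, appending one audit entry per
    rogue block to `audit`. Returns the per-class rogue counts."""
    counts = {}
    for bssid, ssid in observations:
        cls = classify(bssid, ssid)
        if not cls.startswith("rogue"):
            continue          # authorised or known neighbour: never blocked
        counts[cls] = counts.get(cls, 0) + 1
        # Audit entry captures the "when, who and what" of every block.
        audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": operator,
            "what": "block " + bssid + " (" + cls + ")",
            "notify": notify_tier(counts[cls]),
        })
    return counts
```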