This story was printed from ZDNet Australia.
Wireless crackdown
By Steve Turvey, Technology and Business Magazine, October 17, 2005
URL: http://www.zdnet.com.au/reviews/coolgear/wireless/soa/Wireless-crackdown/0,139023505,139216347,00.htm
No one can deny the convenience of wireless LANs (WLANs), whether in your home, at a hotspot in a coffee shop, in a warehouse, or in your office, and the growth in WLANs around the world reflects this convenience -- much to the delight of hackers, who find many WLANs particularly vulnerable.
On the other hand, WLAN transmissions are free spirits that blithely pass through walls and fences into the car park, the street, and neighbouring buildings, where they are susceptible to unauthorised interception. Anyone with NetStumbler or Kismet, for example, can "sniff" for SSIDs and sort the captured data to identify MAC addresses, channels and connection speeds. A hacker does not even have to be located within your WLAN's "typical" coverage umbrella: using the infamous "Pringle Can" antenna, a hacker can be many hundreds of metres away and still receive an adequate signal.
Many access points (APs) and notebooks are insecure as shipped. The default settings for many brands of AP are freely available, and if in the haste of installation the default password or SSID is left unchanged, the AP becomes a gateway for the hacker to infiltrate your WLAN. Depending on the security between the WLAN and the wired LAN, the latter may also be compromised.
In general a user's notebook is of greater concern than an AP: notebooks often provide very little security and can be inadvertently compromised by the user, providing the hacker with a handy platform from which to breach your network. Even if you have a secure WLAN profile at the office, the user may connect to hotspots or to their home WLAN, whose profiles are not as secure. A hacker using Hotspotter, for example, can identify the user's preferred network list from the SSIDs the notebook probes for, then masquerade as the AP of one of the less secure profiles while disassociating the user from the secure office AP and reconnecting the hapless user to the hacker's AP. At times users may set up ad-hoc networks to transfer data to and from workstations; such a peer-to-peer network does not require an AP or authentication and can be compromised.
A rogue AP can also compromise the network. This may be a hacker off-site but within range of your WLAN, or, more often than not, an employee who has installed a "more convenient" AP on your network without the administrator's sanction and, more importantly, without the security profile of the rest of the wireless infrastructure. To some, the mention of an off-site hacker with a rogue AP conjures up an image of a nerdy-looking guy with a notebook, an AP, and a 12V to 240V inverter, but it could simply be a notebook or a PDA running soft AP software such as HostAP, AirSnarf, or Hotspotter.
Strengthening your Wireless LAN Network against attacks
This month we look at software products to help you manage wireless networks and keep them secure. In this article we compare products from AirDefense and AirMagnet and also review products from Bluesocket and SonicWall. Other companies such as Roving Planet and Wavelink were invited to submit products for review but unfortunately declined to take part.
These two companies are an interesting pair of competitors. Rarely do we receive such evenly matched opponents; it's almost like watching a pair of identical twins duking it out. There are of course differences but they have both approached the problem of wireless security in a similar manner and even use identical hardware for their wireless sensors.
The products
AirDefense's appliance is quite a beefy unit, with a single P4 2.8GHz processor and 1GB of memory in the low-end 1150 unit and dual 2.4GHz Xeons and 4GB of memory in the high-end 2270 unit; these are good for up to 350 and 600+ sensors respectively. AirDefense maintains that it makes more sense to provide an appliance than to expect the client to install, secure, and maintain their own server. AirMagnet takes the opposite viewpoint: its enterprise server software installs on Windows 2000 and 2003 Server as well as XP Professional, and each server can cater for up to 1500 sensors. The reason for this much larger number is that the AirMagnet sensors are more "educated" than the AirDefense sensors, so more of the work is done at the edge. The hardware requirements for the server are relatively modest and typically include a 2.4GHz processor, 512MB of memory, and 4GB of disk space. Both vendors support failover from a primary to a secondary server, and should the link between the server and a sensor be lost, the sensors continue to monitor and store information until the link is restored. This is, of course, only up to a point: at some stage the sensors will run out of memory, although the link should be restored well before then.
Configuring the sensors
Manually configuring the sensors is no great hardship on an individual basis, but if you have to deploy 20 or 30 of them you would certainly not want to configure each one by hand. Both products can be set up to auto-configure after the sensors obtain their IP addresses from a DHCP server, including the policy settings for each sensor. If your organisation has an installed base of Cisco Aironet 1200 APs, these can also be used as sensors (albeit with limited capabilities) to feed the server appliance or enterprise server with security and performance data. Both vendors' products will happily integrate with Cisco WLSE (Wireless LAN Solution Engine) for seamless management of your WLAN infrastructure, although only AirMagnet appears capable of using Cisco APs as rudimentary sensors without WLSE deployed. The Lab did not test the vendors' level of integration with WLSE.
AirDefense's user interface
Even before implementing a WLAN security system, your company will really need to hammer out a security policy that sets out, for example, how your APs and clients are to behave in the wireless domain and which authentication methods are acceptable. That policy is realised in the configuration of the security software, which determines what constitutes a breach of security or policy. Obviously the policy structure for a bank will be very different from that of a coffee shop hotspot. If, for example, you wish to comply with Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA), AirMagnet makes the process as simple as selecting the pre-packaged policy and applying it. With AirDefense you cannot simply select a SOX profile; you have to implement the policy manually and you will need an audit to ensure compliance, which is a bit of a pain. Defining policies is quite a complex process and there is a lot that must be nailed down, such as encryption and authentication, VLANs, approved data rates, channel locks and authorised channels, proper network names, and off-hours traffic.
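The following is an added example (not code from AirDefense, AirMagnet or the magazine) showing how the policy items listed above, together with the rogue and evil-twin cases described earlier, reduce to a small set of checks against a list of observed access points. The policy, the SSIDs, BSSIDs, channels and business hours are all constructed for illustration; a real sensor would populate the observations from beacon frames.

```python
"""Wireless security policy as data, checked against a constructed scan.

Added example, not AirDefense's or AirMagnet's code. It encodes the items the
article says a policy must nail down (encryption and authentication, channel
locks, proper network names, off-hours traffic) and classifies each observed
AP the way a WIDS console would: compliant, policy violation, evil twin, or
unknown/neighbour. All SSIDs, BSSIDs and channels below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    corporate_ssids: frozenset        # "proper network names"
    authorised_aps: dict              # bssid -> channel it is locked to
    accepted_security: frozenset      # e.g. WPA2 with AES only
    business_hours: tuple = (7, 19)   # [start, end) local hour; assumed


@dataclass(frozen=True)
class ApObservation:
    bssid: str
    ssid: str
    channel: int
    security: str      # as advertised in the beacon's RSN/WPA element
    hour: int          # local hour the observation was made
    data_frames: int   # data frames seen to/from this BSSID in the interval


def classify(obs, policy):
    """Return the list of alert names for one observed AP; empty means compliant."""
    bssid = obs.bssid.lower()
    alerts = []
    if bssid not in policy.authorised_aps:
        if obs.ssid in policy.corporate_ssids:
            # our network name from a BSSID we never deployed: an evil twin,
            # e.g. a notebook running a soft AP such as HostAP or Hotspotter
            alerts.append("evil_twin")
        else:
            # a neighbour or an employee's rogue; a wired trace decides which
            alerts.append("unknown_ap")
        return alerts
    if obs.ssid not in policy.corporate_ssids:
        alerts.append("ssid_violation")          # authorised radio, wrong name
    if obs.security not in policy.accepted_security:
        alerts.append("weak_security")           # e.g. open or WEP
    if obs.channel != policy.authorised_aps[bssid]:
        alerts.append("channel_violation")       # channel lock broken
    start, end = policy.business_hours
    if not (start <= obs.hour < end) and obs.data_frames > 0:
        alerts.append("off_hours_traffic")       # data moving outside hours
    return alerts


def audit(observations, policy):
    """Map each observed BSSID (lower-cased) to its alerts."""
    return {obs.bssid.lower(): classify(obs, policy) for obs in observations}


def sample_policy():
    """Constructed policy: one SSID, three locked-channel APs, WPA2/AES only."""
    return Policy(
        corporate_ssids=frozenset({"corp-wlan"}),
        authorised_aps={"00:0b:85:aa:00:01": 1,
                        "00:0b:85:aa:00:02": 6,
                        "00:0b:85:aa:00:03": 11},
        accepted_security=frozenset({"WPA2-AES"}),
    )


def sample_scan():
    """Constructed observations covering each outcome of classify()."""
    return [
        ApObservation("00:0b:85:aa:00:01", "corp-wlan", 1, "WPA2-AES", 10, 500),  # compliant
        ApObservation("00:0b:85:aa:00:02", "corp-wlan", 11, "WEP", 22, 40),       # three violations
        ApObservation("00:0b:85:aa:00:03", "test", 11, "WPA2-AES", 10, 3),        # wrong SSID
        ApObservation("00:1c:f0:de:ad:01", "corp-wlan", 6, "OPEN", 14, 12),       # evil twin
        ApObservation("00:1c:f0:de:ad:02", "linksys", 6, "OPEN", 14, 0),          # neighbour or rogue
    ]


if __name__ == "__main__":
    for bssid, alerts in audit(sample_scan(), sample_policy()).items():
        print(bssid, alerts or "compliant")
```

Note that a MAC-spoofed infrastructure AP (same BSSID as a legitimate one) is invisible to an inventory check like this, because the forged beacons carry an authorised address; catching that needs per-frame analysis such as sequence-number tracking.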
Performance -- detection
We carried out a short series of attacks on our WLAN; the test was certainly not exhaustive, but it nevertheless gave us a feel for how the products responded to an attack and how user-friendly the reporting was. Amongst the attacks were simple sniffer scans, rogue APs (both hardware and software APs) and MAC address spoofing of an infrastructure AP. We also hit the WLAN with a variety of Denial of Service (DoS) attacks such as De-Authentication Flood, Disassociation Flood, EAP Failure Flood, EAP Logoff Flood, and CTS Flood. Both products detected all the attacks, although they did not always identify the attack correctly, which was a bit of a surprise given that these attacks have quite well-known signatures. Of the two, AirDefense was the more accurate at identifying the attack and also seemed less prone to false alarms. It was also the more succinct. AirMagnet certainly identified threats, but sometimes with rather generic descriptions, and because some attacks involve more than a single mechanism you were more likely to receive multiple messages from one attack than AirDefense's single alert.
AirMagnet's rogue tracking screen.
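As an added example (not the vendors' code), the two frame-level checks below catch two of the attacks thrown at the test WLAN: a sliding-window rate check for De-Authentication and Disassociation floods, and an 802.11 sequence-number check that exposes a second radio transmitting with an infrastructure AP's MAC address. The capture is constructed inline; the frame records carry only the header fields the checks need, and the window, threshold and gap values are assumptions that would be tuned per site.

```python
"""Management-frame flood and AP MAC-spoof detection over a constructed capture.

Added example, not code from AirDefense or AirMagnet. Frame records hold the
subset of the 802.11 MAC header used here: capture time, frame subtype,
transmitter address, BSSID and the 12-bit sequence number.
"""
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame type 0)
BEACON = 0x08
DISASSOC = 0x0A
DEAUTH = 0x0C
SEQ_MODULUS = 4096  # the sequence number is a 12-bit counter


def frame(t, subtype, src, bssid, seq):
    """Constructed frame record: time (s), subtype, transmitter, BSSID, seq no."""
    return {"t": t, "subtype": subtype, "src": src, "bssid": bssid, "seq": seq}


def detect_floods(frames, window=1.0, threshold=10):
    """Return {(bssid, alert)} for BSSIDs sending >= threshold deauth or
    disassoc frames within any window-second span; frames must be time-sorted.
    A genuine AP sends these rarely, so a burst means someone is forging them."""
    names = {DEAUTH: "deauth_flood", DISASSOC: "disassoc_flood"}
    recent = defaultdict(deque)
    hits = set()
    for f in frames:
        if f["subtype"] not in names:
            continue
        q = recent[(f["bssid"], f["subtype"])]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.add((f["bssid"], names[f["subtype"]]))
    return hits


def detect_mac_spoof(frames, infrastructure_aps, max_gap=32):
    """Return the infrastructure AP MACs whose sequence numbers are not
    monotonic. One radio steps the counter by one per frame (a retransmission
    repeats it); two radios sharing a MAC interleave two counters, so the
    observed gap jumps back and forth by far more than max_gap."""
    last_seq = {}
    spoofed = set()
    for f in frames:
        src = f["src"]
        if src not in infrastructure_aps:
            continue
        if src in last_seq:
            gap = (f["seq"] - last_seq[src]) % SEQ_MODULUS
            # small forward step or repeat: normal; gap close to SEQ_MODULUS:
            # a small backward step from reordering in the capture; anything
            # else means another transmitter is using this address
            if max_gap < gap < SEQ_MODULUS - max_gap:
                spoofed.add(src)
        last_seq[src] = f["seq"]
    return spoofed


def analyse(frames, infrastructure_aps):
    """Run both checks over a time-sorted capture."""
    return {"floods": detect_floods(frames),
            "spoofed": detect_mac_spoof(frames, infrastructure_aps)}


def build_sample_capture():
    """Constructed capture: a genuine AP beaconing, an attacker cloning its MAC,
    and a separate attacker flooding deauth frames from a second AP's address."""
    ap1 = "00:0b:85:11:22:33"  # assumed corporate AP (constructed address)
    ap2 = "00:0b:85:44:55:66"  # assumed corporate AP (constructed address)
    frames = []
    for i in range(20):  # genuine ap1 beacons every 100 ms, counter from 1000
        frames.append(frame(i * 0.1, BEACON, ap1, ap1, 1000 + i))
    for i in range(10):  # cloned-MAC soft AP interleaves beacons, counter from 7
        frames.append(frame(i * 0.2 + 0.05, BEACON, ap1, ap1, 7 + i))
    frames.append(frame(0.3, DEAUTH, ap2, ap2, 2500))  # one legitimate deauth
    for i in range(40):  # 40 forged deauths from ap2's address in half a second
        frames.append(frame(1.0 + i * 0.0125, DEAUTH, ap2, ap2, 2501 + i))
    frames.sort(key=lambda f: f["t"])
    return frames, {ap1, ap2}


if __name__ == "__main__":
    capture, aps = build_sample_capture()
    print(analyse(capture, aps))
```

The forged deauths in the sample carry a consistent sequence counter, so only the rate check fires for the second AP; an attacker tool that ignores sequence numbers would trip both checks at once, which is one reason a single attack can produce more than one alert.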
Should either product detect a rogue AP, it can effectively put the rogue down by taking it off the air, and it can disassociate a corporate wireless device should it blunder onto the rogue. Of course, it is always a good idea to take note of any neighbouring, legitimate APs before enabling the products' automated rogue blocking; after all, you would not want to take out your business neighbours' APs by mistake. An identified intruder can also be summarily blocked and kicked off the WLAN in much the same way. This is a capability that, while one would not expect it to be abused, may well be misused, and both products maintain detailed audit logs recording the complete "when, who, and what" each time the blocking feature is used. Should the rogue device be physically connected to your wired infrastructure, both products can track it right down to the switch port it is connected to and, providing SNMP is set up correctly, shut the port down. AirDefense carries out the wired search from the server appliance out to the offending device in a top-down approach, while AirMagnet is able to track back from the closest sensor, potentially a quicker solution. A pertinent question once a rogue device is detected is "how much damage did it manage to do before it was detected and/or blocked?" Only AirDefense appears to have a satisfactory answer, because it can provide "forensic" information such as how much data was exchanged, which direction the traffic was flowing, and an analysis of all the connections made by the rogue.
Rogue locating software
In AirMagnet's case the rogue locating software is part and parcel of the standard product, but AirDefense lists it as an additional-cost option. Both products enlist the help of Cisco APs to assist with the triangulation and location process. Before we discuss the results of our rogue AP location attempts we should point out that the Lab and its surrounds are particularly hostile to this process. There is steel and thick concrete at one side of the Lab, lots of thick concrete walls reinforced with steel girders, not to mention the plate glass windows with metallised reflective film, surrounding the Lab. If you are in a similar environment then, quite frankly, do not expect a great deal of accuracy with all the multipath reflections in progress. A more detailed description of this month's trials and tribulations with the rogue tracking can be found here. AirDefense's Location Tracking module did not function correctly, and at the 11th hour an upgrade patch was applied by one of the company's engineers, which did not help the situation at all. We were unable to entice the location tracking to work at all, although the diagnostics worked quite well and provided us with brightly coloured probability distributions showing the probable location of the rogue, but sadly not in the correct position. AirMagnet's integrated rogue triangulation functioned, but its accuracy was poor; both products were at times up to 10m off in their positioning of the rogue. In a rather unfair comparison, AirMagnet's probability curve did at times run very close to the actual location of the rogue, although its best guess as to the location, marked by a little red AP, was not close at all. Both products include extensive and flexible alerting features, with administrators notified of security breaches via SNMP, e-mail, SMS, and pager, to name a few.
Different managers can be assigned to various areas of the infrastructure, and only alerts pertaining to their area are issued to them. Alerts can also be targeted based on their severity, and a nifty feature of AirMagnet is that you can set thresholds so that as a particular form of security breach escalates, the notification is escalated to a more senior manager or administrator as well. Both products have remote monitoring. In the case of AirDefense it is via a Java application over HTTPS, so you can securely monitor the status of your infrastructure from a remote location; AirMagnet has chosen to go with a proprietary 32-bit Windows application secured via SSL. A very user-friendly feature of both interfaces is that they can display a detailed description of a threat in layman's terms.
While it looks a little bland compared to the AirMagnet front end, the AirDefense user interface is comprehensive and relatively easy to navigate, although at times you do have to drill down further than in its competitor to glean information. The front dashboard does, at a glance, convey a lot of critical information, and it could be argued that because it is simpler and less cluttered than AirMagnet's, alerts are more easily noticed. A particularly neat screen is the Alarm display which, for example, can be configured to show the last seven days, with concise descriptions of the events in the left pane and a graphical representation of each day in the right pane. Reporting is not as extensive as AirMagnet's and the reports are not quite as fancy as its competitor's, but they are complete and do not lack critical information. Another string to AirDefense's bow is AirDefense Personal, which can be installed on your fleet of roaming notebooks to provide protection outside your secure infrastructure. It integrates fully with the AirDefense Enterprise system: policies and policy changes are automatically pushed to AirDefense Personal when users reconnect to the LAN, the user is notified of any threats while out and about, and the threat log is uploaded to the enterprise system when the notebook next logs on.
User interface -- AirMagnet
The remainder of the displays do not present the user with such an information overload and are definitely less intimidating, although they still manage to squeeze more information into each screen than AirDefense. Luckily, or perhaps unluckily, AirMagnet colour-codes all items, so at times the display is a riot of colour, but once you become familiar with it your eye can quickly target the information you are after. AirMagnet's array of "canned" reports is extensive, far more so than AirDefense's, and, as you might imagine given the colourful nature of the interface, they are cosmetically prettier. But do not mistake good looks for a lack of information: the reports are every bit as detailed as the AirDefense reports and are formatted in such a way that they can slip right into your management reports with minimal tinkering.
The WG-1100 is a wireless gateway "appliance" that comes in a 1U rack-mount form factor. In effect, the WG-1100 sits between your relatively insecure WLAN and your wired LAN and acts as a policeman, so even if your WLAN is compromised the wired side remains secure. The appliance is in fact a small-form-factor PC motherboard, power supply and 20GB hard drive slotted into a 1RU case; the unit supplied to the Lab was driven by a 1GHz PIII with 256MB of memory. The unit secures the wired LAN by only passing correctly authenticated and encrypted clients from one side to the other. The WG-1100 is the baby of the range, with 10/100 Ethernet ports (two primary ports and a single failover) and a maximum throughput of 30Mbps when using 3DES encryption. A wide range of encryption is supported, including PPTP (40- and 128-bit) and SSL, and there is IPSec client support for Windows, SSH, Mac OS 10.2, PGPNet, and Funk AdmitOne, to name a few. Authentication methods are equally wide-ranging: RADIUS, LDAP, Windows Domain, secure tokens, a local database, Windows Active Directory, MAC address, 802.1x, and WPA Transparent Login. The WG-1100 has very good user and policy management: users can be defined by role, allowed locations and times, and you can define what types of application traffic users may send or receive and even how much bandwidth they are allocated. As an example, visitors may be allocated a maximum bandwidth of 128Kbps, only allowed to connect while located in the visitors' lounge, and restricted to a narrow set of application traffic types. Roaming policies can be defined for users, who can seamlessly roam across subnets, if their clearance allows, while using IPSec tunnelling. The device is AP- and wireless-device-agnostic, so it works seamlessly in a multi-vendor AP environment, and PDAs, tablet PCs, and VoIP wireless handsets are no problem.
Management is via a secure Web page, and SNMP manageability is supported; however, management does not extend to the APs. If you want to provide wireless connectivity to your wired infrastructure with the minimum amount of hassle, then the Bluesocket WG-1100 is a secure option that is worth a look.
A traditional firewall is not much use when it comes to stopping intruders entering your wired LAN via your WLAN: to a firewall, a clever hacker simply looks like a regular user. SonicWall is a trusted name in firewalls, and the Pro 5060 is one of its top models. When paired with the SonicPoint APs it becomes a firewall with WLAN security bells and whistles. The Pro 5060 is a powerhouse appliance that integrates a high-speed gateway, antivirus, content filtering (blacklist), anti-spyware, anti-spam and intrusion detection; add the SonicPoint and you can add wireless IPSec VPN and AP management to the list. The Pro 5060 boasts gigabit stateful-inspection performance over its six Gigabit Ethernet ports, and supports features such as ISP failover, load balancing, WAN redundancy, and policy-based management. The performance specifications of the Pro 5060 are impressive:
As standard, the Pro 5060 ships with a one-year licence for antivirus, anti-spyware, and attack database updates, and a 30-day trial of content filtering and gateway-enforced network antivirus. Like the Bluesocket, the Pro 5060 has integrated QoS features using 802.1p and Differentiated Services Code Point (DSCP) class-of-service markings to guarantee bandwidth for critical VoIP and multimedia applications. There are two models of the SonicPoint AP available: the higher-specced unit supplied to the Lab is 802.11a/b/g capable, while the "G" model, as the name suggests, is 802.11b/g. The SonicPoint is a piece of cake to set up, with PoE support and plug-and-play configuration, the Pro 5060 pushing predefined profiles and security settings to the AP. The SonicPoint supports WPA using TKIP or AES; alternatively, users can be forced to use IPSec VPN tunnelling, managed by the Pro 5060. In essence the Pro 5060 is a secure wireless gateway, much like the Bluesocket, with the addition of a powerful firewall and AP management.
This company wants to manage its wireless infrastructure independently of its wider LAN management system, and is seeking a product that offers granular control and security of the wireless network. The company has a main site with 30 APs, many of them in the open-plan office area, quite a few in a small warehouse (for stock control) and several in the executive office area, where there are individual offices. There is also a regional office with five APs. Most of the APs are Cisco 1200s, but there is a mix of other vendors' products as well. The company has around 200 employees, and staff are expected to be able to connect wirelessly inside the office but not outside the perimeter of the buildings; as a consequence the solution will need to include a rogue location feature. Concerns: as always, security is paramount; cost and ease of use are also important.
Editor's Choice
AirMagnet has the edge in initial setup with its extensive range of policy templates that you simply apply or modify for your own requirements; both products offer "zero config" roll-outs of sensors. AirMagnet has the best range of reports and produces them in clean formats that can be slipped into operational reports with minimal tinkering. Both AirMagnet and AirDefense detected the range of threats we exposed the WLAN to, although the tests were not exhaustive. AirMagnet is more verbose in its alert reporting, while AirDefense was accurate and concise. Once users get their heads around either product's user interface, they will find navigation straightforward and intuitive. We had problems with both products' rogue location tracking: AirMagnet's was a little too inaccurate for our liking, and we could not get AirDefense's to work correctly at all. We have, however, read numerous reviews that had no problem with either vendor's product. There is one significant distinguishing feature, and that is pricing: AirDefense is considerably more expensive than AirMagnet, at $39,000 compared to just AU$14,357 including a Dell SC430 server. If AirDefense's pricing had been more comparable, the selection of Editor's Choice would have been more difficult. As it stands, AirMagnet wins.
About RMIT IT Test Labs
This article was first published in Technology & Business magazine.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.