Wireless crackdown



Policy support
Even before implementing a WLAN security system, your company will need to hammer out a security policy covering, for example, how APs and clients are to behave in the wireless domain and which authentication methods are permitted. That policy is then realised in the configuration of the security software, which is what determines what constitutes a breach of security or policy. Obviously the policy for a bank will look very different from that of a coffee-shop hotspot.

If, for example, you wish to comply with Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA), AirMagnet makes the process as simple as selecting the pre-packaged policy and applying it. With AirDefense there is no SOX profile to select: you have to implement the policy manually and then audit the configuration to confirm compliance -- which is a bit of a pain.

Defining policies is a fairly complex process, and there is a lot that must be nailed down: encryption and authentication, VLANs, approved data rates, channel locks and authorised channels, proper network names (SSIDs), and off-hours traffic.
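To show what "realising the policy in configuration" amounts to in practice, here is an added example (our illustration, not code from AirDefense or AirMagnet) that turns a written policy of the kind described above into concrete checks against observed access points. The policy values, the AP records and the off-hours window are all constructed for the example; a real product would pull the observations from its sensors and the policy from its console.

```python
"""Evaluate observed WLAN access points against a written security policy.

Added example for this review, not code from AirDefense or AirMagnet.
The policy values, the AP observations and the off-hours window are all
constructed here to illustrate how a policy becomes a set of checks.
"""
from dataclasses import dataclass
from datetime import time

# Hypothetical policy: what the security team decided the WLAN must look like.
POLICY = {
    "authorised_ssids": {"corp-wlan"},
    "encryption": {"WPA2-AES"},              # anything weaker is a breach
    "authentication": {"802.1X"},            # PSK is not acceptable for corporate APs
    "authorised_channels": {1, 6, 11},
    "approved_rates_mbps": {6, 12, 24, 54},  # legacy 802.11b rates (1, 2, 5.5, 11) disallowed
    "off_hours": (time(22, 0), time(6, 0)),  # traffic in this window is suspicious
}


@dataclass
class APObservation:
    """One AP as reported by a sensor (constructed records below)."""
    bssid: str
    ssid: str
    encryption: str
    auth: str
    channel: int
    rates_mbps: set
    seen_at: time
    traffic_bytes: int = 0


def in_off_hours(t, window):
    """True if clock time t falls inside the (start, end) window; handles midnight wrap."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_ap(ap, policy=POLICY):
    """Return a list of (rule, detail) violations; an empty list means compliant."""
    violations = []
    if ap.ssid not in policy["authorised_ssids"]:
        violations.append(("network-name", f"unexpected SSID {ap.ssid!r}"))
    if ap.encryption not in policy["encryption"]:
        violations.append(("encryption", f"{ap.encryption} not permitted"))
    if ap.auth not in policy["authentication"]:
        violations.append(("authentication", f"{ap.auth} not permitted"))
    if ap.channel not in policy["authorised_channels"]:
        violations.append(("channel", f"channel {ap.channel} not authorised"))
    bad_rates = sorted(ap.rates_mbps - policy["approved_rates_mbps"])
    if bad_rates:
        violations.append(("data-rate", f"unapproved rates {bad_rates}"))
    if ap.traffic_bytes and in_off_hours(ap.seen_at, policy["off_hours"]):
        violations.append(("off-hours", f"{ap.traffic_bytes} bytes at {ap.seen_at}"))
    return violations


# Constructed observations: a compliant AP, a misconfigured corporate AP,
# and a rogue AP with an unknown SSID chattering at 3am.
OBSERVATIONS = [
    APObservation("00:11:22:33:44:55", "corp-wlan", "WPA2-AES", "802.1X", 6,
                  {6, 12, 24, 54}, time(10, 0), traffic_bytes=5_000_000),
    APObservation("00:11:22:33:44:66", "corp-wlan", "WEP", "PSK", 13,
                  {1, 2, 5.5, 11, 54}, time(11, 0), traffic_bytes=200_000),
    APObservation("de:ad:be:ef:00:01", "linksys", "Open", "none", 6,
                  {54}, time(3, 0), traffic_bytes=40_000),
]


def audit(observations, policy=POLICY):
    """Map each BSSID to its policy violations."""
    return {ap.bssid: check_ap(ap, policy) for ap in observations}


if __name__ == "__main__":
    for bssid, problems in audit(OBSERVATIONS).items():
        print(bssid, "OK" if not problems else problems)
```

The point of the example is the shape, not the specific values: every line in the policy paragraph above (encryption, authentication, channels, rates, SSIDs, off-hours traffic) becomes one rule, and a "breach" is simply an observation that fails a rule.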

Performance -- detection
Quite obviously, the ability to detect all known wireless attacks by signature is a good start, so a comprehensive signature library is a must. AirMagnet boasts a library of 135 threat types, while AirDefense claims an even larger one at 200 plus. Both products can also detect unknown attacks using WLAN behavioural analysis, although the resulting alert and description tend to be a tad more cryptic than a signature match.

We carried out a short series of attacks on our WLAN; the test was certainly not exhaustive, but it nevertheless gave us a feel for how the products responded to an attack and how user-friendly the reporting was.

Amongst the attacks were simple sniffer scans, rogue APs (both hardware and software APs) and MAC address spoofing of an infrastructure AP. We also hit the WLAN with a variety of denial of service (DoS) attacks: de-authentication flood, disassociation flood, EAP failure flood, EAP logoff flood and CTS flood.

Both products detected all the attacks, although they did not always identify the attack correctly, which was a bit of a surprise given that signatures for such well-known attacks should be common to both. Of the two, AirDefense was the more accurate at identifying the attack and also seemed less prone to false alarms. It was also the more succinct.

AirMagnet certainly identified threats, but sometimes with rather generic descriptions. And because some attacks involve more than one mechanism, you were more likely to receive multiple messages from AirMagnet for a single attack where AirDefense raised one alert.
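The floods and the AP MAC spoofing described above are the easy end of what a signature library covers, and it is worth seeing why they are easy. The following added example (ours, not code from either product) runs simple threshold signatures over a constructed stream of 802.11 frame records: a de-authentication or CTS flood is a burst of one management subtype from one sender, and a spoofed infrastructure AP shows up as a beacon carrying a known BSSID on a channel that AP does not use. The frame records, the AP inventory and the thresholds are all assumptions; a real WIDS tunes thresholds per deployment and layers behavioural analysis on top of checks like these.

```python
"""Threshold-style signatures over 802.11 management-frame records.

Added example for this review, not code from AirDefense or AirMagnet.
Frame records are constructed (not captured); thresholds and the AP
inventory are assumptions.
"""
from collections import defaultdict, deque

# Assumed thresholds: this many frames of one subtype from one sender
# inside WINDOW_S seconds is treated as a flood.
WINDOW_S = 2.0
FLOOD_THRESHOLD = 20

# Subtypes that are legitimately rare, so a burst is suspicious on its own.
FLOOD_SUBTYPES = {"deauth", "disassoc", "eap-failure", "eap-logoff", "cts"}

# Assumed inventory of infrastructure APs: BSSID -> home channel.
KNOWN_APS = {"00:11:22:33:44:55": 6}


def detect(frames, window=WINDOW_S, threshold=FLOOD_THRESHOLD, known_aps=KNOWN_APS):
    """Return alerts for floods and AP MAC spoofing found in the frame records.

    Each record is (t_seconds, subtype, src_mac, bssid, channel).
    One alert is raised per (signature, offender) so a long flood does not
    produce one message per frame.
    """
    alerts = []
    recent = defaultdict(deque)   # (subtype, src) -> timestamps inside the window
    fired = set()
    for t, subtype, src, bssid, channel in sorted(frames):
        if subtype in FLOOD_SUBTYPES:
            key = (subtype, src)
            q = recent[key]
            q.append(t)
            while q and t - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"type": f"{subtype}-flood", "src": src,
                               "count": len(q), "at": t})
        elif subtype == "beacon":
            home = known_aps.get(bssid)
            if home is not None and channel != home and ("spoof", bssid) not in fired:
                fired.add(("spoof", bssid))
                alerts.append({"type": "ap-mac-spoof", "bssid": bssid,
                               "channel": channel, "at": t})
    return alerts


def constructed_frames():
    """Constructed sample: one real AP, one spoofing attacker, one CTS flooder."""
    frames = []
    ap = "00:11:22:33:44:55"
    for i in range(10):                      # normal beacons on the home channel
        frames.append((i * 0.1, "beacon", ap, ap, 6))
    frames.append((0.5, "deauth", ap, ap, 6))   # a single legitimate deauth: no alert
    for i in range(40):                      # attacker spoofs the AP and floods deauth
        frames.append((1.0 + i * 0.025, "deauth", ap, ap, 6))
    frames.append((1.5, "beacon", ap, ap, 11))  # attacker beacons the AP's BSSID on ch 11
    for i in range(25):                      # CTS flood from an unknown station
        frames.append((3.0 + i * 0.05, "cts", "aa:bb:cc:dd:ee:ff", "", 6))
    return frames


def quiet_frames():
    """Constructed sample with no attack, to confirm the signatures stay silent."""
    ap = "00:11:22:33:44:55"
    frames = [(i * 0.1, "beacon", ap, ap, 6) for i in range(10)]
    frames.append((0.5, "deauth", ap, ap, 6))
    return frames


if __name__ == "__main__":
    for alert in detect(constructed_frames()):
        print(alert)
```

Note the deduplication in `detect`: without the `fired` set, a 40-frame flood would raise 21 alerts, which is precisely the "multiple messages for one attack" behaviour the review complains about.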


AirMagnet's rogue tracking screen.
