AirDefense Secures the Wireless Perimeter

By Lyne Bourque | May 20, 2004
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3357801/AirDefense-Secures-the-Wireless-Perimeter.htm
Metcalfe's Law states, "The usefulness, or utility, of a network equals the square of the number of users." This law is often cited in talk about the Internet. In fact, during the infamous "boom" of the mid-to-late 1990s, you could hardly escape those famous words.

During the '90s, the Internet was the veritable Gold Rush of the 20th century. Businesses were making money hand-over-fist at the mere mention of it. In this environment, attackers flourished because the drive was to simply get online. And security? Well, it seemed most everyone assumed that it would take care of itself.

Let's fast-forward a few worm- and attack-ridden years. The Internet boom went bust, replaced this time by a "boomlet" by the name of wireless.

Metcalfe's law still hasn't changed and many rightfully acknowledge the benefits of going wireless. Sadly, security still remains somewhat of an afterthought. In scary parallels to the past, companies are getting a little gung-ho on connecting wirelessly and making things easier for users to hop on.

This is a particular issue for medium to large companies seeking cost savings. Wireless allows for that, but is it worth the risk? I personally think yes, especially if you have the tools that can make your network safer on a larger scale.

Enter AirDefense.

This company has introduced a hardware methodology for dealing with wireless security. In larger environments — say, something over 15-20 APs covering wide areas — control over the network becomes heavily decentralized, and often, security policy enforcement can vary depending on the location. This kind of environment, often found on college campuses, hospitals, and Fortune 500 companies, can be one of the main reasons why organizations shy away from using wireless.

However, control can be centralized and policies maintained by using a product like AirDefense. A Smart Sensor, covering an area of approximately 40,000 to 60,000 square feet, can be added to wireless networks to detect activity on 802.11a/b/g. In addition to checking the network's status 24/7 (all the time, not just every so often), Smart Sensors use both end-to-end encryption and authentication to pass information to the central server appliance, a hardened device that is ready to go to work when it arrives. This means that attackers, even if they detect the sensor's activity, aren't privy to what the sensor sees.

Constant monitoring ensures that the connection states are well guarded, making it harder to hide Man-in-the-Middle (MITM) attacks, among others. Being able to detect attacks immediately can be critical for some environments. An IDS, included in the Smart Sensor package, complements this monitoring.


This IDS relies on more than just signature-based detection. It looks at a variety of factors including standard policy setup, anomalies in user activity and activity that breaks 802.11 protocols. This means the IDS is adept at detecting potential attacks before they are even known. Now, no IDS is perfect but the odds swing in your favor when you go beyond a signature-based IDS that is solely on the lookout for known attacks.

The sensors can also be helpful when trying to keep track of wireless inventory and what's being used where. This can help to differentiate regular users from rogue visitors, as well as identify when employees are trying to circumvent proper wireless policy. Additionally, this can be used to create performance baselines on a larger scale and to cross-reference such details.

Comparing something as simple as MAC addresses allows you to identify spoofed addresses, high-use users and high-traffic areas. For example, let's say a particular area rarely uses its AP while another location is near overload. You'd then only need to move the AP to a new location to ensure better load balancing. Such practical administration of network resources is possible because all of the sensors' collected information is presented in a centralized dashboard, allowing for better analysis.
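The three kinds of comparison the last few paragraphs describe (a MAC address that turns up in two places at once, an AP carrying more clients than its neighbours, and an AP that is not following the encryption policy) can be illustrated with a small script over sensor observations. The code below is an added example and is not AirDefense's code; nothing is known from the article about how the product actually implements these checks. The sensor names, BSSID labels, MAC addresses and timestamps are constructed sample data, and the `Observation` record, the 5-second `window` and the `threshold` of 3 clients are assumptions made for the illustration.

```python
"""Toy analysis of wireless sensor observations (added example, not AirDefense code).

Each Observation is what one sensor might report about a single frame: which
sensor heard it, when, the client MAC, the AP it was talking to, and whether
the association was encrypted. All values below are constructed, not captured.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    sensor: str       # assumed sensor identifier (constructed)
    ts: int           # seconds into the sampling window
    client: str       # client station MAC address (constructed)
    bssid: str        # label for the AP the client is associated with
    encrypted: bool   # whether the association used encryption


# Constructed sample data. The warehouse and lobby sensors are assumed to
# cover zones far enough apart that one radio cannot be heard by both.
OBSERVATIONS = [
    # A normal lobby client, heard repeatedly by a single sensor.
    Observation("sensor-A", 0, "00:11:22:33:44:01", "ap-lobby", True),
    Observation("sensor-A", 2, "00:11:22:33:44:01", "ap-lobby", True),
    Observation("sensor-A", 4, "00:11:22:33:44:01", "ap-lobby", True),
    # The same MAC heard in the lobby and the warehouse three seconds apart:
    # one physical station cannot do that, so the address is being reused.
    Observation("sensor-A", 10, "00:11:22:33:44:02", "ap-lobby", True),
    Observation("sensor-B", 13, "00:11:22:33:44:02", "ap-warehouse", True),
    # The warehouse AP carries several clients; a separate open AP has one.
    Observation("sensor-B", 20, "00:11:22:33:44:03", "ap-warehouse", True),
    Observation("sensor-B", 21, "00:11:22:33:44:04", "ap-warehouse", True),
    Observation("sensor-B", 22, "00:11:22:33:44:05", "ap-warehouse", True),
    Observation("sensor-B", 23, "00:11:22:33:44:06", "ap-open", False),
]


def find_spoofed_macs(obs, window=5, overlapping=frozenset()):
    """Return client MACs heard by two different sensors within `window` seconds.

    `overlapping` lists sensor pairs whose coverage areas overlap; a MAC heard
    by both members of such a pair is expected and is not flagged. Leaving it
    empty assumes every sensor covers a distinct zone.
    """
    hits = defaultdict(list)              # client MAC -> [(ts, sensor), ...]
    for o in obs:
        hits[o.client].append((o.ts, o.sensor))
    flagged = set()
    for mac, seen in hits.items():
        seen.sort()
        for (t1, s1), (t2, s2) in zip(seen, seen[1:]):
            if s1 != s2 and t2 - t1 <= window and frozenset({s1, s2}) not in overlapping:
                flagged.add(mac)
    return flagged


def clients_per_ap(obs):
    """Number of distinct client MACs seen on each AP."""
    clients = defaultdict(set)
    for o in obs:
        clients[o.bssid].add(o.client)
    return {bssid: len(macs) for bssid, macs in clients.items()}


def overloaded_aps(obs, threshold=3):
    """APs whose distinct-client count reaches `threshold` (candidates to rebalance)."""
    return sorted(b for b, n in clients_per_ap(obs).items() if n >= threshold)


def unencrypted_aps(obs):
    """APs observed carrying at least one unencrypted association (policy violation)."""
    return sorted({o.bssid for o in obs if not o.encrypted})


def top_talkers(obs, n=1):
    """The `n` client MACs that produced the most observed frames."""
    return Counter(o.client for o in obs).most_common(n)


def report(obs):
    """Summarise all checks in one dict, as a dashboard might."""
    return {
        "spoofed_macs": sorted(find_spoofed_macs(obs)),
        "overloaded_aps": overloaded_aps(obs),
        "unencrypted_aps": unencrypted_aps(obs),
        "top_talkers": top_talkers(obs),
    }


if __name__ == "__main__":
    for key, value in report(OBSERVATIONS).items():
        print(f"{key}: {value}")
```

The `overlapping` parameter is the caveat a practitioner needs: the two-places-at-once rule only holds when the sensors in question cannot both hear the same radio, so adjacent sensors with overlapping coverage must be excluded or the check will flag legitimate roaming clients.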

When looking at this product, I thought that the amount of data would be overwhelming. Fortunately, AirDefense's reporting software makes it easy to interpret the data, create necessary reports and keep the information that you critically need close at hand. As mentioned earlier, it can act as inventory control, graphically displaying connections on a visual map and graphing the various behavior baselines of devices. And not just for one location, but for all locations. This also allows me to monitor which environments are not following policy (say, using encryption for certain activities) and enforce it.

What about incidents? You can set up various policies based on what you want to have done in the event of certain activities. This can be as simple as recording the incident to paging an administrator or being "pro-active" in response.

Now, I generally shy away from "proactive" products because the potential for mistakes is exacerbated by the automated nature of these devices. But with wireless, a rogue user has to physically enter the network area. Since proactive measures can include shutting down APs (thus knocking intruders off the network) or sending multiple disconnects (a type of DoS, if you will), the likelihood of a false positive, while still there, has less of a harmful effect on "innocent bystanders". For them, it becomes more of an annoyance than anything else. This is, of course, dependent on how the rules governing the device's response to such situations were set up.

You may still think this a bit of overkill, but consider these results from a recent survey (PricewaterhouseCoopers, November 2003) on network attacks:

  • 46% of companies who have wireless have been victim of a security breach.
  • 83% of these reported a monetary loss.
  • 2% said the attacks came from a wireless source (that they know of).
That last point is important. Given that wireless use is increasing and attackers are getting easier-to-use, yet more powerful tools, that 2% seems awfully low. "Hacker" sites, for instance, are known to have published list upon list of open and unsecured APs.

Companies must realize that it's not just a matter of setting up a wireless network that's important. A close examination of the security implications can mean the difference between a solid implementation and a leaky infrastructure. Are you willing to take a chance that your competitors won't use your wireless network as a way in and help themselves to your $1 billion revolutionary widget design? Heck no! (There is obviously a lot more to your security than a simple firewall but that's another article entirely).

Serious protection does come at a cost, starting at about $10,000 in AirDefense's case. It's well worth it if you want to protect the bottom line, ensure patient and customer confidentiality or you want to make certain that your doors (and Windows) aren't open for attackers or your competitors to sneak in.

Article courtesy of EnterpriseITPlanet.com