RF management products are often sold as a security measure, both to block unauthorised devices and to prevent wireless intrusion. Amid the current surge of WLAN management products there is a distinct upsurge of interest in RF management, and two approaches have emerged: a separate, standalone RF management system, or reliance on dual-purpose access points.
Red-M's Red-Detect product is firmly in the first camp: an overlay network of dedicated probes. It is well suited to organisations with a zero-wireless policy, especially given the claims made for its intrusion detection system, which has the ability to jam any rogue access point.
In tests, it turns out to be good as an overall wireless security monitoring solution, despite two near-fatal flaws. One, it doesn’t have a real correlation engine for presenting important alerts to administrators (it relies on nested folders instead). And two, it is more expensive than the competition.
Red-Detect consists of a small, stripped-down Red Hat Linux appliance and several Red-Alert Pro probes. I was easily able to upgrade the firmware of an older Red-Alert probe to function with Red-Detect. Whereas that older probe could detect only 802.11b and Bluetooth wireless traffic, the included Red-Alert Pro probes support Bluetooth and 802.11a/b/g wireless-device detection.
The Red-Detect server depends on a management machine with a Windows-based console to display wireless network alerts and information gathered by the probes and aggregated by the server.
Red-Detect is easy enough to install and use. Unfortunately, it falls short at the information-presentation stage. The Red-Detect software console is simple, broken out into a hierarchical tree view on the left and a primary pane on the right. The primary pane, which carries the event messages and limited graphics, made the Red-Detect console extremely easy to use and navigate.
In lieu of correlation, events and alerts were dropped into their appropriate folders in the tree view. If an unauthorised wireless conversation occurred, it showed up in the appropriate folder or detailed subfolder. Such was the case for a wireless attack, a security event, or a performance event.
No correlation means duplicate messages
In the Events view, I was disappointed to find that a good number of alert and event messages were repeated. Each message or event had its own unique ID number, yet a great many events were simply duplicate messages. I could flag a specific type of event as nonreportable, but genuine event correlation would be a great improvement to the product.
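To show what the missing correlation step would do, here is an added example (not Red-M's code) that collapses repeated wireless IDS events with distinct IDs into one alert per event type, source device and AP within a time window; the event format and the sample lines are constructed for illustration.

```python
"""Added example (not Red-M code): collapse repeated WIDS alerts into one
correlated alert per (event type, source device, AP) within a time window,
the kind of correlation step the review says Red-Detect lacks."""
from datetime import datetime, timedelta

# Constructed sample events in the shape "id,timestamp,type,src_mac,ap_mac,channel".
# IDs are unique, as the review notes, yet several lines describe the same event.
SAMPLE_EVENTS = """\
1001,2004-03-02T09:00:01,rogue_ap,00:11:22:33:44:55,-,6
1002,2004-03-02T09:00:04,rogue_ap,00:11:22:33:44:55,-,6
1003,2004-03-02T09:00:09,rogue_ap,00:11:22:33:44:55,-,6
1004,2004-03-02T09:00:10,unauth_assoc,aa:bb:cc:dd:ee:01,00:11:22:33:44:55,6
1005,2004-03-02T09:00:12,unauth_assoc,aa:bb:cc:dd:ee:01,00:11:22:33:44:55,6
1006,2004-03-02T09:12:00,rogue_ap,00:11:22:33:44:55,-,6
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per site

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        event_id, ts, etype, src, ap, chan = line.split(",")
        events.append({"id": int(event_id), "ts": datetime.fromisoformat(ts),
                       "type": etype, "src": src, "ap": ap, "channel": int(chan)})
    return events

def correlate(events, window=WINDOW):
    """Group events sharing (type, src, ap) whose timestamps fall within `window`
    of the group's first event; a later recurrence opens a fresh alert so the
    administrator still sees that the device came back."""
    alerts = []
    open_groups = {}   # key -> index into alerts for the currently open group
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["type"], ev["src"], ev["ap"])
        idx = open_groups.get(key)
        if idx is not None and ev["ts"] - alerts[idx]["first_seen"] <= window:
            alerts[idx]["count"] += 1
            alerts[idx]["last_seen"] = ev["ts"]
            alerts[idx]["raw_ids"].append(ev["id"])
            continue
        alerts.append({"type": ev["type"], "src": ev["src"], "ap": ev["ap"],
                       "channel": ev["channel"], "first_seen": ev["ts"],
                       "last_seen": ev["ts"], "count": 1, "raw_ids": [ev["id"]]})
        open_groups[key] = len(alerts) - 1
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{a['type']:13} {a['src']} x{a['count']} ids={a['raw_ids']}")
```

Six raw events become three alerts: the rogue AP seen three times in ten seconds, the unauthorised association seen twice, and the rogue AP's reappearance twelve minutes later as a separate alert.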
I could also do some rudimentary performance monitoring by sorting event column headings to view connection speeds for APs and their connecting users. I could right-click an event and see more information on the devices that generated that specific event, and I could chart connection history or view channels in use to see which could be underperforming.
While I could conduct performance monitoring of a specific wireless device, this functionality paled compared to, say, AirDefense’s informational capabilities (see review). Thus, I can see using Red-Detect in conjunction with a zero-tolerance wireless policy — just monitoring a campus to see if any device is wirelessly enabled — but I’d have a hard time using the product on a consistent basis to track wireless users and devices on an actual wireless LAN.
The probes subsection lists the current probes seen by Red-Detect. A probe is normally a stand-alone device, but once selected and managed by the server, it becomes part of the Red-Detect infrastructure and is no longer independent.
I was disappointed in Red-Detect’s performance in finding wireless devices. My Red-Detect server and the three deployed probes found fewer wireless devices than were found by a single AirDefense probe.
Strong-arm tactics on intruders
One interesting component of Red-Detect is CounterMeasures, which gives administrators unprecedented and potentially harmful control. The feature locks onto intruding machines and, using a variety of adaptive techniques, keeps them from connecting to the network or seeing network traffic. A CounterMeasure can last up to 10 minutes and follows the intruder, even if he or she has moved and tried to connect to another AP on my network. It’s an interesting capability offering a strong-arm tactic against wireless intruders.
Red-Detect still has a way to go, but it is easy to use and offers value for those looking to add a layer to an overall wireless security policy.
With the unique ability to monitor Bluetooth in addition to 802.11a/b/g devices, this functional IDS solution is best used to enforce an enterprise's zero-tolerance policy on wireless devices. Although easy to use, Red-Detect lacks fundamental reporting capabilities and is expensive in relation to its capabilities and its competition.