When I first reviewed AirDefense almost a year ago (registration required to read), I was impressed with both its capabilities and policy-based approach. I’m still impressed. Although imperfect, the product facilitates wireless security monitoring with a solid policy-based core. I’m also pleasantly surprised to find that AirDefense has lowered the price of the solution dramatically. It now offers a starter kit for around $10,000 (£5,300) which helps when deploying in organisations on a tight budget.

A cost issue with any wireless IDS solution, sensors and probes will need to sit beside your wireless APs (access points) on the network. Although the sensors will not need to be as densely distributed as your APs, costs can still add up quickly when used through a building or across a campus.

The AirDefense system consists of a hardened server appliance running Red Hat Linux with distributed wireless AP sensors and a Java-based Web console. The AirDefense Web console and AP sensors communicate on a secure channel to the server.

The AirDefense appliances are scalable (the company says a single appliance can support more than 2,000 sensors and APs), but they lack a centralised management platform and do not talk to one another, except via SNMP.

After a simple sensor setup, I connected to the remote AirDefense appliance via secure Web interface. As the system relies heavily on Java applets, I had to download and install the Sun JVM (Java virtual machine) before connecting to the console via the Internet. Not surprisingly, using Java in conjunction with minor Internet delays made for sluggish console performance.

A good dashboard
AirDefense’s dashboard really shines. Tables and graphs provide views of the entire system with sections for system activity, AP counts, station counts and associations, and ad-hoc activity, as well as graphs of alarms by priority, device, and class. The graphs also include sensor-collected information such as mean signal strength and traffic levels by channel and by bytes transferred. The previous version had introduced additional information that popped up when I rolled the mouse over an AP or WLAN client icon. Now, by right-clicking you can drill down to view more detailed information on a problem or issue.

AirDefense’s strong suit is its policy-based approach to monitoring wireless devices and traffic. There are four main categories for policies: configuration, performance, vendor, and channel. All of the policy thresholds are configurable.

The vendor policy, for example, allows or disallows certain vendors’ NICs (network interface cards) and APs from being seen on the wireless network. Knowing which cards are allowed on the WLAN helps prevent session hijacking: If an enterprise has a policy of only supporting Cisco NICs, then all other NICs could be excluded so that a non-Cisco NIC would immediately trip an alarm

Reporting is also extensive in AirDefense. This version adds the ability to create reports to meet US government criteria including the Health Insurance Portability and Accountability Act (HIPPA) and Gramm-Leach-Bliley Act (GLBA), so in that country, compliance reports can be handed directly to an auditor.

Overall, AirDefense has matured well, adding nice features that round out the product. The starter kit pricing is especially attractive for those businesses that want to find out what having a wireless IDS can do for them.

AirDefense is a serious tool for those wanting to monitor their wireless domain. It isn’t perfect but it is moving in the right direction.

OUR VERDICT

Strong on policy-based management, AirDefense’s wireless 802.11 a/b/g IDS monitoring has now matured. AirDefense adds a layer of security monitoring to an enterprise infrastructure, performing signature and statistical anomaly detection, protocol analysis, and monitoring for policy deviations.