Wireless LAN management is riven with competition at the moment. Essentially a software problem, it nevertheless has hardware components, so the job can be done by wireless appliances, switches, or by management software packages. Like all management areas, it overlaps with security, so that specialist wireless security products are slugging it out with management products that include security features.
WiFi Manager (WM) is a management product in its own right which manages third-party access points. With the addition of AdventNet's sensors - also reviewed here - it becomes an intrusion detection system (IDS).
Other products we have reviewed in this area include
- Bluesocket's BlueSecure IDS, which works in conjunction with the Bluesocket appliance,
- RF-Protect from Network Chemistry,
- Red-Detect from Red-M,
- AirMagnet Distributed management system,
- Wi-Fi Watchdog intrusion detection system from Newbury Networks, and
- Highwall Sentinel wireless IDS.
This one starts for free
In its basic form, WM is free to use (so long as you have three or fewer access points and no more than 10 computers on wired connections), and if you want to manage larger networks you have the option of paying for a full licence.
WM, as its name suggests, is a tool for managing your wireless network. To this end, it is able to communicate with a load of the major vendors' wireless access points (Cisco, Dell and a selection of others are supported already, with the likes of Linksys and SMC to follow in the next release), and to read and update their configuration.
One of the problems with access points is that many of them are re-badged (so WM recognises our 54Mbit/sec Buffalo AP as a GemTek unit, and our NetGear ME102 as a Delta Networks product) but this is part of life – it's not necessarily something the management software companies can cope with.
Auto-discovery is always a pain
Although WM will auto-discover devices on the network, it can sometimes be a little bit too eager to see your APs as other types of device (particularly as servers – if an AP has a Web interface, WM may well discover it as a Web server, not an AP). Auto-discovery is generally a useful tool, though, as it gets most stuff right. Setting undiscovered stuff up manually can be a bit of a faff (simply because there are usually plenty of parameters to play with), but it's generally a one-off task so it doesn't really matter.
Once you have your range of devices, you can configure them. Obviously different devices have different capabilities (and so if a device can't do WLAN admission control, you'll not be able to configure this via WM's admission control screen) but assuming you're actually configuring functions that your kit does indeed have (SSID names, beaconing, WEP keys, that kind of thing) it's actually quite a handy tool – it certainly saves having to go around all your devices in turn and fiddle with them via their proprietary tools.
The hardware sensor
Now we've looked at WM itself, it's time to mention the IDS sensor. This is a grey box, about the size of a small hub, with a pair of antennae, an Ethernet adaptor (with IEEE802.3af PoE) and a power socket (for those without PoE). It connects to the LAN and will happily grab a DHCP-assigned IP address; WM automatically detects any sensors for you, and in our lab it had no trouble seeing what it was meant to (actually it claimed that our single sensor was in fact two similar ones, but the manufacturers have already written a fix that'll be in the next release).
The sensor is 802.11a/b/g compliant. It's slightly disappointing that it doesn't know Bluetooth as well (an advantage claimed by the Red-M IDS product), but perhaps this will be addressed before long. In any case, given its limited range, Bluetooth is far less of a threat to corporate security than the mainstream WLAN protocols).
Why bother with a sensor when you can manage your world via the cabled LAN? Simple: the sensor listens to the wireless side of your organisation, and as such it can detect devices that you don't necessarily know about via their wireless signatures.
A really good IDS GUI
As with most intrusion detection systems of this type, the name of the game is to let the system find things out there, and then to work out what they are and drop the legitimate stuff into the "trusted" pot. Once you've done this, the system will alert you to the existence of new devices as they appear, as well as keeping an eye on the existing stuff that you've left in the "untrusted" section for the time being. The "home page" of the Web GUI via which you control WM is really well implemented, with graphical statistics, intuitive drill-down and a "quick links" section into which you can drop references to the pages of the GUI that you use most, so that you have a fast route to all the stuff you use all the time.
WM is a useful management package once you've got over the oddities of setting everything up (auto-discovering what you can and then hand-carving what you can't). For small networks it's free, for large networks it's relatively inexpensive (though you'll want to sit it on a server that's working all the time, not on a user-type PC), and the RF sensor is a useful add-on that gives you the ability to spot wireless devices that wouldn't otherwise be visible.
Given the modest price tag of the sensor unit (particularly with current exchange rates) we'd suggest going for the whole package, as for not much more money you get significant extra functionality.