The versatile nature of WLANs can make them extremely difficult to manage and monitor but with the right tools they can be brought to heel. There is a wide range of WLAN management products on the market [He is not kidding. See our reviews of products from AirMagnet, Aruba, WildPackets, HP, Symbol, Bluesocket, Trapeze and others - Editor]. However, few look capable of matching Airespace for features as it provides one of the most comprehensive security solutions we’ve yet seen.
The product family centres around the Airespace WLAN switch - we reviewed the twelve port version. As an Ethernet switch, it doesn’t deliver anything particularly exciting with the usual DHCP, STP and VLAN services supported while all twelve 10/100BaseTX ports are 802.3af PoE compliant. However, the embedded Airespace Director software brings into play a whole new range of features specifically for WLAN monitoring and security management. This works in partnership with the Airespace 1200 access points (APs) to provide features such as automatic rogue AP and ad-hoc network detection, load balancing across multiple APs and direct control over AP power output. The latter feature allows the switch to dynamically alter the power output of specific APs if it detects holes or interference in wireless coverage.
All management access is via the switch’s browser interface which is easy enough to use and starts off with a simple table showing the unit’s status and a list of discovered wireless clients and APs. This is broken down to show Airespace APs and those offering 802.11a or 802.1b/g services plus rogue APs, ad-hoc networks and clients. Selecting rogue APs takes you over to another list showing each unit’s MAC address and SSID along with the number of connected clients.
You’ll even be advised of which Airespace APs detected the intruder and be given the opportunity to contain the device. This is a very smart feature as you can use up to four Airespace APs to discourage clients from connecting with the rogue device with various degrees of aggressiveness. During testing we introduced three different rogue APs into the wireless network and all were identified within seconds of coming on-line. With four Airespace APs ganging up on them, test clients were unable to access them. If you opt to allow rogue APs to function the Director will advise on the number of Airespace APs that have detected them and shows the clients associating with them along with their MAC addresses.
The WLAN option determines wireless services and deploys QoS and security policies. Profiles are used to control QoS and each contain bandwidth contracts, a limit on usage per AP and queue depths and these are then applied to your WLANs. You can opt to enforce a range of Layer 2 and 3 security measures such as WEP, WPA, RADIUS, IPsec and L2TP and insist on DHCP address assignments for clients. Policies are also used to automate responses to rogue activity so if any are detected they can be contained without any user intervention.
Monitoring and management
The Airespace solution gets even more interesting once the ACS (Airespace Control System) software in brought onboard as this provides very high levels of WLAN monitoring and management. ACS effectively replaces Director as it provides full access to the switch and all its functions. One of the most interesting additions is the mapping feature which provides a complete picture of your wireless networks. You can create and import your own GIF or JPG layouts of buildings and campuses then position previously identified APs within them. The map uses heat signature style mapping to represent the reach of each AP allowing you to position them correctly for maximum coverage. You can see how the walls of your building affect coverage and the RF mapping is accurate enough to show signal leakage through office windows and doors where represented in the graphics.
The secure ACS browser interface opens with a detailed rundown on the immediate state of the wireless network. You can see the most active APs, recent rogues and coverage holes and moving over to the security summary provides a detailed breakdown of rogue activity. Along with our triplet of rogue APs we also introduced a simple ad-hoc network: ACS picked it up and advised us of its presence.
Intrusion detection is also on the menu allowing ACS to identify and defend against attacks. Alerting facilities could be better as security warnings are posted within the ACS interface, SNMP traps can be sent and emails delivered but only to a single address.
Location tracking could be useful
Available as an option to ACS, the Location Tracking feature could be a clincher. Airespace (which launched its location service earlier this year) reckons it can track wireless clients to an accuracy of within ten metres allowing you to build up a detailed map of movement throughout your WLANs. Location tracking could be a significant feature in Wi-Fi systems (see our feature on the subject), but this is only the second product we’ve seen that offers location tracking. The previous solution didn’t last long as while we were reviewing Cirond’s WinC Manager the company advised us it was removing it from sale (Cirond brought WinC Manager out with a fanfare, and lots of impressive arguments, but apparently had trouble delivering).
The software only used triangulation (see Airespace's White Paper) and was designed to support a wide range of third party access points but during testing we could only get it to work with one Cisco product. At present there are no standards controlling location tracking and Airespace uses RF fingerprinting along with a proprietary prediction tool to build a map of the various wireless networks present within a building.
The Airespace access points contribute by providing RF signal strength measurements which are incorporated into a database. Once this information has been applied to the building map you can see the movement of wireless clients and zoom in on the location of rogue access points and ad-hoc networks as they come on-line.
Airespace has a deal with Aerosoft for active RFID tags, which add a new dimensions to location tracking. Airespace advised us that one hospital is using this to monitor the physical location of newborn babies in its maternity wing: movement beyond a specific perimeter causes ACS to send out immediate alerts (more prosaically the Airespace 4000 system is also in use at a doughnut warehouse).
While it’s true that this level of sophistication comes at a price, the APs do actually look good value considering the extra inbuilt intelligence they provide. That aside the Airespace wireless security solution is one of the most comprehensive we have yet seen as it offers a wealth of reporting facilities, the ability to deploy and monitor WLAN security policies easily from a central console and a mapping facility that could prove invaluable.
Wireless networks in the enterprise are a real threat to security and need to be locked down tight. Airespace certainly delivers one of the most comprehensive wireless monitoring and management solutions currently on the market, making it an ideal choice for these environments. But this is a proprietary solution so all your bets will be on one vendor.