Wireless networking brings some unique problems to the network manager. Not least is the fact that you can't necessarily tell when something has been connected to the network – a problem that's magnified by the fact that you don't even need to be on the premises to connect to the corporate LAN.
As a result, wireless LAN security is a burgeoning area. There are specialist products from companies such as
- AirDefense (read our review of AirDefense),
- AirMagnet (read our review of AirMagnet),
- Newbury Networks (read our review of AirMagnet),
- Highwall (read our review of Highwall) and
- Red-M (read our review of Red-M Red Detect).
Wireless switch/appliance vendors also make much of their security features - consider
- Aruba (read our review of Aruba),
- Airespace (read our review of Airespace),
- Trapeze (read our review of Trapeze) and
- Symbol (read our review of Symbol).
Wireless appliance maker Bluesocket has highlighted security since its launch, in the sense of offering a firewall-like appliance to keep wireless threats off the wired network (read our review of Bluesocket's WG-5000 appliance). Its product takes a similar approach to ReefEdge (read our review of ReefEdge, but bear in mind the company is apparently closed) and Vernier (read our review of Vernier as badged by Hewlett-Packard).
Now the company is joining the pack, by extending into intrusion detection for wireless LANs (see Wireless security systems hit the market), with a product called BlueSecure that addresses the problem of rogue devices entering and using the WLAN.
The hardware part of the package is the BlueSecure RF sensor, a small metal box with a pair of antennae that listens for WLAN traffic; for all but the smallest installations you'd have a number of sensors placed strategically around the premises. The box has a pair of connectors (one is a PoE-enabled network interface, the other a standard power socket for those who don't have a PoE-capable switch to connect it to) and supports 802.11a, b and g.
Once you've got your sensors hooked up, you run the software package. There are two applications, of which the most trivial is SensorManager. This lets you find the sensors on the network (it'll auto-detect within your local subnet, or you can specify the addresses of remote sensors) and either set their IP addresses manually or tell them to use DHCP to obtain network information themselves. Once you've got the sensors set up such that you can talk IP to them, you have the choice of configuring them more intricately (you can set WEP keys to enable them to decode packets, and if you so wish you can restrict the channel range that a sensor watches).
Having configured the sensors, you now run up the BlueSecure application itself. It's a multi-pane screen that monitors the sensors and thus discovers what's happening in the WLAN world. When you begin, it assumes that every access point on the network is a "rogue" device; to confirm that something is actually meant to be there, you simply right-click its entry in the list and select "Add to authorised stations" in the resulting pop-up. The client devices the system spots (i.e. the laptops, PCs, PDAs and the like) are listed in the network window as "children" of the access points, so you can see at a glance which AP each entity is associated with; there's also an "Unassociated" section for devices that are visible but not presently connected to an AP.
The auto-discovery capability of the sensors seems excellent; as we added stations to our WLAN it took only a few seconds for them to appear on the list. The sensor monitors the basic parameters of each device (the network window shows basic stuff like the signal strength, number of packets transmitted, the channel the device is using, and so on) and you can drill into the device by clicking on it and looking in the "Station Details" pane. The latter has a number of sub-sections, accessible via a row of tabs, that tell you everything from the nearest BlueSecure sensor (so you know where to start looking) to an in-depth packet trace. And if you want to delve about in the traffic, you can launch a full-blown packet capture for a given device or access point (which is, of course, where the WEP keys you gave via SensorManager are used to decode the packets and make their content visible).
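The inventory model described above (every access point is rogue until authorised, clients listed under their AP, an unassociated group, nearest sensor by signal strength), sketched as an added Python example. This is not BlueSecure's code; the record layout, sensor names and MAC addresses are constructed assumptions.

```python
# Constructed sample sensor observations (illustrative, not real captures):
# (sensor, frame_type, bssid, station_mac, ssid, rssi_dbm)
OBSERVATIONS = [
    ("sensor-lobby", "beacon", "02:00:00:00:aa:01", None, "corp-wlan", -48),
    ("sensor-lab",   "beacon", "02:00:00:00:aa:01", None, "corp-wlan", -71),
    ("sensor-lab",   "beacon", "02:00:00:00:bb:02", None, "", -55),  # SSID not advertised
    ("sensor-lab",   "data",   "02:00:00:00:bb:02", "02:00:00:00:cc:10", None, -60),
    ("sensor-lobby", "data",   "02:00:00:00:aa:01", "02:00:00:00:cc:11", None, -52),
    ("sensor-lobby", "probe",  None, "02:00:00:00:cc:12", None, -80),
]

def build_inventory(observations, authorised_bssids):
    """Default-deny view: an AP is 'rogue' unless its BSSID is authorised."""
    aps, stations = {}, {}
    for sensor, ftype, bssid, station, ssid, rssi in observations:
        if bssid:
            ap = aps.setdefault(bssid, {
                "ssid": "", "clients": [], "nearest_sensor": None, "best_rssi": None,
                "status": "authorised" if bssid in authorised_bssids else "rogue",
            })
            if ssid:
                ap["ssid"] = ssid
            # Beacons come from the AP itself, so they decide which sensor is closest.
            if ftype == "beacon" and (ap["best_rssi"] is None or rssi > ap["best_rssi"]):
                ap["best_rssi"], ap["nearest_sensor"] = rssi, sensor
        if station:
            if ftype == "data":
                stations[station] = bssid           # traffic via this AP: associated
            else:
                stations.setdefault(station, None)  # seen, but no association known
    unassociated = []
    for station, bssid in sorted(stations.items()):
        if bssid is None:
            unassociated.append(station)
        else:
            aps[bssid]["clients"].append(station)   # list client as a child of its AP
    return aps, unassociated

def report(aps, unassociated):
    """Render the tree: APs with status, their clients, then unassociated stations."""
    lines = []
    for bssid, ap in sorted(aps.items()):
        name = ap["ssid"] or "<SSID not advertised>"
        lines.append(f"[{ap['status']}] {bssid} {name} nearest={ap['nearest_sensor']}")
        lines += [f"    client {c}" for c in ap["clients"]]
    lines.append("Unassociated: " + ", ".join(unassociated))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(*build_inventory(OBSERVATIONS, {"02:00:00:00:aa:01"})))
```

An access point that does not advertise its SSID is still tracked, because the inventory is keyed on BSSID rather than network name.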
BlueSecure is a useful tool for ensuring that your network isn't being overrun with rogue end stations and access points. It'll spot rogue access points even if they're configured (as one of ours was) not to advertise their SSIDs, and the way data is presented is comprehensible and sensible. Whether you'd ever bother doing full packet decodes is open to question, but at least the facility is there should you ever want to, say, gather low-level evidence of misbehaviour. In short, a useful and usable product.
This type of system only gives value if you do the job properly and buy sufficient sensors to cover a sensible portion of the organisation. So don't think you can cover a vast site with a single sensor – if it's out of range of a rogue device's radio, you won't spot it.