When you've got a large enterprise wireless LAN infrastructure, keeping track of all your access points becomes a monster job as the network gets bigger. WaveLink's Mobile Manager Enterprise is a central administrative, management and infrastructure audit point for an 802.11 WLAN. In tests, we found that it's a major piece of the puzzle that can be made even larger with the integration of AirMagnet Enterprise (read our review of AirMagnet) to help diagnose network problems.
Mobile Manager Enterprise has an almost-surgical ability to manage a diverse set of access point brands and models in great detail by administrator-defined groups with pre-defined, articulate policies. Firmware upgrades and access control list (ACL) changes - the bane of access point management - can be rolled out with incredible ease. WaveLink keeps track of its list of compatible vendors and knows their foibles perhaps better than the access point vendors themselves. Where WaveLink can control, it has a very strong grip.
We found that the system can be fooled, but not for long. Mobile Manager Enterprise doesn't monitor the wires like a protocol analyser or intrusion-detection application, so it's for wireless components only. It also has a limited set of enterprise wireless access points that are compatible with the system.
Monitor and manage
Mobile Manager Enterprise is a server-based application that runs on Windows 2000 server or XP Professional (with appropriate service packs installed). The server application joins a wired network where wireless access points reside. These networks can be local, or joined over a VPN or private network link.
The system monitors, controls and administers the discovered wireless access point infrastructure. Mobile Manager Enterprise runs as a Windows service, and an application called Administrator connects to the service through an authorised network adapter on the server.
The system probes the network via administrator-defined searches to look for access point signatures that it knows through an auto-discovery process (it looks for various Layer 2 signatures). Specific IP address ranges also can be monitored for access point signatures. When found, the access points are added to the Mobile Manager Enterprise database. Access points are categorised and become managed by groups and areas. The system manages only enterprise-class access points, and the compatibility list is important because incompatible access points must be managed singly and discretely. Managing an incompatible access point adds to the labour cost, thwarting the WaveLink system's usefulness. We wish more access point models could be managed with WaveLink, but because enterprise-class devices are uniformly managed through SNMP and ACLs, users of lower-priced access points with fewer features will be left out from WaveLink's management conveniences.
A graphical view of the network can be used to visualise discovered components. You then can watch mobile devices roam across the graphical maps imported into the application. We found this amusing but not incredibly compelling. This feature might be useful in tracking rogue devices as they roam through a large facility and potentially helps locate these devices when needed; otherwise, it's more of a gimmick.
What we used
We tested WaveLink Mobile Manager Version 5.7.2 in a 4,000-square-foot building using several access points, including those from Proxim, Cisco and Symbol. We added several "rogue" access points from these vendors, as well as those from D-Link, Linksys, APC, 3Com and others. Rogue detection was tested in several ways, including using them with spoofed media access control addresses, using old and unsupported firmware, and other "tricks."
We used several notebooks and desktop PCs from HP, Sony, Apple and Toshiba. CardBus adapters included those from D-Link, Proxim, Cisco, Microsoft, Linksys, 3Com and Netgear. Operating system clients included Windows 2000 Professional, XP Professional with Service Pack 2, GNU/Linux Xandros 3.0, Apple OS X 10.2.x and 10.3.x, and an HP iPaq with Windows CE. We installed the server application on XP with Service Pack 1, and later onto an HP DL360-G2 with Windows 2003 Server.
We couldn't fool it for long
We found that Mobile Manager Enterprise knew which ones were and weren't within seconds. We found it possible to fool the system by changing the media access control (MAC) address of a D-Link Systems home access point/router to one that falls within a compatible range. But that trick worked only until the system probed the access point/router to discover the masquerade during the system's check of its known access point lists. This type of rogue lives a short life until it is detected. Except for some very old yet ostensibly compatible access points, detection was flawless.
The system then can develop an ACL or point to a control point (we used a Linux-resident Radius server) as an authenticator. It is necessary to populate access points with the information needed to update their ACLs with acceptable client-side MAC addresses. By itself, the ability of Mobile Manager Enterprise to do ACL updates across an entire corporation is nearly worth the price of the product in labour savings. Newly installed or replacement access points can be automatically updated and placed into service. In our tests, this feature worked for three brands of compatible access points.
It handles firmware updates
We also used the system to perform access point firmware updates and changes. Profiles for groups or individual access points can be built, including settings for security (such as Wired Equivalent Privacy, 802.1X and other settings). We found this simple to set up and a strong benefit. A default profile can be used as the basis for others. Once profiles are built, the default profile can be used to automatically install firmware updates and policies to any new access points. In testing, we found the automatic installation was a breeze for rolling out new or expanded wireless infrastructure.
WaveLink also sends an addendum that highlights implications of firmware updates for each access point type it covers. This is very handy, as access points from different brands and models don't react to firmware updates in the same way, requiring access point-specific instructions for updates. Also, if a firmware update requires a reload of an ACL list or other settings, Mobile Manager Enterprise can handle this rapidly.
Get alerts when things go wrong
The system's alerting feature lets users create statistical alerts (such as when traffic is too high or there are too many errors) to trigger e-mail messages, or proxy sends to a network management framework (Computer Associates' Unicenter, HP OpenView or another SNMP manager).
Mobile Manager Enterprise maintains a database of access point firmware that is subsequently sent to access points via Trivial FTP, which is a non-secure but seemingly mandatory protocol for updates to access points. We force-fed alarm conditions to the Mobile Manager Enterprise server using NMAP and were unable to make the system choke, although the user interface fell behind the updated alarm lists for a while.
A prerequisite for using Mobile Manager Enterprise is that an entire spatial geography be covered by access points (or AirMagnet sensors), as the system doesn't perform intrusion-detection-system-like checks of network wires to look for rogue access point signatures, except when it periodically probes the network looking for access points. The time frame is long enough to let some access points with spoofed MAC addresses be ignored for a while. When a wireless rogue was introduced into Mobile Manager Enterprise-covered airspace, it detected it every time.
It learns the location of surrounding access points, and moving an access point physically can set off a trigger. Ad hoc networks that can be heard also are detected and flagged, such as APC's Wireless Mobile Router, which extends wired or dial-up connections for shared 802.11b clients. AirMagnet Enterprise adds value to the system by its ability to send triggers to Mobile Manager Enterprise that rogue devices have been detected.
We could only find one method that fooled Mobile Manager Enterprise, and only for a short time. It required a "van in the parking lot" style attack, where an access point with a wired connection uses a spoofed MAC address identical to the one it replaces. This works only until the scheduled probe discovers that the feature set isn't identical, which generates an alert. Other rogue attempts, via client or access points, were all detected.
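The two-stage behaviour seen in testing (a quick MAC address check, followed later by a scheduled probe that compares the feature set) can be sketched as below. This is an added example, not WaveLink code; the MAC addresses, model names, profile fields and status labels are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    """What an access point reports about itself when probed."""
    model: str
    firmware: str
    features: frozenset


# Constructed sample data: managed APs keyed by MAC, supported vendor prefixes and models.
INVENTORY = {
    "00:11:22:aa:bb:01": Profile("ExampleAP-100", "2.1.0",
                                 frozenset({"snmp", "acl", "802.1x"})),
}
COMPATIBLE_OUIS = {"00:11:22"}
SUPPORTED_MODELS = {"ExampleAP-100"}


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-.., aa:bb:.. or aabb.. and return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac: str, probe: Optional[Profile] = None):
    """Return (status, mismatched_fields); probe=None means the scheduled probe has not run."""
    mac = normalize_mac(mac)
    known = INVENTORY.get(mac)
    # Stage 1 (fast): is the MAC one we manage, or at least in a supported vendor range?
    if known is None and mac[:8] not in COMPATIBLE_OUIS:
        return "rogue", []
    if probe is None:
        return "unverified", []  # plausible MAC only: the window a spoofed device lives in
    # Stage 2 (scheduled probe): compare what the device reports with what is expected.
    if known is None:
        if probe.model in SUPPORTED_MODELS:
            return "unmanaged", []
        return "rogue", ["model"]
    diffs = [f for f in ("model", "firmware", "features")
             if getattr(probe, f) != getattr(known, f)]
    return ("spoofed", diffs) if diffs else ("managed", [])
```

The "unverified" state is the interval the review describes: a device with a plausible or cloned MAC address passes the first check and is only flagged once the probe result arrives.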
A few bumps
The user interface suffers from a few features that don't work (for example, seeing date stamps on logs from the log manager). There is no method to import user ACLs or draw from directory services of any kind. MAC address data entry is painful, even if it needs to be done only once. Even companies that keep studious track of user information must enter items manually.
Documentation is extensive, but sometimes ambiguous. Updates are helpful for access point-specific information, but drawing conclusions as to action items is left to end users, as no recommendations are made.
It is worth considering adding AirMagnet Enterprise Version 5 (formerly known as Distributed Version 4). It has been compatible with Mobile Manager Enterprise for several months. Sensor information and SNMP traps can communicate with the WaveLink system in intelligent ways bidirectionally. One main benefit of this integration is the newly enabled ability for AirMagnet Enterprise to shut down switch ports where rogue activity is suspected.
A great time saver
Overall, WaveLink's Mobile Manager Enterprise is an extraordinary time saver. It's a must-have for companies with heterogeneous access point infrastructure (and remote sites), as the alternative is lots of duplication of effort to manage and update access points, and the incumbent documentation needed for security audits.
An extraordinary time saver, especially for companies with different kinds of enterprise access points and multiple sites.