Recently, a reader reported being forced to disable intrusion-prevention monitoring within shared, multi-tenant locations because the wireless scanning system was generating a confusing abundance of red herrings, or false positives, from neighboring access points.
The thought of anyone forced to turn off security caused my anxiety level to spike.
It turns out that economics preclude the use of a third-party overlay monitoring system at the readers company, which opted instead for a combination access point (AP)/scanning system built by its Wi-Fi systems vendor. This is a pure example of the insurance policy nature of network security, which boils down to balancing how much you invest with the potential impact of a compromise to your organisation.
Solutions cost money
You can fix the red herring problem if you are willing to spend a bit; you have to decide how much security you can justify buying. Most of todays overlay systems support policy enforcement engines that automatically discover and classify nearby devices that arent connected to your network as unauthorised but not troublesome. Once the device has been classified as non-threatening, the system doesnt continue generating alerts about its existence.
Among the vendors providing such systems are AirDefense (read review), AirMagnet, (read review), AirTight Networks, Highwall Technologies (read review), Network Chemistry (read review) and Newbury Networks (read review). AirDefense and AirTight are currently in patent litigation over a different component of their systems, the remote security event-filtering and transmission mechanism.
How do they work?
A Network Chemistry system, for example, would identify all known APs as authorised, then use a variable such as signal strength to differentiate between threatening devices in the facility and non-threatening neighboring devices, explains Brian deHaaf, vice president of product marketing.
For example, any AP with a signal weaker than -70db might be known to be outside of the facility. A stronger signal might indicate that it is inside the facility and, if not authorized, is a threat to be addressed.
The automatic classification of unknown APs as rogue APs by some systems can also be problematic, adds Sri Sundaralingam, director of product management and technical marketing at AirTight. The reason is that someone with a handheld wireless analyzer will have to find and check all the unknowns, which can cause a scalability problem, he says.
How to do it on a budget
Dilip Advani, technical marketing engineer at AirMagnet, has some advice that could fit my readers budget. He observes that the readers neighboring tenants should also be concerned that their devices are leaking wireless signals.
Ideally, neighboring stores could resolve this diplomatically by sharing their network information to come up with a wireless non-interfering environment, he suggests. This might require neighbors to change channels, lower their power settings or make other network adjustments, he notes.