
By Andrew Garcia  |  Posted 2004-08-07

In tests, eWEEK Labs found that distributed wireless overlay networks provide the most feature-rich products and comprehensive coverage, but infrastructure manufacturers such as Aruba Wireless Networks Inc. are quickly closing the gap with features integrated into their lines of access points and WLAN switches.

To test the capabilities of intrusion detection engines, we invited AirMagnet, AirDefense and Highwall Technologies Ltd. to submit products. We found that each tested product capably detected our simulated attacks and rogue devices, but there were significant differences in the sensor devices and policy creation and notification tools.

There's a race among wireless IDS vendors to quickly add new features. We expect AirDefense and AirMagnet to offer significant feature upgrades within the next month. While the vendors will continue to enhance their detection and correlation routines, buyers should expect to see significant improvements in location tracking and radio-frequency jamming in future revisions.

Better location tracking is a particularly welcome development, since we've been less than impressed with early location results. In our tests, location tracking is generally accurate only to about 30 feet, leaving roughly 314 square feet of area or more for us to manually search.

One of the drawbacks with distributed wireless overlay solutions is that they require a separately managed overlay network, which means IT departments must deploy a fleet of sensors and face issues regarding power and network connectivity. And because many wireless networks are already deployed as an overlay to the wired infrastructure, these products can quickly lead to an out-of-control layering of the network.

As an alternative, wireless infrastructure products are quickly gaining wireless IDS capabilities. Because these products' sensor capabilities are integrated with a WLAN infrastructure, they allow greater flexibility to actively block suspicious connections via access blacklists and wireless DoS (denial-of-service) measures. If corporations are looking to replace early-generation wireless equipment to add 802.11i support, these products may well fit the bill for access and monitoring alike.

Access points from wireless switch vendors Airespace Inc. and Trapeze Networks Inc. periodically scan all the channels as part of their operating routine, which is fine for finding rogue access points but less effective for pinpointing attacks and keeping tabs on client activity. We fully expect that all enterprise-class access points will offer some level of rogue detection within a year. For instance, Cisco Systems Inc. has integrated limited rogue detection into its access points; that detection is enhanced when used in conjunction with the company's Wireless LAN Solution Engine.

Aruba has taken things a step further, offering the most comprehensive IDS features among the infrastructure products we've seen. Aruba allows its access points to be configured as active access points that monitor a single channel or as sensors that sweep the spectrum.

Handheld or laptop-based solutions are also available. Although they provide only single-point-in-time data and are therefore inadequate for security monitoring, they can be invaluable for pinpointing the location of rogue access points to disable them—a useful accessory when overlay or infrastructure location results leave a lot of room for error.

We've found AirMagnet's Laptop Trio to be the best solution in this class, but WildPackets Inc.'s AiroPeek NX and Network Instruments LLC's Observer 10 also perform well.

Technical Analyst Andrew Garcia can be reached at


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
