By Andrew Garcia  |  Posted 2006-07-10

SpectraGuard Enterprise 5.0 builds on AirTight Networks' already-impressive wireless intrusion prevention platform with new management and detection capabilities. eWeek Labs' tests show that some of the newer features need improvement, but we nonetheless think the product merits consideration by security-conscious businesses looking to lock down their Wi-Fi environments.

We tested SpectraGuard Enterprise 5.0 using AirTight's Standard Server appliance, which lists for $9,995. (A higher-end model—with dual CPUs, more memory and more disk space—is available for $12,995.) Our testbed included five sensors (priced at $795 each), the number recommended for the floor plan we intended to protect.

SpectraGuard Enterprise 5.0's strength lies in its automated classification routines. Once the product detects unknown wireless APs (access points), clients or ad hoc networks, it automatically begins organizing these devices according to the level of risk they present for a company's network.

For example, SpectraGuard Enterprise 5.0 quickly identified when we connected an unauthorized (rogue) AP to our protected wired network but classified an identical AP that we connected to a different network as an external (neighbor) AP. SpectraGuard Enterprise 5.0 automatically quarantined the rogue AP, disassociating any clients that attempted to connect to it until it was disabled, but it took no automatic action against the neighbor device.

The decision trees that underlie these classifications are nicely presented to wireless administrators in SpectraGuard Enterprise 5.0's outstanding online help files, along with copious other data that clearly explains and diagrams various concepts (see screen, below).

SpectraGuard Enterprise 5.0 offers four modes of wireless intrusion prevention: block, disrupt, interrupt or degrade. The different levels represent the trade-off between the tenacity of the service disruption and the number of RF (radio frequency) channels a single sensor can disrupt at one time.

We found the default setting—disrupt—to be quite successful at keeping clients from interacting with an AP. While our test clients could obtain a DHCP (Dynamic Host Configuration Protocol) address from the wireless network, we could never pass a single ICMP (Internet Control Message Protocol) packet during the quarantine.

During our tests, SpectraGuard Enterprise 5.0 also helped us identify authorized clients attaching to unapproved networks, DoS (denial of service) attacks, reconnaissance attacks via older versions of NetStumbler and wireless performance risks, such as interference from external devices and illegal channel usage in the 2.4GHz band.

We experienced wildly variable results with AirTight's location-tracking capabilities.

SpectraGuard Enterprise 5.0 offers two ways to do location tracking: One uses detected signal strength to extrapolate distances between sensors and detected devices, while the other relies on more advanced calculations, attempting to account for RF attenuation factors caused by various building materials, walls or objects. The latter method is somewhat akin to the capabilities offered with Trapeze Networks' RingMaster planning software.

We initially attempted to use the RF modeling method but had limited success. We contracted AirTight's planning service (priced at $500 for one site) to turn our office-plan CAD file into a SpectraGuard template. (Do-it-yourselfers can use SpectraGuard Planner 3.1, priced starting at $2,495.) The planning service also recommended the optimal number and deployment locations of sensors.

Unfortunately, we made some incorrect estimates about building materials, which threw our template out of whack with real-world findings. This made it impossible to correctly calibrate the environment—and quite difficult to glean accurate tracking. When we attempted to locate detected rogue APs, we were sometimes led astray by as much as 50 feet (see top screen, Page 44).

We had much greater success with the less advanced location-tracking algorithm, which plots locations on a simple JPEG or GIF graphic of a floor plan. With this technique, we experienced the most accurate tracking we've ever seen from a wireless tracking product, successfully locating dozens of devices throughout our offices, usually to within 10 feet (with a middle-of-the-road probability setting selected).

AirTight officials acknowledged that they have had some growing pains with their more advanced location-tracking capabilities. We recommend that administrators make sure their floor plans are updated with the absolute latest layout modifications and building material data before moving ahead with the advanced tracking algorithms.
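
The sensitivity to attenuation estimates described above can be reproduced with a generic log-distance path-loss model and least-squares trilateration. This is an added example, not AirTight's algorithm or code from the review; the sensor layout, reference power, path-loss exponents and device position are constructed assumptions.

```python
import math

# Constructed sensor layout (feet) for a 100 x 60 ft floor; not from the review.
SENSORS = [(0, 0), (100, 0), (100, 60), (0, 60), (50, 30)]
P0_DBM = -40.0  # assumed RSSI at the 1 ft reference distance


def rssi_at(distance_ft, exponent):
    """Log-distance path loss: RSSI falls by 10*n dB per decade of distance."""
    return P0_DBM - 10.0 * exponent * math.log10(distance_ft)


def distance_from(rssi_dbm, exponent):
    """Invert the model: the range a sensor infers from one RSSI reading."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10.0 * exponent))


def locate(readings, exponent):
    """Least-squares trilateration from per-sensor RSSI readings.

    Subtracting sensor 0's circle equation from each other sensor's gives a
    linear system A [x, y]^T = b, solved here through the 2x2 normal equations.
    """
    d = [distance_from(r, exponent) for r in readings]
    (x0, y0), rows = SENSORS[0], []
    for (xi, yi), di in zip(SENSORS[1:], d[1:]):
        a1, a2 = 2 * (xi - x0), 2 * (yi - y0)
        b = d[0] ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x0 ** 2 - y0 ** 2
        rows.append((a1, a2, b))
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is not determined")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def tracking_error(true_pos, real_exponent, assumed_exponent):
    """Distance (ft) between the true device position and the estimate."""
    readings = [rssi_at(math.dist(true_pos, s), real_exponent) for s in SENSORS]
    return math.dist(true_pos, locate(readings, assumed_exponent))


if __name__ == "__main__":
    rogue_ap = (70, 20)  # constructed device position
    print("calibrated model  :", round(tracking_error(rogue_ap, 3.3, 3.3), 2), "ft")
    print("wrong attenuation :", round(tracking_error(rogue_ap, 3.3, 3.0), 2), "ft")
```

With these constructed values, a model exponent that matches the environment recovers the position, while a modest underestimate of attenuation moves the estimate by tens of feet.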


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
