Its no secret that installing a wireless network creates security concerns. And its a no-brainer to recognize that network traffic carried over the air should be encrypted to prevent eavesdropping.
But more is required, and a handful of vendors are stepping up to fill the void. VigilantMinds recently announced AirXone, an intrusion detection and prevention product that provides special protection for wireless networks. AirMagnet, Network Instruments and other protocol analyzer makers, as well as wireless security makers including AirDefense, are also rolling out new security tools for wireless networks. The premise of these tools is simple enough: Wireless networks nullify physical access controls and create a hacking exposure.
Although I usually advise IT managers to avoid spending money on wireless monitoring tools—because nearly every network problem can be solved using traditional, and usually significantly less expensive, wire-line tools—I have to say Im taken with the latest crop of security-oriented wireless products Ive seen at eWEEK Labs. For example, Trapeze Networks WLAN Mobility System can periodically put access points into listen-only mode to ferret out rogue access points. Aruba Wireless Networks Aruba 5000 switch and Aruba 52 Access Points can also discover unauthorized nodes. (See reviews of these products at www.eWEEK.com/labslinks.) IT managers should pay close attention to these products because they listen for hackers and raise an alarm when hackers try to access a network.
AirXone takes wireless security to a new level by offering intrusion prevention, using access controls on the physical network to stop intruders. Look for eWEEK Labs review of the stand-alone product in the next several months.
New products that adapt tried-and-true network security measures (intrusion detection, user authentication and access control) to wireless security problems make it reasonable to implement wireless networks in organizations that have feared doing so.
Of course, designing and building a secure wireless infrastructure from the ground up is better than adding it later. However, many of the security tools coming on the market offer a great deal of advice on implementing security for wireless networks that are already deployed. For example, AirDefenses AirDefense software uses sensors to communicate what is happening in the air back to an appliance that processes the information.
Because the sensors are added to the network much like 802.11 access points, they are simple to install, and they maintain a close watch on wireless activity. The chief advantage of this approach to securing wireless networks is that the sensors dont need to know about legitimate access points. They just passively listen for traffic in the air and report what they find. IT managers then have to figure out which access points are legit and which should be taken down. Because the sensors are installed throughout the enterprise, they maintain a constant vigil.
This approach has drawbacks, however. Unlike handheld wireless detectors, such as those provided by most of the big names in the protocol analyzer market, including Network Associates, once the sensors are installed, it should be assumed that sooner or later they will need to be upgraded. The cost of maintaining the permanently installed sensors that are the backbone of the monitoring systems weve seen could become a serious drawback.
In our experience at eWEEK Labs, it has usually been enough to walk around with a wireless sniffer looking for rogue access points. The handheld, or more often laptop-based, sniffers are simple to upgrade and easier to maintain, although they are labor-intensive in that someone has to walk around a building to detect and capture wireless data.
At the end of the day, youll need to balance several factors: the value of having wireless data access, the value of the data sent over the air and users requirements for privacy. For many businesses, the productivity gains and convenience of wireless network access will outweigh the risks. This is especially true if wireless access is limited to Internet applications such as browsing and Web-based e-mail.
Discuss this in the eWEEK forum.
Cameron Sturdevant can be reached at firstname.lastname@example.org.