AirDefense, AirMagnet, Highwall Track Down Attacks
eWEEK Labs invited several vendors of overlay wireless intrusion detection systems to submit products for our tests, and three obliged. AirDefense Inc. submitted AirDefense 4.0, priced at $10,000 for the server appliance and five sensors. AirMagnet Inc. delivered its AirMagnet Distributed 4.0, whose starter kit of server software, management console and four sensors is priced at $7,995. Highwall Technologies Ltd. sent its Rogue Detection System 2.0, which includes the $5,000 central management software, the $1,995 Highwall Sentinel 1000 sensor unit and the $1,995 Highwall Scout 2000 antenna for extended-range coverage for 802.11b and 802.11g detection.
AirMagnet and AirDefense use off-the-shelf sensors licensed from Senao International Co. Ltd., but each uses them differently. AirDefense sensors strip the wireless packet headers and ship them to the central server for processing and correlation routines. AirMagnet sensors perform processing at the edge device, so each sensor keeps operating if the central server fails.
Meanwhile, Highwall has designed its sensors and antennas for extremely long-range detection capabilities that can perform moderately effective location mapping from a single Sentinel/Scout pair.
In tests, we expected each product to effectively discover and identify unknown clients, ad hoc networks and access points. Given our offices locationa high-rise in downtown San Franciscowe also expected to see numerous unknown devices outside our purview. We therefore focused on each products ability to spot wireless denial-of-service attacks and potential man-in-the-middle exploits, where managed clients attempt to associate with unknown networks or devices.
Using Cisco Systems Inc.s Linksys WAP55AG 802.11a-/b-/g-compliant access points, we deployed a WLAN (wireless LAN) throughout our offices, then configured the server and sensors of each WLAN IDS (intrusion detection system) to monitor this network. We defined each of our known access points as a known, managed device to the overlay solutions. We then deployed a rogue access point configured with the same network name but outside our managed network.
Using the open-source application Void11 (available at www.wlsec.net) in conjunction with the Host AP drivers for Prism2-based adapters on Linux (hostap.esitest.fi), we directed a deauthentication attack against a managed client associated with our network. In this manner, we hoped to detect the attack and monitor the clients attempts to associate with the rogue access point after disconnecting from our WLAN.
All three products identified both our rogue access point and the deauthentication attack from our Void11 workstation, but AirMagnet provided the most complete information about it, identifying the correct attack tool and explaining in depth the implications of the attack.
Spotting our managed clients associations with rogue access points was not as straightforward, with the information easily getting lost in the glut of data and alerts each product provides. For maximum effectiveness, administrators must import lists of the hardware addresses of all known devicesa potentially arduous task, given the proliferation of wireless client devices throughout the enterprise.