With SpectraGuard Online, wireless intrusion prevention vendor AirTight Networks has introduced a fast and affordable way for retail outlets and small companies to monitor their wireless LAN deployments to get out ahead of the next iteration of the of the Payment Card Industry Data Security Standard.
According to the recently released summary of changes due to come in version 1.2 of the PCI standard, which is expected to be released in October, the next version will provide greater detail regarding the use of wireless technologies on network segments containing cardholder data. For instance, logs for external-facing technologies such as wireless networks must be copied to an internal server, and a three-month audit trail must be quickly available for analysis. In addition, the use of WEP (Wired Equivalent Privacy) encryption must be phased out over the next 18 months, and further guidance will be provided for the use of wireless analyzers and intrusion prevention systems.
Small businesses could have a tough time meeting some of these requirements, as their wireless LAN infrastructure equipment may not be able to provide the logging, archiving or detection features necessary to help businesses ensure they are up to spec.
AirTight is looking to fill the breach with SpectraGuard Online, a hosted version of its enterprise wireless intrusion prevention platform. The hosted version provides all the detection and analysis capabilities found in the SpectraGuard Enterprise platform, without requiring customers to foot the upfront cash outlay for sensor and server equipment. Instead, wireless detection becomes an ongoing, monthly operational expense.
Pricing for SpectraGuard Online starts at $62.50 a month for each sensor, which includes a $50-per-month charge for the compliance and assessment services and an additional $12.50-per-month charge to lease the sensor equipment. This base price includes 24/7 phone and email support with AirTight engineers, including a series of initial calls to help define and configure the wireless security policies to meet corporate specification. Best of all, AirTight offers potential customers a 30-day free trial of the service, to see if the solution will meet their needs.
Customers with a tight budget also get the flexibility to meet PCI requirements for wireless analysis without putting a sensor in every shop full time or requiring a periodic walkabout with a handheld scanner. For instance, the current PCI specification requires a company use a wireless analysis tool on a quarterly basis, so a SpectraGuard Online customer with many small retail outlets could meet this requirement by periodically moving the sensors between facilities.
From a management perspective, it would take some juggling to track where the sensor is at a given time, but with the right organization, a company could at least theoretically share one sensor between eight and 12 different locations. All the logs would be stored in a central database, reports could be generated particular to each stop the sensor makes and each location would be scanned for one week every two to three months, thereby providing much more detailed and ongoing information than a single handheld analysis scan could achieve, while exceeding the letter of the specification.
For my tests, I wanted my experience with SpectraGuard Online to hew as closely as possible to what a customer would get with the free trial. I started the test with a discussion with AirTight engineers to determine how many sensors I needed to adequately cover my test location and whether I would need triangulation services to locate devices, which would require more sensors for accurate locations plotting. After taking measure of the building dimensions and the floor plan layout, we decided two sensors were adequate to cover the space, but that I would also get a third for location detection.
After receiving the sensors from Airtight a couple days later, I simply needed to plug the devices into my network. After about 5 minutes, the sensors loaded the most recent firmware, connected to AirTight’s servers to get their instructions and were transmitting detection data back to my data store in AirTight’s data center. Because privacy is paramount, the sensors are secured so they only communicate the data back to my account.
A Detailed, Preliminary Report
Three days later, I received a 24-page preliminary report from AirTight detailing everything Wi-Fi the sensors detected in and around the network, an overwhelming report enumerating vulnerabilities graded into critical, high, medium, low and probable categories, according to their anticipated risk. The report specifically detailed detected ad-hoc networks, unencrypted wireless networks and known hotspots found nearby, then provided line-item accounting of every access point and wireless client detected. While daunting and overly alarmist in its tone, this report forms the basis of the next stage of the service-working with an AirTight engineer to define and implement a security policy.
The AirTight representative did the work to set up the policy to match my security demands. I informed him which wireless networks I approved for corporate use-and what grade of encryption they use-and what clients would be allowed to connect to these networks (by e-mailing him a list of MAC addresses). I also defined which network segments of my wired infrastructure could have wireless attached and which segment must be a Wi-Fi-free zone. To aid in this effort, I had to ensure that one sensor was connected to each segment with a different policy to allow AirTight’s algorithms to determine when detected APs are connected to protected wired network segments.
After the policies were configured, the engineer e-mailed me the login information to the AirTight portal so I could view real-time reports or further craft the policy to my specifications (for instance, to add more approved wireless clients). My account was also set up to receive weekly PDF-based update reports similar to the initial assessment via e-mail. I liked that the engineer who mailed these weekly reports specifically spelled out things I should look into, rather than having a robot simply e-mail me a report.
The Web portal looks exactly like what the administrator of AirTight’s on-site solution-SpectraGuard Enterprise-would see, telling the administrator immediately whether the wireless network is secure at this time, and highlighting any detected security or performance incidents. The administrator can also customize the portal, organizing hierarchical views of the company’s locations and adding maps or floor plans as needed. The administrator should also make sure to place the sensors and known access points on the floor plan to calibrate the system if triangulation will be employed.
Lacking Firefox 3 Support
A Java-based Web application, the Spectraguard Online portal, was designed to work in Internet Explorer. Unfortunately, I found the portal was not accessible using the Firefox 3 browser, which it doesn’t currently support, according to AirTight officials. Even use with older iterations of Firefox may be a hit-and-miss affair.
The portal includes a report generator from which administrators can create reports tailored to the various compliance specifications to which their company may be beholden, including PCI, SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach Bliley Act). Wireless administrators can pull up these reports on-demand for specified time periods, or they can schedule reports to run automatically at defined intervals. Unfortunately, at this time these reports are only available in HTML or XML formats-PDF reports won’t be available until the AirTight implements the next version of the core software, which should happen within the month.
SpectraGuard Online’s PCI report, for instance, spells out each of the specific PCI requirements AirTight has deemed relevant for companies with sensitive customer or credit card data traversing the wireless network. After this expository data, the report offers both summary and detailed views of detected violations of the PCI requirements, organized by severity. My PCI report highlighted non-authorized client connections, rogue APs and denial-of-service attacks that posed legitimate threats to my protected network. It also spelled out nearby hotspots, open APs and all detected wireless clients that did not necessarily represent a threat but needed to be tracked in the logs nonetheless, per PCI recommendations.
The existing PCI information is based on version 1.1 of the PCI standard, as the full details of version 1.2 will not be entirely known until October. However, AirTight officials assure me that once the standard is published, it will be easy for them to adjust their reports to meet the new criteria and guidelines.
However, it will be interesting to see how closely the PCI Council sticks to its requirement that logs be copied to an internal log server. Since SpectraGuard Online is an externally hosted database, customers would not be sticking to the letter of the law by storing their data on AirTight’s servers. This could be remedied if AirTight were to give customers an option to download a CSV or database of their logs periodically, but I imagine we won’t see that feature implemented until after the official standard is released in October, and more likely until we see a sign from the Council whether an internal log server really must be internal or whether a cloud-based solution-with the proper security-or a detailed report will suffice.
AirTight also offers its remediation services to SpectraGuard Online customers, allowing them to take preventative measures when bad things occur. For example, with the remediation services, Spectraguard Online can automatically jam unapproved clients from joining a protected wireless network or likewise jam an unauthorized AP connected to a protected segment from accepting client connections.
For many small companies and branch store operations looking into AirTight’s hosted solution specifically to meet PCI compliance, these services may be overkill, both from a feature and a price perspective. However, for some with critical needs for active protection, an ad-hoc sprinkling of this service at certain locations could be beneficial.
The remediation service costs an additional $50 per month per sensor.
eWEEK Labs Senior Technical Analyst Andrew Garcia can be reached at [email protected]