AirDefenses new alliance with Trapeze Networks promises great things down the road, but the current wireless intrusion prevention system implementation born of the duo leaves much room for improvement.
The current generation of wireless-switch-based WLAN (wireless LAN) controllers provides varying degrees of WIPS functionality, but the depth of detection, number of alerts and quality of actions pale in comparison with those of overlay WIPS products from vendors such as AirDefense itself, AirMagnet and AirTight.
Instead of re-inventing the security wheel, many wireless switch makers are actively pursuing and developing relationships with WIPS overlay network providers. In addition to the AirDefense-Trapeze integration reviewed here, Aruba Networks has announced a partnership with AirMagnet, and AirTight has forged alliances with Siemens and Extricom.
Unfortunately, its reaching to say that the AirDefense-Trapeze implementation is integrated. Its more like a repurposing of hardware.
To test the integration, eWeek Labs had to make sure that the various Trapeze and AirDefense hardware and software components were up to snuff. We had to upgrade both of our test Trapeze MX-216 Mobility Exchange controllers and our RingMaster management platform software to Version 5. On the AirDefense server side, we had to upgrade to software Version 7.0 Service Module 2.
During tests, we could migrate an MP-372 from Trapeze code to AirDefense firmware, either from the Trapeze controller command line or from RingMaster. We needed to then manually log in to the updated device and point it to the IP address of the AirDefense server. The MP-372 was then a fully functioning AirDefense sensor.
We also could import information about each of our Trapeze WLAN switches into the AirDefense database via SNMP using the included Trapeze MIBs (management information blocks). This step reports each of the MP-372s we used for wireless access to the AirDefense system, automatically identifying each of our radios as trusted network devices.
Data sharing is unidirectional: Trapezes RingMaster can receive alerts from the AirDefense server, but not vice versa. Although our Trapeze MP-372s also collected information about the wireless landscape, this information was not accessible by the AirDefense system, nor could we leverage the MP-372s providing client access as snipers to knock suspicious devices out of the air (at least not from the AirDefense management console). To see what these devices see, we needed to log in to Trapezes software instead.
There really is no integration of management functionality—only a link from RingMaster to start the AirDefense Java-based management GUI. To get the full lay of the land during tests, we found we needed to keep both the RingMaster and AirDefense management platforms running simultaneously. As both platforms are Java-based applications, we quickly found RAM to be in short supply on our management workstation.
Prices for the AirDefense solution are based on the cost of the central appliance, hardware and software licenses for the sensors, plus an 18 percent annual maintenance fee. We tested AirDefenses high-end 2270 appliance, which is designed for large installations that need up to 300 sensors and costs $11,995.
AirDefense also offers two other appliances in this line—the 1150 model ($5,995 for up to 50 sensors) and the 2230 ($9,995 for 150 sensors).
We were hoping to see some cost benefit from using our Trapeze MP-372s as sensors, but savings may come only when buying MP-372s in bulk. By default, AirDefense sensors cost $995 each, including the hardware plus the IDS (intrusion detection system) and rogue detection feature license.
Purchasing the software license alone to use with the converted Trapeze MP-372s costs $695, plus $349 to buy the MP-372 device from Trapeze.
We found that the AirDefense system accurately detected rogue access points attached to our wired network, automatically classifying the detected devices from Unauthorized to Rogue.
We didnt have quite so much luck with our “evil twin” test—an externally located access point with the same SSID (service set identifier) as our protected network. The evil twin was never classified as a more significant threat than any other ambient wireless network detected, even when our trusted clients associated with the threatening device. However, the act of the trusted client attaching to the evil twin was identified and alerted as a potential threat.
We found Air-Defenses classification routines lacking when compared with those in rival AirTights WIPS solution. AirDefenses actual analysis and correlation capabilities, on the other hand, were outstanding.
Technical Analyst Andrew Garcia can be reached at [email protected].
Evaluation Shortlist
AirMagnets Enterprise 7.0
AirMagnet recently announced tight integration with Arubas WLAN solutions (www.airmagnet.com)
AirTight Networks SpectraGuard Enterprise 5.0
Provides outstanding and easy-to-configure device classification features, but it still lacks integration partnerships with some of the bigger names in wireless switching (www.airtightnetworks.net)