Startup Takes on WLAN Security

AirDefense appliance includes vulnerability assessment feature and uncovers 'ad hoc' networks.

A security startup is taking a new approach to the problem of WLAN security by applying the concepts of intrusion detection and constant monitoring to Wi-Fi deployments.

AirDefense Inc. will launch this week its wireless LAN security appliance, which includes vulnerability assessment and other features to provide the same level of security for wireless networks that's available in the wired world, said officials of the Alpharetta, Ga., company.

The AirDefense appliance does a complete vulnerability assessment of the WLAN and returns results to a Web-based console. The console manages the network and displays data on the alerts raised by the intrusion detection system, a list of discovered access points on the network and views of the activity on each channel.

In addition to finding deployed access points, AirDefense can uncover so-called ad hoc networks, which are small groups of users with Wi-Fi cards who communicate directly with one another, rather than through an access point.

"This is what a lot of people don't know, that they have these networks in place inside their companies," said AirDefense CEO and founder Jay Chaudhry.

The appliance also monitors network traffic to ensure that access points have enabled Wired Equivalent Privacy encryption and are not broadcasting their users' SSIDs (Service Set Identifiers). One vector that attackers use most often against WLANs is posing as an authorized user by stealing his or her SSID.
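The three conditions described above (ad hoc networks, WEP enabled, SSID not broadcast) are all visible in 802.11 beacon frames, in the Capability Information field and the SSID element. The following Python example is added here for illustration and is not AirDefense's code; the function names, finding labels and sample frames are constructed assumptions.

```python
import struct

# Capability Information bits in the beacon's fixed fields (IEEE 802.11)
CAP_IBSS, CAP_PRIVACY = 0x0002, 0x0010

def audit_beacon(frame):
    """Return (bssid, findings) for one 802.11 beacon frame, or None otherwise."""
    # 24-byte management header + timestamp(8) + interval(2) + capabilities(2)
    if len(frame) < 36 or frame[0] != 0x80:  # 0x80 = management type, beacon subtype
        return None
    bssid = frame[16:22].hex(":")            # address 3 carries the BSSID
    (cap,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = None, 36
    while pos + 2 <= len(frame):             # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                            # truncated element: stop parsing
        if eid == 0:                         # element ID 0 = SSID
            ssid = body
            break
        pos += 2 + elen
    findings = []
    if cap & CAP_IBSS:
        findings.append("ad-hoc")            # station-to-station network, no AP
    if not cap & CAP_PRIVACY:
        findings.append("no-wep")            # Privacy bit clear: no encryption advertised
    if ssid and any(ssid):                   # empty or zero-filled SSID = not broadcast
        findings.append("ssid-broadcast")
    return bssid, findings

def make_beacon(bssid, cap, ssid):
    """Build a constructed sample beacon (not captured traffic)."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = bytes(8) + struct.pack("<HH", 100, cap)
    return header + fixed + bytes([0, len(ssid)]) + ssid

if __name__ == "__main__":
    samples = [
        make_beacon(bytes.fromhex("020000000001"), 0x0011, b""),
        make_beacon(bytes.fromhex("020000000002"), 0x0001, b"corp-lab"),
        make_beacon(bytes.fromhex("020000000003"), 0x0002, b"laptop-share"),
    ]
    for frame in samples:
        print(audit_beacon(frame))
```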

To further protect against session hijacking, AirDefense developed unique fingerprints for all the WLAN cards sold by major vendors. The appliance can learn which cards are in use by the authorized users on the network and drop connection attempts from attackers using other cards.

The intrusion detection functions are driven by a four-part engine that monitors all the traffic on the WLAN and employs a combination of signatures, anomaly detection, policy compliance and protocol analysis to identify attacks.

"This is a challenge that no one has really even thought about yet," said Pete Lindstrom, an analyst with Hurwitz Group, in Framingham, Mass. "When you start deploying sensors to counter wireless threats, you can create a force field around a building with technology that's both preventive and detective. Technology like wireless often starts as a toy, and then you have to figure out how to control it."

All the information the appliance gathers about intrusion attempts is stored in a relational database. Administrators can then go back through that data and do an audit of a specific attack and see exactly which access points were attacked and what the attacker did while on the network.

The Linux-based appliance uses Cisco Systems Inc. WLAN cards, and the company is working on advanced functionality that may be included in future versions. For example, to fend off denial-of-service attacks, AirDefense has developed a countermeasure that could essentially launch a reverse flood against the attacker. However, such tactics fall into a gray area between defense and aggression, AirDefense's Chaudhry said, so it's unclear whether that functionality will ever make it into a production appliance.

AirDefense is available now. Pricing starts at $9,000 and is based on the number of access points on the network.