SpectraGuard Enterprise 5.0 builds on AirTight Networks' already-impressive wireless intrusion prevention platform with new management and detection capabilities. eWeek Labs tests show that some of the newer features need improvement, but we nonetheless think the product merits consideration by security-conscious businesses looking to lock down their Wi-Fi environments.
We tested SpectraGuard Enterprise 5.0 using AirTight's Standard Server appliance, which lists for $9,995. (A higher-end model—with dual CPUs, more memory and more disk space—is available for $12,995.) Our testbed included five sensors (priced at $795 each), the number recommended for the floor plan we intended to protect.
SpectraGuard Enterprise 5.0's strength lies in its automated classification routines. Once the product detects unknown wireless APs (access points), clients or ad hoc networks, it automatically begins organizing these devices according to the level of risk they present for a company's network.
For example, SpectraGuard Enterprise 5.0 quickly identified when we connected an unauthorized (rogue) AP to our protected wired network but classified an identical AP that we connected to a different network as an external (neighbor) AP.
SpectraGuard Enterprise 5.0 automatically quarantined the rogue AP, disassociating any clients that attempted to connect to it until it was disabled, but it took no automatic action against the neighbor device.
The decision trees that underlie these classifications are nicely presented to wireless administrators in SpectraGuard Enterprise 5.0's outstanding online help files, along with copious other data that clearly explains and diagrams various concepts (see screen, below).
SpectraGuard Enterprise 5.0 offers four modes of wireless intrusion prevention: block, disrupt, interrupt or degrade. The different levels represent the trade-off between the tenacity of the service disruption and the number of RF (radio frequency) channels a single sensor can disrupt at one time.
We found the default setting—disrupt—to be quite successful at keeping clients from interacting with an AP. While our test clients could obtain a DHCP (Dynamic Host Configuration Protocol) address from the wireless network, we could never pass a single ICMP (Internet Control Message Protocol) packet during the quarantine.
During our tests, SpectraGuard Enterprise 5.0 also helped us identify authorized clients attaching to unapproved networks, DoS (denial of service) attacks, reconnaissance attacks via older versions of NetStumbler and wireless performance risks, such as interference from external devices and illegal channel usage in the 2.4GHz band.
We experienced wildly variable results with AirTight's location-tracking capabilities.
SpectraGuard Enterprise 5.0 offers two ways to do location tracking: One uses detected signal strength to extrapolate distances between sensors and detected devices, while the other relies on more advanced calculations, attempting to account for RF attenuation factors caused by various building materials, walls or objects. The latter method is somewhat akin to the capabilities offered with Trapeze Networks' RingMaster planning software.
We initially attempted to use the RF modeling method but had limited success. We contracted AirTight's planning service (priced at $500 for one site) to turn our office-plan CAD file into a SpectraGuard template. (Do-it-yourselfers can use SpectraGuard Planner 3.1, priced starting at $2,495.) The planning service also recommended the optimal number and deployment locations of sensors.
Unfortunately, we made some incorrect estimates about building materials, which threw our template out of whack with real-world findings. This made it impossible to correctly calibrate the environment—and quite difficult to glean accurate tracking. When we attempted to locate detected rogue APs, we were sometimes led astray by as much as 50 feet (see top screen, Page 44).
We had much greater success with the less advanced location-tracking algorithm, which plots locations on a simple JPEG or GIF graphic of a floor plan. With this technique, we experienced the most accurate tracking we've ever seen from a wireless tracking product, successfully locating dozens of devices throughout our offices, usually to within 10 feet (given a middle-of-the-road probability selected).
AirTight officials acknowledged that they have had some growing pains with their more advanced location-tracking capabilities. We recommend that administrators make sure their floor plans are updated with the absolute latest layout modifications and building material data before moving ahead with the advanced tracking algorithms.
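To illustrate why a wrong attenuation estimate throws off signal-strength tracking, here is an added example (not AirTight's algorithm and not part of the original review) that ranges a device from five sensors with a generic log-distance path-loss model and least-squares trilateration. The sensor layout, device position, reference RSSI and path-loss exponents are all constructed assumptions.

```python
import math

REF_RSSI_DBM = -30.0  # constructed: RSSI at the 1 ft reference distance

def rssi_at(distance_ft, exponent):
    """Log-distance path loss: signal drops 10*n dB per decade of distance."""
    return REF_RSSI_DBM - 10.0 * exponent * math.log10(distance_ft)

def distance_from_rssi(rssi_dbm, exponent):
    """Invert the model to turn a sensor's RSSI reading into a range estimate."""
    return 10 ** ((REF_RSSI_DBM - rssi_dbm) / (10.0 * exponent))

def locate(sensors, readings, exponent):
    """Least-squares position from three or more non-collinear sensors.

    Subtracting the last sensor's circle equation from the others makes the
    problem linear in (x, y); the 2x2 normal equations are solved directly.
    """
    ranges = [distance_from_rssi(r, exponent) for r in readings]
    (xk, yk), dk = sensors[-1], ranges[-1]
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), di in zip(sensors[:-1], ranges[:-1]):
        a, b = 2 * (xi - xk), 2 * (yi - yk)
        c = dk**2 - di**2 + xi**2 + yi**2 - xk**2 - yk**2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    return ((sac * sbb - sbc * sab) / det, (sbc * saa - sac * sab) / det)

def tracking_error(true_pos, sensors, true_exp, assumed_exp):
    """Feet between the real position and the one the model reports."""
    readings = [rssi_at(math.dist(true_pos, s), true_exp) for s in sensors]
    return math.dist(true_pos, locate(sensors, readings, assumed_exp))

# Constructed floor plan in feet: four corner sensors plus one in the middle.
SENSORS = [(0, 0), (100, 0), (100, 60), (0, 60), (50, 30)]
ROGUE_AP = (70, 20)

if __name__ == "__main__":
    for assumed in (3.0, 2.8):  # building actually attenuates with n = 3.0
        err = tracking_error(ROGUE_AP, SENSORS, 3.0, assumed)
        print(f"assumed exponent {assumed}: off by {err:.1f} ft")
```

A small mismatch between the assumed and actual attenuation inflates every range estimate at once, so the reported position drifts even though each sensor's reading is accurate.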
What's New
Version 5.0 of SpectraGuard Enterprise supports global management for very large organizations, maintaining multiple SpectraGuard Enterprise Servers via a new appliance called the SpectraGuard MNC (Managed Network Console). At this time, the $19,995 MNC—which can handle as many as 25 SpectraGuard Servers—is only a data aggregator and reporter and is not usable for policy creation and distribution.
Within the MNC, administrators arrange individual SpectraGuard Servers into organizational leaves and nodes, and they can then view alerts, events or dashboards for any level within the tree hierarchy they created. Admins also can run any of the bundled reports for any node in the tree.
However, at this time, the MNC cannot be used to set global or organizational policies, as AirTight officials are looking for feedback from early MNC adopters on how to best implement such a feature. Policies must be defined directly on each SpectraGuard Server, and the MNC offers a button to log in to each server it manages.
AirTight supports SSO (single sign-on) when accessing an individual SpectraGuard Server via the MNC. However, there is no centralized user account authority for SpectraGuard Enterprise 5.0 and the MNC, so administrators will need to do some manual account mapping between the nodes beforehand.
Both the SpectraGuard Server and MNC also now support four levels of administrator accounts, ranging from superuser to view-only. Also new is the ability to audit and track administrator usage of the system, monitoring when administrators log on and off the SpectraGuard Enterprise 5.0 system, as well as what changes they implemented.
In addition, SpectraGuard Enterprise now supports detection and alerting for pre-802.11n networks, although we found the feature too narrowly focused to be useful at this time.
Evaluation Shortlist: Related Products
AirDefense's AirDefense Enterprise 7.0
Excellent all-around, AirDefense has also been racking up valuable partnership wins with wireless access companies (www.airdefense.net)
AirMagnet's AirMagnet Enterprise 7.0
Outstanding wireless monitoring capabilities, with wireless and wired-side intrusion prevention capabilities (www.airmagnet.com)
Network Chemistry's RFProtect Distributed
A wireless client security solution with central policy controls (www.networkchemistry.com)
Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.