Review: Wireless Intrusion And Prevention Systems

Wireless intrusion and prevention systems provide unparalleled protection for your WLAN. We tested four offerings; see which took our Editor's Choice.

Frank Bulk, Contributor

June 16, 2006

33 Min Read

We invited a mixed group of 18 vendors to our third review of wireless IDS/IPS devices. Our main focus was conventional wireless IDS/IPS players, including AirDefense, AirMagnet, AirTight Networks, Cirond, Highwall Technologies, Madge Networks, Network Chemistry, Newbury Networks, Red-M and WiMetrics, and in the end we drew our participants from this field--AirDefense, AirMagnet, Highwall Technologies and Network Chemistry sent gear to our Midwest Real-World Labs.

Cirond declined, saying its "go-to-market strategy" was in the midst of a metamorphosis; indications are the company is in the midst of a shakeup. Newbury Networks, still smarting from a scathing blog entry by one of our editors, declined our invitation.

WiMetrics focuses exclusively on the wireside portion of rogue access-point detection, and its engine is found in the Highwall Endpoint. U.K. vendors Red-M and Madge Networks didn't respond to repeated invitations, and we found out post-testing that the latter had been purchased by Ringdale. Finally, AirTight, the most notorious no-show, took lots of our time with pre-review customer and OEM partner interviews, attempting to influence the weightings on our scorecard to favor its strongest features. When we were unwilling to guarantee anything beyond our original test plan, it declined.

We also invited infrastructure vendors Aruba Networks, BlueSocket, Colubris Networks and Enterasys Networks, all of which have developed their own WIDPS functionality or teamed with partners; wireless-infrastructure-management vendors Airwave and Wavelink; and packet-analysis vendors Network Instruments and WildPackets. None took us up on our offer.

Installation, Architecture, Design

AirDefense and Highwall Technologies shipped us appliances; the other two vendors offer software-only versions of their WIDPS products. All four share a remarkably similar three-piece architecture: An edge sensor--in the form of a refitted AP or customized device--collects and processes data; this sensor then communicates over IP with a server that stores and crunches the data; and finally a client piece in the form of a Web page, Java applet or Win32 application provides an end-user interface. AirDefense Enterprise has a self-contained proprietary (and enhanced) database, while AirMagnet Enterprise and Highwall Enterprise use Microsoft SQL Server, and Network Chemistry's RFprotect Distributed runs the open-source Firebird database on Windows.

Figure: Wireless IDS/IPS Features

AirDefense Enterprise still doesn't provide a graphical start-up wizard for its Linux-based appliance, even though the vendor told us last year that such a feature was under consideration. Instead, we used a text-based menu to enter relevant network information, time zones, permissions and more. Highwall Enterprise came preloaded and needed just a few knobs tweaked, while the software from AirMagnet Enterprise and Network Chemistry RFprotect have relatively straightforward install routines.

Each vendor claims its product is scalable, but the term clearly means different things to different people. AirDefense Enterprise centers on objects monitored as opposed to sensors attached and says that its system should scale to about 300,000 devices. AirMagnet cites a deployment with 1,400 locations, and Network Chemistry boasts an installation covering 2,500 retail stores and using a total of 5,000 sensors. We had no documented large Highwall installations.

Network Chemistry makes the bold statement that its RFprotect scans more channels than any other vendor's WIDPS--220, to be precise. We found this to be true if you count every 5-MHz step in the 5-GHz range as a channel, but more important, this claim demonstrates where wired and wireless IDS systems diverge dramatically (see "Sensor Overview" at left). There are 14 channels in the 2.4-GHz spectrum, and we counted 37 "regular" channels in the 5-GHz range. Not all channels are used in every part of the world, but most modern wireless chipsets support them if configured to do so. A dirty secret of wireless IDS is that the radio in a sensor can be tuned to only one channel at any time, so scanning is just as much an art (deciding which channel to be on, and for how long) as a science (deciding what to do with the information once you hear it). Every channel added to the scan list lengthens the time before the sensor returns to any given channel, so more isn't always better.

Would-be intruders operating on off channels won't penetrate your wireless network, but a rogue AP in the building paired with an attacker in the parking lot using an off channel could operate without detection. Most vendors have instituted some fuzzy logic so that sensors dwell longer on popular channels (1, 6 and 11 in the 2.4-GHz range, and the eight lower and middle UNII channels in the 5-GHz range) and on channels where they have previously seen activity. AirDefense Enterprise scanned 28 channels in the 5-GHz range, while AirMagnet Enterprise could scan just 13 when set to North American mode. Both vendors told us that upcoming versions of their code will activate and expose support for the other channels. Highwall's appliance could scan only eight channels in the 5-GHz band, though more are accessible if tweaked by the vendor.
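The scan-list trade-off described above is easy to put numbers on. The following is an added example, not code from any product in the review: a weighted dwell scheduler for a single-radio sensor, with a simulation of how long a newly beaconing rogue goes unheard. The channel lists, dwell multipliers and beacon timing are constructed assumptions; the scheduler favors popular channels and channels where the sensor has already heard something, as the review says the vendors do.

```python
"""Weighted channel-dwell scheduler for a single-radio WIDS sensor.

Added example, not code from any product in the review. Channel lists,
multipliers and beacon timing are constructed assumptions.
"""

BEACON_MS = 100  # 802.11 default beacon interval (100 TU is ~102.4 ms; rounded)

# Constructed channel lists. Regulatory domains trim these; a North American
# 2.4-GHz radio stops at channel 11 and never hears 12-14.
CHANNELS_24 = list(range(1, 15))
UNII_1_2 = [36, 40, 44, 48, 52, 56, 60, 64]
UNII_2E = list(range(100, 141, 4))
UNII_3 = [149, 153, 157, 161, 165]
CHANNELS_ALL = CHANNELS_24 + UNII_1_2 + UNII_2E + UNII_3   # 38 channels

# Channels most production WLANs live on: 1/6/11 plus the lower/middle UNII band.
POPULAR = {1, 6, 11, *UNII_1_2}


def dwell_table(channels, active=(), base_ms=100, popular_x=3, active_x=2):
    """Per-channel dwell time. Popular channels and channels where the sensor
    has already heard activity get longer dwells; everything else gets base."""
    table = {}
    for ch in channels:
        dwell = base_ms
        if ch in POPULAR:
            dwell *= popular_x
        if ch in active:
            dwell *= active_x
        table[ch] = dwell
    return table


def cycle_ms(table):
    """Time for one full pass over the scan list."""
    return sum(table.values())


def worst_case_bound_ms(table, ch):
    """Upper bound on how long a beaconing AP on `ch` can go unheard: the sensor
    may have just left `ch`, must finish the rest of the cycle, and then has to
    wait for a beacon to land inside its dwell."""
    return cycle_ms(table) - table[ch] + BEACON_MS


def time_to_detect(table, rogue_ch, appear_ms, order=None):
    """Simulate the scan loop. Returns the absolute time (ms) at which the sensor
    first hears a beacon from an AP that starts beaconing on `rogue_ch` at
    `appear_ms`, or None when `rogue_ch` is not in the scan list at all."""
    if rogue_ch not in table:
        return None
    order = list(order or sorted(table))
    t = 0
    horizon = appear_ms + 2 * cycle_ms(table)
    while t < horizon:
        for ch in order:
            dwell = table[ch]
            if ch == rogue_ch:
                # first beacon at or after both appear_ms and the start of this dwell
                start = max(appear_ms, t)
                k = -(-(start - appear_ms) // BEACON_MS)   # ceiling division
                beacon = appear_ms + k * BEACON_MS
                if beacon < t + dwell:
                    return beacon
            t += dwell
    return None


if __name__ == "__main__":
    narrow = dwell_table(CHANNELS_24)
    wide = dwell_table(CHANNELS_ALL)
    for name, tbl in (("2.4 GHz only", narrow), ("all 38 channels", wide)):
        print(f"{name}: cycle {cycle_ms(tbl)} ms, channel 7 worst case "
              f"{worst_case_bound_ms(tbl, 7)} ms")
    # A rogue that appears the instant the sensor leaves channel 7 waits a whole cycle.
    print("wide scan list, rogue on 7 appearing at 1100 ms: heard at",
          time_to_detect(wide, 7, appear_ms=1100), "ms")
    # A channel the regulatory profile dropped is never visited.
    print("channel 14 with a North American list:",
          time_to_detect(dwell_table(range(1, 12)), 14, 0))
```

With these constructed weights the 2.4-GHz-only list cycles in 2 seconds and the 38-channel list in 6, so tripling the channel count triples the worst-case time a rogue on channel 7 stays invisible, which is the point the review makes about channel counts. The `None` result for channel 14 is the parking-lot case: a channel that is not on the list is not an off channel to the sensor, it is a blind spot.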

The speed of rogue device discovery and classification correlates less with channel scan time and more with how the system moves information from sensor to server. Network Chemistry's RFprotect took the prize in this category, displaying new devices within seconds--and without making us manually refresh the screen. AirDefense's device also fared well, displaying new devices in a few seconds, but AirDefense Enterprise required a manual screen refresh and took a minute or two to distinguish between an unauthorized AP (found in the air) and a rogue AP (connected to the wired network). AirMagnet Enterprise disappointed us with its minutes-long device discovery process--the only way to get an instantaneous read was to drill down to the Sensor view. Highwall Enterprise is configured by default to poll the sensor only once every 10 minutes; we could reduce the interval to one minute. We question Highwall's choice of default--10 minutes is far too long to leave a rogue device posing a security or performance threat. And requiring manual screen refreshes is unacceptable.

All the products provide some form of dashboard that summarizes network status; a few let us drill down on a graph or category to learn more detail. Highwall's dashboard was notable for a discrepancy between the counts for rogue APs in the dashboard compared with a detailed list, but company executives readily acknowledged that this is a bug.

No Cause for Alarm

Although false positives of the strangest kind popped up for every product, alarm counts were far below the levels seen in previous reviews, and duplicates were almost always rolled into one alarm or alert that listed the latest time stamp and details. Our test lab had a dynamic set of rogue clients and APs, but a typical environment will have a stable AP infrastructure and wireless clients. Although organizations without the physical isolation of a campus will be challenged by their neighbors' wireless infrastructures, all the products let us manually ignore specific clients and APs. The ability of a product to automatically identify a rogue AP as on or off your network is absolutely essential in assigning criticality (see "Rogue AP Containment" at left). Unfortunately, none of these products has the capability we saw in the AirTight product, as reviewed last year, to automatically and logically categorize newly discovered devices based on a configurable rule set. Network Chemistry could likely cobble something together with its policy designer, but it wouldn't be intuitive.
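The two behaviors this paragraph asks for, a configurable rule set that categorizes newly discovered devices and a rollup that folds duplicate sightings into one alarm with the latest time stamp, fit in a few dozen lines. The following is an added example, not code from any product reviewed; the device records, the authorized and ignored lists, the SSID pattern and the severity thresholds are constructed assumptions standing in for what an administrator would maintain.

```python
"""Rule-driven rogue classification with alarm rollup.

Added example, not code from any product reviewed. The device records, rule
thresholds and the authorized/ignored lists are constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    bssid: str
    ssid: str
    encryption: str   # "open", "wep" or "wpa"
    rssi: int         # strongest sensor reading, dBm
    on_wire: bool     # a wireside trace found it on our switches


# Constructed lists an administrator would maintain.
AUTHORIZED_BSSIDS = {"00:0d:bd:aa:10:01", "00:0d:bd:aa:10:02"}
IGNORED_BSSIDS = {"00:16:b6:77:88:99"}      # neighbour we have looked at and accepted
CORPORATE_OUIS = {"00:0d:bd"}
CORP_SSID = re.compile(r"corp(-[a-z0-9]+)?", re.I)

# Ordered rule set: first match wins, so the specific rules come first.
# Each entry: (rule name, predicate, category, severity 0-3).
RULES = [
    ("ignored",            lambda d: d.bssid in IGNORED_BSSIDS,               "ignored",      0),
    ("authorized",         lambda d: d.bssid in AUTHORIZED_BSSIDS,            "authorized",   0),
    ("rogue on wire",      lambda d: d.on_wire,                               "rogue",        3),
    ("spoofs our ssid",    lambda d: CORP_SSID.fullmatch(d.ssid) is not None, "rogue",        3),
    ("our oui, unknown",   lambda d: d.bssid[:8] in CORPORATE_OUIS,           "unauthorized", 2),
    ("loud weak neighbor", lambda d: d.rssi > -60 and d.encryption != "wpa",  "unauthorized", 1),
    ("neighbor",           lambda d: True,                                    "neighbor",     0),
]


def classify(device):
    """Return (category, severity, rule name) for a newly discovered device."""
    for name, pred, category, severity in RULES:
        if pred(device):
            return category, severity, name
    raise RuntimeError("rule set has no catch-all")


@dataclass
class Alarm:
    bssid: str
    rule: str
    category: str
    severity: int
    first_seen: int
    last_seen: int
    count: int = 1
    detail: str = ""


def rollup(events):
    """events: iterable of (timestamp, Device) sightings, possibly many per device.
    Returns one Alarm per (bssid, rule), carrying the latest time stamp and
    details, which is how the reviewed products fold duplicates together."""
    alarms = {}
    for ts, dev in events:
        category, severity, rule = classify(dev)
        if severity == 0:
            continue
        key = (dev.bssid, rule)
        detail = f"ssid={dev.ssid!r} enc={dev.encryption} rssi={dev.rssi}"
        if key in alarms:
            a = alarms[key]
            a.count += 1
            if ts >= a.last_seen:
                a.last_seen, a.detail = ts, detail
        else:
            alarms[key] = Alarm(dev.bssid, rule, category, severity, ts, ts, 1, detail)
    return sorted(alarms.values(), key=lambda a: (-a.severity, a.first_seen))


# Constructed sightings: one rogue reported three times by different sensors,
# later found on the wire, plus an authorized AP, an ignored neighbour, a device
# with our OUI that is not on the authorized list, and a quiet neighbour.
EVENTS = [
    (100, Device("00:13:10:9f:e3:a0", "corp", "open", -55, False)),
    (101, Device("00:13:10:9f:e3:a0", "corp", "open", -70, False)),
    (160, Device("00:13:10:9f:e3:a0", "corp", "open", -52, True)),
    (110, Device("00:0d:bd:aa:10:01", "corp", "wpa", -40, True)),
    (120, Device("00:16:b6:77:88:99", "linksys", "open", -45, False)),
    (130, Device("00:0d:bd:cc:00:01", "test", "wpa", -65, False)),
    (140, Device("00:a0:c5:00:00:01", "NETGEAR", "wep", -80, False)),
]

if __name__ == "__main__":
    for a in rollup(EVENTS):
        print(a)
```

Rule order is the whole design: "authorized" sits above "rogue on wire" so an authorized AP found on the wire is not alarmed, and the catch-all "neighbor" rule at the bottom is what keeps a neighbor's infrastructure out of the alarm list until it either gets loud or starts using your SSID. Keying the rollup on (BSSID, rule) rather than BSSID alone means a device that is later found on the wire raises a new, higher-severity alarm instead of silently updating the old one.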

All the products we tested found rogues in the air, but AirMagnet Enterprise was the clear winner at identifying wired ports. It wasn't flawless, to be sure, but of the five rogue APs used, only one wireless router's port remained unidentified. In contrast, AirDefense Enterprise stumbled in this portion of our tests, acknowledging that the structure of its SNMP queries against the Cisco switches in our test lab can extract MAC (Media Access Control) addresses only in the management VLAN, leaving devices in other VLANs unidentifiable. Highwall's appliance uses a software agent that needs to be exposed to every VLAN to properly identify the existence of rogue APs on the network, and then it does not give port numbers. Network Chemistry's RFprotect foundered in these tests for reasons similar to AirDefense's, and RFprotect also consistently misidentified the port of one rogue AP, an issue that we resolved only when we reinitialized the database. Both AirDefense and Network Chemistry promise that future releases will address these issues.
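The VLAN problem AirDefense ran into has a concrete cause worth seeing: on Cisco switches the BRIDGE-MIB forwarding table is per VLAN, and a query that does not use community-string indexing (a community of the form "public@20" to walk VLAN 20) only ever sees the VLAN the community defaults to, which is typically the management VLAN. The following is an added example, not any vendor's wireside engine: it walks per-VLAN bridge tables for MACs adjacent to a rogue's BSSID and maps a hit to a switch port. The tables, port names and BSSIDs are constructed to look like walk results; the "wired MAC is within a few addresses of the BSSID" matching rule is a common heuristic and an assumption here, not something the review describes. The trunk and many-MAC check reflects the review's later note that one product briefly named a trunked port as a rogue's location, which is exactly the port you must not shut automatically.

```python
"""Wireside rogue-AP trace over per-VLAN bridge tables.

Added example, not any vendor's implementation. The walk results below are
constructed to look like BRIDGE-MIB dot1dTpFdbTable / dot1dBasePortIfIndex
data as a Cisco switch returns it per VLAN via community-string indexing
("public@20" walks VLAN 20); a live version would replace FDB with SNMP walks.
"""


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(value):
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def community_strings(base, vlans):
    """Cisco community-string indexing: one walk per VLAN, not one per switch.
    Walking with plain `base` returns only the default (management) VLAN."""
    return [f"{base}@{v}" for v in vlans]


# Constructed data. vlan -> {learned MAC: bridge port}; bridge port -> ifName.
FDB = {
    1:  {"00:0d:bd:aa:10:01": 1, "00:0d:bd:aa:10:02": 1, "00:11:22:33:44:55": 3},
    20: {"00:13:10:9f:e3:a2": 7, "00:0d:bd:aa:10:01": 1, "00:0d:bd:aa:10:02": 1,
         "00:e0:4c:12:34:59": 1, "00:16:b6:aa:bb:cc": 1, "00:c0:49:d3:00:01": 1},
}
PORT_IFNAME = {1: "Gi0/1", 3: "Fa0/3", 7: "Fa0/7"}
TRUNK_PORTS = {1}     # in practice from vlanTrunkPortDynamicStatus or CDP
MANY_MACS = 3         # a port learning this many MACs is an uplink, not one AP


def wired_candidates(bssid, radius=8):
    """Heuristic (assumption): SOHO APs usually derive the LAN-side MAC from the
    radio BSSID by a small +/- offset, so look for the BSSID's neighbours."""
    base = mac_to_int(bssid)
    return {int_to_mac(base + d) for d in range(-radius, radius + 1)}


def trace(bssid, fdb, vlans, port_ifname=PORT_IFNAME, trunk_ports=TRUNK_PORTS):
    """Return [(vlan, ifname, actionable)] for every port where a MAC adjacent
    to `bssid` was learned. `actionable` is False on trunks and on ports that
    learned many MACs: shutting those would cut off far more than the rogue."""
    wanted = wired_candidates(bssid)
    hits = []
    for vlan in vlans:
        table = fdb.get(vlan, {})
        port_load = {}
        for port in table.values():
            port_load[port] = port_load.get(port, 0) + 1
        for mac, port in table.items():
            if mac in wanted:
                uplink = port in trunk_ports or port_load[port] >= MANY_MACS
                hits.append((vlan, port_ifname.get(port, f"port{port}"), not uplink))
    return hits


if __name__ == "__main__":
    rogue = "00:13:10:9f:e3:a0"          # constructed BSSID heard in the air
    print("walks needed:", community_strings("public", FDB))
    print("management VLAN only:", trace(rogue, FDB, [1]))
    print("all VLANs:", trace(rogue, FDB, [1, 20]))
    print("rogue hanging off the uplink:", trace("00:e0:4c:12:34:56", FDB, [1, 20]))
```

Querying VLAN 1 alone never finds the rogue, which is the AirDefense failure in the paragraph above; querying every VLAN finds it on Fa0/7. The second rogue's wired MAC shows up behind Gi0/1, a trunk that also carries the authorized APs, so the trace reports it but marks it non-actionable rather than handing it to an automated port-disable.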

Go to Your Corners

Client containment, mitigation or countermeasures--that is, the ability to suppress communication between two devices--is a powerful tool in a wireless administrator's arsenal and should be used with caution. We set up a scenario in which a rogue client exhibited malicious behavior and ran it against three different chipsets. Network Chemistry's RFprotect enjoyed the most success thanks to its honeypot method, and it generated only a nominal amount of wireless traffic to perform containment, roughly 8 to 11 Kbps. AirMagnet Enterprise's setup stumbled on the Centrino chipsets and generated twice the wireless traffic that RFprotect needed to contain the rogue. AirDefense Enterprise bested RFprotect in wireless traffic flow, but it had trouble suppressing the Centrino chipsets and was consistently delayed in starting containment operations. Highwall Enterprise's GUI offers a containment option, but we didn't have any success getting it to work, even after requesting assistance from the vendor.

Another containment scenario we tested replicates corporate wireless clients accidentally associating to neighboring APs. Again, Network Chemistry's RFprotect took the prize. AirMagnet Enterprise generated 11 Kbps to 20 Kbps of wireless traffic to do containment and again had problems with the Centrino chipsets, both for 802.11b/g and 802.11a. AirDefense Enterprise did reasonably well, letting only a few bytes of possibly hostile traffic through.

Performing complex containments is a weak point in most WIDPS products. To test the ability of the systems to contain multiple clients while scanning multiple bands, we ran two different tests using a single sensor. In the first test we had as many as three rogue clients in succession try to associate to a dual-band Cisco AP. AirDefense's appliance passed with flying colors. AirMagnet Enterprise couldn't identify the second client (which was running 802.11a) until we introduced the third; after that, it contained all three. Network Chemistry's RFprotect took several minutes to find the second client and couldn't contain it. The vendor confirmed that behavior and emphasized its ability to perform total containment, defined as not one successful piece of data moving between wireless client and AP. It said this total-containment capability would be compromised if the sensor had to leave the channel to engage a rogue elsewhere. Future versions will let the customer make some of these trade-offs between complete on-channel containment and off-channel containment.

In our second test of multiple clients we added to the mix a rogue AP on a different 2.4-GHz channel. AirDefense Enterprise couldn't contain the client associated to the second AP, but it did identify all the rogue clients. AirMagnet Enterprise had no difficulties at all, but RFprotect couldn't contain the second client, nor identify the third client running 802.11a. RFprotect's dual-radio sensor would have resolved the multiband/channel-detection issue, but due to a shipping snafu the company did not send us one. Although these two tests simulated extreme cases, we were disappointed more devices didn't perform better.

Next, we looked at ad hoc client containment. AirDefense Enterprise again stumbled with the Centrino chipset in both the 2.4-GHz and 5-GHz bands, but not without generating a lot of traffic--roughly 110 Kbps. Network Chemistry's RFprotect didn't do well with our first round, and after we shared our results and testing methodology, the company acknowledged that we had discovered a bug in how its ad hoc containment worked with mixed-vendor chipsets. The second round, with a patch, was successful, but generated about the same amount of bandwidth as AirDefense Enterprise. AirMagnet Enterprise surprised us with a frugal 10 Kbps generated by its very successful tarpit-style containment method. Highwall's device doesn't offer any ad hoc client containment.

To push the envelope on containment, we asked NetGear to send us its latest MIMO/pre-802.11n products--the RangeMax 240 client (Model WPNT811) and the RangeMax 240 AP (Model WPNT834). The AP was set for 240 Mbps and configured in the most proprietary mode possible. Results among the products we tested were mixed: We saw WIDPSs unable to identify the existence of the client, not recognizing the client-AP association, and constantly reevaluating the channel the client was on. All had difficulty containing the client, though containing the AP was generally more successful. In short, upcoming SOHO pre-802.11n product pairs will prove more challenging to identify and control than conventional Wi-Fi products. Clearly, security in this space is a moving target.

High Stakes Hide and Seek

When we first looked at the WIDPS arena several years ago, device-location identification was on the road map. Now, all the products tested support it, but our results prove that it's still more art than exact science. We placed four rogue APs in a regular office building; AirDefense's appliance identified all devices within 15 to 20 feet of their actual locations. AirMagnet Enterprise fared a bit worse, but all devices were still pegged within 20 to 30 feet. Highwall Enterprise did quite well considering it had only one eight-sectored sensor compared with the five the others had, though one rogue AP didn't even make the map: its calculated position was that far off the page.

Network Chemistry's RFprotect used heat maps with wide gradient bands to indicate where the rogue APs were located. After configuring the product for the building's characteristics, it did quite well with 802.11b/g rogues, within five to 15 feet, but it didn't perform as well with the 802.11a radio in the dual-band rogue we used. There's still room for improvement in all these products. We'd like to see an autocalibrating feature where sensors would ping one another and use attenuation and time-delay values in their internal mathematical models.
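The autocalibration idea in the previous paragraph is worth working through, because it shows both why locationing can get to 15 feet and why it stays an art. The following is an added example, not any vendor's locationing engine. It uses a log-distance path-loss model with two parameters (signal at one metre, and the attenuation exponent); sensors at known positions "ping" each other to fit those parameters by least squares, and a rogue is then trilaterated from its RSSI at each sensor with a Gauss-Newton solver. The building, sensor positions, rogue position and all readings are constructed and noise-free, so the recovered location is essentially exact; real readings carry multipath and wall losses that this model averages out, which is where the 15-to-30-foot errors in the review come from.

```python
"""RSSI-based rogue location with sensor-to-sensor calibration.

Added example, not any vendor's locationing engine. Positions are in metres;
every measurement below is constructed from the model itself (noise-free).
"""
import math


def model_rssi(p0, n, dist):
    """Log-distance path loss: RSSI at `dist` metres, p0 = RSSI at 1 m."""
    return p0 - 10 * n * math.log10(dist)


def calibrate(pairs):
    """pairs: [(distance_m, rssi_dbm)] from sensors pinging one another.
    Linear least squares of rssi on log10(distance) yields (p0, n)."""
    xs = [math.log10(d) for d, _ in pairs]
    ys = [r for _, r in pairs]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx                       # the fitted slope equals -10 n
    return my - slope * mx, -slope / 10


def sensor_pairs(sensors, p0, n):
    """Constructed calibration set: what each sensor would hear from the others."""
    pairs = []
    for i, (ax, ay) in enumerate(sensors):
        for bx, by in sensors[i + 1:]:
            d = math.hypot(ax - bx, ay - by)
            pairs.append((d, model_rssi(p0, n, d)))
    return pairs


def locate(sensors, rssi, p0, n, iters=50):
    """Gauss-Newton fit of (x, y) minimising sum_i (|p - s_i| - d_i)^2, where
    d_i is the range implied by sensor i's RSSI. Returns (x, y, rms_range_m)."""
    dists = [10 ** ((p0 - r) / (10 * n)) for r in rssi]
    w = [1 / d for d in dists]              # start at the range-weighted centroid
    x = sum(wi * sx for wi, (sx, _) in zip(w, sensors)) / sum(w)
    y = sum(wi * sy for wi, (_, sy) in zip(w, sensors)) / sum(w)

    def residuals(px, py):
        return [math.hypot(px - sx, py - sy) - d for (sx, sy), d in zip(sensors, dists)]

    cost = sum(r * r for r in residuals(x, y))
    for _ in range(iters):
        res = residuals(x, y)
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (sx, sy), r in zip(sensors, res):
            di = math.hypot(x - sx, y - sy) or 1e-9
            jx, jy = (x - sx) / di, (y - sy) / di     # Jacobian row for residual i
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 += jx * r
            b2 += jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break
        dx = (a22 * b1 - a12 * b2) / det              # solve (J^T J) step = J^T r
        dy = (a11 * b2 - a12 * b1) / det
        step = 1.0
        while step > 1e-4:                            # back off if the step overshoots
            nx, ny = x - step * dx, y - step * dy
            new_cost = sum(r * r for r in residuals(nx, ny))
            if new_cost < cost:
                x, y, cost = nx, ny, new_cost
                break
            step /= 2
        else:
            break
        if cost < 1e-12:
            break
    return x, y, math.sqrt(cost / len(sensors))


# Constructed building: five sensors, a rogue at (10, 12) m, and the "true"
# environment parameters the sensors must discover by calibrating.
SENSORS = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0), (30.0, 30.0), (15.0, 40.0)]
TRUE_P0, TRUE_N = -40.0, 2.8
ROGUE = (10.0, 12.0)
ROGUE_RSSI = [model_rssi(TRUE_P0, TRUE_N, math.hypot(ROGUE[0] - sx, ROGUE[1] - sy))
              for sx, sy in SENSORS]


def demo():
    """Calibrate from sensor-to-sensor readings, then locate the rogue."""
    p0, n = calibrate(sensor_pairs(SENSORS, TRUE_P0, TRUE_N))
    x, y, rms = locate(SENSORS, ROGUE_RSSI, p0, n)
    return p0, n, x, y, rms


if __name__ == "__main__":
    p0, n, x, y, rms = demo()
    print(f"calibrated p0={p0:.2f} dBm, n={n:.3f}; rogue at ({x:.2f}, {y:.2f}) m, "
          f"rms range error {rms:.3f} m, true position {ROGUE}")
```

The calibration step is the part the review wished for: with the attenuation exponent fitted from the sensors' own readings rather than typed in from a site survey, a building with more walls simply yields a larger n and the same solver still works. The practical caveat is the one-sensor case: the solver needs at least three sensors at non-collinear positions, which is why Highwall's sectorized single sensor has to substitute angle-of-arrival for range and why one-sensor placement recommendations are a poor fit for locationing.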

A Jumble of Tools

Performance-gauging, traffic-monitoring and remote-troubleshooting tools are not equivalent among these products. All can perform some packet capture. Network Chemistry's RFprotect leans on Packetyzer, a separate program and front end for the popular open-source Ethereal product, to provide full-featured packet decodes. AirDefense Enterprise exposes a host of per-node statistics, and its forensic analysis let us track information about wireless devices on a per-minute basis. AirMagnet Enterprise doesn't fall far behind--it offers tools that can help diagnose wireless problems. Highwall Enterprise offers little in the way of statistics, but it can capture wireless traffic.

In these post-Enron days, stricter accountability requirements mean many industries fall under some kind of regulatory structure, such as the Department of Defense's 8100.2, GLBA, HIPAA, PCI-DSS/CISP or SOX. All the vendors have taken these regulatory requirements, analyzed how they apply to wireless, and come up with reports that they believe will satisfy most auditors. Exact details differ among vendors, but all address the major aspects, and we expect fine-tuning as customers pass auditor-generated report feedback to their respective WIDPS vendors.

Smaller Than Breadboxes

We found sensor design interesting. AirDefense submitted its M400-model sensor, which is based on a Senao device, but these won't be available by the time you read this. Instead, the company is rolling out smoke-detector-style M5x0 series sensors. These will have shells identical to Trapeze Network's APs, which support standards-based IEEE 802.3af PoE and more mounting options at the same price. AirMagnet previously used the Senao-based units but has since moved to a plenum-rated box that natively supports standards-based PoE (IEEE 802.3af), unlike its predecessor. AirMagnet also has an impressive outdoor model that's fully enclosed and more solid-looking than any other Wi-Fi device we've seen, bar none.

Highwall provides a custom-designed sensor with optional external antenna. As our location testing proved, this device has the necessary receive sensitivity and directionality to cut down on sensor counts, but it suffers from needing to cover a larger spectral area per radio; it missed more wireless test traffic than the other units. Network Chemistry has a custom plenum-rated metal sensor; one differentiator is its pass-thru PoE port so that it can be placed in areas that already have APs, potentially reducing cabling and electrical installation costs as well as eliminating a switched port. Existing APs are plugged into the sensor using a patch cord, and the sensor uses the original PoE-powered Ethernet cable. IEEE 802.1Q support means the sensor can hang off a trunked port.

AirDefense and AirMagnet go about power a different way, taking advantage of the fact that only two pairs out of four are used for 10/100 Ethernet. Both offer adapters that use all four pairs to transport two separate PoE-powered Ethernet switch port feeds to an identical adapter, which splits the feeds out again. This method mitigates concerns about power draw and VLANs, though it does use up another valuable Ethernet switch port. Because each feed is left with only its two data pairs, the trick works only where the switch injects power on the data pairs (IEEE 802.3af Alternative A) and rules out gigabit Ethernet, which needs all four pairs.

Traffic PoPs

When scoping an overlay, don't forget to calculate traffic utilization over your WAN. Say each sensor generates a 40-Kbps stream; a large deployment with 250 branches or retail stores would quickly mushroom into a 10-Mbps data flow, making WIDPS a pricey application riding on the corporate WAN link. We tested with both "quiet" and "busy" wireless traffic for 30 minutes and derived some interesting results.

Our first results on AirMagnet's traffic tallied up a whopping 12.3 Kbps and 16.9 Kbps, the bulk of it SNMP traffic generated as the sensors persistently queried local switches to perform wireline traces on rogue APs. AirMagnet insisted that a well-designed enterprise system will ensure that remote sensors poll only switches at the remote location, generating significantly less traffic than if one centralized server had to poll dozens or hundreds of switches over WAN links. Architectural considerations aside, anyone implementing a WIDPS should take the time to understand traffic flows and how frequently switches are queried.

Save Your Pennies. And Dimes.

We set up three pricing scenarios for comparison purposes. Costs fluctuated dramatically in the smallest deployment but stabilized as the setup grew. Network Chemistry, two-time winner of our "Best Value" award, has raised its prices more in line with those of AirMagnet. Highwall's unique sensor deployment model let it bring home the price prize in all scenarios except the distributed one, where its per-sensor software licensing model drove the cost up beyond its competitors. Although price usually makes up a larger evaluation component in smaller deployments, larger shops should expect to see price equity as the vendors work hard to acquire their business.

If this review were a horse race we'd have a photo finish among the first three placers. Network Chemistry's RFprotect edged out two-time previous winner AirDefense by a nose thanks to consistent performance in our security policy monitoring and enforcement tests, plus reasonable pricing. AirDefense Enterprise and AirMagnet Enterprise ended neck and neck. AirDefense Enterprise had an excellent showing but was hamstrung by its pricing, while AirMagnet Enterprise could have gained a clear second-place finish if it hadn't stumbled on location testing and the capabilities and performance of its sensors. We'd recommend any of the top three for most companies. Highwall Enterprise was unique in many respects. It scored well on rogue device discovery and sensor design, and we were pleased with its pricing. For the right deployment it could be a good fit. Visit our Interactive Report Card to tailor our scoring to your wish list.

Network Chemistry RFprotect Distributed 5.0
Network Chemistry has definitely put market leaders AirMagnet and AirDefense on notice with its affordable, well-rounded RFprotect Distributed. Version 5.0 performed consistently in most categories and exceeded rivals in containment, earning it our Editor's Choice award. As a bonus, the company has a well-rounded portfolio that includes a mobile version and client-side wireless security product, and Network Chemistry promotes general awareness of wireless security issues via its leadership in the Wireless Vulnerability and Exploits Initiative and its more recent Wireless Threat Index, which tracks wireless security trends.

Network Chemistry sent us a desktop machine with the server and client software preinstalled, but we had no problem reinstalling the Win32-based product to address specific bugs. The company also sent us single-radio models of its PortSaver sensor. Unfortunately, only one radio performs containment at a time, which means that rogues on other bands can go on unhindered unless a neighboring sensor has overlapping coverage.


Normally, the next step after installation would be to configure some security and performance policies, but no sample templates are provided, and while the PolicyEnforce section of the configuration tab is powerful, it will take some time plus a little programming knowledge to develop meaningful policies. Network Chemistry already has policy export and import features within this section--it would take only a little work to create some canned metrics and actions for specific wireless environments that would also provide a basis for further customization.

The dashboard provides several appropriate summaries, though none let us click through to any details. The main tabs--Network, Alerts, RF Environment, Locate, Shield and Reports--are self-explanatory. Network Chemistry's network view neatly summarizes the wireless devices for a specific area, and this release supports multi-level location hierarchies. Network Chemistry continues to provide a unique touch with its spectrum usage charts, which show channel utilization and scanning patterns.

We found reporting parameters flexible; output could be easily exported to a variety of formats and scheduled to save to disk or to disseminate by FTP or e-mail. However, Network Chemistry depends on Packetyzer, a GUI front-end to Ethereal, for historical statistics on traffic flow, bytes and utilization. We found these too sparse and disconnected from the main product.

Rogue discovery performed quite well, though occasionally RFprotect identified the wrong port, a trunked one. It's a sobering reminder that automated mitigation does have risks if the product is not 100 percent accurate.

Although not a formal part of our evaluation, Network Chemistry shared a G.A. copy of its RFprotect Endpoint, which is separate from RFprotect Distributed. We installed Endpoint on the same server as the Distributed product. Client installation required us to apply a registry file, which contains a certificate, and then run an executable. The server-based GUI was still a little rough around the edges, and the security policy configuration not simple enough, but the client piece stands out because it actually firewalls traffic flows rather than disabling network adapters, a much cleaner implementation. Network Chemistry also shared its Mobile version of the Distributed product. It includes some site survey functionality as well as sensor placement, but it recommended only one sensor for our building, a significant miscalculation.

Network Chemistry has twice won our Best Value award and continues to offer affordable pricing, though it undercut Highwall in only one scenario. Slightly higher-priced software offset lower-cost sensors. If we had specified dual-radio sensors it would have added another $200 to each unit, so weigh the advantages carefully before going ahead.

AirDefense Enterprise 7.0
AirDefense Enterprise has all the class and sophistication that any Fortune 500 company could ever hope for from a WIDPS--and a price tag to match. AirDefense surpassed rivals in the level of detail recorded and provided, but unfortunately failed to contain the two Dell laptops in our test bed in both ad hoc and client testing. Apparently, the Intel Centrino 2915ABG chipset, even though it's more than a year and a half old, had not been part of the QA process. We were offered beta sensor code to retest this functionality but had to pass because it was so late in the review process.

AirDefense continues to provide its service on a 1U rack-mountable server running a hardened Linux variant. Configuration was relatively straightforward until it came time to identify which of the two Ethernet ports we should use to attach to our network; AirDefense has reassured us that future shipments will identify the proper port more clearly. Although the sensors allow for configuration via DNS, we chose the DHCP route and were well-rewarded with a relatively pain-free, zero-config process.


The Java-based client starts with a configurable dashboard that drills down in multiple places. Creating or modifying a configuration, performance or other kind of policy was easy; the system provides extensive and granular but well-laid-out options. Again, we wanted more predefined policies, such as "No wireless" or "Financial" to give the wireless administrator a head start with best practices.

AirDefense has developed five data views: rogue, performance, compliance, forensic and intrusion. Each view presents an appropriate subset of the complete list of alarms and prioritizes them in order of criticality. The forensic view shines, drawing on the 200-plus data elements that AirDefense Enterprise stores about each wireless device to list device traffic flows by link rate and frame type. It's also a gateway to device location and containment information. Did we mention that AirDefense Enterprise also stores a minute-by-minute snapshot of your wireless environment?

Alarms were easily manipulated and reporting was complete; one nit is that the output had to be exported to an HTML file to be printed. We found the user interface well-rounded, with complete auditing of all device changes and deletions. This will help satisfy your regulatory auditors.

AirDefense Enterprise surprised us with its inability to cache rogue discoveries while disconnected from the server, a critical feature for distributed sites with unstable WAN links. On the other hand, when we performed a containment test with two sensors and pulled the plug on the active sensor, the other sensor took over in a few seconds, much faster than its competitors. It also topped the multi-rogue containment tests.

Although not a formal part of this evaluation, we took advantage of the AirDefense Personal client-side policy agent. The server portion was already built into our server; Manager is a 32-bit client application that runs on a workstation, and both full and headless versions of the agent run on mobile devices. We were able to configure different responses to events, such as associating to a rogue or forming an ad hoc network. Unfortunately, formation of rules, responses, policies, profiles and groups is not intuitive. It should be a simple matter of creating, copying and customizing rules and events that trigger different responses, which can be grouped into specific policies to be applied to groups and users.

AirDefense again came in as the most expensive product in every pricing scenario, by a generous margin. For starters, the first year of maintenance is not free, unlike with its competitors. Then there's the double whammy of higher-cost sensors raising the purchase price and expensive subsequent maintenance. In the first scenario AirDefense's pricing was almost four times that of Highwall, and in the second scenario it was a full one-third higher than the next lower price. AirDefense has a strong product, both in function and form, and it deserves careful consideration. If price were no object, it would have won our Editor's Choice. But it's a rare IT group that can spend with abandon these days, and cost might remove AirDefense Enterprise from consideration at some shops.

AirMagnet Enterprise 7.0
AirMagnet was our champion in the last two WIDPS reviews, but this time around its competitors sprang ahead. Strong added features, like its new indoor and outdoor sensors, couldn't take up the slack.

Enterprise 7.0 does not offer an appliance version of its product. For this review the company shipped us two desktop machines, one hosting the SQL database for the Win32 AirMagnet Enterprise product found on the other machine. The SQL database and AirMagnet Enterprise came preinstalled, but we reinstalled a G.A. release just before product review deadline and found it a simple process.

AirMagnet Enterprise offers almost a dozen default configuration policies that make it easy for even a newbie to get off on the right foot. The colorful dashboard is a bit overwhelming compared with competitors' GUIs, however. Tabs include AirWise, its descriptive alarm view; Infrastructure; IDS/Rogue; and Charts. The reporting system is still a separate program, but popular reports can be quick-launched from the main console. The IDS/Rogue tab lists all rogue devices and allowed us not only to re-categorize them but also to disable the switch port or start wireless blocking; both functions can be automated. AirMagnet Enterprise surprised us with its efficacy in port identification but didn't do as well in location tracking.


AirMagnet still suffers from a features gap between the Enterprise Console and the Sensor view. The Sensor view provides a wealth of detail concerning surrounding airspace, and it's unfortunate that AirMagnet's developers haven't been able to find a way to judiciously pull in this data when traversing the Enterprise view. It also took anywhere from one to several minutes for new rogues to display in the IDS/Rogue view. AirMagnet performs batch-based data transfers from the sensors to the server, rather than stream traffic continuously, an unfortunate choice. This delay put AirMagnet in the backseat for responsiveness to new discoveries.

AirMagnet Enterprise had a tough time containing a few of the rogue APs in our test bed and generated a lot of traffic in doing so. Its containment style--using bi-directional de-auths--was effectively disregarded by our Centrino-based laptops; clients would immediately re-authenticate with the rogue AP and continue to exchange traffic. Of course, the same problem occurred with client containment. Our ad hoc tests showed better results because AirMagnet Enterprise uses tarpitting to draw ad hoc clients toward the sensor.

AirMagnet does not have a client-side agent, but it did innovate in its two sensors. The first device includes Cognio's spectrum analyzer to perform in-depth scanning of our wireless space. We launched the interface from the Enterprise Console, but sadly, integration stopped there. The second sensor is a strongly constructed metal model designed for outdoor environments.

AirMagnet's Surveyor tool can perform coverage-prediction models based on a walk-through. It includes a sensor-placement planning feature, but in the office building where we performed location testing, Surveyor recommended only one sensor, far short of what we would need for good location tracking and effective containment.

AirMagnet Enterprise is a modestly priced product and a good choice thanks to strong diagnostic tools and rogue discovery. Buyers will want to evaluate their requirements for key features such as containment, locationing and WAN-link utilization, where other entries performed better.

Highwall Technology Enterprise 4.0
Highwall Technology's Enterprise 4.0 is a vast improvement over the Highwall we reviewed last time around, but our testing confirms that it's best-suited for policing "wireless free" environments, not as an overlay to existing wireless deployments.

Highwall shipped us a branded appliance, which ran Windows 2003 with SQL Server, but you can also use MSDE if your deployment size allows. What sets this product apart from rivals is its custom-designed sensors with specialized, large sectorized antennas for added gain and vector-based locationing. Highwall shipped only one sensor, and only a 2.4-GHz antenna.
What pained us right off is that the server must poll the sensor's IP address. If the IP address is assigned dynamically, it must be changed in the server and the service restarted--there is no automatic registration. The sensor GUI, while relatively clean, requires an overhaul. For example, the sensor's system time needs to be entered in GMT, and there is no NTP support--these are basics found even in consumer-level network devices. The sensor, by default, is polled only every 10 minutes. While this reduces bandwidth usage, the trade-off is that device discovery is delayed.

The Web-based interface is simple but effective. The dashboard, or "Cockpit View," gives a quick overview of threat status, buildings, networks and alerts. We were initially perplexed as to why the dashboard listed zero rogues, but drilling down on our test building yielded half a dozen. We learned that devices are not officially labeled as rogues when discovered, a potential bug. The main menu breaks down into buildings, wireless devices, alerts and reports.

Policies are relatively nonexistent, much in line with Highwall's "wireless free" focus. For example, we couldn't assign a default encryption type or specify whether SSIDs may be broadcast. Alerts can be turned on or off, but very little concerning thresholds can be modified.

Highwall has licensed WiMetrics' engine and built on that to provide wire-side rogue detection, but that functionality works only when the rogues are in the same Layer 3 network as the server. Ethernet switch port numbers are not listed, but most of the time the system was able to correlate the WAN MAC address on the wired side of the APs in our test bed with the BSSID on the wireless side and list it as one rogue.

Wireless containment did not work in our tests, although we attempted multiple times and requested the aid of Highwall's staff. This hurt Highwall Enterprise in the scorecard. The company did provide us with an endpoint agent that is tied into the server's Web interface. It performed as advertised; we found it relatively straightforward to modify a policy and apply it to a wireless client.

Unless you need to affordably and simply enforce a no-wireless policy in a large building, we recommend you pass on this product. The other WIDPSs tested offer much more sophistication.

How We Tested

Most of our testing was performed in our partner labs in the Midwest, but location testing was done in a nearby brick-exterior/metal-stud-interior multifloor office building with a variety of conference rooms, hallways, cubicles and walled offices.

We created separate Layer 3 networks using VLANs for each vendor's server(s) and sensors, as well as for production WLAN and rogue networks. We used two Cisco 2950 switches, one at the "core" serving each of the servers, trunked to one at the "edge" serving the sensors and rogue APs to create a simplistic representation of an enterprise network. Each switch was SNMP-enabled so that the various systems could query the CAM tables and control ports as necessary.
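The wired-side correlation mentioned in the Highwall section (matching a rogue AP's WAN MAC to its BSSID) and the CAM-table lookups described here can be combined into one check. The following is an added example, not code from any of the reviewed products; the CAM table, BSSIDs and port names are constructed sample data.

```python
"""Match wireless BSSIDs to wired-side MACs learned in a switch CAM table.

Added example; not code from any product reviewed here. A SOHO AP's wired
(WAN) MAC usually lies a few addresses from its BSSID, so a CAM entry that
shares the OUI and sits within a small window of the BSSID is a likely
rogue uplink. All table contents below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Match:
    bssid: str
    wired_mac: str
    port: str
    distance: int  # numeric gap between BSSID and wired MAC


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


# Constructed CAM table, as a dot1dTpFdbTable SNMP walk might yield: MAC -> port
SAMPLE_CAM = {
    "00:14:bf:12:34:56": "Fa0/3",  # rogue #1 WAN MAC; its BSSID is one higher
    "00:1b:21:aa:bb:01": "Fa0/7",  # an ordinary workstation
    "00:0c:41:de:ad:00": "Fa0/9",  # rogue #2 WAN MAC; its BSSID is two lower
    "00:12:7f:00:00:10": "Gi0/1",  # learned on the trunk to the core switch
}
SAMPLE_BSSIDS = ["00:14:bf:12:34:57", "00:0c:41:de:ac:fe", "00:1a:70:99:99:99"]
UPLINK_PORTS = frozenset({"Gi0/1"})  # assumed trunk ports; skip their entries


def correlate(cam, bssids, uplinks=frozenset(), window=4):
    """Return {bssid: best Match or None}.

    A candidate must share the 24-bit OUI with the BSSID and lie within
    `window` addresses of it; the closest such entry wins. Entries learned
    on uplink ports are ignored: they point at another switch, not at the
    rogue's access port.
    """
    results = {}
    for bssid in bssids:
        target = mac_to_int(bssid)
        best = None
        for mac, port in cam.items():
            if port in uplinks or mac[:8].lower() != bssid[:8].lower():
                continue
            gap = abs(mac_to_int(mac) - target)
            if gap <= window and (best is None or gap < best.distance):
                best = Match(bssid, mac, port, gap)
        results[bssid] = best
    return results
```

A match only names the access port worth inspecting; the review notes that even with this heuristic the correlation succeeded "most of the time," so a hit still needs confirmation before a port is shut.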

For rogues, we used six wireless APs from Belkin, Cisco, Linksys and Netgear; four acted as wireless routers, two as wireless bridges. We threw two dual-radio APs in the mix to make sure 802.11a was well-represented. When performing rogue discovery tests, we tested with both open settings and with security turned on.

For clients we used three laptops: a Dell Latitude D610 and a D500, each with an integrated Centrino 2915ABG chipset, and a Dell Inspiron 600m laptop using an 802.11a/b/g Broadcom-based chipset. We also used two PCMCIA cards: Cisco's Atheros-based 802.11a/b/g CB21AG and a Linksys Atheros-based 802.11a/b/g WPC55AG.

For all our containment testing we used a third-party ping program with audible feedback to verify the flow of traffic between the clients (in the case of ad hoc testing) or between client and AP. For all containment attacks we captured traffic for about 60 seconds (repeated at least once) using Packetyzer. We identified the packets related to the containment and calculated the number of bytes used over that time period to arrive at a bits-per-second figure.
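The bits-per-second calculation described above, as an added example that is not the review's own tooling or any vendor's code: it selects the de-authentication and disassociation frames in a capture window, totals their bytes and reports the rate. The capture is constructed in memory, and frames carry a bare 802.11 header with no radiotap prefix, which is an assumption.

```python
"""Quantify the over-the-air load of de-auth based containment from a capture.

Added example; not the review's own tooling. Mirrors the method described
above: count containment frames (de-authentication and disassociation) in
a capture window, total their bytes, and report bits per second. The sample
capture is constructed here; frames use a bare 802.11 header (assumption).
"""
import struct

DEAUTH, DISASSOC = 0x0C, 0x0A  # 802.11 management subtypes


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _fmt(b):
    return ":".join(f"{x:02x}" for x in b)


def mgmt_frame(subtype, addr1, addr2, bssid, reason=7):
    """Constructed sample management frame: 24-byte header + reason code."""
    fc = bytes([subtype << 4, 0])  # type bits 00 = management
    return (fc + struct.pack("<H", 314) + _mac(addr1) + _mac(addr2)
            + _mac(bssid) + b"\x00\x00" + struct.pack("<H", reason))


def parse_mgmt(raw):
    """Return (subtype, addr1, addr2) for a management frame, else None."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != 0:
        return None  # too short, or a control/data frame
    return raw[0] >> 4, _fmt(raw[4:10]), _fmt(raw[10:16])


def containment_stats(capture, bssid, window_s):
    """capture: iterable of (timestamp_s, raw_frame). Totals over window_s."""
    st = {"frames": 0, "bytes": 0, "to_client": 0, "to_ap": 0, "bps": 0.0}
    for _ts, raw in capture:
        p = parse_mgmt(raw)
        if p is None or p[0] not in (DEAUTH, DISASSOC):
            continue  # data frames and other management traffic don't count
        st["frames"] += 1
        st["bytes"] += len(raw)
        if p[2] == bssid:
            st["to_client"] += 1  # spoofed as coming from the rogue AP
        else:
            st["to_ap"] += 1      # spoofed as coming from the client
    st["bps"] = st["bytes"] * 8 / window_s
    return st


AP, CLIENT = "00:14:bf:12:34:57", "00:16:6f:01:02:03"  # constructed addresses
SAMPLE_CAPTURE = [(0.0, b"\x08\x00" + b"\x00" * 22 + b"data payload")]  # ignored
SAMPLE_CAPTURE += [(i * 1.0, mgmt_frame(DEAUTH, CLIENT, AP, AP)) for i in range(6)]
SAMPLE_CAPTURE += [(i * 1.0, mgmt_frame(DISASSOC, AP, CLIENT, AP)) for i in range(4)]
```

Feeding a real capture in means supplying (timestamp, raw 802.11 frame) pairs and the capture length the review used (about 60 seconds); the to_client/to_ap split shows whether a product's containment is bi-directional, as described for AirMagnet.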

To calculate the amount of wired-side sensor traffic generated in both "quiet" and "busy" wireless networks, we ran two tests that captured traffic for all the vendors between two sensors and their respective servers over a 30-minute period. With the busy test run, we turned on all our SOHO APs and used several wireless clients associated to different APs on various channels. We then generated wireless data traffic using a custom script that contained a mixture of Web browsing and e-mail traffic.

Location accuracy testing was performed in our Midwest office building. We placed one sensor at each corner of the building and a sensor in the middle. The exception was the single supplied Highwall sensor, which we placed in the middle of the building. Several models of Linksys APs were placed in various parts of the building and the results recorded on a map.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

Wireless IDS/IPS Interactive Report Card