Disabling Rogue WLAN Access

Detect, then actively block, unauthorized WLAN users

Worried about rogue access points or wireless cards infiltrating your corporate network? A new product not only detects them, but is the first able to actually block them.

Wireless LAN (WLAN) vendor AirMagnet released AirMagnet Distributed 4.0, for monitoring enterprise-wide WLAN rollouts and troubleshooting WLAN network or performance issues. The product includes a digital dashboard displaying an enterprise’s overall WLAN health.

AirMagnet Distributed relies upon physical, remote sensors, which continually monitor for Wi-Fi signals and profile any in-range wireless device, whether known or unknown. The result is a picture of all enterprise Wi-Fi traffic.

The sensors can also classify unknown Wi-Fi access as friend or foe. “AirMagnet identifies rogues by radio band, MAC address, SSID [service set identifier], and manufacturer,” notes the company. To minimize network traffic and avoid geographical distribution problems, the remote sensors are built to do WLAN analysis on their own, without a centralized server. All sensors feed results to a central management console, though sensors can also trigger alarms directly, for example by sending a page or generating a network alert.

Once rogue activity is detected, AirMagnet Distributed can further respond in a number of ways, based upon the perceived threat level. For example, AirMagnet can block rogue activity at the network level or reconfigure the network infrastructure to (in effect) disable it; find the device via a wired-side trace, so a security administrator can either secure or confiscate it; and enlist other AirMagnet products to locate and disable the device.

“Distributed 4.0 includes the unprecedented ability to determine the level of risk posed by rogue devices,” then block them, notes AirMagnet CEO Dean Au.

Organizations now have the ability to not only watch for unauthorized WLAN access, but do something about it—a crucial step for maintaining wireless security. Given that security functionality, “any organization considering an enterprise-wide rollout of wireless LANs should take a serious look at this product,” says Frost and Sullivan analyst Wai Sing Lee.

The AirMagnet Distributed console manages all of the remote sensors from one laptop or workstation. Security managers can tailor wireless policies globally, or for different users based on their SSID—the name of the access point which serves a certain group of users. For example, AirMagnet Distributed could immediately block any potential rogue activity on the SSID used by the accounting department, or in a remote office lacking IT support staff. For other SSIDs, security managers might immediately block any access point suspected of launching a WLAN attack. For less-risky alarms, however, security managers might decide to monitor instead, collecting information on potential intruders.
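The classification by radio band, MAC address, SSID and manufacturer, combined with the per-SSID block-or-monitor policy described above, can be sketched as follows. This is an added example, not AirMagnet's code or logic; the inventory, MAC addresses, OUI prefix, SSID names and action names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: MAC -> (SSID, radio band).
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("corp-accounting", "2.4GHz"),
    "00:11:22:aa:bb:02": ("corp-guest", "5GHz"),
}
APPROVED_OUIS = {"00:11:22"}                 # constructed manufacturer prefix
SSID_POLICY = {"corp-accounting": "block"}   # hypothetical per-SSID response
DEFAULT_ACTION = "monitor"                   # lower-risk alarms: watch and log


@dataclass(frozen=True)
class Observation:
    mac: str
    ssid: str
    band: str


def classify(obs):
    """Compare one sensor observation with the inventory; return (verdict, reasons)."""
    mac = obs.mac.lower()
    known = AUTHORIZED.get(mac)
    if known == (obs.ssid, obs.band):
        return "authorized", []
    reasons = []
    if known is None:
        reasons.append("unknown MAC")
        # A sanctioned network name on unlisted hardware is the higher-risk case.
        if any(ssid == obs.ssid for ssid, _ in AUTHORIZED.values()):
            reasons.append("advertises a sanctioned SSID")
    else:
        if known[0] != obs.ssid:
            reasons.append("SSID differs from inventory")
        if known[1] != obs.band:
            reasons.append("band differs from inventory")
    if mac[:8] not in APPROVED_OUIS:
        reasons.append("unapproved manufacturer")
    return "rogue", reasons


def respond(obs):
    """Apply the per-SSID policy to a classified observation."""
    verdict, reasons = classify(obs)
    if verdict == "authorized":
        return "allow", reasons
    return SSID_POLICY.get(obs.ssid, DEFAULT_ACTION), reasons
```

All four attributes are values the transmitting device announces about itself, so an "authorized" verdict here means only "consistent with the inventory"; the wired-side trace mentioned earlier is what ties a radio to a physical port.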

The Naval Postgraduate School (NPS), an early customer, uses AirMagnet to secure and monitor its wireless LAN, test unmanned aircraft Wi-Fi networks, and as an aid to teaching about WLANs. Alex Bordetsky, an NPS professor of information sciences, notes the product “provides a detailed explanation of how to solve most any performance monitoring problems that might arise on a Wi-Fi network.” He also likes its ability to create network-wide views of WLAN use. In the past, creating a map of all wireless devices in operation required time-consuming, manual efforts and constant updates.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.