Review: Motorola AirDefense Wireless Vulnerability Assessment Tool

Price: $295 per sensor (AirDefense add-on module)

Pros: Centrally initiated IP/port scans, automated AP crawls, good for routine sanity checks

Cons: Buggy discovery results, too slow for exhaustive scans, no substitute for on-site VA

Testing security is critical to safeguard business data and comply with regulatory mandates, but it can be overwhelmingly costly in large distributed networks. Case in point: Retailers struggle to scan every in-store cardholder data environment for PCI DSS compliance. Dispatching staff and equipment to hundreds of sites each quarter can make a CFO's head spin, leaving CSOs searching for cost-effective alternatives.

To help customers cut those expenses, Motorola has introduced a new AirDefense Enterprise Wireless Intrusion Prevention System (WIPS) add-on module. The AirDefense Wireless Vulnerability Assessment (VA) Tool leverages an enterprise's Wi-Fi security monitoring infrastructure to perform centrally initiated, remotely executed scans.

Financially, this proposition makes sense (cents?). But, after taking this tool for a month-long test drive, we conclude that routine AirDefense VA scans are best viewed as a complement to (not a replacement for) rigorous on-site VA scans.

Spend less, do more

Providers such as Qualys and nCircle have long earned a living by performing Internet-based scans, and there are many firms that are willing to visit and scan your sites for a price. For example, the PCI Security Standards Council maintains a lengthy list of approved scanning vendors.

But AirDefense has taken a novel approach with its VA Tool, using your WIPS to scan the inside of your WLAN from afar. Superficially, their (patented) approach is quite simple:

  1. Use your WIPS console to centrally define and launch IP/port scans
  2. Use your WIPS sensors to connect to nearby APs and scan your subnets
  3. Use your WIPS database to record and deliver scan reports

If you already own AirDefense, the incremental cost to enable this module is $295 per sensor. That's cheaper than conducting a single on-site manual VA scan. If you don't own AirDefense – well, this feature probably isn't going to change your mind. An AirDefense appliance starts at $5,995, plus $495 per sensor. But companies with large, distributed WLANs have many compelling reasons to invest in WIPS – just think of this VA add-on (and last spring's AP Connectivity add-on) as opportunities to get more mileage from that investment.

Given this value proposition, we set out to answer two questions. The first is tactical: Can AirDefense VA scans reduce the need for on-site VA scans? The second is strategic: Can proactive AirDefense VA scans reduce a network's risk exposure? Here's what we found...