Specifically, every scheduled scan has the potential to trigger three kinds of alerts: Internet Accessible, Unapproved Devices Accessible, and Unapproved Services Accessible. For example, a scan defined to check Internet connectivity might trigger an Internet Accessible alert for the AP under test. A scan defined to check a disallowed TCP port across an entire subnet might trigger an Unapproved Services Accessible alert for the AP under test, accompanied by alert text that lists all reachable IPs/ports.
These alerts are intended to draw NOC attention to a newly accessible device or service. If VA scans are run repeatedly, these WIPS alerts can proactively warn you about potential network vulnerabilities, hopefully before an attacker finds them. We think this is a very useful enhancement to passive WIPS monitoring that (if used correctly) could improve a network's overall security posture without adding much to TCO. One possibility that high-security facilities may find intriguing: using AirDefense's action manager to auto-disable APs based on WVA Scan alerts.
However, converting scan results into alerts is awkward. For example, the term "vulnerability" refers both to open IPs/ports and alerts, causing the "number of vulnerabilities found" during the last scan to differ from the "number of vulnerabilities" documented in a WVA Scan Report. There's no direct way to generate a report for one VA scan run; you must pick the time period when the scan ran. And comparing alerts generated by multiple scans is an exercise left to the user. Here again, we believe that AirDefense has left room for improvement.
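To make the two ways of counting concrete, and to show the kind of run-to-run comparison that the product leaves to the user, here is an added example in Python. It is not AirDefense code, and the finding records and AP names are constructed for illustration; the record shape (AP, check kind, target IP, TCP port) is an assumption, not the product's export format. It collapses raw findings into one alert per AP and alert type, counts "vulnerabilities" both as open IP/ports and as alerts, and diffs two runs so that newly reachable services stand out.

```python
from collections import defaultdict

# Mapping from the kind of check a scan performed to the WIPS alert it raises.
# The third alert type, Unapproved Devices Accessible, is omitted here.
ALERT_TYPES = {
    "internet": "Internet Accessible",
    "service": "Unapproved Services Accessible",
}

# Constructed sample data for two successive runs of the same scheduled scans.
# Each finding is (ap_name, check_kind, target_ip, tcp_port); this record
# shape is an assumption for illustration, not AirDefense's export format.
RUN_1 = [
    ("AP-Lobby", "service", "10.1.2.10", 23),
    ("AP-Lobby", "service", "10.1.2.10", 445),
    ("AP-Lobby", "service", "10.1.2.11", 445),
    ("AP-Lobby", "internet", "203.0.113.5", 80),
    ("AP-Warehouse", "service", "10.1.2.20", 23),
]
RUN_2 = [
    ("AP-Lobby", "service", "10.1.2.10", 445),
    ("AP-Lobby", "service", "10.1.2.11", 445),
    ("AP-Lobby", "service", "10.1.2.12", 3389),
    ("AP-Lobby", "internet", "203.0.113.5", 80),
    ("AP-Warehouse", "service", "10.1.2.20", 23),
    ("AP-Warehouse", "service", "10.1.2.21", 23),
]


def count_open_services(findings):
    """Vulnerabilities counted per reachable IP/port (what the scan found)."""
    return len(set(findings))


def build_alerts(findings):
    """Collapse findings into one alert per (AP, alert type); the alert text
    lists every reachable IP:port, the way the console presents them."""
    targets = defaultdict(set)
    for ap, kind, ip, port in findings:
        targets[(ap, ALERT_TYPES[kind])].add((ip, port))
    alerts = {}
    for (ap, alert_type), hits in targets.items():
        text = ", ".join(f"{ip}:{port}" for ip, port in sorted(hits))
        alerts[(ap, alert_type)] = f"{ap} {alert_type}: {text}"
    return alerts


def count_alerts(findings):
    """Vulnerabilities counted per alert (what a report over the scan window shows)."""
    return len(build_alerts(findings))


def diff_runs(previous, current):
    """Compare two runs: newly reachable services deserve NOC attention first;
    services no longer reachable were presumably closed or remediated."""
    prev, cur = set(previous), set(current)
    return {"new": sorted(cur - prev), "closed": sorted(prev - cur)}


if __name__ == "__main__":
    for run_name, run in (("run 1", RUN_1), ("run 2", RUN_2)):
        print(f"{run_name}: {count_open_services(run)} open IP/ports, "
              f"{count_alerts(run)} alerts")
        for line in build_alerts(run).values():
            print("  " + line)
    delta = diff_runs(RUN_1, RUN_2)
    print("newly reachable:", delta["new"])
    print("no longer reachable:", delta["closed"])
```

Run 1 yields five open IP/ports but only three alerts, which is exactly the discrepancy between "vulnerabilities found" and "vulnerabilities" in a report; the diff shows one service closed and two newly exposed between runs, the information an operator actually wants from repeated scans.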
Bottom line
We used the VA Tool for several weeks, along with other AirDefense features, including locationing and forensics, to examine APs with reported vulnerabilities. We concluded that AirDefense customers can be more proactive about security by running focused Blacklist scans at regular intervals. Moreover, because those VA scans can be initiated centrally and run themselves remotely, without any human intervention, this benefit can be achieved at modest cost.
We expect to see AirDefense fine-tune this VA Tool in its upcoming spring release, including revamping Whitelist scans, improving exported results, and eliminating a few GUI glitches. We also hope to see future releases make more scalable, interpretive use of scan results to help large enterprise admins focus on findings that pose serious concern.
But ultimately, we view AirDefense VA scans as a complement to existing security practices, including on-site VA scans. Any customer that buys this add-on module to avoid initial or periodic on-site VA scans will probably be disappointed. Regular remote scans can keep the NOC better informed, but for some tasks there is no substitute for being there.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since testing her first 802.11 WLAN in 2002, Lisa has performed numerous vulnerability assessments herself and taught workshops on this topic.