Enterprises deploying 802.11n for better bandwidth and throughput are headed for a thorny tangle of security and performance challenges. Raw events generated by WLAN infrastructure have proven far too numerous and difficult for operators to easily digest. While Wireless Intrusion Prevention Systems (WIPS), such as Airtight Networks' SpectraGuard Enterprise deliver more complete data with fewer false positives, there is still plenty of room for improvement, said Sri Sundaralingam, Vice President of Product Management.
"When you introduce bandwidth-hungry apps like video or critical healthcare apps, the last thing you want to do is just be reacting to these issues," said Sundaralingam. "We have long provided performance and availability monitoring, but we wanted to simplify and enhance these areas to deliver more proactive rather than reactive solutions that can get you to just what you need in no more than two clicks."
Airtight engineers have focused on these goals for the past year, culminating in SpectraGuard release 6.0, available January 5th, 2010. In addition to core product updates, 6.0 adds two new advanced WIPS modules: Performance Management and Smart Forensics. Both are included with the entry-level SpectraGuard Enterprise license at no extra cost; customers with more than 50 sensors can purchase additional licenses at $100/sensor.
Too much data, too little insight
Driven by concern over wireless security especially in regulated industries including retail and healthcare WIPS does a better-than-WLAN job of classifying and responding to rogue devices, attacks, and policy violations. For example, most WLAN controllers can generate alerts for unknown APs on channels/bands used by legitimate APs. But WIPS sensors can listen for rogues on other channels, recognize more sophisticated attacks that span several APs, and pro-actively prevent network penetration by disabling upstream Ethernet ports and/or wireless clients.
However, both approaches tend to suffer from event overload. When security incidents occur, investigators must sift through lengthy controller logs or WIPS databases, looking for past events that might be related or devices that might have been compromised. Worse, events are often described in RF terms that require WLAN staff interpretation, instead of quickly conveying "who, when, where, and how" to security staff, said Sundaralingam.
Performance and availability problems are even harder to tackle efficiently. Some WLAN controllers maintain hundreds of SNMP counters and thresholds per AP. But busy operators don't have time to review much less interpret a mountain of attribute values, and RF conditions change so fast and so frequently that poor thresholds can trigger alert floods. AirTight saw these challenges getting worse with 802.11n and believed that automated analysis and trending could help avoid outages and reduce help desk calls.
To speed security incident investigation, SpectraGuard Enterprise 6.0 adds Smart Forensics. This new incident analysis module boils any detected threat down to just the essential evidence, reached from the console home page in just two mouse clicks.
Security staff can use a status-coded hierarchical location tree to select any office with an outstanding threat. The new Smart Forensics dashboard for that location offers roll-up counts for devices and incidents per threat type (e.g., rogue AP, misconfigured AP, honeypot AP, unauthorized association, bridging client, banned client).
Click on any threat type to view lists of associated events, associations, quarantines, and administrative actions. Click on any affected device to see a description of that device, a map of its current and historical location, a list of past and present associations, a list of related events, and current visibility and quarantine status.
According to Sundaralingam, Smart Forensics does a better job of summarizing and correlating security data previously gathered by SpectraGuard, making investigation easier for non-RF experts. Furthermore, Smart Forensics exposes new details needed to assess each threat type for example, recently associated APs and probed SSIDs for threats attributed to a client. AirTight expects to add further details over time, based upon customer feedback, aiming to deliver essential details (and only those details) in an easily-consumable fashion.
The other advanced module new in 6.0 will deliver more proactive, automated performance analysis. Like Smart Forensics, the Performance Management module starts with a new dashboard. There, network operators can drill into performance events, ranked by severity. Events may be grouped and analyzed by category, location, top AP, or top client. New real-time graphs and reports offer trend analysis for WLAN coverage, configuration, interference, and bandwidth.
For example, when a WLAN controller sees client associations or total throughput drop, it may not be able to differentiate between a normal reduction in demand and a problem preventing clients from associating or transmitting traffic. But Sundaralingam said the SpectraGuard Performance Management module can correlate many sensor-observed factors, including the number of legacy clients in the area (not just associated to the WLAN), RF signal strength for all devices in that vicinity, and frame throughput. This broader, full-time perspective lets SpectraGuard identify the likely cause and depict its impact using real-time charts and heat maps.
To preemptively identify problems caused by increased load or density over time, this module offers a new trio of RF, Bandwidth, and Configuration audit reports. These reports can be run at scheduled intervals to automatically compare current and past performance metrics to isolate trends before they trigger business-affecting degradation or outages. However, the period over which trend analysis can be performed is limited by data retention policy roughly three months for most WLANs, said Sundaralingam.
Rounding out the release
SpectraGuard Enterprise 6.0 also incorporates a number of core product enhancements, including IPv6 support (increasingly required by DoD customers), the ability to detect client bridging attacks (where multi-homed clients relay traffic between wired and wireless NICs), and the ability to detect WPA message integrity check attacks (which can be used to inject short frames like ARP without knowing the WPA-PSK). AirTight has also submitted release 6.0 for FIPS 140-2 and Common Criteria EAL2 certification.
Customers with support contracts will be eligible to install the core 6.0 upgrade at no additional charge. New customers can give SpectraGuard Enterprise 6.0 a try by purchasing an entry-level server kit ($9995, plus sensors) or by signing up for SpectraGuard Online, a cloud-based service that starts at $30/sensor/month. The latter has proven popular among retailers to generate PCI compliance scan reports, but can be useful to any organization wanting to trial an enterprise-class WIPS without making a significant capital investment.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.