Wi-Fi Security Review: AirMagnet

Wireless networking has rapidly become the new way to upgrade systems and networks. It offers freedom of movement and flexibility in changing enterprise environments. Unfortunately, when the 802.11 protocol was developed, little thought went towards security. What security was applied -- specifically WEP -- was quickly broken. Today, it's widely recognized that WEP provides little to no security.

But that said, some security is better than none, and even this limited protection can be helpful on simple networks. One of the most troubling issues seen today is the sheer number of unsecured wireless networks that exist.

Walking down Yonge Street and Bay Street (the heart of Toronto's Financial District), one finds countless warchalking markings (warchalking refers to the "chalk marks" people leave to indicate the proximity of open wireless networks). War driving, the act of looking for and using open, unsecured wireless networks, is increasing, with little to no legal action being taken. Until laws are in place to deal with this, companies will need to handle the issue themselves.

Auditing small networks for security and performance is fairly easy. But for medium, large or extra-large networks, standard tools just won't cut it: there are too many APs and stations to deal with, and you will likely pick up traffic from neighbouring sites and need to disentangle the signals. That's where a tool like AirMagnet, designed specifically for larger networks, comes in handy.

An administrator can install this tool on a laptop or handheld PC. The graphical interface allows for easy navigation and if the additional AirMagnet Reporter is installed, easy interpretation. Even without the Reporter I was amazed as to how much information AirMagnet picked up in the test networks I used it on.

[AirMagnet screenshot] For one network, the security in general wasn't bad, albeit a bit noisy in traffic and having only the simplest of security. The other network (see screenshot; MACs removed to protect the "innocent") was quite scary in how lax and open it was.

AirMagnet's strength lies in its ability to determine a WLAN's security posture and performance. For administrators, this alone is worth the cost of AirMagnet. A few of the APs I tested had an extremely poor signal-to-noise ratio. In fact, the noise had reached 40% (lots of noise!), making the signal sporadic at times.

More Performance Analysis Features, Tracking Rogue Users and the Cost of Wi-Fi Security

Some of the other performance analysis features include detection of weak AP signals, excessive packet retries, APs filled beyond capacity, excessive bandwidth usage, missed beacons, too many APs on a channel, traffic priority problems caused by conflicting DCF/PCF deployments at the same time, APs with conflicting configurations, too many broadcast and multicast packets, hidden nodes (causing packet collisions), stations misconfigured for ad-hoc mode when they should be using an infrastructure SSID, too many clients on an AP, bandwidth overwhelming an AP (which may indicate too many high-usage clients on a single AP), and clients roaming between APs (which might indicate APs placed too close together, or a "rogue user").

One of the nicer features is the ability to identify and give aliases to various wireless MACs, thus making it easier to identify all actual users and "rogue users". Using the "Find" tool, you can manually and physically track down the location of the rogue user. Much like a Geiger counter, the Find tool will get a stronger signal from the selected MAC as you physically get closer to it.

AirMagnet will even pick up DoS attacks as they happen, which lets an administrator take the affected site down and re-address it and, if the "attacker" is nearby, potentially track them down. As mentioned, it does a good job of finding the various standard security flaws often found in networks, including the lack of WEP, flawed WEP usage, clear-text authentication, war driving, dictionary attacks, unconfigured (default-settings) APs, spoofed MACs, SSID broadcasting, ad-hoc configurations and many others. As a passive auditing tool, AirMagnet should be part of any security auditing team's toolkit.
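A scaled-down version of the configuration checks listed above, as an added example that is not AirMagnet's code: it runs over a constructed set of passive scan records and flags open APs, WEP in use, factory-default SSIDs, ad-hoc stations, SSID broadcast, one BSSID advertising several SSIDs (a spoofed-MAC indicator), and crowded channels. The default-SSID list and the per-channel threshold are assumed values chosen for illustration.

```python
"""Passive WLAN audit over constructed scan records (example code, not AirMagnet's)."""
from collections import Counter, defaultdict

# Constructed sample of what a passive scanner records per beacon source.
SAMPLE_SCAN = [
    {"bssid": "00:00:00:00:00:01", "ssid": "corp-wlan",   "channel": 1,  "cipher": "WPA-PSK", "mode": "infrastructure", "hidden": True},
    {"bssid": "00:00:00:00:00:02", "ssid": "corp-wlan",   "channel": 1,  "cipher": "WEP",     "mode": "infrastructure", "hidden": True},
    {"bssid": "00:00:00:00:00:03", "ssid": "linksys",     "channel": 6,  "cipher": "none",    "mode": "infrastructure", "hidden": False},
    {"bssid": "00:00:00:00:00:04", "ssid": "shared-docs", "channel": 6,  "cipher": "none",    "mode": "ad-hoc",         "hidden": False},
    {"bssid": "00:00:00:00:00:05", "ssid": "guest",       "channel": 6,  "cipher": "WPA-PSK", "mode": "infrastructure", "hidden": False},
    {"bssid": "00:00:00:00:00:06", "ssid": "guest2",      "channel": 6,  "cipher": "WPA-PSK", "mode": "infrastructure", "hidden": True},
    {"bssid": "00:00:00:00:00:01", "ssid": "free-wifi",   "channel": 11, "cipher": "none",    "mode": "infrastructure", "hidden": False},
]

DEFAULT_SSIDS = {"default", "linksys", "wireless"}  # assumed factory names, illustrative only
MAX_APS_PER_CHANNEL = 2                               # assumed threshold for "too many APs on a channel"


def audit(records, max_per_channel=MAX_APS_PER_CHANNEL):
    """Return a list of (subject, issue) findings; subject is a BSSID or 'channel N'."""
    findings = []
    ssids_per_bssid = defaultdict(set)
    for r in records:
        b = r["bssid"]
        ssids_per_bssid[b].add(r["ssid"])
        if r["cipher"] == "none":
            findings.append((b, "no encryption"))
        elif r["cipher"] == "WEP":
            findings.append((b, "WEP in use (weak)"))
        if r["ssid"].lower() in DEFAULT_SSIDS:
            findings.append((b, "default SSID (AP likely unconfigured)"))
        if r["mode"] == "ad-hoc":
            findings.append((b, "ad-hoc station"))
        if not r["hidden"]:
            findings.append((b, "SSID broadcast"))
    # One BSSID advertising several SSIDs: possible MAC spoofing or a rogue AP.
    for b, names in ssids_per_bssid.items():
        if len(names) > 1:
            findings.append((b, "BSSID seen with multiple SSIDs (possible spoofed MAC)"))
    # Channel crowding counts infrastructure APs only, not ad-hoc stations.
    per_channel = Counter(r["channel"] for r in records if r["mode"] == "infrastructure")
    for ch, n in sorted(per_channel.items()):
        if n > max_per_channel:
            findings.append((f"channel {ch}", f"{n} APs on one channel"))
    return findings


def issues_by_subject(findings):
    """Group findings into {subject: set(issues)} for a per-AP report."""
    grouped = defaultdict(set)
    for subject, issue in findings:
        grouped[subject].add(issue)
    return dict(grouped)


if __name__ == "__main__":
    for subject, issues in sorted(issues_by_subject(audit(SAMPLE_SCAN)).items()):
        print(subject, "->", ", ".join(sorted(issues)))
```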

And this is just a small portion of what this application is capable of. During my time with it, the application found security and performance flaws that I didn't think of. I couldn't find anything wrong with this except for two issues.

The first issue is cost.

The reality is that this is targeted towards larger enterprises and the price tag is certainly a testimony to that. But, you do get what you pay for (and then some!). Using this kind of tool on a single AP would be overkill.

In addition, the licensing method, which ties the license, serial and key to the MAC address being used, ensures that most attackers won't be using this to find weak networks (except for those attackers with really deep pockets!). The price runs between about $3,000 to $3,500 USD, depending on the version you decide on. Keep in mind this doesn't necessarily include the Reporter application.

The other issue is a personal preference issue. While I enjoy playing in a variety of operating systems, I do prefer the *nix variations for stability, ease of use and flexible configuration options. This product is a Win2k/WinXP product. And I'm very good at crashing XP SP1A, multiple times. That leads to some frustrations along the way. I suspect that's more a user problem than a software problem.

But if your company is determined and serious about running a wireless network of any substantial size, this is a product you should look into. Visit http://www.airmagnet.com for online demos and more information.

And hopefully I will see some of you at the Wireless Expo and Conference here in Toronto, March 16 - 18, 2004 at the Sheraton Hotel downtown, being hosted by Wi-Fi Planet.