Consumer Cards Turned Rogue Detectors
October 06, 2003
Could a new scheme by WLAN management software maker Wavelink turn all existing 802.11 cards into rogue monitoring systems? The potential is there with an initial partnership with D-Link, but a lack of standards in WLAN data gathering means it may not go far.
Most rogue access point (AP) detection systems for wireless LANs require either using a handheld analyzer (a "sniffer") and walking from place to place like you're performing a site survey, or deploying a number of specialized probes in addition to the existing APs that will listen to the airwaves and report back on unknowns. A third method, seldom seen in most WLANs, is to turn the client systems already on the network into the rogue detectors.
Kirkland, Wash.-based Wavelink , which provides software for WLAN management in the enterprise, thinks that the use of client systems for rogue detection is the way to go. In fact, the company announced a partnership today that will build Wavelink rogue AP detection into two 802.11b+ clients from D-Link, one of the top suppliers of inexpensive, consumer WLAN network interface cards (NICs).
"We're providing the ability to use these adapters as sniffing devices," says Eric Hermelee, vice president of marketing at Wavelink. "In the process, all the laptops and PDAs can become sensors on the network."
Ironically, the companies are turning consumer-grade Wi-Fi cards from D-Link into tools to detect rogue APs, which are generally consumer-grade access points like those made by D-Link. In a white paper, Wavelink calls consumer-grade APs "the most common threat to corporate network security."The technology requires a firmware upgrade to the NIC cards. Once upgraded, the cards are automatically turned into sensors that, when idle, scan the airwaves and report data back to the Wavelink Mobile Manager system.
This method is low cost (no external probes to purchase to the tune of $500 to $1000 each), low labor (no walking around with a handheld), and easy enough to implement (to the extent that firmware upgrades are ever easy). This deal is not exclusive between D-Link and Wavelink; in fact, Hermelee points out that this idle-time scanning firmware tweak can be extended to any WLAN adapters.
Is this the beginning of a potential standard for using clients in rogue detection? Hermelee says the company would like to see it as such, but it's not being introduced or pushed that way. Wavelink is still in negotiations with other vendors, "up and down the food chain, from chipset manufacturers to the NIC makers." They plan to have partnerships in place with vendors instead of trying to push solutions on the market that the vendor might break with their own required upgrades, whether intentional or not.
Another stumbling block to a "standard": The data reported back to Wavelink Mobile Manager doesn't match up with what a competitor might also gather to do rogue detection. While theoretically they gather similar things, such as signal strength, BSSID/MAC address, etc., monitoring is still too vendor-specific to work across systems. However, no such standard is in the works by any group, IEEE or otherwise. It might be up to a company like Wavelink to push this through. [After this story went to press, we recieved a note from the editor of the IEEE 802.11k task group who said that the current draft for this new specification does include standards for rogue detection.]
Overall the company expects to add several complementary layers for rogue AP detection, not just the use of client systems for monitoring.
D-Link's support for Wavelink's rogue detection will start out with just the AirPlus Enhanced Wireless CardBus Adapter (model DWL-650+) for laptops and the external AirPlus Enhanced Wireless USB Adapter (model DWL-120+), which both use a Texas Instruments chipset supporting "802.11b+," the enhanced speed 802.11b capable of 22Mbps speed. The target date for the improved drivers is October 13. D-Link will list them at http://support.dlink.com as supporting Wavelink rogue detection. Users of the cards who get the new firmware but don't use Wavelink Mobile Manager will simply not see any of the functionality of the card.