AirMagnet Tackles New Enterprise WLAN Threats

By Lisa Phifer

October 26, 2009

The new AirMagnet Enterprise update helps troubleshoot and optimize 802.11n rollouts, and also neutralizes new Skyjack and Karmetasploit Wi-Fi attacks

802.11n is a game-changer for WLAN expectations. Best effort is no longer enough; prime-time business networks must be reliable. Full-time distributed wireless intrusion prevention and service assurance are enterprise best practices. But deployed solutions often lack the insight, intelligence, and automation needed to cost-effectively troubleshoot large-scale 802.11n WLANs.

Today, AirMagnet announced a major update to AirMagnet Enterprise to tackle these challenges. "We wanted to go beyond basic 802.11n support by delivering a toolset that does real 802.11n analysis and troubleshooting," said Wade Williamson, AirMagnet's Director of Product Management. Version 8.5.1 won't overwhelm admins with puzzling new alerts. "We tell you what the problem is, what the root cause is, and what you need to change to fix it."

Security is never done

Given broad AP and client support for WPA2/802.11i, many enterprises consider WLAN security solved. But Williamson argues that isn't so.

"You really need dedicated stateful monitoring that can put all the pieces together to catch the kinds of attacks we're seeing today," said Williamson. "Hackers haven't been sleeping on Wi-Fi and 802.11n as an Ethernet replacement raises the stakes. Really nasty tools like MDK3 and Karmetasploit are getting a lot of action on [hacker] sites."

802.11n Block-Ack, SkyJack, and MDK3 Destruction Mode attacks are just three of the 40 new security and performance alerts added to AirMagnet Enterprise.

  • Streaming applications can now confirm many 802.11n data frames with one block acknowledgement. AirMagnet detects when forged Block-Acks are sent to disrupt traffic and tells you where those frames are coming from.
  • During a SkyJack attack, forged Cisco over-the-air provisioning (OTAP) frames are sent to trick APs into connecting to a rogue controller (which can be offsite). Skyjacked APs can then be exploited to gain remote access to the corporate network or capture user logins. AirMagnet detects forged OTAP broadcasts when they start, before APs fall for them.
  • Recovering from an MDK3 Destruction Mode attack can mean rebooting every AP. "First the hacker floods the air with [beacons] that look like legitimate APs. Then they DoS clients to trick them into connecting to fake APs, which really wreaks havoc," said Williamson. "Putting these attacks together in combination turns out to be very effective." AirMagnet correlates these events so that admins can quickly determine that they are all part of one coordinated MDK3 attack.
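The correlation idea in the last item can be sketched as detection logic over sensor alerts. This is an added example, not AirMagnet's code or signature: the alert kinds, sensor names, and the 120-second window are assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass

WINDOW_S = 120  # assumed correlation window, in seconds
FOLLOW_UPS = {"client_dos", "client_on_fake_ap"}  # hypothetical alert kinds

@dataclass(frozen=True)
class Alert:
    ts: float    # seconds since start of capture
    kind: str    # "fake_ap_beacon_flood", "client_dos", "client_on_fake_ap"
    sensor: str  # sensor that raised the alert

def correlate(alerts, window_s=WINDOW_S):
    """Fold a beacon flood plus later client alerts at the same sensor
    into one incident; everything else is returned as standalone."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    incidents, used = [], set()
    for i, start in enumerate(ordered):
        if i in used or start.kind != "fake_ap_beacon_flood":
            continue
        members = [i]
        for j in range(i + 1, len(ordered)):
            nxt = ordered[j]
            if nxt.ts - start.ts > window_s:
                break  # sorted by time, so nothing later can qualify
            if j not in used and nxt.sensor == start.sensor and nxt.kind in FOLLOW_UPS:
                members.append(j)
        # A flood alone is not the combined attack; require the client DoS stage.
        if any(ordered[j].kind == "client_dos" for j in members):
            used.update(members)
            incidents.append([ordered[j] for j in members])
    standalone = [a for k, a in enumerate(ordered) if k not in used]
    return incidents, standalone

# Constructed sample alerts
SAMPLE_ALERTS = [
    Alert(0, "fake_ap_beacon_flood", "hq-3f"),
    Alert(20, "client_dos", "hq-3f"),
    Alert(45, "client_on_fake_ap", "hq-3f"),
    Alert(50, "client_dos", "lab-1"),              # other sensor: not correlated
    Alert(900, "fake_ap_beacon_flood", "hq-3f"),   # no follow-up in the window
]

if __name__ == "__main__":
    incidents, standalone = correlate(SAMPLE_ALERTS)
    for inc in incidents:
        print("coordinated incident:", [a.kind for a in inc])
    print("standalone alerts:", [(a.kind, a.sensor) for a in standalone])
```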

AirMagnet works hard to stay on top of new attacks; its Intrusion Research Team discovered SkyJack and moved rapidly to develop an MDK3 signature. Events like these show how a purpose-built WIPS, such as AirMagnet, can be more agile than an embedded WIPS from vendors distracted by infrastructure matters, said Williamson.

Friend or foe

One of the biggest challenges that large WLANs face is managing new devices. While admins know how to find rogue APs, the number and diversity of largely-ignored Wi-Fi clients continues to grow. It's not feasible to manually review hundreds of unknown devices per day. Automation is essential, but cannot be safely employed without accurate classification of unknown devices.

To this end, AirMagnet Enterprise classification has been completely overhauled. "We felt there was a gap between solutions that were powerful in classification and solutions that were truly usable in terms of [granular] policy enforcement," said Williamson. "We not only created an integrated policy view to see how devices will be classified; we now let you verify those policies before making them live."

Like most contemporary WIPS, AirMagnet Enterprise auto-classifies using criteria like vendor, RSSI, connectivity, channel/band, and security. But AirMagnet's new policy editor combines criteria into simple boolean statements that can be tested by pushing a button. Seeing how existing devices would be (re)classified helps admins avoid unintentional outcomes. However, even this test cannot show how clients that behave in ways not previously seen or considered will be classified.
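A minimal sketch of that "test before going live" step, as an added example rather than AirMagnet's policy editor: the rule set, vendor allow-list, RSSI threshold, and device inventory are all constructed assumptions. It shows both an unintended reclassification and a device that no rule matches.

```python
from dataclasses import dataclass

APPROVED_VENDORS = {"Cisco"}  # assumed allow-list for this example

@dataclass(frozen=True)
class Device:
    mac: str
    vendor: str
    rssi_dbm: int
    on_wired_lan: bool  # the "connectivity" criterion
    security: str
    current: str        # classification in force today

# Ordered boolean rules; the first match wins. All rules are hypothetical.
POLICY = [
    ("rogue", lambda d: d.on_wired_lan and d.vendor not in APPROVED_VENDORS),
    ("neighbor", lambda d: not d.on_wired_lan and d.rssi_dbm < -75),
    ("approved", lambda d: d.vendor in APPROVED_VENDORS
                           and d.security == "wpa2-enterprise"),
]

def classify(device, policy):
    """Return the label of the first matching rule, or 'unknown'."""
    for label, predicate in policy:
        if predicate(device):
            return label
    return "unknown"

def dry_run(inventory, policy):
    """List (mac, current, proposed) for devices the policy would reclassify,
    without changing anything."""
    changes = []
    for d in inventory:
        proposed = classify(d, policy)
        if proposed != d.current:
            changes.append((d.mac, d.current, proposed))
    return changes

# Constructed inventory (MACs from the documentation range 00:00:5e:00:53:xx)
INVENTORY = [
    Device("00:00:5e:00:53:01", "Cisco", -50, True, "wpa2-enterprise", "approved"),
    Device("00:00:5e:00:53:02", "Linksys", -48, True, "open", "unknown"),
    Device("00:00:5e:00:53:03", "Netgear", -82, False, "wpa2-psk", "unknown"),
    # Approved today, but matches no rule: the dry run exposes the demotion.
    Device("00:00:5e:00:53:04", "Cisco", -60, False, "wpa2-psk", "approved"),
]

if __name__ == "__main__":
    for mac, old, new in dry_run(INVENTORY, POLICY):
        print(f"{mac}: {old} -> {new}")
```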

Getting more from 802.11n

"Everyone is happy to claim 802.11n support—the ability to see and decode 802.11n traffic," said Williamson. "That's a world of difference from identifying the source of an 802.11n problem and explaining what can be done to get the performance you expected."

AirMagnet addressed this initially with its laptop Wi-Fi Analyzer, taking home Best of Interop in the Wireless/Mobile category back in May 2008. Those diagnostic and troubleshooting tools have now been rolled into AirMagnet Enterprise, along with a few new tools designed specifically for a full-time distributed solution.

Instead of alerts that indicate low throughputs or signal strengths, AirMagnet Enterprise presents a matrix where admins can select an AP and client to pinpoint which 802.11n options do/don't apply to that combo. Color-coded cells emphasize areas of greatest concern, hot-linked to detailed explanations about 802.11n technology associated with each problem and recommended fixes. For example, if a client is only getting 50 Mbps, this matrix isolates the option mismatches that may be responsible and suggests changes to increase data rate.

The new AirMagnet Enterprise is a free upgrade for existing customers with support contracts. However, intelligent analysis and troubleshooting for 802.11n WLANs requires the ability to decipher 802.11n transmissions—that is, 802.11a/b/g/n sensors. Purpose-built 802.11a/b/g/n sensors are available with internal or external antennas at $1195 apiece. "Customers upgrading to new sensors will find they can get them at hardware cost," said Williamson.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year networking industry veteran, Lisa has been involved in the design, implementation, and testing of wireless products and services since 1996.

Originally published on .
