Simplified WLAN Analysis: The AirMagnet Attraction, Part 2 - Page 2
March 18, 2003
Alarms (and assigned severities) call attention to potential problems, but operator action is still required to investigate and fix the underlying problem. To assist in this endeavor, use AirMagnet Channel statistics, Charts, and the Performance tool (right). This tool is conceptually similar to some NIC link test utilities, but can be used with any kind of AP. AirMagnet associates with and sends frames to the target AP for a defined period, calculating throughput, link speed, retries, fragmentation, and loss. The catch we encountered: when an AP's SSID is not yet known, we could not find a way to configure the SSID to successfully associate. This only happens when an AP is not broadcasting its SSID and no other client can be observed associating.
Keeping WLANs secure
AirMagnet can be used to check for security policy compliance and would-be intruders by repeating discovery and comparing results. If you maintain an Access list, the ACL tool makes it trivial to notice new nodes and old nodes that are now offline. The Access list can be updated directly from the ACL tool, but a reminder to export the profile when done would be helpful. Using the Find tool, one can then seek (and destroy!) newly-identified rogue APs and stations.
AirMagnet Laptop or Duo can be used for security spot-checks or 24x7 surveillance. AirWISE monitors captured frames for over 30 conditions that may indicate security problems (right). Threshold alarms identify excessive probing, (de)associate and (de)authenticate floods, authentication failures, interleaved beacons from legitimate and spoofed APs, 802.1X rekey failure, EAPOL flood attacks, 802.1X EAP-Success/Failure message spoofing, EAP dictionary attacks, and RF jamming. Other alarms flag AP limitations like WEP IV reuse, policy violations like default SSIDs or failure to use WEP, 802.1X, or VPN security, and the appearance of rogue APs or stations. This list doubled in v2.5 and will no doubt continue to grow as attackers discover new WLAN exploits.
To focus attention on real vulnerabilities, disable alarms that do not reflect your site security policy -- for example, disable the "unprotected by 802.1X" alarm if your WLAN does not use port access control. Carefully adjust thresholds as needed to eliminate "false positives" -- for example, set minimum signal strength for rogue station alarms. Efficient intrusion detection requires striking a balance between alarm volume and vigilance. When in doubt, record the alarm to support security audits and forensic analysis after intrusion. (Automated alarm export would help to support this objective.)
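The spot-check workflow described above (repeat discovery, diff the result against the access list to find new nodes and nodes now offline, then show only the alarms that match site policy and signal threshold while keeping the suppressed ones for audit) is small enough to sketch end to end. The following is an added example with constructed nodes, a constructed access list and an invented `Policy` structure; it is not AirMagnet's code, profile format or alarm catalogue, and the alarm names are placeholders chosen for this illustration:

```python
"""Rogue-device spot check with policy-tuned alarms (added illustration).

Constructed data throughout: AUTHORIZED stands in for a site access list,
Policy for the per-site tuning the article recommends (disabled alarm
types, minimum signal strength for rogue-station alarms).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Node:
    mac: str          # BSSID for an AP, station MAC for a client
    kind: str         # "ap" or "station"
    ssid: str         # SSID advertised or joined ("" if not visible)
    signal_dbm: int   # signal strength as seen by the survey card


# Constructed access list: MACs the site has approved.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:00:00:10"}

# Constructed discovery runs from two successive survey passes.
PREVIOUS_RUN = [
    Node("00:11:22:33:44:01", "ap", "corp", -48),
    Node("00:11:22:33:44:02", "ap", "corp", -55),
    Node("aa:bb:cc:00:00:10", "station", "corp", -60),
]
CURRENT_RUN = [
    Node("00:11:22:33:44:01", "ap", "corp", -50),
    Node("de:ad:be:ef:00:01", "ap", "default", -62),    # new AP, not on the list
    Node("aa:bb:cc:00:00:10", "station", "corp", -58),
    Node("aa:bb:cc:00:00:99", "station", "corp", -88),  # new station, very weak
]


@dataclass
class Policy:
    # Alarm types the site policy does not care about (e.g. "unprotected_by_8021x"
    # on a WLAN that never uses port access control).
    disabled: set = field(default_factory=set)
    # Rogue-station alarms below this signal are treated as neighbours, not intruders.
    rogue_station_min_dbm: int = -80


def compare_runs(previous, current, authorized):
    """Diff two discovery runs against the access list, as the ACL tool does."""
    prev = {n.mac for n in previous}
    cur = {n.mac: n for n in current}
    new_unauthorized = [n for mac, n in cur.items() if mac not in authorized]
    now_offline = sorted(mac for mac in prev if mac not in cur)
    return new_unauthorized, now_offline


def spot_check(previous, current, authorized, policy):
    """Return shown alarms, suppressed alarms (kept for audit), and offline nodes."""
    new_unauthorized, now_offline = compare_runs(previous, current, authorized)
    shown, suppressed = [], []

    def emit(alarm, node, suppress_reason=None):
        if alarm in policy.disabled:
            suppressed.append((alarm, node.mac, "disabled by policy"))
        elif suppress_reason:
            suppressed.append((alarm, node.mac, suppress_reason))
        else:
            shown.append((alarm, node.mac))

    for n in new_unauthorized:
        weak = n.kind == "station" and n.signal_dbm < policy.rogue_station_min_dbm
        emit(f"rogue_{n.kind}", n, "below signal threshold" if weak else None)

    # Policy-violation alarms apply to every AP seen, approved or not.
    for n in current:
        if n.kind == "ap" and n.ssid == "default":
            emit("default_ssid", n)

    return {"shown": shown, "suppressed": suppressed, "now_offline": now_offline}


if __name__ == "__main__":
    result = spot_check(PREVIOUS_RUN, CURRENT_RUN, AUTHORIZED, Policy())
    for line in result["shown"]:
        print("ALARM", *line)
    for line in result["suppressed"]:
        print("audit-only", *line)
    print("offline:", result["now_offline"])
```

The suppressed list is the point of the design: a tuned threshold keeps the weak new station out of the operator's view, but the record still exists if an audit or a later incident needs it, which is the "when in doubt, record the alarm" advice in code form.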
We did not test them, but GPS integration and the GPS Log tool are new in version 2.5. According to CTO Chia-Chee Kuan, AirMagnet added GPS support to enable outdoor surveys. "NetStumbler can do it for war driving," said Kuan. "We did it because our security consultant customers needed it. They had to carry a separate device to create coverage maps to identify signal leakage. Now, using AirMagnet with GPS, they just drive around a campus and feed output into mapping software to identify which AP is putting out too much power." Adjusting power to reduce signal leakage can improve physical security, particularly for WLANs in stand-alone buildings. However, note that GPS is less effective indoors, and leakage mapping may be impractical in high-rise offices with multiple tenants.
Troubleshooting
Enterprises using 802.1X will appreciate AirMagnet's Diagnostic tool (right) that analyzes 802.11 association and 802.1X port authentication packets. If a station is having trouble connecting, choose the affected AP and station from pull-downs and click "Go." This tool tracks 802.11 progress, beginning with beacons and probes, followed by authentication challenge/response, ending with association and data transmission. When port access control is used, the tool also tracks 802.1X progress, from Identity and Credentials to Key Delivery and EAP Success/Failure. Results show completed steps, corresponding packets and (when available) AirMagnet's diagnosis.
This advanced tool requires an understanding of WLAN protocols to be used effectively -- an option to export or print results for later analysis would therefore be very helpful. In our tests, diagnosis hints were good, but often unavailable. Nonetheless, we found this tool extremely useful when debugging 802.1X deployment. At minimum, it helps to understand what successful 802.1X is supposed to look like.
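To make "what successful 802.1X is supposed to look like" concrete, here is an added example (not AirMagnet's code) that walks a constructed frame sequence for one AP/station pair and reports the completed steps with the frame that completed each, the step at which the exchange stalled, and a diagnosis hint. The frame labels, the step order (a simplified model with key delivery after EAP-Success) and the hint text are all assumptions made for this illustration:

```python
"""Track 802.11 association and 802.1X progress over a frame capture.

Added illustration with constructed frames; frame labels and hint text are
assumptions, and the step model is simplified.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    idx: int         # position in the capture, so a result can point at the packet
    kind: str        # constructed label for the frame type
    src: str
    dst: str
    status: int = 0  # status code carried by responses; 0 means success


# Expected order of completion; a step is done when one of its frame kinds is seen.
STEPS_80211 = [
    ("beacon/probe", {"beacon", "probe_resp"}),
    ("authentication", {"auth_resp"}),
    ("association", {"assoc_resp"}),
]
STEPS_8021X = [
    ("identity", {"eap_identity_resp"}),
    ("credentials", {"eap_method_resp"}),
    ("eap result", {"eap_success"}),
    ("key delivery", {"eapol_key"}),
]
FINAL = [("data", {"data"})]

# Hint shown when the exchange stops before a given step.
STALL_HINTS = {
    "beacon/probe": "AP not heard: check channel, range and that the AP is up",
    "authentication": "no 802.11 authentication response: check AP auth mode and WEP/shared-key settings",
    "association": "no association response: check SSID, supported rates and AP capacity",
    "identity": "no EAP Identity exchange: 802.1X not enabled on the AP or supplicant not running",
    "credentials": "identity sent but no credential exchange: check EAP type agreement",
    "eap result": "no EAP result: authentication server unreachable or not answering",
    "key delivery": "EAP succeeded but no key delivered: check AP key-delivery settings",
    "data": "associated and keyed, but no data frames: look at the upper layers (DHCP, IP)",
}
# Frames that mean an explicit refusal rather than silence.
REFUSALS = {
    "auth_resp": "802.11 authentication rejected by AP",
    "assoc_resp": "association rejected by AP",
    "eap_failure": "credentials rejected by authentication server",
    "deauth": "deauthentication sent, session torn down",
}


def diagnose(frames, ap, sta, port_access_control=True):
    """Return completed steps (with frame index), the stalled step, and a hint."""
    steps = STEPS_80211 + (STEPS_8021X if port_access_control else []) + FINAL
    completed, i = [], 0
    for f in frames:
        # Keep only frames between the chosen pair (or broadcast from one of them).
        if f.src not in (ap, sta) or f.dst not in (ap, sta, BROADCAST):
            continue
        # auth/assoc responses refuse only with a non-zero status; the others always do.
        refused = f.kind in REFUSALS and (
            f.kind not in ("auth_resp", "assoc_resp") or f.status != 0)
        if refused:
            return {"completed": completed,
                    "stalled_at": steps[i][0] if i < len(steps) else None,
                    "diagnosis": f"{REFUSALS[f.kind]} (frame {f.idx})"}
        if i < len(steps) and f.kind in steps[i][1]:
            completed.append((steps[i][0], f.idx))
            i += 1
    stalled = steps[i][0] if i < len(steps) else None
    return {"completed": completed, "stalled_at": stalled,
            "diagnosis": STALL_HINTS[stalled] if stalled else "exchange completed"}


# Constructed capture: a clean 802.11 + 802.1X exchange between AP and STA.
AP, STA, OTHER = "00:11:22:33:44:01", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:01"
GOOD_CAPTURE = [
    Frame(1, "beacon", OTHER, BROADCAST),   # another AP, ignored
    Frame(2, "beacon", AP, BROADCAST),
    Frame(3, "auth_req", STA, AP),
    Frame(4, "auth_resp", AP, STA),
    Frame(5, "assoc_req", STA, AP),
    Frame(6, "assoc_resp", AP, STA),
    Frame(7, "eap_identity_req", AP, STA),
    Frame(8, "eap_identity_resp", STA, AP),
    Frame(9, "eap_method_req", AP, STA),
    Frame(10, "eap_method_resp", STA, AP),
    Frame(11, "eap_success", AP, STA),
    Frame(12, "eapol_key", AP, STA),
    Frame(13, "data", STA, AP),
]
# Same start, but the authentication server rejects the credentials.
BAD_CAPTURE = GOOD_CAPTURE[:10] + [Frame(11, "eap_failure", AP, STA)]
# Association completes and then nothing happens on the 802.1X side.
STALLED_CAPTURE = GOOD_CAPTURE[:6]

if __name__ == "__main__":
    for name, cap in ("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE), ("stalled", STALLED_CAPTURE):
        print(name, diagnose(cap, AP, STA))
```

Running it on the three constructed captures shows the full ladder for the good case, a stop at "eap result" with the refusal frame number for the rejected credentials, and a stall at "identity" for the station that associates but never starts 802.1X, which is exactly the distinction (silence versus explicit refusal) that makes this kind of tool useful during an 802.1X rollout.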
In comparison, AirMagnet's DHCP, Ping, Trace, and WhoIs tools are exceedingly simple. Using the DHCP tool, pick an AP and click "Associate." If the attempt fails, retry or reply to prompts for station parameters like WEP keys, LEAP username/password, transmit power, and preamble mode. Before associating, the tool displays the BSSID; once associated, it also displays the SSID. We'd add a Disassociate button and an explicit status indicator.
In WLANs with DHCP, the next step is to Renew (or Release and Renew) that station's address. Results show DHCP return parameters or the default IP substituted by Windows when DHCP fails. For IP troubleshooting, AirMagnet must get through DHCP (which may require adding the AirMagnet card to the site's MAC ACL) or be pre-configured with a legitimate static IP address.
Ping, Trace, and WhoIs can then be used to debug end-to-end connectivity -- for example, ping the AP, then ping the wireless side of the firewall/gateway, then ping the wired side, then ping a destination server. Traceroute can be used to identify these hops. Of course, these are only possible when ICMP is permitted to and through the WLAN firewall. We found that we could use other TCP/UDP tools while AirMagnet was running, after first using AirMagnet's DHCP tool to connect to a given AP. For example, use a browser to log into a WLAN portal before using AirMagnet to probe further into the network. We found these network tools handy, but occasionally buggy -- for example, apparently successful pings that display all zeroes. Most admins will complement AirMagnet's tools with other higher-layer network troubleshooting and diagnostic tools.
Support
During our evaluation of AirMagnet, we did not need to contact Technical Support. We encountered no problems with installation, and were able to resolve questions by trial and error or consulting the illustrated User Guide. The Handheld version includes a pocket-sized Screen Reference Guide that comes in handy to decipher icons and "map" your way through nested displays. A similar pocket screen guide would also be handy for Duo.
Had we needed it, AirMagnet Handheld includes 9x5 toll-free phone support for 90 days. AirMagnet Duo includes phone support for one year, plus one free software upgrade. Annual support contracts are also available, covering phone support, software upgrades, and defective hardware replacement. Although a tool like this doesn't really require 24x7 support, customers outside the Pacific time zone may wish for broader phone support hours.
This concludes part two of our survey of AirMagnet. Next week, in part three, we will talk to an AirMagnet customer and talk to AirMagnet about future products.
