Wireless LAN Tools: Discovery and Planning (Part 3) - Page 2
August 10, 2004
Continuous rogue detection
Since new APs are bound to surface over time, the process just described must be repeated over and over. The bigger and more distributed your workplace, the more labor-intensive this task becomes. Moreover, once you put your own WLAN in place, you will need to differentiate between your own 802.11 devices, harmless neighbors, and malicious rogues. You may even want to stop suspicious devices from communicating.
Devices discovered by WLAN analyzers can often be saved to a name table for future use. For example, this Network General Sniffer Wireless Auto-Discovery tool seeks out APs and stations, attempts to resolve their IP addresses, and saves these results to an Address Book. Depending on the tool, table entries may be stored permanently or "aged out," manually or automatically.
To more easily recognize your own devices--and those you've investigated and then decided to ignore--edit name tables to add aliases, categories, and authorizations. In the preceding example, devices have been categorized based on observed traffic (i.e., APs send beacons, stations send probes). Aliases like "WAPG" have been added to improve readability.
Whether you spot-check for new devices monthly, weekly, or daily, there's a chance that new devices will show up when you're not looking. On the other hand, continuous traffic capture could generate massive files that would be time-consuming to analyze manually. As an alternative, try using triggers (see image at right)--defined conditions that kick a monitoring analyzer into capture mode and generate some type of alarm.
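As an added example (not code from the article or from any of the analyzers it names), the following script builds the kind of name table described above from constructed 802.11 frame summaries: APs are categorized by the beacons they send and stations by their probe requests, devices missing from a hypothetical authorized table raise a trigger-style alarm, and idle entries are aged out.

```python
# Added example: minimal rogue-detection name table with triggers and aging.
# Frame summaries, authorized table and SSID list are all constructed here.
from dataclasses import dataclass

# Constructed frame summaries: (seconds, transmitter MAC, frame subtype, SSID)
FRAMES = [
    (0,   "00:11:22:aa:bb:01", "beacon",    "CORP"),
    (1,   "00:11:22:aa:bb:02", "probe_req", ""),
    (2,   "00:11:22:cc:dd:01", "beacon",    "CORP"),   # unknown AP using our SSID
    (3,   "00:11:22:ee:ff:01", "beacon",    "NEIGHBOR"),
    (600, "00:11:22:aa:bb:01", "beacon",    "CORP"),
]
# Hypothetical table seeded by the administrator: MAC -> (alias, status)
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("WAPG", "authorized"),
    "00:11:22:ee:ff:01": ("cafe-next-door", "ignored"),
}
OUR_SSIDS = {"CORP"}   # assumed: SSIDs advertised by your own WLAN

@dataclass
class Entry:
    category: str   # "AP" (sends beacons) or "station" (sends probes)
    status: str     # "authorized", "ignored" or "unknown"
    alias: str
    ssid: str
    last_seen: int

def severity(entry):
    """Trigger condition for an unknown device: an AP advertising one of our
    SSIDs is most suspicious, any other unknown AP next, stations lowest."""
    if entry.category == "AP":
        return "high" if entry.ssid in OUR_SSIDS else "medium"
    return "low"

def build_table(frames, authorized):
    """Return (name_table, alarms); an alarm fires once per new unknown device."""
    table, alarms = {}, []
    for ts, mac, subtype, ssid in frames:
        category = "AP" if subtype == "beacon" else "station"
        alias, status = authorized.get(mac, (mac, "unknown"))
        if mac not in table:
            table[mac] = Entry(category, status, alias, ssid, ts)
            if status == "unknown":
                alarms.append((ts, mac, category, severity(table[mac])))
        table[mac].last_seen = ts
    return table, alarms

def age_out(table, now, max_idle):
    """Drop entries not heard from within max_idle seconds (automatic aging)."""
    return {mac: e for mac, e in table.items() if now - e.last_seen <= max_idle}
```

In practice the frame summaries would come from an analyzer's export or capture rather than a literal list, and the alarm tuples would be handed to whatever management system is expected to act on them.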
If you're responsible for watching for rogues 24/7 in a large network, consider deploying a wireless intrusion detection system (IDS). For example, Network Instruments Observer can gather traffic from Remote Probes placed at strategic locations throughout your network, letting you store, view, and analyze results from a central console.
Other WLAN analyzers associated with paired sensor and IDS products include Network Chemistry, WildPackets, and AirMagnet. Dedicated WIDS engines like AirDefense can also export packet captures for review by third-party WLAN analyzers.
Once you've detected a suspicious device, a WLAN analyzer can be used to drill down and (hopefully) find the device as described previously. But wireless devices are by definition mobile--by the time you investigate, a device could be long gone.
Automated event responses can reduce the damage done. For example, scripts may be invoked to disable switch ports, block IP addresses, reset APs, or even issue 802.11 requests to disassociate/deauthenticate stations. WLAN analyzers don't usually take actions by themselves, but can invoke scripts or relay events to management systems that do.
Surveying your site
If you're planning a new WLAN installation, you'll be conducting a site survey. Many WLAN adapters are supplied with "site survey" utilities--for example, the Cisco Aironet Client Utility (see image at right). These are handy for spot-checking signal strength, quality, and loss, but a thorough site survey requires much more than a client utility.
Advanced wireless site survey systems are available from a variety of sources, including WLAN switch vendors (e.g., Airespace, Nortel, Trapeze) and software suppliers (e.g., AirMagnet, BVS, Connect802, Ekahau, VisiWave). These systems help to design WLANs by using field measurements to plot radio coverage areas on floorplans, predicting signal, noise, data rate, and capacity. Obstructions, building materials, ceiling height, existing APs, and other sources of interference may all be factored in to recommend AP number, placement, power output, and channel assignments.
Capabilities vary quite a bit, and go far beyond what a WLAN analyzer can do by itself. But analyzers play an essential role in the site survey process. As previously mentioned, most WLAN analyzers can discover existing APs. You may decommission unauthorized APs, but your WLAN must live in harmony with neighbor APs. At minimum, that means factoring those APs into your site survey so that you can avoid co-channel interference.
The site survey tools found in many WLAN analyzers can monitor or record detailed metrics associated with discovered devices. For example, this Network Instruments Observer survey (see image at right) provides min/max/average signal, quality, and data rate for different frame types (management, control, data), for each transmitter. This kind of information can be used both as input to planning and to validate results after plan implementation.
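The two uses just described, summarizing per-transmitter metrics by frame type and factoring discovered neighbor APs into channel planning, can be reduced to a few functions. The script below is an added example, not code from the article or from any survey product; its survey samples, neighbor list and planned AP names are constructed.

```python
# Added example: min/max/average survey metrics per transmitter and frame type,
# plus a 2.4 GHz channel-overlap check against discovered neighbour APs.
from collections import defaultdict

# Constructed survey samples: (transmitter MAC, frame type, signal dBm, rate Mbps)
SAMPLES = [
    ("00:11:22:aa:bb:01", "management", -48, 1),
    ("00:11:22:aa:bb:01", "management", -52, 1),
    ("00:11:22:aa:bb:01", "data",       -50, 54),
    ("00:11:22:aa:bb:01", "data",       -61, 36),
    ("00:11:22:ee:ff:01", "management", -77, 1),
]
# Constructed result of the discovery pass: neighbour AP MAC -> channel in use
NEIGHBORS = {"00:11:22:ee:ff:01": 6, "00:11:22:ee:ff:02": 11}

def summarize(samples):
    """Per (transmitter, frame type): (min, max, avg) signal and data rate."""
    buckets = defaultdict(list)
    for mac, ftype, sig, rate in samples:
        buckets[(mac, ftype)].append((sig, rate))
    out = {}
    for key, rows in buckets.items():
        sigs = [s for s, _ in rows]
        rates = [r for _, r in rows]
        out[key] = {"signal": (min(sigs), max(sigs), sum(sigs) / len(sigs)),
                    "rate": (min(rates), max(rates), sum(rates) / len(rates)),
                    "samples": len(rows)}
    return out

def overlaps(ch_a, ch_b):
    """2.4 GHz channels sit 5 MHz apart but are about 22 MHz wide, so channels
    fewer than five numbers apart share spectrum (hence the 1/6/11 rule)."""
    return abs(ch_a - ch_b) < 5

def channel_conflicts(planned, neighbors):
    """planned: {your AP name: channel}. Returns (ap, neighbour MAC, channel)
    for every planned AP whose channel overlaps a discovered neighbour."""
    return [(ap, mac, ch) for ap, ch in planned.items()
            for mac, nch in neighbors.items() if overlaps(ch, nch)]

def pick_channel(neighbors, candidates=(1, 6, 11)):
    """First candidate channel free of overlap with every neighbour, else None."""
    for ch in candidates:
        if not any(overlaps(ch, n) for n in neighbors.values()):
            return ch
    return None
```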
In fact, site surveys are often conducted by positioning APs in probable locations, such as the center of a floor. Tools are then used to record signal, noise, speed, and loss at defined distances from each AP--for example, taking measurements every 10 feet. You could do this at a small site with a simple utility, jotting measurements on paper. But it's easy to see that this approach quickly becomes tedious and time-consuming.
Some WLAN analyzers include tools to automate this process. For example, AirMagnet (see image at right) can record measurements to a file when specified events occur, like change in association state, signal strength, or data rate. Or, you can move at a consistent pace between two points, recording measurements every N seconds.
AirMagnet and BVS analyzers generate data that can be fed directly into related site survey products. For example, BVS Bird's Eye Site Supervisor runs on a Yellowjacket. As you move through a site with Yellowjacket, you tap your location on the floorplan to record data points. Those results are consumed by a Win32 program, Site Investigator (see image at right), to plot RF coverage by AP, SSID, or channel. The more data points recorded, the more granular and accurate the coverage map.
Site survey systems provide many other advanced features that are beyond the scope of this article, like active surveys, what-if simulations, and automated AP (re)configuration. Whether you use a site survey system or design your WLAN with pencil, paper, and calculator, analyzers can help by gathering data before, during, and after that task.