[unisog] Wireless IDS Options

jeffs jeffs at unr.edu
Fri May 27 20:59:07 GMT 2005

We have been using Airmagnet Enterprise in a test deployment, 8 sensors
in three buildings, for about 6 weeks.  While I really like Airmagnet's
analyzer software I am a little disappointed in the reliability of their
sensor information.  We regularly get false alarms that can't be traced
back to any actual signal or event.  Airmagnet even looked at wireless
captures and was unable to tell me why certain alerts were generated.
The rogue AP triangulation is a nice feature but needs a lot more work.
You can't even import a map until a rogue AP is actually detected.
Although that is easily solved by tagging one of your own APs as rogue
and then setting up the map.  Hopefully these features will be improved
but I would recommend actually using the system in a real environment
before buying anything substantial.

Having said that, the sensors do work great as wireless analyzers.  The
remote console is just as good as using the laptop analyzer software in
the building.  The fact that you have instant access to the wireless
spectrum in your remote sites is almost worth the price of the product
by itself.

I'd be happy to answer any specific questions off list.

Jeff Springer
Network Security Manager
University of Nevada Reno

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Jim Dillon
Sent: Friday, May 27, 2005 9:58 AM
To: ddb at plazacollege.edu; UNIversity Security Operations Group
Subject: RE: [unisog] Wireless IDS Options

I've been pretty impressed with some of the demos I've seen of Airmagnet
products, but they cost, and I don't have a real world recommendation
for you.  If anyone uses the Airmagnet products, it would be good to
hear your review, up or down. I'm considering a purchase if I can get
some good recommendations.

My "drive bys" for audits used basic client software, netstumbler, and a
tool I think was called Etherpeek, about a $3k piece of software, a
couple years ago mind you, but it appears to me you can get the same and
more functionality out of a Knoppix STD setup these days. (Includes
Kismet amongst other tools.) The one thing you have to do is load some
external data storage source, thumbdrive or something for data
collection.  There are rules/scripts out there for doing this.  It is
almost past my technical skills to do so anymore, but shouldn't be a
problem for most on this list.  Not a great solution for ongoing IDS,
but OK for an auditor with occasional discovery audits.

I think the Airmagnet products deserve a look at least.  I know they
produced 3 dimensional diagrams of AP location that looked real
impressive on the demo I watched, but of course caveat emptor.

Best regards,


Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Dean De Beer
Sent: Thursday, May 26, 2005 3:24 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Wireless IDS Options

Hi All,

I was wondering what solutions/products everyone is using to monitor
wireless traffic? Currently we are not looking at the traffic until it
arrives on the switch the AP is connected to. We have snort sensors
monitoring this traffic and are testing Radware's Defense Pro. We use
Bluesocket's wireless gateways to manage logins via RADIUS, VLANS,
and have been looking at their intrusion prevention product Bluesecure
as a solution for monitoring wireless traffic. It seems very similar to
RFProtect but has the added advantage of easy integration with the
wireless gateway.
Is anyone using open source products like Kismet at all?

Dean De Beer
Manager, I.T.
Plaza College
Jackson Heights, NY
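Two points in this thread lend themselves to a concrete illustration: Dean's question about using an open-source sensor such as Kismet for wireless monitoring, and Jeff's complaint that Airmagnet alerts could not be traced back to any actual signal or event. The following is an added example written for this page; it is not code from any of the posters, from Kismet, or from Airmagnet. It assumes an operator-maintained inventory of authorized access points keyed by BSSID and a list of beacon observations in the shape a sensor like Kismet would report (sensor name, timestamp, BSSID, SSID, channel, RSSI). All inventory entries and observations below are constructed for illustration. Each alert it produces keeps the sensor, timestamp and signal strength of every beacon that triggered it, so an analyst can always go back to the capture behind an alert, and the strongest-RSSI sensor gives a rough location hint of the kind the triangulation feature is meant to refine.

```python
"""Rogue / evil-twin AP check over Kismet-style beacon observations.

Added example, not code from this thread, Kismet or Airmagnet. Assumes an
authorized-AP inventory keyed by BSSID and sensor observations as described
in the lead-in. All data in this file is constructed.
"""
from dataclasses import dataclass

# Constructed authorized-AP inventory: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CampusNet", 1),
    "00:11:22:33:44:02": ("CampusNet", 6),
    "00:11:22:33:44:03": ("CampusNet", 11),
}


@dataclass(frozen=True)
class Observation:
    sensor: str    # which sensor reported the beacon (keeps alerts traceable)
    ts: str        # timestamp of the captured beacon
    bssid: str
    ssid: str
    channel: int
    rssi: int      # signal strength as seen by that sensor (dBm)


# Constructed observations, roughly what a Kismet sensor would log.
OBSERVATIONS = [
    Observation("bldgA-s1", "2005-05-27T09:00:01", "00:11:22:33:44:01", "CampusNet", 1, -55),
    Observation("bldgA-s1", "2005-05-27T09:00:03", "00:11:22:33:44:02", "CampusNet", 9, -60),  # wrong channel
    Observation("bldgB-s2", "2005-05-27T09:01:10", "de:ad:be:ef:00:01", "CampusNet", 6, -48),  # our SSID, not our BSSID
    Observation("bldgB-s2", "2005-05-27T09:01:12", "de:ad:be:ef:00:02", "linksys", 6, -70),    # unknown AP
    Observation("bldgC-s3", "2005-05-27T09:02:00", "de:ad:be:ef:00:02", "linksys", 6, -85),    # same AP, weaker
]


def classify(obs, inventory=AUTHORIZED_APS):
    """Return the alert type for one observation, or None if it is expected."""
    known = inventory.get(obs.bssid.lower())
    our_ssids = {ssid for ssid, _ in inventory.values()}
    if known is None:
        if obs.ssid in our_ssids:
            return "EVIL_TWIN"       # our SSID advertised by a BSSID we do not own
        return "ROGUE_AP"            # unknown BSSID advertising some other network
    ssid, channel = known
    if obs.ssid != ssid:
        return "SSID_MISMATCH"       # our AP advertising a name the inventory does not expect
    if obs.channel != channel:
        return "CHANNEL_MISMATCH"    # our AP on a channel the inventory does not expect
    return None


def build_alerts(observations, inventory=AUTHORIZED_APS):
    """Group findings by BSSID and keep every supporting observation.

    Each alert carries the sensor/timestamp/RSSI/channel of the beacons that
    caused it, so the evidence is never lost. The sensor that saw the strongest
    signal is recorded as a coarse location hint.
    """
    alerts = {}
    for obs in observations:
        kind = classify(obs, inventory)
        if kind is None:
            continue
        entry = alerts.setdefault(obs.bssid, {"type": kind, "ssid": obs.ssid, "evidence": []})
        entry["evidence"].append(
            {"sensor": obs.sensor, "ts": obs.ts, "rssi": obs.rssi, "channel": obs.channel}
        )
    for entry in alerts.values():
        entry["nearest_sensor"] = max(entry["evidence"], key=lambda e: e["rssi"])["sensor"]
    return alerts


if __name__ == "__main__":
    for bssid, a in build_alerts(OBSERVATIONS).items():
        print(f"{a['type']:16} {bssid} ssid={a['ssid']!r} "
              f"nearest={a['nearest_sensor']} observations={len(a['evidence'])}")
```

Run stand-alone it prints one line per flagged BSSID. The design choice worth noting is that `build_alerts` never emits an alert without the observations that produced it; an alert that cannot be tied to a captured beacon is exactly the kind of output Jeff describes as impossible to investigate.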

unisog mailing list
unisog at lists.sans.org
