Wednesday, October 17, 2007

Wireless LAN Tools

This article is the fourth in a series that explores the purpose and use of 802.11 Wireless LAN Analyzers. Prior installments provided a resource list of open source and commercial WLAN analyzers (Part 1), explained how to combine software with hardware to create a WLAN analysis toolkit (Part 2), and used several different tools to illustrate wireless node discovery, rogue detection, site surveys, and basic troubleshooting (Part 3).

Here in Part 4, we show how to use WLAN analyzers to support typical 802.11 network monitoring and reporting tasks. Analyzers can help WLAN administrators detect security vulnerabilities and active attacks, monitor performance and pinpoint potential problems, and evaluate network and application usage to spot emerging trends.

Security audits
In last week's installment, we illustrated the use of WLAN analyzers and Intrusion Detection Systems to detect and track down nearby 802.11 APs and stations. That process, commonly referred to as rogue detection, is just one step in auditing the security of your WLAN.

Performing a security audit can help you find and fix your own WLAN's vulnerabilities before attackers can exploit them. Like an accounting audit, a network security audit checks for the presence of known risk factors and for compliance with best practices and established policies. A security audit can be conducted in-house or by a third party, and can involve both active penetration testing and passive observation.

WLAN analyzers play an essential role during an audit by alerting you to common risk factors, like an AP broadcasting its SSID in beacon frames, or an AP using WEP keys that are known to be especially weak. Analyzers can also detect deviation from best practices commonly used to reduce risk, like an AP operating with a factory-default SSID (probably an unconfigured and therefore unsecured AP) or a station sending NetBIOS over wireless (probably leaking fileshares to others on the WLAN).

These conditions may or may not represent actual threats—for example, the AP may belong to a neighbor, or you might not intend to use WEP anyway. More often, these security alerts draw your attention to conditions that you didn't know existed or did not realize were risks. Performing a security audit gives you the opportunity to review these warnings and take corrective action where appropriate.

For example, consider this security audit template provided by WildPackets AiroPeekNX. This template loads pre-defined capture filters that are applied to wireless traffic to detect 13 common security mistakes. When an audited event occurs, it triggers a notification and/or a packet capture. Analyzing captured packets lets you investigate the event—in this example, identifying the AP using a factory-default SSID, and whether any stations are communicating with that AP. This template can obviously be extended or refined to check for additional risks or best practices.
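As an added illustration (not code from the article or from any WildPackets product), here is a small Python audit that applies three of the checks described above to raw 802.11 beacon frames: factory-default SSID, open network, and WEP-only privacy. The default-SSID list and the constructed test frames are assumptions made for this example.

```python
import struct

# Constructed list of factory-default SSIDs for the audit rule (an assumption, not from the article).
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "netgear", "wireless"}

def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, capability Privacy bit, SSID and security IEs from a raw 802.11 beacon."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc & 0x0C) != 0 or ((fc >> 4) & 0x0F) != 8:      # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])    # addr3 carries the BSSID
    cap, = struct.unpack_from("<H", frame, 34)            # fixed params: timestamp(8) + interval(2) + capability(2)
    info = {"bssid": bssid, "privacy": bool(cap & 0x0010), "ssid": None, "rsn": False, "wpa": False}
    pos = 36                                              # start of tagged parameters (IEs)
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if tag == 0:                                      # SSID IE; empty body means the SSID is hidden
            info["ssid"] = body.decode("utf-8", "replace")
        elif tag == 48:                                   # RSN IE: WPA2
            info["rsn"] = True
        elif tag == 221 and body[:4] == b"\x00\x50\xf2\x01":  # Microsoft OUI, type 1: WPA1
            info["wpa"] = True
        pos += 2 + length
    return info

def audit_beacon(frame: bytes) -> list:
    """Return the audit findings for one beacon, mirroring the template's capture-filter checks."""
    info, findings = parse_beacon(frame), []
    if info["ssid"]:
        findings.append("ssid-broadcast")
    if info["ssid"] is not None and info["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("factory-default-ssid")
    if not info["privacy"]:
        findings.append("open-network")
    elif not (info["rsn"] or info["wpa"]):                # Privacy bit without RSN/WPA IE means WEP
        findings.append("wep-only")
    return findings

def make_beacon(bssid: bytes, ssid: bytes, privacy: bool, rsn: bool = False) -> bytes:
    """Build a constructed beacon frame for offline testing (stands in for a live capture)."""
    cap = 0x0001 | (0x0010 if privacy else 0)             # ESS bit, plus Privacy bit when encryption is on
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<HH", 100, cap)     # timestamp, beacon interval, capability
    body += bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # SSID + rates IEs
    if rsn:
        body += bytes([48, 2, 1, 0])                      # minimal RSN IE (version 1 only)
    return hdr + body
```

Feeding `audit_beacon` the frames from a monitor-mode capture (for example, via a pcap reader after stripping the radiotap header) gives the same kind of per-AP findings the template's filters produce.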

those that do not. Audits are typically repeated until you reach the point where remaining risk is acceptable. At that time, you will probably want to disable WLAN analyzer alerts that you no longer want to hear about. For example, this Network Instruments Observer panel is used to selectively enable or disable individual alerts reported by each local or remote network probe.

Depending on the analyzer, alerts may be set globally or at a more granular level. For example, AirMagnet alerts can be set on a per-SSID-group basis. The Publicly Secure Packet Forwarding alert shown here applies mostly to public WLANs. But traffic between wireless stations may be appropriate in some private WLANs—for example, printing to a wireless print server. To reflect this, the example assigns public SSID(s) to a "Guest" group and private SSID(s) to another group so that different alert settings can be applied to these WLANs.

In fact, many of the alerts built into WLAN analyzers can help you enforce your company's security policy. The above example includes a long list of authentication alerts related to non-use of 802.1X and various EAP types. But these may or may not be policy violations for your WLAN. It's up to every organization to decide which security measures are required or permitted on their own WLAN.


http://www.isp-planet.com/fixed_wireless/technology/2004/wlan_analyzers_pt4.html