Wednesday, October 17, 2007

Wireless LAN Tools

This article is the fourth in a series that explores the purpose and use of 802.11 Wireless LAN Analyzers. Prior installments provided a resource list of open source and commercial WLAN analyzers (Part 1), explained how to combine software with hardware to create a WLAN analysis toolkit (Part 2), and used several different tools to illustrate wireless node discovery, rogue detection, site surveys, and basic troubleshooting (Part 3).

Here in Part 4, we show how to use WLAN analyzers to support typical 802.11 network monitoring and reporting tasks. Analyzers can help WLAN administrators detect security vulnerabilities and active attacks, monitor performance and pinpoint potential problems, and evaluate network and application usage to spot emerging trends.

Security audits
In last week's installment, we illustrated the use of WLAN analyzers and Intrusion Detection Systems to detect and track down nearby 802.11 APs and stations. That process, commonly referred to as rogue detection, is just one step in auditing the security of your WLAN.

Performing a security audit can help you find and fix your own WLAN's vulnerabilities before attackers can exploit them. Like an accounting audit, a network security audit checks for the presence of known risk factors and for compliance with best practices and established policies. A security audit can be conducted in-house or by a third party, and can involve both active penetration testing and passive observation.

WLAN analyzers play an essential role during an audit by alerting you to common risk factors, like an AP broadcasting its SSID in beacon frames, or an AP using WEP keys that are known to be especially weak. Analyzers can also detect deviation from best practices commonly used to reduce risk, like an AP operating with a factory-default SSID (probably an unconfigured and therefore unsecured AP) or a station sending NetBIOS over wireless (probably leaking fileshares to others on the WLAN).

These conditions may or may not represent actual threats—for example, the AP may belong to a neighbor, or you might not intend to use WEP anyway. More often, these security alerts draw your attention to conditions that you didn't know existed or did not realize were risks. Performing a security audit gives you the opportunity to review these warnings and take corrective action where appropriate.

For example, consider this security audit template provided by WildPackets AiroPeekNX. This template loads pre-defined capture filters that are applied to wireless traffic to detect 13 common security mistakes. When an audited event occurs, it triggers a notification and/or a packet capture. Analyzing captured packets lets you investigate the event—in this example, identifying the AP using a factory-default SSID, and whether any stations are communicating with that AP. This template can obviously be extended or refined to check for additional risks or best practices.

those that do not. Audits are typically repeated until you reach the point where remaining risk is acceptable. At that time, you will probably want to disable WLAN analyzer alerts that you no longer want to hear about. For example, this Network Instruments Observer panel is used to selectively enable or disable individual alerts reported by each local or remote network probe.

Depending on the analyzer, alerts may be set globally or at a more granular level. For example, AirMagnet alerts can be set on a per-SSID-group basis. The Publicly Secure Packet Forwarding alert shown here applies mostly to public WLANs. But traffic between wireless stations may be appropriate in some private WLANs—for example, printing to a wireless print server. To reflect this, this example assigns public SSID(s) to a "Guest" group and private SSID(s) to another group so that we can apply different alert settings to these WLANs.

In fact, many of the alerts built into WLAN analyzers can help you enforce your company's security policy. The above example includes a long list of authentication alerts related to non-use of 802.1X and various EAP types. But these may or may not be policy violations for your WLAN. It's up to every organization to decide which security measures are required or permitted on their own WLAN.
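The audit template and the per-SSID-group alert settings described above can be reproduced in a few dozen lines. The following Python script is an added example, not code from the article or from WildPackets, AirMagnet or Network Instruments. It parses 802.11 beacon frame bodies using the standard layout (8-byte timestamp, 2-byte beacon interval, 2-byte capability field, then tagged information elements), flags the risk factors the article lists (SSID broadcast, factory-default SSID, open AP, WEP-only AP with no WPA/RSN element), and then filters the findings through a per-group alert policy. The default-SSID list, the group names, the SSID-to-group mapping and the sample beacons are constructed for the example.

```python
"""Added example: a minimal 802.11 beacon audit with per-SSID-group alert
policy. Not vendor code; default SSIDs, groups and sample frames are
constructed for illustration."""
import struct

# Capability field bit 4 = Privacy (some link-layer encryption in use)
CAP_PRIVACY = 0x0010
IE_SSID = 0        # SSID information element
IE_RSN = 48        # RSN (WPA2) information element
IE_VENDOR = 221    # vendor-specific element; WPA1 lives here
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1 = WPA IE

# Assumption: a short list of well-known factory-default SSIDs.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}


def parse_beacon_body(body):
    """Return (capability, ssid, ie_ids, has_wpa) from a beacon frame body."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    capability = struct.unpack_from("<H", body, 10)[0]  # little-endian
    ssid, ie_ids, has_wpa = None, set(), False
    pos = 12
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + ie_len]
        if len(data) < ie_len:
            raise ValueError("truncated information element")
        ie_ids.add(ie_id)
        if ie_id == IE_SSID:
            ssid = data.decode("utf-8", errors="replace")
        elif ie_id == IE_VENDOR and data.startswith(WPA_OUI_TYPE):
            has_wpa = True
        pos += 2 + ie_len
    return capability, ssid, ie_ids, has_wpa


def audit_beacon(body):
    """Return (ssid, findings) for one beacon; findings mirror the
    audit template conditions discussed in the article."""
    capability, ssid, ie_ids, has_wpa = parse_beacon_body(body)
    findings = []
    if ssid:                                   # non-empty SSID in beacon
        findings.append("ssid_broadcast")
    if ssid is not None and ssid.lower() in DEFAULT_SSIDS:
        findings.append("default_ssid")        # probably unconfigured AP
    if not capability & CAP_PRIVACY:
        findings.append("open_ap")             # no encryption at all
    elif IE_RSN not in ie_ids and not has_wpa:
        findings.append("wep_only")            # privacy bit but no WPA/RSN
    return ssid, findings


# Per-SSID-group alert policy (constructed): the guest group keeps every
# alert, the private group suppresses the ones judged acceptable there.
ALERT_POLICY = {
    "guest": {"ssid_broadcast", "default_ssid", "open_ap", "wep_only"},
    "private": {"default_ssid", "open_ap", "wep_only"},
}
SSID_GROUPS = {"CorpNet": "private", "Guest-WiFi": "guest"}  # constructed


def filtered_alerts(ssid, findings, default_group="guest"):
    """Apply the group's alert settings; unknown SSIDs fall into the
    default group so nothing unexpected is silently ignored."""
    group = SSID_GROUPS.get(ssid, default_group)
    return sorted(f for f in findings if f in ALERT_POLICY[group])


def build_beacon(ssid, capability, ies=()):
    """Construct a beacon body (sample data for the example only)."""
    body = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, cap
    body += bytes([IE_SSID, len(ssid)]) + ssid.encode()
    for ie_id, data in ies:
        body += bytes([ie_id, len(data)]) + data
    return body


if __name__ == "__main__":
    samples = [
        build_beacon("linksys", 0x0001),                       # open, default
        build_beacon("CorpNet", 0x0011, [(IE_RSN, b"\x01\x00")]),  # WPA2
        build_beacon("Guest-WiFi", 0x0011),                    # WEP only
    ]
    for body in samples:
        ssid, findings = audit_beacon(body)
        print(repr(ssid), filtered_alerts(ssid, findings))
```

A hidden SSID is carried as a zero-length SSID element, which the parser decodes as an empty string, so it raises neither the broadcast nor the default-SSID finding. Real captures would feed `audit_beacon` the frame body after the 24-byte MAC header rather than a constructed buffer.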



http://www.isp-planet.com/fixed_wireless/technology/2004/wlan_analyzers_pt4.html

Managed Security Service Provider Survey

Many companies, large and small, are now considering or have already outsourced certain network security tasks to third-party providers. Today, there are hundreds of Managed Security Service Providers (MSSPs), with offerings that range from managed firewall and virtual private network (VPN) services, to managed intrusion detection (IDS) and anti-spam/virus e-mail filtering. According to Gartner, the North American MSSP market continued to expand during the past year, with revenue increasing 19 percent during 2H03 alone.

Why do businesses outsource these sensitive services? To cut cost. MSSPs can offload many labor-intensive tasks associated with establishing a solid network defense, including security hardware/software installation, provisioning, maintenance, and 24x7 event monitoring. They hire and train experts to staff a security operations center (SOC), invest in remote administration and surveillance platforms, and create a common infrastructure from which to satisfy the security needs of many customers.

In return, customers can reduce capital equipment investment and in-house security staff, and can budget and account for the cost of security more predictably by paying a fixed monthly fee.

Of course, no company should abdicate control over the security of their business network. Although your company may delegate certain security implementation and monitoring tasks to an MSSP, you will retain responsibility for determining security policies and dictating incident responses. Purchasing a managed security service means entering into a close and trusted partnership with your chosen provider. It's vital to consider not only the cost, breadth, and depth of services offered, but also each MSSP's history, reputation, business practices, service commitments, and "house style" of interacting with customers.

Before you conduct this type of qualitative assessment, you'll need to identify one or more MSSP candidates who are capable of delivering the security services that your company needs, in the countries where your business operates. To that end, ISP-Planet has been conducting semi-annual MSSP surveys since 1999. What follows here is our fourth MSSP survey, conducted in December 2004.

Participating providers
Our survey attempts to provide an apples-to-apples comparison between common security services offered by a modest but representative MSSP sample set, ranging from national to global, from network generalist to security specialist. By presenting example services in this fashion, we hope to help readers better understand the kinds of security services that are commercially available and some common attributes that should be considered when shopping for such services.

The following table identifies the MSSPs participating in this year's survey, and the surveyed services that are now offered by each provider. In addition, many participants offer managed security services beyond the scope of our survey, such as managed authentication, PKI, vulnerability scanning, and security monitoring for other networked devices. Several also offer related professional services, like security consultation, education, risk assessment, auditing, and emergency response. Consult MSSP websites for services beyond those addressed by our survey.



http://www.isp-planet.com/technology/2004/mssp1.html