I had an opportunity this week to be involved in some testing of Motorola’s AirDefense wireless security solution at a client where we were conducting their annual PCI Security Assessment. I wrote in a post a while back about wireless IDS/IPS and discussed my findings from that testing a couple of years ago. With everything in technology, as time passes, things change. Fortunately, things change for the better, but there are still potential pitfalls. This should not be viewed as an endorsement of the AirDefense solution. It just happens to be the solution that we were able to test.
Again, as I have stated previously, I am not going to delve into the details of how to accomplish making a network device ‘stealthy’ because I do not want to give anyone ideas or a leg up. However, it should be noted that doing this is not difficult.
Two years ago, we configured some wireless access points to be very stealthy, located them around a facility, and then had AirDefense attempt to locate and identify them. While AirDefense was able to identify half of the rogue access points and flag them as potentially rogue, it was not able to confirm that these devices were in fact within the confines of the facility. The bottom line: half of the devices were not identified, so you had a 50-50 chance of finding a potentially rogue access point. Not very good odds in the security business.
It is now two years later and I conducted a very similar test. First, this test was not quite as similar as I would have liked, because we used cable/DSL routers with integrated wireless b/g access points. The testing differs from last time because the devices used this time have built-in firewalls that protect the wireless side, whereas the access points we tested with last time had no built-in security features beyond WEP. One of these devices we kept stock, using only the vendor-supplied security capabilities. On the other device we loaded DD-WRT and made significant changes to make the access point and the device itself as stealthy as possible. In addition, we only had two devices to use versus a variety of devices two years ago. However, using vendor firmware and DD-WRT should give us a good set of tests.
In our first test, we plugged the routers in (electrical as well as network WAN port on the router) and let them run in native, non-stealthy mode so that we could see how AirDefense would respond for our baseline. As expected, AirDefense performed flawlessly and found and identified these devices without a problem and about two minutes later delivered the security alerts to the client’s security and networking personnel. Unfortunately, our client is in the process of implementing more AirDefense sensors because they just moved into their new expansion space and we were located there. As a result, AirDefense could not specifically locate the wireless. However, with a few more sensors, they could have narrowed the search area and somewhat triangulated on the location of the rogue devices.
For our second test, we configured both devices to be as stealthy as possible. Because of the limitations of the vendor configuration software, we were not able to configure that unit as stealthy as the one running DD-WRT. The client reset the AirDefense database and we plugged everything in again. The router running the vendor software was identified very quickly just as in the original test. The DD-WRT device took some human intervention to determine that it was likely a rogue device. However, the good news is that this time the DD-WRT device was found by AirDefense unlike two years ago when most of these devices were not found.
During our debrief regarding the testing with the client’s security personnel, we identified some frustrations with AirDefense. The biggest is that, with the prevalence of wireless, the sensors are flooded with signals out in their retail locations. While AirDefense claims that with an appropriate number of sensors it should be able to sift through the chaff of signals, my client’s experience is that it does not. They have spent a significant amount of time attempting to tune the system so that spurious signals have a minimal impact, but they have found that all it takes is adjacent retailers or even homeowners adding wireless and AirDefense goes on alert, regardless of the number of sensors. This client has installed AirDefense at only 20% of their locations, but they tell us that the number of daily alerts can be mind-boggling and a lot of work to clear. While the client’s staff has slogged through these alerts day after day, management is obviously very concerned about maintaining this level of diligence going forward as the rollout completes.
Another problem that they run into is with the coffee shops that are located within their retail locations. However, it is not with the separate access points that these locations operate, as those have been tuned out. No, it is the coffee shop’s customers’ notebooks and netbooks that are the problem. Most of these devices have their wireless misconfigured and are acting as access points as well as wireless clients. This creates the bulk of their alerts within their retail facilities and masks a lot of the real alerts.
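To make the triage problem in the last two paragraphs concrete, here is an added example of my own; it is not AirDefense’s logic and not the client’s tooling. It takes a constructed list of over-the-air observations and sorts them into buckets a security team would act on in order: a radio whose neighbor MAC shows up on an internal switch port (a rogue actually bridged to the network), a strong unknown signal with no wired footprint (worth a walk-around), an ad-hoc beacon from a misconfigured customer notebook, and weak unknowns that are probably the neighbors. The inventories, the signal-strength threshold, and the assumption that consumer routers number their LAN and radio MACs consecutively are all my assumptions, flagged in the comments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    bssid: str       # BSSID (radio MAC) seen over the air
    ssid: str
    mode: str        # "infra" for an access point, "adhoc" for a client beaconing in ad-hoc mode
    rssi_dbm: int    # strongest reading across sensors
    sensor: str      # sensor that reported the strongest reading

# Constructed inventories. In practice these come from the WLAN controller,
# the tuned-out neighbor list, and the switch CAM/ARP tables respectively.
AUTHORIZED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
KNOWN_NEIGHBORS = {"ca:fe:00:00:00:10"}   # e.g. the in-store coffee shop's own AP
WIRED_MACS = {"00:25:9c:12:34:56", "00:11:22:aa:00:01", "00:11:22:aa:00:02"}

RSSI_INSIDE_DBM = -60   # assumption: a reading this strong is unlikely to come from next door

# Lower number means the team looks at it first.
PRIORITY = {"rogue_on_lan": 0, "suspect_inside": 1, "misconfigured_client": 2,
            "external_unknown": 3, "known_neighbor": 4, "authorized": 5}

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def wired_side_match(bssid: str, wired_macs, tolerance: int = 8) -> bool:
    """True if some MAC seen on the wired network is within `tolerance` of the BSSID.
    Consumer routers commonly assign consecutive MACs to the LAN port and the radio
    (assumption), so an exact match would miss most of them."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= tolerance for m in wired_macs)

def classify(obs: Observation) -> tuple[str, str]:
    """Return (verdict, reason) for a single over-the-air observation."""
    bssid = obs.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized", "BSSID is in the corporate AP inventory"
    if bssid in KNOWN_NEIGHBORS:
        return "known_neighbor", "BSSID is on the tuned-out neighbor list"
    if obs.mode == "adhoc":
        # A notebook beaconing in ad-hoc mode looks like an AP to a sensor, but it is a
        # client problem, not a bridge into the LAN; bucket it so it cannot mask real rogues.
        return "misconfigured_client", "ad-hoc beacon, likely a client with wireless misconfigured"
    if wired_side_match(bssid, WIRED_MACS):
        return "rogue_on_lan", "a MAC adjacent to this BSSID is plugged into the internal network"
    if obs.rssi_dbm >= RSSI_INSIDE_DBM:
        return "suspect_inside", f"{obs.rssi_dbm} dBm at {obs.sensor} suggests the radio is inside the facility"
    return "external_unknown", "weak signal and no wired footprint; probably a neighbor"

def triage(observations):
    """Classify every observation and return them most urgent first, strongest signal first within a bucket."""
    rows = [(PRIORITY[v], v, obs, why) for obs in observations for v, why in [classify(obs)]]
    rows.sort(key=lambda r: (r[0], -r[2].rssi_dbm))
    return [(v, obs, why) for _, v, obs, why in rows]

# Constructed sample scan standing in for what the sensors report in one retail location.
SAMPLE_SCAN = [
    Observation("00:11:22:aa:00:01", "CORP-WLAN", "infra", -48, "sensor-3"),
    Observation("ca:fe:00:00:00:10", "CoffeeShopFree", "infra", -55, "sensor-3"),
    Observation("02:1a:2b:3c:4d:5e", "CoffeeShopFree", "adhoc", -52, "sensor-3"),   # customer notebook
    Observation("00:25:9c:12:34:58", "linksys", "infra", -70, "sensor-1"),           # LAN MAC ends in :56
    Observation("f8:d1:11:00:00:01", "NETGEAR42", "infra", -45, "sensor-2"),
    Observation("a4:2b:8c:00:00:99", "HomeWiFi", "infra", -82, "sensor-1"),
]

if __name__ == "__main__":
    for verdict, obs, why in triage(SAMPLE_SCAN):
        print(f"{verdict:20} {obs.bssid}  {obs.ssid:16} {why}")
```

The important design choice is that the wired-side correlation outranks signal strength: a weak rogue that is cabled into the store network (the linksys entry above) is the real problem, while the loud NETGEAR radio with no wired footprint only earns a walk-around, and the ad-hoc notebook never competes with either for attention.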
The other point that the client’s security personnel wanted passed along to others is that an AirDefense type of solution is not a guarantee that you will identify every rogue access point. Most of this problem is related to the human element. All it takes is a lapse in diligence and you can end up with problems. This was brought home the week before we arrived, when the client’s resident wireless security guru was on vacation. While the guru was away, a couple of alerts were written off by the backup because of that person’s inexperience. It turned out that these alerts were real problems requiring action, which was only discovered when the guru got back. There will be more remedial education for all other security personnel on the AirDefense system. However, the bigger change will be making sure that the guru is not the only one making the call on what gets investigated. With that responsibility spread out to more people, it is hoped that coverage will be more consistent when the team is not together.
In the end, I am glad to report that wireless IDS/IPS is advancing. However, it is not a silver bullet, nor do I expect it to ever be a silver bullet. It still requires humans to make the call on what to investigate and what to ignore. That requires skill and experience with the tool in a particular environment, and that skill and experience take time to develop. So, just because you have implemented wireless IDS/IPS does not mean that you are immediately protected. Your security personnel will still have to ramp up on the tool in your environment.