Information Security News mailing list archives

AirMagnet 1.2 Reveals WLAN Trouble Spots


From: InfoSec News <isn () c4i org>
Date: Fri, 10 May 2002 03:33:09 -0500 (CDT)

http://www.eweek.com/article/0,3658,s=712&a=26498,00.asp

By Cameron Sturdevant 
May 6, 2002 

AirMagnet Inc.'s AirMagnet Sniffer works right, right out of the box -
much to its credit and to network administrators' advantage - earning
it an eWeek Labs Analyst's Choice award.

eWeek Labs ran the AirMagnet Version 1.2 protocol analyzer on a device
that represents new territory for this genre of product - a handheld
computer, namely a Compaq Computer Corp. iPaq. AirMagnet provided
"just-the-facts" details about 802.11b traffic it detected - no
protocol decodes but 802.11b traffic statistics that are essential to
performing wireless network security audits and site surveys.

AirMagnet, which started shipping last month (at the same time the
company announced it was going into business), costs $2,495 for
detection software and an 802.11b card (in our case, a Proxim Inc.
Harmony card). The handheld device is not included in this price.

The AirMagnet system is not cheap, and IT buyers would be wise to
question whether a company this new will be around to support its
wares in the future. While AirMagnet is just getting started as a
company, however, its founders and designers are all industry pros
who developed solid products we tested years ago, including NetXRay
from Cinco Networks Inc., which was purchased by Network Associates
Inc.

We'll go out on a limb and say that the simplicity and elegance of the
product make it worth the cost and that the caliber of the company's
founders and product developers should ease buyers' minds about future
support.

Buyers should also bear in mind, however, that Network Associates is
slated this week at NetWorld+Interop to announce a handheld version of
its Sniffer product line, called Sniffer Pocket.

With other wireless sniffers we've tested, we had to set up filters,
start and stop captures, wade through piles of documentation, and drag
a power-hungry laptop with an even more power-hungry wireless card
around the office to get our traffic samples.

With AirMagnet, in contrast, we simply loaded the software, recognized
the card, turned the system on and started sensing traffic.

AirMagnet automatically scanned all the frequencies available in
802.11b and consistently pointed out which channels had real traffic,
as opposed to those channels that were carrying spillover radio
signals.

AirMagnet is not a protocol analyzer in the sense that it can decode
TCP/IP application traffic. But that's OK because front-line
technicians performing site surveys and network managers doing
security audits don't need Layer 3 and 7 information to perform quick
checks.

That said, we could use AirMagnet to do simple Layer 3
troubleshooting. For example, we were able to select our access point
from among many in our Foster City, Calif., test lab and send a ping
over it to make sure it was communicating with the wired network.

We were also able to use AirMagnet as a type of rogue access point
locator. The coolness factor went up almost immeasurably as we used
the AirMagnet-loaded iPaq in full "tricorder" mode to zero in on
unauthorized access points. It almost goes without saying that this is
the same way that IT managers conducting a site survey can determine
where to place access points for the best coverage before installing
end-user stations.

The AirMagnet is a good security tool for ferreting out rogue access
points but should also serve as a reminder to network administrators
about the vulnerability of wireless networks.

AirMagnet, unlike the very able shareware utility NetStumbler
(available from www.netstumbler.com), operates entirely in stealth
mode and only "listens" for packets.

Malicious users of the product couldn't do much more than discover the
existence of a wireless LAN and the location of access points, but the
malicious person could do so without network administrators ever
knowing.

The only exception we found to this was when we used AirMagnet to
generate traffic to test the performance of an access point during a
site survey. Here, AirMagnet had to associate with the access point
and send traffic, which was then detectable.

Senior Analyst Cameron Sturdevant can be contacted at
cameron_sturdevant () ziffdavis com.



-
ISN is currently hosted by Attrition.org
