AirTight Networks’ SpectraGuard Enterprise (SGE) version 5.5 wireless intrusion prevention system is excellent for testing and maintaining the security of wireless networks.
Among the new features in this latest version is a location-based policy management system, which is designed to make it easier to manage geographically dispersed SGE deployments. This is also intended to help managed security service providers to provide wireless security for different organisations. Another key addition is integrated support for Cisco’s Wireless LAN Controller systems.
The hardware for SGE consists of AirTight’s SpectraGuard wireless sensors and the SGE appliance. We set up a system using an SGE SA-200 appliance and three sensors covering our labs area. Connecting to the appliance for the first time fires up a 12-step initial configuration wizard. This allows users to set up SMTP servers for email alerts, and lets them choose which servers to send syslog messages and Simple Network Management Protocol trap alerts to.
We then set up automated policies to deal with unauthorised access points (APs) trying to connect to the network, unauthorised clients trying to authenticate with authorised APs and authorised clients trying to connect with unauthorised APs.
Initially, we turned the event-generation and intrusion-prevention systems off, so we could monitor what wireless infrastructure was out there. SGE’s web GUI makes it easy for users to see and categorise wireless devices over the air. The system immediately detected our test network’s 3Com AP7250 AP and displayed details of its various settings.
After several days of monitoring the environment around our wired network, we had logged 36 APs and 213 wireless clients, with over half the APs being Cisco ones. Most of the APs were 802.11b/g devices. Of the remainder, three were 802.11a units, one was a pre-draft 802.11n AP and one was an 802.11b-only type. Sixteen APs were using WEP for security, while four had WPA and four had WPA2 security enabled, with the rest having no security enabled whatsoever.
We then checked to see what kind of events were being generated. We weeded out trivial events and focused on critical ones, like an authorised client trying to connect to an “evil twin” AP.
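The policy cases set up above (rogue AP on the wired network, unauthorised client on an authorised AP, authorised client on an unauthorised AP) and the evil-twin triage described here can be expressed as a small classifier. This is an added example, not AirTight's code; the authorised-device lists, MAC addresses and SSIDs are constructed.

```python
# Added example, not SGE code. Classifies observed client/AP associations into
# the policy categories a WIPS policy would act on. All identifiers are constructed.
from dataclasses import dataclass

AUTHORISED_APS = {"00:11:22:aa:bb:01": "corp-lab", "00:11:22:aa:bb:02": "corp-lab"}
AUTHORISED_SSIDS = set(AUTHORISED_APS.values())
AUTHORISED_CLIENTS = {"d4:3d:7e:00:00:10", "d4:3d:7e:00:00:11"}
CRITICAL = {"evil_twin_critical", "rogue_ap_on_network",
            "authorised_client_misassociation", "unauthorised_client"}

@dataclass(frozen=True)
class Association:
    client: str      # client MAC seen associating
    bssid: str       # BSSID of the AP it associated with
    ssid: str        # SSID the AP advertises
    on_wired: bool   # AP observed bridging onto the monitored wired network

def classify(a: Association) -> str:
    """Return the policy category; evil twin takes priority, then wired rogues."""
    ap_ok = a.bssid in AUTHORISED_APS
    client_ok = a.client in AUTHORISED_CLIENTS
    if ap_ok and client_ok:
        return "authorised"
    if not ap_ok and a.ssid in AUTHORISED_SSIDS:
        # Unauthorised AP advertising our SSID: an evil twin. It becomes a
        # critical event once one of our own clients connects to it.
        return "evil_twin_critical" if client_ok else "evil_twin"
    if not ap_ok and a.on_wired:
        return "rogue_ap_on_network"
    if not ap_ok and client_ok:
        return "authorised_client_misassociation"
    if ap_ok and not client_ok:
        return "unauthorised_client"
    return "external"  # neighbour traffic: neither side ours, not bridged

def critical_events(events):
    """Weed out trivial events, keeping only categories worth a response."""
    out = {}
    for e in events:
        c = classify(e)
        if c in CRITICAL:
            out.setdefault(c, []).append(e)
    return out

# Constructed sample observations covering each category.
SAMPLE_EVENTS = [
    Association("d4:3d:7e:00:00:10", "00:11:22:aa:bb:01", "corp-lab", True),
    Association("d4:3d:7e:00:00:10", "66:77:88:00:00:99", "corp-lab", False),
    Association("ff:ff:ff:00:00:01", "00:11:22:aa:bb:02", "corp-lab", True),
    Association("d4:3d:7e:00:00:11", "66:77:88:00:00:98", "guest-cafe", False),
    Association("ff:ff:ff:00:00:02", "66:77:88:00:00:97", "cafe", True),
    Association("ff:ff:ff:00:00:03", "66:77:88:00:00:96", "cafe", False),
]
```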
With AirTight’s intrusion prevention system enabled, SGE 5.5 allowed us to respond to critical security events by either blocking or degrading unwanted communications between authorised and unauthorised devices.