Saturday | 30 August, 2008
ARN
WLAN analyzers come of age
AirMagnet still reigns, but others closing in

AirMagnet Laptop

Like OptiView III and OmniPeek, AirMagnet Laptop came with a Cognio Spectrum Analyzer card. AirMagnet Laptop uses an engine that is accessible by AirMagnet sensors, which can be other notebooks running licensed AirMagnet sensor applications or dedicated AirMagnet sensors (similar to OmniPeek's optional sensors).

AirMagnet sensors run in two modes: Enterprise Analyzer Sensor or AirMagnet Enterprise Sensor. The Enterprise Sensor mode sends information to a mother-ship node, while the Analyzer Sensor uses an application console that looks into the sensor. The server is an engine that collects sensor data for correlation in the console, which provides an integrated view of the entire grid of sensors.

A Web interface permits a download of the console application (password controlled), and several users can access the engine simultaneously. The console then becomes the business end for this intrusion-detection system (IDS)/intermediate distribution frame/monitoring application.

Finding rogues

AirMagnet found the man-in-the-middle attacker as a rogue access point. The flood attacks were deemed "Suspicious activity," which was amusingly closer to reality than the description offered by OmniPeek and Sniffer.

In our tests, AirMagnet excelled in two places. First, the user interface allows a great deal of interrelated information to be shown on screen. This big-picture console display let us watch attacks and get detailed information from several perspectives concurrently. Second, AirMagnet's diagnostic feature gives an articulate description of what is being seen. Highly detailed information about alarms, along with detailed references, is shown so that the operator can understand captured alarm information. This lets operators assign priorities, knowing how AirMagnet has judged the traffic it is seeing -- and, more importantly, why it's alarming. This information is invaluable, as the errors found among WLAN protocol analyzers are not often given the same description. The detective work of determining the seriousness of an error or alarm goes more quickly as a result. The AirMagnet user interface is the antithesis of command-line-interface information.

In monitoring mode, AirMagnet lets you assign different roles to users. Some may have full administrative capabilities, while others can see but not acknowledge alarms that have been found. The AirMagnet console-monitoring application is available as an HTTP download from the main data-collection server so that rapid access to problems that require the use of the console can be accommodated throughout the enterprise.

Alarm conditions can spawn syslog messages, e-mail, SNMP traps, pager, instant messages or Short Message Service messages. The system supports connection to other wireline IDS software, but we didn't test this. Notification rules can be set on a per-alarm basis.

Analyzing the analyzers

The field has improved since our last test. While AirMagnet Laptop remains on top, WildPackets' OmniPeek is becoming tough competition. But the trend towards multiple options makes price comparisons more difficult and hazy. Network General's Sniffer Portable is aging, but remains a tool by which others are compared because of its initial prominence in the market. And Fluke's OptiView III has once again become a good tool -- while not really useful as a 24/7 monitor, it begs to be hung around our shoulder as we crawl through rafters in search of WLAN problems -- just not attacks.
