We tested overlay products from AirDefense, AirMagnet, Network Chemistry, Network Instruments, Newbury Networks and WildPackets at our Syracuse University Real-World Labs. We discovered that the monitoring tools included with infrastructure products will suffice for installations where rogue detection (and not much more) is needed, though some offer perks like AP-location capabilities or thin IDS features. If you need more in-depth analysis, get a specialized overlay monitor. To help you gauge the hit this will put on your budget, we outlined two pricing scenarios.
Arrows vs. A-Bombs
As wireless LANs proliferate and mature, so, too, do WLAN attacks. Some of the overlay products we tested detect and alert administrators to attempts to gain unauthorized access, for example. These IDS features determine if malicious activity is afoot by comparing suspicious traffic with a database of known attack signatures. We found that while some products' IDS capabilities were better than others, they all missed attacks and showed false alarms.
Conventional IDSs focus on network intrusions, but not all attacks are aimed at swiping proprietary information: Scans by network-reconnaissance tools, such as NetStumbler, can give outsiders valuable information about your WLAN topology, even the approximate location of your APs, making theft a possibility. Some attackers simply want to mess up your WLAN; by launching a DoS attack against your APs, an intruder can bring down portions of your network, and even the best authentication or encryption can't stop it. And unlike Ethernet LANs, where physical access to the medium is required, these attacks can come from outside your facilities.
In addition, your WLAN can be ripped wide open if an IT staffer misconfigures an AP. Then there are moochers who sit outside your building and hog your bandwidth, possibly driving users to throw day-old bagels at you when they can't connect because of RF interference. The life of a WLAN admin is fraught with peril.
You need to see all the APs and clients in your vicinity. Basic threat detection also is a must. Some products' advanced capabilities will make it easier for you to maintain a secure perimeter and perform troubleshooting duties.
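To make the rogue-detection and misconfigured-AP cases above concrete, here is an added example (not code from any of the products tested) of the core comparison an overlay monitor performs: every beacon a sensor hears is checked against an inventory of sanctioned APs. The inventory, SSIDs, MAC addresses, signal threshold and sample observations are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str      # AP radio MAC address
    ssid: str       # advertised network name
    security: str   # "open", "wep", "wpa" or "wpa2"
    rssi_dbm: int   # signal strength seen by the sensor

# Hypothetical inventory of sanctioned APs: BSSID -> (SSID, minimum security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", "wpa2"),
    "00:11:22:33:44:02": ("corp-wlan", "wpa2"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
STRENGTH = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}
STRONG_RSSI = -60   # assumed threshold: louder than this is probably inside the building

def classify(b: Beacon) -> str:
    entry = AUTHORIZED.get(b.bssid.lower())
    if entry is not None:
        ssid, required = entry
        # A sanctioned radio that drifted from policy is the misconfigured-AP case.
        if b.ssid != ssid or STRENGTH.get(b.security, 0) < STRENGTH[required]:
            return "misconfigured"
        return "authorized"
    if b.ssid in CORP_SSIDS:
        return "rogue"          # unknown radio advertising a corporate SSID
    if b.rssi_dbm >= STRONG_RSSI:
        return "investigate"    # unknown AP with a strong signal, likely on premises
    return "neighbor"           # weak unknown AP: alerting on these causes false alarms

def triage(beacons):
    """Return {bssid: label} for everything that needs an administrator's attention."""
    labels = {b.bssid: classify(b) for b in beacons}
    return {k: v for k, v in labels.items() if v not in ("authorized", "neighbor")}

# Constructed sample observations, not captured traffic.
SAMPLE = [
    Beacon("00:11:22:33:44:01", "corp-wlan", "wpa2", -48),
    Beacon("00:11:22:33:44:02", "corp-wlan", "open", -52),
    Beacon("02:aa:bb:cc:dd:10", "corp-wlan", "wpa2", -55),
    Beacon("02:aa:bb:cc:dd:20", "linksys", "open", -45),
    Beacon("02:aa:bb:cc:dd:30", "coffee-shop", "open", -82),
]

if __name__ == "__main__":
    for bssid, label in triage(SAMPLE).items():
        print(bssid, label)
```

The "neighbor" bucket is where tuning matters: alert on every unknown AP and a dense office district buries the real rogue in noise, which is the false-alarm problem noted above.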