[ISN] AirMagnet 1.2 Reveals WLAN Trouble Spots

From: InfoSec News (isnat_private)
Date: Fri May 10 2002 - 01:33:09 PDT


    By Cameron Sturdevant
    May 6, 2002

    AirMagnet Inc.'s AirMagnet Sniffer works right, right out of the box -
    much to its credit and to network administrators' advantage and
    earning it an eWeek Labs' Analyst's Choice award.

    eWeek Labs ran the AirMagnet Version 1.2 protocol analyzer on a device
    that represents new territory for this genre of product - a handheld
    computer, namely a Compaq Computer Corp. iPaq. AirMagnet provided
    "just-the-facts" details about 802.11b traffic it detected - no
    protocol decodes but 802.11b traffic statistics that are essential to
    performing wireless network security audits and site surveys.

    AirMagnet, which started shipping last month (at the same time the
    company announced it was going into business), costs $2,495 for
    detection software and an 802.11b card (in our case, a Proxim Inc.
    Harmony card). The handheld device is not included in this price.

    The AirMagnet system is not cheap, and IT buyers would be wise to
    question whether a company this new will be around to support its
    wares in the future. While AirMagnet is just getting started as a
    company, however, its founders and designers are all industry pros
    that developed solid products we tested years ago, including NetXRay
    from Cinco Networks Inc., which was purchased by Network Associates

    We'll go out on a limb and say that the simplicity and elegance of the
    product make it worth the cost and that the caliber of the company's
    founders and product developers should ease buyers' minds about future

    Buyers should also bear in mind, however, that Network Associates is
    slated this week at NetWorld+Interop to announce a handheld version of
    its Sniffer product line, called Sniffer Pocket.

    With other wireless sniffers we've tested, we had to set up filters,
    start and stop captures, wade through piles of documentation, and drag
    a power-hungry laptop with an even more power-hungry wireless card
    around the office to get our traffic samples.

    With AirMagnet, in contrast, we simply loaded the software, recognized
    the card, turned the system on and started sensing traffic.

    AirMagnet automatically scanned all the frequencies available in
    802.11b and consistently pointed out which channels had real traffic,
    as opposed to those channels that were carrying spillover radio

    AirMagnet is not a protocol analyzer in the sense that it can decode
    TCP/IP application traffic. But that's OK because front-line
    technicians performing site surveys and network managers doing
    security audits don't need Layer 3 and 7 information to perform quick

    That said, we could use AirMagnet to do simple Layer 3
    trouble-shooting. For example, we were able to select our access point
    from among many in our Foster City, Calif., test lab and send a ping
    over it to make sure it was communicating with the wired network.

    We were also able to use AirMagnet as a type of rogue access point
    locator. The coolness factor went up almost immeasurably as we used
    the AirMagnet-loaded iPaq in full "tricorder" mode to zero in on
    unauthorized access points. It almost goes without saying that this is
    the same way that IT managers conducting a site survey can determine
    where to place access points for the best coverage before installing
    end-user stations.

    The AirMagnet is a good security tool for ferreting out rogue access
    points but should also serve as a reminder to network administrators
    about the vulnerability of wireless networks.

    AirMagnet, unlike the very able shareware utility NetStumbler
    (available from www.netstumbler.com), operates in a completely stealth
    mode and only "listens" for packets.

    Malicious users of the product couldn't do much more than discover the
    existence of a wireless LAN and the location of access points, but the
    malicious person could do so without network administrators ever

    The only exception we found to this was when we used AirMagnet to
    generate traffic to test the performance of an access point during a
    site survey. Here, AirMagnet had to associate with the access point
    and send traffic, which was then detectable.

    Senior Analyst Cameron Sturdevant can be contacted at
    ISN is currently hosted by Attrition.org