http://www.eweek.com/article/0,3658,s=712&a=26498,00.asp

By Cameron Sturdevant
May 6, 2002

AirMagnet Inc.'s AirMagnet Sniffer works right, right out of the box - much to its credit and to network administrators' advantage and earning it an eWeek Labs' Analyst's Choice award.

eWeek Labs ran the AirMagnet Version 1.2 protocol analyzer on a device that represents new territory for this genre of product - a handheld computer, namely a Compaq Computer Corp. iPaq. AirMagnet provided "just-the-facts" details about 802.11b traffic it detected - no protocol decodes but 802.11b traffic statistics that are essential to performing wireless network security audits and site surveys.

AirMagnet, which started shipping last month (at the same time the company announced it was going into business), costs $2,495 for detection software and an 802.11b card (in our case, a Proxim Inc. Harmony card). The handheld device is not included in this price.

The AirMagnet system is not cheap, and IT buyers would be wise to question whether a company this new will be around to support its wares in the future. While AirMagnet is just getting started as a company, however, its founders and designers are all industry pros that developed solid products we tested years ago, including NetXRay from Cinco Networks Inc., which was purchased by Network Associates Inc.

We'll go out on a limb and say that the simplicity and elegance of the product make it worth the cost and that the caliber of the company's founders and product developers should ease buyers' minds about future support. Buyers should also bear in mind, however, that Network Associates is slated this week at NetWorld+Interop to announce a handheld version of its Sniffer product line, called Sniffer Pocket.

With other wireless sniffers we've tested, we had to set up filters, start and stop captures, wade through piles of documentation, and drag a power-hungry laptop with an even more power-hungry wireless card around the office to get our traffic samples. With AirMagnet, in contrast, we simply loaded the software, recognized the card, turned the system on and started sensing traffic. AirMagnet automatically scanned all the frequencies available in 802.11b and consistently pointed out which channels had real traffic, as opposed to those channels that were carrying spillover radio signals.

AirMagnet is not a protocol analyzer in the sense that it can decode TCP/IP application traffic. But that's OK because front-line technicians performing site surveys and network managers doing security audits don't need Layer 3 and 7 information to perform quick checks. That said, we could use AirMagnet to do simple Layer 3 troubleshooting. For example, we were able to select our access point from among many in our Foster City, Calif., test lab and send a ping over it to make sure it was communicating with the wired network.

We were also able to use AirMagnet as a type of rogue access point locator. The coolness factor went up almost immeasurably as we used the AirMagnet-loaded iPaq in full "tricorder" mode to zero in on unauthorized access points. It almost goes without saying that this is the same way that IT managers conducting a site survey can determine where to place access points for the best coverage before installing end-user stations.

The AirMagnet is a good security tool for ferreting out rogue access points but should also serve as a reminder to network administrators about the vulnerability of wireless networks. AirMagnet, unlike the very able shareware utility NetStumbler (available from www.netstumbler.com), operates in a completely stealth mode and only "listens" for packets.
Malicious users of the product couldn't do much more than discover the existence of a wireless LAN and the location of access points, but the malicious person could do so without network administrators ever knowing. The only exception we found to this was when we used AirMagnet to generate traffic to test the performance of an access point during a site survey. Here, AirMagnet had to associate with the access point and send traffic, which was then detectable.

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevantat_private