Many IT managers have learned the hard way that management techniques used for traditional wired networks simply don’t work in the wireless world. Wireless networks are both dynamic and insecure by their very nature, which makes traditional network management techniques ineffective. Over the last couple of years, a few companies have stepped forward to offer wireless network management and security solutions. One such company is AirWave. In this article, I will introduce you to AirWave’s flagship product, AirWave Management Platform.
Wireless network monitoring
The first key component of the AirWave Management Platform (AMP) is the real-time wireless network monitor. This component continuously monitors your wireless network and compiles data related to every wireless device. The software then compares current values against threshold values to spot potential problems. For example, the monitoring component would monitor each individual user’s (or device’s) signal strength and wireless bandwidth consumption. If these values fall outside of an acceptable range, then an alert is generated. These alerts can be delivered to an e-mail account or to a pager. You can also receive alerts from within the management console.
In addition to allowing you to monitor real-time statistics, the management console also contains a comprehensive reporting feature. This allows you to compile a variety of different reports based on stored data. You can use these reports to view trends that occur over time. Seeing these trends allows you to fine-tune your wireless network. You can even export the report data in XML format.
Detection of rogue access points
One of the biggest challenges is detecting rogue access points. Even if your company doesn’t have a wireless network, it is possible for someone to go to the computer store, drop a hundred bucks on an access point, plug it into your corporate network, and then all of your sensitive data will be broadcast across the airwaves in an unencrypted format.
Fortunately, AMP does a great job of detecting rogue access points. The software continuously and simultaneously runs various access point discovery protocols, including CDP, OSU, IAPP, and WNMP. These protocols allow AMP to detect your existing access points, and because they are constantly running, any rogue access points will be detected right away. In case you are wondering, the discovery process is nonintrusive. When an access point is detected, it is possible to manage the device from the AMP console.
Access point management
Historically, managing access points has been a problem for several reasons. First, access points must be configured individually. Up until now, there was simply no easy way to configure all access points within an organization. Compounding the problem is the fact that although most access point manufacturers incorporate the same features into their hardware, the method for configuring an access point varies from brand to brand. So, if you want to change encryption keys across your enterprise, you must manually update every single access point individually. Since each brand of access point has its own update method, it also means that you may have to spend extra time feeling your way around the various access point interfaces.
AMP solves this problem by making the console recognize multiple brands of access points. The most common access point manufacturers’ codes are built into the software. These manufacturers include Cisco, Proxim, ORINOCO, Symbol, Enterasys, Intel, HP, Compaq, Dell, Avaya, IBM, Nokia, and a few more.
Not only is AMP capable of updating all of these different brands of access points, it is capable of updating them collectively. For example, suppose that you needed to change the WEP encryption keys. You could change the encryption keys for all of the access points in the organization with no more work than would be required for changing a single access point. You also have the option of updating a specific group of access points rather than all access points.
Timing is everything
Another issue involved in access point change management is timing. For example, if you change all of the encryption keys for the access points, then none of the users will be able to gain access to the access points until their machines are also updated to include the new encryption keys. The problem is that you probably don’t want to make this change in the middle of the day while everyone is trying to work. You probably also don’t want to have to come in during the middle of the night to make the change. Fortunately, AMP allows you to schedule the update to occur automatically at a time that is convenient for everyone.
Being able to update access points collectively not only frees up your time, but also makes your wireless network more secure. For starters, you can change WEP keys as often as you like, because changing keys is now painless. Another way that AMP increases security is by providing you with a single interface to configure all access points. You could easily work through the configuration interface and configure each option in a way that meets the corporate security policy, and then roll the changes that you have made out to all access points.
The management console can even handle access point firmware updates. For example, a new encryption protocol called WPA is starting to be used by companies with wireless networks. However, before a device can use WPA, its firmware must be updated to support WPA. Using AMP, you could automatically download and distribute the necessary firmware updates as they become available. There is even an automatic verification feature that you can use to ensure that your firmware was updated successfully.
One of the features that I really like about AMP is its auditing feature. I have often said that security is not a set-it-and-forget-it option. Once you secure a system, you must take the necessary steps to make sure that the system stays secure. To this end, AMP continuously audits all of your access points. During an audit, AMP compares each of an access point’s settings against the settings dictated by your AMP security policy. If a discrepancy is found, the access point is automatically reconfigured to match its intended configuration. The auditor then generates an alert that is designed to inform you of the discrepancy.
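The audit loop described above, combined with the rogue check from the detection section, as an added example that is not AirWave's code: every discovered access point is either reported as unknown or compared setting by setting against the policy, reset on a mismatch, and reported. The setting names, MAC addresses and alert format are constructed for illustration and are not AMP's schema.

```python
from dataclasses import dataclass, field

# Constructed policy: the settings every managed access point must carry.
# Names and values are illustrative assumptions, not AMP's own schema.
POLICY = {"encryption": "WPA", "ssid_broadcast": False, "http_admin": False}

# Constructed inventory of authorized access points, keyed by MAC address.
AUTHORIZED = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}


@dataclass
class AccessPoint:
    mac: str
    settings: dict = field(default_factory=dict)


def audit(discovered, policy=POLICY, authorized=AUTHORIZED):
    """Return a list of alerts; drifted managed APs are reset to policy in place."""
    alerts = []
    for ap in discovered:
        if ap.mac.lower() not in authorized:
            # Unknown device on the network: report it, never push config to it.
            alerts.append({"mac": ap.mac, "type": "rogue"})
            continue
        # Record each setting whose actual value differs from the policy value.
        # A missing setting reads as None and therefore counts as drift.
        drift = {key: (ap.settings.get(key), want)
                 for key, want in policy.items() if ap.settings.get(key) != want}
        if drift:
            ap.settings.update(policy)  # reconfigure to the intended state
            alerts.append({"mac": ap.mac, "type": "drift", "changes": drift})
    return alerts


def sample_scan():
    """Constructed discovery results: one compliant, one drifted, one unknown."""
    return [
        AccessPoint("00:11:22:aa:bb:01", dict(POLICY)),
        AccessPoint("00:11:22:aa:bb:02", {**POLICY, "encryption": "none"}),
        AccessPoint("de:ad:be:ef:00:99", {"encryption": "none"}),
    ]


if __name__ == "__main__":
    for alert in audit(sample_scan()):
        print(alert)
```

Running the audit a second time over the same devices reports only the unknown access point, because the drifted one was already reset to policy.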
Works well with others
One final feature that really impresses me about AMP is that it is designed to work with other network management systems. In fact, AMP was the first wireless network management solution certified to work with HP OpenView. You can launch AMP from within the HP Network Node Manager. Even if you don’t use OpenView, AMP can work with your existing network management software because of the way that it passes along SNMP traps.