One of the biggest Wi-Fi security fears for network professionals is the "van in the parking lot" scenario, in which an intruder breaks into the network from outside the company's walls.
Newbury Networks tackles this problem with WiFi Watchdog, which uses location-based technology to let administrators set up physical borders for the wireless LAN (WLAN). If a user is inside the "border," connections are allowed. Anywhere outside the network, connections are denied, even if the wireless signal is present. The system also detects rogue access points and has other security features to help protect the WLAN.
We recently tested the WiFi Watchdog system and found that while it has an arduous installation process, it eventually pays off with very good results. WiFi Watchdog won't replace wireline security or other network defenses, but it can be a good component of a secure wireless network. WiFi Watchdog overlays existing and compatible (meaning access points must be on its long approved list) WLAN infrastructure. It doesn't optimize infrastructure in the way that homogeneous switched or other types of WLAN equipment do. Rather, it's an authenticator/de-authenticator with strong location-based smarts.
WiFi Watchdog is a system of passive sensors that use patented methods to locate wireless 802.11b/g users inside an administrator-defined physical geography. Watchdog is used as an overlay to an existing Wi-Fi network that has access points that can authenticate through the RADIUS protocol.
Users within the physical Watchdog boundaries are authenticated through a Newbury-provided RADIUS server and RADIUS-compatible access points. An administrative system (a dedicated Windows 2000/XP PC is suggested) tracks user location and allows authentication via RADIUS following a procedure that the Watchdog application manages.
Watchdog sensors (called LocalePoints) are passive 802.11 access points that build on the intelligence gained through physical training: you need to "walk the dog" around the perimeters of an installation so the sensors become familiar with the geometry of the wireless layout. The LocalePoints then triangulate clients and access points, establish a relative location, and match the location against a database to continue authentication or remove it. In practical use, physical location tracking will prevent a number of common attacks, but it cannot protect against wireline attacks. Additionally, the Watchdog system currently supports only 802.11b/g systems, although 802.11a monitoring might be added soon, Newbury says.
The location-training process requires walking around with a working Wi-Fi device and pirouetting (making a 360-degree rotation) so the LocalePoints can learn specific location characteristics. A large sampling is not necessary; just enough to establish boundaries, including ingress/egress points and other boundaries where Watchdog can draw "authentication lines." This information is used to plot user movements and rogue detection points on a user-defined layout map.
Before you do this, though, there is software installation to overcome. We found that Watchdog needs to be installed on an otherwise pristine platform, because it requires very specific versions of MySQL and Sun's Java Software Development Kit. The wide compatibility of these two products lets these devices be installed on a number of platforms, including Windows 2000 and above (we used XP), Linux 2.4 and above (we used 2.4.7), and Sun Solaris (we didn't try Solaris or Mac OS X 10.3).
The LocalePoints are highly modified Cisco/Linksys access points, initially configured on the same logical IP subnet as the WiFi Watchdog Management AP and the MySQL-Java SDK combination.
We had difficulty configuring the LocalePoints with the Watchdog-bundled Windows-based SensorManager. Part of the application should update the LocalePoint with its IP information and WLAN scanning information, and we found that at times it didn't. (See How we did it.)
After the LocalePoints are discovered and configured, the Watchdog Web-based application manages wireless devices, users and the like. The application runs as a service on Windows and has an ".initrc-launched" application on Linux, both with MySQL.
Watchdog defines physical geography as Zones that contain Locales, and areas are either inside or outside a Locale. Getting good location data requires a fixed sequence of events: Locales are defined, then installed as Zones within an on-screen, two-dimensional layout.
Signatures or measurements between two locales are taken, and physical walkabout is required with a Watchdog feature called the Predictor. Signatures then are bound to the locales. Measurements also are taken at transition points between locales, so the inside/outside signatures can be determined.
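As an added illustration (not Newbury's patented method and not code from the product), the idea of binding trained signatures to locales and then allowing or denying a client by location can be sketched as nearest-neighbour matching of signal-strength readings. The three-sensor layout, locale names, RSSI values and distance threshold below are constructed assumptions.

```python
import math

# Constructed training data: RSSI in dBm as seen by three hypothetical
# sensors while walking each locale. Values are invented for illustration.
SIGNATURES = {
    "office":      [(-42, -60, -71), (-45, -58, -69), (-48, -55, -66)],
    "lobby":       [(-63, -47, -58), (-66, -44, -61)],
    "parking_lot": [(-82, -79, -88), (-85, -76, -90), (-80, -83, -86)],
}
ALLOWED_LOCALES = {"office", "lobby"}  # locales inside the border
MAX_DISTANCE = 12.0  # assumed threshold: farther than this matches nothing


def nearest_locale(reading):
    """Return (locale, distance) of the closest trained signature."""
    best_locale, best_dist = None, math.inf
    for locale, samples in SIGNATURES.items():
        for sample in samples:
            dist = math.dist(reading, sample)  # Euclidean distance in dB
            if dist < best_dist:
                best_locale, best_dist = locale, dist
    return best_locale, best_dist


def authorize(reading):
    """Decide whether a client at this reading keeps its authentication.

    Fails closed: a reading that matches no trained signature is denied,
    as is one that matches a locale outside the border.
    """
    locale, dist = nearest_locale(reading)
    if locale is None or dist > MAX_DISTANCE:
        return ("deny", "unknown")
    if locale in ALLOWED_LOCALES:
        return ("allow", locale)
    return ("deny", locale)


if __name__ == "__main__":
    for label, reading in [
        ("desk client", (-44, -59, -70)),
        ("van in the parking lot", (-83, -78, -89)),
        ("untrained position", (-20, -20, -20)),
    ]:
        print(label, reading, authorize(reading))
```

The parking-lot reading is denied even though all three sensors hear the client, which is the behaviour the review describes: a usable signal alone does not grant access.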
Once the setup is complete, there's the matter of taking discovered devices and putting them into groups for administrative purposes. Watchdog does not integrate with directory services, so users and group information must either be imported or entered manually.