<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Suggested Blog Reading &#8211; Tuesday May 1st, 2007</title>
	<atom:link href="http://www.andrewhay.ca/archives/106/feed" rel="self" type="application/rss+xml" />
	<link>http://www.andrewhay.ca/archives/106</link>
	<description>the website of a devastatingly handsome author, sporadic blogger, bbq junkie, and security strong man</description>
	<lastBuildDate>Thu, 04 Feb 2010 01:07:29 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: www.andrewhay.ca &#187; Follow-up From a Company, It&#8217;s CTO, and his people&#8230;</title>
		<link>http://www.andrewhay.ca/archives/106/comment-page-1#comment-1471</link>
		<dc:creator>www.andrewhay.ca &#187; Follow-up From a Company, It&#8217;s CTO, and his people&#8230;</dc:creator>
		<pubDate>Wed, 02 May 2007 22:14:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.andrewhay.ca/archives/106#comment-1471</guid>
		<description>[...] my Suggested Blog Reading - Tuesday May 1st, 2007 post I received a rather pleasant note from Pravin Bhagwat, Chief Technology Officer of AirTight [...]</description>
		<content:encoded><![CDATA[<p>[...] my Suggested Blog Reading &#8211; Tuesday May 1st, 2007 post I received a rather pleasant note from Pravin Bhagwat, Chief Technology Officer of AirTight [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pravin Bhagwat, CTO</title>
		<link>http://www.andrewhay.ca/archives/106/comment-page-1#comment-1470</link>
		<dc:creator>Pravin Bhagwat, CTO</dc:creator>
		<pubDate>Tue, 01 May 2007 23:32:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.andrewhay.ca/archives/106#comment-1470</guid>
		<description>Re: Wireless NAC!

David Maynor of Errata Security recently posted some opinions about AirTight’s technology under the guise of a product test about what he refers to alternately as wireless IDS, wireless IPS, or wireless NAC technology in his blog. As Mr. Maynor is well known in the industry for his attacks on industry leaders (such as Apple, Intel, and Cisco), we feel we are in good company to be on his target list.

We have offered Mr. Maynor a conversation with me so that we may understand what equipment he tested, how he obtained it, what revision level it was, and to clarify his results, since this was an unauthorized ‘review’ of our product. 

Maynor presents an incomplete and biased argument, as he clearly does not understand either the capabilities of or the design targets for the AirTight SpectraGuard Enterprise solution and seems to be arguing a semantic question about the common nomenclature of ‘wireless intrusion prevention’ (WIPS) indicating it should be replaced by ‘wireless network access control’ (WNAC). His blog criticizes AirTight for terminology driven by the industry analysts and used by the industry as a whole with no attempt to confuse customers.

Aside from the fact that all of the issues Maynor points out as problems apply to all of the Wireless Intrusion Prevention Systems (WIPS) vendors that are shipping products today and that some of the information about AirTight appears to come from a white paper from 2005 which tested a 3.0 beta version of our product, Maynor makes some naïve assumptions about our design targets and mis-states what AirTight has “advertised”.

Maynor’s concluding paragraph states, “[These boxes] should not be labeled either &quot;intrusion detection&quot; or &quot;intrusion prevention&quot;. These devices have no ability to stop a driver level attack like the ones we have previously discussed.”

Maynor points out three “problems” from his perspective, which come to inaccurate conclusions:

Problem #1: Protection relies on deauth packets – which an attacker can ignore

Maynor claims that WIPS prevention can be circumvented if an attacker can plant a hand-crafted rogue AP into a corporate network. This limitation is not unique to AirTight -- all other WIPS products have the same limitation.

AirTight has also developed advanced capabilities (such as wire side port blocking &amp; selective virtual jamming) which can be used to offer more resistance to an attacker. AirTight’s session containment has been shown to perform better than any other vendor’s session containment (see the Tolly Group results on AirTight’s website).

Problem #2: a hacker can flood our systems and still gain entry

Again, this observation is not unique to AirTight. If the reader is interested, we can share easier tricks which will cause other WIPS systems to generate *wrong* information.

Theoretically speaking any software system can be attacked. WIPS are no exception. The real question is if a WIPS vendor has a technology/development roadmap to continuously raise the bar. 

If a hacker were to launch the sort of attack (flood of probe packets) described by Maynor, SpectraGuard Enterprise would see this flood of probe packets – and this in and of itself would generate a separate alarm – causing a network admin to check the system – the defense in depth philosophy at work.

SpectraGuard is the only system which is actually able to block the most common types of DoS attacks and to do location tracking of a DoS attacker – both critical capabilities when dealing with a determined hacker.


Problem #3: We send out information about the network through our system

We are sure the author already knows that a rogue AP connected to a network already leaks a ton of information. An AirTight sensor does not disclose any more information than what is already available to an attacker through alternate means.

One of the points in this blog entry seems to be that you can fingerprint network identity by reading some of the packets AirTight uses to identify whether a rogue AP is on the enterprise network. It is true that this technique exposes IP subnet identity but Maynor seems to have missed the point. An open rogue AP exposes more information than our sensor. For example – spanning tree protocol and other broadcast packets (e.g. ARP) expose much more information about the wired network (default gateway IP/MAC address, etc.) than AirTight exposes via our techniques. The bottom line: An attacker doesn’t need to decipher AirTight’s packets to fingerprint (i.e. map out) the wired network.

AirTight’s philosophy is simple and our products are designed around it.

(1)	WIPS should *not* rely on only one session containment technique (that is, De-auth based). AirTight was the first vendor to recognize this and is the only vendor today which has built non de-auth based session containment techniques in the product. The author unfortunately didn’t test those features and made premature conclusions. Should this threat become real, AirTight already has the capability to contain de-auth resistant APs. AirTight provides access control at the level 2 layer using a battery of techniques beyond deauth and is the only solution which does this.

(2)	Hackers will soon start launching attacks against WIPS. A WIPS not only needs to detect, prevent and locate threats, but also it should be able to protect itself. Similar to (1), AirTight was the first vendor to recognize this trend and is already building several defenses in its SpectraGuard product.

In summary, security is a process not a product. It is always about raising the bar and multi-layered security is always required. A WIPS system is one layer but real time alerts, location tracking and physical remediation are always recommended as supplementary lines of defense.

No security solution is foolproof and AirTight does not claim foolproof security. None of us has a silver bullet but most IT managers do not face a determined hacker with a sophisticated black box on a daily basis, which seems to be what Maynor was using. If you did find yourself attacked by hackers, AirTight SpectraGuard is the best product to help you address this challenge.</description>
		<content:encoded><![CDATA[<p>Re: Wireless NAC!</p>
<p>David Maynor of Errata Security recently posted some opinions about AirTight’s technology under the guise of a product test about what he refers to alternately as wireless IDS, wireless IPS, or wireless NAC technology in his blog. As Mr. Maynor is well known in the industry for his attacks on industry leaders (such as Apple, Intel, and Cisco), we feel we are in good company to be on his target list.</p>
<p>We have offered Mr. Maynor a conversation with me so that we may understand what equipment he tested, how he obtained it, what revision level it was, and to clarify his results, since this was an unauthorized ‘review’ of our product. </p>
<p>Maynor presents an incomplete and biased argument, as he clearly does not understand either the capabilities of or the design targets for the AirTight SpectraGuard Enterprise solution and seems to be arguing a semantic question about the common nomenclature of ‘wireless intrusion prevention’ (WIPS) indicating it should be replaced by ‘wireless network access control’ (WNAC). His blog criticizes AirTight for terminology driven by the industry analysts and used by the industry as a whole with no attempt to confuse customers.</p>
<p>Aside from the fact that all of the issues Maynor points out as problems apply to all of the Wireless Intrusion Prevention Systems (WIPS) vendors that are shipping products today and that some of the information about AirTight appears to come from a white paper from 2005 which tested a 3.0 beta version of our product, Maynor makes some naïve assumptions about our design targets and mis-states what AirTight has “advertised”.</p>
<p>Maynor’s concluding paragraph states, “[These boxes] should not be labeled either &#8220;intrusion detection&#8221; or &#8220;intrusion prevention&#8221;. These devices have no ability to stop a driver level attack like the ones we have previously discussed.”</p>
<p>Maynor points out three “problems” from his perspective, which come to inaccurate conclusions:</p>
<p>Problem #1: Protection relies on deauth packets – which an attacker can ignore</p>
<p>Maynor claims that WIPS prevention can be circumvented if an attacker can plant a hand-crafted rogue AP into a corporate network. This limitation is not unique to AirTight &#8212; all other WIPS products have the same limitation.</p>
<p>AirTight has also developed advanced capabilities (such as wire side port blocking &amp; selective virtual jamming) which can be used to offer more resistance to an attacker. AirTight’s session containment has been shown to perform better than any other vendor’s session containment (see the Tolly Group results on AirTight’s website).</p>
<p>Problem #2: a hacker can flood our systems and still gain entry</p>
<p>Again, this observation is not unique to AirTight. If the reader is interested, we can share easier tricks which will cause other WIPS systems to generate *wrong* information.</p>
<p>Theoretically speaking any software system can be attacked. WIPS are no exception. The real question is if a WIPS vendor has a technology/development roadmap to continuously raise the bar. </p>
<p>If a hacker were to launch the sort of attack (flood of probe packets) described by Maynor, SpectraGuard Enterprise would see this flood of probe packets – and this in and of itself would generate a separate alarm – causing a network admin to check the system – the defense in depth philosophy at work.</p>
<p>SpectraGuard is the only system which is actually able to block the most common types of DoS attacks and to do location tracking of a DoS attacker – both critical capabilities when dealing with a determined hacker.</p>
<p>Problem #3: We send out information about the network through our system</p>
<p>We are sure the author already knows that a rogue AP connected to a network already leaks a ton of information. An AirTight sensor does not disclose any more information than what is already available to an attacker through alternate means.</p>
<p>One of the points in this blog entry seems to be that you can fingerprint network identity by reading some of the packets AirTight uses to identify whether a rogue AP is on the enterprise network. It is true that this technique exposes IP subnet identity but Maynor seems to have missed the point. An open rogue AP exposes more information than our sensor. For example – spanning tree protocol and other broadcast packets (e.g. ARP) expose much more information about the wired network (default gateway IP/MAC address, etc.) than AirTight exposes via our techniques. The bottom line: An attacker doesn’t need to decipher AirTight’s packets to fingerprint (i.e. map out) the wired network.</p>
<p>AirTight’s philosophy is simple and our products are designed around it.</p>
<p>(1)	WIPS should *not* rely on only one session containment technique (that is, De-auth based). AirTight was the first vendor to recognize this and is the only vendor today which has built non de-auth based session containment techniques in the product. The author unfortunately didn’t test those features and made premature conclusions. Should this threat become real, AirTight already has the capability to contain de-auth resistant APs. AirTight provides access control at the level 2 layer using a battery of techniques beyond deauth and is the only solution which does this.</p>
<p>(2)	Hackers will soon start launching attacks against WIPS. A WIPS not only needs to detect, prevent and locate threats, but also it should be able to protect itself. Similar to (1), AirTight was the first vendor to recognize this trend and is already building several defenses in its SpectraGuard product.</p>
<p>In summary, security is a process not a product. It is always about raising the bar and multi-layered security is always required. A WIPS system is one layer but real time alerts, location tracking and physical remediation are always recommended as supplementary lines of defense.</p>
<p>No security solution is foolproof and AirTight does not claim foolproof security. None of us has a silver bullet but most IT managers do not face a determined hacker with a sophisticated black box on a daily basis, which seems to be what Maynor was using. If you did find yourself attacked by hackers, AirTight SpectraGuard is the best product to help you address this challenge.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
