Clear Choice Tests
WaveLink Mobile Manager Enterprise
Save time (and headaches) managing your WLAN infrastructure

By Thomas Henderson
Network World, 02/21/05

When you've got a large enterprise wireless LAN infrastructure, keeping track of all your access points becomes a monster job as the network gets bigger. WaveLink's Mobile Manager Enterprise is a central administrative, management and infrastructure audit point for an 802.11 WLAN. In tests, we found that it's a major piece of the puzzle that can be made even larger with the integration of AirMagnet Enterprise (see related story) to help diagnose network problems.

Mobile Manager Enterprise has an almost-surgical ability to manage a diverse set of access point brands and models in great detail by administrator-defined groups with pre-defined, articulate policies. Firmware upgrades and access control list (ACL) changes - the bane of access point management - can be rolled out with incredible ease. WaveLink keeps track of its list of compatible vendors and knows their foibles perhaps better than the access point vendors themselves. Where WaveLink can control, it has a very strong grip.

We found that the system can be fooled, but not for long. Mobile Manager Enterprise doesn't monitor the wires like a protocol analyzer or intrusion-detection application, so it's for wireless components only. It also has a limited set of enterprise wireless access points that are compatible with the system.

Monitor and manage

Mobile Manager Enterprise is a server-based application that runs on Windows 2000 server or XP Professional (with appropriate service packs installed). The server application joins a wired network where wireless access points reside. These networks can be local, or joined over a VPN or private network link.

The system monitors, controls and administers the discovered wireless access point infrastructure. Mobile Manager Enterprise runs as a Windows service, and an application called Administrator connects to the service through an authorized network adapter on the server.

The system probes the network via administrator-defined searches to look for access point signatures that it knows through an auto-discovery process (it looks for various Layer 2 signatures). Specific IP address ranges also can be monitored for access point signatures. When found, the access points are added to the Mobile Manager Enterprise database. Access points are categorized and become managed by groups and areas. The system manages only enterprise-class access points, and the compatibility list is important because incompatible access points must be managed singly and discretely. Managing an incompatible access point adds to the labor cost, thwarting the WaveLink system's usefulness. We wish more access point models could be managed with WaveLink, but because enterprise-class devices are uniformly managed through SNMP and ACLs, users of lower-priced access points with fewer features will be left out from WaveLink's management conveniences.

A graphical view of the network can be used to visualize discovered components. You then can watch mobile devices roam across the graphical maps imported into the application. We found this amusing but not incredibly compelling. This feature might be useful in tracking rogue devices as they roam through a large facility and potentially helps locate these devices when needed; otherwise, it's more of a gimmick.

We used several compatible and incompatible access points, and found that Mobile Manager Enterprise knew which ones were and weren't within seconds (see "How we did it"). We found it possible to fool the system by changing the media access control (MAC) address of a D-Link Systems home access point/router to one that falls within a compatible range. But that trick worked only until the system probed the access point/router to discover the masquerade during the system's check of its known access point lists. This type of rogue lives a short life until it is detected. Except for some very old yet ostensibly compatible access points, detection was flawless.

The system then can develop an ACL or point to a control point (we used a Linux-resident RADIUS server) as an authenticator. It is necessary to populate access points with the information needed to update their ACLs with acceptable client-side MAC addresses. The ability of Mobile Manager Enterprise to do ACL updates across an entire corporation itself is nearly worth the price of the product in labor savings. Newly installed or replacement access points can be automatically updated and placed into service. In our tests, this feature worked for three brands of compatible access points.

We also used the system to perform access point firmware updates and changes. Profiles for groups or individual access points can be built, including settings for security (such as Wired Equivalent Privacy, 802.1X and other settings). We found this simple to set up and a strong benefit. A default profile can be used as the basis for others. Once profiles are built, the default profile can be used to automatically install firmware updates and policies to any new access points. In testing, we found the automatic installation was a breeze for rolling out new or expanded wireless infrastructure.

WaveLink also sends an addendum that highlights implications of firmware updates for each access point type it covers. This is very handy, as access points from different brands and models don't react to firmware updates in the same way, requiring access point-specific instructions for updates. Also, if a firmware update requires a reload of an ACL list or other settings, Mobile Manager Enterprise can handle this rapidly.

The system's alerting feature lets users create statistical alerts (such as when traffic is too high or there are too many errors) to trigger e-mail messages, or proxy sends to a network management framework (Computer Associates' Unicenter, HP OpenView or another SNMP manager).

Mobile Manager Enterprise maintains a database of access point firmware that is subsequently sent to access points via Trivial FTP, which is an unsecure but seemingly mandatory protocol for updates to access points. We force-fed alarm conditions to the Mobile Manager Enterprise server using NMAP and were unable to make the system choke, although the user interface fell behind the updated alarm lists for a while.

Rogue/error detection

A prerequisite for using Mobile Manager Enterprise is that an entire spatial geography be covered by access points (or AirMagnet sensors), as the system doesn't perform intrusion-detection-system-like checks of network wires to look for rogue access point signatures, except when it periodically probes the network looking for access points. The time frame is long enough to let some access points with spoofed MAC addresses be ignored for a while. When a wireless rogue was introduced into Mobile Manager Enterprise-covered airspace, it detected it every time.

It learns the location of surrounding access points, and moving an access point physically can set off a trigger. Ad hoc networks that can be heard also are detected and flagged, such as APC's Wireless Mobile Router, which extends wired or dial-up connections for shared 802.11b clients. AirMagnet Enterprise adds value to the system by its ability to send triggers to Mobile Manager Enterprise that rogue devices have been detected.

We could only find one method that fooled Mobile Manager Enterprise, and only for a short time. It required a "van in the parking lot" style attack, where an access point with a wired connection uses a spoofed MAC address identical to the one it replaces. This works only until the scheduled probe discovers that the feature set isn't identical, which generates an alert. Other rogue attempts, via client or access points, were all detected.
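
The masquerade check described above, sketched as an added example (it is not WaveLink's code and not part of the original review): a managed inventory records each access point's expected feature set, and a scheduled probe flags a device whose MAC address matches an inventory entry but whose probed features do not. The field names, verdict labels, MAC addresses and fingerprints are all constructed for illustration.

```python
# Added illustration: inventory-versus-probe check for MAC masquerades.
# All field names, MACs and fingerprints below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Fingerprint:
    vendor: str
    model: str
    firmware: str
    features: frozenset  # management features the probe saw, e.g. {"snmp", "acl"}

def normalize_mac(mac):
    """Canonicalize so 02-00-..., 0200.00.. and 02:00:... compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(inventory, probes):
    """Return {mac: (verdict, detail)} for every probed device."""
    known = {normalize_mac(m): fp for m, fp in inventory.items()}
    results = {}
    for raw_mac, seen in probes:
        mac = normalize_mac(raw_mac)
        expected = known.get(mac)
        if expected is None:
            results[mac] = ("unknown", "MAC not in managed inventory")
            continue
        diffs = [f for f in ("vendor", "model") if getattr(seen, f) != getattr(expected, f)]
        missing = expected.features - seen.features
        if missing:
            diffs.append("missing " + ",".join(sorted(missing)))
        if diffs:  # right MAC, wrong device: the short-lived rogue
            results[mac] = ("masquerade", "; ".join(diffs))
        elif seen.firmware != expected.firmware:
            results[mac] = ("drift", f"firmware {seen.firmware} != {expected.firmware}")
        else:
            results[mac] = ("ok", "")
    return results

ENTERPRISE = frozenset({"snmp", "acl", "802.1x"})
INVENTORY = {"02:00:00:aa:00:01": Fingerprint("VendorA", "AP-1000", "2.1", ENTERPRISE),
             "02:00:00:aa:00:02": Fingerprint("VendorA", "AP-1000", "2.1", ENTERPRISE)}
PROBES = [("02-00-00-AA-00-01", Fingerprint("VendorA", "AP-1000", "2.1", ENTERPRISE)),
          ("0200.00aa.0002", Fingerprint("VendorA", "AP-1000", "2.1", frozenset({"acl"}))),
          ("02:00:00:bb:00:09", Fingerprint("VendorB", "HomeRouter", "1.0", frozenset()))]

if __name__ == "__main__":
    print(audit(INVENTORY, PROBES))
```

The window between probes is the exposure the review measured: a device that copies a managed MAC address passes any MAC-only check until the next fingerprint comparison runs.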

A few bumps

The user interface suffers from a few features that don't work (for example, seeing date stamps on logs from the log manager). There is no method to import user ACLs or draw from directory services of any kind. MAC address data entry is painful, even if it needs to be done only once. Even companies that keep studious track of user information must enter items manually.

Documentation is extensive, but sometimes ambiguous. Updates are helpful for access point-specific information, but drawing conclusions as to action items is left to end users, as no recommendations are made.

Overall, WaveLink's Mobile Manager Enterprise is an extraordinary time saver. It's a must-have for companies with heterogeneous access point infrastructure (and remote sites), as the alternative is lots of duplication of effort to manage and update access points, and the incumbent documentation needed for security audits.

Henderson is principal researcher for ExtremeLabs in Indianapolis. He can be reached at thenderson@extremelabs.com.

This story and associated images are copyright, 1995-2003 Network World, Inc.