June 17, 2002

IBM researchers demonstrate industry's first self-diagnostic wirelesssecurity monitoring tool

IBM Research has demonstrated the
industry's first self- diagnostic tool that can automatically monitor
802.11 wireless networks and report security problems in real-time. The
Distributed Wireless Security Auditor (DWSA), which runs on desktop and
laptop computers, can monitor wireless network security and report to the
central back-end servers minute by minute, 24 hours a day, seven days a
IBM researchers introduced its first version, the Wireless Security Auditor
(WSA) last summer, which runs on a small wireless PDA running Linux. IBM
Global Services quickly developed a specific services offering that deploys
software tools, including the WSA, to help customers safeguard and perform
risk assessments of their wireless networks. Researchers have now
extended the tool, making it more autonomic by adding self-sensor and
self-diagnosis features. Running as a lightweight process on wireless
clients in an enterprise, DWSA can quickly report wireless infrastructure
security issues to system administrators.

"As 802.11 wireless networks have become more popular, their security has
to be checked frequently to ensure they are still secure," says Dave
Safford, manager of Global Security Analysis Lab at IBM Research. "Our
self-diagnostic tool takes advantage of the many wireless clients already
out there by having them continuously monitoring the security of the
wireless network and reporting anomalies to a central server, all without
human intervention."

The DWSA system, which runs on Linux on desktops and laptops, can
accurately pinpoint the location of any rogue access points, enabling
network personnel to quickly find and then fix or remove them, unlike other
wireless auditors that require personnel to perform time consuming physical
searches by walking around the site. DWSA locates rogue access points
based on signal strength measurements by the wireless hardware on the
distributed clients. The signal strengths vary with the distance from the
rogue, and can be used to estimate the actual distance. As long as at least
three client machines report the signal strength of the rogue, their
reports can be used by the system to calculate the access point location
using the estimated ranges and simple geometry. The Windows version will
be ready shortly.

Existing security for 802.11 wireless consists of two subsystems: a data
encryption technique called Wired Equivalent Privacy (WEP) and an
authentication method, either Shared Key or 802.1x. Both the encryption
and authentication are optional, and wireless access points are typically
shipped with both turned off. Wireless network security needs to be
checked frequently since employees can easily add new wireless devices,
which may become easy access points for hackers. This tool allows system
administrators at the central location to find what access points exist and
examine their configuration remotely so that they can take proper steps to
keep the wireless network secure.

DWSA acts as an extension of IBM's security consulting team by continuously
monitoring customers' wireless systems so they can enjoy the benefits of
wireless technology with the security of wireline computing. In addition,
a new wireless risk assessment offered by IBM Global Services for WLANs
uses a combination of tools, techniques and methodology to help customers
evaluate their security posture. As part of a full family of wireless
services, the Wireless Security Auditor for LANs is used by IBM
consultants to detect wireless access points that do not have the
appropriate security. A set of recommendations are sent to the customer,
as well as a proposal to address security issues detected. These
recommendations go beyond the simple technology and cover processes and
security policies as well.

IBM Tivoli Risk Manager continues to expand on its vulnerability management
capabilities by extending its support to wireless network vulnerability
management based on the DWSA. IBM Tivoli Risk Manager monitors output of
the DWSA and other security checkpoints giving administrators a complete
view of e-business security exposures, intrusions and wireless network

The wireless security tool was developed in collaboration with the IBM
Personal Computing Division, which is investigating the potential of
including it on future ThinkPad models. ThinkPads are already equipped with
built-in 802.11b wireless networking capability.

For further information on DWSA, visit to www.research.ibm.com/gsal/dwsa.
Further information on IBM Research can be found at: www.ibm.com/research.

Click Here!