WLAN infrastructure vendor Meru Networks Inc is considering enhancing its Security Services Module to enable it to detect the source of wireless attacks.
The Sunnyvale, California-based company unveiled the SSM in January as an additional capability in its access points that is activated on the controller at the center of the WLAN.
Manav Khurana, senior product manager at Meru, said it is not a replacement for other WiFi security arrangements, such as dedicated WIDS/WIPS sensors from the likes of AirDefense, AirMagnet or Network Chemistry, or time sharing on radios in APs, which means they act as sensors for part of the time and APs for the rest. Rather, SSM complements either of these approaches, he argued.
The SSM leverages the core competency in RF engineering that we have built up in developing our WiFi products and which has afforded us pioneer status in voice over WiFi, he said. It carries out physical-level security on the actual signal.
The first differentiator to the technology is that, instead of allocating set times at which an AP’s radios will switch to promiscuous (i.e. sensing) mode rather than providing client access, SSM carries out what Meru calls micro-sensing.
This means that an AP only scans a frame when it is using it en route to another AP. If a frame is intended for that AP it will be processed normally and forwarded, whereas one meant for somewhere else will be scanned off-channel, with the radio returning onto the channel as soon as the frame scanning is completed.
We have figures to suggest that this represents a fourfold improvement in scanning efficient vis-a -vis the traditional approaches such as time sharing, with no additional cost, said Khurana. Of course, a dedicated sensor operating full-time will bring still greater functionality, but represents considerably more cost than the Meru SSM.
A second feature of SSM highlighted by Meru as a differentiator is threat mitigation through RF jamming. Since it operates at the signal level, and traffic to or from a rogue AP or ad hoc networks operating on the network can be rendered useless by injecting white noise for the duration of the offending frame.
This is a more efficient means of blocking than the traditional deauthentication attack, whereby traffic is injected onto the network to get a rogue AP deauthenticated, because that uses up bandwidth that could otherwise be utilized by legitimate APs and clients, Khurana said. We, on the other hand, simply don’t let rogue packets onto the air; we just make them look like white noise.
Again, though, he was at pains to stress that the technology is not designed to displace traditional blocking methods. It’s just an add-on, giving the controller more options for jamming.
Khurana was coy as to Meru’s exact roadmap for the SSM, but he did say that one potential avenue for exploration would be to apply identification techniques based on location to the problem of wireless attacks, i.e. enabling network admins to pinpoint exactly where an attack is originating from.