The answer depends on a risk assessment of the benefits and limitations of hybrid-mode air monitors (AMs) for the environment being monitored. Hybrid-mode AMs save money by somewhat reducing AP and cabling counts. In exchange, the speed and effectiveness of the wireless IDS/IPS system are somewhat reduced. Weighing both factors against each other yields the decision.
Benefits of Dedicated Air Monitors
All Aruba APs can be configured as either a dedicated AM that constantly scans the RF spectrum, or as a device that provides both AP and AM functions simultaneously (a hybrid mode or scanning AP).
An AP automatically provides monitoring on its configured channel. For example, an AP servicing clients on channel 1 provides full monitoring on channel 1. If set to perform off-channel scanning, the AP periodically spends limited time intervals scanning other channels in the band. The scanning period must be less than the 100ms beacon frequency. These periods occur by default every 10 seconds on an Aruba system, but can be configured to occur more often at the cost of reduced client performance.
Some performance impact is unavoidable with off-channel scanning. Multi-vendor lab testing recently found that when using scanning APs for both client service and off-channel monitoring, a throughput drop of up to 16% was possible when APs were required to spend significant time off-channel.
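The trade-off described above can be quantified with a small model. The following is an added example (not code from the original Aruba document): it uses the page's figures (a default scan every 10 seconds, each scan shorter than the 100 ms beacon interval) and assumes, as labelled, that a scanning AP visits one other channel per scan interval and that a US 2.4 GHz deployment has 10 other channels to check. It shows how shortening the scan interval cuts the time to sweep every channel but raises the airtime spent off-channel, and how deferred scans (traffic-aware scanning) stretch the sweep.

```python
# Page values: default off-channel scan every 10 s, each scan shorter than the
# 100 ms beacon interval. Channel counts passed in are assumptions (for example
# 10 "other" channels for US 2.4 GHz channels 1-11); 5 GHz counts vary by domain.
DEFAULT_SCAN_INTERVAL_S = 10.0
MAX_DWELL_MS = 100.0


def off_channel_fraction(interval_s, dwell_ms=MAX_DWELL_MS):
    """Share of airtime the AP spends away from its serving channel."""
    if interval_s <= 0 or dwell_ms < 0:
        raise ValueError("interval must be positive, dwell non-negative")
    return (dwell_ms / 1000.0) / interval_s


def full_sweep_seconds(interval_s, other_channels):
    """Seconds for a scanning AP to visit every other channel once.

    Assumption (not from the page): one channel per scan interval, no scans
    deferred. A channel is therefore unmonitored for at most this long."""
    return interval_s * other_channels


def full_sweep_with_deferrals(interval_s, other_channels, deferral_rate):
    """Traffic-aware scanning (page) can cancel or defer scans. Model a fixed
    fraction of scans being deferred; the sweep stretches by 1/(1 - rate)."""
    if not 0 <= deferral_rate < 1:
        raise ValueError("deferral_rate must be in [0, 1)")
    return full_sweep_seconds(interval_s, other_channels) / (1 - deferral_rate)


def compare_intervals(intervals_s, other_channels, dwell_ms=MAX_DWELL_MS):
    """Tabulate airtime cost vs. detection latency for candidate intervals."""
    rows = []
    for interval in intervals_s:
        rows.append({
            "interval_s": interval,
            "off_channel_pct": round(100 * off_channel_fraction(interval, dwell_ms), 2),
            "sweep_s": full_sweep_seconds(interval, other_channels),
        })
    return rows


if __name__ == "__main__":
    # Constructed comparison: default interval vs. a more aggressive one.
    for row in compare_intervals([DEFAULT_SCAN_INTERVAL_S, 5.0, 2.0], other_channels=10):
        print(row)
    print("sweep with half of scans deferred:",
          full_sweep_with_deferrals(DEFAULT_SCAN_INTERVAL_S, 10, 0.5), "s")
```

At the defaults the AP is off-channel about 1% of the time, yet a single 2.4 GHz channel can go unobserved for roughly 100 seconds; a dedicated AM has no such ceiling because it has no clients to return to.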
Are dedicated air monitors necessary? Although Aruba leaves this choice up to the customer, we highly recommend their use. Dedicated AMs provide a number of security-related enhancements over scanning APs. The following sections detail some of the benefits of monitoring with dedicated devices.
• 802.11n classification and containment: 802.11a/b/g APs cannot detect or contain 802.11n AP traffic. For this reason, customers are strongly encouraged to deploy dedicated AMs that are 802.11n compatible, even if the APs they are purchasing are 802.11a/b/g only.
• Faster rogue AP classification and containment: Enhanced security monitoring enables faster response to these security breaches by performing the following functions:
o Classification. Rogue classification is the ability to determine whether a rogue AP is connected to the wired network, and, if so, where it is connected. The longer the AP or AM can spend sampling data on a channel, the more accurate and timely the classification results will be. Scanning APs that are servicing clients can also classify rogue APs, but they are much slower because they must dedicate time to the clients.
o Containment. When a rogue AP has been detected and classified, Aruba can automatically disable it using a low-bandwidth wired and wireless denial of service (DoS) attack. For the wireless DoS attack, the transmitting device must be on the same channel as the rogue AP and must stay on that channel to continue the containment action. While a scanning AP can go off-channel to perform rogue AP containment, throughput can be severely impacted if the rogue is on a different channel than the AP's own serving channel. Dedicated air monitors provide a more effective way to perform rogue AP containment without negatively impacting the performance of the wireless network.
• Ad-Hoc network detection and containment. Ad-hoc networks typically generate much less traffic than rogue APs. For this reason, there is a low probability that a scanning AP will find an ad-hoc network during its brief scan interval. With dedicated AMs, ad-hoc networks are quickly detected and disabled.
RF Management and Troubleshooting Benefits
• Packet capture, or sniffing, enables network managers to troubleshoot the network. An AP can perform packet capture on its configured channel, but performing this function on another channel adversely affects client service. A dedicated AM solves this problem because it can capture traffic on any channel.
• Statistics monitoring is another valuable troubleshooting tool. Aruba devices collect a wealth of statistical information about the RF environment, such as interference levels, number of devices, top talkers, frame retry rates, RSSI, devices out of range, and frame type/size distribution. APs provide this functionality for their own channels and offer a limited view of what is happening on other channels. Dedicated AMs scan channels with a much longer dwell time and provide a more accurate picture of what is happening on each channel.
Client Performance Benefits
• Client performance is affected when APs go off channel to scan; voice clients are particularly sensitive. Aruba’s traffic-aware scanning can cancel or defer off-channel scanning. However, while this improves client performance it reduces the security monitoring time. With dedicated AMs, the network can maximize both security and performance without having to choose between the two.
How to Compute AM Counts
For planning purposes, Aruba recommends a ratio of 1 dedicated air monitor for every 4 APs. Each AM can hear traffic within a 20,000-25,000 square foot area (80-90 foot cell radius) in a typical environment. Position AMs to cover the target area without gaps. For larger facilities, Aruba recommends covering target areas with multiple sensors using a 25% cell overlap factor. Aruba's RF Plan tool can help visualize AM coverage.
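The two planning rules above (1 AM per 4 APs, and enough AM cells to cover the floor area) can give different answers, and the larger one is the figure to plan with. The following is an added example, not part of the original Aruba document or its RF Plan tool. It uses the page's numbers (1:4 ratio, 20,000-25,000 square foot cells, 80-90 foot radius, 25% overlap for larger facilities) and assumes, as labelled in the code, that a 25% overlap factor reduces each cell's unique coverage to 75% of its area; the sample site (40 APs, 200,000 square feet) is constructed.

```python
import math

# Page planning figures for dedicated air monitors (AMs).
APS_PER_AM = 4                        # 1 dedicated AM for every 4 APs
CELL_RADIUS_FT = (80, 90)             # typical AM cell radius
CELL_AREA_SQFT = (20_000, 25_000)     # typical area an AM can hear
LARGE_SITE_OVERLAP = 0.25             # 25% cell overlap for larger facilities


def cell_area_from_radius(radius_ft):
    """Area of a circular cell; confirms the page's radius and area figures agree
    (80 ft -> ~20,100 sq ft, 90 ft -> ~25,400 sq ft)."""
    return math.pi * radius_ft ** 2


def ams_by_ap_ratio(ap_count):
    """Rule 1: one AM per four APs, rounded up."""
    if ap_count < 0:
        raise ValueError("ap_count must be non-negative")
    return math.ceil(ap_count / APS_PER_AM)


def ams_by_area(area_sqft, cell_area_sqft, overlap=0.0):
    """Rule 2: enough cells to cover the floor area.

    Assumption (not stated on the page): an overlap factor shrinks each cell's
    unique contribution to (1 - overlap) of its area, so cells pack denser."""
    if not 0 <= overlap < 1:
        raise ValueError("overlap must be in [0, 1)")
    unique_per_cell = cell_area_sqft * (1 - overlap)
    return math.ceil(area_sqft / unique_per_cell)


def plan_air_monitors(ap_count, area_sqft, overlap=LARGE_SITE_OVERLAP):
    """Apply both rules and return the larger as the planning figure.

    The area rule is evaluated at both ends of the cell-size range; the
    smaller cell (worst case) drives the recommendation."""
    by_ratio = ams_by_ap_ratio(ap_count)
    small_cell, large_cell = CELL_AREA_SQFT
    by_area_best = ams_by_area(area_sqft, large_cell, overlap)
    by_area_worst = ams_by_area(area_sqft, small_cell, overlap)
    return {
        "by_ap_ratio": by_ratio,
        "by_area_best_case": by_area_best,
        "by_area_worst_case": by_area_worst,
        "recommended": max(by_ratio, by_area_worst),
    }


if __name__ == "__main__":
    # Constructed site: 40 APs on 200,000 sq ft of floor space.
    print(plan_air_monitors(ap_count=40, area_sqft=200_000))
```

For the constructed site the AP ratio alone suggests 10 AMs, but covering 200,000 square feet with 20,000 square foot cells at 25% overlap needs 14, so 14 is the planning figure; a small site is usually bounded by the AP ratio instead.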