I have finished giving Meraki's Air Marshal a second look and this time things went much better.
A few weeks ago I posted my first review and, unfortunately, the review was not very positive. After posting my review, I had some email conversation with some Meraki engineers and TAC which identified some issues. For starters, it turns out my MR-16 access point had a faulty 2.4 GHz radio and the wrong firmware version was pushed to me. With these two issues resolved, and some additional firmware changes, I set out to give Air Marshal a second chance. Here are my thoughts:
As seen in the brief presentation above, Air Marshal did a decent job of detecting interfering access points, manually and automatically containing access points, and identifying spoofed APs. These were all things that did not function properly the first time I test the solution so I was happy to see them work as advertised.
I was also pleased to receive email notifications when rogue APs were detected. This is an important feature and, again, I was happy to see that this issue had been resolved.
I Didnt' Test Everything
Due to the limitations of a home wireless lab, I didn't have a chance to play around with all the features of Air Marshal. Here are a few things I have not tested yet:
- automatic containment of rogues on LAN
- wildcard containment
Perhaps I'll get to those in the near future.
My Wish List
While Air Marshal does succeed at providing basic WIPS functionality, there are several things I really would like to see in the soluiton:
- Improved Alerts - Generating an email for rogue AP detection is a good start but I would really like to see the reporting capabilities expanded and improved. For example, I did not receive an email when Air Marshal detected a spoofed AP. This is just as important as a rogue AP and I should be able to report on it.
- More Granular Whitelisting - Air Marshal currently accepts SSIDs being broadcast by other Meraki APs in the same network as valid. Administrators also have the ability to whitelist specific SSIDs to avoid accidentally deauth flooding a valid, non-Meraki WLAN. I think this feature needs to be expanded beyond simply whitelisting an SSID. Instead, I would like to have the ability to whitelist BSSIDs.
- Rogue on LAN - Probably the biggest weakness I noticed is Air Marshal's ability to successfully identify when a rogue AP is on my LAN. Right now this feature is really hit'n miss. I'm told the algorithm used to make this determination is being reworked so hopefully we will see a real improvement shortly.
- Attack Signatures - Detecting rogues and containing them is a great start but there are other types of wireless threats out there. I would really like to see Air Marshal expand beyond simple rogue activity to encompass detecting and alerting of other wireless attacks.
My Second Impression
My Air Marshal experience was vastly improved this time around. It was nice to see features working as advertised. I think that is an important point, so I will restate it: as advertised. The Meraki documenation doesn't make claims that Air Marshal is at the same level as other, more mature, WIPS solutions.
Meraki has the beginnings of a decent wireless intrusion prevention system but the system still has plenty of room for improvement. In speaking with Meraki TAC and engineering, it sounds like major improvements are in the works. This is welcome news for sure.
In the meantime, I would say that Air Marshal is a decent rogue detection and containment solution for existing Meraki customers only. There are still some additional features required before I would consider it to be a full WIPS solution and I look forward to watching this product evolve over the next few months.
Ful Disclosure: Due to hardware issues experienced during my initial testing, I was provided with additional MR24, MR16, and MR12 access points to assist with my second round of testing. No requirement for positive review or endorsement was communicated or granted as a result of this.