
My latest thoughts and ideas about wireless technology.

Entries in review (3)

Monday, Aug 06 2012

A Second Look at Meraki's Air Marshal

I have finished giving Meraki's Air Marshal a second look and this time things went much better.

A few weeks ago I posted my first review and, unfortunately, the review was not very positive. After posting my review, I had some email conversation with some Meraki engineers and TAC which identified some issues. For starters, it turns out my MR-16 access point had a faulty 2.4 GHz radio and the wrong firmware version was pushed to me. With these two issues resolved, and some additional firmware changes, I set out to give Air Marshal a second chance. Here are my thoughts:

It Worked

As seen in the brief presentation above, Air Marshal did a decent job of detecting interfering access points, manually and automatically containing access points, and identifying spoofed APs. These were all things that did not function properly the first time I tested the solution so I was happy to see them work as advertised.

I was also pleased to receive email notifications when rogue APs were detected. This is an important feature and, again, I was happy to see that this issue had been resolved. 

I Didn't Test Everything

Due to the limitations of a home wireless lab, I didn't have a chance to play around with all the features of Air Marshal. Here are a few things I have not tested yet: 

  • triangulation
  • automatic containment of rogues on LAN
  • wildcard containment

Perhaps I'll get to those in the near future. 

My Wish List

While Air Marshal does succeed at providing basic WIPS functionality, there are several things I really would like to see in the solution:

  1. Improved Alerts - Generating an email for rogue AP detection is a good start but I would really like to see the reporting capabilities expanded and improved. For example, I did not receive an email when Air Marshal detected a spoofed AP. This is just as important as a rogue AP and I should be able to report on it.
  2. More Granular Whitelisting - Air Marshal currently accepts SSIDs being broadcast by other Meraki APs in the same network as valid. Administrators also have the ability to whitelist specific SSIDs to avoid accidentally deauth flooding a valid, non-Meraki WLAN. I think this feature needs to be expanded beyond simply whitelisting an SSID. Instead, I would like to have the ability to whitelist BSSIDs.
  3. Rogue on LAN - Probably the biggest weakness I noticed is Air Marshal's ability to successfully identify when a rogue AP is on my LAN. Right now this feature is really hit'n miss. I'm told the algorithm used to make this determination is being reworked so hopefully we will see a real improvement shortly.
  4. Attack Signatures - Detecting rogues and containing them is a great start but there are other types of wireless threats out there. I would really like to see Air Marshal expand beyond simple rogue activity to encompass detecting and alerting of other wireless attacks.

My Second Impression

My Air Marshal experience was vastly improved this time around. It was nice to see features working as advertised. I think that is an important point, so I will restate it: as advertised. The Meraki documentation doesn't make claims that Air Marshal is at the same level as other, more mature, WIPS solutions.

Meraki has the beginnings of a decent wireless intrusion prevention system but the system still has plenty of room for improvement. In speaking with Meraki TAC and engineering, it sounds like major improvements are in the works. This is welcome news for sure.

In the meantime, I would say that Air Marshal is a decent rogue detection and containment solution for existing Meraki customers only. There are still some additional features required before I would consider it to be a full WIPS solution and I look forward to watching this product evolve over the next few months.

Daniel

Full Disclosure: Due to hardware issues experienced during my initial testing, I was provided with additional MR24, MR16, and MR12 access points to assist with my second round of testing. No requirement for positive review or endorsement was communicated or granted as a result of this.

Sunday, Jul 22 2012

My First Look at Meraki's Air Marshal 

Note: I performed a second review with new hardware and updated firmware. Many of the issues identified in this post have been resolved.

After playing around with Meraki's new wireless intrusion prevention system (WIPS) called Air Marshal for a few days, I have to say that I am left feeling surprisingly underwhelmed. 

Usually, when Meraki releases a product it is a straight-forward, and elegant solution which is controlled via their amazingly simple administrative interface. Unfortunately, based on my limited testing of Air Marshal, Meraki has missed the mark right out of the gates with this one. Here is how my experience with Air Marshal went:

The Setup

As with most new features, Meraki is rolling out Air Marshal gradually to all existing cloud controllers. I, being impatient as I am, couldn't wait for gradual to happen so I opted for the expedited approach:

[Image: Twitter conversation with Meraki]

I called Meraki technical support and spoke with a very nice gentleman who promptly pushed the feature to my cloud controller. He also informed me that my MR-16 access point would need to receive a firmware update as well, and that he could push the update immediately. We chatted about Air Marshal while my AP was updated and performed its reboot. After that, I thanked him for his time and converted my AP to an Air Marshal sensor by following the instructions posted on the Meraki website.

With my MR-16 happily running as an Air Marshal sensor, I turned thoughts toward giving it some friends to play with. In addition to the 2 SSIDs already being broadcast, I plugged in a Linksys SOHO access point broadcasting 1 SSID, and an Aruba IAP-135 broadcasting 2 SSIDs. This gave me a total of 5 SSIDs being broadcast by 3 access points which were all sitting on the same flat switch as my MR-16. Let the fun begin!

Detecting and Classifying Rogues

This is where my experience started to turn south. To my surprise, my MR-16 didn't pick up all of the SSIDs that were being broadcast by access points that were located 3 meters away.

[Image: Detection and classification.]

As seen in the picture above, Air Marshal detected and classified 7 wireless networks (some are neighbouring APs outside of my control). Unfortunately, of the SSIDs shown in the picture, 4 were incorrectly classified as 'Other' when they should have been classified as 'Rogue'. Those SSIDs are: SimplyWiFi, SOHO-Linksys, NewSchool, and 1 hidden SSID. Causing further concern was the fact that 2 of my SSIDs were not even detected: OldSchool and SimplyWiFi-G.

I gave Air Marshal the benefit of the doubt and pressed on thinking a little traffic might improve its accuracy. Sadly, connecting to each of my wireless networks and surfing the web didn't improve the classifications. It was while looking at the classifications that I noticed another error: all of the detected networks were tagged as 'unencrypted'. This was inaccurate for all networks shown in the above image. All of my networks were running WPA2-PSK with the exception of the old Linksys AP which was running WPA-PSK. Here is a shot showing my SimplyWiFi networks:

[Image: Aerohive AP connections showing WPA2-PSK for both SSIDs]

Again, still willing to give my beloved MR-16 the benefit of the doubt I logged into my IAP-135 and checked out the IDS logs. It was able to see both of my SimplyWiFi SSIDs just fine even though it was not acting as a dedicated sensor since it was serving up two SSIDs.

[Image: IAP-135 detecting my Aerohive broadcast SimplyWiFi SSIDs.]

I decided to let Air Marshal do its thing and move on to containment.

Rogue Containment

You might have noted, in one of the pictures above, that one of the SSIDs was whitelisted and another was marked as 'partially contained'. This was due to my testing of the containment functionality. Once I marked my SOHO-Linksys SSID for containment, I connected to it with my iPod and waited to be unceremoniously disconnected; the disconnection never came. I was able to happily surf and use NetFlix without any issues. I even tried moving to within a meter of the MR-16 in hopes that it could over power the Linksys from such a position. Nothing. 

Intrigued, I fired up my Backtrack 5 R1 laptop and used airodump-ng to capture everything on channel 6 expecting to catch a glimpse of some deauth or disassociation frames. Not a single deauth or disassociation frame was seen.
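An added example, not part of the original post: a standard-library Python check that counts deauthentication and disassociation frames per BSSID in a saved monitor-mode capture, the same evidence the author looked for on channel 6. The function names and the sample capture are constructed for illustration; the parser accepts classic pcap files with link type 105 (raw 802.11) or 127 (radiotap).

```python
import struct
from collections import Counter

LINKTYPE_80211, LINKTYPE_RADIOTAP = 105, 127   # pcap link types for 802.11 captures
SUBTYPES = {10: "disassoc", 12: "deauth"}      # 802.11 management frame subtypes

def containment_frames(pcap_bytes):
    """Count deauth/disassoc frames per (kind, BSSID) in a classic pcap file."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype not in (LINKTYPE_80211, LINKTYPE_RADIOTAP):
        raise ValueError("capture does not contain raw 802.11 frames")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP:
            if len(pkt) < 4:
                continue
            pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]  # skip radiotap header
        if len(pkt) < 24:                  # shorter than a management header
            continue
        ftype, subtype = (pkt[0] >> 2) & 0x3, pkt[0] >> 4
        if ftype == 0 and subtype in SUBTYPES:            # type 0 = management
            bssid = ":".join(f"{b:02x}" for b in pkt[16:22])  # addr3 = BSSID
            counts[(SUBTYPES[subtype], bssid)] += 1
    return counts

def sample_pcap():
    """Constructed capture (not real traffic): 1 beacon, 2 deauths, 1 disassoc."""
    ap = bytes.fromhex("020000aabb01")     # constructed, locally administered BSSID
    def frame(fc0, reason=b""):
        radiotap = struct.pack("<BBHI", 0, 0, 8, 0)       # minimal 8-byte header
        hdr = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + ap + ap + b"\x00\x00"
        return radiotap + hdr + reason
    frames = [frame(0x80), frame(0xC0, b"\x07\x00"),
              frame(0xC0, b"\x07\x00"), frame(0xA0, b"\x08\x00")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (kind, bssid), n in sorted(containment_frames(sample_pcap()).items()):
        print(f"{bssid}  {kind:9s} {n}")
```

An empty result over a capture taken while a client is associated to a contained SSID corresponds to what the post describes: no containment traffic visible on that channel.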

Patience is Rewarded

I'm happy-ish to report that Air Marshal did eventually reclassify my SimplyWiFi SSID as rogue with no intervention by me. Total time to correct classification was about 24 hours.

[Image: Air Marshal rogue classification by keyword and automatic.]

You'll also notice that I tested the keyword classification feature and it worked just fine. I never did manage to get the containment feature to do its magic though. Also, I had the cloud controller configured to send me an email if it detected a rogue but no email was ever received.

[Image: Rogue email alert setting]

Closing Thoughts

I really did a lot of soul searching before writing this post. Part of me didn't want to post it because it doesn't paint the best picture of Air Marshal and comes off rather negative. However, I decided to post this because I feel it is my obligation to give honest feedback regardless of positive or negative outcome. In this case, the product fell short of expectations but my feedback is not based on negativity or malice.

I genuinely want to see Air Marshal, and Meraki, succeed. It just seems that perhaps, in this case, a new feature has been rolled out prematurely. I did, after all, call and ask them if they could give me Air Marshal ahead of the typical schedule. I also acknowledge that there could very well be something wrong with my MR-16 (I don't have a second one to test with) or even with my configuration. Stranger things have happened.

Until this is proven, and in the meantime, I believe there is much work that still needs to be done before Air Marshal is ready for primetime. WIPS is one of those solutions that requires a lot of dials and knobs because it needs to be tweaked to fit each different environment. While a simple administrative interface is normally a big plus for Meraki, I feel it hurts them when it comes to Air Marshal. I would love to be able to tweak, adjust, and debug Air Marshal a lot more than I am able to today. Without being able to look under-the-hood I can't really say why Air Marshal performed as poorly as it did during my testing.

Daniel

I openly invite correction or collaboration with Meraki or anyone who has managed to get Air Marshal working as advertised. In fact, I really do hope that we can chalk this one up to user error. I look forward to retesting Air Marshal after some time and posting a more positive review. 

Note: I performed a second review with new hardware and updated firmware. Many of the issues identified in this post have been resolved.

Saturday, Jul 14 2012

My Thoughts After a Chat With the CEO of Tanaza

I recently had the opportunity for a very enlightening, one-on-one discussion and Webex session with the CEO of Tanaza, Sebastiano Bertani. I say enlightening because I really knew nothing more about Tanaza than it existed, and that it offered some form of cloud management for SOHO wireless access points. This post contains a quick summary of what I learned during our conversation and my thoughts on the solution.

What is Tanaza Cloud Control?

Tanaza Cloud Control is a SaaS solution designed to ease the burden on administrators and budgets by securely managing existing SOHO wireless access points without requiring the purchase of additional controllers, AP hardware, or servers. Pricing information can be found on the Tanaza website.

Who is the Target Customer?

I made a point of asking this question specifically because, given that the solution uses SOHO hardware, I felt it would give me a good sense of how much thought has gone into this solution. I'm happy to say that I liked the answer I received. According to Sebastiano, Tanaza is not going after the enterprise. They fully recognize the inherent limitations in using SOHO gear and are on a mission to make wireless networking easy, and affordable for the small business market. (I interpret this to mean organizations with a small handful of APs and no requirements beyond "get me on the Internet".)

This was a good answer because I probably would have stopped listening if he had said that Tanaza Cloud Control, in its current state, was ready to go toe-to-toe with other enterprise wireless vendors.

That's +1 for Tanaza.

What's So Good About Tanaza?

Okay, if you bothered to look at the pricing sheet, you'd probably agree that Tanaza is pretty cheap. But so is Kraft Dinner and it doesn't do jack for my wireless network. So the next logical question should be, what's in it for me? Here is a quick run-down of some of the more interesting features in the current solution:

  • Configuration of the wireless setting on a growing list of SOHO access points via an easy-to-navigate web interface.
  • The system knows the capabilities of each supported device and will not allow you to push incompatible settings. For example, if you create a second SSID and try to push it to an AP that only supports a single SSID, Tanaza will not allow it. This may not seem like a big deal for people used to enterprise gear, but I think it's pretty impressive for this type of setup.
  • No AP or control agent (more on this later) upgrades are required as new features are introduced. All new features are on the cloud side of the solution.
  • I saw Sebastiano create a new WLAN and push it down to three SOHO APs scattered around Europe in a matter of minutes. He also changed an existing WLAN from WEP to WPA2 in the same amount of time; and all from a single interface. Again, doesn't seem like much for enterprise folks but it was pretty cool to see this type of management on geographically distant SOHO APs.

I could go on listing features but I think you get the point. Tanaza does a pretty amazing job of allowing someone to remotely configure wireless networks running on SOHO gear. See the Tanaza website for a full list of features.

Gotchas and What's Missing

Tanaza does a pretty impressive job of offering central management capabilities for SOHO access points. However, there are obvious limitations caused by the use of SOHO hardware and software. Here are a few:

  • No automated RF management. You can see channels used by neighbouring APs, and manually push channel and power settings down but don't expect Tanaza to make any RF decisions for you.
  • Currently, no 802.1X support. Please note that I stated currently. Sebastiano tells me this will be added very soon but for now WEP, WPA-Personal, and WPA2-Personal are all you get.
  • For Tanaza to work, you need to install a free software agent on one of the systems on your network. This agent phones home to Tanaza Cloud Control (using TLS) and pulls down configuration changes to be installed on each AP. (More on this below.)
  • No usage reporting. Tanaza is currently all about configuration and does not allow you to pull usage statistics or client information.

Coming Soon to a Cloud Near You

I have to say, I really do like this solution because of its simplicity and because of the fact that the Tanaza team seems to have a good, down-to-earth grasp on where their solution does and does not fit. Do not, however, mistake a sense-of-place for a lack of drive! Perhaps even more impressive than the existing solution was the future roadmap Sebastiano communicated to me. I was informed that the next 12 months will be all about rolling out new features. I'm not sure how much I am allowed to disclose so I will limit my comments to a few key points:

  • Remember that agent software I mentioned earlier? Tanaza is currently in beta for custom AP firmware that has the agent built-in; eliminating the need for additional software. They currently have custom firmware for Ubiquiti UniFi APs, and also an OpenWRT module.
  • 802.1X support. As I mentioned earlier, they will be rolling out the ability to configure RADIUS authentication very shortly. I think it's important, but at the same time, if they hold true to their target market it might not be required for most customers. This will also cause additional roaming issues since it's still SOHO APs we are talking about.
  • Captive Portal configuration. Initially, this will mainly be support for configuring redirects to an external captive portal.

Semi-Closing Thoughts

Unfortunately, I do not currently own a SOHO AP. I've ordered a Ubiquiti UniFi access point and will be testing out Tanaza once it arrives. I specifically purchased a Ubiquiti AP because I'm hoping I can see how Tanaza stacks up against Ubiquiti UniFi Controller Software. Once I've finished playing around with the solution I'll create another post with my overall impression of the solution.

For now, all I can say is Tanaza looks to be an impressively simple solution for anyone who needs to manage a handful of SOHO access points. Let's face it, there are organizations out there that would like to get enterprise gear but just cannot afford it. Tanaza might just be the answer to some of their prayers.

Daniel

Have you had a chance to test Tanaza yet? If so, I'd like to hear your thoughts and opinions on how well the solution worked, what you liked and disliked, and where you would like to see the product go in the future. Leave your thoughts in the comments section and be sure to share this article with anyone you think might be interested.