Is LAN Defender intended to sit in a single location on the network or does it have the capability to “wander”?

Access points (APs) don’t really matter, so you don’t have to protect every single AP; the DHCP server(s) are what really matter. If they try to MITM everyone’s computer, that’s a lot of work and they are more likely to get caught. To do a good MITM they have to attack the router where DHCP happens: replace it, corrupt it, or just change the DNS server(s), etc. The best case for them is if they have a pineapple (an automated wireless network hacking tool) or a hardwired equivalent on-site, and they are remotely controlling it from far, far away.

We can “spy” on the Router even through an AP, but latency and caching are bad for us, so it’s better if we are physically close to the router(s).


What kind of reporting capabilities exist? (It seems to have that, but it’s not really clear what “notify the administrator” might mean.)

Reporting by LAN Defender is currently done through email, because if a MITM attack is dumb enough to kill access to your email server, then you’re going to notice, and that’s bad for them. The email server should use SSL with a separate certificate from your other networks, which, while not perfect, is yet another layer they’d have to crack, only they don’t know they need to. We can talk about using stronger protocols, but that requires more servers on the receiving end, so let’s call that phase two, or maybe even three if you want better reporting, like JSON data sent to a database and keep-alive reports.

Each LAN Defender can also be accessed by an HTTP connection to its IP address, which it will also email to you. Again, we had to walk a line between more hardware and what everybody already has.

Since we are on a programmable platform, data could be uploaded to an API by simply adding a process that runs on a cron job, which would give you both a keep-alive and data on the current status.
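The two answers above describe watching the router’s DHCP answers for a swapped router or DNS server and then emitting a status record a cron job could post. As an added illustration (not LAN Defender’s code; the baseline addresses and the DHCP OFFER bytes are constructed), this parses the TLV options of an offer, compares the router and DNS options against a known-good baseline, and renders the result as a JSON keep-alive/status record:

```python
import json
import time

# Constructed baseline: what the legitimate router is expected to hand out.
BASELINE = {"router": "192.168.1.1", "dns": ["192.168.1.1"]}

# Constructed DHCP OFFER option fields (the TLV bytes that follow the magic cookie).
# Option 53 = message type (2 = OFFER), option 3 = router, option 6 = DNS servers, 255 = end.
OFFER_OPTIONS_GOOD = bytes([53, 1, 2, 3, 4, 192, 168, 1, 1, 6, 4, 192, 168, 1, 1, 255])
OFFER_OPTIONS_BAD = bytes([
    53, 1, 2,                            # DHCP message type: OFFER
    3, 4, 192, 168, 1, 1,                # router unchanged
    6, 8, 192, 168, 1, 1, 10, 9, 8, 7,   # DNS list now carries an unexpected second server
    255,
])

def parse_dhcp_options(data: bytes) -> dict:
    """Walk the TLV-encoded DHCP options (RFC 2132) into {code: value_bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:          # end option terminates the list
            break
        if code == 0:            # pad option carries no length byte
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ipv4_list(raw: bytes) -> list:
    """Split a run of 4-byte addresses into dotted-quad strings, dropping any trailing partial."""
    usable = len(raw) - len(raw) % 4
    return [".".join(str(b) for b in raw[k:k + 4]) for k in range(0, usable, 4)]

def check_offer(options: bytes, baseline: dict) -> list:
    """Return findings where the offered router/DNS deviate from the baseline (empty = clean)."""
    opts = parse_dhcp_options(options)
    findings = []
    router = ipv4_list(opts.get(3, b""))
    if router and router[0] != baseline["router"]:
        findings.append(f"router changed: {router[0]} (expected {baseline['router']})")
    for server in ipv4_list(opts.get(6, b"")):
        if server not in baseline["dns"]:
            findings.append(f"unexpected DNS server offered: {server}")
    return findings

def status_report(options: bytes, baseline: dict) -> str:
    """JSON keep-alive/status record of the shape a cron job could post to an API or email out."""
    findings = check_offer(options, baseline)
    return json.dumps({"ts": int(time.time()), "ok": not findings, "findings": findings})
```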


Are they thinking about extending to other adversary emulation functionality past WiFi man-in-the-middle?

Extending the umbrella, yes, we have plans, but we had to start somewhere.


We have gotten rid of all our environments (like PCI) that had compliance reasons to validate there wasn’t any kind of WiFi hijacking happening. Past that, it really comes down to risk reduction vs. cost for me.

Cost. For a large customer like BYU or a large company, we would work out a global enterprise-wide license that would be very affordable.

I’d kind of think of this as something that is taken around the enterprise and even at events, rather than something we install at a single point and have to log into to get information out of. Each of our campuses has a relatively broad footprint and we aren’t staffed to have to deal with passive monitoring solutions. Just finding locations everywhere for installation would be a challenge and might not provide us with the type of risk reduction to justify the cost of something like this. We’ve run capstones in the past with students looking at this sort of functionality and more, running off Raspberry Pi devices with 3D-printed cases. If there were a wider range of adversary emulation it provided, there might be a more compelling reason to use something like this.

LAN Defender is meant to be static. We have a second, more mobile, solution in development for people who need “more”. Right now we’re calling it a “pocket protector”. It’s a stronger, harder VPN that uses patented handshake technology that is not vulnerable to current PKI hacking methodology. It also detects MITM attacks with more active technology and secures the traffic while doing it. Right now, it plugs into a USB port and acts like a wireless network card, except it’s secured.

We can add this same VPN technology to LAN Defender in the future.