
List:       focus-ids
Subject:    RE: WLAN IDS
From:       "Citadel Consulting" <listserv () citadelconsulting ! net>
Date:       2003-02-20 20:46:11

Just a correction for the die-hards out there; Management and Control
frames are separate from one another and each serves a different
purpose.

Craig Baker
CISSP, CCNP, MCSE
Citadel Consulting, LLC
Phone: 317.313.7666
Fax: 866.615.2434
 
 


-----Original Message-----
From: Citadel Consulting [mailto:listserv@citadelconsulting.net] 
Sent: Thursday, February 20, 2003 2:58 PM
To: 'Rob Shein'; 'planz'; 'Will Schmied'; focus-ids@securityfocus.com
Subject: RE: WLAN IDS

I have been to some WLAN IDS training through a company called
AirDefense. They have an excellent layer 2 WLAN IDS product as well as
an intrusion prevention/honeypot hybrid solution. The latter will detect
an intruder and associate them with a honeypot AP and log or respond
according to the user's configuration parameters. The products are very
unique and are primarily targeted at companies with a large amount of
access points and when a more real time solution to layer2 IDS is
required. If layer two isn't monitored, an attacker has an unlimited
amount of time to sniff out packets using something like Wepcrack to
break encryption or to spoof a MAC address. Wired-side IDS products are
not very intuitive for reading and reporting the important wireless data
(layer 2 management control frames), which are the real vulnerability
with 802.11a,b,g...etc.

The bottom line is if you think that you might have people bringing in
access points as a quick way to connect to the network (rogue AP) or you
have a large installation base of APs then this might be something to
look into. Over the next two years it's not going to be possible to
recognize rogue or unauthorized APs without an active monitoring and/or
response system.

Craig Baker
CISSP, CCNP, MCSE
Citadel Consulting, LLC
CitadelConsulting.net
Phone: 317.313.7666
Fax: 866.615.2434
 
 


-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net] 
Sent: Wednesday, February 12, 2003 11:11 AM
To: 'planz'; 'Will Schmied'; focus-ids@securityfocus.com
Subject: RE: WLAN IDS

I wouldn't say that decryption of WEP at "wire speed" is a dream (unless you
really mean wire speed, in which case it IS a dream as there are obviously
no wires).  Remember, with WEP involved on 802.11b bandwidth drops to 2
Mbps, which is very simple to handle, even with the overhead of decryption.
The real issue is that above layer 2, a regular IDS can do the job anyways.
The only point to an IDS that focuses on WLANs is one that will spot
attacks/probes/oddness that are unique to WLANs, which all happen at layer
2.  That said, I think there is a place for a WLAN IDS that also checks for
sniffing activity, which is a greater problem with WLANs than with standard
wired networking.

And frankly, I don't think it would be a good idea to suggest to a client
that they "wait for 802.11i, for more robust security."  That's not going to
help them now, even if it turns out not to have any problems of its own, and
we are all employed to provide solutions now :)

> -----Original Message-----
> From: planz [mailto:planz235@hotmail.com] 
> Sent: Monday, February 10, 2003 11:57 PM
> To: Will Schmied; focus-ids@securityfocus.com
> Subject: Re: WLAN IDS
> 
> 
> WLAN IDS is a Layer 2 thing.  At a maximum you can monitor 
> MAC addresses and DHCP and ARP requests.  (AirSnare).
> 
> If you look at application layer, the packet data is 
> encrypted using WEP key. Therefore, IDS needs to decrypt these 
> packets at wire-speed to analyse, which is a distant dream. 
> 
> Let's wait for 802.1i,  for more robust security...
> 
> 
> ----- Original Message ----- 
> From: "Will Schmied" <dontpanic@cox.net>
> To: <focus-ids@securityfocus.com>
> Sent: Sunday, February 09, 2003 10:29 AM
> Subject: WLAN IDS
> 
> 
> > Has anyone got any thoughts about the various WLAN IDS approaches out 
> > there?  Good, bad, other?  I'm really just collecting general 
> > information here...
> > 
> > Thanks,
> > Will
> > 
> 
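
Added example, not part of the original thread and not code from any product named in it: a minimal layer-2 check that decodes the 802.11 Frame Control field to separate management, control and data frames, then flags beacons and probe responses whose BSSID is not on an allowlist (a rogue AP indicator). It assumes raw MAC frames with no radiotap header; the sample frames, MAC addresses and the AUTHORIZED set are constructed for illustration.

```python
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
AP_ORIGINATED = {5, 8}  # management subtypes sent by APs: probe response, beacon

def parse_header(frame: bytes) -> dict:
    """Decode type/subtype from the first Frame Control byte of a raw 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 frame header")
    fc = frame[0]  # bits 0-1 version, bits 2-3 type, bits 4-7 subtype
    info = {"version": fc & 0x03, "type": FRAME_TYPES[(fc >> 2) & 0x03],
            "subtype": fc >> 4, "bssid": None}
    # Management frames use a 24-byte header with the BSSID in Address 3;
    # control frames such as ACK are shorter and carry no BSSID field there.
    if info["type"] == "management":
        if len(frame) < 24:
            raise ValueError("truncated management header")
        info["bssid"] = frame[16:22].hex(":")
    return info

def rogue_bssids(frames, authorized):
    """Return sorted BSSIDs seen in AP-originated management frames but not allowlisted."""
    seen = set()
    for raw in frames:
        try:
            hdr = parse_header(raw)
        except ValueError:
            continue  # skip runt or truncated captures
        if hdr["type"] == "management" and hdr["subtype"] in AP_ORIGINATED:
            if hdr["bssid"] not in authorized:
                seen.add(hdr["bssid"])
    return sorted(seen)

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _mgmt(subtype, dst, src, bssid):
    # FC (type 0), duration, addr1, addr2, addr3, sequence control
    return bytes([subtype << 4, 0]) + b"\x00\x00" + _mac(dst) + _mac(src) + _mac(bssid) + b"\x00\x00"

BCAST = "ff:ff:ff:ff:ff:ff"
AUTHORIZED = {"00:11:22:33:44:55"}  # constructed allowlist of sanctioned AP BSSIDs
SAMPLE_FRAMES = [  # constructed headers, not a real capture
    _mgmt(8, BCAST, "00:11:22:33:44:55", "00:11:22:33:44:55"),   # beacon, sanctioned AP
    _mgmt(8, BCAST, "02:aa:bb:cc:dd:ee", "02:aa:bb:cc:dd:ee"),   # beacon, unknown AP
    _mgmt(4, BCAST, "02:00:00:00:00:01", BCAST),                 # probe request (client)
    bytes([0xD4, 0]) + b"\x00\x00" + _mac("00:11:22:33:44:55"),  # ACK: control frame
    bytes([0x08, 0x01]) + b"\x00" * 22,                          # data frame header
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_header(f))
    print("unauthorized BSSIDs:", rogue_bssids(SAMPLE_FRAMES, AUTHORIZED))
```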


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure

