IDS mailing list archives

Re: WLAN IDS


From: "planz" <planz235 () hotmail com>
Date: Mon, 17 Feb 2003 14:14:17 +0800

Hi Rob,

Technically speaking, 'decrypting at wire-speed' may be possible. But my concern was different. It was always possible
to include a WLAN IDS module in an existing NIDS and perform L2 decryption as an additional load.

But many questions are in the air unanswered. Such as: how is MAC spoofing going to be stopped? How is sniffing
going to be prevented by encryption at L2? How are de-authentication frames going to be verified as coming only from
the reliable MAC? The second series of questions arises over how you would locate or identify the culprit. You need a
GPS or a building-wide location-marking system (using Bluetooth??).

I have some ideas on this monitoring as well as IDS inventions for WLAN.

1)  RFMON Sticks.

Description: These sticks are typical WLAN cards in the form of an antenna, but only having RFMON mode, and they have a TCP/IP
stack and are connected to the wire with an IP address. This IP stack may be replaced if the card is able to transmit to the
control center on a different channel with a different encryption, but to avoid de-authentication frames from unknown
sources or the chance of being sniffed in the air, the control transmission is sent on the 'wire'.

Functionality: These 'sticks' are located in different locations in the building and keep monitoring, doing
intrusion detection, and sending the traffic to the control center. These sticks can locate intrusions based on location
and can also monitor the clients' location. This stick can also locate any FakeAP/HostAP/RogueAP.


I see 802.11b has a lot of 'technological weaknesses'. Many of the control frames traverse Layer 2 without
security, so the insecurity is always on. Therefore, WLAN IDS is ineffective at this moment with 802.11b.

Meanwhile, I have other ideas on this space for manufacturers.

2) WLAN PCMCIA Cards with GPS transceiver built-in

WLAN client cards may be built with a GPS transceiver, so that they don't need additional GPS equipment to trace.

Regards,
Planz

----- Original Message ----- 
From: "Rob Shein" <shoten () starpower net>
To: "'planz'" <planz235 () hotmail com>; "'Will Schmied'" <dontpanic () cox net>; <focus-ids () securityfocus com>
Sent: Thursday, February 13, 2003 12:10 AM
Subject: RE: WLAN IDS


I wouldn't say that decryption of WEP at "wire speed" is a dream (unless you
really mean wire speed, in which case it IS a dream as there are obviously
no wires).  Remember, with WEP involved on 802.11b bandwidth drops to 2
Mbps, which is very simple to handle, even with the overhead of decryption.
The real issue is that above layer 2, a regular IDS can do the job anyways.
The only point to an IDS that focuses on WLANs is one that will spot
attacks/probes/oddness that are unique to WLANs, which all happen at layer
2.  That said, I think there is a place for a WLAN IDS that also checks for
sniffing activity, which is a greater problem with WLANs than with standard
wired networking.

And frankly, I don't think it would be a good idea to suggest to a client
that they "wait for 802.11i, for more robust security."  That's not going to
help them now, even if it turns out not to have any problems of its own, and
we are all employed to provide solutions now :)

-----Original Message-----
From: planz [mailto:planz235 () hotmail com] 
Sent: Monday, February 10, 2003 11:57 PM
To: Will Schmied; focus-ids () securityfocus com
Subject: Re: WLAN IDS


WLAN IDS is a Layer 2 thing. At a maximum you can monitor
MAC addresses and DHCP and ARP requests. (AirSnare).

If you look at the application layer, the packet data is
encrypted using the WEP key. Therefore, an IDS needs to decrypt these
packets at wire-speed to analyse them, which is a distant dream.

Let's wait for 802.11i, for more robust security...


----- Original Message ----- 
From: "Will Schmied" <dontpanic () cox net>
To: <focus-ids () securityfocus com>
Sent: Sunday, February 09, 2003 10:29 AM
Subject: WLAN IDS


Has anyone got any thoughts about the various WLAN IDS approaches out
there? Good, bad, other? I'm really just collecting general
information here...

Thanks,
Will



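The two checks Planz's message asks for at Layer 2, rogue AP detection and distrusting de-authentication frames from unknown sources, sketched as a toy detector over constructed frame records. This is an added example, not code from anyone in the thread; the authorised-AP list, sensor names ("stick-A" etc., standing in for the RFMON sticks) and frame records are all constructed, and the "AP address never heard at this sensor" heuristic is an assumption about how distributed sensors could help, not something 802.11b itself provides.

```python
"""Toy layer-2 WLAN IDS pass over constructed 802.11 management-frame records.
It illustrates two checks raised in the thread: rogue APs (beacons from a BSSID
that is not on the authorised list) and de-authentication frames that a
distributed set of RFMON sensors has no reason to trust."""
from collections import defaultdict

# Assumed authorised access points: BSSID -> SSID it is allowed to beacon.
AUTHORISED_APS = {"00:11:22:33:44:01": "corp", "00:11:22:33:44:02": "corp"}

# Constructed sample records: (sensor, frame type, transmitter MAC, SSID or None).
FRAMES = [
    ("stick-A", "beacon", "00:11:22:33:44:01", "corp"),
    ("stick-B", "beacon", "00:11:22:33:44:02", "corp"),
    ("stick-B", "beacon", "de:ad:be:ef:00:01", "corp"),  # corp SSID, unknown BSSID
    ("stick-A", "deauth", "00:11:22:33:44:01", None),    # AP heard by same sensor: plausible
    ("stick-C", "deauth", "00:11:22:33:44:01", None),    # AP never heard at stick-C: suspect
    ("stick-C", "deauth", "66:77:88:99:aa:bb", None),    # transmitter is not an AP at all
]

def ap_coverage(frames):
    """Map each beaconing BSSID to the set of sensors that hear it."""
    cov = defaultdict(set)
    for sensor, ftype, mac, _ssid in frames:
        if ftype == "beacon":
            cov[mac].add(sensor)
    return cov

def rogue_aps(frames):
    """Unknown BSSIDs that beacon, with the sensors that heard them (for locating them)."""
    return {mac: sorted(sensors) for mac, sensors in ap_coverage(frames).items()
            if mac not in AUTHORISED_APS}

def suspicious_deauths(frames):
    """Deauth frames to distrust: the transmitter is not an authorised AP, or it claims
    an authorised AP's address but was heard by a sensor that never hears that AP's
    beacons (the address is likely spoofed; 802.11b itself cannot authenticate it)."""
    cov = ap_coverage(frames)
    alerts = []
    for sensor, ftype, mac, _ssid in frames:
        if ftype != "deauth":
            continue
        if mac not in AUTHORISED_APS:
            alerts.append((sensor, mac, "deauth from non-AP transmitter"))
        elif sensor not in cov.get(mac, set()):
            alerts.append((sensor, mac, "deauth from AP address not heard at this sensor"))
    return alerts

if __name__ == "__main__":
    print("rogue APs:", rogue_aps(FRAMES))
    for alert in suspicious_deauths(FRAMES):
        print("ALERT", alert)
```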
