IDS mailing list archives
RE: WLAN IDS
From: "Citadel Consulting" <listserv () citadelconsulting net>
Date: Thu, 20 Feb 2003 15:46:11 -0500
Just a correction for the die-hards out there; Management and Control frames are separate from one another and each serves a different purpose.

Craig Baker CISSP, CCNP, MCSE
Citadel Consulting, LLC
Phone: 317.313.7666
Fax: 866.615.2434

-----Original Message-----
From: Citadel Consulting [mailto:listserv () citadelconsulting net]
Sent: Thursday, February 20, 2003 2:58 PM
To: 'Rob Shein'; 'planz'; 'Will Schmied'; focus-ids () securityfocus com
Subject: RE: WLAN IDS

I have been to some WLAN IDS training through a company called AirDefense. They have an excellent layer 2 WLAN IDS product as well as an intrusion prevention/honeypot hybrid solution. The latter will detect an intruder and associate them with a honeypot AP and log or respond according to the user's configuration parameters. The products are very unique and are primarily targeted at companies with a large amount of access points and when a more real time solution to layer 2 IDS is required.

If layer two isn't monitored, an attacker has an unlimited amount of time to sniff out packets using something like Wepcrack to break encryption or to spoof a MAC address. Wired-side IDS products are not very intuitive for reading and reporting the important wireless data (layer 2 management control frames), which are the real vulnerability with 802.11a,b,g...etc.

The bottom line is if you think that you might have people bringing in access points as a quick way to connect to the network (rogue AP) or you have a large installation base of APs then this might be something to look into. Over the next two years it's not going to be possible to recognize rogue or unauthorized APs without an active monitoring and/or response system.

Craig Baker CISSP, CCNP, MCSE
Citadel Consulting, LLC
CitadelConsulting.net
Phone: 317.313.7666
Fax: 866.615.2434

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Wednesday, February 12, 2003 11:11 AM
To: 'planz'; 'Will Schmied'; focus-ids () securityfocus com
Subject: RE: WLAN IDS

I wouldn't say that decryption of WEP at "wire speed" is a dream (unless you really mean wire speed, in which case it IS a dream as there are obviously no wires). Remember, with WEP involved on 802.11b bandwidth drops to 2 Mbps, which is very simple to handle, even with the overhead of decryption. The real issue is that above layer 2, a regular IDS can do the job anyways. The only point to an IDS that focuses on WLANs is one that will spot attacks/probes/oddness that are unique to WLANs, which all happen at layer 2.

That said, I think there is a place for a WLAN IDS that also checks for sniffing activity, which is a greater problem with WLANs than with standard wired networking. And frankly, I don't think it would be a good idea to suggest to a client that they "wait for 802.11i, for more robust security." That's not going to help them now, even if it turns out not to have any problems of its own, and we are all employed to provide solutions now :)

-----Original Message-----
From: planz [mailto:planz235 () hotmail com]
Sent: Monday, February 10, 2003 11:57 PM
To: Will Schmied; focus-ids () securityfocus com
Subject: Re: WLAN IDS

WLAN IDS is a Layer 2 thing. At a maximum you can monitor MAC addresses and DHCP and ARP requests. (AirSnare). If you look at application layer, the packet data is encrypted using WEP key. Therefore, IDS needs to decrypt these packets at wire-speed to analyse, which is a distant dream. Let's wait for 802.1i, for more robust security...

----- Original Message -----
From: "Will Schmied" <dontpanic () cox net>
To: <focus-ids () securityfocus com>
Sent: Sunday, February 09, 2003 10:29 AM
Subject: WLAN IDS

Has anyone got any thoughts about the various WLAN IDS approaches out there? Good, bad, other? I'm really just collecting general information here...

Thanks,
Will
-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling? If not, see what you're missing. Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
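The layer 2 monitoring discussed in this thread, as an added example (not code from any poster or from the products mentioned): it separates management from control frames by the Frame Control field, then checks beacon SSID/BSSID pairs against an AP inventory. The inventory, the MAC addresses and the sample frames are constructed, and frames are assumed to arrive without a radiotap header or FCS.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
TAGS_OFFSET = 24 + 12  # 24-byte management header + 12 bytes of fixed beacon fields

def classify(frame):
    """Return (type name, subtype) decoded from the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    return FRAME_TYPES.get((frame[0] >> 2) & 0x3, "reserved"), frame[0] >> 4

def parse_beacon(frame):
    """Return (bssid, ssid) for a beacon; None for other or truncated frames."""
    if classify(frame) != ("management", 8) or len(frame) < TAGS_OFFSET:
        return None                            # subtype 8 = beacon
    bssid = frame[16:22].hex(":")              # address 3 carries the BSSID
    pos = TAGS_OFFSET
    while pos + 2 <= len(frame):               # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                              # truncated element: stop parsing
        if tag == 0:                           # element ID 0 = SSID
            return bssid, value.decode("utf-8", "replace")
        pos += 2 + length
    return bssid, ""

def find_unauthorized(frames, inventory):
    """inventory maps SSID -> set of approved BSSIDs. Returns sorted alerts."""
    alerts = set()
    for bssid, ssid in filter(None, map(parse_beacon, frames)):  # skip non-beacons
        if ssid not in inventory:
            alerts.add((bssid, ssid, "AP not in inventory"))
        elif bssid not in inventory[ssid]:
            alerts.add((bssid, ssid, "known SSID from unapproved BSSID"))
    return sorted(alerts)

def make_beacon(bssid, ssid):
    """Build a constructed beacon (no radiotap header, no FCS) as sample input."""
    mac, name = bytes.fromhex(bssid.replace(":", "")), ssid.encode()
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    return header + struct.pack("<QHH", 0, 100, 1) + bytes([0, len(name)]) + name

INVENTORY = {"corp-wlan": {"02:00:00:00:00:01"}}  # constructed values
SAMPLE_FRAMES = [make_beacon(b, s) for b, s in (("02:00:00:00:00:01", "corp-wlan"),
    ("02:00:00:00:00:99", "corp-wlan"), ("02:00:00:00:00:42", "linksys"))]
SAMPLE_FRAMES.append(bytes.fromhex("d4000000020000000001"))  # ACK, a control frame
```

A BSSID match alone does not prove an AP is legitimate, since MAC addresses can be spoofed as the thread notes; the check only narrows what needs a closer look.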