RE: WLAN IDS

From: Citadel Consulting (listserv@citadelconsulting.net)
Date: 02/20/03

    From: "Citadel Consulting" <listserv@citadelconsulting.net>
    To: "'Rob Shein'" <shoten@starpower.net>, "'planz'" <planz235@hotmail.com>, "'Will Schmied'" <dontpanic@cox.net>, <focus-ids@securityfocus.com>
    Date: Thu, 20 Feb 2003 14:58:23 -0500
    
    

    I have been to some WLAN IDS training through a company called
    AirDefense. They have an excellent layer 2 WLAN IDS product as well as
    an intrusion prevention/honeypot hybrid solution. The latter will detect
    an intruder and associate them with a honeypot AP and log or respond
    according to the user's configuration parameters. The products are very
    unique and are primarily targeted at companies with a large number of
    access points and when a more real-time solution to layer 2 IDS is
    required. If layer two isn't monitored, an attacker has an unlimited
    amount of time to sniff out packets using something like Wepcrack to
    break encryption or to spoof a MAC address. Wired-side IDS products are
    not very intuitive for reading and reporting the important wireless data
    (layer 2 management control frames), which are the real vulnerability
    with 802.11a, b, g, etc.

    The bottom line is if you think that you might have people bringing in
    access points as a quick way to connect to the network (rogue AP) or you
    have a large installation base of APs then this might be something to
    look into. Over the next two years it's not going to be possible to
    recognize rogue or unauthorized APs without an active monitoring and/or
    response system.

    Craig Baker
    CISSP, CCNP, MCSE
    Citadel Consulting, LLC
    CitadelConsulting.net
    Phone: 317.313.7666
    Fax: 866.615.2434
     
     

    -----Original Message-----
    From: Rob Shein [mailto:shoten@starpower.net]
    Sent: Wednesday, February 12, 2003 11:11 AM
    To: 'planz'; 'Will Schmied'; focus-ids@securityfocus.com
    Subject: RE: WLAN IDS

    I wouldn't say that decryption of WEP at "wire speed" is a dream (unless
    you really mean wire speed, in which case it IS a dream as there are
    obviously no wires). Remember, with WEP involved on 802.11b bandwidth
    drops to 2 Mbps, which is very simple to handle, even with the overhead
    of decryption. The real issue is that above layer 2, a regular IDS can
    do the job anyways. The only point to an IDS that focuses on WLANs is
    one that will spot attacks/probes/oddness that are unique to WLANs,
    which all happen at layer 2. That said, I think there is a place for a
    WLAN IDS that also checks for sniffing activity, which is a greater
    problem with WLANs than with standard wired networking.

    And frankly, I don't think it would be a good idea to suggest to a
    client that they "wait for 802.11i, for more robust security." That's
    not going to help them now, even if it turns out not to have any
    problems of its own, and we are all employed to provide solutions now :)

    > -----Original Message-----
    > From: planz [mailto:planz235@hotmail.com]
    > Sent: Monday, February 10, 2003 11:57 PM
    > To: Will Schmied; focus-ids@securityfocus.com
    > Subject: Re: WLAN IDS
    >
    >
    > WLAN IDS is a Layer 2 thing. At a maximum you can monitor
    > MAC addresses and DHCP and ARP requests. (AirSnare).
    >
    > If you look at the application layer, the packet data is
    > encrypted using the WEP key. Therefore, an IDS needs to decrypt these
    > packets at wire-speed to analyse, which is a distant dream.
    >
    > Let's wait for 802.1i, for more robust security...
    >
    >
    > ----- Original Message -----
    > From: "Will Schmied" <dontpanic@cox.net>
    > To: <focus-ids@securityfocus.com>
    > Sent: Sunday, February 09, 2003 10:29 AM
    > Subject: WLAN IDS
    >
    >
    > > Has anyone got any thoughts about the various WLAN IDS approaches
    > > out there? Good, bad, other? I'm really just collecting general
    > > information here...
    > >
    > > Thanks,
    > > Will
    > >
    >
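
The thread's point that WLAN-specific detection happens at layer 2, in management frames, can be illustrated with a small rogue-AP check over beacon frames. This is an added example, not part of the original messages and not code from any product named in them; the inventory, the BSSIDs, the SSIDs and the frames built by `build_beacon` are constructed for the demonstration, and frames are assumed to arrive without a radiotap header.

```python
import struct

# Constructed inventory of sanctioned APs (BSSID -> expected SSID); an assumption.
AUTHORIZED = {"00:11:22:33:44:55": "corp-wlan"}

def build_beacon(bssid, ssid, channel, fc=0x0080):
    """Build a constructed 802.11 management frame (beacon by default) for the demo."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = struct.pack("<HH", fc, 0) + b"\xff" * 6 + mac + mac + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, interval, capabilities
    s = ssid.encode()
    return hdr + fixed + bytes([0, len(s)]) + s + bytes([3, 1, channel])

def parse_beacon(frame):
    """Return (bssid, ssid, channel) for a beacon, or None for other or short frames."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed beacon fields
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:  # type 0 mgmt, subtype 8 beacon
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3
    ssid, channel, pos = None, None, 36
    while pos + 2 <= len(frame):  # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop rather than misparse
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:  # DS parameter set carries the channel
            channel = value[0]
        pos += 2 + length
    return bssid, ssid, channel

def classify(frame):
    """Compare one beacon against the inventory and name the finding."""
    parsed = parse_beacon(frame)
    if parsed is None:
        return "ignored"
    bssid, ssid, _ = parsed
    if bssid in AUTHORIZED:
        return "authorized" if AUTHORIZED[bssid] == ssid else "ssid-mismatch"
    if ssid in AUTHORIZED.values():
        return "unlisted-bssid-using-corp-ssid"
    return "unknown-ap"
```

A BSSID match alone does not prove the AP is genuine, since MAC addresses can be spoofed as the thread notes; a monitoring system would also compare channel and signal data against what the inventory expects.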
