Re: Wireless Intrusion Detection

From: Uli Link (VonRechts.NachLinks_at_usenet.arcornews.de)
Date: 02/27/05


Date: Sun, 27 Feb 2005 11:49:34 +0100

Ron Taylor wrote:

> Is anyone out there using Wireless Intrusion Detection products? How
> well do they work for you?

I'm not using such products.
I would first try to use the functionality of the better APs, like Cisco or
Proxim, together with a solid WLAN network management concept.

> I'm interested in a product that can
> detect rogue access points,

This isn't really possible, if the intruder knows how such systems work.

> malicious connection attempts, intruder
> connections, and the like.

If you log all unsuccessful association attempts (wrong SSID, wrong WEP
key, wrong MAC address, unsuccessful EAP) you have to spend lots of time
analyzing tons of log files.
Understand how the Windows Zero Configuration Service tries to find
which AP to associate to if configured for more than *one* network and
perhaps you know how many criteria must be considered to distinguish
rogue attempts from "normal use" failures. Consider the number of
network interfaces a recent business class notebook has. (WLAN,
Ethernet, Firewire, Bluetooth...)

I haven't seen any WLAN IDS that can detect an 802.11FH AP wirelessly; you
only have to overwrite the Ethernet MAC address to an allowed one and
filter the IAPP broad- and multicasts. So you cannot find the rogue AP
from both wired *and* wireless side.

IMHO the only approach is consistent use of 802.1x for *all* ports too.
Your RADIUS logs have all the info you want. Wireless and wired.
Better than only curing the symptoms.

-- 
Uli
These opinions are mine. All found typos are yours.
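
An added example, not part of the original post: one way to triage the RADIUS logs the reply points to, separating stations whose failures are followed by a success (the "normal use" case) from stations that only ever fail, across wired and wireless ports. The FreeRADIUS-style line layout, the sample lines, the NAS names and the `min_failures` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines; FreeRADIUS-style radius.log layout is an assumption.
SAMPLE_LOG = """\
Sun Feb 27 09:01:10 2005 : Auth: Login incorrect: [alice] (from client ap-lobby port 3 cli 00:11:22:33:44:01)
Sun Feb 27 09:01:14 2005 : Auth: Login OK: [alice] (from client ap-lobby port 3 cli 00:11:22:33:44:01)
Sun Feb 27 09:05:02 2005 : Auth: Login incorrect: [bob] (from client sw-floor2 port 12 cli 00:11:22:33:44:02)
Sun Feb 27 09:07:30 2005 : Auth: Login OK: [carol] (from client sw-floor2 port 7 cli 00:11:22:33:44:03)
Sun Feb 27 09:10:00 2005 : Auth: Login incorrect: [admin] (from client ap-lobby port 4 cli 00-0C-29-AA-BB-CC)
Sun Feb 27 09:10:05 2005 : Auth: Login incorrect (bad EAP): [root] (from client ap-lobby port 4 cli 00-0C-29-AA-BB-CC)
Sun Feb 27 09:12:40 2005 : Auth: Login incorrect: [guest] (from client sw-floor2 port 9 cli 00:0c:29:aa:bb:cc)
"""

LINE_RE = re.compile(
    r": Auth: Login (?P<result>OK|incorrect)[^\[]*\[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f:.-]+)\)"
)

def normalize_mac(mac):
    """Lower-case and strip separators so one station maps to one key."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def triage(log_text, min_failures=3):
    """Return {mac: verdict} for every station with at least one failure."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "nas": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication result line
        s = stats[normalize_mac(m["mac"])]
        s["ok" if m["result"] == "OK" else "fail"] += 1
        s["nas"].add(m["nas"])  # wired switch or AP that relayed the request
    verdicts = {}
    for mac, s in stats.items():
        if s["fail"] == 0:
            continue
        if s["ok"] > 0:
            verdicts[mac] = "normal-use failure"  # same station succeeded too
        elif s["fail"] >= min_failures:
            verdicts[mac] = "investigate"  # only failures, repeated
        else:
            verdicts[mac] = "low"  # isolated failure, keep for correlation
    return verdicts

if __name__ == "__main__":
    for mac, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(mac, verdict)
```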

