IDS mailing list archives

RE: WLAN IDS


From: "Rob Shein" <shoten () starpower net>
Date: Wed, 12 Feb 2003 11:10:39 -0500

I wouldn't say that decryption of WEP at "wire speed" is a dream (unless you
really mean wire speed, in which case it IS a dream as there are obviously
no wires).  Remember, with WEP involved on 802.11b bandwidth drops to 2
Mbps, which is very simple to handle, even with the overhead of decryption.
The real issue is that above layer 2, a regular IDS can do the job anyways.
The only point to an IDS that focuses on WLANs is one that will spot
attacks/probes/oddness that are unique to WLANs, which all happen at layer
2.  That said, I think there is a place for a WLAN IDS that also checks for
sniffing activity, which is a greater problem with WLANs than with standard
wired networking.

And frankly, I don't think it would be a good idea to suggest to a client
that they "wait for 802.11i, for more robust security."  That's not going to
help them now, even if it turns out not to have any problems of its own, and
we are all employed to provide solutions now :)

-----Original Message-----
From: planz [mailto:planz235 () hotmail com] 
Sent: Monday, February 10, 2003 11:57 PM
To: Will Schmied; focus-ids () securityfocus com
Subject: Re: WLAN IDS


WLAN IDS is a Layer 2 thing.  At a maximum you can monitor 
MAC addresses and DHCP and ARP requests.  (AirSnare).

If you look at the application layer, the packet data is 
encrypted using the WEP key. Therefore, an IDS needs to decrypt these 
packets at wire-speed to analyse them, which is a distant dream. 

Let's wait for 802.1i,  for more robust security...


----- Original Message ----- 
From: "Will Schmied" <dontpanic () cox net>
To: <focus-ids () securityfocus com>
Sent: Sunday, February 09, 2003 10:29 AM
Subject: WLAN IDS


Has anyone got any thoughts about the various WLAN IDS approaches out 
there?  Good, bad, other?  I'm really just collecting general 
information here...

Thanks,
Will



