IDS mailing list archives

RE: WLAN IDS


From: "Citadel Consulting" <listserv () citadelconsulting net>
Date: Thu, 20 Feb 2003 15:46:11 -0500

Just a correction for the die-hards out there: Management and Control
frames are separate from one another and each serves a different
purpose.

Craig Baker
CISSP, CCNP, MCSE
Citadel Consulting, LLC
Phone: 317.313.7666
Fax: 866.615.2434
 
 


-----Original Message-----
From: Citadel Consulting [mailto:listserv () citadelconsulting net] 
Sent: Thursday, February 20, 2003 2:58 PM
To: 'Rob Shein'; 'planz'; 'Will Schmied'; focus-ids () securityfocus com
Subject: RE: WLAN IDS

I have been to some WLAN IDS training through a company called
AirDefense. They have an excellent layer 2 WLAN IDS product as well as
an intrusion prevention/honeypot hybrid solution. The latter will detect
an intruder and associate them with a honeypot AP and log or respond
according to the user's configuration parameters. The products are very
unique and are primarily targeted at companies with a large amount of
access points and when a more real time solution to layer2 IDS is
required. If layer two isn't monitored, an attacker has an unlimited
amount of time to sniff out packets using something like WEPCrack to
break encryption or to spoof a MAC address. Wired-side IDS products are
not very intuitive for reading and reporting the important wireless data
(layer 2 management control frames), which are the real vulnerability
with 802.11a,b,g...etc.

The bottom line is if you think that you might have people bringing in
access points as a quick way to connect to the network (rogue AP) or you
have a large installation base of APs then this might be something to
look into. Over the next two years it's not going to be possible to
recognize rogue or unauthorized APs without an active monitoring and/or
response system.

Craig Baker
CISSP, CCNP, MCSE
Citadel Consulting, LLC
CitadelConsulting.net
Phone: 317.313.7666
Fax: 866.615.2434
 
 


-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Wednesday, February 12, 2003 11:11 AM
To: 'planz'; 'Will Schmied'; focus-ids () securityfocus com
Subject: RE: WLAN IDS

I wouldn't say that decryption of WEP at "wire speed" is a dream (unless
you really mean wire speed, in which case it IS a dream as there are
obviously no wires).  Remember, with WEP involved on 802.11b bandwidth
drops to 2 Mbps, which is very simple to handle, even with the overhead
of decryption. The real issue is that above layer 2, a regular IDS can
do the job anyways. The only point to an IDS that focuses on WLANs is
one that will spot attacks/probes/oddness that are unique to WLANs,
which all happen at layer 2.  That said, I think there is a place for a
WLAN IDS that also checks for sniffing activity, which is a greater
problem with WLANs than with standard wired networking.

And frankly, I don't think it would be a good idea to suggest to a
client that they "wait for 802.11i, for more robust security."  That's
not going to help them now, even if it turns out not to have any
problems of its own, and we are all employed to provide solutions now :)

-----Original Message-----
From: planz [mailto:planz235 () hotmail com] 
Sent: Monday, February 10, 2003 11:57 PM
To: Will Schmied; focus-ids () securityfocus com
Subject: Re: WLAN IDS


WLAN IDS is a Layer 2 thing.  At a maximum you can monitor
MAC addresses and DHCP and ARP requests.  (AirSnare).

If you look at the application layer, the packet data is
encrypted using the WEP key. Therefore, an IDS needs to decrypt these
packets at wire-speed to analyse them, which is a distant dream.

Let's wait for 802.1i,  for more robust security...


----- Original Message ----- 
From: "Will Schmied" <dontpanic () cox net>
To: <focus-ids () securityfocus com>
Sent: Sunday, February 09, 2003 10:29 AM
Subject: WLAN IDS


Has anyone got any thoughts about the various WLAN IDS approaches out
there?  Good, bad, other?  I'm really just collecting general
information here...

Thanks,
Will
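
The thread's two layer-2 points (management and control frames are distinct 802.11 frame types, and unauthorized APs show up in management traffic) can be seen in a short sketch. This is an added example, not code from any poster or product named in the thread; it assumes raw 802.11 frames with no radiotap header and no FCS, and the allowlist, function names and sample frames are all constructed for illustration.

```python
# Added example: sample frames below are constructed, not captured traffic.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
BEACON = 8                                   # management subtype for beacons
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}    # assumed allowlist

def classify(frame):
    """Decode type and subtype from the first Frame Control byte."""
    if len(frame) < 2:
        raise ValueError("too short for a Frame Control field")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    return FRAME_TYPES.get(ftype, "reserved"), subtype

def beacon_info(frame):
    """Return (bssid, ssid) for a beacon frame, or None for anything else."""
    if classify(frame) != ("management", BEACON) or len(frame) < 36:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # Address 3
    pos, ssid = 36, None        # 24-byte header + 12 bytes of fixed fields
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:    # truncated element: stop parsing
            break
        if eid == 0:            # element ID 0 carries the SSID
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + elen
    return bssid, ssid

def rogue_beacons(frames, authorized=AUTHORIZED_BSSIDS):
    """List (bssid, ssid) for beacons whose BSSID is not on the allowlist."""
    found = []
    for f in frames:
        info = beacon_info(f)
        if info and info[0] not in authorized and info not in found:
            found.append(info)
    return found

def make_beacon(bssid, ssid):
    """Build a constructed beacon (no radiotap header, no FCS)."""
    addr = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + addr + addr + b"\x00\x00"
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x01\x04"
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

ACK = bytes.fromhex("d4000000001122334455")          # constructed control frame
SAMPLES = [make_beacon("00:11:22:33:44:55", "corp-wifi"),
           make_beacon("de:ad:be:ef:00:01", "corp-wifi"), ACK]
```

A BSSID allowlist only catches APs that advertise an unknown address; a spoofed BSSID passes this check, so it is a first filter rather than a complete rogue-AP detector.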



