IDS mailing list archives
Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?
From: Jeremy Bennett <jeremyfb () mac com>
Date: Sun, 26 Apr 2009 00:41:10 -0700
Joel, Interesting topic for debate and much more on topic to IDS than wireless scanning. The question, can NAC be effectively used to prevent unauthorized network devices from being connected to a network? NAC often implies more than what we really mean here so let's restrict it to more basic 802.1x port-level authentication. I can honestly see two sides to the argument but I'll assert that it is insufficient. The reason is that you cannot completely deploy 802.1x today. If EVERY port required 802.1x authentication then you could argue that no unauthorized devices could be connected. The problem is that not all network devices support 802.1x today. Examples include printers, IP cameras, networked scanners, and (sadly) access points. So, because you need to provide for these exceptions you cannot guarantee that no excepted device has been unplugged and an unauthorized device plugged in in it's place. I think we may get there someday but it is going to take a long time for networks to catch up. Until then unauthorized devices will be a problem. And, to answer your last question, rogue APs are more of a problem than any other unauthorized device because they extend a wired network into wireless. To the point, they take a physically localized network and push it into the parking lot. Most companies believe that their wired network is somewhat physically secured by receptionists, policy, and attentive employees. True or false, this makes unauthorized APs more of a perceived threat than someone bringing in an unauthorized printer. -J On 4/25/09 1:01 AM, "Joel Snyder" <Joel.Snyder () Opus1 COM> wrote:
This is way off-topic from IDS, I know, but couldn't you use NAC then to assert such a thing? Depending on what NAC you use, of course, but for most of them, the goal is that only authenticated and authorized devices are attached to your LAN. Wouldn't that let you assert, validly, that there are no rogue devices of ANY kind (why are APs so different from other kinds of devices anyway?) attached? jms Jeremy Bennett wrote:Gary, I'm sorry if my statements seemed to self-contradict. I'm a member of the Wireless SIG reporting to the PCI DSS. We've had numerous discussions on this topic and have been working to provide better guidance on all of this. So, let me put this another way. You must assert that there are no rogue APs connected to your CDE. By definition a rogue device is unauthorized and out of your control. Therefore you can't use networking technologies like firewalls to prevent someone from physically connecting a rogue device to your network. The only way to be certain that there are no rogue devices connected to your CDE is to scan for them. Hence 11.1 applies whether you have a wireless network or not. Is that more clear? -J On 4/24/09 11:48 AM, "Gary Everekyan" <Gary.Everekyan () consumerinfo com> wrote:Hi Jeremy IMHO you just contradicted yourself. PCI DSS SCOPE is for Cardholder Data Environment that deals with PAN Data. It is this type of scope creep that moves InfoSec professionals away from the business decisions. It is very costly to include all your network hence you do what is absolutely necessary to be complainant. (including segmentation) Here is the excerpt from the PCI DSS 1.2 that talks about in scope and out of scope. You can get the document at https://www.pcisecuritystandards.org/
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.htm>>> l
Scope of Assessment for Compliance with PCI DSS Requirements .......................... Network Segmentation Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement. However, it is recommended as a method that may reduce: The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations) Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. ....................... Regards, Gary Everekyan CISSP, CISM, CHS-III, ISSAP, ISSPCS, ITILp, CGEIT, MCSE, MCT Gary_Everekyan () hotmail com -----Original Message----- From: Jeremy Bennett [mailto:jeremyfb () mac com] Sent: Friday, April 24, 2009 11:04 AM To: Gary Everekyan; Taras P. Ivashchenko; focus-ids () securityfocus com Subject: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Gary, That is not true. The requirement for scanning for (and dealing with) unauthorized APs or wireless devices is applicable to any physical location that has a part of the CDE (Cardholder Data Environment). Whether you have a wireless network and whether that wireless network is in or out of scope for PCI DSS you are still required to scan. There are a number of other wireless requirements if your WLAN *is* in scope that you can avoid if you can move it out of scope but this is not one of them. Taras, That requirement is focused on rogue detection and mitigation. If your WLAN can be moved out of scope for PCI (using a stateful firewall) then you are only required to scan for rogue devices. You can either do walk-around scans using something like kismet or NetStumbler or you can invest in a system with distributed sensors that can scan for the rogue devices all the time. In theory you could build this with low cost sensors running kismet and syslog and watch/filter the logs in a central location. You'd need a way of filtering out the known neighbors and internal devices and set up something to alert you, etc. I think you'll find that it is a lot less "free" than you would hope. -J On 4/23/09 2:20 PM, "Gary Everekyan" <Gary.Everekyan () consumerinfo com> wrote:You can bypass the requirement if the WIFI Does NOT in any way transmit or connect to PAN data. If the Wireless network does not transmit PAN data and is segmented from the wired network with VPN FW ACL etc. than your WIFI is out of scope. Regards, Gary Everekyan CISSP, CISM, CHS-III, ISSAP, ISSPCS, ITILp, CGEIT, MCSE, MCT Gary_everekyan () hotmail com -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Taras P. Ivashchenko Sent: Thursday, April 23, 2009 12:51 PM To: focus-ids () securityfocus com Subject: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Hello, list! There is requirement in PCI DSS v.1.2: "...11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use..." I made some research for open source wireless IDSs and results are not good. I found some articles about using together Kismet and Snort but it looks like not best soliution. Air Snort project is dead. What wireless IDS/IPS (especially opensource/free) do you use? -- Тарас Иващенко (Taras Ivashchenko), OSCP www.securityaudit.ru ---- "Software is like sex: it's better when it's free." - Linus Torvalds
Current thread:
- PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Taras P. Ivashchenko (Apr 23)
- RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Gary Everekyan (Apr 24)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 24)
- RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Gary Everekyan (Apr 24)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 24)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Joel Snyder (Apr 27)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 27)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Joel Snyder (Apr 27)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 27)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 24)
- RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Gary Everekyan (Apr 24)
- RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Emm Maxim (Apr 27)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Nelson Murilo (Apr 24)
- RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Gary Everekyan (Apr 24)
- Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Leon Ward (Apr 24)