IDS mailing list archives

Re: wlan ids


From: pbsarnac () ThoughtWorks com
Date: Thu, 24 Oct 2002 09:40:18 -0500


I think you're missing the point of wireless IDS. You don't actually need
to detect IP-based attacks... that's what conventional NIDS do. Just throw
a sensor off the back of your WLAN choke-point and be done with it. (You're
not actually connecting a bunch of access points directly to your LAN, are
you? Wireless access points should be on their own network firewalled off
from the internal LAN, which conveniently provides a place to look for
standard network attacks.)

What wireless IDS actually does is look for attacks directly against your
wireless network such as MAC spoofing, forged 802.11 management frames,
wireless DOS, man-in-the-middle, rogue access points, etc. In this case,
WEP doesn't matter, because these attacks take place against unencrypted
802.11 headers and management frames.

I had a chance to talk with the AirDefense guys at Defcon, and they fired
up a demo for me in the main conference room. The number and types of
attacks that were picked up was definitely impressive. If you're concerned
about the types of attacks mentioned above, then I would certainly
recommend the product. If, on the other hand, you're concerned about a
wardriver launching attacks against your intranet servers, then you should
really look at standard NIDS. Since the NIDS will hang off the back of your
wireless network, you won't have to worry about WEP... the access points
will have already decrypted the traffic for you.

You can see Robert Baird and Michael Lynn's Black Hat presentation here. It
mentions some of the attacks possible against 802.11 networks and mentions
countermeasures (including the use of AirDefense, of course.)

http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Baird

----- Original Message -----
From: "cyclon jet" <cyclonjet () hotmail com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, October 22, 2002 8:21 AM
Subject: wlan ids


Hi,

Will wireless ids actually help in protecting WLAN if encryption is already
on?
Has anyone come across airdefense?
Any feedback about their wireless ids?

Regards,
cj
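
The kind of check described in the reply above, as an added example that is not part of the original message and is not AirDefense's code: it reads the cleartext 802.11 MAC header (readable even when the WEP bit is set) and flags deauth/disassoc bursts and sequence-number jumps for one transmitter address. The function names, both thresholds, the MAC addresses and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 12, 10   # management-frame (type 0) subtypes
SEQ_GAP_LIMIT = 64          # assumed threshold for a suspicious sequence jump
KICK_LIMIT = 3              # assumed deauth/disassoc count that raises an alert
HDR = "<HH6s6s6sH"          # frame control, duration, addr1-3, sequence control

def parse_header(raw):
    """Decode the 24-byte 802.11 MAC header; WEP encrypts only the frame body."""
    fc, _dur, a1, a2, _a3, seq_ctl = struct.unpack(HDR, raw[:24])
    return {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "protected": bool(fc & 0x4000),          # WEP bit
            "ra": a1.hex(":"), "ta": a2.hex(":"),    # receiver / transmitter
            "seq": seq_ctl >> 4}                     # 12-bit counter per sender

def analyze(frames):
    """Return (alert, transmitter) tuples for a list of raw 802.11 frames."""
    alerts, last_seq, kicks = [], {}, defaultdict(int)
    for raw in frames:
        # Control frames (type 1) and truncated captures lack the full header.
        if len(raw) < 24 or (raw[0] >> 2) & 3 == 1:
            continue
        h = parse_header(raw)
        ta = h["ta"]
        if h["type"] == 0 and h["subtype"] in (DEAUTH, DISASSOC):
            kicks[ta] += 1
            if kicks[ta] == KICK_LIMIT:
                alerts.append(("deauth-flood", ta))
        # Two radios sharing a MAC keep separate counters, so numbers jump.
        if ta in last_seq and (h["seq"] - last_seq[ta]) % 4096 > SEQ_GAP_LIMIT:
            alerts.append(("seq-jump", ta))
        last_seq[ta] = h["seq"]
    return alerts

def build(fc, ra, ta, seq, body=b""):
    """Construct a sample frame (test data only; addr3 is unused by the checks)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(HDR, fc, 0, mac(ra), mac(ta), mac(ta), seq << 4) + body

AP, STA, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
SAMPLE = [  # constructed capture, not real traffic
    build(0x0080, BCAST, AP, 100),                 # beacon from the AP
    build(0x4108, AP, STA, 10, b"\x8f\x02\xc4"),   # WEP data frame, opaque body
    build(0x0080, BCAST, AP, 101),
    *[build(0x00C0, STA, AP, s) for s in (2900, 2901, 2902)],  # deauths using the AP's MAC
    build(0x0080, BCAST, AP, 102),                 # the real AP continues
]
print(analyze(SAMPLE))
```

The jump is reported twice: once when the second counter appears and again when the original transmitter's next frame arrives.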

