IDS mailing list archives
Re: Wired detection of rogue access points
From: "Eric Hacker" <my.self () erichacker com>
Date: Thu, 29 Mar 2007 14:21:37 -0400
On 3/28/07, Adam Graham <agraham () datastreamcowboys net> wrote:
Why is everyone concentrating on MAC filtering..... MAC filters are just a front line first wave deterrent.
There are two main problems here. One the administrative difficulties of any MAC based solution quickly outweigh the benefits. More importantly, Ethernet ONLY has MAC authentication. It doesn't matter that all your legitimate access points are outside the firewall if all you LAN ports are inside and my rouge access point is on one of those.
From that perspective, 802.11 is more secure than 802.3. Even with
WEP, one has to expend some effort trying to crack keys. On Ethernet, all one needs is the MAC. Ethernet is wide open, except that it is physically harder to get to than wireless. Any authentication layered on top of Ethernet cannot stop a motivated attacker unless it authenticates every single packet. That means encryption or at least IPSec AH. All 802.1x does is force an authentication every now and then of the MAC and or IP address. If one is worried about financially motivated espionage, that is not good enough. That's why the focus on MAC address is so important. Too many people think that it is way more valuable than it is. The network is defined layers. Security must be applied in layers. If you don't understand the security of a given layer, then it must be considered worthless as far as what you know. Assume you know and you're sure to fall. One can attempt to rebuild the levies protecting New Orleans and hope they'll hold next time, but one must also begin to restore the natural wetlands that used to protect New Orleans before the 20th century. Sure levies provide some protection, but defense in depth of hundreds of square miles of protection is the only viable long term solution. If the levies reduce the political will to rebuild the wetlands, then they have already failed. Regards, -- Eric Hacker, CISSP aptronym (AP-troh-NIM) noun A name that is especially suited to the profession of its owner I _can_ leave well enough alone, but my criteria for well enough is pretty darn high. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Re: Wired detection of rogue access points, (continued)
- Re: Wired detection of rogue access points Chris Waters (Mar 21)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
- RE: Wired detection of rogue access points Waters, Chris (Mar 22)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
- Re: Wired detection of rogue access points krymson (Mar 26)
- Re: Wired detection of rogue access points Chad Mano (Mar 26)
- Re: Wired detection of rogue access points Eric Hacker (Mar 26)
- Re: Wired detection of rogue access points Chad Mano (Mar 26)
- Re: Wired detection of rogue access points jay.tomas (Mar 27)
- Re: Wired detection of rogue access points Adam Powers (Mar 29)
- Re: Wired detection of rogue access points tim_holman (Mar 29)
- RE: Wired detection of rogue access points Adam Graham (Mar 29)
- Re: Wired detection of rogue access points Eric Hacker (Mar 30)
- RE: Wired detection of rogue access points Adam Graham (Mar 30)
- Re: Wired detection of rogue access points Chris Waters (Mar 21)