IDS mailing list archives

Re: Wired detection of rogue access points


From: "Eric Hacker" <my.self () erichacker com>
Date: Thu, 29 Mar 2007 14:21:37 -0400

On 3/28/07, Adam Graham <agraham () datastreamcowboys net> wrote:
> Why is everyone concentrating on MAC filtering..... MAC filters are just a
> front line first wave deterrent.

There are two main problems here.

One, the administrative difficulties of any MAC based solution quickly
outweigh the benefits.

More importantly, Ethernet ONLY has MAC authentication. It doesn't
matter that all your legitimate access points are outside the firewall
if all your LAN ports are inside and my rogue access point is on one of
those.

From that perspective, 802.11 is more secure than 802.3. Even with
WEP, one has to expend some effort trying to crack keys. On Ethernet,
all one needs is the MAC. Ethernet is wide open, except that it is
physically harder to get to than wireless.

Any authentication layered on top of Ethernet cannot stop a motivated
attacker unless it authenticates every single packet. That means
encryption or at least IPSec AH. All 802.1x does is force an
authentication every now and then of the MAC and/or IP address. If one
is worried about financially motivated espionage, that is not good
enough.

That's why the focus on MAC address is so important. Too many people
think that it is way more valuable than it is.

The network is defined in layers. Security must be applied in layers. If
you don't understand the security of a given layer, then it must be
considered worthless as far as what you know. Assume you know and
you're sure to fall.

One can attempt to rebuild the levees protecting New Orleans and hope
they'll hold next time, but one must also begin to restore the natural
wetlands that used to protect New Orleans before the 20th century.
Sure, levees provide some protection, but defense in depth of hundreds
of square miles of protection is the only viable long term solution.
If the levees reduce the political will to rebuild the wetlands, then
they have already failed.

Regards,
--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
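
The contrast the message above draws between authenticating a port now and then and authenticating every single packet, as an added example that is not part of the original post. The MAC address, key, and packet layout are constructed for illustration, and the HMAC check is a simplified stand-in for an AH-style integrity check value, not an IPsec implementation.

```python
import hashlib
import hmac
import struct

# Constructed sample values for illustration only.
AUTHORIZED_MAC = bytes.fromhex("020000000a01")
SESSION_KEY = b"constructed-demo-key"
ICV_LEN = 32  # SHA-256 output length

def port_accepts(src_mac, authorized_macs):
    """Port-level model: once a MAC has logged in, any frame bearing it passes."""
    return src_mac in authorized_macs

def seal(key, seq, src_mac, payload):
    """Sender: append an integrity check value (ICV) over the whole packet."""
    body = struct.pack("!I", seq) + src_mac + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Per-packet model: verify the ICV and reject replayed sequence numbers."""
    def __init__(self, key):
        self.key = key
        self.highest_seq = 0

    def accept(self, packet):
        if len(packet) < 4 + 6 + ICV_LEN:
            return False
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            return False  # sender does not hold the key
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.highest_seq:
            return False  # replay (real AH uses a sliding window instead)
        self.highest_seq = seq
        return True

def demo():
    rx = Receiver(SESSION_KEY)
    genuine = seal(SESSION_KEY, 1, AUTHORIZED_MAC, b"hello")
    # A second device reusing the source MAC without knowing the key.
    copied = struct.pack("!I", 2) + AUTHORIZED_MAC + b"hello" + bytes(ICV_LEN)
    return {
        "port_genuine": port_accepts(genuine[4:10], {AUTHORIZED_MAC}),
        "port_copied": port_accepts(copied[4:10], {AUTHORIZED_MAC}),
        "packet_genuine": rx.accept(genuine),
        "packet_copied": rx.accept(copied),
        "packet_replayed": rx.accept(genuine),
    }
```

The port-level check passes both frames because it sees only the source MAC; the per-packet check passes only the frame sealed with the key and refuses it when it is presented a second time.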
