RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?

["Thiago Musa" <klawiq () gmail com>]

Gary,

Actually, if I'm not wrong, the 11.1 requirement is looking for rogue AP's
on your network, it doesn't matter the scope of your wireless network.

Regards,


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Gary Everekyan
Sent: quinta-feira, 23 de abril de 2009 18:20
To: Taras P. Ivashchenko; focus-ids () securityfocus com
Subject: RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..".
Kismet+Snort?

You can bypass the requirement if the WIFI Does  NOT in any way transmit or
connect to PAN data. If the Wireless network does not transmit PAN data and
is segmented from the wired network with VPN FW ACL etc. than your WIFI is
out of scope.


Regards,
Gary Everekyan
CISSP, CISM, CHS-III, ISSAP, ISSPCS, ITILp, CGEIT, MCSE, MCT 
Gary_everekyan () hotmail com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Taras P. Ivashchenko
Sent: Thursday, April 23, 2009 12:51 PM
To: focus-ids () securityfocus com
Subject: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?

Hello, list!

There is requirement in PCI DSS v.1.2:

"...11.1 Test for the presence of wireless access points by using a wireless
analyzer at least quarterly or deploying a wireless IDS/IPS to identify all
wireless devices in use..."

I made some research for open source wireless IDSs and results are not good.
I found some articles about using together Kismet and Snort but it looks
like not best soliution.
Air Snort project is dead. 
What wireless IDS/IPS (especially opensource/free) do you use?


--
Тарас Иващенко (Taras Ivashchenko), OSCP www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds