IDS mailing list archives

RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?

From: "Gary Everekyan" <Gary.Everekyan () consumerinfo com>
Date: Fri, 24 Apr 2009 11:48:57 -0700


Hi Jeremy IMHO you just contradicted yourself. PCI DSS SCOPE  is for Cardholder Data Environment that deals with PAN 
Data. It is this type of scope creep that moves InfoSec professionals away from the business decisions. It is very 
costly to include all your network hence you do what is absolutely necessary to be complainant. (including segmentation)

Here is the excerpt from the PCI DSS 1.2 that talks about in scope and out of scope. You can get the document at  
https://www.pcisecuritystandards.org/
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Scope of Assessment for Compliance with PCI DSS Requirements
..........................
Network Segmentation
Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate 
network is not a PCI
DSS requirement. However, it is recommended as a method that may reduce:
􀂃 The scope of the PCI DSS assessment
􀂃 The cost of the PCI DSS assessment
􀂃 The cost and difficulty of implementing and maintaining PCI DSS controls
􀂃 The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS 
assessment. .......................



Regards,
Gary Everekyan
CISSP, CISM, CHS-III, ISSAP, ISSPCS, ITILp, CGEIT, MCSE, MCT 
Gary_Everekyan () hotmail com


-----Original Message-----
From: Jeremy Bennett [mailto:jeremyfb () mac com] 
Sent: Friday, April 24, 2009 11:04 AM
To: Gary Everekyan; Taras P. Ivashchenko; focus-ids () securityfocus com
Subject: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?

Gary,

That is not true. The requirement for scanning for (and dealing with)
unauthorized APs or wireless devices is applicable to any physical location
that has a part of the CDE (Cardholder Data Environment). Whether you have a
wireless network and whether that wireless network is in or out of scope for
PCI DSS you are still required to scan.

There are a number of other wireless requirements if your WLAN *is* in scope
that you can avoid if you can move it out of scope but this is not one of
them.

Taras,

That requirement is focused on rogue detection and mitigation. If your WLAN
can be moved out of scope for PCI (using a stateful firewall) then you are
only required to scan for rogue devices.
You can either do walk-around scans using something like kismet or
NetStumbler or you can invest in a system with distributed sensors that can
scan for the rogue devices all the time. In theory you could build this with
low cost sensors running kismet and syslog and watch/filter the logs in a
central location. You'd need a way of filtering out the known neighbors and
internal devices and set up something to alert you, etc. I think you'll find
that it is a lot less "free" than you would hope.

-J


On 4/23/09 2:20 PM, "Gary Everekyan" <Gary.Everekyan () consumerinfo com>
wrote:

You can bypass the requirement if the WIFI Does  NOT in any way transmit or
connect to PAN data. If the Wireless network does not transmit PAN data and is
segmented from the wired network with VPN FW ACL etc. than your WIFI is out of
scope.


Regards,
Gary Everekyan
CISSP, CISM, CHS-III, ISSAP, ISSPCS, ITILp, CGEIT, MCSE, MCT
Gary_everekyan () hotmail com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Taras P. Ivashchenko
Sent: Thursday, April 23, 2009 12:51 PM
To: focus-ids () securityfocus com
Subject: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?

Hello, list!

There is requirement in PCI DSS v.1.2:

"...11.1 Test for the presence of wireless access points by using a wireless
analyzer at least quarterly or deploying a wireless IDS/IPS to identify all
wireless devices in use..."

I made some research for open source wireless IDSs and results are not good.
I found some articles about using together Kismet and Snort but it looks like
not best soliution.
Air Snort project is dead.
What wireless IDS/IPS (especially opensource/free) do you use?


--
Тарас Иващенко (Taras Ivashchenko), OSCP www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds

Current thread:

PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Taras P. Ivashchenko (Apr 23)
- RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Gary Everekyan (Apr 24)
  - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 24)
    - RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Gary Everekyan (Apr 24)
    - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 24)
    - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Joel Snyder (Apr 27)
    - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 27)
    - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Joel Snyder (Apr 27)
    - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jeremy Bennett (Apr 27)
    - RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Emm Maxim (Apr 27)
    - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Nelson Murilo (Apr 24)
  - RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Thiago Musa (Apr 24)
  - Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Jason (Apr 24)
  - RE: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Emm Maxim (Apr 24)

(Thread continues...)