IDS mailing list archives

Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?


From: Joel Snyder <Joel.Snyder () Opus1 COM>
Date: Mon, 27 Apr 2009 11:05:28 +0200


The reason is that you cannot completely deploy 802.1x today. If EVERY port
required 802.1x authentication then you could argue that no unauthorized
devices could be connected. The problem is that not all network devices
support 802.1x today.

Yes, this is true, but there is a common strategy in NAC where 802.1X fails over to MAC authentication. Thus, you would say that a printer with a known MAC address can connect to a particular port, but if someone attached a different device to the port (with a different MAC address), then the port would not open up. In Cisco-speak, they call this MAC Address Fallback, but all modern switches allow for it.

Examples include printers, IP cameras, networked
scanners, and (sadly) access points. So, because you need to provide for
these exceptions you cannot guarantee that no excepted device has been
unplugged and an unauthorized device plugged in in its place.

Now, of course, anyone with a strong knowledge of networking is aware that MAC addresses can be cloned (in fact, access points often make this easy to help work around MAC limitations by broadband ISPs), and thus the use of the word "guarantee" is a very difficult one. But you might also claim (in fact, I'd be happy to claim this) that someone who is intentionally subverting network security would also be easily capable of avoiding a wireless IDS/IPS scanner.

Thus a wireless IDS/IPS scanner might help to tune the window of vulnerability down, but at what potential cost?

(I am not arguing against wireless IDS, by the way; I am just asking these questions to get some general ideas out on the table and see how domain experts in the PCI area are reacting--whether NAC provides a "guarantee" if implemented correctly, for example)

As long as I'm throwing hard questions out there: how many people with wireless IDS/IPS are, perhaps illegally, using a different regulatory regime in order to catch the clever attacker who is using channel 120 in Fargo (an EMEA-only channel) or channel 165 (a US-only channel) in Florence?

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms () Opus1 COM                http://www.opus1.com/jms
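The 802.1X-to-MAC-authentication fallback discussed in the post, as an added illustration that is not part of the thread and not any vendor's implementation. The port names, MAC addresses and policy table are constructed; the duplicate-MAC check is an assumed, simple defender-side signal for the cloning caveat the post raises (a cloned MAC that appears on two ports at once), and it does nothing in the case the quoted text describes, where the real device has been unplugged first:

```python
"""NAC port decision with 802.1X falling back to MAC authentication,
plus a cloned-MAC check. Added example, not code from the mailing list."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class PortPolicy:
    # Constructed per-port policy: MACs allowed to fall back to MAC auth.
    mab_allowed: set = field(default_factory=set)


# Constructed policy table: one printer pinned to one access port.
POLICIES = {
    "Gi1/0/1": PortPolicy(mab_allowed={"00:11:22:33:44:55"}),
    "Gi1/0/2": PortPolicy(),  # no MAC fallback on this port
}


def authorize(port: str, mac: str, dot1x_ok: bool, policies: dict = POLICIES) -> str:
    """Return 'dot1x', 'mab' or 'closed', in the fallback order the post describes.

    802.1X success wins; otherwise the port opens only if this MAC is pinned
    to this port; anything else stays closed. Note that the MAB branch checks
    nothing but the MAC string, which is exactly the cloning weakness."""
    if dot1x_ok:
        return "dot1x"
    policy = policies.get(port)
    if policy is not None and mac.lower() in {m.lower() for m in policy.mab_allowed}:
        return "mab"
    return "closed"


def find_duplicate_macs(observations):
    """observations: iterable of (port, mac) pairs seen in the same window.

    A MAB decision alone cannot tell a printer from a device cloning its MAC,
    but the same MAC live on two ports at once is one observable signal.
    Returns {mac: [ports]} for MACs seen on more than one port."""
    ports_by_mac = defaultdict(set)
    for port, mac in observations:
        ports_by_mac[mac.lower()].add(port)
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


if __name__ == "__main__":
    # Constructed MAC table snapshot: the pinned MAC shows up on two ports.
    snapshot = [
        ("Gi1/0/1", "00:11:22:33:44:55"),
        ("Gi1/0/2", "00:11:22:33:44:55"),
        ("Gi1/0/3", "aa:bb:cc:dd:ee:ff"),
    ]
    print(authorize("Gi1/0/1", "00:11:22:33:44:55", dot1x_ok=False))  # mab
    print(authorize("Gi1/0/2", "00:11:22:33:44:55", dot1x_ok=False))  # closed
    print(find_duplicate_macs(snapshot))
```

The second `authorize` call shows why the per-port pinning matters: the printer's MAC does not open a port it is not pinned to. The duplicate check only fires while both the real device and the clone are attached, so it narrows the window the post talks about without closing it.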


