PCI DSS: Wireless scanning to look for rogue APs
Oct 13 2009 11:06AM
Taras (taras securityaudit ru)
Re: PCI DSS: Wireless scanning to look for rogue APs
Oct 13 2009 03:58PM
Jeremy Bennett (jeremyfb mac com)
PCI DSS requires you to scan for the rogues and to have a policy for
dealing with them. Your policy should account for the tools that you
are using. If you want to go the route of manually scanning all sites
that have a CDE network presence on them using Kismet, then your
policy should describe what you do when you find an unknown device.
The first step is to determine if it is in your CDE or not. Next is to
deal with it and finally is to make changes so it can't happen again.
This last is extremely important when you choose to only do periodic
scans as you are open to having a leak in your CDE for months before
you find it.
Signal strength is definitely used by many of the Wireless IDS/IPS
products out there as a first cut between neighbors and rogues. Keep
in mind, though, that signal strength is going to differ depending on:
* Your receiver
* The strength of the transmitter
* Your location
* Distance to the transmitter
* Materials between you and the transmitter.
If you want to use the signal as a first-cut heuristic then you must
minimize the variables as much as possible:
* Always use the same laptop and card for all scans
* Conduct your survey in a consistent manner, always stop and scan
from predefined points
* For each point in the survey determine the strength of an AP just
outside your physical location and use something less than that as
your cut off.
When using signal strength my advice is to only use extremely low
values to eliminate neighbors, don't use it to try and determine the
difference between one room and another. Once you have eliminated the
neighbors you must now go and physically find each device. Signal
strength can be used here as a game of hot and cold until you either
physically disconnect the device or you are certain it is not in your
environment. Even then, you should try and figure out who owns it and
where it is.
As for clients, signal is much harder to use as they do not transmit
nearly as consistently as APs do. Kismet does show signal for clients
when it receives frames from them, but then resets it back to 0.
You may also want to invest in a full-blown WIPS solution. These,
generally, include locate functionality and can allow you to find
rogues much faster as well as generate the reports and logs you'll
need for PCI.
Best of luck,
On Oct 13, 2009, at 4:06 AM, Taras wrote:
> Hello, all!
> We have PCI DSS Requirement:
> "11.1 Test for the presence of wireless access points by using a
> analyzer at least quarterly or deploying a wireless IDS/IPS to
> identify all wireless devices in use."
> Ok, we can do this going through all CDEs and scan the air with e.g.
> Then we can make wireless APs/Clients table and classify them as
> rogues or just friendly neighboring
> wireless devices.
> But how can we determine if this rogue AP and especially rogue
> clients (WLAN card into a back office server)
> are inside CDE? By signal level? But Kismet shows this information
> for APs (not for clients) :(
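As an added illustration of the triage procedure described in the reply above (this is example code written for this page, not something posted in the thread, and it does not parse real Kismet output): readings are taken from fixed survey points with the same receiver, each point gets a cutoff set a few dB below the strongest signal seen from a reference AP known to be just outside the building, anything weaker is dropped as a neighbor, and anything else that is not in the authorized inventory goes to the physical "hot and cold" search. Clients whose signal Kismet has reset to 0 are never dropped on signal alone. The calibration values, BSSIDs, SSIDs and scan rows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed calibration table (not measured data): for each survey point,
# the strongest signal in dBm seen from a reference AP known to sit just
# outside the physical perimeter, taken with the same laptop and card.
OUTSIDE_REFERENCE_DBM: Dict[str, int] = {
    "lobby": -72,
    "server-room": -80,
    "back-office": -70,
}
# The cutoff sits this many dB below the outside reference, so only devices
# that are clearly weaker than "outside" get dropped as neighbors.
MARGIN_DB = 6

# Constructed inventory of APs that belong in the CDE (made-up BSSIDs).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


@dataclass
class Observation:
    point: str        # survey point the scan was taken from
    bssid: str
    ssid: str
    kind: str         # "ap" or "client"
    signal_dbm: int   # 0 means "no reading" (Kismet resets client signal to 0)


def cutoff_for(point: str) -> int:
    """Per-point neighbor cutoff in dBm; weaker than this counts as outside."""
    return OUTSIDE_REFERENCE_DBM[point] - MARGIN_DB


def classify_observation(obs: Observation) -> str:
    """Verdict for one reading: 'authorized', 'neighbor' or 'investigate'."""
    if obs.bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    if obs.signal_dbm == 0:
        # No usable reading (the client case from the reply): do not drop it
        # on signal alone, queue it for the physical search instead.
        return "investigate"
    if obs.signal_dbm < cutoff_for(obs.point):
        return "neighbor"
    return "investigate"


def triage(observations: List[Observation]) -> Dict[str, str]:
    """Fold all readings per BSSID: one 'investigate' anywhere escalates the device."""
    verdicts: Dict[str, str] = {}
    for obs in observations:
        verdict = classify_observation(obs)
        previous = verdicts.get(obs.bssid)
        # 'authorized' and 'investigate' are never downgraded by a weaker reading
        if previous is None or previous == "neighbor":
            verdicts[obs.bssid] = verdict
    return verdicts


def strongest_point(observations: List[Observation], bssid: str) -> Optional[str]:
    """Starting point for the 'hot and cold' search: the survey point with the
    strongest non-zero reading for this device (higher dBm is stronger)."""
    readings = [o for o in observations if o.bssid == bssid and o.signal_dbm != 0]
    if not readings:
        return None
    return max(readings, key=lambda o: o.signal_dbm).point


# Constructed scan results, as if collected from three survey points.
SAMPLE_SCAN: List[Observation] = [
    Observation("lobby",       "00:11:22:33:44:01", "corp-pos",   "ap",     -50),
    Observation("lobby",       "aa:bb:cc:dd:ee:01", "CoffeeShop", "ap",     -85),
    Observation("back-office", "aa:bb:cc:dd:ee:01", "CoffeeShop", "ap",     -88),
    Observation("lobby",       "aa:bb:cc:dd:ee:02", "linksys",    "ap",     -70),
    Observation("server-room", "aa:bb:cc:dd:ee:02", "linksys",    "ap",     -45),
    Observation("back-office", "aa:bb:cc:dd:ee:03", "",           "client",   0),
    Observation("lobby",       "aa:bb:cc:dd:ee:04", "",           "client", -82),
]


if __name__ == "__main__":
    for bssid, verdict in sorted(triage(SAMPLE_SCAN).items()):
        where = strongest_point(SAMPLE_SCAN, bssid) or "no usable reading"
        print(f"{bssid}  {verdict:12s}  strongest at: {where}")
```

The fold in `triage` is deliberately one-directional: a device seen strongly at any single point is escalated even if it looked like a neighbor elsewhere, which matches the reply's advice to use signal only as a very low first-cut filter and then go and find the device.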
Copyright 2010, SecurityFocus