Focus on IDS
Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Apr 27 2009 09:05AM
Joel Snyder (Joel Snyder Opus1 COM) (1 replies)

> The reason is that you cannot completely deploy 802.1x today. If EVERY port
> required 802.1x authentication then you could argue that no unauthorized
> devices could be connected. The problem is that not all network devices
> support 802.1x today.

Yes, this is true, but there is a common strategy in NAC where 802.1X
fails over to MAC authentication. Thus, you would say that a printer
with a known MAC address can connect to a particular port, but if
someone attached a different device to the port (with a different MAC
address), then the port would not open up. In Cisco-speak, they call
this MAC Address Fallback, but all modern switches allow for it.

> Examples include printers, IP cameras, networked
> scanners, and (sadly) access points. So, because you need to provide for
> these exceptions you cannot guarantee that no excepted device has been
> unplugged and an unauthorized device plugged in in its place.

Now, of course, anyone with a strong knowledge of networking is aware
that MAC addresses can be cloned (in fact, access points often make this
easy to help work around MAC limitations by broadband ISPs), and thus
the use of the word "guarantee" is a very difficult one. But you might
also claim (in fact, I'd be happy to claim this) that someone who is
intentionally subverting network security would also be easily capable
of avoiding a wireless IDS/IPS scanner.

Thus a wireless IDS/IPS scanner might help to tune the window of
vulnerability down, but at what potential cost?

(I am not arguing against wireless IDS, by the way; I am just asking
these questions to get some general ideas out on the table and see how
domain experts in the PCI area are reacting--whether NAC provides a
"guarantee" if implemented correctly, for example)

As long as I'm throwing hard questions out there: how many people with
wireless IDS/IPS are, perhaps illegally, using a different regulatory
regime in order to catch the clever attacker who is using channel 120 in
Fargo (an EMEA-only channel) or channel 165 (a US-only channel) in Florence?

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms (at) Opus1 (dot) COM http://www.opus1.com/jms
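
The 802.1X-to-MAC-authentication failover described in the message above, written out as a Cisco IOS access-port configuration; this is an added example, not part of the original post. The interface name, RADIUS server address and shared secret are constructed placeholders, and the timer values are illustrative assumptions.

```cisco
! Added example. All addresses, names and secrets are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description printer without an 802.1X supplicant (constructed example)
 switchport mode access
 ! Port stays closed until one of the methods below succeeds
 authentication port-control auto
 ! Try 802.1X first; if no supplicant answers, fall back to
 ! MAC authentication (the "MAC Address Fallback" in the post)
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Exactly one MAC address allowed behind the port; a second
 ! address is dropped and logged instead of being admitted
 authentication host-mode single-host
 authentication violation restrict
 ! Enable MAC authentication: the switch sends the source MAC
 ! to RADIUS, which must list the printer's address
 mab
 dot1x pae authenticator
 ! These timers govern how long the port waits for a supplicant
 ! before falling back to MAC authentication
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

The MAC check on this port matches an address rather than a device, which is the cloning limitation the message raises about the word "guarantee".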

Copyright 2010, SecurityFocus