- Wireless Intrusion Detection
- Ron Taylor
February 27, 2005, 3:24 am
Re: Wireless Intrusion Detection
I'm not using such products.
I would first try to use functionality of the better AP like Cisco or
Proxim together with a solid WLAN network management concept.
This isn't really possible, if the intruder knows how such systems work.
If you log all unsuccessful association attempts (wrong SSID, wrong WEP
key, wrong MAC address, unsuccessful EAP) you have to pay lots of time
to analyze tons of log files.
Understand how the Windows Zero Configuration Service tries to find
which AP to associate to if configured for more than *one* network and
perhaps you know how many criteria must be concerned to distinguish
rogue attempts from "normal use" failures. Consider the number of
network interfaces a recent business class notebook has. (WLAN,
Ethernet, Firewire, Bluetooth...)
I haven't seen any WLAN IDS that can detect an 802.11FH AP wireless, you
only have to overwrite the Ethernet MAC address to an allowed one and
filter the IAPP broad- and multicasts. So you cannot find the rogue AP
from both wired *and* wireless side.
IMHO the only attempt is a consequent use of 802.1x for *all* ports too.
Your RADIUS logs have all the info you want. Wireless and wired.
Better than only curing the symptoms.
These opinions are mine. All found typos are yours.
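
As an added example that is not part of the original post: one way to cut down the failed-association log volume described above is to discard failures that are followed shortly by a success from the same client (a client cycling through its configured networks) and keep only clients that fail repeatedly without ever getting in. The log format, field names, reason codes and MAC addresses are constructed for illustration and do not match any particular AP or RADIUS server.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical format, not a real AP/RADIUS log):
# timestamp, client MAC, outcome, failure reason
SAMPLE_LOG = """\
2005-02-27T03:10:01 00:11:22:33:44:01 FAIL wrong_ssid
2005-02-27T03:10:03 00:11:22:33:44:01 FAIL wrong_ssid
2005-02-27T03:10:06 00:11:22:33:44:01 OK -
2005-02-27T03:12:00 00:11:22:33:44:02 FAIL wrong_wep_key
2005-02-27T03:12:05 00:11:22:33:44:02 FAIL wrong_wep_key
2005-02-27T03:12:09 00:11:22:33:44:02 FAIL eap_failure
2005-02-27T03:12:30 00:11:22:33:44:02 FAIL wrong_mac
2005-02-27T03:15:00 00:11:22:33:44:03 FAIL eap_failure
"""

def parse(text):
    """Yield (timestamp, mac, outcome, reason) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        ts, mac, outcome, reason = parts
        yield datetime.fromisoformat(ts), mac.lower(), outcome, reason

def triage(text, min_failures=3, grace=timedelta(seconds=30)):
    """Return {mac: sorted failure reasons} for clients worth a manual look."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, mac, outcome, reason in parse(text):
        (successes[mac] if outcome == "OK" else fails[mac]).append((ts, reason))
    suspects = {}
    for mac, events in fails.items():
        # A failure followed by a success within `grace` is treated as
        # "normal use" (client trying its configured networks in turn).
        unexplained = [
            (ts, reason) for ts, reason in events
            if not any(timedelta(0) <= ok - ts <= grace
                       for ok, _ in successes[mac])
        ]
        if len(unexplained) >= min_failures:
            suspects[mac] = sorted({reason for _, reason in unexplained})
    return suspects

if __name__ == "__main__":
    for mac, reasons in triage(SAMPLE_LOG).items():
        print(mac, reasons)
```

Because the filter keys on the client MAC address, it only reduces review volume; it does not identify a device whose MAC has been changed to an allowed one.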
- Lassi Hippeläinen
February 27, 2005, 7:18 pm