In my first post, I discussed the wireless analyzer approach to complying with PCI DSS requirement 11.1 and documented where I think the current techniques fall short and give organizations a false sense of security. In this post, I am going to give you what I think are the shortcomings of wireless intrusion detection/prevention systems.
Wireless IDS/IPS products seem to break down into two types: those that work like the wireless analyzer approach from my previous post on this subject, and those that work like a conventional IDS/IPS. Let us discuss the analyzer-style IDS/IPS first.
Of the analyzer-style IDS/IPS products I have seen demonstrated, most work essentially the same way as the wireless analyzer methods I discussed in my last post. These products typically consist of wireless sensors connected to your network and a central server that also analyzes the wired network once a suspect rogue AP is discovered. The wireless sensor acts as a wireless spectrum analyzer to locate potential rogue APs, the idea being that multiple sensors can triangulate on the rogue AP and provide its location. The inability of these sensors to accurately locate APs outside of a 15-foot radius can make things dicey and potentially expensive, so for large facilities you can expect to spend a lot on sensors for full protection. For example, an average Wal*Mart is around 100,000 square feet. In order to provide adequate coverage, the average Wal*Mart store would require approximately 445 sensors.
On the wired side of things, these analyzer IDS/IPS solutions, along with the exclusively wired solutions, look for rogue network traffic, ICMP responses, MAC addresses and/or SNMP information that indicate the device is a rogue AP. In the end, they sound sophisticated, but they still rely on the rogue access point being configured in a way that lets it be discovered.
Attackers know how these solutions operate and configure their rogue APs to deter or even avoid these identification techniques. As a result, these more sophisticated solutions are also blind to the truly rogue AP.
In addition to these obvious issues, false positives can be quite a problem for the solutions that monitor the wireless spectrum. This is particularly true where APs are added on a regular basis outside of your facilities. With wireless becoming more and more common, that can keep your security team quite occupied sorting through the false positives to find the real potential threats.
And then there is the whole issue of treating 802.11 devices as the only source of compromise. If an attacker is going to go to the length of compromising your network, why would they not use cellular technology and avoid 802.11 altogether? With 3G cellular networking all the rage, the speed of these cellular solutions is no longer a limiting factor. None of these solutions truly addresses the cellular issue, so there is still a vulnerability. Unfortunately, the security vendors, the PCI SSC and the card brands seem to only react to incidents, not think ahead. So, until a breach occurs involving cellular, we will likely not see anything to address this risk.
And what about other forms of wireless such as Bluetooth and satellite? Before you write them off as either not having any transmission distance or being too complicated and expensive, it is that shortsightedness that will get you in trouble. Believe it or not, there are Bluetooth USB adapters with ranges of up to 350 feet. In addition, pairing and security codes are well documented by vendors, so attaching to any Bluetooth device is an easy proposition. Bluetooth can be used to load malware on a system and begin the compromise process. If you think satellite is the last safe wireless solution, at this year’s Black Hat, Adam Laurie discussed not just hacking satellite TV but also data transmissions.
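To make concrete both the wired-side correlation these products perform (MAC address and sensor data checked against the wired LAN) and the false-positive problem from neighbouring APs, here is an added triage script. It is example code written for this post, not the code of any vendor product, and every input in it is constructed: the authorized BSSID list, the OUI-to-vendor table, the sensor sightings and the ARP table are placeholders. It also assumes, as a labelled heuristic, that an AP's LAN-side MAC usually shares its first five octets with its BSSID, which is how it decides whether a sighted AP is also present on the wire.

```python
"""Rogue-AP triage: correlate wireless sensor sightings with the wired ARP table.

Added example for this post; not a vendor's code. All data below is constructed.
"""
import re

# Constructed: BSSIDs of the APs the organization actually owns.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed OUI (first three octets) to vendor table. A real deployment
# would load the IEEE registry; these prefixes are placeholders.
AP_VENDOR_OUIS = {
    "00:11:22": "ExampleCorp managed AP",
    "aa:bb:cc": "HomeRouterCo consumer AP",
}

# Constructed sensor sightings: (bssid, ssid, rssi_dBm, sensor_id).
SENSOR_SIGHTINGS = [
    ("00:11:22:33:44:01", "store-wifi", -48, "sensor-A"),
    ("aa:bb:cc:de:f0:11", "linksys", -52, "sensor-A"),
    ("de:ad:be:ef:00:10", "NETGEAR", -85, "sensor-B"),
    ("aa:bb:cc:12:34:56", "coffee-guest", -81, "sensor-C"),
    ("c0:ff:ee:00:00:01", "FreeWifi", -60, "sensor-B"),
]

# Constructed ARP table as the central server might pull it from a switch.
WIRED_ARP_TABLE = """\
10.20.1.1    00:11:22:33:44:01
10.20.1.57   aa:bb:cc:de:f0:10
10.20.1.90   11:22:33:44:55:66
"""

# Sightings weaker than this, and absent from the wire, are treated as
# neighbours outside the facility rather than rogues. Site-specific tuning.
NEIGHBOUR_RSSI_DBM = -75

MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp(text):
    """Return the set of lowercase MAC addresses found in ARP table text."""
    return {m.group(1).lower() for m in map(MAC_RE.search, text.splitlines()) if m}


def seen_on_wire(bssid, wired_macs):
    """Assumption: an AP's LAN MAC normally shares the first five octets
    with its BSSID, so a 14-character prefix match links the two."""
    prefix = bssid.lower()[:14]
    return any(mac.startswith(prefix) for mac in wired_macs)


def vendor_hint(bssid):
    return AP_VENDOR_OUIS.get(bssid.lower()[:8], "unknown OUI")


def classify(sighting, wired_macs):
    """Return (category, reason) for one sensor sighting."""
    bssid, _ssid, rssi, _sensor = sighting
    bssid = bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized", "BSSID is in the authorized list"
    if seen_on_wire(bssid, wired_macs):
        # Strongest signal of a true rogue: it is plugged into our LAN.
        return "rogue-candidate", "matching MAC prefix present on wired LAN"
    if rssi < NEIGHBOUR_RSSI_DBM:
        return "probable-neighbour", "weak signal and not on the wire"
    return "unknown", "strong signal but not on the wire; investigate"


def triage(sightings, arp_text):
    """Map each sighted BSSID to its classification, reason and vendor hint.

    Limits (the post's point): a rogue with a changed MAC, no ICMP/SNMP
    response, or a cellular uplink never shows up on the wired side, so this
    only trims neighbour false positives; it does not close that gap.
    """
    wired = parse_arp(arp_text)
    report = {}
    for s in sightings:
        category, reason = classify(s, wired)
        report[s[0].lower()] = {
            "category": category,
            "reason": reason,
            "vendor": vendor_hint(s[0]),
            "ssid": s[1],
            "rssi": s[2],
        }
    return report


if __name__ == "__main__":
    for bssid, info in triage(SENSOR_SIGHTINGS, WIRED_ARP_TABLE).items():
        print(f"{bssid}  {info['category']:18} {info['ssid']:12} "
              f"{info['rssi']:>4} dBm  {info['vendor']}  ({info['reason']})")
```

Run as-is, the script flags the `linksys` AP as a rogue candidate because a MAC one octet away from its BSSID sits in the ARP table, files the two weak, off-wire sightings as neighbours, and leaves the strong `FreeWifi` sighting for a human to check. The RSSI threshold and the MAC-prefix heuristic are the two knobs that decide how many neighbours your team has to sift through, and neither helps against an AP whose owner has deliberately kept it off the wire.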
In the end, the important thing to remember is that the public airwaves are just that – ‘public’. And you must treat them as public or you will get burned.
In a future post, I will discuss my thoughts on how I think the PCI DSS should address these shortcomings.