#1
Hey all,
I know there's a general move towards wireless IDS in the industry, but for initial sweeps (proving a site is clean), I'm wondering what tools people use. At the moment I do a range of positional network listings using kismet and then use a little program I wrote to deal with the output and determine (approximately) where networks are situated. Something more precise would be good. I've seen this yellowjacket thing, and was considering building something like the shmoo bloodhound, but was wondering if anyone knew of any alternatives, or the costs of things like the yellowjacket.
cheers, fp
Last edited by FunPolice; 01-22-2010 at 11:50 PM. Reason: typo
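The "positional listing plus a little program" approach in the post above can be made concrete. The block below is an added example, not FunPolice's program and not part of the thread: it takes Kismet-style network sightings joined with the laptop's position at the time of each sighting (the observations, the site grid and the authorised BSSID list are all constructed for the example), estimates each access point's position with an RSSI-weighted centroid, and reports any located BSSID that is not on the authorised list.

```python
"""Added example: estimate where each access point seen during a positional
sweep sits, and flag BSSIDs that are not on the site's authorised list.

Each observation is one Kismet-style network sighting joined with the
position the laptop was at when it was recorded. The data below is
constructed for the example; x/y values are metres on a local site grid.
"""
from collections import defaultdict

# Constructed observations: (bssid, ssid, x_metres, y_metres, rssi_dbm).
OBSERVATIONS = [
    ("00:11:22:33:44:55", "STORE-POS", 0.0, 0.0, -70),
    ("00:11:22:33:44:55", "STORE-POS", 20.0, 0.0, -50),
    ("00:11:22:33:44:55", "STORE-POS", 20.0, 20.0, -62),
    ("00:11:22:33:44:55", "STORE-POS", 0.0, 20.0, -80),
    ("de:ad:be:ef:00:01", "linksys", 0.0, 0.0, -45),
    ("de:ad:be:ef:00:01", "linksys", 20.0, 0.0, -75),
    ("de:ad:be:ef:00:01", "linksys", 0.0, 20.0, -60),
]

# Hypothetical site inventory: BSSIDs the merchant deployed on purpose.
AUTHORISED_BSSIDS = {"00:11:22:33:44:55"}


def rssi_weight(rssi_dbm):
    """Convert a dBm reading to linear milliwatts so strong sightings dominate."""
    return 10.0 ** (rssi_dbm / 10.0)


def estimate_positions(observations, min_samples=3):
    """Return {bssid: (ssid, x, y, n)} using an RSSI-weighted centroid.

    Networks seen fewer than min_samples times are skipped: a single
    sighting gives no position, it only reproduces where the laptop was.
    """
    acc = defaultdict(lambda: {"ssid": None, "wx": 0.0, "wy": 0.0, "w": 0.0, "n": 0})
    for bssid, ssid, x, y, rssi in observations:
        w = rssi_weight(rssi)
        a = acc[bssid]
        a["ssid"] = ssid
        a["wx"] += w * x
        a["wy"] += w * y
        a["w"] += w
        a["n"] += 1
    return {
        bssid: (a["ssid"], a["wx"] / a["w"], a["wy"] / a["w"], a["n"])
        for bssid, a in acc.items()
        if a["n"] >= min_samples
    }


def find_rogues(observations, authorised):
    """Positions of every located network whose BSSID is not authorised."""
    return {
        bssid: pos
        for bssid, pos in estimate_positions(observations).items()
        if bssid not in authorised
    }


if __name__ == "__main__":
    for bssid, (ssid, x, y, n) in estimate_positions(OBSERVATIONS).items():
        tag = "ok   " if bssid in AUTHORISED_BSSIDS else "ROGUE"
        print(f"{tag} {bssid} {ssid!r:14} ~({x:5.1f}, {y:5.1f}) m from {n} sightings")
```

Weighting by linear power rather than raw dBm pulls the estimate hard toward the strongest sighting, so the result is only as fine as the sweep grid; walking a denser grid around a suspect BSSID tightens it. The same per-position data, drawn rather than averaged, is what the heat-map tools mentioned later in the thread display.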
#2
I use a low cost USB RF spectrum analyzer and a free SSID tracking utility for sweeps and for ongoing quarterly monitoring for any new rogue access points in place of a Wi-Fi IDS/IPS, i.e. for Requirement 11.1.
Few merchants can afford the average Wi-Fi IDS/IPS technology, as the cost runs around $2K per site for a single controller and probe and goes up incrementally as additional probes are added. An excellent product example in this category is Airmagnet.
__________________
OJ Jonasson CMC
#3
For those sites that can't afford a WIDS, simple laptops with 802.11a/b/g/n cards (either internal or USB/PCMCIA) will do. Kismet, NetStumbler, inSSIDer etc. are some low cost tools to meet this intent.
That way the laptop can be used in between scan periods.
lyalc
#4
You also need to wrap a substantive process around the use of these tools to demonstrate how PCI Requirement 11.1 will be met, as this is exactly what your QSA will be looking for.
__________________
OJ Jonasson CMC
#5
What I have seen that assists in this sort of approach is the CACE Technologies wireless tools. In particular the application that allows for the generation of "heat maps" based on the signal strength of the wireless transmitters it encounters. In addition to the 2.4GHz spectrum, it will also do the 5GHz. The heat map allows even a rookie to determine where the Wi-Fi transmitters are.

In the end, while I think requirement 11.1 had good intentions, it is a bad way to mitigate the threat of rogue wireless devices. Unfortunately, the cost of implementing a good WIDS/WIPS is outside of even some large corporations' IT budgets. That said, WIDS/WIPS is not necessarily the way to go either.

I have a client that is a large merchant that is reconsidering their WIDS implementation after the initial trial roll out at 20 stores has become a nightmare. While they have done everything the WIDS vendor has told them to do, the number of false positives remains too high to manage. The interesting thing about the false positives they are seeing is that a lot of them are misconfigured PC wireless cards acting as APs.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc, 801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526. 612 376 9280 - office, 612 395 7280 - facsimile, www.mcgladrey.com. The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc.
#6
In addition to the wireless scanning products out there, I also like to do wired scanning.
Nessus has a plug-in for detection of APs - http://www.nessus.org/plugins/index....ingle&id=11026 And there is RogueScanner from Paglo that also does the trick.
Kind regards, Daniel
#7

#8
This thread seems to have gone astray - a frequent occurrence on this blog.
The original question was related to some inexpensive way for a merchant to satisfy Requirement 11.1. This is a very real and everyday challenge for my merchant clients, as most complete a SAQ C or D which must be reviewed by a QSA (here in Canada only). The QSA inevitably picks up this question and asks for a description/explanation of how Requirement 11.1 is being met by the merchant. No valid response - no certificate of validation.
__________________
OJ Jonasson CMC
#9
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc, 801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526. 612 376 9280 - office, 612 395 7280 - facsimile, www.mcgladrey.com. The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc.
#10
Jeff:
Thanks for the tip. This set of compensating controls has been around for some time and bantered about on a number of related blogs and discussion groups. The major difficulty is the degree of manual time, effort and technical complexity required to design, document, implement, maintain and enforce this approach in order to satisfy Requirement 11.1. It goes well beyond the "at least quarterly" testing asserted in 11.1, as it results in a more persistent form of rogue access point detection/prevention - albeit a superior information security implementation. Merchants validating with either a SAQ C or D must satisfy this requirement, and this generally includes smaller merchants with very limited IT support resources. IMHO, activating/deactivating switch ports, maintaining MAC address filtering, monitoring the unplugging and/or replacement of devices on switches, SNMP monitoring, disabling DHCP and assigning static IPs on every device in the merchant's environment all border on rocket science for the vast majority of smaller merchants.
__________________
OJ Jonasson CMC
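The wired-side compensating controls listed above, and the wired scanning Daniel mentions in #6, reduce to one question: does what the switch sees on each port match what the merchant thinks is plugged in? The block below is an added example, not any poster's tool: it parses a constructed MAC address table in the dotted `xxxx.xxxx.xxxx` style that Cisco-type switches print for `show mac address-table`, compares it against a hypothetical device inventory, and reports unknown MACs and ports carrying more than one MAC (a cheap indicator that something such as an access point or a small switch is bridging behind the port). The table text and the inventory are both constructed for the example.

```python
"""Added example: audit a switch MAC address table against a device inventory.

Input is a constructed copy of the table format Cisco-style switches print
for `show mac address-table`; the inventory is a hypothetical list of the
devices the merchant knows about, keyed by colon-separated MAC.
"""
import re
from collections import defaultdict

# Constructed sample output (not a real capture).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    dead.beef.0001    DYNAMIC     Gi1/0/7
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/7
  20    0011.2233.4477    DYNAMIC     Gi1/0/3
"""

# Hypothetical inventory: every MAC the merchant has deliberately deployed.
INVENTORY = {
    "00:11:22:33:44:55": "POS terminal 1",
    "00:11:22:33:44:66": "POS terminal 2",
    "00:11:22:33:44:77": "Back-office PC",
}

# One data row: vlan, dotted MAC, entry type, port. Header/separator rows
# do not start with a VLAN number and are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalise_mac(dotted):
    """'0011.2233.4455' -> '00:11:22:33:44:55' so it matches the inventory keys."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from the table text."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            entries.append((int(vlan), normalise_mac(mac), port))
    return entries


def audit(entries, inventory):
    """Return (unknown, multi_mac_ports).

    unknown: (vlan, mac, port) rows whose MAC is not in the inventory.
    multi_mac_ports: {port: sorted MACs} for ports with more than one MAC,
    which on an access port usually means a device is bridging behind it.
    """
    unknown = [(vlan, mac, port) for vlan, mac, port in entries if mac not in inventory]
    by_port = defaultdict(set)
    for _vlan, mac, port in entries:
        by_port[port].add(mac)
    multi = {port: sorted(macs) for port, macs in by_port.items() if len(macs) > 1}
    return unknown, multi


if __name__ == "__main__":
    unknown, multi = audit(parse_mac_table(MAC_TABLE), INVENTORY)
    for vlan, mac, port in unknown:
        print(f"UNKNOWN  vlan {vlan:<3} {mac}  on {port}")
    for port, macs in multi.items():
        print(f"MULTI    {port} carries {len(macs)} MACs: {', '.join(macs)}")
```

Run quarterly (or from cron) against a fresh table pull and diffed against the previous run, this gives a small merchant the "new device on the wire" signal that a full WIPS deployment would otherwise provide, without the switch-port toggling and static-IP work described above.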