Wireless intrusion detection is a bit of a black art. For one thing, many activities that could be considered an intrusion can be explained away by honest configuration mistakes made by users. Another problem is that, unlike a typical IDS that can monitor traffic at a few key points, a wireless IDS (WIDS) has to cover all the ground that your APs do in order to be effective. Even if you use free software, the cost in hardware can be prohibitive.
Another problem with wireless IDSs is that there are so many events for an attacker to hide behind. If an attacker wants to set up a rogue AP, he's not going to leave the SSID linksys and drop it in the middle of your sensor range. He's going to clone the MAC and SSID of an AP on one side of your installation and set up shop somewhere on the other side. How many administrators or applications are going to notice one of your APs duplicating itself?
Finally, the most prohibitive factor against using wireless IDSs is that they cost a lot. Many of the large enterprise solutions simply have a price tag that says, "call us," which is never a good sign. This section covers the basics of what an open-source wireless IDS can do, and briefly mentions some of the features of the big commercial products as well.
One of the more distinctive features of wireless IDSs, which some commercial products have, is the ability to analyze non-802.11 interference. It would be interesting to see what would happen if someone wrote the code to combine Kismet and Wi-Spy (a cheap 2.4 GHz spectrum analyzer) into some sort of dynamic duo of 802.11 intrusion detection. Until then, this below-the-link-layer analysis will remain the realm of commercial products.
When evaluating a wireless IDS system, the following list serves as a good minimum feature set:
Catch script kiddies using NetStumbler
Perform 802.11 frame sequence analysis
Detect rogue APs
Detect unencrypted (or incorrectly encrypted) traffic
Detect blatant DoS attacks (deauths, CTS floods, and so on)
Detect signatures of well-known device driver exploits
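As an added illustration, not code from the book or from any WIDS product, the following Python sketch implements three items from the list above over a constructed capture: cloned APs (the scenario described earlier, where an attacker duplicates the MAC and SSID of a real AP on the far side of the site) spotted by multi-channel beacons and 802.11 sequence-number analysis, APs advertising no encryption or WEP, and deauthentication floods. The frame records and their field names are assumptions made for the example; a real sensor would decode them from a monitor-mode capture.

```python
"""Toy WIDS heuristics over constructed 802.11 management-frame records.

Added example, not from the book or from Kismet. Frames are dicts with
an assumed shape: ts, subtype, src, bssid, ssid, seq (12-bit sequence
number), channel, privacy (capability bit) and cipher for beacons; ts,
subtype, src, dst for deauthentication frames.
"""
from collections import defaultdict

SEQ_MODULO = 4096  # 802.11 sequence numbers are 12 bits and wrap


def _beacon(ts, src, ssid, seq, channel, privacy=True, cipher="CCMP"):
    return {"ts": ts, "subtype": "beacon", "src": src, "bssid": src,
            "ssid": ssid, "seq": seq, "channel": channel,
            "privacy": privacy, "cipher": cipher}


def _deauth(ts, src, dst):
    return {"ts": ts, "subtype": "deauth", "src": src, "dst": dst}


# Constructed capture: an honest AP on channel 6, a clone of the same
# BSSID/SSID on channel 11 running its own sequence counter, an open AP,
# a WEP AP, and a burst of broadcast deauthentication frames.
AP = "00:11:22:33:44:55"
FRAMES = []
for i in range(10):
    FRAMES.append(_beacon(0.1 * i, AP, "corp-wlan", 1000 + i, 6))
    FRAMES.append(_beacon(0.1 * i + 0.05, AP, "corp-wlan", 200 + i, 11))
FRAMES.append(_beacon(1.0, "66:77:88:99:aa:bb", "guest", 5, 1,
                      privacy=False, cipher=None))
FRAMES.append(_beacon(1.1, "aa:bb:cc:dd:ee:ff", "legacy", 7, 1,
                      privacy=True, cipher="WEP"))
for i in range(60):
    FRAMES.append(_deauth(2.0 + 0.01 * i, AP, "ff:ff:ff:ff:ff:ff"))
FRAMES.sort(key=lambda f: f["ts"])


def sequence_anomalies(frames, tolerance=64):
    """Count sequence-number discontinuities per transmitter.

    One radio increments seq by one per frame (mod 4096), so consecutive
    frames from one address should differ by a small positive amount
    (a few missed frames are tolerated). Frames that keep alternating
    between two distant counters indicate two radios sharing the address.
    """
    last = {}
    jumps = defaultdict(int)
    for f in frames:
        if "seq" not in f:
            continue
        src = f["src"]
        if src in last:
            delta = (f["seq"] - last[src]) % SEQ_MODULO
            if delta > tolerance:  # backwards, or far beyond a plausible gap
                jumps[src] += 1
        last[src] = f["seq"]
    return dict(jumps)


def cloned_aps(frames, jump_threshold=5):
    """BSSIDs beaconing on several channels or with a jumping counter."""
    channels = defaultdict(set)
    for f in frames:
        if f["subtype"] == "beacon":
            channels[f["bssid"]].add(f["channel"])
    anomalies = sequence_anomalies(frames)
    flagged = {}
    for bssid, chans in channels.items():
        reasons = []
        if len(chans) > 1:
            reasons.append("channels %s" % sorted(chans))
        if anomalies.get(bssid, 0) >= jump_threshold:
            reasons.append("%d sequence jumps" % anomalies[bssid])
        if reasons:
            flagged[bssid] = reasons
    return flagged


def weak_encryption_aps(frames):
    """Beacons with the privacy bit clear, or advertising WEP."""
    result = {}
    for f in frames:
        if f["subtype"] != "beacon":
            continue
        if not f["privacy"]:
            result[f["bssid"]] = "open"
        elif f["cipher"] == "WEP":
            result[f["bssid"]] = "WEP"
    return result


def deauth_floods(frames, window=1.0, threshold=20):
    """Sources exceeding `threshold` deauths in any `window`-second span."""
    by_src = defaultdict(list)
    for f in frames:
        if f["subtype"] == "deauth":
            by_src[f["src"]].append(f["ts"])
    flooders = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flooders[src] = peak
    return flooders


if __name__ == "__main__":
    print("cloned APs:", cloned_aps(FRAMES))
    print("weak encryption:", weak_encryption_aps(FRAMES))
    print("deauth floods:", deauth_floods(FRAMES))
```

The sequence-number check is the one that catches the clone even when it sits on the same channel as the real AP, because the attacker's radio cannot know or track the legitimate AP's counter; the thresholds are placeholders that would need tuning against the false positives the text warns about (a sniffer that misses frames also produces gaps).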
While wireless IDSs may be only moderately effective in detecting a knowledgeable attacker, their most redeeming quality is that the high-end ones can pull double duty. For example, since you spent all that money deploying sensors, most WIDS can provide accurate statistics on WLAN use, signal strength, and saturation.
Currently, I feel that most organizations willing to spend the money on a commercial wireless IDS would be better served by strong 802.1X-based authentication and upgrading their infrastructure to WPA2. If an organization already has this infrastructure in place, and wireless is so important that they still think an IDS is worth deploying, then it might be an avenue worth exploring. If you are expecting your wireless IDS to catch a savvy attacker, then you are probably in for an unpleasant surprise. If you think an IDS would be a good tool to enforce your wireless usage policy on users (by detecting rogue and/or unencrypted APs), then you probably have your expectations set at the correct level.