Most security administrators are familiar with the capabilities of modern intrusion-detection systems and the benefits of incorporating this technology into their network security infrastructure. The proliferation of wireless networking introduces new challenges in intrusion detection.
Hackers have taken the old practice of war dialing to the next level with the use of war driving attacks. These simple attacks are passive in nature. The perpetrator simply drives up and down city streets with a wireless-enabled laptop looking for active network signals. This can be done with tools like NetStumbler (which is even available in a PocketPC edition) or with the built-in capability of Windows XP to search out Wireless Access Points (WAPs).
What's an intrusion-detection conscious network administrator to do? Actually, the best starting point is to implement a solid base of traditional intrusion-detection systems designed to detect malicious activity on your network. Chances are that hackers sneaking in through your wireless network will attempt to perform the same malicious activities that they would when sneaking in through a wired network. Once you have that in place, you may wish to consider implementing special measures to deal with two common concerns: unauthorized wireless clients and unauthorized wireless access points.
The issue of detecting unauthorized clients can be somewhat tricky. If you have a finite number of authorized clients, you can simply monitor the wireless network for unfamiliar users. However, networks that provide public access present a thornier issue. Your best bet is to rely upon traditional IDS technology to seek out patterns of malicious activity that require investigation. Additionally, you should watch your networks for the familiar signatures of wireless LAN discovery tools. Joshua Wright has written an excellent white paper on this topic.
Unauthorized access points are a common issue in organizations. All too often, overly ambitious employees decide to plug in a WAP without seeking permission from the MIS organization and unwittingly open up significant security vulnerabilities on the network network perimeter. Fortunately, these rouge WAPs are relatively easy to detect, provided that you're willing to expend a little bit of effort. If your organization uses a single small facility, you can probably simply run a tool like NetStumbler on a single system sitting on your desk and watch for unauthorized access points to appear in your vicinity. Larger facilities and distributed campuses may require a number of sensors strategically placed throughout the organization to provide comprehensive coverage.
Of course, intrusion detection is only one component of a solid security posture. If you're looking for proactive ways to keep intruders off your wireless network, consider implementing the security-conscious 802.11X protocol.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
