Most security administrators are familiar with the capabilities of modern intrusion-detection systems and the benefits of incorporating this technology into their network security infrastructure. The proliferation of

Requires Free Membership to View

wireless networking introduces new challenges in intrusion detection.

Hackers have taken the old practice of war dialing to the next level with the use of war driving attacks. These simple attacks are passive in nature. The perpetrator simply drives up and down city streets with a wireless-enabled laptop looking for active network signals. This can be done with tools like NetStumbler (which is even available in a PocketPC edition) or with the built-in capability of Windows XP to search out Wireless Access Points (WAPs).

What's an intrusion-detection conscious network administrator to do? Actually, the best starting point is to implement a solid base of traditional intrusion-detection systems designed to detect malicious activity on your network. Chances are that hackers sneaking in through your wireless network will attempt to perform the same malicious activities that they would when sneaking in through a wired network. Once you have that in place, you may wish to consider implementing special measures to deal with two common concerns: unauthorized wireless clients and unauthorized wireless access points.

The issue of detecting unauthorized clients can be somewhat tricky. If you have a finite number of authorized clients, you can simply monitor the wireless network for unfamiliar users. However, networks that provide public access present a thornier issue. Your best bet is to rely upon traditional IDS technology to seek out patterns of malicious activity that require investigation. Additionally, you should watch your networks for the familiar signatures of wireless LAN discovery tools. Joshua Wright has written an excellent white paper on this topic.

Unauthorized access points are a common issue in organizations. All too often, overly ambitious employees decide to plug in a WAP without seeking permission from the MIS organization and unwittingly open up significant security vulnerabilities on the network network perimeter. Fortunately, these rouge WAPs are relatively easy to detect, provided that you're willing to expend a little bit of effort. If your organization uses a single small facility, you can probably simply run a tool like NetStumbler on a single system sitting on your desk and watch for unauthorized access points to appear in your vicinity. Larger facilities and distributed campuses may require a number of sensors strategically placed throughout the organization to provide comprehensive coverage.

Of course, intrusion detection is only one component of a solid security posture. If you're looking for proactive ways to keep intruders off your wireless network, consider implementing the security-conscious 802.11X protocol.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.


This was first published in November 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.