Wireless LAN Tools Part 4: Monitoring and Reporting (continued)
WLAN surveillance
WLAN analyzers can also detect attempted attacks. As discussed in Part 3, analyzers can be used to sample traffic at regular intervals or for stand-alone monitoring of smaller networks. Wireless Intrusion Detection Systems (WIDS) are more often used in larger networks that require 24/7 distributed monitoring with central supervision. Because stand-alone monitoring with analyzers and distributed monitoring with a WIDS have much in common under the covers, several vendors sell both WLAN analyzers and WIDS products.
Whether you monitor your WLAN with an analyzer, a WIDS, or both, it's important
to understand the kinds of attacks that can be detected, how you'll be notified
when suspicious events occur, the information available to assist with your
investigation, and the steps you can take to respond to the incident.
Detection: The alerts that WLAN analyzers can generate vary quite a bit. Most can alert you to rogue APs and stations and to deviations from common best practices. Commercial products tend to include more policy enforcement alerts, at more granular levels. They also do a better job of keeping up with new WLAN attack signatures, such as denial-of-service (DoS) attacks (e.g., 802.11/802.1X floods, RF jamming, forged logoff or deauthenticate messages), attempted break-ins (e.g., password guessing, forged MAC addresses), and attacks against wireless stations (e.g., soft or faked APs, direct traffic between wireless stations, ARP spoofing).
Notification: Depending on the analyzer, alerts may be displayed on a console, written to a logfile or database, and/or forwarded to an upstream management system (e.g., an SNMP manager or WIDS server). To attract your attention, the analyzer may flash, make noise, send e-mail, call your pager, or invoke a user-defined program; the pair of Baseband LinkFerret alarm configuration panels shown here is one example. To avoid being flooded with e-mail or pages, apply these actions sparingly based on priority and set thresholds where available.
Response: Alerts should be accompanied by enough information that you can take corrective action to stop the attack or eliminate the vulnerability that was exploited, preferably both. Although presentation styles vary, look for features that help you navigate to related data, such as the traffic history associated with the affected AP or station. For example, clicking on an AirMagnet alert provides a detailed description of both the alert and its subject.
Some commercial WLAN analyzers can provide expert analysis of the attack and advice on how to deal with it. For example, AiroPeek NX's Expert Problem Finder describes the potential consequences and recommended actions for each reported problem.
During incident investigation, intrusion detection systems and analyzers play different roles. Use a WIDS for tasks that require breadth, for example correlating alerts from several sensors to pinpoint an attacker's approximate location, or looking back weeks to find related incidents. Use analyzers for tasks that require depth, for example launching a capture to watch an attacker's activities and gather evidence. Many analyzers can filter on very specific protocol fields, as shown in this Ethereal example. Some analyzers can automatically generate complex filter expressions to watch the subject of an alert.
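To make the detection, notification and response points above concrete, here is an added example that is not from the original article or from any of the products it names. It walks a constructed list of decoded 802.11 management frames (the kind of per-frame record an analyzer shows), raises a deauthentication-flood alert when a threshold number of deauth frames carrying one BSSID arrive within a sliding time window, raises a rogue-AP alert for beacons from a BSSID that is not on an authorized list (including one that spoofs the corporate SSID), applies a hold-down so a single incident does not produce a stream of notifications, and emits a Wireshark (formerly Ethereal) display filter that isolates the alert's subject for a follow-up capture. The BSSIDs, SSID, thresholds and frame records are all made up for the example.

```python
from collections import defaultdict, deque

# Hypothetical list of sanctioned APs; a real deployment would load this from inventory.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


def _deauth(ts, bssid, sta):
    """Build one decoded deauthentication frame record (constructed, not captured)."""
    return {"ts": ts, "subtype": "deauth", "src": bssid, "dst": sta, "bssid": bssid}


# Constructed sample of decoded 802.11 management frames, in arrival order.
FRAMES = (
    # Normal beacon from an authorized AP.
    [{"ts": 0.0, "subtype": "beacon", "src": "00:11:22:33:44:01",
      "dst": "ff:ff:ff:ff:ff:ff", "bssid": "00:11:22:33:44:01", "ssid": "corp"}]
    # A single deauth is legitimate (a station roaming away); it must not alert.
    + [_deauth(0.5, "00:11:22:33:44:02", "00:aa:bb:cc:dd:10")]
    # Forged deauth flood: 30 frames in 0.3 s with the AP's address spoofed as source.
    + [_deauth(1.0 + i * 0.01, "00:11:22:33:44:01", "00:aa:bb:cc:dd:11") for i in range(30)]
    # Rogue AP advertising the corporate SSID from an unauthorized BSSID.
    + [{"ts": 2.0, "subtype": "beacon", "src": "02:de:ad:be:ef:01",
        "dst": "ff:ff:ff:ff:ff:ff", "bssid": "02:de:ad:be:ef:01", "ssid": "corp"}]
)


def detect(frames, authorized=AUTHORIZED_BSSIDS, threshold=20, window=1.0, holddown=60.0):
    """Return a list of alert dicts.

    threshold/window: deauth frames per BSSID within `window` seconds that count as a flood.
    holddown: seconds during which the same (kind, subject) is reported only once,
              so one attack does not turn into dozens of e-mails or pages.
    """
    alerts = []
    recent = defaultdict(deque)   # bssid -> timestamps of deauth frames inside the window
    last_alert = {}               # (kind, subject) -> ts of the last alert actually raised

    def raise_alert(kind, subject, ts, **detail):
        key = (kind, subject)
        if key in last_alert and ts - last_alert[key] < holddown:
            return  # suppressed: still inside the hold-down for this subject
        last_alert[key] = ts
        alerts.append({"kind": kind, "subject": subject, "ts": ts, **detail})

    for f in frames:
        if f["subtype"] == "beacon" and f["bssid"] not in authorized:
            raise_alert("rogue_ap", f["bssid"], f["ts"], ssid=f.get("ssid"))
        elif f["subtype"] == "deauth":
            q = recent[f["bssid"]]
            q.append(f["ts"])
            while f["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                raise_alert("deauth_flood", f["bssid"], f["ts"],
                            count=len(q), target=f["dst"])
    return alerts


def display_filter(alert):
    """Wireshark/Ethereal display filter that isolates the alert's subject.

    Management frame type/subtype 0x0c is deauthentication.
    """
    if alert["kind"] == "deauth_flood":
        return f'wlan.fc.type_subtype == 0x0c && wlan.bssid == {alert["subject"]}'
    return f'wlan.bssid == {alert["subject"]}'


if __name__ == "__main__":
    for a in detect(FRAMES):
        print(a)
        print("  capture filter:", display_filter(a))
```

With the defaults, the flood is reported once, at the 20th forged frame, and the rogue beacon once; lowering `holddown` to 0 shows why the hold-down matters, because every further frame in the flood then produces its own alert.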