06-22-2005   #7
renderman
Drunken Stumbler
Join Date: Jun 2002
Location: Anywhere but Utah
Posts: 1,802
Quote:
Originally Posted by joswr1ght
Right, and not to mention possibly a violation of Part 15 FCC rules. See http://www.nwc.com/showArticle.jhtml...4302965&pgno=9 for additional background.
I'm in Canada so it's Industry Canada that sets those regs, but yeah, they are fairly close in wording and intent.

Quote:
At Shmoocon, Laurent Butti and Franck Veysset presented on a WLAN IDS system they put together that, IMHO, rivaled some of the commercial offerings.
I was there watching that and was very impressed. It was freaking hilarious to find out that when they were demonstrating the disassoc attack being detected by running void11, the goons' AirMagnet gear went apeshit and they ran in thinking someone was DoS'ing the WLAN and they wanted to make an example, only to find it was the speakers.

Quote:
I believe their technique to identify a rogue network as connected to the "protected" network is to connect to the AP and attempt to ping a fixed internal address known to exist on the wired network. If they get a response, they know the rogue AP is connected to their network, and have no worries about DoS'ing it.
A fair bit of infrastructure required to keep everything in sync. I was playing with Void11 trying to create an 'enforcer' for a client who had problems with employees not using allowed hosts on the network (read: personal machines not vetted against the security policy). It's a simple office LAN, so just basic switches, firewall, etc. I was going to have Void11 sitting on top of the AP like g8t with his big barb wire covered bat, clobbering anyone using an unauthorised device. Problem was that it was in an office building and the chances of screwing with someone else's network was too big a risk.

To do a session containment setup like Laurent Butti and Franck Veysset had required a fair bit of back end that doesn't scale to SMB networks very well (which is the market I service). Frankly the SMB market could use a decent IDS/Enforcer product to cover their butts because they don't have the time/manpower to watch logs.

Quote:
Other vendors will monitor and build tables of known MAC addresses. By monitoring the wired interface of the WLAN IDS sensor as well as any other internal sources of MAC address (router ARP tables, switch CAM tables, NetDisco, whatever), a WLAN IDS system can populate a list of known-internal MAC addresses for the protected network. When a new rogue is discovered, some vendors categorize it as "unknown" until they observe a MAC address on the rogue network that matches the list of observed internal MAC addresses. Then, they can DoS the AP knowing that it is connected to their network and not a nearby "friendly".
Fair idea. Again, 'must be this tall to enter'. The trick now becomes, how do you stop your client machines from drifting and connecting to non-company APs (not maliciously set up ones, but neighbours')?

An attacker might just penetrate the 'linksys' neighbour and wait for someone to drift over to that net from your WLAN and do god-knows-what (client FWs and other things should be installed, but you know what I mean).


Quote:
Something I left out of the paper - if I can determine the policy that causes the session containment features to kick-in, I can spoof a legitimate station's MAC address to have the WLAN IDS system deauth legitimate client stations. Handy!
Already crossed my mind. Spoofing client MACs and tripping the sensors could cause enough 'false positives' to convince IT to disable the session containment. Once again, tuning is essential.


Quote:
Further, if I can tie-up your WLAN IDS and keep it busy attempting to contain legitimate stations on a different channel, chances are pretty good that I can attack other nodes on the network without fear of being detected. Even better!
Hide among the shitstorm. I like it.

Quote:
When I finish the paper on evading WLAN IDS systems, I'll post a copy here.
Look forward to it.
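The rogue-AP classification the quoted post describes (build a list of known-internal MACs from wired sources, mark a new AP "unknown" until a matching MAC shows up on it) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the thread, from Laurent Butti and Franck Veysset's system, or from any vendor. It assumes a wired-side sensor that yields ARP-table-style lines, a separately maintained list of the company's own wireless client MACs, and a `min_evidence` tuning knob; all MACs, BSSIDs and hostnames below are constructed sample data. It also goes one step beyond the quoted text to address the two objections raised in the reply: a company laptop that drifts onto a neighbour's AP is reported separately rather than counted as proof that the AP is on the wire (only MACs of wired hosts, as seen bridged through the AP, count), and a single matching MAC is not enough to reach a "connected" verdict, so one spoofed address does not by itself trip the containment policy.

```python
"""Classify newly seen APs as unknown / connected-internal from observed MACs.

Added example for this thread; not the forum's, the speakers', or any vendor's code.
Sample inputs are constructed, hypothetical values.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: ARP-table-style lines collected on the wired side (hypothetical hosts).
WIRED_ARP_SAMPLE = """\
? (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
fileserver (10.0.0.10) at 00:11:22:33:44:10 [ether] on eth0
printer (10.0.0.20) at 00:11:22:33:44:20 [ether] on eth0
"""

# Constructed sample: MACs of the company's own wireless laptops (hypothetical).
KNOWN_WIRELESS_CLIENTS = {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"}

# Constructed sample: (bssid, source MAC) pairs reported by the wireless sensor.
OBSERVED_FRAMES = [
    ("02:de:ad:be:ef:01", "00:aa:bb:cc:dd:01"),  # company laptop drifted to a neighbour's AP
    ("02:de:ad:be:ef:02", "00:11:22:33:44:10"),  # fileserver traffic bridged out by a rogue AP
    ("02:de:ad:be:ef:02", "00:11:22:33:44:20"),  # printer traffic bridged out by the same AP
    ("02:de:ad:be:ef:03", "00:99:99:99:99:99"),  # unrelated device on an unrelated AP
]

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


def parse_internal_macs(arp_text):
    """Pull every MAC out of ARP-table-style text, normalised to lowercase."""
    return {m.group(1).lower() for m in MAC_RE.finditer(arp_text)}


@dataclass
class RogueTracker:
    wired_macs: set              # MACs of hosts known to live on the wired network
    wireless_clients: set        # MACs of the company's own wireless stations
    min_evidence: int = 2        # assumption: distinct wired MACs needed before "connected"
    wired_evidence: dict = field(default_factory=dict)   # bssid -> wired MACs seen through it
    drifted_clients: dict = field(default_factory=dict)  # bssid -> own clients seen on it
    seen: set = field(default_factory=set)

    def observe(self, bssid, src_mac):
        """Record one frame's source MAC against the BSSID it was seen on."""
        bssid, src_mac = bssid.lower(), src_mac.lower()
        self.seen.add(bssid)
        if src_mac in self.wired_macs:
            # A wired host's MAC appearing behind this AP means the AP bridges to our wire.
            self.wired_evidence.setdefault(bssid, set()).add(src_mac)
        elif src_mac in self.wireless_clients:
            # One of our own laptops associated here: a drift, not proof the AP is on our wire.
            self.drifted_clients.setdefault(bssid, set()).add(src_mac)

    def classify(self, bssid):
        bssid = bssid.lower()
        if bssid not in self.seen:
            return "unseen"
        if len(self.wired_evidence.get(bssid, ())) >= self.min_evidence:
            return "connected-internal"
        if self.drifted_clients.get(bssid):
            return "unknown-with-drifted-client"
        return "unknown"


def run(frames=OBSERVED_FRAMES):
    """Feed the constructed frames through the tracker and return verdicts per BSSID."""
    tracker = RogueTracker(parse_internal_macs(WIRED_ARP_SAMPLE), set(KNOWN_WIRELESS_CLIENTS))
    for bssid, src in frames:
        tracker.observe(bssid, src)
    return {b: tracker.classify(b) for b in sorted(tracker.seen)}


if __name__ == "__main__":
    for bssid, verdict in run().items():
        print(bssid, verdict)
```

Only the "connected-internal" verdict would ever be handed to a containment policy; the drifted-client verdict is the case that calls for a word with the user rather than a deauth, and raising `min_evidence` is the tuning the reply says is essential when spoofed client MACs start producing false positives.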