Old 07-23-2008   #4 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,824
Quote:
Originally Posted by faq
To comply with PCI DSS 11.1, can I use a wired network scanning tool instead of a wireless
analyzer?
No. To comply with 11.1, a company must mitigate the risk of unauthorized or rogue wireless
devices. This is most often achieved by the use of a wireless analyzer. Scanning the wired network
for wireless devices may identify some unauthorized wireless devices but may not identify other
important wireless attack vectors. The first omission of wired network scanning is that it may miss
cleverly hidden and disguised rogue wireless devices that are connected to isolated network segments.
Another omission of wired scanning is that it cannot detect rogue wireless clients. A rogue wireless
client is any device that has a wireless interface that is not intended to be present in the environment.
Although insufficient on their own, wired analysis tools can be very valuable when used in
conjunction with wireless analyzers to improve the quality of the scan results.
Oh here's why they're doing it. It's right there in the FAQ

Quote:
Originally Posted by http://www.aegenis.com/whitepaper/PCI%20DSS%20Wireless%20Security%20FAQ.pdf
To comply with PCI DSS 11.1, may I have technical staff members physically walk through each of
my sites with a wireless analyzer instead of automating the process?
Yes. Although this method is technically possible it is often times operationally tedious, error prone,
and costly. Companies can use freely available tools such as NetStumbler or Kismet as wireless
analyzers. Using one of these tools, a technician or auditor can physically visit each site and obtain a
list of the wireless devices nearby. The technician is then required to manually investigate each
device to determine if it allows access to CDE.
__________________
┌──────────────────────────────┐
NS Icons Explained|et hoc genus omne
└──────────────────────────────┘

Last edited by beakmyn : 07-23-2008 at 06:20 AM.
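An added example, not part of the post or the quoted FAQ: one way to triage the device list a walk-through scan produces, checking it against an approved inventory and against MAC addresses seen on the wired side, as the FAQ suggests when it recommends using both together. The record layout, all MAC addresses and the adjacent-MAC heuristic are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not real devices).
AUTHORIZED_APS = {"00:11:22:33:44:10"}        # approved BSSIDs for this site
AUTHORIZED_CLIENTS = {"00:11:22:aa:bb:01"}    # approved wireless client MACs
WIRED_MACS = {"00:11:22:33:44:0f", "66:77:88:99:aa:bb"}  # seen on switch ports

@dataclass
class Observation:
    kind: str       # "ap" or "client"
    mac: str        # BSSID for an AP, station MAC for a client
    ssid: str = ""

# Constructed scan result, as a technician might export it after a site visit.
SCAN = [
    Observation("ap", "00:11:22:33:44:10", "corp"),
    Observation("ap", "66:77:88:99:AA:BC", "linksys"),
    Observation("ap", "de:ad:be:ef:00:01", "cafe-next-door"),
    Observation("client", "00:11:22:aa:bb:01"),
    Observation("client", "02:00:00:12:34:56"),
]

def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def on_wire(bssid: str, wired: set, window: int = 2) -> bool:
    """Assumed heuristic: an AP's wired-port MAC often sits within a few
    addresses of its BSSID, so a near match suggests it is plugged in."""
    b = mac_int(bssid)
    return any(abs(b - mac_int(w)) <= window for w in wired)

def triage(scan, aps, clients, wired) -> dict:
    """Label every observed device; nothing unknown is silently dropped."""
    labels = {}
    for o in scan:
        mac = o.mac.lower()
        if o.kind == "ap":
            if mac in aps:
                labels[mac] = "authorized"
            elif on_wire(mac, wired):
                labels[mac] = "rogue-ap-on-wire"        # highest priority
            else:
                labels[mac] = "unknown-ap-investigate"  # may be a neighbour
        else:
            labels[mac] = ("authorized" if mac in clients
                           else "unknown-client-investigate")
    return labels

if __name__ == "__main__":
    for mac, label in triage(SCAN, AUTHORIZED_APS, AUTHORIZED_CLIENTS, WIRED_MACS).items():
        print(f"{mac}  {label}")
```

An AP with no wired-side match still needs the manual check the FAQ describes, since a device on an isolated segment would not appear in the wired list.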