This is an interesting one.
More and more merchants are looking at the rogue AP detection requirements of the PCI DSS from a technical-solution angle. Makes sense, right? Why pay a consultant each quarter to do a rogue AP sweep when you can implement a Wireless Intrusion Prevention System (WIPS) like Motorola AirDefense or AirTight and realize an ROI within half a year? Plus you get all of the cool add-ons like countermeasures, 802.11x port blocking, et al. Makes sense, right?
One of the approaches that has been coming up a lot is to address rogue AP exclusion using Network Access Control (NAC). The PCI SSC specifically addresses NAC as NOT BEING SUITABLE for rogue AP detection. The reason given is that it doesn’t allow the detection of laptops put into AP mode.
Now I understand that the only real way to detect a laptop that’s been put into AP mode is by sniffing the air. But here is the question – one of the key features that makes WIPS attractive for addressing requirement 11.1 is that they can cross-match what’s on the wire with what’s in the air. Theoretically (and, more importantly, enough to satisfy most auditors) you can conclusively determine that a MAC address you have seen on the air IS connected to your network IF that MAC shows up in your switches’ ARP tables. THEREFORE, if a MAC shows up on the air and ISN’T in the ARP tables, it’s highly unlikely that it’s a rogue AP that you have to worry about.
Right?
But hang on a second… A laptop that has been put into AP or peer-to-peer mode has two MAC addresses – one for the wireless card and another for the wired Ethernet adapter connecting it to the LAN.
So what happens here?
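To make the gap concrete, here is an added example (not code from the post or from any WIPS vendor) that does the air-to-wire cross-match described above and shows where a laptop in AP mode falls through. The switch MAC table dump, the over-the-air scan records and the authorized BSSID list are all constructed sample data; the "adjacent MAC" heuristic is an assumption included only to show that even a fuzzier match does not help when the wireless and wired adapters carry unrelated addresses.

```python
"""Cross-match BSSIDs seen on the air with a switch MAC address table.

Added illustration, not vendor code. All sample data below is constructed.
"""
import re

# Constructed: BSSIDs of the corporate APs (the WIPS allowlist).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}

# Constructed: what a Cisco-style "show mac address-table" dump might look like.
WIRED_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  20    aabb.ccdd.ee01    DYNAMIC     Gi1/0/7
  20    aabb.ccdd.ee10    DYNAMIC     Gi1/0/8
  30    00e0.4c12.3456    DYNAMIC     Gi1/0/12
"""

# Constructed: what a wireless sensor reports. Note the laptop case: its radio
# MAC is the BSSID, while its wired NIC (00e0.4c12.3456, a different vendor
# prefix) is the address that actually sits in the switch table.
AIR_SCAN = [
    {"bssid": "00:11:22:33:44:55", "ssid": "CORP"},          # corporate AP
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "linksys"},       # consumer AP, radio MAC == wired MAC
    {"bssid": "aa:bb:cc:dd:ee:11", "ssid": "netgear"},       # consumer AP, radio MAC = wired MAC + 1
    {"bssid": "5c:e0:c5:aa:bb:cc", "ssid": "laptop-share"},  # employee laptop in AP mode
    {"bssid": "d8:50:e6:00:00:01", "ssid": "neighbor"},      # AP in the building next door
]

# Assumption for the heuristic: on many APs the radio MAC and the wired MAC
# share the OUI and differ only in the low bits of the NIC-specific part.
ADJACENT_RANGE = 4


def norm(mac):
    """Normalise any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[:.\-]", "", mac).lower()


def parse_mac_table(text):
    """Extract wired MACs (12 hex digits) from dotted-quad switch output lines."""
    macs = set()
    for line in text.splitlines():
        m = re.search(r"\b([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})\b", line, re.I)
        if m:
            macs.add("".join(m.groups()).lower())
    return macs


def near_wired(bssid_hex, wired):
    """Heuristic (assumption): same OUI and NIC part within ADJACENT_RANGE."""
    oui, nic = bssid_hex[:6], int(bssid_hex[6:], 16)
    for w in wired:
        if w[:6] == oui and abs(int(w[6:], 16) - nic) <= ADJACENT_RANGE:
            return w
    return None


def classify(air_scan, wired_text, authorized):
    """Map each observed BSSID to a status based only on the wired-side evidence.

    'unresolved' deliberately does NOT mean 'safe': both the neighbour's AP and
    the laptop in AP mode land there, and the wire check cannot tell them apart.
    """
    wired = parse_mac_table(wired_text)
    auth = {norm(b) for b in authorized}
    result = {}
    for rec in air_scan:
        b = norm(rec["bssid"])
        if b in auth:
            status = "authorized"
        elif b in wired:
            status = "rogue_on_wire"
        elif near_wired(b, wired):
            status = "likely_on_wire"
        else:
            status = "unresolved"
        result[rec["bssid"]] = status
    return result


if __name__ == "__main__":
    for bssid, status in classify(AIR_SCAN, WIRED_MAC_TABLE, AUTHORIZED_BSSIDS).items():
        print(f"{bssid}  {status}")
```

The two consumer APs are caught because their radio MAC either equals, or is adjacent to, the MAC the switch learned. The laptop's wired NIC is in the table too, but nothing in the MAC addresses links it to the BSSID the sensor saw, so it is classified exactly like the neighbour's AP. That is why a wire-only correlation can only downgrade an "unresolved" BSSID to "not connected" with an additional air-side check (for example, watching for traffic relayed between the radio and the wired segment), not on absence from the MAC table alone.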
