Detecting 802.11 Discovery Apps
Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications.
Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic."
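As an added illustration of the MAC/LLC-layer analysis the paper describes (this is not code from the paper or from the submitter), here is a small Python detector over raw 802.11 frames: it flags stations that repeatedly send broadcast (zero-length SSID) Probe Requests, and matches the LLC/SNAP OUI and protocol id of data frames against a fingerprint table. The frame builder, the sample capture and the SNAP fingerprint value are constructed for the demo; a 24-byte header without FCS is assumed.

```python
import struct
from collections import Counter
# Constructed placeholder signature (SNAP OUI, protocol id) -> label; the real per-tool
# values belong to the paper and are not reproduced here.
SNAP_FINGERPRINTS = {(b"\x00\x00\x00", 0x4242): "example-discovery-tool"}

def parse_80211(frame):
    """(type, subtype, transmitter MAC, body); assumes a 24-byte header, no FCS."""
    if len(frame) < 24:
        return None
    fc = frame[0]  # bits 2-3 type, bits 4-7 subtype; addr2 (offset 10) is the transmitter
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, frame[10:16].hex(":"), frame[24:]

def is_broadcast_probe(body):
    """Probe Request whose first IE is a zero-length SSID, i.e. 'any network answer me'."""
    return len(body) >= 2 and body[0] == 0 and body[1] == 0

def snap_fingerprint(body):
    """Match the LLC/SNAP OUI and protocol id of a data-frame payload, else None."""
    if len(body) < 8 or body[:3] != b"\xaa\xaa\x03":
        return None
    return SNAP_FINGERPRINTS.get((body[3:6], struct.unpack(">H", body[6:8])[0]))

def analyze(frames, probe_threshold=3):
    """Return {mac: set of reasons} for stations that behave like discovery tools."""
    probes, alerts = Counter(), {}
    for frame in frames:
        parsed = parse_80211(frame)
        if parsed is None:
            continue
        ftype, subtype, src, body = parsed
        if ftype == 0 and subtype == 4 and is_broadcast_probe(body):
            probes[src] += 1
            if probes[src] >= probe_threshold:
                alerts.setdefault(src, set()).add("repeated broadcast probe requests")
        elif ftype == 2 and snap_fingerprint(body):
            alerts.setdefault(src, set()).add("LLC/SNAP fingerprint: " + snap_fingerprint(body))
    return alerts

def _frame(ftype, subtype, src, body):
    """Constructed frame: FC, duration, addr1, addr2 (= src), addr3, sequence, body."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0])
    return fc + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00" + body

# Constructed capture: scanner sends 3 broadcast probes + a tagged data frame; an ordinary
# client sends one directed probe for "corp" and must not be flagged.
SCANNER, CLIENT = b"\x02\x11\x22\x33\x44\x55", b"\x02\xaa\xbb\xcc\xdd\xee"
SAMPLE_FRAMES = [_frame(0, 4, SCANNER, b"\x00\x00\x01\x01\x02") for _ in range(3)] + [
    _frame(2, 0, SCANNER, b"\xaa\xaa\x03\x00\x00\x00\x42\x42demo payload"),
    _frame(0, 4, CLIENT, b"\x00\x04corp\x01\x01\x02")]
```

Calling `analyze(SAMPLE_FRAMES)` reports only the scanner's MAC, with both the probe-rate and the SNAP-fingerprint reasons.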
Any 802.xx network near a public area is going to be stumbled upon eventually... why not encrypt your traffic rather than spending the time detecting some geek walking by with an 802.xx handheld running out of his bag?
Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Put your wireless network segment behind a firewall which proxies encrypted SSH connections and passes nothing else.