
PCI-DSS section 11.2 requires the business to "Test for the presence of wireless access points and detect unauthorized wireless access points". However, this is more easily said than done. Simply scanning to detect wireless access points (as many suggested here) pulls up over 120 APs, both on adjoining floors of our building and in surrounding buildings - in one case, a department store half a dozen floors down and over a long block away!

The biggest problem with walkarounds is that signal strength is a poor tool for location, and as @AviD pointed out in the other thread, a wireless AP could easily be so small or hidden that detecting it on walkaround is highly unlikely. Are there cheap, readily available antennas to provide good directional cues, a poor man's triangulation?

I know that Wireless IDS solutions like Aruba Networks can deploy sensors to perform triangulation. I have seen very few such solutions actually deployed, and when deployed they require sensitive care and tuning. I'm not eager to see what the false positive rate would look like given the number of APs on floors above and below us. But maybe someone has experience with a product that they felt was worth it?

So, I guess my question is - what are people doing to meet 11.1 that provides some security benefit, as opposed to policy compliance?

(I also find it hard to bite into this problem because it's so pointless. Most cell phones could provide a tethered connection between the corporate network and the outside world and be invisible to wireless scanning. And if it was scanned, it would look just like all the worker bees using their phones, and it can't be jammed legally. But that's not in PCI-DSS, so don't worry about it!)

gowenfawr
  • Have you considered a [cantenna](http://en.wikipedia.org/wiki/Cantenna)? They're great for directional scanning. If you use a really crappy WiFi dongle, you can use it for 802.11 bug scanning, since it'll only pick up the signal if you're nearby and roughly facing it. Grab a tube of Pringles and give it a go. – Polynomial Oct 01 '12 at 14:54
  • It is relatively easy to triangulate APs just using Kismet and a GPS hooked to your laptop. @RoryM has done this way more than me, but I'll post something if he doesn't. – Rory Alsop Oct 01 '12 at 15:20

3 Answers

So, I guess my question is - what are people doing to meet 11.1 that provides some security benefit, as opposed to policy compliance?

Check out section 11.1b as that's the integral part of the test:

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

  • WLAN cards inserted into system components
  • Portable wireless devices connected to system components (for example, by USB, etc.)
  • Wireless devices attached to a network port or network device

None of this relates to finding radio signals. What you should be focusing on is having a regular inventory of computer systems with effective detection of changes in installed hardware. Since almost anything in your PCI-DSS scope is likely to be a hardwired machine that the system/network administrators have administrative access to (and the users don't), this task shouldn't be too rough. If for some reason your machines do have wireless devices that need to be enabled, control and monitor their configuration to stay on your network.

  • Prevent hardware from being activated without administrative privileges
  • Inventory hardware
  • Prevent users from having rights to configure hardware that is there
  • Log hardware configuration changes (installation, driver parameters)

The second part is port control. Ideally, use 802.1X-2010. Log any hardware addresses not recognized and any transfer of an address between different switch ports.

Jeff Ferland
  • From a PCI compliance standpoint, have you had much experience of what QSAs reckon to that approach? I've seen some indication that wired-side work alone might not be considered sufficient (although personally I reckon it's a better approach than wireless-side these days, with personal APs on phones etc. and the profusion of wireless signals in general). – Rory McCune Oct 01 '12 at 18:26
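The wired-side approach in the answer above, worked as an added example: this is not Jeff Ferland's code, and it does not model 802.1X itself. It compares a host hardware inventory against a signed-off baseline and flags new devices whose PCI or USB class (or name) says "wireless", and it walks a time-ordered list of switch MAC-table observations to report unregistered addresses and addresses that moved between access ports. The PCI and USB class codes are the published ones; the inventory format, hosts, device ids, MACs and port names are all constructed for the example.

```python
"""Wired-side rogue-wireless detection (example code, not from the original answer).

  inventory_findings() - devices added since the baseline whose PCI/USB class or
                         name identifies them as wireless
  mac_moves()          - MACs that are unregistered, or that reappeared on another
                         access port, from time-ordered MAC-table observations
Data formats, hosts, ids and MACs below are assumptions made for illustration.
"""

PCI_WIRELESS_CLASSES = {"0280"}  # base class 02 (network), subclass 80 ("other"): typical WLAN NIC
USB_WIRELESS_CLASSES = {"e0"}    # USB base class E0h: wireless controller (e.g. Bluetooth radio)
WIRELESS_WORDS = ("wireless", "wlan", "802.11", "wi-fi", "bluetooth")


def is_wireless(dev):
    """Classify a device record {bus, id, class, name} by class code first, name second."""
    cls = dev["class"].lower()
    if dev["bus"] == "pci" and cls in PCI_WIRELESS_CLASSES:
        return True
    if dev["bus"] == "usb" and cls in USB_WIRELESS_CLASSES:
        return True
    return any(w in dev["name"].lower() for w in WIRELESS_WORDS)


def inventory_findings(baseline, current):
    """Return sorted (host, device name) for wireless devices not present in the baseline.

    Both arguments are {host: [device, ...]}. Devices are matched on (bus, id), the
    bus-level vendor:product pair, so a swapped-in radio with a familiar name is caught.
    """
    findings = []
    for host, devices in current.items():
        known = {(d["bus"], d["id"]) for d in baseline.get(host, [])}
        for d in devices:
            if (d["bus"], d["id"]) not in known and is_wireless(d):
                findings.append((host, d["name"]))
    return sorted(findings)


def mac_moves(observations, known_macs, uplink_ports=()):
    """observations: oldest-first (switch, port, mac). Returns (unknown, moved).

    unknown: MACs never registered. moved: (mac, old_port, new_port) whenever a MAC
    reappears on a different access port. Uplink ports are skipped because every
    MAC legitimately shows up on them.
    """
    known = {m.lower() for m in known_macs}
    last_port, unknown, moved = {}, set(), []
    for switch, port, mac in observations:
        loc = f"{switch}:{port}"
        if loc in uplink_ports:
            continue
        mac = mac.lower()
        if mac not in known:
            unknown.add(mac)
        prev = last_port.get(mac)
        if prev is not None and prev != loc:
            moved.append((mac, prev, loc))
        last_port[mac] = loc
    return sorted(unknown), moved


# Constructed sample data: ids are fake vendor:product pairs, MACs and ports are made up.
BASELINE = {
    "pos-01": [{"bus": "pci", "id": "1234:0001", "class": "0200", "name": "Onboard Ethernet"}],
    "db-01": [{"bus": "pci", "id": "1234:0001", "class": "0200", "name": "Onboard Ethernet"}],
}
CURRENT_INVENTORY = {
    "pos-01": BASELINE["pos-01"] + [
        {"bus": "usb", "id": "abcd:0002", "class": "e0", "name": "USB dongle"}],        # class says radio
    "db-01": BASELINE["db-01"] + [
        {"bus": "pci", "id": "abcd:0003", "class": "0280", "name": "Mini PCIe card"},   # class says WLAN
        {"bus": "usb", "id": "abcd:0004", "class": "08", "name": "USB flash drive"}],   # storage, ignored
}
KNOWN_MACS = {"00:11:22:33:44:01"}
UPLINKS = {"sw1:Gi1/0/24"}
OBSERVATIONS = [
    ("sw1", "Gi1/0/3", "00:11:22:33:44:01"),
    ("sw1", "Gi1/0/24", "00:11:22:33:44:01"),  # seen on the uplink: normal, skipped
    ("sw1", "Gi1/0/7", "DE:AD:BE:EF:00:01"),   # never registered
    ("sw1", "Gi1/0/9", "00:11:22:33:44:01"),   # registered MAC on a new access port
]

if __name__ == "__main__":
    for host, name in inventory_findings(BASELINE, CURRENT_INVENTORY):
        print(f"new wireless device on {host}: {name}")
    unknown, moved = mac_moves(OBSERVATIONS, KNOWN_MACS, UPLINKS)
    print("unregistered MACs:", unknown)
    print("access-port moves:", moved)
```

Matching on the bus-level vendor:product id rather than the friendly name is deliberate: a generic "USB dongle" is still flagged by its class code, and a storage device with a new id is not.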

I'd start my answer as with any on PCI compliance, which is: do check what your QSA requires. I've seen a couple of different reasonings around the wireless side of things, and they're the guys who sign off on compliance...

That said I do a fair bit of wireless reviewing and for locating APs what I usually find is that directional antennas aren't always the best solution. If you are going to go the wireless side scanning approach (as opposed to WIDS or wired side scanning) then just using a relatively low powered wireless card (that supports 2.4GHz and 5GHz ranges) in a laptop that will support monitor mode + either airodump-ng or kismet should work relatively well.

As a basic methodology, walk the site with the card on and look at all the signals. If you've covered the whole site and the strongest signal you get is really weak, it's unlikely that the AP is located on your site (side-note: I know that it's possible that someone's hidden a deliberately low-powered AP somewhere on a site, but unless your threat model makes that a likely risk, personally I wouldn't worry too much about it).

As an addition to this, another thing to do is a review from outside the site as well, looking at signal strengths there. If it's much stronger outside than inside, that's another indicator that it's likely not to be located within your site.

Then once you've got the list of APs, discard the ones you know you've got, and if you have any unknowns left, use airodump-ng or kismet (personally I prefer airodump-ng for this) with the scanner locked to the channel and BSSID of the AP you're looking for. Then walk the building till you get the strongest possible signal. Usually at this point, if you can get a strong signal, you'll be close enough to the AP that you'll be able to see it (or ask someone if anyone has an AP running, e.g. personal Access Point devices). The key is locking onto the channel so that the scanner isn't jumping around a lot; it makes tracking APs much easier.

Rory McCune
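The triage step of the methodology above, as an added example (not Rory McCune's code, and not part of airodump-ng or kismet): it parses the access-point section of two airodump-ng style CSV captures, one from the inside walk and one from outside the building, keeps the strongest reading per BSSID, drops the APs you know you've got, and sorts the rest into "weak everywhere", "likely off-site" (much stronger outside than inside), and "locate", for which it prints the channel-locked airodump-ng command to walk with. The CSV header is the one airodump-ng writes; every data row is constructed, and the RSSI thresholds, the allowlist and the wlan0mon interface name are assumptions.

```python
"""Wireless-side triage of a walk-around scan (example code, not from the original answer).

Reads the AP section of an airodump-ng style CSV (header as airodump-ng writes it;
rows below are constructed). Power is RSSI in dBm; airodump-ng writes -1 when unknown.
Buckets: weak (never above WEAK_DBM on site), likely_offsite (outside reading beats
inside by >= MARGIN_DB), locate (worth a channel-locked walk).
"""
import csv
import io

WEAK_DBM = -80   # assumed threshold: anything weaker than this everywhere on site
MARGIN_DB = 10   # assumed threshold for "much stronger outside than inside"


def parse_ap_rows(text):
    """Yield {bssid, channel, essid, power} per AP row; stop at the 'Station MAC' section."""
    header = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue
        first = row[0].strip()
        if first.startswith("Station MAC"):
            break
        if first == "BSSID":
            header = [c.strip() for c in row]
            continue
        if header is None:
            continue
        rec = dict(zip(header, (c.strip() for c in row)))
        try:
            power, channel = int(rec["Power"]), int(rec["channel"])
        except (KeyError, ValueError):
            continue
        if power == -1:          # no usable RSSI for this AP
            continue
        yield {"bssid": rec["BSSID"].lower(), "channel": channel,
               "essid": rec.get("ESSID", ""), "power": power}


def strongest_per_bssid(rows):
    best = {}
    for r in rows:
        if r["bssid"] not in best or r["power"] > best[r["bssid"]]["power"]:
            best[r["bssid"]] = r
    return best


def lock_command(ap, iface="wlan0mon"):
    """airodump-ng locked to one channel and one BSSID; the interface name is an assumption."""
    return f"airodump-ng -c {ap['channel']} --bssid {ap['bssid']} {iface}"


def triage(inside_csv, outside_csv, managed_bssids):
    """Return {bssid: (verdict, lock command or None)} for every non-managed AP heard inside."""
    inside = strongest_per_bssid(parse_ap_rows(inside_csv))
    outside = strongest_per_bssid(parse_ap_rows(outside_csv))
    managed = {b.lower() for b in managed_bssids}
    verdicts = {}
    for bssid, ap in inside.items():
        if bssid in managed:
            continue
        out = outside.get(bssid)
        if ap["power"] < WEAK_DBM:
            verdicts[bssid] = ("weak", None)
        elif out is not None and out["power"] - ap["power"] >= MARGIN_DB:
            verdicts[bssid] = ("likely_offsite", None)
        else:
            verdicts[bssid] = ("locate", lock_command(ap))
    return verdicts


HEADER = ("BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
          "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\n")
# Constructed captures: the managed AP, a strong unknown, a weak unknown, one stronger
# outside, and one with no RSSI. Timestamps, BSSIDs and ESSIDs are made up.
INSIDE_CSV = HEADER + """\
00:11:22:33:44:01, 2012-10-01 14:00:00, 2012-10-01 14:10:00,  6, 54, WPA2, CCMP, PSK, -48, 300, 0,   0.  0.  0.  0, 8, CorpWiFi, 
AA:BB:CC:DD:EE:01, 2012-10-01 14:00:00, 2012-10-01 14:10:00, 11, 54, WPA2, CCMP, PSK, -42, 280, 0,   0.  0.  0.  0, 7, linksys, 
AA:BB:CC:DD:EE:02, 2012-10-01 14:00:00, 2012-10-01 14:10:00,  1, 54, WPA,  TKIP, PSK, -85,  20, 0,   0.  0.  0.  0, 9, DeptStore, 
AA:BB:CC:DD:EE:03, 2012-10-01 14:00:00, 2012-10-01 14:10:00, 36, 54, WPA2, CCMP, PSK, -66,  90, 0,   0.  0.  0.  0, 7, Floor12, 
AA:BB:CC:DD:EE:04, 2012-10-01 14:00:00, 2012-10-01 14:10:00,  6, 54, OPN,  ,  , -1,   5, 0,   0.  0.  0.  0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""
OUTSIDE_CSV = HEADER + """\
AA:BB:CC:DD:EE:01, 2012-10-01 14:20:00, 2012-10-01 14:25:00, 11, 54, WPA2, CCMP, PSK, -70,  60, 0,   0.  0.  0.  0, 7, linksys, 
AA:BB:CC:DD:EE:02, 2012-10-01 14:20:00, 2012-10-01 14:25:00,  1, 54, WPA,  TKIP, PSK, -60,  80, 0,   0.  0.  0.  0, 9, DeptStore, 
AA:BB:CC:DD:EE:03, 2012-10-01 14:20:00, 2012-10-01 14:25:00, 36, 54, WPA2, CCMP, PSK, -50, 120, 0,   0.  0.  0.  0, 7, Floor12, 
"""
MANAGED_BSSIDS = {"00:11:22:33:44:01"}

if __name__ == "__main__":
    for bssid, (verdict, cmd) in sorted(triage(INSIDE_CSV, OUTSIDE_CSV, MANAGED_BSSIDS).items()):
        print(bssid, verdict, cmd or "")
```

The "weak" test is applied before the inside/outside comparison, so an AP that is faint on site is not promoted to "locate" just because it was never heard outside; only the remaining unknowns get a lock command.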

The latest Aruba Networks IAP line of wireless access points offer IDS which can scan, detect and deter unauthorized wireless access points. We recently caught one inappropriately connected to our LAN at one of our remote sites.

Lee