NIST’s Draft SP 800-153 provides continuous monitoring recommendations for wireless networks. The recommendations in the draft, Guidelines for Securing Wireless Local Area Networks (WLANs), include implementing continuous monitoring tools that can detect all of the following:
— Unauthorized WLAN devices, including rogue APs and unauthorized client devices
— WLAN devices that are misconfigured or using weak WLAN protocols and protocol implementations
— Unusual WLAN usage patterns, such as extremely high numbers of client devices using a particular AP, abnormally high volumes of WLAN traffic involving a particular client device, or many failed attempts to join the WLAN in a short period of time
— The use of active WLAN scanners (e.g., war driving tools) that generate WLAN traffic. The use of passive sensors cannot be detected through monitoring controls.
— DoS attacks and conditions (e.g., network interference). Many denial of service attacks are detected by counting events during periods of time and alerting when threshold values are exceeded. For example, a large number of events involving the termination of WLAN sessions can indicate a DoS attack.
— Impersonation and man-in-the-middle attacks. For example, some WIDPS sensors can detect when a device is attempting to spoof the identity of another device.
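The counting approach described in the DoS item, which also fits the "many failed attempts to join the WLAN in a short period of time" pattern, is shown here as an added example; it is not code from SP 800-153 or from the original post. It keeps a sliding-window count per AP over constructed events, and the event names, window length, thresholds and MAC addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed values for illustration; SP 800-153 does not prescribe thresholds.
WINDOW_SECONDS = 10
THRESHOLDS = {"deauth": 5, "auth_fail": 4}  # alert when the count exceeds these

# Constructed sample events: (timestamp_seconds, event_type, bssid, client_mac)
SAMPLE_EVENTS = (
    # Burst: 8 session terminations on AP ...:01 within 3.5 seconds
    [(20.0 + 0.5 * i, "deauth", "02:00:00:00:00:01", "02:00:00:00:10:%02x" % i)
     for i in range(8)]
    # Normal churn: 3 terminations on AP ...:02 spread across a minute
    + [(t, "deauth", "02:00:00:00:00:02", "02:00:00:00:20:01")
       for t in (5.0, 30.0, 55.0)]
    # 5 failed join attempts on AP ...:02 within 4 seconds
    + [(40.0 + i, "auth_fail", "02:00:00:00:00:02", "02:00:00:00:30:01")
       for i in range(5)]
)

def detect_bursts(events, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
    """Return (time, event_type, bssid, count) alerts, one per burst, when the
    number of events of one type for one AP inside the window exceeds its threshold."""
    recent = defaultdict(deque)  # (event_type, bssid) -> timestamps still in window
    alerting = set()             # keys already alerted, so a burst fires only once
    alerts = []
    for ts, etype, bssid, _client in sorted(events):
        if etype not in thresholds:
            continue
        key = (etype, bssid)
        stamps = recent[key]
        stamps.append(ts)
        while ts - stamps[0] > window:   # drop events older than the window
            stamps.popleft()
        if len(stamps) > thresholds[etype]:
            if key not in alerting:
                alerting.add(key)
                alerts.append((ts, etype, bssid, len(stamps)))
        else:
            alerting.discard(key)        # re-arm once the rate falls back
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print("ALERT t=%.1fs type=%s ap=%s count=%d" % alert)
```

Keying the counter on the AP rather than the client means a burst spread across many client addresses still trips the threshold.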
The complete document is attached below.