PCI Wireless Compliance

CATEGORY: Software > Application
MANUFACTURER: OCR

After wireless technologies were introduced into retail environments, they provided a new way to breach data by circumventing existing security structures. A number of highly publicized retail data breaches have clearly revealed the vulnerabilities of wireless technologies. Attackers have accessed such sensitive information as credit and debit card data, resulting in damage to brands, disruptions in retail businesses, and financial and regulatory liabilities. The payment card industry (PCI) now mandates stricter security measures for wireless and imposes significant penalties for non-compliance. This PCI Wireless Compliance white paper explains the new requirements for wireless data security standards (DSS) and offers a summary of solutions designed by Motorola’s Enterprise Wireless LAN group to enable PCI compliance right out of the box, cost-effective validation of compliance, and strong wireless security.

Retail Wireless Risks

Over the last 20 years, retail wireless technology has been used to reduce costs and improve business efficiencies. However, sophisticated hackers and thieves recognized in these wireless applications the perfect points at which to access retail networks and steal valuable information from customer accounts.

Rogue Access Points

Rogue access points (APs) are wireless APs which have not been authorized to connect to the wired networks of retailers. Rogue APs might be deployed by a contractor or employee or by a malicious hacker. It must be understood that rogues can appear on any segment of a network, even in retail stores in which no WLAN has been deployed.

  • Rogue APs give attackers unrestricted access to internal networks and computers, the equivalent of an internal Ethernet port connection.
  • Rogue APs can be used on any or all networks, even a POS network that is deliberately segmented from a wireless network.
  • Rogue APs can be deployed in networks which clearly state their prohibition against wireless devices.
    Identity Theft

    Hackers can falsely claim to be authorized wireless devices and connect to authorized APs. Once inside the network, all of the rogue scenarios discussed above can occur.

    • ACLs based on MAC addresses are not effective because wireless MAC addresses are broadcast in the clear. Hackers can simply change their device address to that of an authorized device.
    • Wired Equivalent Privacy (WEP), the original encryption standard usually used in retail WLAN, is easily and quickly cracked. After getting the WEP key, hackers have unfettered network access, permitting them to attack applications and internal servers.
    • Wi-Fi Protected Access (WPA) Pre-shared Key (PSK) is simple to deploy and is not as vulnerable to hacking as WEP; however, a common key is employed between several devices. Sometimes hackers have stolen portable data terminals or obtained the pre-shared key through social engineering. It is relatively easy to crack dictionary-based passwords. Once the pre-shared key is accessed, the whole network is at risk until network administrators replace that key on all APs and portable data terminals.

    Non-Compliant APs

    Frequently, wireless access points are incorrectly configured. Gartner has reported that most security incidents result from misconfigurations in devices due to bugs in the management software of the AP or human error, among other reasons.

    • Misconfigured APs in stores or distribution centers can be found and exploited to access the network.
    • Well-known vulnerabilities in infrastructure and WLAN APs can cause the escalation of privileges, disclosure of information, and unauthorized access by means of fixed authentication credentials.

    Denial of Service (DoS)

    Hackers can initiate denial of service (DoS) attacks to prevent wireless devices from performing properly and to close down essential business operations.

    • Wireless DoS attacks can easily cripple stores or distribution centers in spite of the deployment of the highest security standards.
    • Hackers, via wireless APs, can insert malicious broadcast or multicast frames into the internal wired network to wreak havoc.

    Cost of a Data Breach

    In 2007, the Ponemon Institute released a study of the costs borne by 35 businesses that had experienced a data breach. The cost of a breach averaged $197 for each exposed customer record in 2007, up from the 2006 average of $182. Lost business opportunities, including those resulting from customer churn and brand damage, showed a larger increase, rising to $128 in 2007 from $98 in 2006.

    Retail Wireless Exposure

    Recently, a number of high-profile breaches have directly resulted from these vulnerabilities in wireless networks. The most recent breach, at TJX, was widely publicized; more than 45.7 million debit and credit card accounts were compromised. The Wall Street Journal reported that the breach at TJX was the direct result of inadequate wireless security. The US Department of Justice reported in August 2008 that “eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft.” These indictments claim that, in this sophisticated conspiracy, the perpetrators obtained the numbers of credit and debit accounts by “wardriving” and by hacking the wireless computer networks of such large retailers as DSW, Forever 21, Sports Authority, Barnes & Noble, Boston Market, OfficeMax, BJ’s Wholesale Club, and TJX Companies. Once into the networks, the perpetrators deployed “sniffer” programs to capture passwords, card numbers, and account information as they rifled through the debit- and credit-processing networks of the retailers.

    PCI Wireless Compliance Overview

    The frightening increase of identity theft and compromised debit and credit cards in retail businesses has inspired the enforcement of new, more stringent standards for information security. Requirements specific to the wireless industry have also been strengthened because retailers consider wireless security and compliance to be their Achilles’ heel.

    The PCI Security Standards Council, a worldwide open forum, was founded by Visa International, MasterCard Worldwide, JCB, Discover Financial Services, and American Express to develop, enhance, store, and disseminate security standards for the protection of account data.

    PCI’s updated version of the Data Security Standard (DSS), PCI DSS version 1.2, was adopted by the major card brands on October 1, 2008, as the global standard for all enterprises that transmit, store, or process cardholder data. Its requirements mirror best practices for data security.

    PCI DSS Goals & Broad Requirements

    Design and Maintain Network Security

    • Deploy and support a firewall structure for data protection.
    • Use no defaults supplied by a vendor for security parameters like system passwords.

    Provide Protection for Cardholder Data

    • Set up protection for stored data.
    • Encrypt sensitive information and cardholder data when transmitting across public networks.

    Maintain a Program to Manage Vulnerability

    • Regularly update and use anti-virus software.
    • Build and maintain secure applications and systems.

    Deploy Strong Access Controls

    • Use a need-to-know rule to restrict access to data.
    • Assign each person with access to a computer a unique ID.
    • Limit physical access to cardholder data.

    Test and Monitor Networks Regularly

    • Monitor and track all access to cardholder and data network resources.
    • Test processes and security systems regularly.

    Establish a Policy for Information Security

    • Support and maintain an information security policy.

    PCI DSS version 1.2 gives special importance to WLAN security. Cardholder data environments (CDE) are required to clearly define the policies for wireless usage, log all wireless activity, prevent physical access to wireless devices, remove all rogue and unauthorized devices, deploy robust encryption, and replace wireless defaults (keys, SSIDs, passwords, etc.), as seen in the table below. The PCI DSS requirements for wireless can be divided into two major categories.

    Wireless requirements applicable universally:

    These requirements should be adopted by all companies to protect wired networks from attacks by way of unknown or rogue wireless APs and clients, regardless of whether these companies use wireless technology or not. In other words, they apply universally to all companies wanting to be compliant with the PCI DSS.

    Wireless requirements applicable to in-scope networks:

    To protect their wireless systems, all companies reliant upon wireless technology are required to meet these requirements for PCI DSS compliance. They refer specifically to wireless technology usage in-scope and are in addition to the universal requirements described above.

    PCI DSS 1.2 Wireless Requirements

    Universally Applicable Requirements

    • Identify unauthorized and rogue wireless devices
    • Remove unauthorized wireless devices

    Scoping

    • Use firewall between wireless and cardholder network

    Requirements for In-Scope Wireless Networks

    • Change wireless default settings
    • Encrypt wireless networks
    • Secure wireless devices physically
    • Audit wireless activity logs
    • Use intrusion prevention (IPS) for wireless traffic
    • Develop usage procedures and policies for wireless

    Universally Applicable PCI Wireless Requirements

    Beyond the PCI DSS requirements to secure existing wireless technologies are additional validation requirements which cover not only the authorized wireless devices but also the potentially dangerous and unknown rogue devices that might permit access to the card data environment.

    Wireless networks can be outside PCI scope if (i) wireless has not been deployed or (ii) wireless is deployed but has been segmented from the CDE. If wireless has not been deployed, regularly scheduled monitoring is required to keep rogue or unauthorized wireless devices from breaching CDE security. Typically, a firewall is required between the CDE and the wireless network to segment a wireless network out of PCI scope.

    PCI DSS Requirements for Testing Procedure

    Determine the presence of wireless APs by at least quarterly testing with a wireless analyzer or by identifying all of the wireless devices in current use by deploying a wireless intrusion detection/prevention system (IDS/IPS).

    Use a wireless analyzer quarterly at least, or configure and implement a wireless IDS/IPS to identify all wireless devices in use.

    Verify that the configuration of the wireless IDS/IPS will initiate alerts to the appropriate personnel.

    Verify that the company’s incident response plan (Requirement 12.9) requires an alert if unauthorized wireless devices are discovered.

    Specify designated personnel to be ready 24/7 to respond quickly to alerts.

    Review personnel observations and company policies to verify that around-the-clock monitoring and incident response will detect unauthorized activity, unauthorized wireless APs, critical IDS alerts, and reports of unauthorized critical system or content file changes.

    Wireless Scanning

    Requirement 11.1 ensures that a rogue or unauthorized wireless device is not able to access the CDE. The requirement is intended to prevent attackers from employing rogue wireless devices to compromise cardholder data security. The use of a wireless analyzer or such a preventative control as a wireless intrusion detection/prevention system (IDS/IPS) is acceptable for reaching the standard.

    A rogue device can appear at any location on a network, so all locations must be either scanned periodically or wireless IDS/IPS systems must be employed in all locations. An organization or business cannot sample only some sites to attain compliance with the standard; they must scan every site quarterly to comply. Each organization is responsible for ensuring that the CDE meets compliance requirements at all times. In a PCI DSS assessment, the assessor or the organization is given the discretion to decide whether to validate their compliance by choosing only a sampling of all locations, but the assessor must be certain that the organization uses appropriate technologies and processes to comply at all of their locations.

    PCI DSS requirements clearly specify use of wireless analyzers or wireless IDS/IPS systems for scanning. Wired network side-scanning tools that can reveal questionable hardware MAC addresses on switches might be able to identify some rogue devices, but they have a very high rate of false positives and negatives. They often miss rogue wireless devices that are skillfully disguised and hidden or devices that are connected to isolated segments of a network. Wired scanning also misses many rogue wireless clients, and a rogue wireless client has no legitimate reason to be connected to the CDE. Although not enough on their own, wired analysis tools might be valuable if used with wireless analyzers to provide higher quality scan results.

    Organizations can turn a laptop into a wireless analyzer by running such easily available programs as Kismet or NetStumbler. An auditor or technician simply walks around the site with the laptop to detect wireless devices. Each device can then be manually investigated to determine whether it allows CDE access, in order to classify the device as a rogue or just a wireless device in a friendly neighboring network. This method is acceptable technically, but it is often costly, error prone, and tedious. Figure 3 presents a scan of all wireless devices within several blocks of 5th Avenue in New York City. The scan of such an area would likely detect many devices; sorting true rogues on the network from neighboring devices would be prone to errors and very tedious if performed manually. Therefore, automated wireless scanning is recommended, employing wireless IDS/IPS systems able to accurately and automatically classify rogue devices that co-exist in the shared wireless environment.

    The PCI DSS standard does not specifically state the desired output of the wireless analysis, but it does suggest that the analysis should be developed, reviewed, and employed to alleviate the risk of rogue or unauthorized wireless devices. At the least, the survey of wireless devices should identify all rogues connected to the network. In order to comply with requirement 11.1, organizations should promptly eliminate the rogue threat as specified in requirement 12.9 and very quickly thereafter rescan the environment, as stated in other PCI DSS verification requirements. In short, manual scanning and remediation are often tedious; therefore, an automatic process employing a centrally managed wireless IDS/IPS is recommended.
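The classification step described above, as an added example that is not part of the white paper or any Motorola product: a wireless scan (Kismet-style BSSID/SSID/channel/signal records) is correlated with an authorized-AP inventory and with the MAC table learned by the wired switches, so that unknown radios whose MAC also appears on the wire are flagged as rogues and nearby unknowns are queued for manual investigation. Every inventory entry, MAC address and the -60 dBm "on premises" signal threshold are constructed assumptions.

```python
"""Added example (not from the white paper): triage a wireless scan into
authorized / misconfigured / rogue / suspect / neighbor by correlating the
over-the-air view with the wired switches' MAC table. All data is constructed."""
from dataclasses import dataclass

# Assumption: radios heard stronger than this are probably inside the store.
STRONG_SIGNAL_DBM = -60


@dataclass(frozen=True)
class SeenAP:
    bssid: str      # radio MAC observed over the air
    ssid: str
    channel: int
    rssi: int       # signal strength in dBm (closer to 0 is stronger)


def norm_mac(mac: str) -> str:
    """Normalize 'AA-BB-CC-DD-EE-FF' / 'aa:bb:...' to one comparable form."""
    return mac.strip().lower().replace("-", ":")


# Constructed: the organization's authorized AP inventory (BSSID -> expected SSID).
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": "store-pos",
    "00:1a:2b:3c:4d:02": "store-pos",
}

# Constructed: MAC addresses currently learned by the store's wired switches.
WIRED_MAC_TABLE = {
    "00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02",   # the authorized APs
    "00:1a:2b:3c:4d:0f",                         # an unknown AP plugged into the wire
    "00:0c:29:aa:bb:cc",                         # a POS terminal
}

# Constructed air-scan result for one store visit.
SCAN = [
    SeenAP("00:1a:2b:3c:4d:01", "store-pos", 1, -45),
    SeenAP("00:1a:2b:3c:4d:0f", "linksys", 6, -38),          # unknown, seen on the wire
    SeenAP("D8-47-32-11-22-33", "CoffeeShop-Guest", 11, -80),  # weak: neighboring business
    SeenAP("00:25:9c:aa:bb:cc", "Free-WiFi", 3, -42),         # unknown, strong, not on wire
    SeenAP("00:1a:2b:3c:4d:02", "store-guest", 6, -50),       # ours, but wrong SSID
]


def classify(ap: SeenAP, authorized=AUTHORIZED_APS, wired_macs=WIRED_MAC_TABLE) -> str:
    """Return the triage class for one observed access point."""
    bssid = norm_mac(ap.bssid)
    if bssid in authorized:
        # An authorized radio advertising an unexpected SSID is a configuration drift.
        return "authorized" if authorized[bssid] == ap.ssid else "misconfigured"
    if bssid in wired_macs:
        # Unknown radio whose MAC the switches have learned: it is on our network.
        return "rogue"
    if ap.rssi >= STRONG_SIGNAL_DBM:
        # Unknown and close by: may sit on an isolated segment the wired scan
        # cannot see, so it needs the manual investigation the text describes.
        return "suspect"
    return "neighbor"


def classify_scan(scan, authorized=AUTHORIZED_APS, wired_macs=WIRED_MAC_TABLE) -> dict:
    """Map every observed BSSID (normalized) to its triage class."""
    return {norm_mac(ap.bssid): classify(ap, authorized, wired_macs) for ap in scan}


def requiring_action(scan) -> list:
    """BSSIDs that must be removed or investigated before the site is compliant."""
    classes = classify_scan(scan)
    return sorted(b for b, c in classes.items() if c in ("rogue", "suspect", "misconfigured"))


if __name__ == "__main__":
    for bssid, cls in classify_scan(SCAN).items():
        print(f"{bssid}  {cls}")
    print("action needed:", requiring_action(SCAN))
```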

    Segmenting Wireless Networks

    PCI compliance requires that a firewall must be installed between wireless networks that are capable of gaining access to the CDE and the CDE itself. If wireless networks do not transmit, process or store cardholder data, they should be separated from the CDE by robust firewalls, an established method for containing and isolating segments of a network. The intention is to stop unauthorized users from gaining access via a wireless network to the CDE for any purposes other than credit card transactions. Wireless firewalls must perform three general functions: (i) filter the packets originated by the wireless network segments, (ii) do stateful inspections of the connections, and (iii) log the traffic that the firewall has allowed or denied.

    PCI DSS Requirement Testing Procedure

    Deploy perimeter firewalls between the cardholder data environment (CDE) and any wireless networks; set up these firewalls to control (if the traffic is essential for conducting business) or deny all traffic from the wireless environment into the CDE.

    Be certain that perimeter firewalls are installed between wireless networks and systems that store data of cardholders; verify that these firewalls control (if the traffic is essential for conducting business) or deny traffic from the wireless environment into the CDE.

    PCI DSS requires that all security and firewall policies be verified and audited at least every 6 months to earn compliance. Where applications and protocols are shared across the firewall between the wireless network and the CDE, packets and connections inbound to the CDE should be blocked by default unless they have been specifically allowed. This policy is far more secure than permitting all traffic and connections by default and then blocking specific connections and traffic. Traffic originating in wireless networks should be explicitly blocked. Organizations can further secure their networks by filtering outbound traffic as well, which reduces the possibility of attacks from internal sources. As a general rule, any traffic and protocol not needed in the CDE for credit card transactions should be blocked, resulting in fewer attack risks, less traffic, and easier monitoring.

    Requirements Applicable for In-scope Wireless Networks

    PCI DSS-compliant in-scope wireless networks must have (i) strong encryption and authentication; (ii) changed default settings and passwords on all wireless devices; (iii) physical security for wireless devices; (iv) logging of all wireless access and intrusion prevention; and (v) enforcement of policies for wireless usage.

    Strong Authentication and Encryption

    In 2001, a set of independent studies by a number of commercial and academic institutions identified vulnerabilities in the Wired Equivalent Privacy protocol (WEP), the first security protocol of the 802.11 specification by the Institute of Electrical and Electronics Engineers (IEEE). The studies revealed that an intruder, provisioned with appropriate tools and some technical knowledge, had little trouble in gaining unauthorized access into a wireless network by way of the WLAN -- even when WEP was enabled.

    The Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA™) in 2003 as a robust, standards-based, interoperable security policy for Wi-Fi. WPA ensures that data will be protected and that networks can be accessed only by authorized users. WPA employs Temporal Key Integrity Protocol (TKIP) to change the encryption keys on a per packet basis for data encryption.

    The Wi-Fi Alliance introduced its second generation of Wi-Fi security in 2004, Wi-Fi Protected Access 2 (WPA2™). Similar to WPA, WPA2 gives Wi-Fi users assurance that data is protected and wireless networks can be accessed only by authorized users. WPA2 is based on the IEEE 802.11i amendment to the 802.11 standard, which was ratified in June 2004. WPA2 employs the Advanced Encryption Standard (AES) for encrypting data and qualifies for FIPS (Federal Information Processing Standards) 140-2 compliance.

    To comply with PCI DSS 1.2, WEP must be discontinued, and users must move to the more robust authentication and encryption delivered by IEEE 802.11i. The Wi-Fi Alliance guarantees products as WPA-compatible or WPA2-compatible for 802.11i-based interoperability.

    PCI DSS Requirement Testing Procedure

    Ensure that wireless networks which transmit cardholder data or connect to the CDE employ best-practice industry standards (i.e., IEEE 802.11i) to accomplish robust encryption for transmission and authentication.

    • New installations of WEP are prohibited after March 31, 2009.
    • Current implementations are prohibited from using WEP after June 30, 2010.

    Verify the following vendor default settings in wireless networks and be certain that every wireless network implements robust encryption mechanisms (e.g., AES):

    • Encryption keys are changed from default when installed, and are changed each time a person who knows the keys leaves the company or moves to a different position.
    • Default SNMP community strings are changed on wireless devices.
    • Default passphrases and passwords are changed on APs.
    • Wireless device firmware is revised to support stronger encryption for transmission and authentication over wireless networks (e.g., WPA and WPA2).
    • Other security-related defaults for wireless vendors are changed, if applicable.

    WPA and WPA2 have two modes -- enterprise and personal, each offering a solution for encryption and authentication.

    Personal mode is intended for homes and users in small office/home office (SOHO) environments with no access to authentication servers. Personal mode is unmanaged and employs a pre-shared key (PSK) to authenticate traffic, rather than IEEE 802.1X. This authentication uses a passphrase, the PSK, that is manually entered on the AP to initiate the encryption key; this mode is clearly not appropriate in growing enterprises. Typically, users share the PSK. If passphrases are weak, they are vulnerable to attacks. A completely random passphrase using at least 13 characters chosen from the 95 permitted characters is probably sufficient protection against a brute force attack. Rainbow tables, which are computer-generated password hashes created from an immense list of possible character combinations, are available from the “Church of WiFi” for popular service set identifiers (SSIDs) for a number of different WPA/WPA2 passphrases. For better protection against intrusion, the SSID of a WPA-PSK network should be unique.
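The reason a unique SSID defeats precomputed tables, shown as an added example that is not part of the white paper: WPA/WPA2-Personal derives the 256-bit PSK from the passphrase with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table of PSKs computed for a default SSID such as "linksys" says nothing about the same passphrase on another SSID. The word list and the SSID "store-7421-a3f9" are constructed; the check against the 13-random-character guideline is included as well.

```python
"""Added example (not from the white paper): the IEEE 802.11i PSK derivation,
why a PSK table precomputed for one SSID is useless against another, and a
check of the 13-character random-passphrase guideline. Sample values are constructed."""
import hashlib
import math
import secrets
import string

# The 95 printable ASCII characters a WPA passphrase may be drawn from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
PSK_ITERATIONS = 4096


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes),
    as specified for WPA/WPA2-Personal. The SSID is the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PSK_ITERATIONS, 32)


def precompute_table(ssid: str, candidates) -> dict:
    """The defender's model of a rainbow-table entry set: PSK -> passphrase,
    valid for exactly one SSID because the SSID is baked into every PSK."""
    return {wpa_psk(p, ssid): p for p in candidates}


def lookup(table: dict, psk: bytes):
    """Return the passphrase if this PSK was precomputed for the table's SSID, else None."""
    return table.get(psk)


def rainbow_table_reusable(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """A table built for ssid_a helps against ssid_b only if both derive the same PSK,
    which happens only when the SSIDs are identical."""
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)


def random_passphrase(length: int = 13) -> str:
    """Passphrase drawn uniformly from the 95 printable characters with a CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def passphrase_strength_bits(passphrase: str) -> float:
    """Entropy estimate assuming uniform choice from 95 characters. A dictionary
    word or a predictable pattern is far weaker than this figure suggests."""
    return len(passphrase) * math.log2(len(PRINTABLE))


def meets_guideline(passphrase: str) -> bool:
    """802.11i allows 8-63 characters; the text recommends at least 13 random ones."""
    return 13 <= len(passphrase) <= 63 and all(c in PRINTABLE for c in passphrase)


if __name__ == "__main__":
    # Constructed word list standing in for a precomputed table for a default SSID.
    default_table = precompute_table("linksys", ["password", "letmein", "qwerty123"])
    print("PSK of 'password' on SSID 'linksys' found in table:",
          lookup(default_table, wpa_psk("password", "linksys")))
    print("same passphrase on unique SSID found in that table:",
          lookup(default_table, wpa_psk("password", "store-7421-a3f9")))
    print("13 random characters give about",
          round(passphrase_strength_bits(random_passphrase()), 1), "bits")
```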

    The enterprise mode can meet the rigorous security standards required by businesses. This mode builds on the IEEE 802.1X authentication framework by using an Extensible Authentication Protocol (EAP) along with an authentication server, providing robust mutual authentication between the authentication server (via the AP) and the client. Every user receives a different key mechanism to gain access to the WLAN, so individuals are afforded a very high level of privacy. Temporal Key Integrity Protocol (TKIP) encryption is used for WPA. It uses an encryption cipher to issue encryption keys for each packet of data transmitted in each session of each individual user, creating an encryption code that is extremely challenging to break. For WPA2, Advanced Encryption Standard (AES), stronger than TKIP, provides added network protection.

    Changing Default Settings

    Changing the default settings of factory default shared keys, administrative passwords, reset functions, automatic network connection functions, encryption settings, and Simple Network Management Protocol (SNMP) access will help to eliminate many network vulnerabilities that affect CDE security.

    PCI DSS Requirement Testing Procedure

    In wireless environments that transmit cardholder data or are connected to a cardholder data environment, change defaults of wireless vendors, including but not only SNMP community strings, passwords, and default wireless encryption keys. Ensure that security settings for wireless devices are equipped with strong encryption technology for transmission and authentication.

    Verify the following steps that pertain to vendor default settings in wireless environments and be certain that all wireless networks set up strong encryption mechanisms (e.g., AES):

    • Encryption keys are changed from default when installed, and are changed each time a person who knows the keys leaves the company or moves to a different position.
    • Default SNMP community strings are changed on wireless devices.
    • Default passphrases and passwords are changed on APs.
    • Wireless device firmware is revised to support stronger encryption for transmission and authentication over wireless networks (e.g., WPA and WPA2).
    • Other security-related defaults for wireless vendors are changed, if applicable.

    WLAN devices are often shipped with pre-set default settings, and some of these contain intrinsic security vulnerabilities. A prime example is the administrator password. On some access points, the factory default requires no password or a blank field is left for the password. Other APs may use such simple, often-used default passwords as “admin” or “password.” Unauthorized users have no trouble gaining access to the management console of the device when such defaults are not changed. The factory settings of other wireless APs might allow unencrypted wireless access because they are pre-set for WEP access with overly simple keys like “111111.”

    Some wireless access points employ Simple Network Management Protocol (SNMP) agents that enable network management software to monitor the state of wireless clients and APs. SNMPv1 and SNMPv2, the first versions of SNMP, are very insecure because they support only inadequate authentication using plain-text community strings. SNMPv3, however, includes functions that offer strong security and is highly recommended. When SNMP is not needed on the network, network managers should disable it. It is well known that the default SNMP community string often used by SNMP agents is the word “public” with assigned “read and write” or “read” privileges. When default strings are not changed, devices are susceptible to attacks. When organizations require SNMP, they should switch the default community string to a stronger one as often as needed. Privileges should be designated “read only” if read access is all a system or a user requires.

    All Wi-Fi access points have a service set ID (SSID), usually a simple ASCII character string that is sometimes called the “network name.” The SSID assigns an identifier to the service set (wireless network). Clients wanting to join a network can scan for available networks in an area and provide the correct SSID to join. If SSID broadcast is disabled in the access points, a client device is forced to actively scan by probing with a specific SSID. The SSID default values of many vendors of 802.11 wireless LAN products have been published and are well known to potential adversaries. Suppression of the SSID does not necessarily provide security because hackers might still sniff the SSID by using fairly commonplace techniques. However, it is not recommended to broadcast an SSID that is easily identified with an organization or its name.

    Physical Security of Wireless Devices

    PCI DSS includes a requirement for the physical security of devices that are accessible to the public or otherwise at risk. Organizations do not need to physically cage APs or chain down handheld devices, but it would be prudent to reasonably secure devices that are accessible to the public and might be lost or stolen.

    PCI DSS Requirement Testing Procedure

    Restrict physical access to handheld devices, wireless access points, and gateways.

    Verify that physical access is appropriately restricted to handheld devices, gateways and wireless access points.

    The requirements do not specify how to secure these devices, but physical security can be implemented in many ways. For example, many access points sold to consumers include a factory reset feature, posing a special problem because it permits an individual to cancel security settings configured by administrators and restores the default factory settings. Default settings usually do not require an administrative password and might disable encryption. By simply inserting a pen point into the reset hole and pushing down, a user can return the configuration to the factory defaults. A malicious user, once he has physical access to a device, can utilize the reset function to eliminate the administrator’s security settings. Resets can also be triggered remotely over a management interface or, given physical access, through a serial console interface on the access point.

    Many options are available to secure wireless devices, including restricting physical access by placing APs in difficult-to-reach places such as high ceilings and employing tamper-proof enclosures to disable the factory reset options and console interface. Many enterprise access points come with mounting brackets to prevent easy access to the Ethernet cable.

    Laptops and handheld wireless devices are harder to secure because users must have physical access to them. It is recommended that no passwords or PSKs be printed on the device and that missing devices be reported and tracked through the organization’s inventory management system.

    Wireless Intrusion Prevention and Access Logging

    Intrusion detection refers to monitoring and analyzing the events transpiring in a computer network or system for evidence of possible violations or imminent threats to standard security practices, acceptable use policies, and security policies. Software for intrusion detection systems (IDS) automates the process of detecting intrusions. An intrusion prevention system (IPS) performs the same functions as an IDS but it also attempts to prevent incidents.

    PCI DSS Requirement Testing Procedure

    Use IDS and/or IPS in cardholder data environments to monitor all network traffic. Alert personnel when compromises are suspected. Continually update all intrusion detection and intrusion prevention engines.

    Verify the use of IDS and/or IPS and confirm that all traffic in the cardholder data environment is being monitored.

    Confirm that intrusion detection and/or intrusion prevention systems are set up to alert personnel of suspected compromises.

    Examine IDS/IPS settings and verify that the IDS/IPS devices are set up, maintained, and updated to assure the most protection, according to the vendor’s instructions. Wireless IDS/IPS products provide widely varying capabilities because they are relatively new to the IDS/IPS field.

    Almost all wireless IDS/IPS create and manage an inventory of the WLAN devices they observe, including ad hoc (peer-to-peer) clients, WLAN clients, and APs. The inventory usually consists of the MAC addresses and SSIDs of the wireless network cards in the observed devices. Other systems might observe traffic using fingerprinting techniques to verify the vendor, rather than relying on MAC addresses, which might be spoofed. In addition, the inventory can serve as a profile to pinpoint new WLAN devices and to note existing devices that have been removed. Each entry can then be tagged by administrators as either authorized, rogue, or a benign neighboring WLAN (e.g., another business in the same location). When considering systems, enterprises should evaluate the quality of the automatic device classification of the wireless IDS/IPS.

    Wireless IDS/IPS usually carry out exhaustive data logging of alerts. This data is used to investigate incidents, confirm that alerts are valid, and correlate the alerts between other logging sources and the IDS/IPS. Data fields that are commonly logged include the following: (i) the time stamp (usually time and date), (ii) the alert type or event, (iii) the severity or priority rating, (iv) the source MAC address (the address can identify the vendor), (v) the channel number, and (vi) the event location or the ID of the sensor that observed the event. A wireless IDS/IPS can determine misconfigurations, policy violations, and attacks at the WLAN protocol level, chiefly by checking the IEEE 802.11 protocol communication. It usually does not check communications at IP addresses, application payloads and other higher layers of networking. Some wireless IDS/IPS do only basic signature-based detection, but others employ a combination of anomaly-based detection, stateful protocol analysis, and signature-based detection. Enterprises should deploy wireless IDS/IPS products that employ a combination of techniques for broader, more accurate detection.

    The kinds of events that wireless IDS/IPS detect include the following:

    • Unauthorized WLAN devices and WLANs: Using their information-gathering functions, wireless IDS/IPS can detect unauthorized STAs, rogue APs, and unauthorized WLANs in both infrastructure and ad hoc mode.
    • Poorly protected WLAN devices: Many wireless IDS/IPS can detect STAs and APs with improper security controls, including weak WLAN protocols and misconfigurations. They identify deviations from organization-specific policy regarding channel settings, SSID names, data rates, authentication, and encryption. A wireless IDS/IPS can determine, for example, that a wireless device is employing WEP rather than WPA2.
    • Unusual patterns of usage: Using anomaly-based detection, some wireless IDS/IPS detect unusual usage patterns in the WLAN, such as many more clients than usual on a specific AP or notably higher traffic between a client and an AP. Either could mean that a device has been compromised or that unauthorized parties are using the WLAN. Many systems also detect repeated failures to access the WLAN, alerting when a large number of failed attempts occur in a short time, which may indicate attempts to gain unauthorized access. Other systems alert when off-hours activity is detected. Denial of service (DoS) attacks include logical attacks such as flooding (sending an AP huge numbers of messages at a great rate) and spoofing (sending false data meant to confuse wireless connections), and physical attacks such as jamming (emitting electromagnetic energy on the WLAN's frequencies to interfere with communications or surveillance). DoS attacks are often detected by stateful protocol analysis and anomaly detection, which determine whether the observed activity matches the expected activity. Many DoS attacks are found by counting events during specific periods and alerting when a threshold is exceeded; for example, many alerts correlating with the termination of wireless sessions suggest a DoS attack.
    • Man-in-the-middle and impersonation attacks: Some wireless IDS/IPS can detect one device attempting to spoof the identity of another by identifying subtle differences in activity characteristics, such as particular values in frames.
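    The logged fields listed above and the detection rules from the list (a burst of failed access attempts, event counting against a threshold for flooding, off-hours activity, and a device using WEP instead of WPA2) can be put together in a small analysis pass. The following is an added example, not code from the white paper or from any vendor product. The pipe-separated record layout, the event names, the thresholds and the log lines are all constructed; a real sensor's export format will differ, but the six fields are the ones the text names.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed record layout, one event per line:
#   time|event|severity|source MAC|channel|sensor ID|detail (key=value,...)
SAMPLE_LOG = """\
2017-03-14 10:02:00|beacon|0|00:23:68:aa:aa:aa|6|sensor-1|ssid=Store-POS,enc=WPA2
2017-03-14 10:02:01|beacon|0|00:1c:f0:ee:ee:ee|3|sensor-1|ssid=linksys,enc=WEP
2017-03-14 10:05:10|assoc|0|00:11:22:33:44:55|6|sensor-1|ap=00:23:68:aa:aa:aa
2017-03-14 10:05:11|auth_fail|1|00:11:22:33:44:55|6|sensor-1|-
2017-03-14 10:05:13|auth_fail|1|00:11:22:33:44:55|6|sensor-1|-
2017-03-14 10:05:16|auth_fail|1|00:11:22:33:44:55|6|sensor-1|-
2017-03-14 10:05:20|auth_fail|1|00:11:22:33:44:55|6|sensor-1|-
2017-03-14 10:05:25|auth_fail|1|00:11:22:33:44:55|6|sensor-1|-
2017-03-14 10:05:31|auth_fail|1|00:11:22:33:44:55|6|sensor-1|-
2017-03-14 11:40:00|deauth|2|00:23:68:aa:aa:aa|6|sensor-1|reason=3
2017-03-14 23:40:02|assoc|0|00:66:77:88:99:aa|6|sensor-2|ap=00:23:68:bb:bb:bb
"""
# Constructed burst: ten deauthentication frames from one source within four seconds.
SAMPLE_LOG += "".join(
    f"2017-03-15 02:13:{5 + i // 3:02d}|deauth|2|00:1c:f0:ee:ee:ee|6|sensor-1|reason=7\n"
    for i in range(10)
)


@dataclass
class Event:
    ts: datetime
    kind: str
    severity: int
    src: str
    channel: int
    sensor: str
    detail: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed layout into Event objects sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, kind, sev, src, chan, sensor, detail = line.split("|", 6)
        kv = dict(item.split("=", 1) for item in detail.split(",") if "=" in item)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind,
                            int(sev), src.lower(), int(chan), sensor, kv))
    return sorted(events, key=lambda e: e.ts)


def threshold_alerts(events: List[Event], kind: str, window_s: int, threshold: int) -> Dict[str, int]:
    """Sources with at least `threshold` events of `kind` in any `window_s`-second window.
    Returns {source MAC: peak count}; this is the counting rule used for floods and auth bursts."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == kind:
            times[e.src].append(e.ts)
    window = timedelta(seconds=window_s)
    peaks: Dict[str, int] = {}
    for src, ts in times.items():
        start = peak = 0
        for end in range(len(ts)):        # sliding window over time-sorted events
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            peaks[src] = peak
    return peaks


def off_hours(events: List[Event], open_hour: int = 7, close_hour: int = 22) -> List[Event]:
    """Client associations outside the store's operating hours."""
    return [e for e in events if e.kind == "assoc" and not (open_hour <= e.ts.hour < close_hour)]


def weak_encryption(events: List[Event]) -> List[Event]:
    """Beacons advertising WEP or no encryption, a policy violation when WPA2 is required."""
    return [e for e in events if e.kind == "beacon" and e.detail.get("enc", "").upper() in ("WEP", "OPEN")]


def analyze(text: str) -> Dict[str, object]:
    """Run every rule over one log and collect the findings."""
    events = parse_log(text)
    return {
        "deauth_flood": threshold_alerts(events, "deauth", window_s=10, threshold=10),
        "auth_failures": threshold_alerts(events, "auth_fail", window_s=60, threshold=5),
        "off_hours": [e.src for e in off_hours(events)],
        "weak_encryption": [e.src for e in weak_encryption(events)],
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

    On the constructed log, the sliding-window count isolates the deauthentication burst from the single, legitimate-looking deauth an hour earlier, the six failed authentications in twenty seconds trip the auth-failure rule, the 23:40 association is reported as off-hours activity, and the WEP beacon is reported as a policy violation. Thresholds and operating hours are the tunable part; the text's point is that such counts only become alerts once they are compared against what the environment normally looks like.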

    Wireless IDS/IPS can identify the physical location of a discovered threat by signal-strength triangulation: by measuring the strength of the threat's signal at multiple sensors, its approximate location can be calculated. An organization can then send security staff to that location to find and disarm the threat. Wireless IDS/IPS use building floor plans to determine whether the threat is inside or outside the building, and whether it is in a public space or a secured area. This information helps find and stop the threat, and it also helps prioritize responses; wireless IDS/IPS can set alert priorities based partly on the location of the threat. Wireless IDS/IPS sniffers installed on laptops can locate threats precisely, especially when fixed sensors lack triangulation capabilities or the threat is mobile.
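    The location step described above, as an added example that is not from the white paper or from AirDefense. It converts each sensor's RSSI reading to a distance with a log-distance path-loss model, solves the resulting circle intersection by least squares, and maps the estimate onto a floor plan to pick a response priority. The sensor coordinates, the path-loss parameters (-40 dBm at 1 m, exponent 3), the zone rectangles and the RSSI readings are constructed; a deployed system calibrates the model per site, and the example goes slightly beyond the text by accepting any number of sensors from three upward.

```python
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed path-loss model parameters (log-distance model): RSSI measured at
# 1 m and the path-loss exponent. A real WIDS calibrates these per site.
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 3.0

# Constructed floor plan: sensor coordinates in metres and named zones.
SENSORS: Dict[str, Point] = {
    "sensor-1": (0.0, 0.0),
    "sensor-2": (20.0, 0.0),
    "sensor-3": (0.0, 15.0),
    "sensor-4": (20.0, 15.0),
}
ZONES = [  # (name, x_min, y_min, x_max, y_max, response priority)
    ("back office", 0.0, 10.0, 20.0, 15.0, "critical"),   # POS servers live here
    ("sales floor", 0.0, 0.0, 20.0, 10.0, "high"),
]


def rssi_to_distance(rssi: float) -> float:
    """Invert the log-distance path-loss model: RSSI = RSSI_1m - 10*n*log10(d)."""
    return 10 ** ((RSSI_AT_1M - rssi) / (10 * PATH_LOSS_EXPONENT))


def trilaterate(anchors: List[Point], distances: List[float]) -> Point:
    """Least-squares position from three or more anchors.

    Subtracting the last anchor's circle equation from each of the others
    removes the quadratic terms and leaves a linear system in (x, y)."""
    if len(anchors) < 3:
        raise ValueError("need at least three sensors for triangulation")
    (xn, yn), dn = anchors[-1], distances[-1]
    rows = []
    for (xi, yi), di in zip(anchors[:-1], distances[:-1]):
        a = 2 * (xn - xi)
        b = 2 * (yn - yi)
        c = di ** 2 - dn ** 2 - xi ** 2 - yi ** 2 + xn ** 2 + yn ** 2
        rows.append((a, b, c))
    # Normal equations (A^T A) p = A^T c for the 2x2 case, solved by Cramer's rule.
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is not determined")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def locate(readings: Dict[str, float]) -> Point:
    """Estimate a transmitter's position from per-sensor RSSI readings (dBm)."""
    names = sorted(readings)
    anchors = [SENSORS[n] for n in names]
    distances = [rssi_to_distance(readings[n]) for n in names]
    return trilaterate(anchors, distances)


def zone_for(point: Point) -> Tuple[str, str]:
    """Map a position onto the floor plan; anything outside all zones is 'outside'."""
    x, y = point
    for name, x0, y0, x1, y1, priority in ZONES:
        if x0 <= x <= x1 and y0 <= y <= y1:
            return name, priority
    return "outside", "medium"   # probably a neighbour; still worth a look


# Constructed readings, rounded to whole dBm, for a transmitter placed at about (6 m, 4 m).
SAMPLE_READINGS = {"sensor-1": -66.0, "sensor-2": -75.0, "sensor-3": -73.0, "sensor-4": -78.0}

if __name__ == "__main__":
    pos = locate(SAMPLE_READINGS)
    print(f"estimated position: ({pos[0]:.1f}, {pos[1]:.1f}) m -> zone {zone_for(pos)}")
```

    With the readings rounded to whole dBm the estimate lands within about a metre of the true spot, which is the "approximate location" the text promises; indoor multipath and wall attenuation make real errors larger, which is why the text recommends a laptop sniffer for the final walk-up. The zone lookup is the floor-plan step: the same rogue is rated differently on the sales floor, in the back office, or outside the walls.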

    Development and Enforcement of Wireless Usage Policies

    The PCI DSS requires approved usage policies and procedures, including wireless device usage policies. Most importantly, organizations must understand how wireless technology is to be employed in their environment, how to deploy and secure it, and how they will handle incidents. The policy should state how employees may use the wireless devices authorized for them. For instance, employees receiving laptops must understand not only the proper use of the laptop -- protection, access, and storage -- but also their responsibilities for wireless networking in the organization.

    PCI DSS Requirement: Develop policies for use of vital employee-facing technologies (e-mail and Internet usage, personal data/digital assistants (PDAs), laptops, removable electronic media, wireless technologies, and remote-access technologies) in order to define appropriate usage of these technologies by both contractors and employees.

    Testing Procedure: Acquire and inspect the policy for employee-facing technologies.

    PCI compliance requires an organization's usage policies to mandate explicit management approval for the use of wireless networks in the cardholder data environment (CDE); unsanctioned wireless must be eliminated from the CDE. Usage policies must also require that wireless access be authenticated with user IDs and passwords or other authenticators such as tokens, a requirement supported by WPA Enterprise. Organizations that use pre-shared keys (PSKs) must rotate them whenever an employee with wireless access leaves the organization; in enterprise mode, access for individual users can instead be centrally enabled or disabled. For PCI compliance, the organization must also keep a list of approved products: if a wireless AP needs replacement, for example, substituting a non-sanctioned AP is not acceptable.

    PCI compliance requires that wireless sessions be automatically disconnected after a specified period of inactivity. For example, an unattended wireless POS terminal should automatically log out and disconnect from the CDE.

    PCI compliance prohibits storing, copying, or moving cardholder data to removable electronic media or local hard drives when cardholder data is accessed through wireless-access technologies. When a wireless POS is used, for example, cardholder data cannot be stored locally on that device; it must be encrypted and transmitted.

    Motorola WLAN Solution for PCI Compliance

    Motorola’s comprehensive selection of WLAN infrastructure products enables a virtually wireless enterprise, from large organizations with locations around the globe to small businesses and branch offices. Motorola’s Wireless Enterprise products offer security, resilience, and performance comparable to or better than a wired network.

    Motorola’s wireless LAN infrastructure is based on an upgradeable integrated platform that permits organizations to extend wireless networking cost-efficiently and easily from headquarters to distribution centers to retail stores. The WS2000 Wireless Switch is an easy-to-use network-in-a-box answer for remote sites and small enterprises; it includes Power-over-Ethernet (PoE), a firewall, a gateway, and an integrated router. The RFS7000 offers highly scalable, robust support for business mobility, including management features, quality of service, security, and enhanced roaming. Motorola’s RF Management Suite (RFMS), a powerful group of integrated applications, enables administrators to achieve end-to-end planning and management of wireless LANs, both before and after deployment. Motorola APs are all designed for enterprise-class wireless security: they support IEEE 802.11i (WPA and WPA2 certified) and 3DES IPsec encryption.

    Motorola Wireless IPS Solution

    The Motorola AirDefense Solution is built on a patented technology in which distributed smart IEEE 802.11 sensors report to a central server appliance. Remote sensors with dedicated radios are positioned in retail headquarters, distribution centers, and stores; on Motorola AP-5131 or AP-7131 dual-radio access points, one radio is dedicated to access and the other to monitoring. The sensors monitor all WLAN activity in their local airspace around the clock and maintain communications with the AirDefense server. The server analyzes and correlates the data to supply centralized, scalable management for operational support and security of the WLAN. Administrators access the system through management console software.

    AirDefense can recognize all WLAN devices, including APs, WLAN user stations, “soft APs” (stations functioning as APs), and specialty devices such as mobile terminals and wireless barcode scanners used in inventory or shipping operations. AirDefense can also detect rogue behavior such as peer-to-peer or ad hoc networking between user stations and accidental connections to friendly neighboring networks. AirDefense Enterprise accurately distinguishes neighboring devices from rogue devices that are connected to the retail network. In malls with many stores, many neighboring wireless devices are visible, so it is vital for a WIPS to distinguish neighboring devices from rogue devices accurately.

    Motorola AirDefense Solutions

    When so configured, AirDefense Enterprise can automatically terminate a rogue device over the air, and its switch port suppression feature can block the device on the wired side. To determine the exact location of the rogue device, AirDefense employs map-based location tracking using signal-strength triangulation; by intelligently sorting through many floor plans, the system lets IT administrators track and locate rogue devices in real time.

    Vulnerabilities in retail wireless have recently been exploited by hackers searching for valuable data such as cardholder numbers and personal customer information. Highly publicized data breaches have heightened the need for monitoring and intrusion prevention in wireless retail environments. Data breaches result in substantial costs, from business disruption and immediate fines to legal liabilities and long-term damage to brands. The payment card industry (PCI) now enforces robust new data security standards with much stricter audit procedures and wireless controls. Motorola provides ready-to-use PCI-compliant solutions for WLAN infrastructure. Additionally, the Motorola AirDefense Wireless IPS system can secure the retail airspace and assure the finest wireless security in the industry while attaining cost-effective compliance with PCI standards.

© 2017 OCR Canada Ltd. All rights reserved.