PCI Compliance: Wireless Analyzer that "Detects" rogue AP's on the LAN?

Question

We're trying to fulfill the PCI Compliance requirement for a Wireless Analyzer that detects the presence of rogue AP's on the internal LAN.

Questions:

• Are there a class of devices that will accomplish this requirement?
• How does such a device determine the difference between an AP that's nearby (say from a local coffee shop) and one that's actually getting it's internet/network access from a hard line on the corporate LAN (USB AP tethered off a workstation, AP plugged into a wall jack in an office, etc.)
• Our AP is a DLink DWL-3200AP, which has a "wireless analyzer" built into it, but it does not seem to be able to do much more than a wifi card will do, since it simply detects every single AP that's broadcasting it's SSID nearby, regardless of whether or not that AP is connected to our LAN

EDIT: We're in a windows environment...

Any help would be much appreciated...

Answer 1

You can fairly reliably map out the access points broadcasting around you with Kismet. Unfortunately, you'll probably need to physically investigate in order to determine the source.

Answer 2

No, it is unlikely that device will help.

This is a fairly heavyweight requirement. Fulfilling it involves a combination of techniques, such as physical inspection, network and computer automated/enforced policies, and tools/products such as a wireless ids/ips.

A couple of ids/ips examples:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/wireless_ips.html
http://www.bluesocket.com/media/Bluesecure_IDS.pdf

Reviewing the actual text of the requirement, this can be challenging because an "access point" may be a wireless card (which can function as an AP), a phone, or some other USB connected device.

One possible interpretation is an auditor could conceivably test this by connecting a USB device or phone to a pc, and see if they can get access to your network, and it that is detected and an appropriate response is generated. Some organizations may fail one or more of these tests, so there would need to be "compensating controls" to mitigate the risk.

PCI DSS Requirements
11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

Testing Procedures 11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

• WLAN cards inserted into system components
• Portable wireless devices connected to system components (for example, by USB, etc.)
• Wireless devices attached to a network port or network device

11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.

11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel.

11.1.e Verify the organizations incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.