Wireless Scanning obligations for merchants


MNott
02-25-2007, 04:04 PM
My understanding of PCI v1.1 section 11.1 for wireless scanning, is that scanning must be performed even if wireless technology is stated to not be used. This would be to detect rogue wireless devices, and validate if wireless is indeed used.

For a merchant with a large quantity of small retail outlets, does it need to scan all retail stores, or can it justifiably scan a sample of the stores to comply with the wireless scanning obligations?

lyalc
03-01-2007, 02:40 PM
From 11.1.b, "Verify that a wireless analyzer is used at least
quarterly to identify all wireless devices."

I can't see this being interpreted as not requiring all sites ("identify all wireless devices") to be covered.

Some wireless detection engines work by scanning for MAC addresses in the wired network. Such tools may reduce the need for site visits.

A quarterly cycle of wireless testing is expected. A set of weekly/monthly visits to different stores, perhaps as part of normal maintenance visits could also be employed, again minimising the need for specific site visits.

Can the work be delegated to staff who do visit stores regularly?

admin
03-01-2007, 03:41 PM
You can certainly delegate this task to staff who visit the stores regularly. The frequency is not defined so you should use your best judgment and monthly visits should be appropriate.


The problem with this requirement is that it is very difficult to implement due to (1) numerous distributed stores and (2) no specification on the frequency of the scanning.

If a retail merchant has 1,000 retail stores, how do they test this at every store? I advise that companies scan for wireless devices from the 'wire'. This means scanning the known internal IP address range with a tool to fingerprint the TCP/IP stack (i.e. nmap or hping) and report on the OS identified. If you see something like "Cisco Aironet" or "Linksys" then you have a wireless access point.

raesene
03-12-2007, 11:23 AM
If a retail merchant has 1,000 retail stores, how do they test this at every store? I advise that companies scan for wireless devices from the 'wire'. This means scanning the known internal IP address range with a tool to fingerprint the TCP/IP stack (i.e. nmap or hping) and report on the OS identified. If you see something like "Cisco Aironet" or "Linksys" then you have a wireless access point.

Of course there's a couple of challenges there. That method won't detect ad-hoc networks formed by user client devices, and it'll also miss user software like HostAP on Linux systems.

admin
03-17-2007, 12:12 AM
You can prevent ad-hoc networks by disabling wireless through the GPO or service level access restrictions. This should also eliminate the usage of programs such as HostAP, etc.

adam.muntner
03-17-2007, 06:54 AM
From 11.1.b, "Verify that a wireless analyzer is used at least
quarterly to identify all wireless devices."

I(snip)
Some wireless detection engines work by scanning for MAC addresses in the wired network. Such tools may reduce the need for site visits.

Let's say the attacker is using a Linux platform - not at all uncommon - and has successfully associated with the network.

They could have forged their MAC to be in the vendor OID range used by the location. They could also use a loadable kernel module to change the "personality" of their kernel in response to tcp/ip fingerprint attempts, and look for all intents and purposes just like a Symbol hand scanner.

Many retail locations I've examined don't even have a lock on the room where the wire closet is. Taking over an AP is as easy as a null modem cable, reboot, and key sequence, and it's yours. How do you know the AP ruleset is still trusted?

Of course then you have physical access to the switch, too. A bad guy could easily leave behind a Linux system with a wireless card in, MAC changed, kernel personality, plugged in. When a tech shows up to fix something else that's broken, do you think he's going to pay attention to the extra box in the corner? Or notice the funny antenna on the back? Not likely.

How about a Windows PC with 2 ethernet cards, packet forwarding enabled, but a firewall policy set to not allow traffic from the network to the 2nd interface on the PC, but traffic from the 2nd interface (with the AP hanging off it) is allowed into the network?

Having done a lot of retail testing in the past, I can tell you that many retail chains allow a scary amount of traffic from the stores to the corporate core.

The only reliable way to find rogue AP is to wirelessly scan for them.

Doing remote asset identification isn't a bad idea to keep track of asset inventory etc and look for unauthorized systems, but it's not the total solution especially when it comes to wireless.

Patrick
03-19-2007, 03:29 AM
Forgive my probable naivety as I'm no expert, but scanning seems an unreasonable requirement for retailers in terms of cost and effort.

I think the standard would be better off assuming network access has been achieved and then go about protecting the card holders' data. After all, a criminal would only need a few hours' access to get a huge amount of data, and periodic scanning isn't going to stop that from happening; and if card holder data is secure from a malicious employee, then it should also be secure from a hacker with access to the network.

Just a thought

mdahn
03-19-2007, 07:00 AM
Remember that the requirement 11.2 says, "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network..."

The external network scans must be completed by an Approved Scan Vendor (ASV), but the internal network scans can be done by the company themselves. The external network scans would not address each retail store unless they are all directly connected to the Internet.

The cost should not be hard. I'm sure people here can recommend several low-cost & high-quality scanning vendors.

jbhall56
03-22-2007, 06:17 AM
Detecting wireless from the wire is haphazard at best. Most attackers know that this is one of the ways they will be detected and configure their rogue APs so that a WEP/WPA key is required, SNMP is properly secured and the device does not respond to pings.

Disabling wireless via GPO is another problem as you are focusing on portable devices that have wireless for a reason. Think senior executives and other management that travel to all of the remote locations and need access through the hotel's wireless to get their email. What about all of those store inventory management systems that were installed to increase productivity?

I've looked at a number of commercial solutions and they all have the same issues. They use a variety of techniques to detect rogues, but their techniques appear to be defeatable. The attackers also know this and configure their rogues accordingly.

Architecting the network to not trust the wireless segment also does not ensure security. If someone is attaching a rogue AP, they will likely plug it into a port that is not on the wireless segment, thus defeating this approach.

At the moment, I don't think there are any good answers to this situation short of periodic physical scans of all locations for APs.

mdahn
03-24-2007, 09:27 PM
A skilled attacker will almost always evade detection. The goal of this requirement was not to detect stealth-attack APs, as those can rarely be determined, but to reduce the number of employee installed APs.

Of course, if you wanted a method to find all rogue APs you could just dump the ARP tables on all routers/switches and identify the MAC or IP addresses in use. This would enable you to tell what is yours and what is not.
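
Both lyalc's note above about tools that "scan for MAC addresses in the wired network" and mdahn's suggestion to dump the ARP/MAC tables and "tell what is yours and what is not" amount to an inventory diff. The following is an added example of that diff, not code from any poster or tool named in the thread: it parses a constructed switch MAC-table dump, flags every address that is not in an authorized-asset list, and annotates hits whose OUI prefix is on a watchlist of access-point vendors. The inventory, the dump and the OUI prefixes are all invented placeholders (the OUIs are not real IEEE assignments). As adam.muntner and jbhall56 point out, a MAC can be forged, so a clean result here only narrows where a physical walkthrough should look; it does not prove the absence of a rogue AP.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample switch MAC-table dump.  The layout mimics a typical
# "show mac address-table" listing, but every value here is invented.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    0011.2233.4466    DYNAMIC     Gi1/0/4
  10    aabb.ccdd.0001    DYNAMIC     Gi1/0/9
  20    0022.3344.0002    STATIC      Gi1/0/12
"""

# Constructed asset inventory: authorized MAC -> description.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:33:44:55": "POS terminal, store 0042",
    "00:11:22:33:44:66": "back-office PC, store 0042",
}

# Constructed OUI watchlist (first three octets -> vendor hint).  These are
# placeholder prefixes, NOT real IEEE OUI assignments; a real deployment
# would load the IEEE registry entries for the AP vendors it cares about.
AP_OUI_HINTS: Dict[str, str] = {
    "aa:bb:cc": "ExampleWiFi consumer access point (placeholder OUI)",
}


class Finding(NamedTuple):
    vlan: int
    port: str
    mac: str
    reason: str


# One data row: VLAN, dotted-hex MAC, type, port.  Header/separator lines
# do not start with a VLAN number and are skipped.
_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(\S+)", re.I
)


def normalize_mac(dotted: str) -> str:
    """Convert 'aabb.ccdd.eeff' to lower-case 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = dotted.replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {dotted!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> List[Tuple[int, str, str]]:
    """Return (vlan, normalized_mac, port) for each data row in the dump."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return rows


def audit(text: str, authorized: Dict[str, str],
          oui_hints: Dict[str, str]) -> List[Finding]:
    """Flag every learned MAC that is not in the asset inventory.

    A hit is a lead for a physical check of that switch port, not proof of
    a rogue AP: the thread notes that MACs can be forged.
    """
    findings: List[Finding] = []
    for vlan, mac, port in parse_mac_table(text):
        if mac in authorized:
            continue
        reason = "MAC not in asset inventory"
        oui = mac[:8]  # "aa:bb:cc"
        if oui in oui_hints:
            reason += f"; OUI matches {oui_hints[oui]}"
        findings.append(Finding(vlan, port, mac, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MAC_TABLE, AUTHORIZED, AP_OUI_HINTS):
        print(f"VLAN {f.vlan} port {f.port} {f.mac}: {f.reason}")
```

Run against a real dump, the output is a short list of switch ports to walk to during the next site visit; keeping the authorized list in a shared inventory lets staff who already visit stores regularly, as lyalc suggests, close findings without a dedicated trip.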

El_Luke
03-10-2009, 12:53 PM
Michael,

I tend to agree with the last post of yours, in that the goal of this requirement was not to detect stealth-attack APs, as those can rarely be determined, but to reduce the number of employee installed APs. However, I see it conflicting with the Aegenis wireless whitepaper at http://www.aegenis.com/UserFiles/File/Reports%20and%20Papers/PCI%20DSS%20Wireless%20Security%20FAQ.pdf. In that, it says:
"To comply with PCI DSS 11.1, can I use a wired network scanning tool instead of a wireless analyzer?
No. To comply with 11.1, a company must mitigate the risk of unauthorized or rogue wireless devices. This is most often achieved by the use of a wireless analyzer. Scanning the wired network for wireless devices may identify some unauthorized wireless devices but may not identify other important wireless attack vectors. The first omission of wired network scanning is that it may miss cleverly hidden and disguised rogue wireless devices that are connected to isolated network segments. Another omission of wired scanning is that it cannot detect rogue wireless clients. A rogue wireless client is any device that has a wireless interface that is not intended to be present in the environment. Although insufficient on their own, wired analysis tools can be very valuable when used in conjunction with wireless analyzers to improve the quality of the scan results. "

I think every competent security pro would agree that wired scanning for rogue wireless devices could easily be tricked by a skilled attacker. So, scanning from the wire is not the most effective method for the best SECURITY. But is it good enough for PCI compliance?

I could agree with adding a customer requirement that they do OCCASIONAL on-site wireless walkthroughs and visual inspections, but not at the defined quarterly level. For extremely large retailers, the quarterly wireless walkthrough OR a WIPS is very unreasonable. Imagine any customer with anything more than 100+ sites trying to do those things. They either have someone visiting one of those sites almost EVERY DAY to do wireless walkthroughs OR they invest in expensive wireless IPS devices to the tune of potentially millions of dollars just for this one requirement. Anything involving examining switch MAC tables is also unreasonable for large organizations as well.

Basically, I would have to disagree with the Aegenis Wireless response that wired scanning is not acceptable simply because the alternative is extremely unreasonable for large organizations with lots of sites.

I think that if such an organization used a wired scanner quarterly, perhaps in conjunction with having IT staff who might visit the site occasionally perform wireless walkthroughs (not quarterly, but as part of whenever they happen to visit that site - again, quarterly onsite becomes ridiculous upwards of 100 sites), that would be sufficient to meet the intent of the req, which as you said, was to prevent the employee-plugging-in-a-wap scenario.

Do you disagree?

jbhall56
03-10-2009, 07:45 PM
As El_Luke points out, wireless is a problem.

However, I think your proposed solution for large merchants is workable and could be easily justified as a compensating control given the incredible number of facilities a large retailer might have.

Regardless of PCI compliance, the more I work with wireless the more I'm convinced that the best approach is to isolate it from any internal network and treat it as we treat the Internet, useful but not trustworthy. Therefore, you require users that desire access to internal resources to gain access to those internal resources through a secure VPN connection or other secure methods. That way you get the benefits of wireless without the risk.

For those that want to use wireless for PCI purposes, such as the garden shop out in the parking lot for example: make sure that you use wireless bridging and that you not only make the wireless secure with WPA or WPA2, but then use a secure VPN tunnel over the wireless connection just to be sure.