Wireless IDS comparison report

  • Wireless IDS comparison report

    Has anyone done a wireless IDS comparison? If so, what did you use?

  • #2
    Originally posted by cindy
    Has anyone done a wireless IDS comparison? If so, what did you use?
    snort.

    As it happens, I have quite a bit of experience with Cisco's CIDS as well. Nice interface, good integration with Ciscoworks, etc. but notably sub-par in terms of accuracy of detection - at least, that's my opinion based on informal comparison.

    FWIW, there's no real difference between IDS for a wired and wireless ethernet network. If you're talking about access control mechanisms to prevent unwanted / unauthorised users from accessing your wireless, that's a whole different ball of wax.



    • #3
      Yeah, I'm looking more on the commercial side. The three that most appeal to me so far are Newbury Networks, Aruba and Trapeze. I particularly like Newbury's virtual physical perimeter. But I think I'm leaning towards Aruba.

      The problem with the CISCO solution is that they use an AP and periodically turn it into a scanner, therefore your IDS is not online 100% of the time, and users get disassociated.



      • #4
        Originally posted by cindy
        Yeah, I'm looking more on the commercial side. The three that most appeal to me so far are Newbury Networks, Aruba and Trapeze. I particularly like Newbury's virtual physical perimeter. But I think I'm leaning towards Aruba.
        WRT the manufacturers listed above, which products are you looking at specifically?

        I think you may have missed my point a bit when I mentioned that IDS for wireless networks is not really different to IDS for wired networks. In both cases, you're just trying to sniff the traffic as it crosses your network for potential malicious content.

        What would make sense in this context would be to have a properly-engineered network with the wireless on its own VLANs and controls on the traffic passing from those VLANs onto the wired networks. This would mean that you could run a single NIDS for both the wired and wireless sides, cutting down on deployment, support, and other headaches associated with disparate networking architectures.

        Also, make sure that you're using IDS and IPS in the correct sense here - I notice from a quick browse of those manufacturers' sites that they have both products available, and one is not necessarily the same as the other (though there are areas where their functionality overlaps).

        The problem with the CISCO solution is that they use an AP and periodically turn it into a scanner, therefore your IDS is not online 100% of the time, and users get disassociated.
        I'm not sure where you've heard this, but in our deployment (approximately 300 Aironet APs), I'm not aware of this being the case.

        Having said that, if you're just dropping your wireless straight onto the existing wired segments without any network-level controls on the traffic you've got potentially greater issues to tackle than what flavour of IDS you go with.



        • #5
          Skroo,

          Be careful with VLANs - for a test, we set up a scenario with VLANs and found that they were proven not to be secure. VLANs CAN be broken and a malicious user could end up on your wired network. Hence, our policy for wireless is: totally wired separately. Yes, when I saw it done, it was a jaw dropper.



          • #6
            Originally posted by cindy
            Has anyone done a wireless IDS comparison? If so, what did you use?

            I was actually at a wireless security conference recently in DC where both AirDefense and AirMagnet were doing their 'let's sniff the network and talk about how foolish everyone is in our marketing propaganda' deal. I'm sure you've seen their press releases after big conferences.

            Well... one of the vendors was hawking their WLAN wares and had a WLAN setup. I set myself up as a man in the middle (with the vendor's permission) and intercepted a lot of traffic intended for them. No big deal there, easy to do... now the scary part...

            Neither AirDefense nor AirMagnet was able to pick up my activity. I went so far as to tell them what I was doing and gave them my (spoofed) MAC and they were able to identify that I was actively accepting connections, but they were not able to ID me as a malicious MITM. Very disheartening.

            I offered my services (for free) to both WLAN IDS vendors to help them develop appropriate signatures, but neither has contacted me (although both said they would). Maybe they developed their own signatures without help, I don't know. This was about 2-3 months ago.
            perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



            • #7
              Originally posted by Chris
              I was actually at a wireless security conference recently in DC where both AirDefense and AirMagnet were doing their 'let's sniff the network and talk about how foolish everyone is in our marketing propaganda' deal. I'm sure you've seen their press releases after big conferences.

              Well... one of the vendors was hawking their WLAN wares and had a WLAN setup. I set myself up as a man in the middle (with the vendor's permission) and intercepted a lot of traffic intended for them. No big deal there, easy to do... now the scary part...

              Neither AirDefense nor AirMagnet was able to pick up my activity. I went so far as to tell them what I was doing and gave them my (spoofed) MAC and they were able to identify that I was actively accepting connections, but they were not able to ID me as a malicious MITM. Very disheartening.

              I offered my services (for free) to both WLAN IDS vendors to help them develop appropriate signatures, but neither has contacted me (although both said they would). Maybe they developed their own signatures without help, I don't know. This was about 2-3 months ago.
              I was able to test out an AirDefense setup in our lab for a few months and my impression was that it offered very little functionality over that of Kismet, except in the report writing and pretty interface areas. I don't think that any kind of passive MITM attack would trip the sensor, unless it detected you as an unauthorized AP, which it could do.
              Aut disce aut discede



              • #8
                Originally posted by cindy
                Be careful with VLANs - for a test, we set up a scenario with VLANs and found that they were proven not to be secure. VLANs CAN be broken and a malicious user could end up on your wired network.
                Correct, it is absolutely possible - given a skilled attacker and the right scenario to make it happen. I do agree, though. Having said that, my experience has been that most places doing a wireless deployment have a tendency to want to place the APs on the same physical segment as the wired devices (usually out of DHCP concerns - or, at least, that's the excuse they give). VLANs are at least a major improvement over this, which is largely what I meant by 'proper network design'.

                Hence, our policy for wireless is: totally wired separately. Yes, when I saw it done, it was a jaw dropper.
                Okay, it would have been helpful to know this in the first place. Still, though, a single NIDS can handle both physical wired and wireless segments in this scenario - just use multiple interfaces on the same sensor. If it's a good enough IDS, it'll even let you define each interface as a separate detecting node, so if you're exporting events back to a database (for example), it'll be easier to distinguish between events on the wired network and events on the wireless network.

                But getting back to my original question (and hopefully rather more on-track again)... Which products were you evaluating? Without knowing that it's hard to give any really helpful answer.


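The single-sensor layout from post #8 (one interface per segment, each its own detecting node) combined with the wireless-to-wired traffic controls post #4 asks for, as an added example that is not from the thread or from any vendor mentioned in it. It parses Snort alert_fast-style lines logged per interface, tags each alert with its segment, and flags alerts whose traffic crosses from the wireless VLAN into the wired address range; interface names, subnets and the alert lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout: one sensor, each interface is its own detecting node with its own log.
INTERFACE_SEGMENT = {"eth1": "wired", "eth2": "wireless"}
WIRELESS_NET = ipaddress.ip_network("10.50.0.0/16")  # constructed wireless VLAN range
WIRED_NET = ipaddress.ip_network("10.10.0.0/16")     # constructed wired range

# Snort alert_fast layout: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts, keyed by the interface they were logged from.
SAMPLE_LOGS = {
    "eth1": ["03/14-10:01:02.123456  [**] [1:2000001:1] TEST wired scan [**] [Priority: 2] {TCP} 10.10.4.7:44321 -> 10.10.9.2:445"],
    "eth2": [
        "03/14-10:02:11.000001  [**] [1:2000002:1] TEST wireless to wired [**] [Priority: 1] {TCP} 10.50.3.9:51000 -> 10.10.9.2:22",
        "03/14-10:02:30.500000  [**] [1:2000003:1] TEST wireless internal [**] [Priority: 3] {ICMP} 10.50.3.9 -> 10.50.3.1",
        "garbage line that is not an alert",
    ],
}

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def classify(alert, interface):
    """Tag the alert with its segment and whether it crosses wireless -> wired."""
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    alert["segment"] = INTERFACE_SEGMENT.get(interface, "unknown")
    alert["wireless_to_wired"] = src in WIRELESS_NET and dst in WIRED_NET
    return alert

def summarize(logs):
    """Return (alert count per segment, list of wireless -> wired alerts)."""
    per_segment, crossing = Counter(), []
    for iface, lines in logs.items():
        for alert in filter(None, map(parse_alert, lines)):
            classify(alert, iface)
            per_segment[alert["segment"]] += 1
            if alert["wireless_to_wired"]:
                crossing.append(alert)
    return per_segment, crossing

if __name__ == "__main__":
    counts, crossing = summarize(SAMPLE_LOGS)
    print(dict(counts), [a["sid"] for a in crossing])
```

Keying the per-interface logs by segment is the part that lets the wired and wireless event streams stay distinguishable once they land in one database.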