Audit Logging
No matter how strong your security mechanisms are, if you are not logging and monitoring your logs, you are vulnerable to unforeseen attacks. Diligent logging and monitoring gives you the ability to react to attacks in real time, protecting yourself and your resources.
arpwatch
Due to the lack of physical security in a wireless network, low-level attacks are of a much greater concern than they would be on a wired network. ARP poisoning, as discussed in Chapter 2, allows a malicious host to act as a man in the middle for machines on the network. The static ARP settings discussed earlier in this chapter are one way to protect yourself from ARP-based problems.
However, being able to detect ARP issues on the network gives you a window into the overall security of the network. If someone on the network is attempting ARP spoofing attacks, it is safe to assume your packets are being sniffed and your data is at risk. A program called arpwatch will watch the network for you and report any unusual activity. In order to use arpwatch, the program must have access to raw frames being sent across the wire. This requires CONFIG_PACKET support in your kernel.
For a complete discussion of arpwatch and how to configure it, see Section 4.1.6.1.
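The idea behind this kind of monitoring can be shown with a small added example, which is not code from the book or from arpwatch itself. It tracks which hardware address each IP address was last seen with and reports new bindings, changed bindings, and an IP that alternates between two hardware addresses. The observations are constructed sample data, and the function and event names are this example's own.

```python
# Added example: passive IP-to-MAC binding monitor (not arpwatch's own code).
from dataclasses import dataclass, field

# Constructed sample observations: (timestamp, ip, mac) as seen in ARP replies.
SAMPLE_OBSERVATIONS = [
    (100, "192.168.1.1", "00:11:22:33:44:55"),   # gateway first seen
    (101, "192.168.1.20", "0:AA:bb:cc:dd:1"),    # client first seen, short form
    (130, "192.168.1.1", "00:11:22:33:44:55"),   # unchanged, no event
    (160, "192.168.1.1", "00:de:ad:be:ef:99"),   # gateway MAC changes
    (161, "192.168.1.1", "00:11:22:33:44:55"),   # flips back: two hosts claim it
    (162, "192.168.1.1", "00:de:ad:be:ef:99"),   # and flips again
]

def normalize_mac(mac):
    """Canonicalize a MAC so 0:1a:2B and 00:1A:2b compare equal."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) not in (1, 2) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

@dataclass
class BindingMonitor:
    current: dict = field(default_factory=dict)   # ip -> mac seen most recently
    previous: dict = field(default_factory=dict)  # ip -> mac before last change

    def observe(self, ts, ip, mac):
        """Record one sighting; return an event tuple, or None if unchanged."""
        mac = normalize_mac(mac)
        known = self.current.get(ip)
        if known == mac:
            return None
        if known is None:
            kind = "new"
        elif self.previous.get(ip) == mac:
            kind = "flip_flop"   # ip alternates between two MACs
        else:
            kind = "changed"
        self.previous[ip], self.current[ip] = known, mac
        return (ts, kind, ip, known, mac)

def detect(observations):
    """Run all observations through one monitor and collect the events."""
    monitor = BindingMonitor()
    events = (monitor.observe(*obs) for obs in observations)
    return [e for e in events if e is not None]

if __name__ == "__main__":
    for event in detect(SAMPLE_OBSERVATIONS):
        print(event)
```

A "changed" or "flip_flop" event for the gateway address is the one to alert on first, since that binding is what a man in the middle needs to take over.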
syslog
syslog is a common audit facility that any application on a host can use. Many standard applications as well as the kernel send very useful information to syslog. Being able to direct syslog data to a desired location and monitor ...