Wireless Intrusion Detection Systems

Namratha Vemuri, Balasubramanian Kandaswamy


TRANSCRIPT

Page 1: Title

WIRELESS INTRUSION DETECTION SYSTEMS

Namratha Vemuri

Balasubramanian Kandaswamy

Page 2: Outline

THREATS
VICTIMS
IDS
TYPES OF IDS
ARCHITECTURE
IMPLEMENTATION
TOOLS USED
ADMINISTRATION

Page 3: Threats

THREATS

Reconnaissance, theft of identity and denial of service (DoS)

Signal range of an authorized AP
Physical security of an authorized AP
Rogue or unauthorized AP
Easy installation of an AP
Poorly configured AP
Protocol weakness and capacity limits on an AP

Page 4:
Page 5: Victims

What are attacked?

Corporate network and servers: attempted penetration through the official access points (target 1) into the corporate network.

DoS attacks, as most of them are TCP/IP based.

Wireless clients: the access point behaves as a hub, connecting the authorized wireless clients directly to the bad guys. Inevitably this exposes a connecting PC to a huge array of IP-based attacks.

Page 6: Unauthorized access points

Unauthorized access point: unofficial access points installed by user departments (target 4) represent a huge risk, as their security configuration is often questionable.

Bogus access points (target 5) represent a different threat, as these can be used to hijack sessions at the data link layer and steal valuable information.

o Target 3 – the legitimate access point

Page 7: What we need to know

To protect our network, we need to know:

where all access points reside on our network

what actions to take to close down any unauthorized access points that do not conform to the company security standards

what wireless users are connected to our network

what unencrypted data is being accessed and exchanged by those users

Page 8: What is an IDS?

What is an IDS? An IDS is not a firewall.

An IDS watches the network from the inside and reports or raises an alarm.

The IDS monitors APs, compares the security controls defined on each AP with the predefined company security standards, then resets or closes down any non-conforming APs it finds.

The IDS identifies and alerts on unauthorized MAC addresses, and tracks down hackers.

Page 9: Tools

Intrusion detection systems are designed and built to monitor and report on network activities, or packets, between communicating devices.

Many commercial and open source tools are used:

TOOLS capture and store the WLAN traffic, analyse that traffic and create reports, and analyse signal strength and transmission speed.

Page 10: ID system activities

ID SYSTEM ACTIVITIES

Page 11: Infrastructure

INFRASTRUCTURE

Page 12: Architecture

ARCHITECTURE

Page 13: The sensor

IDS: a sensor (an analysis engine) that is responsible for detecting intrusions (it contains the decision-making mechanism).

The sensor receives messages from its own IDS knowledge base, syslog and audit trails.

Syslog may include, for example, the configuration of the file system, user authorizations, etc. This information creates the basis for the further decision-making process.

Page 14: Types of IDS

TYPES OF IDS

Misuse or anomaly IDS

Network-based or host-based IDS

Passive or reactive IDS

Page 15: Architecture

ARCHITECTURE

CENTRALIZED: a combination of individual sensors which collect and forward 802.11 data to a centralized management system.

DISTRIBUTED: one or more devices that each perform both the data gathering and the processing/reporting functions of the IDS.

Page 16: Distributed architecture

Distributed is best suited for smaller WLANs due to cost and management issues:

Cost of many sensors with data processing

Management of multiple processing/reporting sensors

Page 17: Centralized architecture

In a centralized architecture it is easy to maintain only one IDS, where all the data is analyzed and formatted.

Single point of failure

Adds 'additional' network traffic running concurrently, with an impact on network performance

Page 18: Implementation of IDS

IMPLEMENTATION OF IDS

Comprises a mixture of hardware and software called intrusion detection sensors.

Located on the network and examines traffic.

Where should the sensors be placed? How many do we need?

Page 19: Policy enforcement

Not just to detect attackers.

Helps to enforce policies: policies for encryption. Can report if an unencrypted packet is detected.

With proper enforcement WEP can be achieved (next slide).

Page 20: Why do we need these?

Why do we need these? To achieve WEP.

What's WEP? Wired Equivalent Privacy.

Why do we need it?

Page 21: People responsible

People responsible

IDS security analysts who can interpret the alerts (passive IDS)

IDS software programmers

IDS database administrators (misuse or anomaly IDS)

Page 22: Open source tools

A couple of open source IDS:

KISMET, 802.11 a/b/g network sniffer

NETSTUMBLER

Page 23: Kismet

Kismet: 802.11a/b/g network sniffer. Passively collects network traffic (listens), detects the standard named networks and also detects hidden (non-beaconing) networks.

Analyzes the data traffic and builds a 'picture' of data movement.

Page 24:
Page 25: NetStumbler

NetStumbler: sends 802.11 probes.

Actively scans by sending out a request every second and reporting the responses.

APs by default respond to these probes. Used for wardriving or wilding.

Page 26:
Page 27: Administration

Who manages and administers WIDS?

Large organization (Network Operations group): AirMagnet Distributed 4.0, AirDefense Enterprise v4.1, Red-M

Small and medium organization: Managed Security Service Provider (MSSP)

Page 28: AirMagnet Distributed

AirMagnet Distributed: sensors report network performance information.

Alerts the management server.

AirMagnet Reporter generates reports, from threat summaries to per-channel RF signal strength.

Ex: using the 'Find' tool, we can manually and physically track down the location of the rogue user.

Page 29:
Page 30: AirDefense

AirDefense

The AirDefense system consists of a server running Red Hat Linux with distributed wireless AP sensors and a Java-based Web console.

The AirDefense Web console and AP sensors communicate with the server on a secure channel.

Page 31:
Page 32: Red-M

Red-M includes Red-Alert and Red-Vision.

Red-Alert is a standalone wireless probe which can detect unauthorized Bluetooth devices as well as 802.11a/b/g networks.

Red-Vision is a modular set of products consisting of three main components: Red-Vision Server, Red-Vision Laptop Client and Red-Vision Viewer.

Page 33: Red-Vision (cont.)

Red-Vision (cont.)

Red-Vision Server (Heart)
Red-Vision Laptop Client (Ear)
Red-Vision Viewer (Brain)

Page 34: Wireless IDS drawbacks

Wireless IDS drawbacks

Cost: cost grows in conjunction with the size of the LAN.

New emerging technology, and hence may contain many bugs and vulnerabilities.

A wireless IDS is only as effective as the individuals who analyze and respond to the data gathered by the system.

Page 35: Conclusion

Conclusion

Wireless intrusion detection systems are an important addition to the security of wireless local area networks. While there are drawbacks to implementing a wireless IDS, the benefits will most likely prove to outweigh the downsides.

Page 36: Questions

QUESTIONS

What is policy enforcement? A policy is stated by the IDS (ex: all wireless communications must be encrypted), and the IDS uses it to detect the attack.

What type of IDS is AirDefense Guard? It is misuse or signature-based anomaly detection.

What are 'dumb' probes? They collect all the network traffic and send it to a central server for analysis.
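As an added example that is not part of the slides, the checks the deck describes (page 8: non-conforming APs and unauthorized MAC addresses; pages 19 and 36: the "all wireless communications must be encrypted" policy; page 25: probe-request scanning by tools such as NetStumbler) can be written as detection rules over decoded 802.11 frame summaries. The MAC addresses, SSID, frame records and probe threshold below are constructed, hypothetical values.

```python
from collections import Counter

# Constructed inventory of authorized infrastructure (hypothetical values).
AUTHORIZED_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSID = "corp-wlan"
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
PROBE_RATE_THRESHOLD = 5  # probe requests from one source in the sample

# Constructed decoded-frame summaries, not real captures. "protected" is the
# Privacy capability bit for beacons and the Protected Frame bit for data.
FRAMES = [
    {"type": "beacon", "src": "00:11:22:33:44:01", "ssid": "corp-wlan", "protected": True},
    {"type": "beacon", "src": "66:77:88:99:aa:bb", "ssid": "corp-wlan", "protected": False},
    {"type": "data", "src": "aa:bb:cc:00:00:01", "bssid": "00:11:22:33:44:01", "protected": True},
    {"type": "data", "src": "aa:bb:cc:00:00:02", "bssid": "00:11:22:33:44:02", "protected": False},
    {"type": "data", "src": "de:ad:be:ef:00:01", "bssid": "00:11:22:33:44:01", "protected": True},
] + [{"type": "probe_req", "src": "de:ad:be:ef:00:02", "ssid": ""} for _ in range(6)]

def analyze(frames):
    """Apply the slide deck's policies to frame summaries; return (rule, detail) alerts."""
    alerts = []
    probes = Counter()
    for f in frames:
        if f["type"] == "beacon":
            if f["src"] not in AUTHORIZED_APS:
                # Rogue or bogus AP; an AP copying the corporate SSID is flagged separately.
                rule = "rogue_ap_spoofing_ssid" if f["ssid"] == CORPORATE_SSID else "rogue_ap"
                alerts.append((rule, f"{f['src']} advertising {f['ssid']!r}"))
            elif not f["protected"]:
                # Authorized AP whose controls no longer match the encryption standard.
                alerts.append(("ap_nonconforming", f"{f['src']} beacons without privacy bit"))
        elif f["type"] == "data":
            if not f["protected"]:
                # Encryption policy: all wireless communications must be encrypted.
                alerts.append(("unencrypted_data", f"{f['src']} -> {f['bssid']}"))
            if f["bssid"] in AUTHORIZED_APS and f["src"] not in AUTHORIZED_CLIENTS:
                # Unknown MAC address associated with a corporate AP.
                alerts.append(("unauthorized_client", f"{f['src']} on {f['bssid']}"))
        elif f["type"] == "probe_req":
            probes[f["src"]] += 1
    # NetStumbler-style active scanners emit probe requests at a steady rate.
    for src, n in probes.items():
        if n >= PROBE_RATE_THRESHOLD:
            alerts.append(("active_scanner", f"{src} sent {n} probe requests"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(FRAMES):
        print(f"ALERT {rule}: {detail}")
```

In a real deployment the frame summaries would come from a passive sensor such as Kismet, and the analyst staffing described on page 21 decides how each alert class is triaged.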

Page 37: References

REFERENCES

http://www.telecomweb.com/readingroom/Wireless_Intrusion_Detection.pdf

http://www.giac.org/certified_professionals/practicals/gsec/4210.php

http://www.sans.org/rr/whitepapers/wireless/1543.php

http://www-loud-fat-bloke.co.uk/articles/widz-design.pdf

Page 38: Questions?

QUESTIONS?

Page 39: Thank you

THANK YOU