Enterprise Wireless LAN (WLAN) Management and Services

Enhancing the Security of Corporate
Wi-Fi Networks Using DAIR
Paramvir Bahl, Ranveer Chandra, Jitendra Padhye,
Lenin Ravindranath, Manpreet Singh**, Alec Wolman,
Brian Zill
Microsoft Research
**Cornell University
Motivation
• Corporations becoming increasingly dependent on WLAN
infrastructure
– Worldwide enterprise WLAN business expected to grow from $1.1
billion this year to $3.5 billion in 2009
• Wi-Fi networks are vulnerable to many threats
– Rogue AP, Denial of Service, Phishing …
– DefCon 2005 : Wi-Fi Pistol, Wi-Fi Sniper Rifle, Wi-Fi Bouncing,
AirSnarf box
Example : Rogue AP
• Careless employee brings AP from home and plugs it into
corporate Ethernet
• Bypasses corporate Wi-Fi security measures
– For example: WPA, 802.1X
• Permits unauthorized users to connect to corporate network
– Malicious user outside the building?
• Widespread Problem
– Ongoing concern for MS IT department
– Surveyed two major US universities, found multiple rogue APs
Need for WiFi Monitoring Systems
• Preventive measures such as 802.1X do not
guarantee full security
• In addition, need WiFi monitoring system to detect
problems in operational WiFi networks
– Detect Rogue AP by overhearing packets containing
unknown BSSID
Challenges in Building an Enterprise-scale
WiFi Monitoring System
• Scale of WLAN
– Microsoft’s WLAN has over 5000 APs
• Need to deploy many monitors
– Rapid fading of signal in indoor environment
– Multiple orthogonal channels
– May need observations from multiple vantage points
   ▪ Pinpoint location of rogue AP
Example Scenario
[Figure: floor plan with monitors (marked X), stairwells (UP/DN, EL 32) and a rogue AP and client; beside it, a plot of % Received (0 to 100) vs. Time (Minutes), 0 to 300, for the monitors]
Demonstrates need for dense deployment of monitors
State of the Art
• AP-based monitoring
[Aruba, AirDefense ..]
– Pros: Easy to deploy (APs are under central control)
– Cons: Single radio APs can not be effective monitors
• Specialized sensor boxes [Aruba, AirTight, …]
– Pros: Can provide detailed signal-level analysis
– Cons: Expensive, so can not deploy densely
• Monitoring by mobile clients [Adya et al., MobiCom’04]
– Pros: Inexpensive, suitable for un-managed environments
– Cons:
   ▪ Coverage not predictable: mobile, battery-powered clients
   ▪ Only monitor the channel they are connected on
Observation
• Desktop PCs with good wired connectivity are
ubiquitous in enterprises
+
• Outfitting a desktop PC with 802.11 wireless is
inexpensive
– Wireless USB dongles are cheap
   ▪ As low as $6.99 at online retailers
– PC motherboards are starting to appear with built-in 802.11
radios
Combine to create a dense deployment of
wireless sensors
DAIR: Dense Array of Inexpensive Radios
DAIR Architecture
[Figure: DAIR architecture. AirMonitors and a Land Monitor (1 per subnet) report over the wired network into a Database; the Inference Engine works on the Database together with other data such as SNMP and configuration]
Monitor Architecture
[Figure: Monitor architecture. The wireless NIC driver and wired NIC driver feed a Driver Interface; a Filter Processor runs a set of filters over the packets; every 30 seconds the SQL Helper submits the list of all unique BSSIDs seen on a given channel to the Database]
Key Characteristics of DAIR
• High sensor density at low cost
– Leverages existing desktop resources
– Effective monitoring in indoor environments
– Can tolerate loss of a few sensors
• Sensors are (mostly) stationary
– Provides predictable coverage
– Permits meaningful historical analysis
Applications of the DAIR Platform
Security applications
– Detecting attacks on Wi-Fi networks
– Responding to such attacks
Performance management
– Monitor RF coverage
– Load balancing
Location service to support above applications
A Partial List of Threats to Wi-Fi Networks
• Rogue AP / Rogue Wireless Networks
• Denial of service
– Fake Disassociation [Bellardo and Savage 2003]
– NAV attack [Bellardo and Savage 2003]
– DIFS attack [Raya, Hubaux and Aad 2004]
– Jamming
• Phishing
– Set up a “fake” AP that advertises well known SSID
– Lure unsuspecting users
– Acquire passwords
Rogue Wireless Networks
• An uninformed or careless employee who
doesn’t understand (or chooses not to think
about) the security implications
– Brings AP from home, and attaches it to the corporate
network
– Configures desktop PC with wireless interface to create a
rogue ad-hoc network
• Bypasses security measures such as WPA,
802.1X
Simple Solution
[Figure: AirMonitors report the BSSID/SSID pairs they see (00:08:AC… MSFT, 00:09:3B… MSRLAB, 0C:3B:5A… Joe’sAP) to the Database; the Inference Engine compares the Seen list against the Known list (00:08:AC… MSFT, 00:09:3B… MSRLAB) and flags 0C:3B:5A… Joe’sAP as unknown]
Problem with the Simple Solution
• False Positives
– Multi-office buildings
• False negatives
– Malicious attacker fakes authorized SSID / BSSID
• DAIR can help reduce both false positives and
false negatives
– No foolproof way to avoid false positives/negatives
completely
– DAIR raises bar while generating fewer alarms
Reducing False Positives
• Detect whether rogue AP is connected to
corporate wired network
• Series of tests:
– Association test
– Source/destination address test
– Replay test
Association Test
[Figure: an AirMonitor associates with Joe’sAP (0C:3B:5A:…) and tries to reach a machine inside the corporate firewall; the outcome is recorded in the Database for the Inference Engine]
If the AirMonitor can connect to a machine inside the firewall via the AP, then the AP is connected to the corporate wired network
Association Test
• Test will fail if AP uses WEP or MAC address
filtering
– People configure home APs with WEP or MAC filtering
• Failure means we need additional tests …
Source / Destination Address Test
[Figure: the AirMonitor reports the addresses it observes through the suspect AP; the Land Monitor supplies the MAC addresses of the subnet routers (08:5B:3F:…, 08:3C:4F:…) to the Database, and the Inference Engine compares the two]
Source / Destination Address Test
802.11 Data Frame (with encryption): unencrypted header, encrypted payload
MAC addresses in the unencrypted header (client-to-AP frame): Receiver = Access Point, Transmitter = Client, Destination = known address?
If the Destination Address belongs to a subnet router, then the AP is connected to the corporate wired network
Similar test for the Source Address
Source / Destination Address Test
• Test will fail if AP is really a NAT/Router
– Many home APs combine AP and NAT/router
functionality
• Failure means that additional tests are needed
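The simple solution (compare the BSSIDs the AirMonitors saw against the known list) and the source/destination address test, written out as an added Python example; this is not DAIR's code. It assumes constructed BSSIDs, subnet-router MACs and client-to-AP frames, and the frame builder is part of the example, not the platform.

```python
# Added example (not DAIR's code): AirMonitor summary of seen BSSIDs, the Inference
# Engine's known-BSSID comparison ("simple solution") and the source/destination
# address test on the unencrypted 802.11 header. All addresses are constructed.
import struct

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def build_data_frame(a1, a2, a3, to_ds=False, from_ds=False, seq=0, payload=b"\x00" * 16):
    """Constructed 802.11 data frame (type 2, subtype 0) used only as sample input.
    Frame control is little-endian: type/subtype in byte 0, ToDS/FromDS in byte 1."""
    fc = (2 << 2) | (0x0100 if to_ds else 0) | (0x0200 if from_ds else 0)
    header = struct.pack("<HH", fc, 0) + mac(a1) + mac(a2) + mac(a3)
    return header + struct.pack("<H", seq << 4) + payload

def parse_data_frame(frame):
    """Map the three header addresses to BSSID/SA/DA from the ToDS/FromDS bits.
    The payload may be encrypted; nothing here needs to look at it."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    if to_ds and not from_ds:        # client -> AP: receiver is the AP (BSSID)
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:      # AP -> client: transmitter is the AP (BSSID)
        da, bssid, sa = a1, a2, a3
    elif not to_ds and not from_ds:  # ad hoc (IBSS) frame
        da, sa, bssid = a1, a2, a3
    else:
        raise ValueError("4-address (WDS) frames are not handled in this example")
    return {"to_ds": to_ds, "from_ds": from_ds, "seq": seq,
            "bssid": mac_str(bssid), "sa": mac_str(sa), "da": mac_str(da)}

def summarize_bssids(observations):
    """AirMonitor side: per channel, the unique BSSIDs seen in one reporting interval."""
    summary = {}
    for channel, frame in observations:
        summary.setdefault(channel, set()).add(parse_data_frame(frame)["bssid"])
    return summary

def unknown_bssids(summary, known_bssids):
    """Inference Engine side, the 'simple solution': seen BSSIDs not on the known list."""
    seen = set()
    for bssids in summary.values():
        seen |= bssids
    return seen - set(known_bssids)

def address_test(frames, suspect_bssid, router_macs):
    """Address test: a client->AP frame whose destination is a subnet router, or an
    AP->client frame whose source is one, shows the suspect AP is on the corporate
    wire. If the suspect is really a NAT/router, clients address its own LAN side
    rather than the corporate subnet router, so the test fails (as the slide notes)."""
    routers = set(router_macs)
    for frame in frames:
        f = parse_data_frame(frame)
        if f["bssid"] != suspect_bssid:
            continue
        if (f["to_ds"] and f["da"] in routers) or (f["from_ds"] and f["sa"] in routers):
            return True
    return False

# Constructed sample data, modelled on the slide's MSFT / MSRLAB / Joe'sAP entries.
KNOWN_BSSIDS = ["00:08:AC:00:00:01", "00:09:3B:00:00:02"]
ROUTER_MACS = ["08:5B:3F:00:00:01", "08:3C:4F:00:00:02"]
CLIENT = "00:11:22:33:44:55"
JOES_AP = "0C:3B:5A:00:00:03"
SAMPLE = [
    (6, build_data_frame(KNOWN_BSSIDS[0], CLIENT, ROUTER_MACS[0], to_ds=True, seq=1)),
    (11, build_data_frame(JOES_AP, CLIENT, ROUTER_MACS[1], to_ds=True, seq=7)),
    (11, build_data_frame(CLIENT, JOES_AP, "00:AA:BB:CC:DD:EE", from_ds=True, seq=8)),
]

if __name__ == "__main__":
    summary = summarize_bssids(SAMPLE)
    for bssid in sorted(unknown_bssids(summary, KNOWN_BSSIDS)):
        wired = address_test([f for _, f in SAMPLE], bssid, ROUTER_MACS)
        print(f"unknown BSSID {bssid}: on corporate wire = {wired}")
```

Only the header is read, so the test works on WEP- and WPA-protected frames alike; it is the NAT/router case, not encryption, that defeats it.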
Replay Test
[Figure: replay test in four numbered steps between the AirMonitors, the suspect AP, the LandMonitor and the Inference Engine: AirMonitors capture data packets sent to the suspect; at the same time the LandMonitors are alerted to watch for duplicate packets on the wired network; one of the AirMonitors replays the captured packets; each packet is replayed multiple times]
Replay Test
• No need to decrypt packets
• Works for NAT/Routers
– Even rogue ad-hoc networks
• Fails if replay-resistant crypto scheme is used
– WPA2
Scalability
• Load on database server
• Load on individual AirMonitors
• Additional wired network traffic
Load on Database Server
[Figure: CPU load (%) of the database server, 0 to 100, over 24 hours from 1AM to 1AM, with 12 AirMonitors reporting]
AirMonitors submit summarized data every 2 minutes
Database Server: MS-SQL 2005, 1.7GHz P4 with 1GB RAM
Load on Client Machine
[Figure: load (%) over 24 hours, 1AM to 1AM, for a machine running an AirMonitor and for a machine not running an AirMonitor]
Additional Network Traffic: 2-5Kbps per AirMonitor
Summary
• Built a scalable, cost-effective, dense WLAN
monitoring platform in a corporate environment
• Explored ways to leverage the platform to monitor
threats to Wi-Fi networks
Related Work
• Campus-wide Wi-Fi monitoring system [Kotz and Essien
2005]
• Monitoring corporate network for mobility patterns
[Balazinska and Castro 2003]
• Tools for analysis of packet-level Wi-Fi traces
– WIT [Mahajan et al. 2006]
– JigSaw [Cheng et al. 2006]
DAIR ongoing work
• Which channels should each AirMonitor listen on?
– What scanning strategy to use? [Deshpande et al. 2006]
– Depends on density of AirMonitors, environment
• Building an effective location system
• Building performance management tools
Backup slides
Wired Solutions
• Monitor CAM tables for unauthorized Ethernet addresses
– Not scalable
– Easy to fake Ethernet address
• Monitor DHCP requests, deny from unauthorized clients
– Bypassed using authorized client as forwarder
• IPSec
– Not widely used: hard to manage in heterogeneous environments
– Bypassed using authorized clients acting as forwarders
– Many machines on corporate LANs do not use IPSec
   ▪ Management servers on switches, printers
   ▪ Gateway machines
Reducing False Negatives
• Suspect is using an “authorized” SSID / BSSID
• If the “real” AP is still active
– Packet sequence numbers not monotonic
• If real AP is not active
– Determine location of suspect
– If different than expected, raise alarm
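The sequence-number check from the slide (the case where the real AP is still active), as an added Python example that is not DAIR's code. The beacon observations are constructed; the location-based check for an inactive real AP is outside what this example covers.

```python
# Added example (not DAIR's code): the sequence-number check used to reduce false
# negatives. A real AP's beacons carry one monotonically increasing 12-bit sequence
# counter; a second device using the same BSSID while the real AP is active
# interleaves its own counter, which shows up as repeated large backward jumps.
from collections import defaultdict

SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits and wrap at 4096

class SequenceChecker:
    def __init__(self, max_forward=1024, max_backward=8):
        self.max_forward = max_forward      # largest plausible gap from missed beacons
        self.max_backward = max_backward    # tolerated step back (retry/duplicate capture)
        self.last = {}                      # bssid -> last sequence number seen
        self.anomalies = defaultdict(int)   # bssid -> count of large backward jumps

    def observe(self, bssid, seq):
        """Feed one beacon (bssid, sequence number); return True if it is anomalous."""
        prev = self.last.get(bssid)
        self.last[bssid] = seq
        if prev is None:
            return False
        gap = (seq - prev) % SEQ_MOD        # forward distance, safe across the wrap
        if gap <= self.max_forward:         # normal progress, possibly with losses
            return False
        if gap >= SEQ_MOD - self.max_backward:  # small step back, e.g. a retransmission
            return False
        self.anomalies[bssid] += 1          # large jump back: a second sender uses this BSSID
        return True

    def suspects(self, min_anomalies=3):
        """BSSIDs with enough anomalies to report; the threshold limits noise from reordering."""
        return {b for b, n in self.anomalies.items() if n >= min_anomalies}

def analyze(beacons, min_anomalies=3):
    """Run the checker over (bssid, seq) observations; return (anomaly counts, suspects)."""
    checker = SequenceChecker()
    for bssid, seq in beacons:
        checker.observe(bssid, seq)
    return dict(checker.anomalies), checker.suspects(min_anomalies)

# Constructed beacon observations: the real MSFT AP alone, then an impostor with the
# same BSSID interleaving its own counter; MSRLAB wraps its counter legitimately.
MSFT, MSRLAB = "00:08:AC:00:00:01", "00:09:3B:00:00:02"
BEACONS = [(MSFT, s) for s in range(1000, 1006)]
BEACONS += [(MSFT, s) for pair in zip(range(1006, 1010), range(300, 304)) for s in pair]
BEACONS += [(MSRLAB, s) for s in (4093, 4094, 4095, 0, 1, 2)]

if __name__ == "__main__":
    anomalies, suspects = analyze(BEACONS)
    print("backward jumps per BSSID:", anomalies)
    print("suspected impersonated BSSIDs:", suspects)
```

The counter wrap at 4096 and occasional retransmissions are the two benign cases the thresholds are there to absorb; a single monitor hears one real AP's beacons in order, so anything beyond those two is evidence of a second transmitter.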
Example: Indoor WLAN Monitoring
[Figure: floor plan of an office wing with monitors, stairwells (UP/DN, EL 32) and a rogue AP and client; beside it, % Received vs. Time (Minutes), 0 to 300, with red = beacon reception rate and blue = data packet reception rate; per-monitor reception rates of 0%, 0%, 26%, 0%, 0%, 0%, 97% and 1.7%]
Rapid loss of AP signal strength in indoor environments
Complex, time-varying signal propagation
Taxonomy of Attacks on Wi-Fi Networks
• Eavesdropping
– Passive snooping (perhaps with high-gain antennas)
– Nearly impossible to detect
– Cryptographic techniques generally considered sufficient.
• Intrusion
– Rogue AP / Rogue Ad-hoc network
– Cryptographic techniques not enough, need continuous monitoring
• Denial of Service
– Fake deauthentication/disassociation, NAV attacks
– Need monitoring system.
• Phishing
Enterprise-scale WLAN Monitoring System
Challenges and Design Requirements
• Rapid fading in indoor environments
• Complex, time-varying signal propagation
• Many orthogonal channels
• Need information from many monitors
• Dense deployment of monitors
• Monitors must be self-configuring
• Scalable data gathering and processing
• Must cope with incomplete data
Replay Test
• AirMonitors replay packets with suspect BSSID
– If suspect is AP, only replay packets with ToDS bit set
– No need to decrypt packet
• Each packet is replayed multiple times (say 5)
• LandMonitors detect if duplicate packets are seen on
wired network
• Works for rogue ad-hoc networks
• Fails if suspect is using WPA2 or other crypto schemes
that are robust against replay attacks
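The two halves of the replay test (the AirMonitor selecting ToDS frames for the suspect BSSID, and the LandMonitor watching the wire for duplicates while the Inference Engine has it armed), as an added Python example for this slide and the earlier Replay Test slides; it is not DAIR's code. Addresses, frames and timestamps are constructed, the window and threshold are assumptions, and no transmission code is included.

```python
# Added example (not DAIR's code): the two halves of the replay test. All frames and
# timestamps below are constructed sample data.
import hashlib
from collections import defaultdict, deque

REPLAY_COUNT = 5    # the slide suggests replaying each packet about 5 times

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def frames_to_replay(captured, suspect_bssid):
    """AirMonitor side: captured 802.11 frames addressed to the suspect AP. With the
    ToDS flag set (bit 0 of the second frame-control byte) address 1 is the BSSID,
    and only such frames would be bridged onto the wire by a connected AP. The
    encrypted payload is never decrypted."""
    bssid = mac(suspect_bssid)
    return [f for f in captured if f[1] & 0x01 and f[4:10] == bssid]

class LandMonitor:
    """Wired side: while armed by the Inference Engine, count identical Ethernet
    frames in a sliding window; a frame seen REPLAY_COUNT times is the replayed
    traffic emerging from the suspect AP onto the corporate network."""
    def __init__(self, window_s=10.0, threshold=REPLAY_COUNT):
        self.window_s, self.threshold = window_s, threshold
        self.armed_from = self.armed_until = -1.0
        self.seen = defaultdict(deque)   # frame digest -> timestamps in window

    def arm(self, now):
        self.armed_from, self.armed_until = now, now + self.window_s

    def observe(self, now, eth_frame):
        if not (self.armed_from <= now <= self.armed_until):
            return False                 # not watching: ordinary traffic is ignored
        times = self.seen[hashlib.sha256(eth_frame).digest()]
        times.append(now)
        while times and now - times[0] > self.window_s:
            times.popleft()
        return len(times) >= self.threshold

def run_replay_test(wired_trace, arm_at, window_s=10.0):
    """Return the timestamps at which a LandMonitor armed at arm_at raised an alarm."""
    lm = LandMonitor(window_s)
    lm.arm(arm_at)
    return [t for t, frame in wired_trace if lm.observe(t, frame)]

# Constructed sample input.
ROUTER, CLIENT, SUSPECT = "08:5B:3F:00:00:01", "00:11:22:33:44:55", "0C:3B:5A:00:00:03"

def eth(dst, src, payload):
    return mac(dst) + mac(src) + b"\x08\x00" + payload

def dot11(flags, a1, a2, a3, payload):
    return bytes([0x08, flags]) + b"\x00\x00" + mac(a1) + mac(a2) + mac(a3) + b"\x00\x00" + payload

CAPTURED = [
    dot11(0x01, SUSPECT, CLIENT, ROUTER, b"encrypted-1"),    # ToDS, to the suspect
    dot11(0x02, CLIENT, SUSPECT, ROUTER, b"encrypted-2"),    # FromDS, from the suspect
    dot11(0x01, "00:08:AC:00:00:01", CLIENT, ROUTER, b"x"),  # ToDS, to an authorized AP
]
benign = eth("FF:FF:FF:FF:FF:FF", CLIENT, b"broadcast-1")
replayed = eth(ROUTER, CLIENT, b"forwarded-by-ap-1")
WIRED_TRACE = [(0.5, benign), (1.0, benign)]                 # a normal repeat (2x)
WIRED_TRACE += [(2.0 + 0.1 * i, replayed) for i in range(REPLAY_COUNT)]
WIRED_TRACE += [(3.0, eth(ROUTER, CLIENT, b"other"))]

if __name__ == "__main__":
    print("frames selected for replay:", len(frames_to_replay(CAPTURED, SUSPECT)))
    print("alarms while armed:", run_replay_test(WIRED_TRACE, arm_at=0.0))
    print("alarms when not armed:", run_replay_test(WIRED_TRACE, arm_at=100.0))
```

Arming the LandMonitor only for the replay window is what keeps ordinary duplicate traffic (broadcast repeats, retransmissions) from triggering alarms; an AP using WPA2 drops the replayed frames at its replay counter, so nothing reaches the wire and the test reports no duplicates, which matches the slide's stated failure case.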
Monitor Architecture
[Figure: Monitor architecture. A Command Issuer sends commands (Enable/Disable Filter, Send Packets) through a Remote Object with Heart Beat to the Command Processor; a Sender with a Packet Constructor sends packets; the Filter Processor delivers packets to all registered filters (WiFi Parser, DHCP Parser, Other Parser) and enables/disables promiscuous mode and logging; the Driver Interface sends packets to and queries the Custom Wireless Driver and the Wired NIC Driver; the SQL Client dumps summarized packet information into the SQL Server tables]