WIRELESS INTRUSION DETECTION SYSTEMS

Namratha Vemuri
Balasubramanian Kandaswamy
THREATS
 VICTIMS
 IDS
 TYPES OF IDS
 ARCHITECTURE
 IMPLEMENTATION
 TOOLS USED
 ADMINISTRATION

THREATS

Reconnaissance, theft of identity and denial of service (DoS)
Signal range of authorized AP
Physical security of an authorized AP
Rogue or unauthorized AP
Easy installation of an AP
Poorly configured AP
Protocol weakness and capacity limits on AP
What is attacked?
Corporate network and servers
 Attempted penetration through the official access points (target 1) into the corporate network.
 DoS attacks, as most of them are TCP/IP based
Wireless clients
 The access point behaves as a hub, connecting the authorized wireless clients directly to the bad guys. Inevitably this will expose a connecting PC to a huge array of IP-based attacks.

Unauthorized access points
Unofficial access points installed by user departments (target 4) represent a huge risk, as the security configuration is often questionable.

Bogus access points (target 5) represent a different threat, as these can be used to hijack sessions at the data link layer and steal valuable information.

o Target 3 – The legitimate access point
To protect our network, we need to know:
 where all access points reside on our network
 what actions to take to close down any unauthorized access points that do not conform to the company security standards
 what wireless users are connected to our network
 what unencrypted data is being accessed and exchanged by those users
What is IDS?

An IDS is not a firewall.

An IDS watches the network from the inside and reports or raises an alarm.

An IDS monitors APs, compares the security controls defined on each AP with predefined company security standards, then resets or closes down any non-conforming APs it finds.

An IDS identifies and alerts on unauthorized MAC addresses and tracks down hackers.

Intrusion detection systems are designed and built to monitor and report on network activities, or packets, between communicating devices.



TOOLS
Many commercial and open source tools are used to:
 capture and store the WLAN traffic
 analyse that traffic and create reports
 analyse signal strength and transmission speed
ID SYSTEM ACTIVITIES
INFRASTRUCTURE
ARCHITECTURE
IDS:
 a sensor (an analysis engine) that is responsible for detecting intrusions (contains the decision-making mechanism)

The sensor receives messages from its own IDS knowledge base, syslog and audit trails.

Syslog may include, for example, configuration of the file system, user authorizations etc. This information creates the basis for a further decision-making process.
TYPES OF IDS

Misuse or Anomaly IDS

Network based or Host based IDS

Passive or Reactive IDS
ARCHITECTURE

CENTRALIZED: a combination of individual sensors which collect and forward 802.11 data to a centralized management system.

DISTRIBUTED: one or more devices that perform both the data gathering and processing/reporting functions of the IDS.

Distributed is best suited for smaller WLANs due to cost and management issues:
 Cost of many sensors with data processing
 Management of multiple processing/reporting sensors

In centralized, it is easy to maintain only one IDS, where all the data is analyzed and formatted.
 Single point of failure
 Adds ‘additional’ network traffic running concurrently, with an impact on network performance
IMPLEMENTATION OF IDS
Comprises a mixture of hardware and software called intrusion detection sensors.
 Located on the network and examines traffic.
 Where should the sensors be placed?
 How many do we need?

Not just to detect attackers...
Helps to enforce policies
 Policies for encryption
 Can report if an unencrypted packet is detected.
 With proper enforcement WEP can be achieved (next slide)
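
The checks from the "What is IDS?" slide (comparing APs with company standards, alerting on unauthorized MAC addresses) and the encryption policy above, sketched as an added example that is not part of the original slides. The event format, MAC addresses and SSIDs are constructed for illustration; a real sensor would supply these fields from captured 802.11 frames.

```python
# Added example: policy checks a wireless IDS engine could run on sensor events.
# Every MAC, SSID and event here is constructed sample data.
AUTHORIZED_APS = {"00:11:22:33:44:01": "CorpNet", "00:11:22:33:44:02": "CorpNet"}
AUTHORIZED_CLIENTS = {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"}
# The slides name WEP as the policy goal; list the modes your standard requires
# (WEP is long broken, so a current standard would list WPA2/WPA3 instead).
ALLOWED_ENCRYPTION = {"WEP"}

def check_event(ev):
    """Return the alerts (list of str) raised by one sensor event (a dict)."""
    kind, bssid = ev["type"], ev["bssid"].lower()
    known_ap = bssid in AUTHORIZED_APS
    alerts = []
    if kind == "beacon":
        if not known_ap and ev["ssid"] in AUTHORIZED_APS.values():
            alerts.append(f"BOGUS_AP {bssid} imitates SSID {ev['ssid']}")
        elif not known_ap:
            alerts.append(f"UNAUTHORIZED_AP {bssid} ssid={ev['ssid']}")
        elif (ev["ssid"] != AUTHORIZED_APS[bssid]
              or ev["encryption"] not in ALLOWED_ENCRYPTION):
            alerts.append(f"NONCONFORMING_AP {bssid} ssid={ev['ssid']} "
                          f"encryption={ev['encryption']}")
    elif kind == "assoc":
        client = ev["client"].lower()
        if known_ap and client not in AUTHORIZED_CLIENTS:
            alerts.append(f"UNAUTHORIZED_CLIENT {client} on {bssid}")
        elif not known_ap and client in AUTHORIZED_CLIENTS:
            alerts.append(f"CLIENT_ON_FOREIGN_AP {client} joined {bssid}")
    elif kind == "data" and known_ap and not ev["protected"]:
        # "protected" mirrors the 802.11 Protected Frame bit of a data frame.
        alerts.append(f"UNENCRYPTED_DATA via {bssid}")
    return alerts

def run(events):
    """Check every event in order and return all alerts."""
    return [alert for ev in events for alert in check_event(ev)]

SAMPLE_EVENTS = [  # constructed sensor observations
    {"type": "beacon", "bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "encryption": "WEP"},
    {"type": "beacon", "bssid": "00:11:22:33:44:02", "ssid": "CorpNet", "encryption": "OPEN"},
    {"type": "beacon", "bssid": "02:00:00:00:00:05", "ssid": "CorpNet", "encryption": "WEP"},
    {"type": "beacon", "bssid": "02:00:00:00:00:09", "ssid": "SalesWiFi", "encryption": "OPEN"},
    {"type": "assoc", "bssid": "00:11:22:33:44:01", "client": "00:AA:BB:CC:DD:09"},
    {"type": "assoc", "bssid": "02:00:00:00:00:05", "client": "00:aa:bb:cc:dd:02"},
    {"type": "data", "bssid": "00:11:22:33:44:01", "protected": False},
]

if __name__ == "__main__":
    print("\n".join(run(SAMPLE_EVENTS)))
```

The first beacon conforms and raises nothing; each of the other six events raises one alert, covering the non-conforming, bogus and unauthorized AP cases from the threat slides.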

Why do we need these
To achieve WEP
 What's WEP?
Wired Equivalent Privacy
 Why do we need it?

People responsible
IDS security analysts who can interpret the
alerts (Passive IDS).
 IDS software programmers
 IDS database administrators (misuse or
anomaly IDS)

Couple of open source IDS
KISMET 802.11 a/b/g network sniffer
 NETSTUMBLER

Kismet 802.11a/b/g network sniffer
Passively collects network traffic (listens), detecting the standard named networks and hidden (non-beaconing) networks
 Analyzes the data traffic and builds a ‘picture’ of data movement

NetStumbler

Sends 802.11 probes
Actively scans by sending out a request every second and reporting the responses
 APs by default respond to these probes
 Used for wardriving or wilding.

Who manages and administers
WIDS?
Large organization (Network Operations
group)
 AirMagnet Distributed 4.0,
 AirDefense Enterprise v4.1
 Red-M
Small and Medium Organization
 Managed Security Service Provider
(MSSP)
AirMagnet Distributed
 Sensors report network performance information

Alerts management server

AirMagnet Reporter generates reports ranging from threat summaries to channel RF signal strength
Ex: Using the ‘Find’ tool, we can manually and physically track down the location of the rogue user
AirDefense

AirDefense system consists of a server
running Red Hat Linux with distributed
wireless AP sensors and a Java-based
Web console.

The AirDefense Web console and AP
sensors communicate on a secure
channel to the server
Red-M
 Red-M includes Red-Alert and Red-Vision.

Red-Alert is a standalone wireless probe which can detect unauthorized Bluetooth devices as well as 802.11a/b/g networks.

Red-Vision is a modular set of products consisting of three main components: Red-Vision Server, Red-Vision Laptop Client and Red-Vision Viewer.
Red-Vision (cont)
Red-Vision Server (Heart)
 Red-Vision Laptop Client (Ear)
 Red-Vision Viewer (Brain)

Wireless IDS drawbacks
Cost
 Cost grows in conjunction with size of the
LAN
 New emerging technology and hence may
contain many bugs and vulnerabilities.
 A wireless IDS is only as effective as the
individuals who analyze and respond to
the data gathered by the system

Conclusion
Wireless intrusion detection systems are an
important addition to the security of
wireless local area networks. While there
are drawbacks to implementing a wireless
IDS, the benefits will most likely prove to
outweigh the downsides
QUESTIONS

What is Policy Enforcement ?
A policy is stated by IDS (Ex: all wireless
communications must be encrypted) to
detect the attack

What type of IDS is AirDefense Guard?
It is misuse or signature based anomaly.

What are ‘dumb’ probes?
They collect all the network traffic and send it to a central server for analysis
QUESTIONS?
THANK YOU