WIRELESS INTRUSION DETECTION SYSTEMS
Namratha Vemuri
Balasubramanian Kandaswamy
THREATS
VICTIMS
IDS
TYPES OF IDS
ARCHITECTURE
IMPLEMENTATION
TOOLS USED
ADMINISTRATION
THREATS
Reconnaissance, theft of identity and denial of
service (DoS)
Signal range of authorized AP.
Physical security of an authorized AP
Rogue or unauthorized AP
Easy installation of an AP
Poorly configured AP
Protocol weakness and capacity limits on AP
What is attacked?
Corporate network and servers
Attempted penetration through the official access points (target 1) into the corporate network.
DoS attacks, as most of them are TCP/IP based
Wireless Clients
The access point behaves as a hub, connecting the authorized wireless clients directly to the bad guys; inevitably this exposes a connecting PC to a huge array of IP-based attacks.
Unauthorized Access point
Unofficial access points installed by user departments (target 4) represent a huge risk, as their security configuration is often questionable.
Bogus access points (target 5) represent a different threat, as these can be used to hijack sessions at the data link layer and steal valuable information.
Target 3 – the legitimate access point
To protect our network we need to know:
where all access points reside on our network
what actions to take to close down any unauthorized access points that do not conform to the company security standards
what wireless users are connected to our network
what unencrypted data is being accessed and exchanged by those users
What is IDS?
IDS is not a firewall
IDS watches the network from the inside and reports or alarms
IDS monitors APs, compares the security controls defined on the AP with predefined company security standards, then resets or closes down any non-conforming APs it finds.
IDS identifies and alerts on unauthorized MAC addresses, and tracks down hackers.
Intrusion detection systems are designed and built to monitor and report on network activities, or packets, between communicating devices.
Many commercial and open source tools are used:
TOOLS
capture and store the WLAN traffic
analyse that traffic and create reports
analyse signal strength and transmission speed
ID SYSTEM ACTIVITIES
INFRASTRUCTURE
ARCHITECTURE
IDS:
a sensor (an analysis engine) that is responsible for detecting intrusions (contains the decision-making mechanism)
The sensor receives messages from its own IDS knowledge base, syslog and audit trails. Syslog may include, for example, file system configuration, user authorizations, etc. This information creates the basis for the further decision-making process.
TYPES OF IDS
Misuse or Anomaly IDS
Network based or Host based IDS
Passive or Reactive IDS
ARCHITECTURE
CENTRALIZED: a combination of individual sensors which collect and forward 802.11 data to a centralized management system.
DISTRIBUTED: one or more devices that perform both the data gathering and the processing/reporting functions of various IDS.
Distributed is best suited for smaller WLANs due to cost and management issues:
Cost of many sensors with data processing
Management of multiple processing/reporting sensors
In centralized, it is easy to maintain only one IDS where all the data is analyzed and formatted.
Single point of failure
Adds ‘additional’ network traffic running concurrently, with an impact on network performance
IMPLEMENTATION OF IDS
Comprises a mixture of hardware and software called intrusion detection sensors.
Located on the network and examines traffic.
Where should the sensors be placed?
How many do we need?
Not just to detect attackers..
Helps to enforce policies
Policies for encryption
Can report if an unencrypted packet is detected.
With proper enforcement WEP can be achieved (next slide)
Why do we need these
To achieve WEP
What's WEP?
Wired Equivalent Privacy
Why do we need it?
People responsible
IDS security analysts who can interpret the
alerts (Passive IDS).
IDS software programmers
IDS database administrators (misuse or
anomaly IDS)
Couple of open source IDS
KISMET 802.11 a/b/g network sniffer
NETSTUMBLER
Kismet 802.11a/b/g network sniffer
Passively collects network traffic (listens), detects the standard named networks and also detects hidden (non-beaconing) networks
Analyzes the data traffic and builds a ‘picture’ of data movement
NetStumbler
Sends 802.11 probes
Actively scans by sending out a request every second and reporting the responses
APs by default respond to these probes
Used for wardriving or wilding.
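To make the slides' policy-enforcement idea concrete (unencrypted data frames, unauthorized MAC addresses, rogue APs, and an active scanner sending probe requests the way NetStumbler does), here is an added example that is not part of the original presentation or any of the tools it names. It decodes the 802.11 Frame Control field from constructed frame records; the authorized MAC lists, the probe-rate threshold and the sample frames are all assumed values.

```python
from collections import Counter

# Constructed inventory of what company policy authorizes (assumed values).
AUTHORIZED_APS = {"00:11:22:33:44:55"}
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
PROBE_RATE_LIMIT = 3  # probe requests from one source in the capture window

def parse_frame_control(fc: bytes):
    """Decode the 2-byte 802.11 Frame Control field.
    Byte 0: version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
    Byte 1: flags; bit 6 is the Protected Frame (encryption) bit."""
    ftype = (fc[0] >> 2) & 0x3
    subtype = (fc[0] >> 4) & 0xF
    protected = bool(fc[1] & 0x40)
    return ftype, subtype, protected

def check_frame(frame, probe_counts):
    """Apply the encryption / authorized-MAC / rogue-AP policies to one frame."""
    alerts = []
    ftype, subtype, protected = parse_frame_control(frame["fc"])
    src, bssid = frame["src"], frame["bssid"]
    if ftype == 0 and subtype == 8 and bssid not in AUTHORIZED_APS:   # beacon
        alerts.append(f"rogue AP beacon from {bssid}")
    if ftype == 0 and subtype == 4:                                    # probe request
        probe_counts[src] += 1
        if probe_counts[src] == PROBE_RATE_LIMIT:   # alert once per source
            alerts.append(f"active scanner {src}")
    if ftype == 2:                                                     # data frame
        if src not in AUTHORIZED_CLIENTS and src not in AUTHORIZED_APS:
            alerts.append(f"unauthorized MAC {src}")
        if not protected:
            alerts.append(f"unencrypted data frame from {src}")
    return alerts

def run_wids(frames):
    """Run every frame through the policy checks; return the alert list."""
    probe_counts = Counter()
    alerts = []
    for frame in frames:
        alerts.extend(check_frame(frame, probe_counts))
    return alerts

# Constructed sample capture: fc bytes are little-endian Frame Control values.
SAMPLE_FRAMES = [
    {"fc": b"\x80\x00", "src": "00:11:22:33:44:55", "bssid": "00:11:22:33:44:55"},
    {"fc": b"\x80\x00", "src": "de:ad:be:ef:00:01", "bssid": "de:ad:be:ef:00:01"},
    {"fc": b"\x08\x41", "src": "aa:bb:cc:00:00:01", "bssid": "00:11:22:33:44:55"},
    {"fc": b"\x08\x01", "src": "aa:bb:cc:00:00:02", "bssid": "00:11:22:33:44:55"},
    {"fc": b"\x08\x41", "src": "66:66:66:66:66:66", "bssid": "00:11:22:33:44:55"},
] + [{"fc": b"\x40\x00", "src": "ca:fe:ca:fe:00:01", "bssid": "ff:ff:ff:ff:ff:ff"}] * 3

if __name__ == "__main__":
    for alert in run_wids(SAMPLE_FRAMES):
        print(alert)
```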
Who manages and administers
WIDS?
Large organization (Network Operations
group)
AirMagnet Distributed 4.0,
AirDefense Enterprise v4.1
Red-M
Small and Medium Organization
Managed Security Service Provider
(MSSP)
AirMagnet Distributed
Sensors report network performance information
Alerts management server
Airmagnet reporter generates reports from threat
summaries to channel RF signal strength
Ex: Using ‘Find’ tool, we can manually and
physically track down location of the rogue user
AirDefense
AirDefense system consists of a server
running Red Hat Linux with distributed
wireless AP sensors and a Java-based
Web console.
The AirDefense Web console and AP
sensors communicate on a secure
channel to the server
Red-M
Red-M includes Red-Alert and Red-Vision.
Red-Alert is a standalone wireless probe which can detect unauthorized Bluetooth devices as well as 802.11a/b/g networks.
Red-Vision is a modular set of products consisting of three main components: Red-Vision Server, Red-Vision Laptop Client and Red-Vision Viewer.
Red Vision (cont)
Red vision server (Heart)
Red vision laptop client (Ear)
Red Vision viewer ( Brain)
Wireless IDS drawbacks
Cost
Cost grows in conjunction with size of the
LAN
New emerging technology and hence may
contain many bugs and vulnerabilities.
A wireless IDS is only as effective as the
individuals who analyze and respond to
the data gathered by the system
Conclusion
Wireless intrusion detection systems are an important addition to the security of wireless local area networks. While there are drawbacks to implementing a wireless IDS, the benefits will most likely prove to outweigh the downsides.
QUESTIONS
What is Policy Enforcement?
A policy is stated by the IDS (e.g. all wireless communications must be encrypted) to detect the attack.
What type of ID is AirDefense Guard?
It is misuse or signature-based anomaly.
What are ‘dumb’ probes?
They collect all the network traffic and send it to a central server for analysis.
QUESTIONS?
THANK YOU