Wireless intrusion detection

Bruce Potter

Wireless IDS systems have started to emerge in an effort to assist IT personnel in detecting malicious activities on a wireless network. The scope and complexity of the current offering of wireless IDSs vary dramatically. From home-grown wireless IDSs based on open source software to plug-ins to large commercial IDS/IPS systems, there are many options available today for those interested in detecting wireless LAN attacks.

Purpose of wireless IDS

It is important to understand the breadth of the wireless security space in order to understand what a wireless IDS should really be doing. There is the obvious example of an attacker using a wireless network to launch attacks against wired targets. However, by and large, these attacks are no different from their wired counterparts.

Rogue access point detection is an important aspect of wireless IDS. Rogue access points come in two varieties. Internal rogue access points are those that (for instance) an employee brings in and plugs into a corporate network. The access point is outside the control of IT personnel and serves as a gateway for attackers to enter the enterprise. It is key to detect these rogue access points as quickly as possible to remove them (and the threat of attack) from your network.

The other type of rogue access point is more difficult to control. The external rogue access point is one that is controlled by an attacker and designed to spoof legitimate clients into connecting to it rather than the correct access point. Usually this is accomplished by setting the rogue access point's SSID to the same SSID as the friendly access point and then boosting the signal of the rogue access point. This will cause client associations to come to the rogue access point. The attacker may then attempt to steal users' credentials via spoofed Web pages and portals designed to trick users into giving up passwords, credit card numbers and other personal information. These types of rogue access points are generally easy to detect but difficult to turn off, as the attacker then needs to be physically located.
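Both rogue varieties described above can be separated mechanically once the IDS holds an inventory of the BSSIDs (radio MAC addresses) that are allowed to advertise each corporate SSID. The Python script below is an added example, not code from the article or from any product it names: it groups beacon observations from several sensors by BSSID, reports an unknown radio advertising a corporate SSID as an evil twin, reports an unknown radio with an unknown SSID as a candidate internal rogue, and records which sensor heard the radio loudest as a first hint for physically locating it. The inventory, sensor names and beacon records are constructed for illustration, and the strongest-signal location hint is a heuristic of this example.

```python
"""Classify observed access points against an authorized-AP inventory.

Added example, not code from the article or from any product it names.
The inventory, sensor names and beacon records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: BSSID -> the SSID that radio is allowed to advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
    "00:11:22:33:44:03": "corp-guest",
}


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as reported by one sensor (constructed record layout)."""
    sensor: str   # sensor that heard the frame
    bssid: str    # transmitter address of the access point
    ssid: str     # network name being advertised
    channel: int
    rssi: int     # received signal strength in dBm at that sensor


# Constructed observations: an evil twin of corp-wifi heard loudest in the
# lobby, and an unknown "linksys" radio on floor 2.
SAMPLE_BEACONS = [
    Beacon("sensor-lobby",   "00:11:22:33:44:01", "corp-wifi",  6,  -48),
    Beacon("sensor-lobby",   "aa:bb:cc:dd:ee:ff", "corp-wifi",  6,  -31),
    Beacon("sensor-parking", "aa:bb:cc:dd:ee:ff", "corp-wifi",  6,  -55),
    Beacon("sensor-dc",      "00:11:22:33:44:03", "corp-guest", 11, -60),
    Beacon("sensor-floor2",  "de:ad:be:ef:00:01", "linksys",    1,  -40),
    Beacon("sensor-floor2",  "00:11:22:33:44:02", "corp-wifi",  1,  -52),
]


def classify(beacons, inventory=AUTHORIZED_APS):
    """Return {bssid: verdict}; verdict has 'kind', 'ssids', 'nearest_sensor', 'rssi'."""
    by_bssid = defaultdict(list)
    for b in beacons:
        by_bssid[b.bssid].append(b)
    our_ssids = set(inventory.values())

    verdicts = {}
    for bssid, obs in by_bssid.items():
        ssids = {b.ssid for b in obs}
        # Heuristic: the sensor with the strongest reading is the first place to
        # send someone when a rogue has to be physically located.
        loudest = max(obs, key=lambda b: b.rssi)
        if bssid in inventory:
            expected = inventory[bssid]
            kind = "authorized" if ssids == {expected} else "authorized-bssid-unexpected-ssid"
        elif ssids & our_ssids:
            # Unknown radio advertising one of our SSIDs: the external rogue /
            # evil-twin case described in the text.
            kind = "evil-twin"
        else:
            # Unknown radio with an unknown SSID: candidate internal rogue
            # (e.g. an employee-installed AP) until proven otherwise.
            kind = "unknown-ap"
        verdicts[bssid] = {
            "kind": kind,
            "ssids": sorted(ssids),
            "nearest_sensor": loudest.sensor,
            "rssi": loudest.rssi,
        }
    return verdicts


def alerts(verdicts):
    """One human-readable line per non-authorized radio, strongest signal first."""
    lines = []
    for bssid, v in sorted(verdicts.items(), key=lambda kv: -kv[1]["rssi"]):
        if v["kind"] != "authorized":
            lines.append(f"{v['kind']}: {bssid} ssid={','.join(v['ssids'])} "
                         f"nearest={v['nearest_sensor']} rssi={v['rssi']}dBm")
    return lines


if __name__ == "__main__":
    for line in alerts(classify(SAMPLE_BEACONS)):
        print(line)
```

Run on the constructed sample, the script reports the evil twin first (it was heard at -31 dBm in the lobby, louder than the legitimate lobby AP at -48 dBm) and the unknown "linksys" radio second. An inventory keyed on BSSID rather than on SSID is what makes the evil-twin case detectable at all: the SSID is identical by design, so only the transmitter address tells the two apart.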

Other types of attacks include MAC address spoofing by an attacker to bypass access control lists, password guessing for 802.1x authentication methods that rely on passwords, denial-of-service attacks against the wireless infrastructure, session hijacking, and clients using weak IVs in standard WEP that allow attackers to determine the WEP key with ease. These and other wireless attacks are supported by free tools from the Internet, enabling unsophisticated users to launch them on any network.

Commercial products

Given the size of the wireless LAN market, many companies have been rushing to create and sell wireless IDS systems. AirDefense is a company focused on creating wireless security products.[1] Their flagship wireless IDS has been around for a number of years and has matured with respect to the technology and the integration in enterprise management systems. The appliance-based solution goes beyond a wireless IDS to provide diagnostic and fault information on wireless LAN deployments. While new to the IDS scene, AirDefense has a solid grasp of wireless security and has built a capable product.

Internet Security Systems (ISS) is a well-known wired IDS vendor with a vast product line.[2] Their wireless offering, however, is limited to a wireless scanner that watches for rogue access points and clients using weak connections. It is not a full-fledged wireless IDS in the sense that it does not cover the breadth of wireless-specific attacks possible on a wireless LAN. However, ISS's wireless scanner integrates well into their products. This allows enterprises that already use the other ISS products to easily integrate a baseline level of wireless intrusion detection.

There are many other wireless IDS products on the market. The majority of IDS vendors either have some wireless functionality or plan to have wireless support in the near future. There are also new companies developing wireless IDS products that may suit the needs of many enterprises. As this market matures, the feature set offered by these vendors will homogenize, easing the task of selection.

As wireless LANs have gained popularity, so have attacks against them. Attackers can exploit rogue access points within an enterprise or poorly configured hotspots to launch attacks. These attacks may be targeted at a client workstation, an internal server, or ultimately a remote Internet-connected host. Unfortunately, standard IDS products are unable to detect attacks specifically against a wireless network.

Open source options

On the open source front, there are some complete wireless IDS systems and there are other wireless utilities that can be utilized (with some supporting code and process) as a wireless IDS. Snort-wireless is a wireless IDS designed to integrate into a Snort 2.x environment.[3] Snort is the most widely deployed open source IDS, so a wireless plug-in makes sense for many enterprises. Snort-wireless allows for custom rules to be created based on framing information from a wireless packet. It also contains rules to attempt to find rogue access points, wardrivers, and ad hoc networks.

Kismet is a utility commonly used for wardriving.[4] However, starting with Kismet 2, a distributed 'sensor' based model has been adopted. This allows multiple Kismet sensors to be placed around an enterprise, reporting wireless events back to a central console. This is a very common architecture for IDSs, so many have taken to using Kismet as a wireless IDS system. Via some custom software and homemade attack rules, Kismet can make a very effective and extensible wireless IDS.
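The "custom software and homemade attack rules" that turn a sensor network into an IDS, and the framing-based rules the Snort-wireless paragraph mentions, both amount to a central console that reads frame-level events from every sensor and applies a few thresholds across them. The Python below is an added example of such a console, not code from Kismet or Snort-wireless, and its event record layout (timestamp, sensor, frame kind, source MAC, key=value detail) is invented for this illustration rather than either tool's real output. It implements three homemade rules for things the article names: an ad hoc network (a beacon with the IBSS flag set), a deauthentication flood as one form of wireless denial of service, and a client probing for many different SSIDs as a crude wardriver indicator. Thresholds and sample events are constructed; because sensors are correlated by source address, each alert also lists every sensor that heard the activity.

```python
"""Central-console rules over events reported by distributed wireless sensors.

Added example, not code from Kismet or Snort-wireless. The event record
layout, the thresholds and the sample events are all constructed.
"""
from collections import defaultdict

# Constructed thresholds for the "homemade attack rules".
DEAUTH_THRESHOLD = 5        # deauth frames from one source ...
DEAUTH_WINDOW = 2.0         # ... within this many seconds
PROBE_SSID_THRESHOLD = 4    # distinct SSIDs probed for by one client

# Constructed event records: (timestamp_s, sensor, frame_kind, source_mac, detail)
SAMPLE_EVENTS = [
    (100.0, "sensor-lobby",   "beacon", "00:11:22:33:44:01", "ssid=corp-wifi;ibss=0"),
    (100.5, "sensor-floor2",  "beacon", "02:22:33:44:55:66", "ssid=adhoc-share;ibss=1"),
    (101.0, "sensor-lobby",   "probe",  "66:77:88:99:aa:bb", "ssid=linksys"),
    (101.2, "sensor-lobby",   "probe",  "66:77:88:99:aa:bb", "ssid=default"),
    (101.4, "sensor-parking", "probe",  "66:77:88:99:aa:bb", "ssid=netgear"),
    (101.6, "sensor-parking", "probe",  "66:77:88:99:aa:bb", "ssid=corp-wifi"),
    (102.0, "sensor-lobby",   "deauth", "cc:cc:cc:cc:cc:01", "dst=ff:ff:ff:ff:ff:ff"),
    (102.2, "sensor-lobby",   "deauth", "cc:cc:cc:cc:cc:01", "dst=ff:ff:ff:ff:ff:ff"),
    (102.4, "sensor-parking", "deauth", "cc:cc:cc:cc:cc:01", "dst=ff:ff:ff:ff:ff:ff"),
    (102.6, "sensor-lobby",   "deauth", "cc:cc:cc:cc:cc:01", "dst=ff:ff:ff:ff:ff:ff"),
    (102.8, "sensor-parking", "deauth", "cc:cc:cc:cc:cc:01", "dst=ff:ff:ff:ff:ff:ff"),
    (103.0, "sensor-lobby",   "deauth", "cc:cc:cc:cc:cc:01", "dst=ff:ff:ff:ff:ff:ff"),
    # A legitimate AP sending two deauths minutes apart must not trip the flood rule.
    (150.0, "sensor-dc",      "deauth", "00:11:22:33:44:03", "dst=11:11:11:11:11:11"),
    (400.0, "sensor-dc",      "deauth", "00:11:22:33:44:03", "dst=11:11:11:11:11:11"),
]


def parse_detail(detail):
    """Turn 'k1=v1;k2=v2' into a dict (constructed detail syntax)."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if kv)


def burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside any `window`-second span."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def run_rules(events):
    """Apply the three rules; return (rule, source_mac, sensors, detail) tuples."""
    alerts = []
    deauth_times = defaultdict(list)
    deauth_sensors = defaultdict(set)
    probed = defaultdict(set)
    probe_sensors = defaultdict(set)

    for ts, sensor, kind, src, detail in sorted(events):
        fields = parse_detail(detail)
        if kind == "beacon" and fields.get("ibss") == "1":
            # Rule 1: a beacon with the IBSS bit set announces an ad hoc network.
            alerts.append(("adhoc-network", src, sensor, f"ssid={fields.get('ssid')}"))
        elif kind == "deauth":
            # Rule 2 input: collect deauth timing per source, across all sensors.
            deauth_times[src].append(ts)
            deauth_sensors[src].add(sensor)
        elif kind == "probe":
            # Rule 3 input: collect the distinct SSIDs each client asks for.
            probed[src].add(fields.get("ssid", ""))
            probe_sensors[src].add(sensor)

    for src, times in deauth_times.items():
        if burst(times, DEAUTH_THRESHOLD, DEAUTH_WINDOW):
            alerts.append(("deauth-flood", src, ",".join(sorted(deauth_sensors[src])),
                           f"{len(times)} frames"))
    for src, ssids in probed.items():
        if len(ssids) >= PROBE_SSID_THRESHOLD:
            alerts.append(("probe-sweep", src, ",".join(sorted(probe_sensors[src])),
                           f"{len(ssids)} distinct ssids"))
    return alerts


if __name__ == "__main__":
    for rule, src, sensors, detail in run_rules(SAMPLE_EVENTS):
        print(f"{rule}: src={src} sensors={sensors} {detail}")
```

Correlating by source address before applying thresholds is the point of the distributed model: the deauth flood in the sample is split between the lobby and parking-lot sensors, and neither sensor alone sees the five frames in two seconds that the rule requires. The two widely spaced deauths from the legitimate access point show why the rule is rate-based rather than a match on the frame type alone.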

Limitations

Wireless IDS is a new product area, and as such, there are still plenty of rough edges and problems to overcome. Probably the foremost problem for most is the deployment of sensors. Unlike a wired IDS, where sensors can be deployed at chokepoints within a logical infrastructure (a central switch, in front of/behind a firewall, etc.), wireless IDS sensors need to be installed based on physical location. Sensors must be able to pick up radio signals from all legitimate and malicious sources you care about. This means that internal data centers, office space, and even parking lots need to have sensors to ensure all actors are detected.

Further, wireless IDSs cannot detect when an attacker is passively sniffing data. A savvy attacker will spend time sniffing a network before transmitting any frames. This 'quiet' period of passive recon is potentially quite dangerous to an enterprise, but due to the nature of wireless transmissions, there is nothing a wireless IDS can do about it. To prevent a passive sniffer from obtaining critical information about your infrastructure, it is key that all wireless users use proper link-level and network-level encryption.

This underscores the fact that a wireless IDS system, like its wired brethren, is only a part of the security puzzle. Proper policy, procedures, configuration, and auditing all must be used in conjunction with a wireless intrusion detection system to keep your wireless network safe and secure.

References:

[1] http://www.airdefense.net/
[2] http://www.iss.net/
[3] http://www.snort-wireless.org/
[4] http://www.kismetwireless.net/

About the author

Bruce Potter has a broad information security background that includes deployment of wireless networks. Trained in computer science at the University of Alaska Fairbanks, he served as a senior technologist at several hi-tech companies. Bruce is the founder and President of Capital Area Wireless Network. In 1999 he founded The Shmoo Group. Bruce co-authored 802.11 Security, published through O'Reilly and Associates, and has co-authored Mac OS X Security. He is currently a senior security consultant at Booz Allen Hamilton.
