Intrusion Detection in WLANs

Maulik Mehta, Megha Sarang, Amisha Sheth, Karthik Raghavan, Rohan Gupte

Description: Intrusion Detection Presentation For WLANs Class

Transcript of Intrusion Detection in WLANs

Page 1: Intrusion Detection in WLANs


Page 2: Intrusion Detection in WLANs

Overview
• Intruder and types of attacks.
• Rogue Access Points and why they are a threat.
• Attacks launched through Rogue Access Points.
• Conventional security mechanisms and their inefficiency against Rogue APs.
• Intrusion detection as a solution.
• Components of IDS.
• Types of IDS.
• General limitations.
• Network-based and Host-based IDS.
• Implementation process and working.
• Signatures.
• IDS and Ad Hoc Networks
• IPS vs. IDS
• Conclusions

Page 3: Intrusion Detection in WLANs

Intruder and Attacks

• Intruder: An entity who tries to find a way to gain unauthorized access to information through a network, inflict harm or engage in other malicious activities.

• Types of Attacks:

Page 4: Intrusion Detection in WLANs

Rogue Access Point
• Unauthorized AP attached to wired enterprise network.
• Personal AP used by employee (ignorant of risks), AP used with a malicious intent.
• Windows 7 Virtual WiFi: Every Windows 7 laptop is a potential rogue AP.
• RF signal spillage: Access from outside the premises.

Page 5: Intrusion Detection in WLANs

Attacks Launched through Rogue APs
• Data leakage by passive sniffing.
• Man-in-the-Middle Attack.
• Network scans and Fingerprinting.
• Enterprise Data Access.
• Free Internet Access.
• Denial of Service Attacks: ARP poisoning, IP spoofing, etc.

Page 6: Intrusion Detection in WLANs

Protection Against Rogue APs and Attacks
• Firewalls: Do not detect Rogue APs.
• WPA2: Rogue AP is not a managed AP. You can enforce security controls only on APs you can manage. ‘Hole196’, vulnerability found in WPA2.

Page 7: Intrusion Detection in WLANs

Protection Against Rogue APs and Attacks
• 802.1x port control: Cannot protect from all Rogue AP configurations. E.g. case of a MAC spoofer.
• Most networks do not have 802.1x port control.

Page 8: Intrusion Detection in WLANs

Protection Against Rogue APs and Attacks
• Antivirus & Wired IDS: Do not detect Rogue APs, as they work a layer below. Wired IDS ineffective against soft Rogue APs.
• NAC: Cannot protect from all Rogue AP configurations. E.g. MAC spoofer.

Page 9: Intrusion Detection in WLANs

Protection Against Rogue APs and Attacks
• Intrusion Detection System is the solution!!!

Page 10: Intrusion Detection in WLANs

Need for Intrusion Detection System (IDS)

• Similar to a burglar alarm/lock system in a car.
• Complements the Firewall security: IDS detects if someone tries to break through the Firewall, or breaks in and tries to get unauthorized access.
• Firewalls are effective in filtering incoming traffic from the internet. IDS is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization.

Page 11: Intrusion Detection in WLANs

Components of an IDS
• Management Console: Management and reporting console. Sensors report malicious activity to the Management Console.
• Sensors: Monitor hosts or networks on a real-time basis. They match the malicious packet with a signature from a database.
• A database of signatures: Patterns of different types of previously detected attacks.

Page 12: Intrusion Detection in WLANs

Types of Intrusion Detection Systems

Note: Products may utilize more than one type of IDS.
• Misuse IDS: Signature based detection.
• Anomaly IDS: ‘Trained’ by administrator.
• Network-based: Traffic flowing through the network is analyzed.
• Host-based: Involves only host-based sensors.
• Passive IDS: Detects intrusion, logs information and alerts the administrator.
• Reactive IDS: Responds to the suspicious activity. E.g.: Logging off the user/shutting down of AP.

Page 13: Intrusion Detection in WLANs

IDS and Ad Hoc Networks

• No supporting infrastructure.
• Conventional methods of identification and authentication are not available.
• No Gateways, switches or routers on which IDS conventionally relies.
• Mobility introduces additional challenges.
Some solutions/theories proposed:
• Secured routing protocols like SecAODV.
• Dempster-Shafer Theory.

Research still going on……

Page 14: Intrusion Detection in WLANs

General Limitations of Intrusion Detection Systems

• IDS must be run online, in real time, 24x7. Needs human intervention.

• Additional network traffic generated when sensors relay data to a central point where it can be stored and analyzed.

• IDS is as good as the database of signatures. Regular updates needed.

• False alarms might lead to complacency.
• Additional cost.

Page 15: Intrusion Detection in WLANs

Network-based IDS
• Inspects all network activity to identify suspicious patterns.
• Signature detection (use of signature database) vs. Anomaly detection (packet sizes/protocols/traffic load).
• Not just a large number of signatures but a number of signatures for a wide variety of attack types. E.g.: Buffer overflows, stealth port scans, CGI attacks, SMB probes, NMAP probes, fragment attacks, and OS fingerprinting attempts. (Example of a product: Netprowler)
• Passive (logs information and sends alerts) vs. Reactive (features like killing processes, disabling user accounts, shunning attacker IP addresses, etc.)
• Limitations: False positives, TCP Stream Reassembly/IP Defragmentation, Switched Networks.

Page 16: Intrusion Detection in WLANs

Host-based IDS

• Monitors individual systems on the network.
• Sensors located inside a host to monitor system level behavior.
• Types: Host wrappers (or personal firewalls): Tools that can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine.
• Agent-based software: Also detects changes in system files and changes in user privileges.

• Effective against masking techniques like out-of-order delivery, and switched networks.

• Limitations: Cannot fend off attacks against the protocol stack itself.

Page 17: Intrusion Detection in WLANs

Implementation of an IDS

• The success of an IDS implementation depends to a large extent on how it has been deployed.

• In most cases, it is desirable to implement a hybrid solution of network based and host based IDS to benefit from both.

• Detailed analysis of the building structure, number and location of authorized Access Points, list of MAC addresses used, etc.
• Get an overall picture of the WLAN deployed using sniffing software like Kismet or NetStumbler.
• Determine the number and location of sensors.
• Trained people who can understand alerts, program correlation tools, manage signature database, etc.
• ‘Off the shelf’ product vs. Managed Security Service Provider (MSSP).

Page 18: Intrusion Detection in WLANs

Classification of APs

• Auto-classification of APs that can be seen on the airspace.

Page 19: Intrusion Detection in WLANs

AP Connection Testing
MAC Correlation:
• Involves CAM table look up.
• Detect all MAC addresses on the network.
• Decide upon connectivity based on matches between MAC addresses on wired and wireless networks.
Signature Packet Insertion:
• Inject signature packets in wired and wireless networks.
• Detect APs that forward signature packets from wireless to wired networks.
• Superior to CAM table look up method in terms of speed, accuracy and scalability.
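The two connection tests above, together with the Page 18 auto-classification, as an added Python example that is not the presentation's own code: every MAC address, SSID, CAM-table entry and the marker payload is constructed, and `wired_by_mac`, `wired_by_signature` and `classify` are assumed names. Each AP heard by the wireless sensor ends up labelled authorized, rogue (on the wire but unmanaged) or external.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SeenAP:
    """An AP heard by the wireless sensor (all values constructed)."""
    bssid: str                 # the AP's wireless MAC
    ssid: str
    client_macs: frozenset     # stations seen associated to it

# Constructed inventory of managed APs (Page 17: list of MAC addresses used).
AUTHORIZED = frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"})

# Constructed switch CAM table (MAC -> port), e.g. as read over SNMP.
CAM_TABLE = {
    "00:11:22:33:44:01": "Gi1/0/1",
    "aa:bb:cc:dd:ee:10": "Gi1/0/7",   # client of a bridging rogue AP shows up on the wire
}

# Constructed wired-side marker and the (bssid, payload) frames captured over the air.
MARKER = b"IDS-SIG-7f3a"
CAPTURE = [
    ("00:11:22:33:44:02", b"ordinary traffic"),
    ("de:ad:be:ef:00:01", b"hdr" + MARKER),   # a NAT-ing rogue AP relays the marker
    ("ca:fe:00:00:00:42", b"neighbour traffic"),
]

def wired_by_mac(ap: SeenAP, cam: dict) -> bool:
    """MAC correlation: the AP or one of its clients appears in the CAM table.
    Misses NAT-ing APs, whose wireless-side MACs never reach the wire."""
    return ap.bssid in cam or any(m in cam for m in ap.client_macs)

def wired_by_signature(ap: SeenAP, capture: list, marker: bytes) -> bool:
    """Signature packet insertion: an AP that forwards the wired-side marker
    over the air is connected to the wired network."""
    return any(b == ap.bssid and marker in payload for b, payload in capture)

def classify(ap: SeenAP, authorized=AUTHORIZED, cam=CAM_TABLE, capture=CAPTURE) -> str:
    """Auto-classification: authorized, rogue (on our wire, unmanaged) or external."""
    if ap.bssid in authorized:
        return "authorized"
    if wired_by_mac(ap, cam) or wired_by_signature(ap, capture, MARKER):
        return "rogue"
    return "external"    # e.g. a neighbour's AP heard through RF spillage

if __name__ == "__main__":
    for ap in (SeenAP("00:11:22:33:44:01", "corp", frozenset()),
               SeenAP("11:22:33:44:55:66", "linksys", frozenset({"aa:bb:cc:dd:ee:10"})),
               SeenAP("de:ad:be:ef:00:01", "free-wifi", frozenset({"aa:bb:cc:dd:ee:20"})),
               SeenAP("ca:fe:00:00:00:42", "neighbour", frozenset())):
        print(ap.ssid, "->", classify(ap))
```

The NAT-ing AP in the sample is exactly the case MAC correlation misses and signature insertion catches, which is the accuracy gap the slide refers to.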

Page 20: Intrusion Detection in WLANs

After Detecting a Rogue AP…..

1. Over the air quarantine: Blocking by transmitting spoofed disconnection frames. Vendor neutral.

2. Switch port disable: Disables the switch port using SNMP. Switch vendor interoperability issues.

Page 21: Intrusion Detection in WLANs

Signatures

A pattern we want to look for in network traffic.
What qualifies for a signature?
• Connection attempt from reserved IP address.
• Packet with illegal (bad) TCP flag combination.
• Email containing a virus.
• Tracking the number of times a command is issued to check DoS attacks.
• File access attack involves accessing FTP without logging in.
• Specific data in the header file.
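A small signature matcher for three of the patterns listed above (reserved source address, illegal TCP flag combination, and the command-count check for DoS), as an added Python example that is not from the presentation; the packet records, addresses, the `CommandRate` threshold and all function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits
# Constructed: address blocks never valid as a source on the Internet-facing side.
RESERVED_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]

def sig_reserved_source(pkt):
    """Connection attempt (SYN without ACK) whose source is a reserved address."""
    flags, src = pkt.get("flags", 0), ipaddress.ip_address(pkt["src"])
    if flags & SYN and not flags & ACK and any(src in net for net in RESERVED_NETS):
        return f"connection attempt from reserved address {src}"

def sig_bad_tcp_flags(pkt):
    """Flag combinations no conforming TCP stack emits (typical of stealth scans)."""
    flags = pkt.get("flags")
    if flags is None:                               # not a TCP packet
        return None
    if flags & SYN and flags & FIN:
        return "illegal flag combination SYN+FIN"
    if flags == 0:
        return "illegal flag combination: no flags set (NULL scan)"

class CommandRate:
    """The slide's DoS check: a source issuing `command` more than `limit` times within `window` seconds."""
    def __init__(self, command, limit, window):
        self.command, self.limit, self.window = command, limit, window
        self.hist = defaultdict(deque)              # src -> recent timestamps
    def __call__(self, pkt):
        if pkt.get("cmd") != self.command:
            return None
        q = self.hist[pkt["src"]]
        q.append(pkt["ts"])
        while q[0] < pkt["ts"] - self.window:       # expire entries outside the window
            q.popleft()
        if len(q) > self.limit:
            return f"{self.command} sent {len(q)} times in {self.window}s by {pkt['src']}"

def run_signatures(packets, signatures):
    """Return (packet index, alert text) for every signature that matches."""
    return [(i, m) for i, p in enumerate(packets) for s in signatures if (m := s(p))]

# Constructed sample traffic (documentation addresses only) and the signature set.
PACKETS = [
    {"ts": 0, "src": "198.51.100.7", "flags": SYN},          # ordinary SYN: no alert
    {"ts": 1, "src": "0.0.0.1", "flags": SYN},               # reserved source
    {"ts": 2, "src": "203.0.113.9", "flags": SYN | FIN},     # SYN+FIN probe
    {"ts": 3, "src": "203.0.113.9", "flags": 0},             # NULL probe
] + [{"ts": 4 + i, "src": "203.0.113.5", "flags": PSH | ACK, "cmd": "USER"} for i in range(12)]
SIGNATURES = [sig_reserved_source, sig_bad_tcp_flags, CommandRate("USER", limit=10, window=60)]
```

`run_signatures(PACKETS, SIGNATURES)` yields five alerts on this traffic: the reserved source, the two bad-flag probes, and the 11th and 12th USER commands from the same host.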

Page 22: Intrusion Detection in WLANs

Creating Signatures
• Use of Honeypots: Honeypots are decoy computer resources set up for the purpose of monitoring and logging the activities of entities that probe, attack or compromise them. They generate signatures.
• Types of Honeypots: dummy items in a database, low-interaction network components like preconfigured traffic sinks, or full-interaction hosts with real operating systems and services.

Page 23: Intrusion Detection in WLANs

Examples of Signatures generated by Honeycomb

Page 24: Intrusion Detection in WLANs

IPS vs. IDS

Page 25: Intrusion Detection in WLANs

IPS vs. IDS

Page 26: Intrusion Detection in WLANs

Conclusions
• Modern day IDSs are far from bulletproof.
• However, an IDS adds significant security.
• With better understanding of threats and attacks, vendors need to continuously upgrade their IDSs.
• IDS is not a substitute for a well-defined security policy.
• Need for an able security/network administrator.
• Easier for big technology players to implement than small start-ups, due to availability of specialist resources.
• Opportunity for Managed Security Service Providers (MSSPs) to offer IDS along with their other security services.

Page 27: Intrusion Detection in WLANs

References
• White papers from http://www.sans.org/reading_room/whitepapers/wireless
• http://blog.airtightnetworks.com/category/wireless-security/
• http://www.comnews.com/WhitePaper_Library/Security
• http://conferences.sigcomm.org/hotnets/2003/papers/honeycomb.pdf
• http://www.symantec.com/connect/articles/
• http://www.ischool.utexas.edu/~netsec/ids.html
• http://www.designmpire.com/mohteshim.com/projects/anp.pdf
• http://rogueap.com/rogue-ap-docs/RogueAP-FAQ.pdf
• http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

Page 28: Intrusion Detection in WLANs

THANK YOU!

Questions???