WIRELESS INTRUSION DETECTION SYSTEMS

Presentation transcript:

WIRELESS INTRUSION DETECTION SYSTEMS Namratha Vemuri Balasubramanian Kandaswamy

THREATS VICTIMS IDS TYPES OF IDS ARCHITECTURE IMPLEMENTATION TOOLS USED ADMINISTRATION

THREATS: Reconnaissance, theft of identity and denial of service (DoS). Signal range of an authorized AP. Physical security of an authorized AP. Rogue or unauthorized AP. Easy installation of an AP. Poorly configured AP. Protocol weaknesses and capacity limits on the AP.

What is attacked? Corporate network and servers: attempted penetration through the official access points (target 1) into the corporate network; DoS attacks, as most of them are TCP/IP based. Wireless clients: the access point behaves as a hub connecting the authorized wireless clients directly to the bad guys; inevitably this exposes a connecting PC to a huge array of IP-based attacks.

Unauthorized access point: Unofficial access points installed by user departments (target 4) represent a huge risk, as the security configuration is often questionable. Bogus access points (target 5) represent a different threat, as these can be used to hijack sessions at the data link layer and steal valuable information. Target 3: the legitimate access point.

To protect our network we need to know: where all access points reside on our network; what actions to take to close down any unauthorized access points that do not conform to the company security standards; which wireless users are connected to our network; what unencrypted data is being accessed and exchanged by those users.

What is IDS? An IDS is not a firewall. An IDS watches the network from the inside and reports or alarms. An IDS monitors APs, compares the security controls defined on the AP with predefined company security standards, then resets or closes down any non-conforming APs it finds. An IDS identifies and alerts on unauthorized MAC addresses and tracks down hackers.

Intrusion detection systems are designed and built to monitor and report on network activities, or packets, between communicating devices. Many commercial and open source tools are used. TOOLS: capture and store the WLAN traffic; analyse that traffic and create reports; analyse signal strength and transmission speed.

ID SYSTEM ACTIVITIES

INFRASTRUCTURE

ARCHITECTURE

IDS: a sensor (an analysis engine) that is responsible for detecting intrusions (it contains the decision-making mechanism). The sensor receives messages from its own IDS knowledge base, syslog and audit trails. Syslog may include, for example, the configuration of the file system, user authorizations etc. This information creates the basis for the further decision-making process.

TYPES OF IDS: Misuse or anomaly IDS. Network based or host based IDS. Passive or reactive IDS.

ARCHITECTURE. CENTRALIZED: a combination of individual sensors which collect and forward 802.11 data to a centralized management system. DISTRIBUTED: one or more devices that perform both the data gathering and the processing/reporting functions of various IDS.

Distributed is best suited for smaller WLANs due to cost and management issues: the cost of many sensors with data processing, and the management of multiple processing/reporting sensors.

In centralized, it is easy to maintain only one IDS where all the data is analyzed and formatted. Drawbacks: a single point of failure; it adds 'additional' network traffic running concurrently, with an impact on network performance.

IMPLEMENTATION OF IDS: Comprises a mixture of hardware and software called intrusion detection sensors. Located on the network, they examine traffic. Where should the sensors be placed??!! How many do we need??!!

Not just to detect attackers: it also helps to enforce policies, e.g. policies for encryption. It can report if an unencrypted packet is detected. With proper enforcement WEP can be achieved (next slide).

Why do we need these? To achieve WEP. What's WEP? Wired Equivalent Privacy. Why do we need it?

People responsible: IDS security analysts who can interpret the alerts (passive IDS); IDS software programmers; IDS database administrators (misuse or anomaly IDS).

A couple of open source IDS: KISMET (802.11 a/b/g network sniffer), NETSTUMBLER.

Kismet: 802.11a/b/g network sniffer. Passively collects network traffic (listens), detects the standard named networks and detects hidden (non-beaconing) networks. Analyzes the data traffic and builds a 'picture' of data movement.

NetStumbler: sends 802.11 probes. Actively scans by sending out a request every second and reporting the responses. APs by default respond to these probes. Used for wardriving or wilding.
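The sensor logic sketched on the IDS and policy-enforcement slides (monitor APs against company standards, alert on unauthorized MACs and unencrypted packets) and the Kismet/NetStumbler slides (an active scanner sends a broadcast probe every second) can be shown as one small rule engine over captured frame records. This is an added example, not code from the presentation or from any of the products named; the policy values, frame-record format and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed company security policy (assumed values, not from the slides):
# authorized APs by BSSID, the corporate SSIDs, and the authorized client MACs.
AUTHORIZED_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSIDS = {"CorpWLAN"}
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}
PROBE_LIMIT, PROBE_WINDOW = 5, 10.0  # broadcast probes per window that mean active scanning


def analyze(frames):
    """Compare observed 802.11 frame records with policy; return (alert, address) tuples."""
    alerts, probes = [], defaultdict(list)
    for f in frames:
        if f["type"] == "beacon" and f["bssid"] not in AUTHORIZED_APS:
            # Bogus AP advertising our SSID (target 5) versus an unofficial AP (target 4)
            tag = "BOGUS_AP" if f["ssid"] in CORPORATE_SSIDS else "ROGUE_AP"
            alerts.append((tag, f["bssid"]))
        elif f["type"] == "data" and f["bssid"] in AUTHORIZED_APS:
            if f["src"] not in AUTHORIZED_CLIENTS:
                alerts.append(("UNAUTHORIZED_CLIENT_MAC", f["src"]))
            if not f["encrypted"]:  # policy: all wireless communications must be encrypted
                alerts.append(("UNENCRYPTED_DATA", f["src"]))
        elif f["type"] == "probe_req" and f["ssid"] == "":
            probes[f["src"]].append(f["t"])  # broadcast probe, as an active scanner sends
    # Active scanner: many broadcast probe requests from one station in a short window
    for src, times in probes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > PROBE_WINDOW:
                start += 1
            if end - start + 1 >= PROBE_LIMIT:
                alerts.append(("ACTIVE_SCANNER", src))
                break
    return alerts


# Constructed sample of sensor observations (t is seconds since capture start).
SAMPLE_FRAMES = [
    {"type": "beacon", "t": 0.0, "bssid": "00:11:22:33:44:01", "ssid": "CorpWLAN"},
    {"type": "beacon", "t": 0.1, "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWLAN"},     # bogus AP
    {"type": "beacon", "t": 0.2, "bssid": "de:ad:be:ef:00:02", "ssid": "MarketingAP"},  # rogue AP
    {"type": "data", "t": 1.0, "bssid": "00:11:22:33:44:01", "src": "aa:bb:cc:00:00:10", "encrypted": True},
    {"type": "data", "t": 1.5, "bssid": "00:11:22:33:44:01", "src": "aa:bb:cc:00:00:99", "encrypted": False},
]
SAMPLE_FRAMES += [{"type": "probe_req", "t": float(i), "src": "ca:fe:00:00:00:01", "ssid": ""} for i in range(6)]

if __name__ == "__main__":
    for alert, addr in analyze(SAMPLE_FRAMES):
        print(f"ALERT {alert} {addr}")
```

A real sensor would feed `analyze` from a monitor-mode capture instead of the constructed list; the rules are the same comparison of observed APs and stations against the company standard that the slides describe.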

Who manages and administers WIDS? Large organization: Network Operations group (AirMagnet Distributed 4.0, AirDefense Enterprise v4.1, Red-M). Small and medium organization: Managed Security Service Provider (MSSP).

AirMagnet Distributed: sensors report network performance information and alert the management server. AirMagnet Reporter generates reports ranging from threat summaries to channel RF signal strength. Ex: using the 'Find' tool, we can manually and physically track down the location of the rogue user.

AirDefense: the AirDefense system consists of a server running Red Hat Linux with distributed wireless AP sensors and a Java-based Web console. The AirDefense Web console and AP sensors communicate with the server on a secure channel.

Red-M: Red-M includes Red-Alert and Red-Vision. Red-Alert is a standalone wireless probe which can detect unauthorized Bluetooth devices as well as 802.11a/b/g networks. Red-Vision is a modular set of products consisting of three main components: Red-Vision Server, Red-Vision Laptop Client and Red-Vision Viewer.

Red-Vision (cont): Red-Vision Server (Heart), Red-Vision Laptop Client (Ear), Red-Vision Viewer (Brain).

Wireless IDS drawbacks: Cost, which grows in conjunction with the size of the LAN. A new, emerging technology, and hence it may contain many bugs and vulnerabilities. A wireless IDS is only as effective as the individuals who analyze and respond to the data gathered by the system.

Conclusion: Wireless intrusion detection systems are an important addition to the security of wireless local area networks. While there are drawbacks to implementing a wireless IDS, the benefits will most likely prove to outweigh the downsides.

QUESTIONS. What is policy enforcement? A policy is stated by the IDS (ex: all wireless communications must be encrypted) to detect the attack. What type of IDS is AirDefense Guard? It is misuse (signature based) or anomaly. What are 'dumb' probes? They collect all the network traffic and send it to a central server for analysis.


QUESTIONS?

THANK YOU