EE579T/12 #1 Spring 2004 © 2000-2004, Richard A. Stanley EE579T Network Security 12: Intrusion Detection & Wireless Security Prof. Richard A. Stanley.

Presentation transcript:

#1 EE579T Network Security 12: Intrusion Detection & Wireless Security
Prof. Richard A. Stanley

#2 Overview of Today’s Class
- Administrivia
- Review last week’s lesson
- Intrusion Detection
- Wireless security

#3 Reminders
- April 20/21: class at usual time with project presentations
- Final for this course is take-home
  – Final exam was distributed on the web site today
  – Exam is due 27 April

#4 Last time…
- Firewalls are an important item in network security, but not a cure-all
- There are many ways to employ firewalls, and care must be taken to analyze what is to be protected, and how
- SNMP is widely used for managing clients distributed across a network
- SNMP security is a major issue!

#5 Intrusion Detection Systems
- Oddly enough, these are systems designed to detect intrusions into protected systems
- Security intrusion (per RFC 2828):
  – A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

#6 What’s a Security Incident?
- A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.) In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. "Any adverse event which compromises some aspect of computer or network security." [R2350]
- Source: RFC 2828, page 152; emphasis added

#7 Why Do We Need This?
- With the exception of authentication systems, most of the defenses we have studied up to now are directed towards intruders coming from outside the firewall
- These systems are not perfect--some intruders will get through
- Moreover, defenses such as firewalls cannot protect against intruders on the inside

#8 Intrusion Detection Functions
- Monitor protected networks and computers in real time (or as close to real time as is practicable)
- Detect security incidents
  – Requires a policy, and a way for the IDS to know what that policy is
- Respond
  – Raise an alarm
  – Send some automated response to the attacker

#9 IDS vs. Auditing
- Audits tend to be a posteriori
  – But an IDS can be seen as performing a constant, near real time audit function
- To perform an audit, you need to know what the policy is
  – Audit measures departures from the policy norms
  – Audits depend on system logs

#10 Early IDS’s
- Emulated the audit function
  – Crawled the logs, looking for deviations from policy-permitted actions
  – Intent was to speed up the audit, making it nearly real time
  – Still a useful approach
- IDS technology has been around only since the early 1990’s; not too mature
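The "log crawler" of slides 9 and 10 in miniature: a policy is written down first, then the system log is audited against it and each departure becomes an alert. This is an added illustration, not code from the lecture; the log lines, the policy values and the rule names are constructed for the example.

```python
"""Policy-driven audit of an sshd log, the way early host-based IDSs crawled logs.
Constructed teaching code; the sample log and policy are invented for the example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines (not real data).
SAMPLE_LOG = """\
Apr 13 02:11:05 host1 sshd[412]: Failed password for root from 10.0.0.9 port 5120 ssh2
Apr 13 02:11:07 host1 sshd[412]: Failed password for root from 10.0.0.9 port 5121 ssh2
Apr 13 02:11:09 host1 sshd[412]: Failed password for root from 10.0.0.9 port 5122 ssh2
Apr 13 02:11:11 host1 sshd[412]: Accepted password for root from 10.0.0.9 port 5123 ssh2
Apr 13 09:30:00 host1 sshd[500]: Accepted publickey for alice from 10.0.0.5 port 6000 ssh2
Apr 13 23:45:12 host1 sshd[611]: Accepted password for bob from 192.0.2.7 port 7000 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: (.*)$")
AUTH_RE = re.compile(r"^(Failed|Accepted) (\w+) for (\w+) from (\S+) port \d+")

# The policy the IDS must know before it can measure departures from it (slide 9).
POLICY = {
    "allowed_hours": range(8, 19),      # interactive logins permitted 08:00-18:59
    "allowed_sources": ["10.0.0."],     # internal address prefix
    "failed_login_threshold": 3,        # failures from one source before an alarm
    "forbidden_accounts": {"root"},     # direct logins to these accounts are never allowed
}

def parse(line: str):
    """Turn one syslog line into a record; None for lines the crawler does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    rec = {"time": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host, "proc": proc, "msg": msg}
    a = AUTH_RE.match(msg)
    if a:
        rec.update(result=a.group(1), method=a.group(2), user=a.group(3), src=a.group(4))
    return rec

def audit(log_text: str, policy=POLICY):
    """Return (rule, subject) alerts for every policy departure found in the log."""
    alerts = []
    failures = defaultdict(int)  # failed logins per source address
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or "result" not in rec:
            continue
        if rec["result"] == "Failed":
            failures[rec["src"]] += 1
            if failures[rec["src"]] == policy["failed_login_threshold"]:
                alerts.append(("brute-force", rec["src"]))
            continue
        # Successful login: check it against each policy norm.
        if rec["user"] in policy["forbidden_accounts"]:
            alerts.append(("forbidden-account", rec["user"]))
        if rec["time"].hour not in policy["allowed_hours"]:
            alerts.append(("off-hours-login", rec["user"]))
        if not any(rec["src"].startswith(p) for p in policy["allowed_sources"]):
            alerts.append(("external-source", rec["src"]))
    return alerts

if __name__ == "__main__":
    for rule, subject in audit(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject}")
```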

#11 IDS Uses
- Monitor system usage
  – Determine access, usage patterns
  – Plan for capacity engineering
- Monitor specific problem areas
- Serve as a deterrent
  – Sort of like the “burglar alarm” label on a house, even if there is really no alarm

#12 Log Files
- Are evidence if an intrusion occurs
  – Must be stored in their original, unmodified form, otherwise inadmissible in court
  – Provide data from which trends can be deduced
  – Can be subjected to forensic analysis
  – Probably needed to assess level of system compromise/damage and to restore to state prior to intrusion

#13 Legal Issues - 1
- Privacy of your employees
  – Courts have held that employees have little expectation of privacy in the workplace, especially if told so at the outset
    can be monitored at work by employer
    phone calls can be monitored at work by employer
    doing either of these things outside the workplace violates the wiretap statutes (18 USC § 2516, etc.)

#14 Legal Issues - 2
- What if the IDS discovers illegal acts being performed on/by your network?
  – Employees using the network for illegal activities
  – Outsiders having planted zombie programs so that your system attacks others
  – What is your responsibility and liability?

#15 Legal Issues - 3
- This may be a Catch-22 issue
  – If an attacker is using your system, law enforcement may want you to continue to allow that to happen so they can apprehend the attacker
    If you interrupt the attack, it could be interpreted as obstruction of justice
  – But, if you allow the attack to continue, you may be liable for damages to those attacked
- Get legal advice--beforehand!

#16 What About Automated Response?
- Tempting capability
- If attacking your system is illegal, what makes your attack on the attacker less illegal?
- What if you are, or are acting on behalf of, a governmental entity and the attacker is also a governmental entity?
  – Casus belli

#17 IDS Architecture
(Figure: Sensor and Management Console)

#18 Console
- Monitors and controls sensors
  – Sets policy, alarm levels, etc.
  – Stores logs
- Must have secure communications with sensors
  – Encrypted connection
  – Out of band (OOB)

#19 IDS Types
- Network-based (NIDS)
  – Monitors the network backbone
- Network node-based (NNIDS)
  – Monitors network nodes, not the backbone
- Host-based (HIDS)
  – This is the “log crawler” that started it all
- Gateway (GIDS)
  – NIDS in series with the network
  – Leads to Intrusion Protection Systems (IPS)

#20 What Can It See?
- Network packets
- OS API calls
- System logs
- How do we merge this data to detect intrusions?

#21 Host-Based
- Sits on a host as a background task
- Monitors (potentially)
  – traffic to and from the host
  – OS API calls
  – system logs
- Adds to processing load on the host, so host must be able to support the extra load

#22 Network-based
- NIDS sensors placed on network backbone
  – Can view only packet traffic passing by, much like a classic passive sniffer
  – Does not place processing load on network, but the NIDS platform must be capable of dealing with network traffic speeds
    Software can usually handle 100 Mbps
    Hardware only 2-3 times faster
    If network is faster, looks only at subset of packets

#23 Network Node-based
- Used to inspect intrusions directly into network nodes
  – Effectively a blending of HIDS and NIDS
  – Used to protect mission-critical machines
  – Again, a background process on existing nodes, so node must be able to handle added processing load

#24 Gateway
- In series with network
  – Often set to block prohibited traffic automatically
  – Think of it as an in-network firewall with an extended rule set
  – Must be able to keep up with network load

#25 Deployment
- Putting in an IDS is a complex and time-consuming affair
  – Typically, start simple and add functionality as you learn more about the network
  – NIDS tends to see more and load network least
  – Follow up with HIDS on selected hosts, perhaps NNIDS on critical nodes
- Policy has to be in place first

#26 Attack Signatures
- Critical to success of any IDS
- Must be maintained, just like virus signatures
  – You want some visibility into this
  – Do you want strangers deciding what is an attack on your critical systems?
- Some IDS’s let you write/modify signatures, others do not
- CVE:

#27 IDS Deployment
- First, design the IDS sensor and management layout
- Next, deploy the IDS
  – Test the network for normal operation
  – Test the IDS
    Run packaged attacks to see if all are detected
    Document performance and repeat test regularly
  – Tune the IDS

#28 Sampling of IDS Products
- RealSecure
- NFR
- Snort
- SnortSnarf

#29 IDS Summary
- IDS’s can be useful in monitoring networks for intrusions and policy violations
- Up-to-date attack signatures and policy implementations essential
- Many types of IDS available, at least one as freeware
- Serious potential legal implications
- Automated responses to be avoided

#30 Wireless Security: What’s the Problem?
- Rapid, extensive wireless deployment
- Little to no installation RF engineering
- Ineffective built-in security protocols
- Lack of awareness of ways that wireless access can compromise networks
  – Inadvertently
  – Maliciously

#31 Standards
- This is new territory
- Until the late 1990’s, no overall standards existed for WLANs
  – Each manufacturer did their own thing
  – Interoperability virtually nonexistent
- Cross-vendor operability still an issue in some settings

#32 WLANs Today Are Largely Standardized
- Dominant -- but not only -- standard is IEEE 802.11x
  – 802.11b: currently most popular, large $$
    2.4 GHz ISM band, DSSS, 1-11 Mbps
  – 802.11a: about to take over?
    5 GHz UNII band, OFDM, up to 54 Mbps
  – 802.11i: coming on fast, includes integrated, improved security features
- Single standard allows intruders to focus their efforts to maximum effect
(Figure labels: “Intended to be compatible”, “Incompatible”)

#33 Most Common WLAN Standards
(Table)

#34 WLANs Don’t Usually Stand Alone
- Wireless LANs are usually extensions to wired LANs, using access points (AP)
  – An AP functions as an IP bridge between the wired and wireless media
- While all-wireless LANs are possible, they are uncommon as intentional configurations

#35 WLAN Operation
- Probes
  – Signals from clients seeking to connect
  – Elicit response from potential APs
  – Connection established w/strongest signal
- Beacons
  – Advertise presence and ID of AP
  – Provide public notice of network presence

#36 Typical WLAN Topology
(Figure: AP)

#37 But What If The Topology Actually Looks Like This?
(Figure: Unauthorized Client)

#38 Internal Security Vulnerabilities
- Rogue WLANs
  – Created by unauthorized APs on network
  – Modern computer configurations facilitate
- Accidental Associations
  – WLAN client inadvertently associating with another network within range
- Insecure Network Configurations

#39 External Security Vulnerabilities
- Eavesdropping
  – Common, easy to do
- Denial of service & interference
  – Simply a jamming problem
- Masquerade
  – Capture legitimate info, use to log on
- Man-in-the-middle attacks

#40 RF Engineering Issues
- Most WLANs are installed without benefit of detailed RF engineering
- Access points, although low power, still can cover a large geographic area
- Addition of directional antennas to AP or receiver can further extend range

#41 RF Issues
- Mapping the coverage of your APs is critical, but seldom done
- Widely available data on WLAN coverage that can be used for “free” service
- It isn’t just your system. What about overlapping coverage from your neighbors?

#42 Measured Coverage of One Access Point in Lawrence, KS
(Figure) It was intended to cover only the interior of the building in red!

#43 Northeast US Wi-Fi Coverage
(Figure)

#44 Free Wi-Fi in NYC (one view)
(Figure)

#45 Rogue WLANs
- “Standard” computer configuration today includes WLAN NIC, especially on laptops (cf. Intel Centrino®)
- Result is same as when modems connecting around the firewall were the primary problem
- User may be totally unaware W/L device is activated and in use

#46 Inadvertent Association
- When the client can “see” multiple APs, it may be difficult to force it to associate with the correct one
- Result: network client connected to foreign network, which can leak sensitive info and anything else available over the network

#47 Insecure Configurations
- Default settings
- SSID broadcast
- Weak or no encryption
- Weak authentication
- Beware the “helpful” employee or the power-up reset menu!

#48 Configuration Settings
- As with so many other network elements, many default settings remain at their factory setting in deployed nets
- SSIDs should always be changed from the default, and rarely broadcast
  – This makes it harder, but far from impossible, for intruders to “find” the net

#49 WEP: Too Literal An Implementation
- WEP = Wired Equivalent Privacy
  – That’s exactly what it provides, perhaps even better than that
  – Problem? That isn’t enough
    Wired signals are confined to cables (mostly)
    Wireless signals are available to all listeners
- Although flawed, WEP is better than nothing, but most users turn it off

#50 Origins of WEP
- Marketing and Political Issues:
  – Developed as part of a wireless LAN research project at Apple Computer, Inc.
  – Eavesdropping was perceived as a barrier to market acceptance
  – Apple sells into a worldwide market so solution had to be exportable
  – When WEP developed, NSA allowed only 40-bit encryption to be exported

#51 Origins of WEP (cont.)
- Technical Issues:
  – Eavesdropping on wireless link => privacy and authentication problems
  – Multiple network protocols (in 1993) => solution required at data link layer
  – Data link layer is “best effort” => crypto-state (other than shared key) must accompany each frame

#52 WEP Solution
- Apple had unlimited RC4 license from RSA, Inc.
- Method and apparatus for variable-overhead cached encryption, US Patent 5,345,508, applied for 23 Aug 1993, granted 6 Sept 1994
- Licensed for export in mid-1994

#53 WEP Encryption
(Figure: the Initialization Vector (IV) is joined with the Secret Key to form the Seed; the Seed drives the PRNG RC4() to produce a Key Sequence, cached up to MAX_MSG_SZ; the Key Sequence is XORed with the Plaintext to give the Ciphertext, and the IV is sent along with the Ciphertext)
- The problems with this approach are obvious!

#54 IEEE 802.11’s use of WEP
- WEP introduced in March 1994
- Strong pushback in standards committee regarding cost and overhead of encryption
- Dilution of proposal; privacy in 802.11x made optional
  – By default, WEP is not activated in 802.11x devices; requires positive user intervention

#55 WEP Security Problems
- Papers submitted to committee highlight the problems with WEP; “Unsafe at any Key Size” presented in October
- Task Group I formed to solve WEP security problems
- Press gets wind of the issue
- Public domain attacks; “war driving”

#56 WEP Security Problems (cont.)
- Passive attacks to decrypt traffic based on statistical analysis
- Active ‘known plaintext’ attack to inject new traffic from unauthorized mobile stations
- Active attacks to decrypt traffic, based on tricking the access point
- Dictionary-building attack; real-time automated decryption of all traffic after a day’s sampling
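The diagram on slide 53 and the "crypto-state must accompany each frame" point on slide 51, worked as code: RC4 is seeded with the 24-bit IV prepended to the shared key, the keystream is XORed over the plaintext and its CRC-32 ICV, and the IV travels in the clear. Two defender-side checks follow from this: when an IV repeats under the same key the two ciphertexts XOR to the XOR of the two plaintexts (the keystream cancels), and the birthday bound shows how few frames it takes before a repeat is likely. This is an added example, not the lecture's or any vendor's code; the key and plaintexts are constructed.

```python
"""WEP frame protection: RC4(IV || key) keystream XOR (plaintext || CRC-32 ICV).
Constructed teaching code illustrating the lecture's diagram; not a vendor implementation."""
import math
import os
import zlib
from typing import Optional

IV_LEN = 3          # WEP's 24-bit per-frame IV, transmitted in the clear
IV_SPACE = 2 ** 24  # distinct IVs available to one shared key

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), the PRNG box of the diagram."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ciphertext, where the ciphertext covers plaintext and its CRC-32 ICV."""
    assert len(iv) == IV_LEN
    icv = zlib.crc32(plaintext).to_bytes(4, "little")  # Integrity Check Value
    seed = iv + secret_key                              # the "Seed": IV prepended to the key
    keystream = rc4_keystream(seed, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)

def wep_decrypt(secret_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok); icv_ok is False when the frame was altered in transit."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    data = xor(body, rc4_keystream(iv + secret_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv

def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """If two frames under one key carry the same IV, their keystreams are identical, so
    ciphertext_a XOR ciphertext_b == plaintext_a XOR plaintext_b. Returns that XOR over
    the common length, or None when the IVs differ (no leak from this pair)."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        return None
    n = min(len(frame_a), len(frame_b)) - IV_LEN
    return xor(frame_a[IV_LEN:IV_LEN + n], frame_b[IV_LEN:IV_LEN + n])

def frames_until_iv_collision_likely(p: float = 0.5) -> int:
    """Birthday bound: number of frames with randomly chosen IVs after which an IV repeat
    has probability at least p. A 24-bit IV space is exhausted in thousands of frames."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p))))

if __name__ == "__main__":
    key = bytes.fromhex("0123456789")  # constructed 40-bit shared key
    frame = wep_encrypt(key, os.urandom(IV_LEN), b"example frame")
    print(wep_decrypt(key, frame))
    print("frames until a 50% chance of IV reuse:", frames_until_iv_collision_likely())
```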

#57 Wardriving Sample
(Figure)

#58 The Threat: A Sampler of WLAN Hacker Tools
(Figure, courtesy AirDefense)

#59 Task Group I
- Long term security architecture for 802.11
- Based on 802.1X authentication standard and two new encryption protocols (TKIP and CCMP)
  – Labeled Robust Security Network (RSN)
- Uses Upper Layer Authentication (ULA) protocols outside the scope of 802.11i (e.g. EAP/TLS)

#60 RSN Data Privacy Protocols
- Temporal Key Integrity Protocol (TKIP)
  – a cipher suite enhancing the WEP protocol on pre-RSN hardware
- Counter Mode/CBC-MAC Protocol (CCMP)
  – based on AES and Counter-Mode/CBC-MAC (CCM)
  – Mandatory for RSN compliance

#61 Robust Security Network
Includes:
- Better key derivation/distribution based on 802.1X
  – For TKIP: per message 128 bit key derivation
- Improved encryption (TKIP, CCMP)
- Stronger keyed Message Integrity Checks
  – Custom MIC for TKIP with 22 bit effective strength
  – Strong AES-based MIC for CCMP
- IV sequencing to control message replay
  – 44 bits to avoid re-keying (4 bits for QoS)

#62 802.1X
- Originally designed as port-based network access control for PPP
- Provides support for a centralized management model
- Primary encryption keys are unique to each station and generated dynamically
- Provides support for strong upper layer authentication (ULA)

#63 802.1X Architectural Framework
- Employs Extensible Authentication Protocol (EAP)
  – EAP built around challenge-response paradigm
  – operates at network layer = flexibility
- Provides transport for ULA protocols
- Two sets of keys dynamically generated
  – Session Keys, Group Keys

#64 802.1X Overview
- Generic method for Port Based Network Access and Authentication for IEEE 802 LAN’s
- Specifies protocol between devices (wireless clients) desiring access to the bridged LAN and devices (Access Points) providing access to the bridged LAN
- Specifies the protocol between the authentication server (e.g. RADIUS) and the authenticator
- Specifies different levels of access control
- Specifies the behavior of the port providing access to the LAN

#65 802.1x Definitions
- Authenticator: System port that is responsible for granting access to services that are accessible via the port (e.g. AP)
- Supplicant: The port requesting access to the service via the authenticator (e.g. wireless client)
- Port Access Entity: The software that is associated with the port. It supports the functionality of Authenticator, Supplicant or both
- Authentication Server: An entity that provides the authentication service to the authenticator. Usually an external or remote server (e.g. RADIUS)

#66 (Figure only)

#67 Description cont.
(Figure: IEEE 802.1X Terminology; pieces of the system: Supplicant, Authenticator, Authentication Server; Controlled port, Uncontrolled port)

#68 Normal Data Blocked
(Figure: Wireless laptop, Access Point, Authentication Server; 802.1X traffic between laptop and AP, Authentication traffic between AP and server; authentication traffic flows, Normal Data initially blocked by Access Point)
- Wireless client associates with the AP
- Only Authentication Traffic is allowed to flow through Access Point
- The Access Point Blocks all Normal Data Traffic
- Access point correctly encapsulates the 802.1x traffic and Authentication Traffic

#69 Mutual Authentication
(Figure: Wireless laptop (Supplicant), Access Point (Authenticator), Authentication Server; 802.1X traffic, Authentication traffic)
- The Supplicant securely obtains the WEP key during Proper Authentication
- The RADIUS Server sends the WEP Key to the Access Point
- The WEP Key is then used by the Access Point to send the Broadcast WEP key
- Normal Data Traffic is still blocked
- Only Authentication Traffic is passed by the AP

#70 Client Access Granted
(Figure: Wireless laptop (Supplicant), Access Point (Authenticator), Authentication Server; authentication traffic flows, data traffic flows)
- The client decrypts the broadcast key using the session WEP key
- The client sets the broadcast WEP key through the NIC interface
- Successful EAP Authentication
- Normal Data traffic is now enabled

#71 New Authentication Types
(Figure: Wireless laptop (Supplicant), Access Point (Authenticator), Authentication Server; 802.1X traffic, Authentication traffic)
- Only Authentication server is aware of the authentication type, e.g.
  – Kerberos
  – One Time Password
- Client and AP need not be modified to add new authentication types

#72 Key Distribution
- Dynamic Session Key
  – Session key depends on EAP authentication type
  – The client specific session key is sent to the AP from the RADIUS
- Broadcast Key
  – The Dynamic session Key is used to encrypt the broadcast key sent from the AP to the wireless client
  – Authentication server timeouts can be configured to re-authenticate the client (adds extra security)

#73 Client-AP Implementation
- Client (Supplicant)
  – Prior to 802.1x authentication, the client-AP use an open authentication model
  – On authentication, dynamic WEP is used
  – Both the client and AP must be able to support WEP and non-WEP traffic
- Access Point (Authenticator)
  – Communicates with the client using 802.1x
  – Communicates with the Authentication Server using RADIUS
  – Encapsulates incoming EAPOL traffic into RADIUS traffic
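The sequence of slides 68 through 73 as a small simulation: the access point's controlled port stays closed to normal data, EAPOL frames (EtherType 0x888E) cross the uncontrolled port and are relayed to the authentication server, and after EAP success the AP opens the port and hands the station the broadcast key wrapped under its own dynamic session key. This is an added example, not the lecture's or any product's code; the challenge-response EAP method, the key derivation and the key wrapping are simplified stand-ins, and the credentials and MAC addresses are constructed.

```python
"""Toy model of 802.1X port-based access control at an access point (slides 68-73).
Constructed teaching code; the EAP method and key wrapping are stand-ins for real ones."""
import hashlib
import hmac
import os

EAPOL_ETHERTYPE = 0x888E  # real EtherType for EAP over LAN
IPV4_ETHERTYPE = 0x0800   # stands in for "normal data" here

def eap_response(password: bytes, nonce: bytes) -> bytes:
    """Supplicant's answer to the server's challenge (toy challenge-response EAP method)."""
    return hmac.new(password, b"response" + nonce, hashlib.sha256).digest()

def derive_session_key(password: bytes, nonce: bytes) -> bytes:
    """Per-station dynamic key derived at both ends of the EAP exchange; the AP cannot derive it."""
    return hmac.new(password, b"session-key" + nonce, hashlib.sha256).digest()[:16]

def wrap_key(session_key: bytes, key: bytes) -> bytes:
    """Protect the group key under a session key (XOR with a derived pad; the same call unwraps).
    Stand-in for the EAPOL-Key encryption, not the real one."""
    pad = hmac.new(session_key, b"group-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

class AuthenticationServer:
    """Stand-in for RADIUS: it alone holds credentials and knows the EAP method (slide 71)."""
    def __init__(self, credentials: dict):
        self._creds = credentials
        self._pending = {}  # identity -> outstanding challenge nonce

    def challenge(self, identity: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes):
        """Return the session key on success (what RADIUS sends to the AP, slide 72), else None."""
        nonce = self._pending.pop(identity, None)
        password = self._creds.get(identity)
        if nonce is None or password is None:
            return None
        if not hmac.compare_digest(response, eap_response(password, nonce)):
            return None
        return derive_session_key(password, nonce)

class AccessPoint:
    """Authenticator: one controlled port per associated station MAC."""
    def __init__(self, server: AuthenticationServer):
        self._server = server
        self._authorized = {}               # mac -> session key; presence means port open
        self.broadcast_key = os.urandom(5)  # constructed 40-bit group WEP key

    def port_authorized(self, mac: str) -> bool:
        return mac in self._authorized

    def handle_frame(self, src_mac: str, ethertype: int, payload) -> tuple:
        """Decide what happens to a frame from an associated station."""
        if ethertype == EAPOL_ETHERTYPE:
            return self._relay_eapol(src_mac, payload)  # uncontrolled port: always passes
        if self.port_authorized(src_mac):
            return ("forwarded",)                       # controlled port open (slide 70)
        return ("dropped",)                             # normal data blocked (slide 68)

    def _relay_eapol(self, mac: str, payload: tuple) -> tuple:
        """The AP only encapsulates EAP between station and server; it never sees the password."""
        kind = payload[0]
        if kind == "identity":
            return ("challenge", self._server.challenge(payload[1]))
        if kind == "response":
            session_key = self._server.verify(payload[1], payload[2])
            if session_key is None:
                self._authorized.pop(mac, None)
                return ("eap-failure",)
            self._authorized[mac] = session_key  # port opens for this station only
            return ("eap-success", wrap_key(session_key, self.broadcast_key))
        return ("dropped",)

def supplicant_login(ap: AccessPoint, mac: str, identity: str, password: bytes):
    """Run the station side of the exchange; return the unwrapped broadcast key, or None."""
    reply = ap.handle_frame(mac, EAPOL_ETHERTYPE, ("identity", identity))
    if reply[0] != "challenge":
        return None
    nonce = reply[1]
    reply = ap.handle_frame(mac, EAPOL_ETHERTYPE,
                            ("response", identity, eap_response(password, nonce)))
    if reply[0] != "eap-success":
        return None
    return wrap_key(derive_session_key(password, nonce), reply[1])
```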

#74 Drawbacks
- EAPOL traffic for Shared-Media LANs means that WLANs should be encrypted. Encryption of EAPOL not mandatory in 802.1x
- Port Based Network access defined only for “Infrastructure Mode” of WLANs. Peer-to-peer (Ad Hoc) mode not dealt with.

#75 EAP Summary
- EAP is an end-to-end security solution
  – Mitigates the current WLAN security threats of stolen hardware and rogue access points.
  – User-specific session-based WEP keys used. Reduces risk of static WEP keys lying around on clients and APs
  – Replaces currently deployed Static WEP with a more secure Dynamic WEP key distribution mechanism
  – Centralized authentication and access model via the RADIUS server

#76 802.11i - Summary
- Draft provides a system to greatly enhance security for users of Wi-Fi equipment
- Improved encryption and 802.1X standard for authentication – address all the shortfalls in the current standard
- Draft standard expected to be ratified in fall of 2003

#77 Issues
- 802.11i draft standard exists on paper, but compliance cannot be claimed before ratification
- Solution required now
- Current proprietary solutions do not interoperate

#78 Existing Solutions & Other Methods
- MAC address filtering
- Access Point Placement
- Proprietary Solutions
  – Cisco’s LEAP
  – NextComm’s Key Hopping
  – 3Com’s Embedded firewall in wireless APs
- Virtual Private Networks (VPNs)

#79 Wi-Fi Protected Access - WPA
- WPA is a response by the industry to offer a strong and immediate security solution that would replace WEP
- It is a subset of the 802.11i draft standard and is going to maintain forward compatibility
- Main idea - “Bring what is ready now to the market”
- Increases the level of security for Wireless LAN
- It is a standards-based, interoperable security specification

#80 WPA
- Provides user authentication
  – Central authentication server (like RADIUS)
  – Via 802.1x and EAP
- Improves data encryption
  – Temporal Key Integrity Protocol (TKIP)
- Eventually will support full 802.11i compliance
- Some implementation issues remain

#81 Best Practices For Now
- WEP is better than nothing; turn it on and change keys often
- Engineer placement of access points
- Upgrade firmware and drivers on APs and wireless cards as they are released
- VPN (treat wireless users as you would dial-in users)
  – No panacea, but much better than nothing
- Check for 802.1x support before buying

#82 The Future
- Improved encryption and authentication
  – Part of 802.11i standard
  – Likely to be deployed soon (2004?)
  – Major problems with installed base
- Increased user sensitivity to security issues driving demand for solutions
- Products entering the marketplace to automatically identify vulnerabilities

#83 Summary
- Wireless is becoming the preferred method for mobile users to connect to LANs
- Wireless brings with it many security issues, which span several technical fields
- Careful attention must be paid to wireless security issues, else the entire network will be compromised