EE579T/11 #1 Spring 2005 © 2000-2005, Richard A. Stanley. EE579T / CS525T Network Security 11: Intrusion Detection Systems; Wireless Security. Prof. Richard A. Stanley.

Slide 1: EE579T / CS525T Network Security 11: Intrusion Detection Systems; Wireless Security (Prof. Richard A. Stanley)

Slide 2: Overview of Tonight's Class
- Review last week's lesson
- Final exam
  - On the web page
  - Due to me electronically in 2 weeks (26 Apr)
- Project scheduling
  - Presentations on 15 April
  - Keep presentations to 25 minutes including Q&A
  - Let's have volunteers for each time slot, keeping in mind your work schedules
- Intrusion detection systems
- Wireless security

Slide 3: Summary
- SNMP is widely used for managing clients distributed across a network
- SNMPv1 is simple, effective, and provides the majority of SNMP service in the field
- SNMPv2 adds some functionality to v1
- SNMPv3 is a security overlay for either version, not a standalone replacement
- SNMP security is a major issue!

Slide 4: Intrusion Detection Systems
- Oddly enough, these are systems designed to detect intrusions into protected systems
- Security intrusion (per RFC 2828):
  - A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Slide 5: What's a Security Incident?
- A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.)
- In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached.
- "Any adverse event which compromises some aspect of computer or network security." [R2350]
- Source: RFC 2828, page 152; emphasis added

Slide 6: Why Do We Need This?
- With the exception of authentication systems, most of the defenses we have studied up to now are directed towards intruders coming from outside the firewall
- These systems are not perfect; some intruders will get through
- Moreover, defenses such as firewalls cannot protect against intruders on the inside

Slide 7: Intrusion Detection Functions
- Monitor protected networks and computers in real time (or as close to real time as is practicable)
- Detect security incidents
  - Requires a policy, and a way for the IDS to know what that policy is
- Respond
  - Raise an alarm
  - Send some automated response to the attacker

Slide 8: IDS vs. Auditing
- Audits tend to be a posteriori
  - But an IDS can be seen as performing a constant, near-real-time audit function
- To perform an audit, you need to know what the policy is
  - Audits measure departures from the policy norms
  - Audits depend on system logs

Slide 9: Early IDSs
- Emulated the audit function
  - Crawled the logs, looking for deviations from policy-permitted actions
  - Intent was to speed up the audit, making it nearly real time
  - Still a useful approach
- IDS technology has been around only since the early 1990s; not too mature
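The "log crawler" of slides 7 to 9 in miniature: a policy the IDS is given explicitly, and a pass over audit log lines that reports every departure from it. This is an added teaching example, not code from the lecture; the host name, users, addresses and log lines are constructed, and the policy rules are assumptions chosen to exercise each branch.

```python
"""Minimal host-based 'log crawler' IDS: audit log lines are checked against a policy.
Added example; sample log and policy are constructed for illustration."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed syslog-style auth records (hypothetical host, users and addresses).
SAMPLE_LOG = """\
Apr 12 22:01:10 host1 sshd[412]: Accepted password for alice from 10.1.2.3 port 5001
Apr 12 22:02:44 host1 sshd[413]: Failed password for root from 198.51.100.7 port 5002
Apr 12 22:02:50 host1 sshd[413]: Failed password for root from 198.51.100.7 port 5002
Apr 12 22:02:57 host1 sshd[413]: Failed password for root from 198.51.100.7 port 5002
Apr 12 22:03:09 host1 sshd[414]: Accepted publickey for root from 198.51.100.7 port 5003
Apr 12 22:05:31 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Apr 12 22:06:02 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo: (\S+) : .*COMMAND=(\S+)")

@dataclass
class Policy:
    """What the IDS must be told before it can call anything a deviation (slide 7)."""
    internal: ipaddress.IPv4Network = ipaddress.ip_network("10.0.0.0/8")
    root_remote_login: bool = False            # root may never log in over the network
    sudo_allowed: frozenset = frozenset({"alice"})
    max_failures: int = 3                      # failed logins tolerated per source

def crawl(log_text: str, policy: Policy) -> list[str]:
    """Return one alert string per policy deviation found, in log order."""
    alerts: list[str] = []
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, user, src = m.groups()
            if outcome == "Failed":
                failures[src] += 1
                if failures[src] == policy.max_failures:   # alert once per source
                    alerts.append(f"brute-force: {failures[src]} failures from {src}")
            else:
                if ipaddress.ip_address(src) not in policy.internal:
                    alerts.append(f"external login: {user} from {src}")
                if user == "root" and not policy.root_remote_login:
                    alerts.append(f"root remote login from {src}")
            continue
        m = SUDO_RE.search(line)
        if m:
            user, cmd = m.groups()
            if user not in policy.sudo_allowed:
                alerts.append(f"unauthorized sudo: {user} ran {cmd}")
    return alerts

if __name__ == "__main__":
    for alert in crawl(SAMPLE_LOG, Policy()):
        print("ALERT", alert)
```

Loosening the policy (for example `Policy(root_remote_login=True)`) silently drops the corresponding alerts, which is the point of slide 7: without a stated policy the crawler has nothing to measure deviations from.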

Slide 10: IDS Uses
- Monitor system usage
  - Determine access, usage patterns
  - Plan for capacity engineering
- Monitor specific problem areas
- Serve as a deterrent
  - Sort of like the "burglar alarm" label on a house, even if there is really no alarm

Slide 11: Log Files
- Are evidence if an intrusion occurs
  - Must be stored in their original, unmodified form, otherwise inadmissible in court
  - Provide data from which trends can be deduced
  - Can be subjected to forensic analysis
  - Probably needed to assess level of system compromise/damage and to restore to state prior to intrusion

Slide 12: Legal Issues - 1
- Privacy of your employees
  - Courts have held that employees have little expectation of privacy in the workplace, especially if told so at the outset
  - Can be monitored at work by employer
  - Phone calls can be monitored at work by employer
  - Doing either of these things outside the workplace violates the wiretap statutes (18 USC § 2516, etc.)

Slide 13: Legal Issues - 2
- What if the IDS discovers illegal acts being performed on/by your network?
  - Employees using the network for illegal activities
  - Outsiders having planted zombie programs so that your system attacks others
  - What is your responsibility and liability?

Slide 14: Legal Issues - 3
- This may be a Catch-22 issue
  - If an attacker is using your system, law enforcement may want you to continue to allow that to happen so they can apprehend the attacker
    - If you interrupt the attack, it could be interpreted as obstruction of justice
  - But, if you allow the attack to continue, you may be liable for damages to those attacked
- Get legal advice, beforehand!

Slide 15: What About Automated Response?
- Tempting capability
- If attacking your system is illegal, what makes your attack on the attacker in response less illegal?
- What if you are, or are acting on behalf of, a governmental entity and the attacker is also a governmental entity?
  - Casus belli

Slide 16: IDS Architecture (diagram: Sensor, Management Console)

Slide 17: Console
- Monitors and controls sensors
  - Sets policy, alarm levels, etc.
  - Stores logs
- Must have secure communications with sensors
  - Encrypted connection
  - Out of band (OOB)

Slide 18: IDS Types
- Network-based (NIDS)
  - Monitors the network backbone
- Network node-based (NNIDS)
  - Monitors network nodes, not the backbone
- Host-based (HIDS)
  - This is the "log crawler" that started it all
- Gateway (GIDS)
  - NIDS in series with the network

Slide 19: What Can It See?
- Network packets
- OS API calls
- System logs
- How do we merge this data to detect intrusions?

Slide 20: Host-Based
- Sits on a host as a background task
- Monitors (potentially)
  - traffic to and from the host
  - OS API calls
  - system logs
- Adds to processing load on the host, so host must be able to support the extra load

Slide 21: Network-based
- NIDS sensors placed on network backbone
  - Can view only packet traffic passing by, much like a classic passive sniffer
  - Does not place processing load on network, but the NIDS platform must be capable of dealing with network traffic speeds
    - Software can usually handle roughly 100 Mbps
    - Hardware only 2-3 times faster
    - If network is faster, looks only at a subset of packets

Slide 22: Network Node-based
- Used to inspect intrusions directly into network nodes
  - Effectively a blending of HIDS and NIDS
  - Used to protect mission-critical machines
  - Again, a background process on existing nodes, so node must be able to handle added processing load

Slide 23: Gateway
- In series with network
  - Often set to block prohibited traffic automatically
  - Think of it as an in-network firewall with an extended rule set
  - Must be able to keep up with network load

Slide 24: Intrusion Protection Systems
- Latest trend in IDS technology
- Idea is to use what the IDS identifies to change the network rules ad hoc, in theory preventing further exploitation
- Very similar to GIDS

Slide 25: IPS Issues
- Attack signatures generally known only a posteriori
- Heuristic analysis has not worked very well in other venues, such as virus detection
- How long to maintain the "new" rules before reverting to the original ones?
- Exploitation of the IPS

Slide 26: Deployment
- Putting in an IDS is a complex and time-consuming affair
  - Typically, start simple and add functionality as you learn more about the network
  - NIDS tends to see more and load network least
  - Follow up with HIDS on selected hosts, perhaps NNIDS on critical nodes
- Policy has to be in place first

Slide 27: Attack Signatures
- Critical to success of any IDS
- Must be maintained, just like virus signatures
  - You want some visibility into this
  - Do you want strangers deciding what is an attack on your critical systems?
- Some IDSs let you write/modify signatures, others do not
- CVE:

Slide 28: IDS Deployment
- First, design the IDS sensor and management layout
- Next, deploy the IDS
  - Test the network for normal operation
  - Test the IDS
    - Run packaged attacks to see if all are detected
    - Document performance and repeat test regularly
  - Tune the IDS

Slide 29: Sampling of IDS Products
- RealSecure: rise_protection/rsnetwork/sensor.php
- NFR:
- Snort:
- SnortSnarf: ortsnarf/

Slide 30: IDS Summary
- IDSs can be useful in monitoring networks for intrusions and policy violations
- Up-to-date attack signatures and policy implementations essential
- Many types of IDS available, at least one as freeware
- Serious potential legal implications
- Automated responses to be avoided

Slide 31: Wireless Network Security
- Wireless networks growing at a rapid pace
  - Gartner Group predicts wireless installations will multiply >7X by 2007 to over 31M
- Business drivers
  - Installation cost and time
  - Mobility
  - Flexibility
  - Operating costs

Slide 32: Wireless Inherently Insecure
- Wired networks contain (or try to contain) signals to a wired path, which must be physically tapped to compromise line security
  - Possible to physically discover the tap
- Wireless networks deliberately broadcast data into space, where it can be intercepted by anyone with the proper receiver
  - Data tap impossible to discover

Slide 33: This Isn't New News
- Since early days, wireless vendors strove to provide privacy equivalent to that available on the wired network
  - WEP = wired equivalent privacy
  - This is not a high standard to meet
- They succeeded, but that wasn't good enough for user requirements

Slide 34: Wireless Security Issues
- How does a wireless network work?
- How can you "join up"?
- What about the encryption?
- Can it really be secure?

Slide 35: How It Works
- Clients send probes
- Access points broadcast beacons and, often, their Service Set ID (SSID)
- When a client finds an access point with an acceptable signal level and a matching SSID, a connection is established
- Many networks are built precisely to facilitate connection by "foreign" users

Slide 36: Wireless LAN Elements (diagram: access point [AP], station [STA])

Slide 37: Origins of WEP
- Marketing and political issues:
  - Developed as part of a wireless LAN research project at Apple Computer, Inc.
  - Eavesdropping was perceived as a barrier to market acceptance.
  - Apple sells into a worldwide market, so the solution had to be exportable.
  - NSA only allowed 40-bit encryption to be exported.

Slide 38: Origins of WEP (cont.)
- Technical issues:
  - Eavesdropping on wireless link => privacy and authentication problems.
  - Multiple network protocols (in 1993) => solution required at data link layer.
  - Data link layer is "best effort" => crypto-state (other than shared key) must accompany each frame.

Slide 39: WEP Solution
- Apple had unlimited RC4 license from RSA, Inc.
- Method and apparatus for variable-overhead cached encryption, US Patent 5,345,508, applied for 23 Aug 1993, granted 6 Sept
- Licensed for export in mid-1994.

Slide 40: WEP Encryption (diagram)
- Initialization Vector (IV) + Secret Key -> Seed (IV concatenated with the key)
- Seed -> PRNG RC4() -> Key Sequence, cached (MAX_MSG_SZ bytes)
- Plaintext + Key Sequence -> Ciphertext (XOR)
- IV is transmitted alongside the ciphertext
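The diagram above, as an added teaching example that is not code from the lecture or from the patent: seed = IV || secret key feeds an RC4 PRNG, the key sequence is cached per IV and XORed with the plaintext, and the IV rides in the clear. The last function is a monitor-side check a wireless IDS can run without knowing the key; the key and IVs are constructed, and the 2304-byte MAX_MSG_SZ is an assumption.

```python
"""WEP frame encryption per the slide's diagram: RC4(IV || key) keystream, cached,
XORed with the plaintext, IV sent in the clear. Added example, not lecture code."""
from functools import lru_cache

MAX_MSG_SZ = 2304   # assumed: longest frame body a cached key sequence must cover
IV_LEN = 3          # WEP IVs are 24 bits

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4 PRNG: key-scheduling algorithm, then n bytes of generator output."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

@lru_cache(maxsize=64)
def cached_key_sequence(iv: bytes, key: bytes) -> bytes:
    """The 'Cache Key Sequence' box: RC4 runs once per (IV, key) and is reused."""
    return rc4_keystream(iv + key, MAX_MSG_SZ)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ciphertext; the receiver needs the cleartext IV to rebuild the seed."""
    if len(iv) != IV_LEN or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    if len(plaintext) > MAX_MSG_SZ:
        raise ValueError("frame body exceeds MAX_MSG_SZ")
    return iv + xor(plaintext, cached_key_sequence(iv, key))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Split off the IV, regenerate the same key sequence, XOR it back out."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    return xor(body, cached_key_sequence(iv, key))

def detect_iv_reuse(frames: list[bytes]) -> list[int]:
    """Monitor-side check needing no key: a repeated IV means a repeated key
    sequence, so report the indices of frames whose IV was already seen."""
    seen: set[bytes] = set()
    repeats: list[int] = []
    for idx, frame in enumerate(frames):
        iv = frame[:IV_LEN]
        if iv in seen:
            repeats.append(idx)
        seen.add(iv)
    return repeats

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")               # constructed 40-bit key
    ivs = (b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01")
    frames = [wep_encrypt(key, iv, b"hello") for iv in ivs]
    print("repeated IV at frame indices:", detect_iv_reuse(frames))   # [2]
```

With only 2**24 IVs and the key sequence depending on nothing else, a busy access point is guaranteed to repeat a key sequence, which is what makes the slide's "statistical analysis" of captured traffic possible.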

Slide 41: IEEE 802.11's Use of WEP
- IEEE runs by Robert's Rules; "one man, one vote"
- Simple majority required to add text, 75% vote to change text in draft standard
- WEP introduced in March 1994
- Strong pushback in committee regarding cost and overhead of encryption
- Dilution of proposal; privacy made optional

Slide 42: WEP Security Problems
- Papers submitted to committee highlight the problems with WEP; "Unsafe at any Key Size" presented in October
- Task Group I formed to solve WEP security problems
- Press gets wind of the issue
- Public domain attacks; "war driving"

Slide 43: WEP Security Problems (cont.)
- Passive attacks to decrypt traffic based on statistical analysis
- Active "known plaintext" attack to inject new traffic from unauthorized mobile stations
- Active attacks to decrypt traffic, based on tricking the access point
- Dictionary-building attack; real-time automated decryption of all traffic after a day's sampling

Slide 44: Task Group I
- Long-term security architecture for 802.11
- Based on 802.1X authentication standard and two new encryption protocols (TKIP and CCMP)
  - Labeled Robust Security Network (RSN)
- Uses Upper Layer Authentication (ULA) protocols outside the scope of 802.11i (e.g. EAP/TLS, PEAP)

Slide 45: Robust Security Network
- Includes:
  - Better key derivation/distribution based on 802.1X
    - For TKIP: per-message 128-bit key derivation
  - Improved encryption (TKIP, CCMP)
  - Stronger keyed Message Integrity Checks
    - Custom MIC for TKIP with 22-bit effective strength
    - Strong AES-based MIC for CCMP
  - IV sequencing to control message replay
    - 44 bits to avoid re-keying (4 bits for QoS)

Slide 46: RSN Data Privacy Protocols
- Temporal Key Integrity Protocol (TKIP)
  - a cipher suite enhancing the WEP protocol on pre-RSN hardware
- Counter Mode/CBC-MAC Protocol (CCMP)
  - based on AES and Counter-Mode/CBC-MAC (CCM)
  - Mandatory for RSN compliance

Slide 47: 802.1X
- Originally designed as port-based network access control for PPP
- Provides support for a centralized management model
- Primary encryption keys are unique to each station and generated dynamically
- Provides support for strong upper layer authentication

Slide 48: 802.1X Architectural Framework
- Employs Extensible Authentication Protocol (EAP)
  - EAP built around challenge-response paradigm
  - operates at network layer = flexibility
- Provides transport for ULA protocols
  - EAP/TLS, PEAP, EAP-TTLS, LEAP
- Two sets of keys dynamically generated
  - Session Keys, Group Keys

Slide 49: Authentication and Key Mgmt. (diagram)
- Supplicant (STA) <-> Authenticator (AP): EAP carried over EAPoL
- Authenticator (AP) <-> Authentication Server (AS): EAP carried over RADIUS
- AP uncontrolled port: passes EAP only
- AP controlled port: unauthorized until authentication completes, then gives the station access to wired LAN services
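The exchange in the diagram above, as an added example that is not code from the lecture: the supplicant's EAP messages cross the authenticator's uncontrolled port inside EAPoL, are relayed inside RADIUS to the authentication server, and the per-station controlled port opens only on EAP Success, at which point the station also holds a session key unique to it (slide 47). The HMAC challenge-response is a toy stand-in for a real EAP method such as EAP/TLS or PEAP, and the MAC address, identity and secret are constructed.

```python
"""802.1X port-based access control per the slide's diagram: STA (supplicant) --EAPoL-->
AP (authenticator) --RADIUS--> AS (authentication server); the controlled port stays
unauthorized until the AS accepts. Added example, not lecture code; the EAP method is a
toy HMAC challenge-response and all identities/secrets are constructed."""
import hashlib
import hmac
import os

class AuthServer:
    """AS: holds credentials, runs the EAP challenge-response, issues a per-station key."""
    def __init__(self, creds: dict[str, bytes]):
        self.creds = creds
        self.pending: dict[str, bytes] = {}      # user -> outstanding challenge

    def radius(self, msg: dict) -> dict:
        user = msg["user"]
        if msg["eap"] == "Response/Identity":
            self.pending[user] = os.urandom(16)
            return {"radius": "Access-Challenge", "eap": "Request/Challenge",
                    "chal": self.pending[user]}
        chal, secret = self.pending.pop(user, None), self.creds.get(user)
        if msg["eap"] == "Response/Challenge" and chal and secret:
            expected = hmac.new(secret, chal, hashlib.sha256).digest()
            if hmac.compare_digest(msg["proof"], expected):
                # session key: unique to this station, derived from this exchange
                key = hmac.new(secret, b"session" + chal, hashlib.sha256).digest()
                return {"radius": "Access-Accept", "eap": "Success", "key": key}
        return {"radius": "Access-Reject", "eap": "Failure"}

class Authenticator:
    """AP: EAPoL on the uncontrolled port, RADIUS towards the AS, and one controlled
    port per station that opens only on EAP Success."""
    def __init__(self, auth_server: AuthServer):
        self.auth_server = auth_server
        self.authorized: dict[str, bytes] = {}   # station MAC -> session key

    def eapol(self, sta_mac: str, msg: dict) -> dict:
        reply = self.auth_server.radius(msg)     # EAP payload relayed untouched
        if reply["eap"] == "Success":
            self.authorized[sta_mac] = reply["key"]
        return {k: v for k, v in reply.items() if k != "radius"}

    def data_frame(self, sta_mac: str, payload: bytes) -> bool:
        """Controlled port: True means the frame reaches wired LAN services."""
        return sta_mac in self.authorized

class Supplicant:
    def __init__(self, mac: str, user: str, secret: bytes):
        self.mac, self.user, self.secret = mac, user, secret

    def authenticate(self, ap: Authenticator) -> bool:
        # EAPOL-Start and Request/Identity omitted; begin at Response/Identity
        r = ap.eapol(self.mac, {"user": self.user, "eap": "Response/Identity"})
        if r["eap"] != "Request/Challenge":
            return False
        proof = hmac.new(self.secret, r["chal"], hashlib.sha256).digest()
        r = ap.eapol(self.mac, {"user": self.user, "eap": "Response/Challenge",
                                "proof": proof})
        return r["eap"] == "Success"

def demo(secret_used: bytes = b"constructed-secret") -> tuple[bool, bool, bool]:
    """(data passed before auth, auth result, data passed after auth) for one STA."""
    ap = Authenticator(AuthServer({"alice": b"constructed-secret"}))
    sta = Supplicant("00:11:22:33:44:55", "alice", secret_used)
    before = ap.data_frame(sta.mac, b"payload")
    ok = sta.authenticate(ap)
    return before, ok, ap.data_frame(sta.mac, b"payload")
```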

Slide 50: Existing Solutions & Other Methods
- MAC address filtering
- Access point placement
- Virtual Private Networks (VPNs)

Slide 51: Enter The Wi-Fi Alliance
- Wi-Fi Alliance: nonprofit international association
- Formed in member companies as of today
- Mission: Certify interoperability of wireless LAN products based on the IEEE 802.11 specification

Slide 52: Wi-Fi Protected Access - WPA
- WPA is a response by the industry to offer a strong and immediate security solution that would replace WEP
- It is a subset of the 802.11i draft standard and is going to maintain forward compatibility
- Main idea: "Bring what is ready now to the market"
- Increases the level of security for wireless LAN
- It is a standards-based, interoperable security specification

Slide 53: WPA
- Provides user authentication
  - Central authentication server (like RADIUS)
  - Via 802.1X and EAP
- Improves data encryption
  - Temporal Key Integrity Protocol (TKIP)
- Eventually will support full 802.11i compliance

Slide 54: 802.11i Status?
- Many devices fielded since 2003 have silicon implementations in them to support full 802.11i
  - Supports AES
  - Other features
  - Firmware updates should turn on features
- Standard ratified in late 2004

Slide 55: NetStumbler (screenshot)

Slide 56: Exploitation Tools
- Wardriving:
- Warchalking:
- Airsnort:
- WEPCrack:
- What other little "gifts" await us?

Slide 57: Best Practice for Now
- WEP is better than nothing; change keys often
- Physical placement of access points
- Upgrade firmware and drivers on APs and wireless cards as they are released
- VPN (treat wireless users as you would dial-in users)
- Check for 802.1X support before buying

Slide 58: Wireless Security Summary
- It's a problem, owing to the nature of wireless transmission
- So far, security implementations have left a lot to be desired
- Project presentations will provide added details
- Growth is explosive, both in legitimate and illegitimate wireless activity