WIRELESS INTRUSION DETECTION SYSTEMS. Namratha Vemuri, Balasubramanian Kandaswamy.
Presentation transcript:


OUTLINE
- THREATS
- VICTIMS
- IDS
- TYPES OF IDS
- ARCHITECTURE
- IMPLEMENTATION
- TOOLS USED
- ADMINISTRATION

THREATS
- Reconnaissance, identity theft and denial of service (DoS)
- Signal range of an authorized AP
- Physical security of an authorized AP
- Rogue or unauthorized AP
- Easy installation of an AP
- Poorly configured AP
- Protocol weaknesses and capacity limits of the AP

WHAT IS ATTACKED?
- Corporate network and servers: attempted penetration through the official access points (target 1) into the corporate network; DoS attacks, since most of them are TCP/IP based.
- Wireless clients: the access point behaves as a hub, connecting the authorized wireless clients directly to the bad guys. Inevitably this exposes a connecting PC to a huge array of IP-based attacks.

UNAUTHORIZED ACCESS POINTS
- Unofficial access points installed by user departments (target 4) represent a huge risk, as their security configuration is often questionable.
- Bogus access points (target 5) represent a different threat, as they can be used to hijack sessions at the data link layer and steal valuable information.
- Target 3: the legitimate access point.

To protect our network we need to know:
- where all access points on our network reside
- what actions to take to close down any unauthorized access points that do not conform to the company security standards
- which wireless users are connected to our network
- what unencrypted data is being accessed and exchanged by those users

WHAT IS IDS?
- IDS is not a firewall.
- IDS watches the network from the inside and reports or alarms.
- IDS monitors APs, compares the security controls defined on each AP with the predefined company security standards, then resets or closes down any non-conforming APs it finds.
- IDS identifies and alerts on unauthorized MAC addresses and tracks down hackers.

Intrusion detection systems are designed and built to monitor and report on network activities, or packets, between communicating devices. Many commercial and open source tools are used. TOOLS:
- capture and store the WLAN traffic
- analyse that traffic and create reports
- analyse signal strength and transmission speed

ID SYSTEM ACTIVITIES

INFRASTRUCTURE

ARCHITECTURE

IDS:
- a sensor (an analysis engine) that is responsible for detecting intrusions (contains the decision-making mechanism)
- the sensor receives messages from its own IDS knowledge base, syslog and audit trails
- syslog may include, for example, the configuration of the file system, user authorizations etc. This information creates the basis for the further decision-making process.

TYPES OF IDS
- Misuse or anomaly IDS
- Network-based or host-based IDS
- Passive or reactive IDS

ARCHITECTURE
- CENTRALIZED: a combination of individual sensors which collect and forward data to a centralized management system.
- DISTRIBUTED: one or more devices that perform both the data gathering and the processing/reporting functions of various IDS.

Distributed is best suited for smaller WLANs, due to cost and management issues:
- cost of many sensors with data processing
- management of multiple processing/reporting sensors

In a centralized architecture it is easy to maintain only one IDS, where all the data is analyzed and formatted. However:
- single point of failure
- adds 'additional' network traffic running concurrently, with an impact on network performance

IMPLEMENTATION OF IDS
- Comprises a mixture of hardware and software called intrusion detection sensors.
- Located on the network, examining traffic.
- Where should the sensors be placed?
- How many do we need?

Not just to detect attackers...
- Helps to enforce policies
- Policies for encryption
- Can report if an unencrypted packet is detected.
- With proper enforcement, WEP can be achieved (next slide)
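The policy-enforcement and AP-compliance checks described on this slide and under "What is IDS?" boil down to comparing each observed frame against a company standard. The following is an added example, not code from the original slides or from any of the products named here; the frame records, MAC addresses and SSIDs are constructed sample values, and the `Frame` summary is a simplification of what a sensor such as Kismet would report.

```python
"""Minimal WIDS policy-enforcement pass over constructed 802.11 frame records."""
from dataclasses import dataclass
from typing import List, Set

@dataclass(frozen=True)
class Frame:
    """One captured frame, as a sensor would summarise it (simplified)."""
    kind: str          # "beacon" or "data"
    bssid: str         # AP address the frame belongs to
    src: str           # transmitter address
    dst: str           # receiver address
    protected: bool    # beacon: privacy capability bit; data: Protected Frame bit
    ssid: str = ""     # advertised network name (beacons only)

# Company security standard (constructed): every WLAN must be encrypted,
# and only these APs and clients are approved.
AUTHORIZED_APS: Set[str] = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
AUTHORIZED_CLIENTS: Set[str] = {"00:aa:00:00:00:10", "00:aa:00:00:00:11"}

def check_frame(f: Frame, aps: Set[str], clients: Set[str]) -> List[str]:
    """Return the policy violations raised by one frame (empty = compliant)."""
    alerts: List[str] = []
    if f.kind == "beacon":
        if f.bssid not in aps:
            alerts.append(f"ROGUE_AP {f.bssid} ssid={f.ssid!r}")
        elif not f.protected:
            # an authorized AP whose configuration drifted from the standard
            alerts.append(f"AP_NO_ENCRYPTION {f.bssid} ssid={f.ssid!r}")
    elif f.kind == "data" and f.bssid in aps:
        # whichever address is not the AP is the client
        client = f.dst if f.src == f.bssid else f.src
        if client not in clients:
            alerts.append(f"UNAUTHORIZED_CLIENT {client} via {f.bssid}")
        if not f.protected:
            alerts.append(f"UNENCRYPTED_DATA {f.src}->{f.dst} via {f.bssid}")
    return alerts

def audit(frames, aps=AUTHORIZED_APS, clients=AUTHORIZED_CLIENTS) -> List[str]:
    """Run the policy over a whole capture, as a central server would."""
    out: List[str] = []
    for f in frames:
        out.extend(check_frame(f, aps, clients))
    return out

# Constructed capture: compliant AP, misconfigured AP, rogue AP,
# one approved client and one unknown client.
SAMPLE = [
    Frame("beacon", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff", True, "corp"),
    Frame("beacon", "00:11:22:aa:bb:02", "00:11:22:aa:bb:02", "ff:ff:ff:ff:ff:ff", False, "corp"),
    Frame("beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", False, "linksys"),
    Frame("data", "00:11:22:aa:bb:01", "00:aa:00:00:00:10", "00:11:22:aa:bb:01", True),
    Frame("data", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "00:cc:00:00:00:99", False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The sample capture yields four alerts: the misconfigured authorized AP, the rogue AP, and both an unauthorized-client and an unencrypted-data alert for the last frame, which is what a reactive IDS would act on.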

Why do we need these?
- To achieve WEP
- What's WEP? Wired Equivalent Privacy
- Why do we need it?

PEOPLE RESPONSIBLE
- IDS security analysts who can interpret the alerts (passive IDS)
- IDS software programmers
- IDS database administrators (misuse or anomaly IDS)

A COUPLE OF OPEN SOURCE IDS
- KISMET: 802.11 a/b/g network sniffer
- NETSTUMBLER

KISMET: 802.11 a/b/g network sniffer
- Passively collects network traffic (listens), detects the standard named networks and also detects hidden (non-beaconing) networks
- Analyzes the data traffic and builds a 'picture' of data movement
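How a passive listener can still name a hidden network and build the 'picture' of data movement described above: a cloaked AP beacons with an empty SSID, but the name appears in the association and probe-response frames exchanged with clients that already know it. This is an added example, not Kismet's code; the capture, addresses and SSIDs are constructed, and the record format is a simplified tuple rather than a real 802.11 frame.

```python
"""Passive discovery of named and hidden (non-beaconing) networks."""
from collections import defaultdict

# Constructed capture: (subtype, bssid, src, dst, ssid). The second AP is
# cloaked: its beacon carries an empty SSID, and the name only shows up in
# a client's association request and the AP's directed probe response.
CAPTURE = [
    ("beacon",     "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff", "corp"),
    ("beacon",     "00:11:22:aa:bb:09", "00:11:22:aa:bb:09", "ff:ff:ff:ff:ff:ff", ""),
    ("data",       "00:11:22:aa:bb:09", "00:aa:00:00:00:20", "00:11:22:aa:bb:09", None),
    ("assoc_req",  "00:11:22:aa:bb:09", "00:aa:00:00:00:20", "00:11:22:aa:bb:09", "corp-mgmt"),
    ("probe_resp", "00:11:22:aa:bb:09", "00:11:22:aa:bb:09", "00:aa:00:00:00:21", "corp-mgmt"),
    ("data",       "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "00:aa:00:00:00:10", None),
]

def build_picture(frames):
    """Fold frames into a per-BSSID view: name, hidden flag, clients, data count."""
    nets = defaultdict(lambda: {"ssid": None, "hidden": False, "clients": set(), "data": 0})
    for subtype, bssid, src, dst, ssid in frames:
        n = nets[bssid]
        if subtype == "beacon":
            if ssid == "":
                n["hidden"] = True           # cloaked: beacons carry no name
            else:
                n["ssid"] = ssid
        elif subtype in ("probe_resp", "assoc_req") and ssid:
            n["ssid"] = ssid                 # name revealed by a client/AP exchange
        elif subtype == "data":
            n["data"] += 1
        # any non-AP, non-broadcast address seen with this BSSID is a client
        for addr in (src, dst):
            if addr != bssid and not addr.startswith("ff:"):
                n["clients"].add(addr)
    return dict(nets)

if __name__ == "__main__":
    for bssid, info in build_picture(CAPTURE).items():
        note = " (hidden; name recovered passively)" if info["hidden"] else ""
        print(bssid, info["ssid"], sorted(info["clients"]), info["data"], note)
```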

NETSTUMBLER: sends probes
- Actively scans by sending out a request every second and reporting the responses
- APs by default respond to these probes
- Used for wardriving or wilding.

WHO MANAGES AND ADMINISTERS WIDS?
- Large organization (Network Operations group): AirMagnet Distributed 4.0, AirDefense Enterprise v4.1, Red-M
- Small and medium organization: Managed Security Service Provider (MSSP)

AIRMAGNET DISTRIBUTED
- Sensors report network performance information
- Alerts the management server
- AirMagnet Reporter generates reports ranging from threat summaries to per-channel RF signal strength
- Ex: using the 'Find' tool, we can manually and physically track down the location of the rogue user

AIRDEFENSE
The AirDefense system consists of a server running Red Hat Linux, distributed wireless AP sensors and a Java-based Web console. The AirDefense Web console and the AP sensors communicate with the server on a secure channel.

RED-M
Red-M includes Red-Alert and Red-Vision. Red-Alert is a standalone wireless probe which can detect unauthorized Bluetooth devices as well as 802.11 a/b/g networks. Red-Vision is a modular set of products consisting of three main components: Red-Vision Server, Red-Vision Laptop Client and Red-Vision Viewer.

RED-VISION (cont.)
- Red-Vision Server (the heart)
- Red-Vision Laptop Client (the ear)
- Red-Vision Viewer (the brain)

WIRELESS IDS DRAWBACKS
- Cost: the cost grows in conjunction with the size of the LAN
- New, emerging technology, and hence may contain many bugs and vulnerabilities
- A wireless IDS is only as effective as the individuals who analyze and respond to the data gathered by the system

CONCLUSION
Wireless intrusion detection systems are an important addition to the security of wireless local area networks. While there are drawbacks to implementing a wireless IDS, the benefits will most likely prove to outweigh the downsides.

QUESTIONS
Q: What is policy enforcement?
A: A policy is stated by the IDS (ex: all wireless communications must be encrypted) and used to detect the attack.
Q: What type of IDS is AirDefense Guard?
A: It is misuse or signature-based anomaly.
Q: What are 'dumb' probes?
A: They collect all the network traffic and send it to a central server for analysis.


QUESTIONS?

THANK YOU