Slide 1
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.
NETW 05A: APPLIED WIRELESS SECURITY
Additional Security Solutions
By Mohammad Shanehsaz
Spring 2005
Slide 2: Objectives
Describe the following types of intrusion detection methods and tools for WLANs:
- 24x7 centralized, skilled monitoring
- Honey pots
- Professional security audits
- Accurate, timely reporting
- Distributed agent software
- Security spot checking
- Available wireless LAN intrusion detection software and hardware tools
Slide 3: Intrusion Detection Systems
- An IDS inspects inbound and outbound traffic and attempts to identify suspicious activity
- An IDS differs from a firewall in that a firewall monitors for intrusions in order to stop them, while an IDS signals an alarm
- A wireless IDS can search a WLAN for vulnerabilities, detect and respond to intruders, and help manage the WLAN
- A wireless IDS uses sensors that monitor all wireless traffic and report it to a central server
- The sensors provide 24x7 real-time monitoring
Slide 4: Features of IDS
- Network-based vs. host-based monitoring
- Passive vs. reactive monitoring
- Misuse detection
- Anomaly detection
- Vulnerability detection
- Performance monitoring
Slide 5: Network-based vs. Host-based
- Network-based IDS listen on the wireless segment through wireless sensors
- To monitor all wireless traffic, sensors must be placed at, in, or near every access point
- Host-based IDS examine data on each host computer and require that IDS agents run on each node in order to report suspicious activity back to the central server
- Host-based IDS are able to monitor attacks against an individual computer more thoroughly
Slide 6: Passive vs. Reactive
- An IDS in passive mode raises alarms when attacks occur, informing the appropriate security personnel to take action
- An IDS in reactive mode reacts to attacks and eliminates them by shutting down services, restricting access to services, or disconnecting them altogether
- Passive vs. reactive behaviour is configured through policy settings in the IDS
Slide 7: Misuse Detection
To detect misuse, the IDS must monitor the business rules for the WLAN, some of which are:
- Limit access points to operate only on specific channels
- Require all wireless LAN traffic to be encrypted
- Prohibit SSIDs from being broadcast unmasked
- Limit traffic on the wireless LAN to occur only within certain hours of the day
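The four business rules on this slide, expressed as a misuse-detection check over sensor observations. This is an added example, not code from the original presentation; the observation record, the policy values (allowed channels, permitted hours) and the sample BSSIDs are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ApObservation:
    """One sensor observation of an access point (constructed record format)."""
    bssid: str
    channel: int
    encrypted: bool          # frames carried the Protected (privacy) bit
    ssid_broadcast: bool     # beacons carried a cleartext, unmasked SSID
    seen_at: datetime

# The business rules as a policy; the concrete values are assumptions
POLICY = {
    "allowed_channels": {1, 6, 11},
    "require_encryption": True,
    "prohibit_ssid_broadcast": True,
    "allowed_hours": (7, 19),        # traffic permitted 07:00 <= hour < 19:00
}

def check_policy(obs: ApObservation, policy: dict = POLICY) -> list[str]:
    """Return the names of the business rules this observation violates."""
    violations = []
    if obs.channel not in policy["allowed_channels"]:
        violations.append("channel")
    if policy["require_encryption"] and not obs.encrypted:
        violations.append("encryption")
    if policy["prohibit_ssid_broadcast"] and obs.ssid_broadcast:
        violations.append("ssid_broadcast")
    start, end = policy["allowed_hours"]
    if not start <= obs.seen_at.hour < end:
        violations.append("hours")
    return violations

# Constructed sample observations: one compliant AP, one that breaks every rule
SAMPLE = [
    ApObservation("00:11:22:33:44:01", 6, True, False, datetime(2005, 3, 1, 10, 15)),
    ApObservation("00:11:22:33:44:02", 3, False, True, datetime(2005, 3, 1, 23, 40)),
]

def report(observations=SAMPLE, policy=POLICY) -> dict[str, list[str]]:
    """Map each non-compliant BSSID to its violated rules (one alarm per entry)."""
    return {o.bssid: v for o in observations if (v := check_policy(o, policy))}

if __name__ == "__main__":
    for bssid, rules in report().items():
        print(f"ALARM {bssid}: violates {', '.join(rules)}")
```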
Slide 8: Anomaly Detection
- Monitors network segments to compare their current status to the normal baseline
- Baselines should be established for typical network load, protocols, and packet size
- Appropriate personnel should be alerted to any anomalies
Slide 9: Vulnerability Detection
- Vulnerabilities in wireless LANs can be detected in real time
- Locating any ad-hoc networks that are actively transmitting traffic is one way to keep peer-to-peer attacks from occurring
- Locating an open rogue access point that has hijacked an authorized user is another
Slide 10: Performance Monitoring
- Since a WLAN has limited bandwidth, we need to determine who is using the bandwidth and when
- Performance monitoring is not needed if the IDS has built-in rate-limiter functionality, but it can still be used to report on usage statistics for future growth planning
Slide 11: Monitoring and Maintenance
- Monitoring must be active 24x7 to be effective
- The security policy must define contact personnel and the steps to take to respond properly
- The reports generated by an IDS must be treated with utmost importance
- Periodic upgrades and ongoing training for the IDS specialist ensure continued success in effective use of the IDS
- Periodic spot-checking of the IDS should be considered mandatory
Slide 12: Thin Clients
- Based on a hybrid of the mainframe-terminal and the client-server model
- Clients run an OS of their own, but all processing is done at the server
- Come in the form of thin client software running on a notebook computer or an actual machine
- Low Total Cost of Ownership
- Peer-to-peer attacks yield no useful info
- They pass screenshots, mouse clicks, and screen updates, which use minimal bandwidth
- Client authentication is required
- SSH2 can be used to authenticate and tunnel encrypted traffic
Slide 13: Authenticated DHCP Services
- IETF RFC 3118 adds authentication to DHCP
- DHCP clients and servers are able to authenticate one another
- IP connectivity is given only to authorized clients
- Prevents rogue and malicious DHCP clients and servers from unauthorized access, DoS, theft of services or hijacking attacks
- To implement it, administrators must deploy RFC 3118 compatible software on all PCs and upgrade existing DHCP servers to support DHCP authentication
- Users must also devise an authentication key scheme and distribute it to all authenticated DHCP clients
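The RFC 3118 delayed-authentication mechanism this slide refers to, as an added example that is not code from the original presentation: a client appends option 90 (protocol 1, HMAC-MD5, monotonic replay counter) to a DHCP message, and the server recomputes the MAC with the key named by the secret ID and rejects replayed counters. The DHCP message bytes are constructed, and the shared key and secret ID are placeholder values standing in for the distributed key scheme.

```python
import hashlib, hmac, struct

OPT_AUTH, OPT_END = 90, 255
COOKIE = b"\x63\x82\x53\x63"
# Constructed DHCPDISCOVER: 236-byte header (op=1, htype=1, hlen=6, hops=0,
# rest zero), magic cookie, option 53 (message type 1 = DISCOVER).
MSG_NO_END = bytes([1, 1, 6, 0]) + bytes(232) + COOKIE + bytes([53, 1, 1])
KEY = b"placeholder-shared-key"      # placeholder; distributed to clients out of band
SECRET_ID = 1                        # placeholder ID that names KEY at the receiver

def _find_auth(buf) -> int:
    """Index of the option-90 header in the options area, or -1 if absent."""
    i = 240                          # fixed header (236) + magic cookie (4)
    while i < len(buf) and buf[i] != OPT_END:
        if buf[i] == 0:              # pad option has no length byte
            i += 1
            continue
        if buf[i] == OPT_AUTH:
            return i
        i += 2 + buf[i + 1]
    return -1

def _mac_input(msg: bytes) -> bytes:
    """Copy with hops, giaddr and the HMAC field zeroed, as RFC 3118 requires."""
    buf = bytearray(msg)
    buf[3] = 0                       # hops and giaddr are rewritten by relay agents
    buf[24:28] = bytes(4)
    i = _find_auth(buf)
    buf[i + 17:i + 33] = bytes(16)   # the MAC cannot cover itself
    return bytes(buf)

def sign(msg_no_end: bytes, key: bytes, secret_id: int, replay: int) -> bytes:
    """Append option 90 (protocol 1, algorithm 1, RDM 0) plus END, then fill the MAC."""
    body = struct.pack("!BBBQI", 1, 1, 0, replay, secret_id) + bytes(16)
    msg = msg_no_end + bytes([OPT_AUTH, len(body)]) + body + bytes([OPT_END])
    mac = hmac.new(key, _mac_input(msg), hashlib.md5).digest()
    return msg[:-17] + mac + msg[-1:]

def verify(msg: bytes, keys: dict, last_replay: dict) -> bool:
    """True only for a valid MAC under the named key and a strictly increasing counter."""
    i = _find_auth(msg)
    if i < 0 or msg[i + 1] != 31:
        return False
    proto, alg, rdm, replay, sid = struct.unpack("!BBBQI", msg[i + 2:i + 17])
    if (proto, alg, rdm) != (1, 1, 0) or sid not in keys or replay <= last_replay.get(sid, -1):
        return False
    expected = hmac.new(keys[sid], _mac_input(msg), hashlib.md5).digest()
    if not hmac.compare_digest(msg[i + 17:i + 33], expected):
        return False
    last_replay[sid] = replay
    return True
```

Because hops and giaddr are excluded from the MAC, a message that passes through a relay agent still verifies, while any change to the rest of the header or options fails.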
Slide 14: Traffic Baselining
- Analyze the performance of a selected network segment over a period of time (representing network normalcy)
- Provides reference points for current use and for required modifications when adding new services or users (baselining for performance)
- Identifies performance issues and provides information for security (min, max, or average values from baseline data can be used for setting alarm thresholds in the IDS)
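Baselining of load, packet size and protocol mix (Slide 8) turned into IDS alarm thresholds from the baseline's min, max and average values (this slide), as an added example that is not code from the original presentation. The per-interval measurements are constructed, and the choice of mean plus or minus three standard deviations, widened to the observed min/max, is an assumption for illustration.

```python
from statistics import mean, pstdev

# Constructed baseline: one sample per 5-minute interval of normal operation
# (offered load in kbit/s, average packet size in bytes, share of TCP traffic).
BASELINE = [
    {"load_kbps": 820, "avg_pkt_bytes": 610, "tcp_ratio": 0.82},
    {"load_kbps": 900, "avg_pkt_bytes": 590, "tcp_ratio": 0.80},
    {"load_kbps": 760, "avg_pkt_bytes": 640, "tcp_ratio": 0.85},
    {"load_kbps": 880, "avg_pkt_bytes": 600, "tcp_ratio": 0.79},
    {"load_kbps": 840, "avg_pkt_bytes": 620, "tcp_ratio": 0.83},
]

def summarize(samples, metric):
    """Min, max, mean and standard deviation of one metric over the window."""
    values = [s[metric] for s in samples]
    return {"min": min(values), "max": max(values),
            "mean": mean(values), "stdev": pstdev(values)}

def thresholds(samples, k=3.0):
    """Per-metric alarm limits: mean +/- k standard deviations, widened to at
    least the observed min/max so the baseline itself never raises an alarm."""
    limits = {}
    for metric in samples[0]:
        s = summarize(samples, metric)
        low = min(s["min"], s["mean"] - k * s["stdev"])
        high = max(s["max"], s["mean"] + k * s["stdev"])
        limits[metric] = (low, high)
    return limits

def anomalies(sample, limits):
    """Names of the metrics in a current sample that fall outside the limits."""
    return [m for m, (lo, hi) in limits.items() if not lo <= sample[m] <= hi]

if __name__ == "__main__":
    limits = thresholds(BASELINE)
    # Constructed current sample resembling a flood of small frames
    current = {"load_kbps": 4900, "avg_pkt_bytes": 90, "tcp_ratio": 0.05}
    for metric in anomalies(current, limits):
        print(f"ALERT {metric}={current[metric]} outside {limits[metric]}")
```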