Enhancing the Security of Corporate Wi-Fi Networks Using DAIR
Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec Wolman, Brian Zill
Presented by: J. Falquez
Challenges in Building an Enterprise-scale WiFi Monitoring System
• Scale of WLAN
– Microsoft’s WLAN has over 5000 APs
• Need to deploy many monitors
– Rapid fading of signal in indoor environment
– Multiple orthogonal channels
– May need observations from multiple vantage points (e.g., to pinpoint the location of a rogue AP)
Taxonomy of Attacks on Wi-Fi Networks
• Eavesdropping
– Passive snooping (perhaps with high-gain antennas)
– Nearly impossible to detect
– Cryptographic techniques generally considered sufficient
• Intrusion
– Rogue AP / Rogue Ad-hoc network
• Denial of Service
– Fake deauthentication/disassociation, NAV attacks, DIFS attacks, jamming
• Phishing
– Acquire passwords
Example: Rogue AP
• Careless employee brings AP from home and plugs it into corporate Ethernet
• Bypasses corporate Wi-Fi security measures
– For example: WPA, 802.1X
• Permits unauthorized users to connect to corporate network
– Malicious user outside the building?
• Widespread problem
– Ongoing concern for MS IT department
– Surveyed two major US universities, found multiple rogue APs
Need for WiFi Monitoring Systems
• Preventive measures such as 802.1X do not guarantee full security
• In addition, need a WiFi monitoring system to detect problems in operational WiFi networks
– Detect rogue AP by overhearing packets containing an unknown BSSID
Example: Indoor WLAN Monitoring
[Figure: floor plan showing a Rogue AP and Client Monitors, annotated with each monitor’s reception rates (red: beacon reception rate, blue: data packet reception rate); most monitors receive 0% while the nearest receives 97% of beacons and 1.7% of data packets, illustrating rapid loss of signal strength in indoor environments.]
[Figure: plot of % Received vs. Time (Minutes), 0 to 300 minutes, illustrating complex, time-varying signal propagation.]
State of the Art
• AP-based monitoring [Aruba, AirDefense, …]
– Pros: Easy to deploy (APs are under central control)
– Cons: Single-radio APs cannot be effective monitors
• Specialized sensor boxes [Aruba, AirTight, …]
– Pros: Can provide detailed signal-level analysis
– Cons: Expensive, so cannot deploy densely
• Monitoring by mobile clients [Adya et al., MobiCom’04]
– Pros: Inexpensive, suitable for un-managed environments
– Cons: Coverage not predictable (mobile, battery-powered clients); only monitor the channel they are connected on
Observation
• Desktop PCs with good wired connectivity are ubiquitous in enterprises
• Outfitting a desktop PC with 802.11 wireless is inexpensive
– Wireless USB dongles are cheap: as low as $6.99 at online retailers
– PC motherboards are starting to appear with built-in 802.11 radios
Combine the two to create a dense deployment of wireless sensors
DAIR: Dense Array of Inexpensive Radios
DAIR Architecture
[Figure: AirMonitors and a LandMonitor (1 per subnet) report over the wired network to a Database; the Inference Engine queries the Database, which also holds other data (SNMP, configuration).]
Monitor Architecture
[Figure: block diagram of a monitor]
• Driver Interface: gets packets/info from the device and sends packets / queries the driver (Custom Wireless Driver or Wired NIC Driver); enables/disables promiscuous mode and logging
• Filter Processor: delivers packets to all the registered Filters (WiFi Parser, DHCP Parser, other parsers); enables/disables Filters
• SQL Client: dumps the summarized packet information into the SQL tables on the SQL Server
• Command Processor / Remote Object: receives commands from the Command Issuer (enable/disable filter, send packets) and sends heartbeats
• Packet Constructor / Sender: builds packets and sends them through the driver
Key Characteristics of DAIR
• High sensor density at low cost
– Leverages existing desktop resources
– Effective monitoring in indoor environments
– Can tolerate loss of a few sensors
• Sensors are (mostly) stationary
– Provides predictable coverage
– Permits meaningful historical analysis
Applications of the DAIR Platform
• Security applications
– Detecting attacks on Wi-Fi networks
– Responding to such attacks
• Performance management
– Monitor RF coverage
– Load balancing
• Location service to support the above applications
Rogue Wireless Networks
• An uninformed or careless employee who doesn’t understand (or chooses not to think about) the security implications
– Brings AP from home, and attaches it to the corporate network
– Configures desktop PC with wireless interface to create a rogue ad-hoc network
• Bypasses security measures such as WPA, 802.1X
Simple Solution
[Figure: AirMonitors report the (BSSID, SSID) pairs they see to the Database; the Inference Engine compares them with the list of known APs.]
Known:
BSSID        SSID
00:08:AC …   MSFT
00:09:3B …   MSRLAB
Seen:
BSSID        SSID
00:08:AC …   MSFT
00:09:3B …   MSRLAB
0C:3B:5A:    Joe’sAP
Result: 0C:3B:5A: (Joe’sAP) is seen but not known, so it is flagged as a rogue AP
Problem with the Simple Solution
• False positives
– Multi-office buildings: APs of neighboring organizations are overheard
• False negatives
– Malicious attacker fakes an authorized SSID / BSSID
• DAIR can help reduce both false positives and false negatives
– No foolproof way to avoid false positives/negatives completely
– DAIR raises the bar while generating fewer alarms
Reducing False Negatives
• Suspect is using an “authorized” SSID / BSSID
• If the “real” AP is still active
– Packet sequence numbers (real AP and impostor interleaved) are not monotonic
• If the real AP is not active
– Determine location of suspect
– If different from expected, raise alarm
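The “seen but not known” comparison of the simple solution and the sequence-number check for spoofed authorized BSSIDs, as one added example that is not code from the DAIR slides or project (the function names and the backward-jump threshold are assumptions of this example):

```python
# Added example (not code from the DAIR slides or project): an inference-engine step
# over AirMonitor summaries that flags unknown BSSIDs and authorized BSSIDs whose
# 802.11 sequence numbers are not monotonic. Names and thresholds are assumptions.
from collections import defaultdict

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide and wrap at 4096


def seq_delta(prev, cur):
    """Forward distance from prev to cur modulo 4096.
    0 is a retransmission, small values are normal, values above 2048 mean
    cur is actually behind prev (a backward jump)."""
    return (cur - prev) % SEQ_MOD


def analyze_frames(frames, known, max_backward_jumps=3):
    """frames: (bssid, ssid, seq) tuples in capture order, as summarized by AirMonitors.
    known:  dict bssid -> ssid of authorized APs (the 'Known' table).
    Returns dict bssid -> reason for every BSSID that looks rogue."""
    alerts = {}
    last_seq = {}
    backward = defaultdict(int)
    for bssid, ssid, seq in frames:
        if bssid not in known:
            # Simple solution: seen but not known
            alerts[bssid] = f"unknown BSSID advertising SSID {ssid!r}"
            continue
        if known[bssid] != ssid:
            alerts[bssid] = f"authorized BSSID advertising wrong SSID {ssid!r}"
            continue
        # Authorized BSSID: if a second radio spoofs it while the real AP is up,
        # their independent counters interleave and the sequence stops being monotonic.
        if bssid in last_seq and seq_delta(last_seq[bssid], seq) > SEQ_MOD // 2:
            backward[bssid] += 1
            if backward[bssid] >= max_backward_jumps:
                alerts[bssid] = "sequence numbers not monotonic: possible spoofed BSSID"
        last_seq[bssid] = seq
    return alerts
```

Frames must be fed in capture order; when several AirMonitors overhear the same BSSID, merge their summaries by timestamp first.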
Reducing False Positives
• Detect whether the rogue AP is connected to the corporate wired network
• Series of tests:
– Association test
– Source/destination address test
– Replay test
Association Test
[Figure: an AirMonitor associates with the suspect AP (0C:3B:5A: Joe’sAP) and tries to reach a machine inside the corporate firewall; the result is reported to the Database / Inference Engine.]
If the AirMonitor can connect to a machine inside the firewall via the AP, then the AP is connected to the corporate wired network.
Association Test
• Test will fail if AP uses WEP or MAC address filtering
– People configure home APs with WEP or MAC filtering
• Failure means we need additional tests …
Source / Destination Address Test
[Figure: the LandMonitor on each subnet records the MAC addresses of the subnet routers (e.g., 08:5B:3F: …, 08:3C:4F: …) in the Database; the Inference Engine compares them with the addresses the AirMonitor sees in frames to and from the suspect AP.]
Source / Destination Address Test
802.11 data frame (with encryption): the MAC header (Receiver = Access Point, Transmitter = Client, Destination) is unencrypted; only the payload is encrypted.
MAC addresses: is the Destination a known address?
If the Destination Address belongs to a subnet router, then the AP is connected to the corporate wired network.
Similar test for the Source Address.
Source / Destination Address Test
• Test will fail if the AP is really a NAT/router
– Many home APs combine AP and NAT/router functionality
• Failure means that additional tests are needed
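The address test applied to the unencrypted 802.11 header, as an added example that is not code from the DAIR slides or project. It generalizes the slide’s client-to-AP case to all four ToDS/FromDS address layouts; function names and every MAC value are constructed for the example:

```python
# Added example (not code from the DAIR slides or project): parse the unencrypted
# 802.11 data-frame MAC header, recover DA and SA from the ToDS/FromDS address
# mapping, and apply the source/destination address test against the subnet router
# MACs supplied by the LandMonitor. Function names and all MAC values are constructed.

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_data_frame(frame):
    """Return ToDS/FromDS flags, Protected bit, BSSID, DA and SA of an 802.11 data frame."""
    fc0, fc1 = frame[0], frame[1]          # Frame Control field, little-endian
    if (fc0 >> 2) & 0x3 != 2:              # bits 2-3 of byte 0: frame type 2 = data
        raise ValueError("not a data frame")
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)           # payload encrypted (WEP/WPA); header is not
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if not to_ds and not from_ds:          # ad-hoc (IBSS): Addr1=DA, Addr2=SA, Addr3=BSSID
        da, sa, bssid = a1, a2, a3
    elif from_ds and not to_ds:            # AP -> client: Addr1=DA, Addr2=BSSID, Addr3=SA
        da, bssid, sa = a1, a2, a3
    elif to_ds and not from_ds:            # client -> AP (slide): Addr1=BSSID, Addr2=SA, Addr3=DA
        bssid, sa, da = a1, a2, a3
    else:                                  # WDS, 4 addresses: Addr2=TA, Addr3=DA, Addr4=SA
        bssid, da, sa = a2, a3, frame[24:30]
    return {"to_ds": to_ds, "from_ds": from_ds, "protected": protected,
            "bssid": mac_str(bssid), "da": mac_str(da), "sa": mac_str(sa)}


def address_test(frame, router_macs):
    """True if DA or SA is a known subnet router: the suspect AP bridges into the corporate wire."""
    h = parse_data_frame(frame)
    return h["da"] in router_macs or h["sa"] in router_macs


def build_data_frame(to_ds, from_ds, a1, a2, a3, protected=True):
    """Constructed test frame: Frame Control, Duration, Addr1-3, Sequence Control, dummy payload."""
    fc0 = 0x08                             # type = data, subtype 0
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00" + b"\xaa" * 16
```

A negative result only means the addresses give no evidence: behind a NAT/router the DA and SA are the AP’s own, which is exactly the failure mode described above.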
Replay Test
[Figure: AirMonitors capture data packets 1, 2, 3, 4 from the suspect AP; one AirMonitor replays them; the LandMonitor watches the wired network for copies.]
AirMonitors capture data packets. One of the AirMonitors replays the captured packets; each packet is replayed multiple times.
At the same time LandMonitors are alerted to watch for duplicate packets on the wired network.
Replay Test
• AirMonitors replay packets with the suspect BSSID
– No need to decrypt the packet
• Each packet is replayed multiple times (say 5)
• LandMonitors detect if duplicate packets are seen on the wired network
• Works for NAT/routers
– Even rogue ad-hoc networks
• Fails if the suspect is using WPA2 or other crypto schemes that are robust against replay attacks
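Both halves of the replay test in one simulation, as an added example that is not code from the DAIR slides or project. The class and function names, the window handling, and the stand-in for the rogue AP are assumptions of this example:

```python
# Added example (not code from the DAIR slides or project): simulation of the replay
# test. The AirMonitor replays every captured frame carrying the suspect BSSID N times
# without decrypting it; a LandMonitor that has been alerted counts identical Ethernet
# frames on its subnet during the window. N or more copies of one frame means the
# suspect AP bridges into the corporate wired network. Names are assumptions.
import hashlib
from collections import defaultdict

REPLAY_COUNT = 5  # the slides suggest replaying each packet "say 5" times


def replay_schedule(captured, suspect_bssid, times=REPLAY_COUNT):
    """captured: list of (bssid, raw_80211_frame). Returns the frames to transmit, in order."""
    return [f for bssid, f in captured if bssid == suspect_bssid for _ in range(times)]


def fingerprint(eth_frame):
    """Compact key for 'the same frame'; the LandMonitor never needs to parse the payload."""
    return hashlib.sha256(eth_frame).hexdigest()[:16]


class LandMonitor:
    def __init__(self, replay_count=REPLAY_COUNT):
        self.replay_count = replay_count
        self.window = None                 # (start, end) of the current alert window
        self.counts = defaultdict(int)

    def alert(self, start_ts, duration_s):
        """Inference Engine tells the LandMonitor when the replay starts and how long to watch."""
        self.window = (start_ts, start_ts + duration_s)
        self.counts.clear()

    def observe(self, ts, eth_frame):
        """Called for every frame captured on the wired NIC in promiscuous mode."""
        if self.window and self.window[0] <= ts <= self.window[1]:
            self.counts[fingerprint(eth_frame)] += 1

    def duplicates(self):
        """Frames seen at least replay_count times inside the window."""
        return {fp: n for fp, n in self.counts.items() if n >= self.replay_count}

    def suspect_is_bridged(self):
        return bool(self.duplicates())


def bridged_ap(frames_80211):
    """Constructed stand-in for a bridging rogue AP: forwards each frame's payload onto the wire."""
    return [f[24:] for f in frames_80211]
```

An AP with replay protection (WPA2) drops the replayed frames before they reach the wire, so the LandMonitor sees no duplicates and the test is inconclusive, not negative.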
Scalability
• Load on database server
• Load on individual AirMonitors
• Additional wired network traffic
Load on Database Server
• 12 AirMonitors; AirMonitors submit summarized data every 2 minutes
• Database Server: MS-SQL 2005, 1.7GHz P4 with 1GB RAM
[Figure: CPU load (%) of the database server, 0 to 100%, over one day (1AM to 1AM).]
Load on Client Machine
[Figure: two plots of load (%) over one day (1AM to 1AM), 0 to 100%: a machine not running AirMonitor and a machine running AirMonitor.]
• Additional network traffic: 2-5Kbps per AirMonitor
Summary
• Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment
• Explored ways to leverage the platform to monitor threats to Wi-Fi networks
DAIR Ongoing Work
• Which channels should each AirMonitor listen on?
– What scanning strategy to use? [Deshpande et al. 2006]
– Depends on density of AirMonitors, environment
• Building an effective location system
• Building performance management tools
Questions?