WIRELESS INTRUSION DETECTION SYSTEMS
Namratha Vemuri
Balasubramanian Kandaswamy
OUTLINE: THREATS / VICTIMS / IDS / TYPES OF IDS / ARCHITECTURE / IMPLEMENTATION / TOOLS USED / ADMINISTRATION
THREATS
Reconnaissance, theft of identity and denial of service (DoS)
Signal range of an authorized AP
Physical security of an authorized AP
Rogue or unauthorized AP
Easy installation of an AP
Poorly configured AP
Protocol weaknesses and capacity limits of the AP
WHAT IS ATTACKED?
Corporate network and servers (target 1): attempted penetration through the official access points into the corporate network, and DoS attacks, since most of them are TCP/IP based.
Wireless clients: the access point behaves as a hub, connecting the authorized wireless clients directly to the bad guys; inevitably this exposes a connecting PC to a huge array of IP-based attacks.
Unauthorized access points (target 4): unofficial access points installed by user departments represent a huge risk, as their security configuration is often questionable.
Bogus access points (target 5): represent a different threat, as these can be used to hijack sessions at the data link layer and steal valuable information.
The legitimate access point (target 3): to protect our network we need to know
where all access points reside on our network
what actions to take to close down any unauthorized access points that do not conform to the company security standards
which wireless users are connected to our network
what unencrypted data is being accessed and exchanged by those users
WHAT IS AN IDS?
An IDS is not a firewall.
An IDS watches the network from the inside and reports or alarms.
A wireless IDS monitors APs, compares the security controls defined on each AP with predefined company security standards, then resets or closes down any non-conforming APs it finds.
It identifies and alerts on unauthorized MAC addresses and tracks down hackers. (Caveat: a MAC address is trivially changed by an attacker, so alerting on unauthorized MACs catches careless rogue devices, not a determined intruder.)
Intrusion detection systems are designed and built to monitor and report on network activities, or packets, between communicating devices.
Many commercial and open source tools are used. The tools capture and store the WLAN traffic, analyse that traffic and create reports, and analyse signal strength and transmission speed.
ID SYSTEM ACTIVITIES
INFRASTRUCTURE
ARCHITECTURE
IDS: a sensor (an analysis engine) that is responsible for detecting intrusions (contains the decision-making mechanism).
The sensor receives messages from its own IDS knowledge base, syslog and audit trails.
Syslog may include, for example, the configuration of the file system, user authorizations etc. This information creates the basis for the further decision-making process.
TYPES OF IDS
Misuse or anomaly IDS
Network-based or host-based IDS
Passive or reactive IDS
ARCHITECTURE
CENTRALIZED: a combination of individual sensors which collect and forward 802.11 data to a centralized management system.
DISTRIBUTED: one or more devices that perform both the data gathering and the processing/reporting functions of various IDSs.
Distributed is best suited for smaller WLANs, due to cost and management issues:
cost of many sensors with data processing
management of multiple processing/reporting sensors
In a centralized design it is easy to maintain only one IDS where all the data is analyzed and formatted, but:
single point of failure
adds 'additional' network traffic running concurrently, with an impact on network performance
IMPLEMENTATION OF IDS
Comprises a mixture of hardware and software called intrusion detection sensors.
The sensors are located on the network and examine traffic.
Where should the sensors be placed? How many do we need?
Not just to detect attackers:
Helps to enforce policies, e.g. policies for encryption
Can report if an unencrypted packet is detected
With proper enforcement, WEP can be achieved (next slide)
WHY DO WE NEED THESE?
To achieve WEP. What's WEP? Wired Equivalent Privacy. Why do we need it?
(Caveat: WEP's RC4 key scheduling was shown to be practically breakable in 2001; the same policy enforcement today should require WPA2 or WPA3 rather than WEP.)
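The two enforcement jobs the slides give a wireless IDS, alerting on unauthorized or non-conforming APs and reporting unencrypted data frames, can be demonstrated on raw 802.11 frames. The following is an added example written for this page, not code from the slides or from any of the products they name. It assumes a constructed allow-list AUTHORIZED_BSSIDS and a constructed policy (every approved AP must advertise the Privacy capability bit; every data frame on an approved BSSID must carry the Protected Frame bit); the sample capture is built inline so the sensor runs offline.

```python
"""Minimal policy-enforcing WIDS sensor: added example, not code from the slides.
Assumed policy: the BSSIDs in AUTHORIZED_BSSIDS are the APs the company has
approved; every approved AP must advertise the Privacy bit and every data frame
on an approved BSSID must carry the Protected Frame bit."""
import struct

AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}     # constructed allow-list

# 802.11 Frame Control byte 0: subtype (bits 4-7), type (bits 2-3), version (bits 0-1)
FC_BEACON, FC_DATA = 0x80, 0x08
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
CAP_PRIVACY = 0x0010                          # capability bit 4 in a beacon body


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_frame(raw: bytes) -> dict:
    """Split the 24-byte MAC header; the body is whatever follows it."""
    ftype = (raw[0] >> 2) & 0x3
    subtype = raw[0] >> 4
    flags = raw[1]
    a1, a2, a3 = mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22])
    # Which address field holds the BSSID depends on the To/From DS bits.
    if ftype == 0:
        bssid = a3                                    # management frames
    elif flags & FLAG_TO_DS and not flags & FLAG_FROM_DS:
        bssid = a1                                    # station -> AP
    elif flags & FLAG_FROM_DS and not flags & FLAG_TO_DS:
        bssid = a2                                    # AP -> station
    else:
        bssid = a3                                    # IBSS; 4-address WDS not handled
    return {"type": ftype, "subtype": subtype, "flags": flags,
            "ta": a2, "bssid": bssid, "body": raw[24:]}


def beacon_info(body: bytes) -> tuple:
    """Body = 8-byte timestamp, 2-byte interval, 2-byte capability, then IEs."""
    cap = struct.unpack_from("<H", body, 10)[0]
    ies, i, ssid = body[12:], 0, ""
    while i + 2 <= len(ies):
        tag, ln = ies[i], ies[i + 1]
        if tag == 0:                                  # SSID element
            ssid = ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
            break
        i += 2 + ln
    return ssid, bool(cap & CAP_PRIVACY)


def check_policy(raw: bytes) -> list:
    """Return the policy alerts one frame raises (empty list if it conforms)."""
    f = parse_frame(raw)
    alerts = []
    if f["type"] == 0 and f["subtype"] == 8:          # beacon
        ssid, privacy = beacon_info(f["body"])
        if f["bssid"] not in AUTHORIZED_BSSIDS:
            alerts.append(f"ROGUE_AP bssid={f['bssid']} ssid={ssid!r}")
        elif not privacy:
            alerts.append(f"NONCONFORMING_AP bssid={f['bssid']} privacy=off")
    elif f["type"] == 2:                              # data
        if f["bssid"] in AUTHORIZED_BSSIDS and not f["flags"] & FLAG_PROTECTED:
            alerts.append(f"UNENCRYPTED_DATA bssid={f['bssid']} ta={f['ta']}")
    return alerts


def build_beacon(bssid: str, ssid: str, privacy: bool) -> bytes:
    """Constructed beacon: ESS bit plus optional Privacy bit, one SSID element."""
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)
    body = bytes(8) + struct.pack("<HH", 100, cap) + bytes([0, len(ssid)]) + ssid.encode()
    hdr = (bytes([FC_BEACON, 0]) + bytes(2) + mac_bytes("ff:ff:ff:ff:ff:ff")
           + mac_bytes(bssid) + mac_bytes(bssid) + bytes(2))
    return hdr + body


def build_data(bssid: str, sta: str, protected: bool) -> bytes:
    """Constructed station-to-AP data frame (To DS set); payload is a dummy LLC header."""
    flags = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    hdr = (bytes([FC_DATA, flags]) + bytes(2) + mac_bytes(bssid) + mac_bytes(sta)
           + mac_bytes("ff:ff:ff:ff:ff:ff") + bytes(2))
    return hdr + b"\xaa\xaa\x03" + bytes(13)


def scan(capture: list) -> list:
    """Run every captured frame through the policy and collect the alerts."""
    return [a for raw in capture for a in check_policy(raw)]


# Constructed capture: a conforming AP, the same AP with encryption switched off,
# a rogue AP, and one protected plus one unprotected data frame on the approved BSSID.
SAMPLE_CAPTURE = [
    build_beacon("00:11:22:33:44:55", "corp", privacy=True),
    build_beacon("00:11:22:33:44:55", "corp", privacy=False),
    build_beacon("de:ad:be:ef:00:01", "free-wifi", privacy=False),
    build_data("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", protected=True),
    build_data("00:11:22:33:44:55", "aa:bb:cc:dd:ee:02", protected=False),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print(alert)
```

A real sensor would feed parse_frame from a monitor-mode interface and would also have to cope with 4-address WDS frames and radiotap headers, which this example leaves out; the policy decision itself (BSSID allow-list, Privacy bit, Protected Frame bit) is exactly what the slides describe as enforcement.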
PEOPLE RESPONSIBLE
IDS security analysts who can interpret the alerts (passive IDS)
IDS software programmers
IDS database administrators (misuse or anomaly IDS)
A COUPLE OF FREELY AVAILABLE TOOLS
Kismet: 802.11a/b/g network sniffer
NetStumbler
Kismet (802.11a/b/g network sniffer): passively collects network traffic (listens), detects the standard named networks and detects hidden (non-beaconing) networks. Analyzes the data traffic and builds a 'picture' of data movement.
NetStumbler: sends 802.11 probes. Actively scans by sending out a request every second and reporting the responses. APs by default respond to these probes. Used for wardriving or wilding.
(Note: Kismet is open source; NetStumbler is closed-source Windows freeware and a scanner rather than an IDS. Its active probing is itself visible to a passive sensor such as Kismet.)
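Because a NetStumbler-style scanner announces itself with a wildcard probe request about once a second, a passive sensor can flag it from the probe log alone. The block below is an added example written for this page, not code from Kismet, NetStumbler or the slides. It works on the (timestamp, source MAC, SSID) records a sensor would already have extracted from probe-request frames; WINDOW_S and THRESHOLD are assumed tuning values, and the sample log is constructed inline.

```python
"""Sliding-window detector for active 802.11 scanners: added example, not from the slides.
Input is the probe-request log a passive sensor has already extracted:
(timestamp in seconds, source MAC, requested SSID). An empty SSID is a wildcard
(broadcast) probe, which is what a NetStumbler-style scanner emits about once a second."""
from collections import defaultdict, deque

WINDOW_S = 10.0      # assumed look-back window
THRESHOLD = 8        # assumed: wildcard probes per window that a roaming client never reaches


def detect_active_scanners(probes, window=WINDOW_S, threshold=THRESHOLD) -> dict:
    """Return {source_mac: timestamp at which it was first flagged}.

    probes must be sorted by timestamp. Directed probes (non-empty SSID) are
    normal roaming traffic and are ignored; only wildcard probes are counted."""
    recent = defaultdict(deque)      # per-source timestamps still inside the window
    flagged = {}
    for ts, src, ssid in probes:
        if ssid:
            continue
        window_q = recent[src]
        window_q.append(ts)
        while ts - window_q[0] > window:   # drop timestamps older than the window
            window_q.popleft()
        if len(window_q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


# Constructed log: a scanner probing every second for 15 s, and a laptop that
# sends a short wildcard burst on wake-up and then directed probes for its home SSID.
SCANNER = "aa:bb:cc:00:00:01"
LAPTOP = "aa:bb:cc:00:00:02"
SAMPLE_PROBES = sorted(
    [(float(t), SCANNER, "") for t in range(15)]
    + [(0.0, LAPTOP, ""), (0.1, LAPTOP, ""), (0.2, LAPTOP, "")]
    + [(5.0 + t, LAPTOP, "corp") for t in range(10)]
)

if __name__ == "__main__":
    for mac, ts in detect_active_scanners(SAMPLE_PROBES).items():
        print(f"ACTIVE_SCANNER src={mac} flagged_at={ts:.1f}s")
```

The window and threshold decide the false-positive rate: a short window with a low threshold catches the laptop's wake-up burst as well, so the values should be set from a baseline of normal client behaviour on the WLAN being monitored.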
WHO MANAGES AND ADMINISTERS WIDS?
Large organization: the Network Operations group, using products such as AirMagnet Distributed 4.0, AirDefense Enterprise v4.1 and Red-M
Small and medium organization: a Managed Security Service Provider (MSSP)
AIRMAGNET DISTRIBUTED
Sensors report network performance information
Alerts the management server
AirMagnet Reporter generates reports, from threat summaries to per-channel RF signal strength
Ex: using the 'Find' tool, we can manually and physically track down the location of a rogue user
AIRDEFENSE
The AirDefense system consists of a server running Red Hat Linux with distributed wireless AP sensors and a Java-based Web console.
The AirDefense Web console and AP sensors communicate with the server over a secure channel.
RED-M includes Red-Alert and Red-Vision.
Red-Alert is a standalone wireless probe which can detect unauthorized Bluetooth devices as well as 802.11a/b/g networks.
Red-Vision is a modular set of products consisting of three main components: Red-Vision Server, Red-Vision Laptop Client and Red-Vision Viewer.
RED-VISION (cont.)
Red-Vision Server (heart), Red-Vision Laptop Client (ear), Red-Vision Viewer (brain)
WIRELESS IDS DRAWBACKS
Cost: grows in conjunction with the size of the LAN
New, emerging technology, and hence may contain many bugs and vulnerabilities
A wireless IDS is only as effective as the individuals who analyze and respond to the data gathered by the system
CONCLUSION
Wireless intrusion detection systems are an important addition to the security of wireless local area networks. While there are drawbacks to implementing a wireless IDS, the benefits will most likely prove to outweigh the downsides.
QUESTIONS
What is policy enforcement? A policy is stated in the IDS (e.g. all wireless communications must be encrypted) and violations of it are detected as attacks.
What type of IDS is AirDefense Guard? It combines misuse (signature-based) detection with anomaly detection.
What are 'dumb' probes? They collect all the network traffic and send it to a central server for analysis.
QUESTIONS?
THANK YOU