WIRELESS INTRUSION DETECTION SYTEMS

1
WIRELESS INTRUSION DETECTION SYTEMS

• Namratha Vemuri
• Balasubramanian Kandaswamy

2

• THREATS
• VICTIMS
• IDS
• TYPES OF IDS
• ARCHITECTURE
• IMPLEMENTATION
• TOOLS USED
• ADMINISTRATION

3
THREATS

• Reconnaissance, theft of identity and denial of
  service (DoS)
• Signal range of authorized AP.
• Physical security of an authorized AP
• Rogue or unauthorized AP
• Easy installation of an AP
• Poorly configured AP
• Protocol weakness and capacity limits on AP

4
(No Transcript)
5
What are attacked?

• Corporate network and servers
• Attempted penetration through the official access
  points(target 1) into the corporate network.
• DOS attacks as most of them are TCP/IP based
• Wireless Clients
• the Access point behaves as a hub connecting the
  authorized wireless clients directly to the bad
  buys inevitably this will expose a connecting pc
  to a huge array of IP based attack.

6

• Unauthorized Access point
• Unofficial access points installed by user
  departments (target 4) represent a huge risk as
  the security configuration is often questionable
• Bogus Access points (Target 5) represent a
  different threat as these can be used to hijack
  sessions at the data link layer and steal
  valuable information.
• o Target 3 The legitimate Access point

7

• To protect our network
• where all access points reside on our network
• what actions to take to close down any
  unauthorized access points that do not confirm to
  the company security standards what wireless
  users are connected to our network
• what unencrypted data is being accessed and
  exchanged by those users

8
What is IDS?

• IDS is not a firewall
• IDS watch network from the inside and report or
  alarm
• IDS monitors APs ,compares security controls
  defined on the AP with predefined company
  security standards then reset or closedown any
  non-conforming APs they find.
• IDS identifies,alerts on unauthorized MAC
  addresses ,tracks down hackers.

9

• Intrusion detection systems are designed and
  built to monitor and report on network
  activities, or packets, between communicating
  devices.
• Many commercial and open source tools are
  used
• TOOLS
• capture and store the WLAN traffic,
• analyse that traffic and create reports
• analyse signal strength and transmission
• speed

10
ID SYSTEM ACTIVITIES
11
INFRASTRUCTURE
12
ARCHITECTURE
13

• IDS
• a sensor (an analysis engine) that is responsible
  for detecting intrusions (contains decision
  making mechanism)
• Sensor recevies message from own IDS knowledge
  base, syslog and audit trails.
• Syslog may include, for example, configuration of
  file system, user authorizations etc. This
  information creates the basis for a further
  decision-making process.

14
TYPES OF IDS

• Misuse or Anomaly IDS
• Network based or Host based IDS
• Passive or Reactive IDS

15
ARCHITECTURE

• CENTRALIZED combination of individual sensors
  which collect and forward 802.11 data to a
  centralized management system.
• DISTRIBUTED one or more devices that perform
  both the data gathering and processing/reporting
  functions if various IDS

16

• Distributed is best suited for smaller WLANS due
  to cost and management issues
• Cost of many sensors with data processing
• Management of multiple processing/reporting
  sensors

17

• In centralized, it is to easy to maintain only
  one IDS where all the data is analyzed and
  formatted.
• Single point of failure
• Adds to additional network traffic running
  concurrently, impact on network performance

18
IMPLEMENATION OF IDS

• Comprises of a mixture of hardware and software
  called intrusion detection sensors.
• Located on the network and examines traffic.
• Where the sensors should be placed??!!
• How many do wee need??!!

19
Not just to detect attackers..

• Helps to Enforce Policies
• Polcies for encryption
• Can report if a un encrypted packet is detectet.
• With proper enforcement WEP can be acchieved
  (next slide)

20
Why do we need these

• To achieve WEP
• What's WEP?
  Wired Equivalent Privacy
• Why do we need it?

21
People responsible

• IDS security analysts who can interpret the
  alerts (Passive IDS).
• IDS software programmers
• IDS database administrators (misuse or anomaly
  IDS)

22
Couple of open source IDS

• KISMET 802.11 a/b/g network sniffer
• NETSTUMBLER

23
Kismet 802.11a/b/g network sniffer

• Passively collects network traffic(listens),
  detects the standard named networks and detecting
  hidden (non beaconing) networks
• Analyze the data traffic and build a picture of
  data movement

24
(No Transcript)
25
NetStumbler

• Sends 802.11 probes
• Actively scans by sending out request every
  second and reporting the responses
• APs by default respond to these probes
• Used for wardriving or wilding.

26
(No Transcript)
27
Who manages and administers WIDS?

• Large organization (Network Operations group)
• AirMagnet Distributed 4.0,
• AirDefense Enterprise v4.1
• Red-M
• Small and Medium Organization
• Managed Security Service Provider (MSSP)

28

• AirMagnet Distributed
• Sensors report network performance information
• Alerts management server
• Airmagnet reporter generates reports from threat
  summaries to channel RF signal strength
• Ex Using Find tool, we can manually and
  physically track down location of the rogue user

29
(No Transcript)
30

• AirDefense
• AirDefense system consists of a server running
  Red Hat Linux with distributed wireless AP
  sensors and a Java-based Web console.
• The AirDefense Web console and AP sensors
  communicate on a secure channel to the server

31
(No Transcript)
32

• Red-M
• Red-M includes Red-Alert and Red-Vision.
• Red- Alert is a standalone wireless probe which
  can detect unauthorized Bluetooth devices as well
  as 802.11a/b/g networks.
• Red-Vision ss a modular set of products
  consisting of three main components
• Red-Vision Server, Red-Vision Laptop Client
  and Red-Vision Viewer.

33
Red Vision (cont)

• Red vision server (Heart)
• Red vision laptop client (Ear)
• Red Vision viewer ( Brain)

34
Wireless IDS drawbacks

• Cost
• Cost grows in conjunction with size of the LAN
• New emerging technology and hence may contain
  many bugs and vulnerabilities.
• A wireless IDS is only as effective as the
  individuals who analyze and respond to the data
  gathered by the system

35
Conclusion

• Wireless intrusion detection systems are an
  important addition to the security of wireless
  local area networks. While there are drawbacks to
  implementing a wireless IDS, the benefits will
  most likely prove to outweigh the downsides

36
QUESTIONS

• What is Policy Enforcement ?
• A policy is stated by IDS (Ex all wireless
  communications must be encrypted) to detect the
  attack
• What type of ID is AirDefense Guard?
• It is misuse or signature based anomaly.
• What are dumb probes?
• They collect all the network traffic and send
  it to central server for analyses

37
REFERENCES

• http//www.telecomweb.com/readingroom/Wireless_Int
  rusion_Detection.pdf
• http//www.giac.org/certified_professionals/practi
  cals/gsec/4210.php
• http//www.sans.org/rr/whitepapers/wireless/1543.p
  hp
• http//www-loud-fat-bloke.co.uk/articles/widz-desi
  gn.pdf

38

• QUESTIONS?

39

• THANKYOU