Enhancing the Security of Corporate Wi-Fi Networks Using DAIR - PowerPoint PPT Presentation

1
Enhancing the Security of Corporate Wi-Fi Networks Using DAIR
  • Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec Wolman, Brian Zill
  • Microsoft Research, Cornell University
2
Motivation
  • Corporations are becoming increasingly dependent on WLAN infrastructure
  • Worldwide enterprise WLAN business expected to grow from $1.1 billion this year to $3.5 billion in 2009
  • Wi-Fi networks are vulnerable to many threats
    • Rogue AP, Denial of Service, Phishing
    • DefCon 2005: Wi-Fi Pistol, Wi-Fi Sniper Rifle, Wi-Fi Bouncing, AirSnarf box

3
Example Rogue AP
  • A careless employee brings an AP from home and plugs it into the corporate Ethernet
    • Bypasses corporate Wi-Fi security measures, for example WPA and 802.1X
    • Permits unauthorized users to connect to the corporate network
    • Malicious user outside the building?
  • Widespread problem
    • Ongoing concern for the MS IT department
    • Surveyed two major US universities, found multiple rogue APs

4
Need for WiFi Monitoring Systems
  • Preventive measures such as 802.1X do not guarantee full security
  • In addition, we need a WiFi monitoring system to detect problems in operational WiFi networks
    • Detect a rogue AP by overhearing packets containing an unknown BSSID

5
Challenges in Building an Enterprise-scale WiFi Monitoring System
  • Scale of WLAN
    • Microsoft's WLAN has over 5000 APs
    • Need to deploy many monitors
  • Rapid fading of signal in indoor environment
  • Multiple orthogonal channels
    • May need observations from multiple vantage points
  • Pinpoint location of rogue AP

6
Example Scenario
[Figure: floor plan with monitors marked X, plus a rogue AP and its client]
Demonstrates need for dense deployment of monitors
7
State of the Art
  • AP-based monitoring [Aruba, AirDefense, ...]
    • Pros: easy to deploy (APs are under central control)
    • Cons: single-radio APs cannot be effective monitors
  • Specialized sensor boxes [Aruba, AirTight, ...]
    • Pros: can provide detailed signal-level analysis
    • Cons: expensive, so cannot be deployed densely
  • Monitoring by mobile clients [Adya et al., MobiCom 2004]
    • Pros: inexpensive, suitable for unmanaged environments
    • Cons:
      • Coverage not predictable (mobile, battery-powered clients)
      • Only monitor the channel they are connected on

8
Observation
  • Desktop PCs with good wired connectivity are ubiquitous in enterprises
  • Outfitting a desktop PC with 802.11 wireless is inexpensive
    • Wireless USB dongles are cheap, as low as $6.99 at online retailers
    • PC motherboards are starting to appear with built-in 802.11 radios

Combine to create a dense deployment of wireless sensors: DAIR (Dense Array of Inexpensive Radios)
9
DAIR Architecture
[Figure: components of DAIR]
  • AirMonitors and a LandMonitor (1 per subnet), attached to the wired network
  • Database
  • Inference Engine
  • Other data: SNMP, configuration
10
Monitor Architecture
[Figure: software stack of a monitor]
  • Wireless NIC driver and wired NIC driver
  • Driver interface
  • Filter processor running a set of filters
  • SQL helper, which submits results to the database
    • Every 30 seconds: submit the list of all unique BSSIDs seen on a given channel
11
Key Characteristics of DAIR
  • High sensor density at low cost
    • Leverages existing desktop resources
    • Effective monitoring in indoor environments
    • Can tolerate loss of a few sensors
  • Sensors are (mostly) stationary
    • Provides predictable coverage
    • Permits meaningful historical analysis

12
Applications of the DAIR Platform
  • Security applications
    • Detecting attacks on Wi-Fi networks
    • Responding to such attacks
  • Performance management
    • Monitor RF coverage
    • Load balancing
  • Location service to support the above applications

13
A Partial List of Threats to Wi-Fi Networks
  • Rogue AP / rogue wireless networks
  • Denial of service
    • Fake disassociation [Bellardo and Savage, 2003]
    • NAV attack [Bellardo and Savage, 2003]
    • DIFS attack [Raya, Hubaux and Aad, 2004]
    • Jamming
  • Phishing
    • Set up a fake AP that advertises a well-known SSID
    • Lure unsuspecting users
    • Acquire passwords

14
Rogue Wireless Networks
  • An uninformed or careless employee who doesn't understand (or chooses not to think about) the security implications
    • Brings an AP from home and attaches it to the corporate network
    • Configures a desktop PC with a wireless interface to create a rogue ad-hoc network
  • Bypasses security measures such as WPA and 802.1X

15
Simple Solution
[Figure: an AirMonitor overhears BSSID 0C3B5A with SSID JoesAP and reports it to the database]
Database, Known table:
  BSSID   SSID
  0008AC  MSFT
  00093B  MSRLAB
Database, Seen table (after the report arrives):
  BSSID   SSID
  0008AC  MSFT
  00093B  MSRLAB
  0C3B5A  JoesAP
Inference Engine: a BSSID in Seen but not in Known is flagged as a rogue AP
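The Known/Seen comparison in the figure, written out as an added Python example (this is not code from the DAIR project): the per-channel summary an AirMonitor would upload and the inference engine's lookup against the authorized-AP table. The monitor names, the full BSSIDs and the observation rows are constructed for the example; the slide shows only the first three bytes of each address. The example also reports an authorized BSSID heard with an SSID other than the one on record, a hint the plain set difference would miss.

```python
from collections import defaultdict

# Authorized APs from the IT inventory (the "Known" table). Constructed for
# this example; the slide shows only the first three bytes of each BSSID.
KNOWN_APS = {
    "00:08:ac:11:22:33": "MSFT",
    "00:09:3b:44:55:66": "MSRLAB",
}

# Raw observations as AirMonitors would record them: (monitor, channel, BSSID,
# SSID). Monitor names and addresses are made up for the example.
OBSERVATIONS = [
    ("am-bldg112-3041", 1,  "00:08:ac:11:22:33", "MSFT"),
    ("am-bldg112-3041", 1,  "00:08:AC:11:22:33", "MSFT"),       # same AP, different case
    ("am-bldg112-3041", 6,  "0c:3b:5a:77:88:99", "JoesAP"),
    ("am-bldg112-3055", 6,  "0c:3b:5a:77:88:99", "JoesAP"),
    ("am-bldg112-3055", 11, "00:09:3b:44:55:66", "MSRLAB"),
    ("am-bldg112-3055", 11, "00:09:3b:44:55:66", "Free-WiFi"),  # known BSSID, unexpected SSID
]


def summarize(observations):
    """Per-monitor summary an AirMonitor submits every 30 seconds (slide 10):
    the unique (BSSID, SSID) pairs heard on each channel, BSSIDs normalized."""
    seen = defaultdict(set)
    for monitor, channel, bssid, ssid in observations:
        seen[(monitor, channel)].add((bssid.lower(), ssid))
    return seen


def find_rogues(known, seen):
    """Inference engine: BSSIDs present in Seen but absent from Known, with the
    monitors and channels that heard them (the input a location service needs)."""
    rogues = {}
    for (monitor, channel), pairs in seen.items():
        for bssid, ssid in pairs:
            if bssid in known:
                continue
            entry = rogues.setdefault(bssid, {"ssid": ssid, "monitors": set(), "channels": set()})
            entry["monitors"].add(monitor)
            entry["channels"].add(channel)
    return rogues


def find_ssid_mismatches(known, seen):
    """Authorized BSSIDs advertising an SSID other than the one on record: a
    hint (not proof) that someone is spoofing a real AP's address."""
    mismatches = set()
    for pairs in seen.values():
        for bssid, ssid in pairs:
            if bssid in known and known[bssid] != ssid:
                mismatches.add((bssid, ssid))
    return mismatches


if __name__ == "__main__":
    seen = summarize(OBSERVATIONS)
    for bssid, info in find_rogues(KNOWN_APS, seen).items():
        print(f"rogue {bssid} ssid={info['ssid']} heard by {sorted(info['monitors'])} on channels {sorted(info['channels'])}")
    for bssid, ssid in find_ssid_mismatches(KNOWN_APS, seen):
        print(f"authorized {bssid} seen with unexpected ssid={ssid!r}")
```

Both lookups are pure set operations on the summaries, which is what lets the database side stay cheap at scale; the list of monitors per rogue BSSID is what the later tests and the location service consume.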
16
Problem with the Simple Solution
  • False positives
    • Multi-office buildings
  • False negatives
    • Malicious attacker fakes an authorized SSID / BSSID
  • DAIR can help reduce both false positives and false negatives
    • No foolproof way to avoid false positives/negatives completely
    • DAIR raises the bar while generating fewer alarms

17
Reducing False Positives
  • Detect whether the rogue AP is connected to the corporate wired network
  • Series of tests
    • Association test
    • Source/destination address test
    • Replay test

18
Association Test
[Figure: the AirMonitor associates with the suspect AP 0C3B5A (JoesAP) and tries to reach a machine inside the corporate firewall; the database and inference engine coordinate the test]
If the AirMonitor can connect to a machine inside the firewall via the AP, then the AP is connected to the corporate wired network
19
Association Test
  • Test will fail if the AP uses WEP or MAC address filtering
    • People configure home APs with WEP or MAC filtering
  • Failure means we need additional tests

20
Source / Destination Address Test
[Figure: the LandMonitor reports the MAC addresses of the subnet routers (e.g. 085B3F, 083C4F) to the database; the inference engine checks the addresses in frames overheard by the AirMonitor against them]


21
Source / Destination Address Test
802.11 data frame (with encryption): unencrypted header, encrypted payload
Header MAC addresses, for a frame from the client to the access point: Receiver (access point), Transmitter (client), Destination
Known address? If the Destination Address belongs to a subnet router, then the AP is connected to the corporate wired network
Similar test for the Source Address
22
Source / Destination Address Test
  • Test will fail if the AP is really a NAT/router
    • Many home APs combine AP and NAT/router functionality
  • Failure means that additional tests are needed
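The address test on slides 20 to 22, as an added Python example (not DAIR's code): parse the unencrypted 802.11 MAC header, resolve which of the three addresses is the destination, source and BSSID from the ToDS/FromDS bits, and compare the address on the far side of the AP with the subnet-router MACs a LandMonitor would report. The router, client and AP addresses, the frame builder and the opaque "encrypted" body are constructed for the example. It also shows the NAT case from slide 22: the far-side address is the home router's own LAN MAC, so the test returns False and the suspect is not cleared, only left undecided.

```python
import struct

# Constructed for this example: MAC addresses of the subnet routers as a
# LandMonitor would report them (made-up addresses, not real infrastructure).
SUBNET_ROUTER_MACS = {"08:5b:3f:00:00:01", "08:3c:4f:00:00:01"}

# Frame Control field read as a little-endian 16-bit value:
# low byte holds version/type/subtype, high byte holds the flags.
FC_TO_DS = 0x0100
FC_FROM_DS = 0x0200
FC_PROTECTED = 0x4000
TYPE_DATA = 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, body, protected=True):
    """Build a minimal 802.11 data frame (24-byte header + body); used here only
    to construct sample input, an AirMonitor would capture real frames."""
    fc = TYPE_DATA << 2
    if to_ds:
        fc |= FC_TO_DS
    if from_ds:
        fc |= FC_FROM_DS
    if protected:
        fc |= FC_PROTECTED
    header = struct.pack("<HH", fc, 0)                       # frame control, duration
    header += mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
    header += struct.pack("<H", 0)                           # sequence control
    return header + body


def parse_data_frame(frame):
    """Resolve DA/SA/BSSID of a data frame from the unencrypted header.
    Returns None for non-data frames, truncated frames and 4-address (WDS) frames."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != TYPE_DATA:
        return None
    a1, a2, a3 = (bytes_to_mac(frame[o:o + 6]) for o in (4, 10, 16))
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    if to_ds and not from_ds:          # client -> AP: A1 = BSSID, A2 = SA, A3 = DA
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:        # AP -> client: A1 = DA, A2 = BSSID, A3 = SA
        da, bssid, sa = a1, a2, a3
    elif not to_ds and not from_ds:    # ad hoc: A1 = DA, A2 = SA, A3 = BSSID
        da, sa, bssid = a1, a2, a3
    else:
        return None
    return {"to_ds": to_ds, "from_ds": from_ds, "protected": bool(fc & FC_PROTECTED),
            "da": da, "sa": sa, "bssid": bssid}


def address_test(frame, router_macs):
    """True: the far-side address is a subnet router, so the AP bridges onto the
    corporate wire. False: inconclusive (for instance the AP is a NAT/router).
    None: not a usable data frame. No decryption is needed."""
    hdr = parse_data_frame(frame)
    if hdr is None:
        return None
    if hdr["to_ds"]:
        far_side = [hdr["da"]]                  # destination beyond the AP
    elif hdr["from_ds"]:
        far_side = [hdr["sa"]]                  # source beyond the AP
    else:
        far_side = [hdr["da"], hdr["sa"]]       # ad hoc: no DS, check both ends
    return any(addr in router_macs for addr in far_side)


# Constructed sample frames. NAT_LAN is the LAN-side MAC of a home NAT router,
# the case slide 22 says this test cannot resolve.
CLIENT = "00:1a:2b:3c:4d:5e"
ROGUE_AP = "0c:3b:5a:00:00:01"
ROUTER = "08:5b:3f:00:00:01"
NAT_LAN = "0c:3b:5a:00:00:02"
BODY = bytes.fromhex("8f3a1c77e2105bd9")                    # opaque encrypted payload

FRAME_VIA_BRIDGE = build_data_frame(True, False, ROGUE_AP, CLIENT, ROUTER, BODY)
FRAME_VIA_NAT = build_data_frame(True, False, ROGUE_AP, CLIENT, NAT_LAN, BODY)
FRAME_FROM_DS = build_data_frame(False, True, CLIENT, ROGUE_AP, ROUTER, BODY)
BEACON = struct.pack("<HH", 0x0080, 0) + bytes(20)           # management frame, subtype 8

if __name__ == "__main__":
    for name, f in [("bridge", FRAME_VIA_BRIDGE), ("nat", FRAME_VIA_NAT),
                    ("from-ds", FRAME_FROM_DS), ("beacon", BEACON)]:
        print(name, address_test(f, SUBNET_ROUTER_MACS))
```

The direction-dependent address mapping is the part that is easy to get wrong in a monitor: for ToDS frames the destination is the third address, for FromDS frames the source is, and a 4-address WDS frame carries neither in those slots, so the parser refuses it rather than guess.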

23
Replay Test
[Figure: AirMonitors (X) around the suspect AP, with the numbered steps of the test running from capture to the LandMonitor's verdict]
  1. AirMonitors capture data packets
  2. At the same time, LandMonitors are alerted to watch for duplicate packets on the wired network
  3. One of the AirMonitors replays the captured packets; each packet is replayed multiple times
  4. LandMonitors report whether the duplicates appeared on the wire
24
Replay Test
  • No need to decrypt packets
  • Works for NAT/routers
    • Even rogue ad-hoc networks
  • Fails if a replay-resistant crypto scheme is used
    • WPA2

25
Scalability
  • Load on database server
  • Load on individual AirMonitors
  • Additional wired network traffic

26
Load on Database Server
[Figure: database server CPU load (%) plotted over 24 hours, 1AM to 1AM]
  • 12 AirMonitors
  • AirMonitors submit summarized data every 2 minutes
  • Database server: MS-SQL 2005, 1.7GHz P4 with 1GB RAM
27
Load on Client Machine
Additional network traffic: 2-5 Kbps per AirMonitor
28
Summary
  • Built a scalable, cost-effective, dense WLAN
    monitoring platform in a corporate environment
  • Explored ways to leverage the platform to monitor
    threats to Wi-Fi networks

29
Related Work
  • Campus-wide Wi-Fi monitoring system [Kotz and Essin, 2005]
  • Monitoring a corporate network for mobility patterns [Balazinska and Castro, 2003]
  • Tools for analysis of packet-level Wi-Fi traces
    • WIT [Mahajan et al., 2006]
    • JigSaw [Cheng et al., 2006]

30
DAIR ongoing work
  • Which channels should each AirMonitor listen on?
    • What scanning strategy to use? [Deshpande et al., 2006]
    • Depends on density of AirMonitors and on the environment
  • Building an effective location system
  • Building performance management tools

31
Backup slides
32
Wired Solutions
  • Monitor CAM tables for unauthorized Ethernet addresses
    • Not scalable
    • Easy to fake an Ethernet address
  • Monitor DHCP requests, deny those from unauthorized clients
    • Bypassed using an authorized client as forwarder
  • IPSec
    • Not widely used: hard to manage in heterogeneous environments
    • Bypassed using authorized clients acting as forwarders
    • Many machines on corporate LANs do not use IPSec
      • Management servers on switches, printers
      • Gateway machines

33
Reducing False Negatives
  • Suspect is using an authorized SSID / BSSID
  • If the real AP is still active
    • Packet sequence numbers are not monotonic
  • If the real AP is not active
    • Determine location of the suspect
    • If different than expected, raise an alarm
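The sequence-number check for the "real AP still active" branch, as an added Python example (not DAIR's code; the location branch is not modeled). An 802.11 transmitter numbers its frames with a 12-bit counter that wraps at 4096 and repeats a number only on retransmission, so one genuine AP produces a stream that moves forward in small steps; an impostor reusing the same BSSID brings a second counter, and the merged stream keeps jumping between the two. The tolerance for missed frames, the alarm threshold and the observation streams below are assumptions for the example.

```python
SEQ_MODULUS = 4096        # 802.11 sequence numbers are 12 bits wide
FORWARD_TOLERANCE = 256   # assumed: frames we may fail to overhear between two observations
ALARM_THRESHOLD = 3       # assumed: jumps needed before raising an alarm


def sequence_anomalies(seqs, tolerance=FORWARD_TOLERANCE):
    """Count observations whose sequence number does not continue the previous one.

    The difference is taken modulo 4096 so a wrap from 4095 to 0 is a step of 1,
    and a retransmission (same number) is a step of 0. A step larger than the
    tolerance means the number went backwards or jumped implausibly far forward,
    which is what two interleaved counters look like.
    """
    anomalies = 0
    prev = None
    for seq in seqs:
        if prev is not None and (seq - prev) % SEQ_MODULUS > tolerance:
            anomalies += 1
        prev = seq
    return anomalies


def spoofed_bssid(observations, bssid, threshold=ALARM_THRESHOLD, tolerance=FORWARD_TOLERANCE):
    """observations: (transmitter BSSID, sequence number) pairs in arrival order,
    as overheard by one AirMonitor. Returns True if the frames carrying `bssid`
    look like they come from more than one transmitter."""
    seqs = [seq for b, seq in observations if b.lower() == bssid.lower()]
    return sequence_anomalies(seqs, tolerance) >= threshold


# Constructed observation streams for an authorized BSSID.
AUTHORIZED = "00:08:ac:11:22:33"
# One transmitter: small steps, one retransmission, a wrap from 4095 to 0.
GENUINE_STREAM = [(AUTHORIZED, s) for s in (4090, 4091, 4091, 4093, 4095, 0, 1, 2)]
# Real AP counting from 100 interleaved with an impostor counting from 2500;
# frames from an unrelated BSSID are mixed in and must be ignored.
SPOOFED_STREAM = [
    (AUTHORIZED, 100), ("00:09:3b:44:55:66", 7), (AUTHORIZED, 2500),
    (AUTHORIZED, 101), (AUTHORIZED, 2501), ("00:09:3b:44:55:66", 8),
    (AUTHORIZED, 102), (AUTHORIZED, 2502),
]

if __name__ == "__main__":
    print("genuine:", spoofed_bssid(GENUINE_STREAM, AUTHORIZED))
    print("spoofed:", spoofed_bssid(SPOOFED_STREAM, AUTHORIZED))
```

The check is only meaningful while the genuine AP is transmitting, which is why the slide pairs it with the location test; an attacker who first silences the real AP (for example with the deauthentication attacks listed earlier) leaves a single clean counter.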

34
Example Indoor WLAN Monitoring
[Figure: floor plan with the reception rates measured at six locations; red = beacon reception rate, blue = data packet reception rate. One location shows 97 / 1.7, another 26 / 0, the remaining four 0 / 0]
  • Rapid loss of signal strength in indoor environments
  • Complex, time-varying signal propagation
36
Taxonomy of Attacks on Wi-Fi Networks
  • Eavesdropping
    • Passive snooping (perhaps with high-gain antennas)
    • Nearly impossible to detect
    • Cryptographic techniques generally considered sufficient
  • Intrusion
    • Rogue AP / rogue ad-hoc network
    • Cryptographic techniques not enough, need continuous monitoring
  • Denial of service
    • Fake deauthentication/disassociation, NAV attacks
    • Need monitoring system
  • Phishing

37
Enterprise-scale WLAN Monitoring System
Challenges and Design Requirements
  • Rapid fading in indoor environments
  • Complex, time-varying signal propagation
  • Many orthogonal channels
    • Need information from many monitors
    • Dense deployment of monitors
  • Monitors must be self-configuring
  • Scalable data gathering and processing
  • Must cope with incomplete data

38
Replay Test
  • AirMonitors replay packets with the suspect BSSID
    • If the suspect is an AP, only replay packets with the ToDS bit set
    • No need to decrypt the packet
    • Each packet is replayed multiple times (say 5)
  • LandMonitors detect whether duplicate packets are seen on the wired network
  • Works for rogue ad-hoc networks
  • Fails if the suspect is using WPA2 or other crypto schemes that are robust against replay attacks
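The replay test from slides 23, 24 and 38, as an added Python example (not DAIR's code). Both sides of the procedure are modeled: the AirMonitor replays only the captured ToDS frames, several times each and without decrypting them, while a LandMonitor that was alerted beforehand counts how often those frames reappear on the wired segment. Because the AP rewrites the 802.11 header into an Ethernet header when it bridges, the LandMonitor matches on a fingerprint of the opaque encrypted body only. The suspect AP is a constructed toy model with two modes: an open or WEP AP that bridges every ToDS frame, and a WPA2-like AP that drops any frame whose per-sender packet number does not increase, which is the failure case the slide names. The frames, addresses, replay count and duplicate threshold are assumptions for the example.

```python
import hashlib
from collections import Counter

REPLAY_COUNT = 5      # each captured frame is replayed 5 times (slide 38)
MIN_DUPLICATES = 2    # assumed threshold: copies seen on the wire before concluding


def fingerprint(frame):
    """Match on the encrypted body only: the 802.11 header does not survive bridging."""
    return hashlib.sha256(frame["body"]).hexdigest()


class SuspectAP:
    """Toy model of the suspect AP, constructed for this example.

    replay_protected=False: open/WEP/MAC-filtered AP that bridges every ToDS frame.
    replay_protected=True: mimics a WPA2-style per-sender packet-number check and
    drops any frame whose number is not greater than the last accepted one.
    """

    def __init__(self, replay_protected):
        self.replay_protected = replay_protected
        self.last_pn = {}
        self.wire = []           # fingerprints of frames forwarded onto the wired side

    def receive(self, frame):
        if not frame["to_ds"]:
            return               # only frames headed into the DS get bridged
        if self.replay_protected:
            if frame["pn"] <= self.last_pn.get(frame["sa"], -1):
                return           # replayed frame discarded, nothing reaches the wire
            self.last_pn[frame["sa"]] = frame["pn"]
        self.wire.append(fingerprint(frame))


class LandMonitor:
    """Watches one wired segment (shared list stands in for a capture on the wire)."""

    def __init__(self, wire):
        self.wire = wire
        self.start = 0
        self.wanted = set()

    def watch(self, fingerprints):
        self.start = len(self.wire)      # only frames arriving after the alert count
        self.wanted = set(fingerprints)

    def duplicates(self):
        seen = Counter(fp for fp in self.wire[self.start:] if fp in self.wanted)
        return max(seen.values(), default=0)


def replay_test(captured, ap, replay_count=REPLAY_COUNT):
    """Return True if replaying the captured ToDS frames through the suspect
    makes them reappear on the corporate wire."""
    to_replay = [f for f in captured if f["to_ds"]]
    lm = LandMonitor(ap.wire)
    lm.watch(fingerprint(f) for f in to_replay)    # alert the LandMonitor first
    for frame in to_replay:                        # AirMonitor replays, no decryption
        for _ in range(replay_count):
            ap.receive(frame)
    return lm.duplicates() >= MIN_DUPLICATES


def sample_capture():
    """Constructed frames as an AirMonitor might record them: direction bit,
    transmitter MAC, per-sender packet number and the opaque encrypted body."""
    client, ap = "00:1a:2b:3c:4d:5e", "0c:3b:5a:00:00:01"
    return [
        {"to_ds": True, "sa": client, "pn": 41, "body": bytes.fromhex("8f3a1c77e2105bd9")},
        {"to_ds": True, "sa": client, "pn": 42, "body": bytes.fromhex("04d26e91ab33f0c8")},
        {"to_ds": False, "sa": ap, "pn": 900, "body": bytes.fromhex("5e5e21c0aa1937f4")},
    ]


def run_replay_test(replay_protected):
    """Genuine traffic flows first (the AirMonitor overhears it), then the test runs."""
    ap = SuspectAP(replay_protected)
    capture = sample_capture()
    for frame in capture:
        ap.receive(frame)
    return replay_test(capture, ap)


if __name__ == "__main__":
    print("open/WEP AP bridges to wire:", run_replay_test(replay_protected=False))
    print("WPA2-like AP bridges to wire:", run_replay_test(replay_protected=True))
```

Alerting the LandMonitor before replaying matters: the genuine copies of the same frames already crossed the wire once, and only copies that arrive after the alert are evidence that the suspect forwarded the replay. The WPA2 case returns False rather than "not connected", which is why the slide treats a failed test as inconclusive and not as a clean bill.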
