Title: Enhancing the Security of Corporate Wi-Fi Networks Using DAIR
1 Enhancing the Security of Corporate Wi-Fi Networks Using DAIR
Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec Wolman, Brian Zill
Microsoft Research; Cornell University
2 Motivation
- Corporations are becoming increasingly dependent on WLAN infrastructure
- Worldwide enterprise WLAN business expected to grow from $1.1 billion this year to $3.5 billion in 2009
- Wi-Fi networks are vulnerable to many threats
  - Rogue APs, denial of service, phishing
  - DefCon 2005: Wi-Fi Pistol, Wi-Fi Sniper Rifle, Wi-Fi Bouncing, AirSnarf box
3 Example: Rogue AP
- Careless employee brings an AP from home and plugs it into the corporate Ethernet
- Bypasses corporate Wi-Fi security measures
  - For example WPA, 802.1X
- Permits unauthorized users to connect to the corporate network
  - Malicious user outside the building?
- Widespread problem
  - Ongoing concern for the MS IT department
  - Surveyed two major US universities, found multiple rogue APs
4 Need for Wi-Fi Monitoring Systems
- Preventive measures such as 802.1X do not guarantee full security
- In addition, need a Wi-Fi monitoring system to detect problems in operational Wi-Fi networks
  - Detect a rogue AP by overhearing packets containing an unknown BSSID
5 Challenges in Building an Enterprise-scale Wi-Fi Monitoring System
- Scale of the WLAN
  - Microsoft's WLAN has over 5000 APs
  - Need to deploy many monitors
- Rapid fading of signal in indoor environments
- Multiple orthogonal channels
- May need observations from multiple vantage points
  - Pinpoint the location of a rogue AP
6 Example Scenario
[Figure: floor plan marking five monitor positions (X) and the position of the rogue AP and its client]
Demonstrates the need for dense deployment of monitors
7 State of the Art
- AP-based monitoring (Aruba, AirDefense, ...)
  - Pros: easy to deploy (APs are under central control)
  - Cons: single-radio APs cannot be effective monitors
- Specialized sensor boxes (Aruba, AirTight, ...)
  - Pros: can provide detailed signal-level analysis
  - Cons: expensive, so cannot be deployed densely
- Monitoring by mobile clients (Adya et al., MobiCom 2004)
  - Pros: inexpensive, suitable for unmanaged environments
  - Cons:
    - Coverage not predictable (mobile, battery-powered clients)
    - Only monitor the channel they are connected on
8 Observation
- Desktop PCs with good wired connectivity are ubiquitous in enterprises
- Outfitting a desktop PC with 802.11 wireless is inexpensive
  - Wireless USB dongles are cheap
    - As low as $6.99 at online retailers
  - PC motherboards are starting to appear with built-in 802.11 radios
Combine the two to create a dense deployment of wireless sensors: DAIR, a Dense Array of Inexpensive Radios
9 DAIR Architecture
[Figure: AirMonitors and one LandMonitor per subnet report over the wired network into a central Database, which also holds other data (SNMP, configuration); an Inference Engine queries the Database]
10 Monitor Architecture
[Figure: the Wireless NIC Driver and Wired NIC Driver feed a Driver Interface; a Filter Processor runs a chain of Filters over the captured frames; a SQL Helper submits the filtered results to the Database. Example filter: every 30 seconds, submit the list of all unique BSSIDs seen on a given channel]
11 Key Characteristics of DAIR
- High sensor density at low cost
- Leverages existing desktop resources
- Effective monitoring in indoor environments
- Can tolerate loss of a few sensors
- Sensors are (mostly) stationary
- Provides predictable coverage
- Permits meaningful historical analysis
12 Applications of the DAIR Platform
- Security applications
- Detecting attacks on Wi-Fi networks
- Responding to such attacks
- Performance management
- Monitor RF coverage
- Load balancing
- Location service to support above applications
13 A Partial List of Threats to Wi-Fi Networks
- Rogue AP / rogue wireless networks
- Denial of service
  - Fake disassociation (Bellardo and Savage, 2003)
  - NAV attack (Bellardo and Savage, 2003)
  - DIFS attack (Raya, Hubaux and Aad, 2004)
  - Jamming
- Phishing
  - Set up a fake AP that advertises a well-known SSID
  - Lure unsuspecting users
  - Acquire passwords
14 Rogue Wireless Networks
- An uninformed or careless employee who doesn't understand (or chooses not to think about) the security implications
  - Brings an AP from home and attaches it to the corporate network
  - Configures a desktop PC with a wireless interface to create a rogue ad-hoc network
- Bypasses security measures such as WPA, 802.1X
15 Simple Solution
[Figure: an AirMonitor overhears BSSID 0C3B5A with SSID JoesAP and reports it to the Database; the Inference Engine compares the Seen table against the Known table]
Known:
BSSID   SSID
0008AC  MSFT
00093B  MSRLAB

Seen:
BSSID   SSID
0008AC  MSFT
00093B  MSRLAB
0C3B5A  JoesAP
16 Problems with the Simple Solution
- False positives
  - Multi-office buildings: a neighbour's AP is overheard but is not connected to the corporate network
- False negatives
  - Malicious attacker fakes an authorized SSID / BSSID
- DAIR can help reduce both false positives and false negatives
  - No foolproof way to avoid false positives/negatives completely
  - DAIR raises the bar while generating fewer alarms
17 Reducing False Positives
- Detect whether the rogue AP is connected to the corporate wired network
- Series of tests
  - Association test
  - Source/destination address test
  - Replay test
18 Association Test
[Figure: an AirMonitor associates with 0C3B5A JoesAP and tries to reach a machine inside the corporate firewall; the Inference Engine directs the test through the Database]
If the AirMonitor can connect to a machine inside the firewall via the AP, then the AP is connected to the corporate wired network
19 Association Test
- Test cannot complete if the AP uses WEP or MAC address filtering (the AirMonitor cannot associate, so the result is inconclusive, not "not connected")
  - People do configure home APs with WEP or MAC filtering
- Failure means we need additional tests
20 Source / Destination Address Test
[Figure: the LandMonitor reports the MAC addresses of the subnet routers (085B3F, 083C4F) to the Database; the Inference Engine compares them against the addresses in frames the AirMonitor captures from the suspect AP]
21 Source / Destination Address Test
[Figure: an 802.11 data frame with encryption has an unencrypted header and an encrypted payload; the header carries the MAC addresses: Receiver, Transmitter and Destination for a frame between the Client and the Access Point. Is the Destination a known address?]
If the Destination Address belongs to a subnet router, then the AP is connected to the corporate wired network
Similar test for the Source Address
22 Source / Destination Address Test
- Test will fail if the AP is really a NAT/router
  - Many home APs combine AP and NAT/router functionality; the client then addresses the AP's own gateway MAC, and the subnet router's address never appears in the air
- Failure means that additional tests are needed
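Worked example, added here and not DAIR's own code (the slides show no source): a minimal parser for the cleartext 802.11 MAC header, the per-channel BSSID summary filter of slide 10, the Known/Seen comparison of slide 15, and the source/destination address test of slides 20-22 run over captured frames. Sample frames and the full MAC addresses are constructed for the example; the slides give only three-byte prefixes. QoS and HT header fields are not handled.

```python
import struct

# Constructed sample addresses. The slides show only three-byte prefixes
# (0008AC MSFT, 0C3B5A JoesAP, subnet routers 085B3F / 083C4F); the remaining
# bytes are made up for this example.
MSFT_AP = bytes.fromhex("0008ac000001")
JOES_AP = bytes.fromhex("0c3b5a000001")
ROUTER_A = bytes.fromhex("085b3f000001")
ROUTER_B = bytes.fromhex("083c4f000001")
CLIENT = bytes.fromhex("001122334455")
BROADCAST = b"\xff" * 6
ROUTER_MACS = {ROUTER_A, ROUTER_B}   # what the LandMonitor reports for its subnet


def parse_80211(frame):
    """Parse the MAC header of a plain (non-QoS, non-HT) 802.11 frame.
    The header is never encrypted, so this works on WEP/WPA traffic.
    Address roles follow the ToDS/FromDS table of IEEE 802.11."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    hdr_len = 24
    if to_ds and from_ds:          # WDS: Addr3=DA, Addr4=SA, no single BSSID
        if len(frame) < 30:
            raise ValueError("four-address frame too short")
        da, sa, bssid, hdr_len = a3, frame[24:30], None, 30
    elif to_ds:                    # client -> AP: Addr1=BSSID Addr2=SA Addr3=DA
        bssid, sa, da = a1, a2, a3
    elif from_ds:                  # AP -> client: Addr1=DA Addr2=BSSID Addr3=SA
        da, bssid, sa = a1, a2, a3
    else:                          # management / IBSS: Addr1=DA Addr2=SA Addr3=BSSID
        da, sa, bssid = a1, a2, a3
    return {
        "type": (fc >> 2) & 0x3,          # 0 management, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "to_ds": to_ds, "from_ds": from_ds,
        "retry": bool(fc & 0x0800),
        "protected": bool(fc & 0x4000),   # payload is WEP/TKIP/CCMP encrypted
        "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF,
        "da": da, "sa": sa, "bssid": bssid,
        "body": frame[hdr_len:],
    }


def beacon_ssid(body):
    """Return the SSID element of a beacon / probe response body, or None."""
    pos = 12   # timestamp (8) + beacon interval (2) + capability (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None


def summarize(captures):
    """AirMonitor report: unique BSSIDs per channel, with the SSID where a
    beacon or probe response was overheard (None otherwise)."""
    seen = {}
    for channel, raw in captures:
        h = parse_80211(raw)
        if h["bssid"] is None:
            continue
        per_channel = seen.setdefault(channel, {})
        per_channel.setdefault(h["bssid"], None)
        if h["type"] == 0 and h["subtype"] in (5, 8):   # probe response, beacon
            per_channel[h["bssid"]] = beacon_ssid(h["body"])
    return seen


def unknown_bssids(summary, known):
    """Slide 15's simple check: every BSSID seen that is not in the Known table."""
    return {b for per_channel in summary.values() for b in per_channel} - known


def address_test(raw, router_macs):
    """Source/destination address test on one captured data frame.
    True: the cleartext header proves the suspect AP bridges onto the corporate
    wired network. False: this frame is inconclusive (never proof of the
    opposite; behind a NAT/router the subnet router's MAC never appears)."""
    h = parse_80211(raw)
    if h["type"] != 2:
        return False
    if h["to_ds"] and not h["from_ds"]:
        return h["da"] in router_macs      # client -> AP -> subnet router
    if h["from_ds"] and not h["to_ds"]:
        return h["sa"] in router_macs      # subnet router -> AP -> client
    return False


# Constructed frames for the demo
def build_beacon(bssid, ssid, seq=0):
    fc = 0x0080   # type 0 (management), subtype 8 (beacon)
    hdr = struct.pack("<HH", fc, 0) + BROADCAST + bssid + bssid + struct.pack("<H", seq << 4)
    body = b"\0" * 8 + struct.pack("<HH", 100, 0x0401) + bytes([0, len(ssid)]) + ssid.encode()
    return hdr + body


def build_data(to_ds, from_ds, a1, a2, a3, payload, protected=True, seq=0):
    fc = 0x0008 | (0x0100 if to_ds else 0) | (0x0200 if from_ds else 0) | (0x4000 if protected else 0)
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4) + payload


SAMPLE_CAPTURE = [   # (channel, raw frame) as one AirMonitor might log them
    (1, build_beacon(MSFT_AP, "MSFT")),
    (6, build_beacon(JOES_AP, "JoesAP")),
    # a client behind JoesAP sends (encrypted) to a corporate subnet router
    (6, build_data(True, False, JOES_AP, CLIENT, ROUTER_A, b"\x17" * 32, seq=41)),
]


def demo(known=frozenset({MSFT_AP})):
    """Suspect BSSIDs, and the subset proven wired by the address test."""
    summary = summarize(SAMPLE_CAPTURE)
    suspects = unknown_bssids(summary, known)
    proven_wired = {parse_80211(raw)["bssid"] for _, raw in SAMPLE_CAPTURE
                    if address_test(raw, ROUTER_MACS)}
    return suspects, proven_wired
```

address_test only ever returns a positive proof: a frame whose third address is not a subnet router proves nothing, which is exactly the NAT/router case, so the inference engine has to fall through to the replay test rather than clear the suspect.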
23 Replay Test
[Figure: AirMonitors (X) around the suspect AP; one of them replays captured packets; the LandMonitor on the wired network watches for duplicates and reports to the Inference Engine]
1. AirMonitors capture data packets
2. At the same time, LandMonitors are alerted to watch for duplicate packets on the wired network
3. One of the AirMonitors replays the captured packets
4. Each packet is replayed multiple times
24 Replay Test
- No need to decrypt packets
- Works for NAT/routers
  - Even rogue ad-hoc networks
- Fails if a replay-resistant crypto scheme is used
  - WPA2 (WPA/TKIP also checks its per-packet sequence counter, so it drops replays too)
25 Scalability
- Load on database server
- Load on individual AirMonitors
- Additional wired network traffic
26 Load on Database Server
[Figure: database server CPU load (%) over a 24-hour period, 1AM to 1AM]
12 AirMonitors; AirMonitors submit summarized data every 2 minutes; database server: MS-SQL 2005 on a 1.7GHz P4 with 1GB RAM
27 Load on Client Machine
Additional network traffic: 2-5 Kbps per AirMonitor
28 Summary
- Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment
- Explored ways to leverage the platform to monitor threats to Wi-Fi networks
29 Related Work
- Campus-wide Wi-Fi monitoring system (Kotz and Essien, 2005)
- Monitoring a corporate network for mobility patterns (Balazinska and Castro, 2003)
- Tools for analysis of packet-level Wi-Fi traces
  - Wit (Mahajan et al., 2006)
  - Jigsaw (Cheng et al., 2006)
30 DAIR Ongoing Work
- Which channels should each AirMonitor listen on?
  - What scanning strategy to use? (Deshpande et al., 2006)
  - Depends on the density of AirMonitors and the environment
- Building an effective location system
- Building performance management tools
31 Backup Slides
32 Wired Solutions
- Monitor CAM tables for unauthorized Ethernet addresses
  - Not scalable
  - Easy to fake an Ethernet address
- Monitor DHCP requests, deny unauthorized clients
  - Bypassed using an authorized client as a forwarder
- IPSec
  - Not widely used; hard to manage in heterogeneous environments
  - Bypassed using authorized clients acting as forwarders
  - Many machines on corporate LANs do not use IPSec
    - Management servers on switches, printers
    - Gateway machines
33 Reducing False Negatives
- Suspect is using an authorized SSID / BSSID
- If the real AP is still active
  - Packet sequence numbers are not monotonic (two transmitters are sharing one BSSID, each with its own counter)
- If the real AP is not active
  - Determine the location of the suspect
  - If different from the expected location, raise an alarm
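Worked example of the sequence-number check above, added here and not DAIR's code: an AirMonitor logs the 12-bit sequence number of every frame whose transmitter address is an authorized BSSID, and the inference engine tries to explain that stream as one monotonic counter. Retransmissions repeat a number, missed frames leave small gaps and 4095 wraps to 0, all of which a single AP produces; an AP reboot resets the counter once. Only a stream that keeps alternating between two counters indicates a second transmitter using the BSSID. The log records and full MAC addresses are constructed (the slides show only 0008AC and 00093B); the gap and alternation thresholds are assumptions for the example.

```python
SEQ_MOD = 4096   # 12-bit 802.11 sequence number, wraps from 4095 to 0

# Constructed AirMonitor records: time, transmitter (Addr2) and sequence
# number of frames overheard with an authorized BSSID. 00:08:ac:... (MSFT) is
# being impersonated while the real AP is still up; 00:09:3b:... (MSRLAB) is a
# genuine single transmitter crossing the 4095 -> 0 wraparound.
SAMPLE_LOG = """\
# time  transmitter         seq
0.000   00:08:ac:00:00:01   1000
0.102   00:08:ac:00:00:01   1001
0.150   00:08:ac:00:00:01   200
0.204   00:08:ac:00:00:01   1002
0.251   00:08:ac:00:00:01   201
0.306   00:08:ac:00:00:01   1003
0.309   00:08:ac:00:00:01   1003
0.352   00:08:ac:00:00:01   202
0.408   00:08:ac:00:00:01   1004
0.453   00:08:ac:00:00:01   203
0.000   00:09:3b:00:00:01   4094
0.102   00:09:3b:00:00:01   4095
0.204   00:09:3b:00:00:01   0
0.306   00:09:3b:00:00:01   3
"""


def seqs_by_transmitter(log_text):
    """Group the logged sequence numbers per transmitter, in capture order."""
    out = {}
    for line in log_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _ts, mac, seq = line.split()
        out.setdefault(mac, []).append(int(seq))
    return out


def assign_tracks(seqs, max_gap=64):
    """Explain a stream of sequence numbers as one or more monotonic counters.
    A frame joins the first track it advances by 0 (a retransmission repeats
    the number) up to max_gap (frames the monitor missed); otherwise it opens
    a new track. The modular gap makes 4095 -> 0 an ordinary step. A reboot
    opens a second track but never alternates back, so only interleaving
    counts as evidence of a second transmitter."""
    tracks = []        # each: {"last": seq, "frames": n}
    alternations = 0
    prev = None
    for seq in seqs:
        chosen = None
        for i, track in enumerate(tracks):
            if (seq - track["last"]) % SEQ_MOD <= max_gap:
                chosen = i
                break
        if chosen is None:
            tracks.append({"last": seq, "frames": 0})
            chosen = len(tracks) - 1
        tracks[chosen]["last"] = seq
        tracks[chosen]["frames"] += 1
        if prev is not None and chosen != prev:
            alternations += 1
        prev = chosen
    return tracks, alternations


def bssid_is_spoofed(seqs, min_alternations=3):
    """True when frames keep switching between two or more counters."""
    _tracks, alternations = assign_tracks(seqs)
    return alternations >= min_alternations


def analyze_log(log_text):
    """Per transmitter: (spoofed?, number of counters seen, alternations)."""
    result = {}
    for mac, seqs in seqs_by_transmitter(log_text).items():
        tracks, alternations = assign_tracks(seqs)
        result[mac] = (bssid_is_spoofed(seqs), len(tracks), alternations)
    return result
```

The check has an obvious evasion: an attacker who overhears the real AP can mirror its counter, which is one reason the slide falls back on the suspect's location when sequence numbers give no answer.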
34 Example: Indoor WLAN Monitoring
[Figure: floor plan with a reception-rate pair at each position; red = beacon reception rate, blue = data packet reception rate; most positions show 0 / 0, one shows 26 / 0 and one 97 / 1.7]
- Rapid loss of signal strength in indoor environments
- Complex, time-varying signal propagation
36 Taxonomy of Attacks on Wi-Fi Networks
- Eavesdropping
  - Passive snooping (perhaps with high-gain antennas)
  - Nearly impossible to detect
  - Cryptographic techniques generally considered sufficient
- Intrusion
  - Rogue AP / rogue ad-hoc network
  - Cryptographic techniques are not enough; need continuous monitoring
- Denial of service
  - Fake deauthentication/disassociation, NAV attacks
  - Need a monitoring system
- Phishing
37 Enterprise-scale WLAN Monitoring System: Challenges and Design Requirements
- Rapid fading in indoor environments
- Complex, time-varying signal propagation
- Many orthogonal channels
- Need information from many monitors
  - Dense deployment of monitors
- Monitors must be self-configuring
- Scalable data gathering and processing
- Must cope with incomplete data
38 Replay Test
- AirMonitors replay packets with the suspect BSSID
  - If the suspect is an AP, only replay packets with the ToDS bit set
- No need to decrypt packets
- Each packet is replayed multiple times (say 5)
- LandMonitors detect whether duplicate packets are seen on the wired network
- Works for rogue ad-hoc networks
- Fails if the suspect is using WPA2 or other crypto schemes that are robust against replay attacks
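Worked example of the wired side of the replay test (slides 23-24 and 38), added here and not DAIR's code: the wireless side is assumed done (an AirMonitor has picked frames carrying the suspect BSSID with the ToDS bit set and re-sent each one five times), and the block shows what a LandMonitor does with the wire: it fingerprints every Ethernet frame and raises an alert when the same fingerprint recurs several times inside a short window. The alert threshold is deliberately below the replay count, since some replays are lost on the air or dropped by the AP. All frames, addresses and timings are constructed; the window and threshold values are assumptions for the example.

```python
import hashlib
from collections import defaultdict, deque

REPLAY_COUNT = 5   # the AirMonitor re-sends each captured packet this many times ("say 5")
WINDOW_S = 2.0     # all copies of one replayed packet reach the wire within this interval
ALERT_COPIES = 3   # identical copies inside the window that raise an alert; below
                   # REPLAY_COUNT because some replays never make it onto the wire


def eth_frame(dst, src, ethertype, payload):
    """Constructed Ethernet frame, as the LandMonitor's wired NIC delivers it."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def fingerprint(frame):
    """Duplicate-detection identity: the whole wired frame (dst, src, type and
    payload). A bridging AP forwards the decrypted 802.11 payload unchanged, so
    every replayed copy hashes identically; nothing has to be decrypted here."""
    return hashlib.sha256(frame).hexdigest()[:16]


class LandMonitor:
    """Sliding-window duplicate counter for the wired side of the replay test."""

    def __init__(self, window=WINDOW_S, alert_copies=ALERT_COPIES):
        self.window = window
        self.alert_copies = alert_copies
        self.recent = defaultdict(deque)   # fingerprint -> timestamps inside the window
        self.alerts = []                   # (timestamp, fingerprint, wired source MAC)

    def observe(self, ts, frame):
        fp = fingerprint(frame)
        stamps = self.recent[fp]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) == self.alert_copies:   # fires once per burst of copies
            self.alerts.append((ts, fp, frame[6:12]))
            return True
        return False


def simulate_wire(bridging, background, replayed, lost=0, t0=100.0):
    """Constructed wire trace: background LAN traffic plus, if the suspect AP
    really bridges onto the corporate LAN, the forwarded copies of each replay
    (REPLAY_COUNT minus `lost` copies survive the air and the AP)."""
    trace = list(background)
    if bridging:
        for i, pkt in enumerate(replayed):
            for k in range(REPLAY_COUNT - lost):
                trace.append((t0 + i + 0.1 * k, pkt))
    trace.sort(key=lambda entry: entry[0])
    return trace


def run_replay_test(trace):
    """Feed a (timestamp, frame) trace to a LandMonitor and return its alerts."""
    monitor = LandMonitor()
    for ts, frame in trace:
        monitor.observe(ts, frame)
    return monitor.alerts


# Constructed sample data
ROUTER = bytes.fromhex("085b3f000001")        # subnet router (slides show only 085B3F)
ROGUE_CLIENT = bytes.fromhex("001122334455")  # client behind the suspect AP
DESKTOP = bytes.fromhex("00aabbccdd01")       # an ordinary wired host

# The rogue client's replayed frames as they look once decrypted and bridged
REPLAYED = [eth_frame(ROUTER, ROGUE_CLIENT, 0x0800, bytes(range(40))),
            eth_frame(ROUTER, ROGUE_CLIENT, 0x0800, bytes(range(40, 90)))]

# Legitimate traffic that must not trigger: a TCP retransmission pair (two
# identical frames 0.5 s apart) and a keepalive repeated every 30 s
BACKGROUND = [(10.0, eth_frame(ROUTER, DESKTOP, 0x0800, b"GET / HTTP/1.1\r\n" * 3)),
              (10.5, eth_frame(ROUTER, DESKTOP, 0x0800, b"GET / HTTP/1.1\r\n" * 3)),
              (50.0, eth_frame(ROUTER, DESKTOP, 0x0800, b"keepalive")),
              (80.0, eth_frame(ROUTER, DESKTOP, 0x0800, b"keepalive")),
              (110.0, eth_frame(ROUTER, DESKTOP, 0x0800, b"keepalive"))]


def verdicts():
    """Alert counts for: a real bridge, a bridge that loses two of five replays,
    a bridge that loses three (below the threshold), and no bridge at all."""
    return {
        "bridged": len(run_replay_test(simulate_wire(True, BACKGROUND, REPLAYED))),
        "bridged_lossy": len(run_replay_test(simulate_wire(True, BACKGROUND, REPLAYED, lost=2))),
        "bridged_too_lossy": len(run_replay_test(simulate_wire(True, BACKGROUND, REPLAYED, lost=3))),
        "not_bridged": len(run_replay_test(simulate_wire(False, BACKGROUND, REPLAYED))),
    }
```

The wired source MAC recorded in each alert is what makes the result actionable: for a bridging AP it is the rogue client's address, for a NAT/router it is the AP's own, and either can be traced to a switch port. Under WPA2 (and WPA/TKIP) the AP discards the replayed frames before they reach the wire, so no duplicates appear and the test is silent, not negative.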
39 Monitor Architecture