07-06-2010, 07:48 PM
[attachment=3721]
WIRELESS INTRUSION DETECTION SYSTEMS (IDS) SOLUTION TO
WLAN THREATS
Presented By:
K R Patil 1 A A Sawant 2 P.D. Sheba Kezia Malarchelvi 3
1 Lecturer, BVCOEW, Pune, India, 2 Pune Institute of Engineering and Technolog, Pune, India, 3 Professor, J.J. College of Engg. & Tech., Tamilnadu,
ABSTRACT
Wireless technology is advancing and changing every day and its popularity is increasing. The biggest concern with wireless, however, has been security. Threats to wireless local area networks (WLANs) are numerous. Wireless LANs face all of the security challenges of any wired networks in addition to the new threats introduced by the wireless medium that connects stations and access points. To provide the defense and detection of these potential threats, WLANs should employ a security solution that includes a wireless intrusion detection system (IDS). Even organizations without a WLAN are at risk of wireless threats and should consider a wireless IDS solution. This paper will describe the need for wireless intrusion detection, provide an explanation of wireless intrusion detection systems, and identify the benefits and drawbacks of a wireless intrusion detection solution
Keywords: Wireless security, intrusion detection, intrusion detection systems (IDS).
1. THREATS TO WIRELESS LOCAL AREA NETWORKS (WLAN)
Because of the flexibility, affordability, and ease of installation, the use of wireless local area networks WLANs, and Wi-Fi) are increasing at a tremendous rate. There are currently more than 75million wireless LANs in use worldwide.
As wireless LAN deployments increase, so does the challenge to provide these networks with security. Wireless LANs face the same security challenges as their wired counterparts, and more. Because the medium for wireless is air, wireless LANs has the added issue of securing data that travels the airwaves. Wireless LAN signals can travel through the walls, ceilings, and windows of buildings up to thousands of feet outside of the building walls. That's why wireless local area networks are subject to a variety of threats. The standard 802.11 encryption method, Wired Equivalent Privacy (WEP) is observed to be weak. The WEP key of a wireless transmission can be acquired via brute force attack [1]. So even if WEP encryption is utilized on a WLAN, an attacker can potentially intercept and decrypt sensitive data from wireless communications. Hackers use tools such as WEPwedgie, WEPCrack, WEPAttack, BSD-Airtools, and AirSnort to break the Wired Equivalent Privacy (WEP) encryption standard.These tools exploit vulnerabilities in the WEP encryption algorithm by passively observing wireless LAN traffic until they collect enough data to recognize the pattern. They then use this information to break the encryption key.
Hackers can also attack a WLAN and gather sensitive data by introducing a rogue WAP into the WLAN coverage area [2]. The rogue WAP can be configured to look like a legitimate WAP and, since many wireless clients simply connect to the WAP with the best signal strength, users can be associating with the rogue WAP. Once a user is associated, the hacker through the rogue WAP can monitor all communications. In addition to hackers, users can also introduce rogue WAPs. Low cost and easy implementation coupled with the flexibility of wireless network communications makes WLANs highly desirable to users. By installing a WAP on an established LAN, a user can create a backdoor into the network, bypassing all the hard-wired security solutions and leaving the network open to hackers. That's why even organizations without a WLAN implementation must strongly consider deploying a wireless IDS solution. It is possible that users can and will install a rogue WAP, exposing even an exclusively hardwired organization to the risks of WLANs.
Wireless networks are also subject to a number of denial of service (DoS) attacks that can render a WLAN inoperable. Wireless communications are inherently vulnerable to signal degradation when encountering physical objects. Trees, buildings, rain, and hills are all variables, which can affect wireless communications. In addition tophysicalobstacles, many common devices such as microwave ovens, and cordless phones can also interfere with 802.11 networks. Hackers can also cause malicious DoS attacks by flooding WAPs with association requests and forcing them to reboot. In addition, they can use the rogue WAP to send repeated disassociate/deauthenticate requests to deny service to a wireless client.
Hackers can determine where WLANs are physically located and how they are configured via a technique known as "wardriving." Wardriving onsists of driving around in an automobile while using a laptop equipped with a wireless card to detect any wireless access points in the surrounding area. This information is then posted on websites such as wigle.net (which lists more than 7,00,000 access points and 11,00,000 wireless networks) and wifinder.com. If your location is in the list then chances of attacks on your network get increased. Hackers use these listings to look for access points with the same SSID (service set identifiers), access point MAC addresses, or the physical number of access points in a given address or location.
A variety of other WLAN threats exist. The threats are real, they can cause extensive damage, and they are becoming more prevalent as the wireless technology grows in popularity. Without some sort of detection mechanism, it can be difficult to identify the threats to a WLAN. To provide a wireless security, developing and implementing WIDS systems is definitely a step in the right direction.
A lack of threat awareness can lead to a network not adequately secured against the threats facing it.Only when the threats to the network are realized can the WLAN be properly equipped with the necessary security measures.
2. INTRUSION DETECTION
The idea behind an ID is simple: an agent monitors file activity on a host or traffic on a network, and reports strange behavior to an administrator. An Intrusion Detection System (abbreviated as IDS) is a defense system, which detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress.
A wireless IDS systems monitor traffic on your network looking for and logging threats and alerting personnel to respond. An IDS usually performs this task in one of two ways, with either signature-based or anomaly-based detection. The anomaly detection, explores issues in intrusion detection associated with deviations from normal system or user behavior. The second employs signature detection to discriminate between anomaly or attack patterns (signatures) and knownintrusion detection signatures.
An Intrusion Detection System (IDS) is a software or hardware tool used to detect unauthorized access of a computer system or network[12]. Intrusion detection systems (IDSs) tries to identify computer system and network intrusions and misuse by gathering and analyzing data. A wireless IDS performs this task exclusively for the wireless network. These wireless IDSs can monitor and analyze user and system activities, recognize patterns of known attacks, identify abnormal network activity, and detect policy violations for WLANs. Wireless IDSs gather all local wireless transmissions and generate alerts based either on predefined signatures [3] or on anomalies in the traffic [4].
A Wireless IDS is similar to a standard, wired IDS, but has additional deployment requirements as well as some unique features specific to WLAN intrusion and misuse detection
3. MARKETPLACE OF WIRELESS INTRUSION DETECTION SYSTEMS
The traditional wired IDS is a great system, but unfortunately it does little for the wireless world. The problem with wireless is that in addition to attacks that may be performed on a wired network, the medium itself has to be protected. To do this there are many measures, which can be taken, however there are even more tools designed to break them. Due to the nature of wireless LANs (WLAN), it can be difficult to control the areas of access. Often the range of a wireless network reaches outside the physical boundaries of an organization. This creates limited control because it means an attacker can now sit in a car a mile away while he attempts to penetrate your network. With such a problem with wireless security, developing and implementing WIDS systems is definitely a step in the right direction. If you have wireless and are concerned about attacks and intruders, a WIDS may be a great idea.
Popular wireless IDS solutions include Airdefense RogueWatch and Airdefense Guard [5], and Internet Security Systems Realsecure Server sensor and wireless scanner products [6], and Aruba Wireless Networks. A homegrown wireless IDS [7] can be developed with the use of the Linux operating system, for example, and some freely available software. Open source solutions include Snort-Wireless [8] and WIDZ [9], among others.
4. ARCHITECTURE OF WIRELESS IDS
The current approach to IDS in wireless LANs is two tiered - looking for wireless attacks and looking for IP based attacks. The wireless IDS focuses primarily on wireless attacks and does not perform IP-based intrusion detection. If we want to watch for IP-based attacks, then we simply put a NIDS at the wireless AP choke point. That will take care of most attacks, the ones your IDS has signatures for, but does not protect against wireless attacks. The NIDS cannot detect wireless attacks, so a wireless NIDS implementation is therefore needed.
A wireless network will require both IDS technologies to provide proper visibility and coverage. The wired NIDS cannot detect any wireless based attacks or wireless threats including: rogue access points, soft access points, ad-hoc networks,sniffers, netstumbler probes or kismet users to name a few. Basically, a wired NIDS is useless against wireless attacks, but can detect wireless born IP based attacks once it hits the wire.The wireless IDS can detect the above-mentioned attacks.
Figure 1: Secure Wireless Network
An intrusion detection system always has its core element - a sensor. Sensor is an analysis engine that is responsible for detecting intrusions. This sensor contains decision-making mechanisms regarding intrusions. Sensors receive raw data from three major information sources (Figure 2): own IDS knowledge base, syslog and audit trails (or event log). The syslog may includes configurationof file system, user authorizations etc. Thisinformation creates the basis for a further decisionmaking process.
A wireless IDS can be centralized or decentralized. In a decentralized environment each WIDS operates independently, logging, and alerting on its own. That means each WIDS has to be administered independently.
In a large network this can quickly become overwhelming and inefficient, and therefore is not recommend for networks with more than one or two access points. The idea behind a centralized WIDS is that sensors are deployed that collect and forward all 802.11 data to a central management system, where the wireless IDS data is stored and processed. This one point would send alerts and log events as well as serve as a single point of administration for all sensors. Another advantage to a centralized approach is that sensors can collaborate with one another in order to detect a wider range of events with more accuracy.
The decentralized method is best suited for smaller (1 -2 WAP) WLANs due to cost and management issues. The cost of sensors with data processing capability can become prohibitive when many sensors are required. Also, management of multiple processing/reporting sensors can be more time intensive than in a centralized model.
WLANs typically encompass a relatively large physical coverage area. In this situation, many WAPs can be deployed in order to provide adequate signal strength to the given area. An essential aspect of implementing a wireless IDS solution is to deploy sensors wherever a WAP islocated. By providing comprehensive coverage of the physical infrastructure with sensors at all WAP locations, the majority of attacks and misuse can be detected. Another benefit of positioning the sensors in close proximity to the WAPs is the enhanced ability to physically pinpoint the geographical location of an attacker.
Some access points on the market are able to simultaneously function as an AP and WIDS sensor. This
option has the potential to be less expensive than the others however there is a downside. Using the AP for both functions will reduce the performance, potentially creating a "bottle neck" on the network. The second option is to deploy "dumb" sensors. These devices simply relay all information to the central server and rely on the server to detect all events.
5. INCIDENT RESPONSE
When your wireless network is under attack. That would be considered an "Incident". An incident can be defined as an assessed event of attempted entry, unauthorized entry, or an information attack. There are various steps to follow when your wireless network is under attack such as, preparation, identification of an incident, initial response, formulate response strategy, investigation, reporting and documentation, and resolution.
Preparation means setting up systems to detect threats, creating policies, and organizing a response team that can respond when needed. Setting up your WIDS would be part of this first step. Identification of an incident can also be provided in part by a WIDS that logs and alerts to potential threats. Initial Response consist of recording what is taking place along with bringing in necessary staff or teams to start investigating and responding to the alert, as well as informing any higher authorities necessary. Formulating the response strategy consists of determining the best plan of action, get approval and proceed with plan. Investigation includes collecting a complete record of what happened including any data involved, what was done and by whom, along with when it happened and how to prevent it. This may include gathering logs stored from the WIDS system, as well as determining any settings that may be modified to help prevent the threat in the future. Reporting and documenting every step and action taken, down to any command entered and by whom, is perhaps one of the most important steps involved in an incident response. Resolution means trying to prevent this from happening again.
Physical location detection is a pivotal aspect of a wireless IDS. Wireless attacks are often carried out in close proximity to the WAP and can be performed in an extremely short timeframe. Therefore, the response to attacks needs to not only is logical, like standard IDSs (i.e. Block the offending IP address), the response also needs to incorporate the physical deployment of individuals to identify the attacker - and the response must be timely. Unlike wired attacks where the hacker is usually great physical distances from the victim network, wireless attackers are often physically located on the local premises.A wireless IDS can aid in detecting the attacker's location by providing at least a general estimate of their physical location. The physical location of the attacker can be easily found by correlating the captured wireless data with the sensor location as well as the location of the victim WAP. An even more ambitious approach to physical location identification would be to also use directional antennae in an effort to triangulate the wireless attacker signal source [10].Once the physical location has been narrowed, a response team equipped with good wireless security tools can scan the general area identified by the IDS to further narrow the search for theattackers.
6. POLICY ENFORCEMENT
A wireless IDS can also help to enforce policy. WLANs have a number of security-related issues, but many of the security weaknesses are fixable. With a strong wireless policy [13] and proper enforcement, a wireless network can be as secure as the wired equivalent - and a wireless IDS can help with the enforcement of such a policy. Suppose policy states that all wireless communications must be encrypted. A wireless IDS can continually monitor the wireless communications and if a WAP or other wireless devices is detected communicating without encryption, the IDS will detect and notify on the activity. If the wireless IDS is pre-configured with all the authorized WAPs and an unknown (rogue) WAP is introduced to the area, the IDS will promptly identify it. Features such as rogue WAP detection, and policy enforcement in general, go a long way to increase the security of the WLAN. The additional assistance a wireless IDS provides with respect to policy enforcement can also maximize human resource allocation. This is because the IDS can automate some of the functions that humans would ordinarily be required to manually accomplish, such as monitoring for rogue WAPs.
7. THREAT DETECTION
A wireless IDS can also aid in the detection of a number of attacks. Not only can a wireless IDS detect rogue WAPS, identify non-encrypted 802.11 traffic, and help isolate an attacker's physical location, as mentioned earlier - a wireless IDS can detect many of the standard (and not-so standard) wireless attacks and probes as well [14].
In an effort to identify potential WAP targets, hackers commonly use scanning software. Hackers or curious individuals will use tools such as Nets tumbler or Kismet[11] to map out a given area's WAPs. Used in conjunction with a Global Positioning System (GPS) these scans not only locate WAPs, but also log their geographical coordinates. These tools have become so popular that there are web sites dedicated to mapping the world's WAP geography. A wireless IDS can detect these and other scans, helping to improve awareness of the threats to the WLAN. More critical than probe detection, a wireless IDS can also detect some DoS attacks. DoS attacks are relatively common with wireless networks, as many DoSs occur from signal loss due to a frequency conflict or a building that just went up across the street. Sometimes though, as mentioned earlier, hackers can attack the WLAN with the intent of denying it service. A wireless IDS candetect many of the attacks used to DoS WLANs, such as flooding authentication requests or disassociation/deauthentication frames.
In addition to the aforementioned attacks and probes, a wireless IDS can spot many of the other 802.11 threats as well. MAC address spoofing, one of the more common attacks, can be used by an attacker to masquerade as a WAP or wireles s client. MAC address spoofing is also used in several tools including HostAP and WLAN-jack. A wireless IDS can detect the presence of MAC address spoofing in a number of ways, including sequence number analysis [15]. A wireless IDS also has the ability to recognize ad-hoc networks, a common configuration which potentially allows hackers to exploit a wireless device. In contrast, a wireless IDS can detect unique and non-standard threats through the utilization of user developed rules. This flexibility, common with standard IDSs, allows a wireless IDS to be scaleable and to address many distinctive detection requirements.
These features can add a strong layer of security to a WLAN. In addition to threat detection, merely letting people know that an IDS is in operation can add an element of deterrence and therefore, enhance security.
8. WIRELESS IDS DRAWBACKS
The benefits to a wireless IDS are numerous, but there are several drawbacks to consider before deploying such a system. Wireless intrusion detection is a rather new technology. Caution should be taken before applying any new technology to an operational network. Because the technology is new, there may be bugs, or worse vulnerabilities, which could potentially weaken the WLAN security. Wireless IDS technology is developing at a rapid pace though, and this caveat may not be a deterrent in the future. A potential turn-off to a wireless IDS solution may be cost.
The expense of the vendor solutions may be prohibitive. In such a case, a homegrown solution can be developed, but this approach may prove costly as well due to the extensive human capital that may be required to develop such a solution. Also, the cost of the wireless IDS solution (vendorbased or homegrown) will grow in conjunction with the size of the WLAN to be monitored, due to the requirement for a greater number of sensors.Therefore, the larger the WLAN, the more expensive the wirless IDS deployment will be.
A wireless IDS is only as effective as the individuals who analyze and respond to the data gathered by the system. A wireless IDS, like a standard IDS, can require vast human resources to analyze and respond to threat detection. In fact, it can be argued that a wireless IDS will require more human resources than a standard IDS because with a wireless IDS, individuals will be required to both attend to the logical (alert data) and physical aspects (finding and catching the hackers) of an attack. While the technology is still relatively new, the costs may be prohibitive, and the human capital outlay may be higher than that of standard IDS, a wireless IDS can still prove to be a beneficial component of a security solution.
9. IMPLEMENTATION
As a M.E dissertation, WIDS is developed. It helps to detect and prevent security risks. It takes care of the job by performing comprehensive monitoring for rogues, and intrusions.
The main goal of WIDS is intrusion detection. In previous sections we discuss lot of threats to wireless networks. By considering those threats WIDS is developed to identify intrusion. It tries to track the Media Access Control (MAC) ddress of network adapters attempting to associate with the network. If the MAC address does not occur in the whitelist or is blacklisted, it is flagged as a possible intruder. This procedure is commonly known as MAC filtering.
As nearly all wireless NICs permit changing their MAC address to an arbitrary value through vendor supplied drivers, open-source drivers or various application programming frameworks - it is trivial for an at6tacker to wreak havoc on a target wireless LAN. MAC addresses are not totally random. The first three bytes are specific to each manufacturer and manufacturers usually utilize only a small range of the available addresses. By checking each MAC address against such patterns, it would be possible to determine forged addresses randomly generated by intruders. It is possible for users or attackers to change MAC addresses reducing the effectiveness of using patterns.
10. CONCLUSION
Wireless intrusion detection systems are an important addition to the security of wireless local area networks. While there are drawbacks to implementing a wireless IDS, the benefits will most likely prove to outweigh the downsides. With the capability to detect probes, DoSs,
and variety of 802.11 attacks, in addition to assistance with policy enforcement, the benefits of a wireless IDS can be substantial. A large number of possible attacks can be detected by a WIDS. The following will list major attacks and events that can be detected with the help of a WIDS. Rogue devices, such as an employee plugging in an unauthorized wireless router, incorrect configurations, connectivity problems, jamming, man-in-themiddle attacks, wardrivers, scanning with programs like Netstumbler or Kismet, RF interference, MAC spoofing, DoS attacks, attempts of brute force to get pass 802.1x, strong RFI, or use of traffic injection tools.
Of course, just as with a wired network, an IDS is only one part of a greater security solution. WLANs require a number of other security measures to be employed before an adequate level of security can be reached, but the addition of a wireless IDS can greatly improve the security posture of the entire network. With the immense rate of wireless adoption, the ever-increasing number of threats to WLANs, and the growing complexity of attacks, a system to identify and report on threat information can greatly enhance the security of a wireless network.
REFERENCES
[1] Fluhrer, Mantin and Shamir. "Weaknesses in the Key Scheduling Algorithm of RC-4" [postscript] (2001) Website:http://cs.umd.edu/~waa/classpubs/ rc4_ksaproc.ps]
[2] Airdefense Inc. Wireless LAN Security: Enterprise Rouge Detection[Website:http://airdefense whitepapers /roguewatch_requ est2.php4]
[3] Mark Gerken. "Rule-Based Intrusion Detection" [Online]
(1997) [Website:
http://sei.cmu.edu/str/descriptions/rbid.html] [4] Jamil Farshchi. "Statistical-Based Intrusion Detection"
[Online] (2003) [Website:
http://securityfocusinfocus/1686]
[5] Airdefense [Website:
http://airdefenseproducts/index.html]
[6] Internet Security Systems Wireless Products [Website: http://documents.isswhitepapers/ActiveWirelessProt ection.pdf]
[7] Yu-Xi Lim, Tim Schmoyer, John Levine, Henry L. Owen."Wireless Intrusion Detection and Response". Proceedings of the 2003 IEEE Workshop on Information Assurance [Website:
http://users.ece.gatech.edu/~owen/Research/Conference
Publications/wireless_IAW2003.pdf]
[8] Snort-Wireless [Website: http://snort-wireless]
[9] WIDZ Wireless Intrusion Detection System [Website: http://loud-fatbloke. co.uk/articles/widz_design.pdf]
[10] Lackey, Roths, Goddard. "Wireless Intrusion Detection" (2003) [Website: http://www- 1.ibmservices/strategy /files2/wireless_intrusion_de tection.pdf]
[11] Kismet 802.11 Wireless Sniffer [Website: http://kismetwireless]
[12] Jeff Dixon. "Wireless Intrusion Detection Systems Including Incident Response & Wireless Policy" [Website: http://infosecwriters.com]
[13] Jamil Farshchi. "Wireless Network Policy Development" [Online](2003)[Website: http://securityfocus infocus/1732]
[14] LURHQ Threat Intelligence Group. "Intrusion Detection: In-Depth Analysis" [Online] [Website: http://lurhqidsindepth.html]
[15] Joshua Wright. "Detecting Wireless LAN MAC Address Spoofing"[Website:http://home.jwu.edu/jwright/papers/wla n-mac-spoof.pdff]
[16] Jeff Dixon. "Wireless Intrusion Detection Systems Including Incident Response & Wireless Policy"
AUTHOR PROFILE
Mr K R Patil,Designation:
Sr Lecturer,Vishwakarma Institute of Information Technology, Kondhwa, Pune,Qualification: M. E Computer,Research Interest: Network Security, wireless networking,Experince: 5+ years of Teaching experience.
Mr A V Dhaygude,Designation:
Lecturer,Bharati Vidyapeeths College of Engg, Pune,Qualification: M. E Computer,Research Interest: Network Security, computer networks,Experince: 4+ years of Teaching experience.
Prof. A A Sawant
Designation: Professor,Govt College of Engg, Pune,Qualification: M. E Computer,Research Interest: Wireless Security,Experince: 19+ years of Teaching experience.
