(WIRELESS TECHNOLOGY)

CONTENTS
1. INTRODUCTION
2. BACKGROUND: Problem with wireless networks
3. SOLUTION: Whiff wireless intrusion detection system
4. WHIFF IN DETAIL
5. CONCLUSION
Whiff monitors wireless networks and devices, alerting administrators to exposures in real time. Whiff is comprised of multiple listeners, which monitor all wireless activity and report to a central correlation engine. The correlation engine delivers to multiple users a complete asset inventory of wireless devices and access points as well as a GPS map of signal propagation. The system integrates intrusion detection capabilities, alerting administrators to wireless and traditional intrusion attempts, rogue access points, and rogue clients.

1. INTRODUCTION:

There is a need for a wireless intrusion detection system that could keep administrators informed about what was happening on their network. At about the same time, studies conducted on wireless networks found that many lacked the basic configurations necessary to provide even minimal levels of security. Hence Whiff has been developed: a wireless intrusion detection system that provides network administrators with constant security reports, allowing them to make informed security decisions.

This paper focuses on the security features of Whiff. It describes the system's purpose, how it works (including collection methodologies, reporting mechanisms, and underlying security architecture), and how it can be used to improve wireless network security. Our goal is to provide administrators with an image of what is happening on their network. Armed with this information, they will be able to make better decisions and take actions to improve network security.

Wireless communication is the transfer of information over a distance without the use of electrical conductors or "wires". The distances involved may be short (a few meters, as in television remote control) or very long (thousands or even millions of kilometers for radio communications). Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs.

However, risks are inherent in any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; some are new. Perhaps the most significant source of risks in wireless networks is that the technology's underlying [...] which [...]. Confidentiality and integrity and the threat of denial of service (DoS) attacks are risks typically associated with wireless communications. Unauthorized users may gain access to agency systems and information, corrupt the agency's data, consume network bandwidth, degrade network performance, launch attacks that prevent authorized users from accessing the network, or use agency resources to launch attacks on other networks. Hence the concept of Whiff.

2. BACKGROUND: Problem with wireless networks

In the early days of local area networks, security was addressed by controlling physical access to facilities, and insiders were the primary threat. With the advent of the Internet and the adoption of wide area networks, administrators were forced to defend their network not only against those with physical access, but against the larger community of people with Internet access or even just modems. Hackers began using automated scripts to call phone numbers at random, searching for modems through which they could access networks. This became known as war dialing. Still, attackers had to enter the network from a known point, such as a telephone number or IP address, making them at least somewhat traceable.

In recent years an entirely new class of attacks has emerged. Proliferation of wireless technologies has enabled attackers to enter networks, quite literally, out of thin air. Using simple, free software, a new generation of [...] commandeer [...] resources. The practice of wandering around in search of wireless networks is referred to as war driving, which is a play on the earlier modem discovery technique. With the proper antenna, the attack can come from as far as several miles away. Thus detection and identification of the intruder present unique challenges, which render many traditional intrusion detection techniques ineffective.

Compounding the problem is the fact that the 802.11b wireless Ethernet standard contains fundamental security vulnerabilities. Recognizing that eavesdropping is an inherent problem in any wireless system because of the inability to control the propagation of radio waves, the designers of the standard included WEP, the Wired Equivalent Privacy protocol, in 802.11b. WEP is a layer-two security protocol that employs the RC4 encryption algorithm. While the algorithm itself is sound, the implementation is flawed, allowing WEP to be broken in a matter of minutes. To a determined attacker, it is a mere inconvenience.

Administrators of wireless networks must recognize, however, that many attacks originate behind these outer defenses. Much of the security must therefore be handled at the host and application levels. Solid host security and higher-level encryption protocols such as IPSec address many of the vulnerabilities introduced through the use of wireless networks. Still, if network administrators are to make informed security decisions, implement sound policies, and deploy available security technology effectively, they must be able to identify wireless assets, monitor network activity, and detect intruders.

3. SOLUTION: WHIFF Wireless Intrusion Detection System

Whiff dynamically creates and reports a complete asset inventory of wireless devices, detects the presence of rogue wireless clients or access points, and detects wireless and traditional intrusion [...]

Alerts

Whiff includes one or more listeners, which continuously monitor all wireless activity in their vicinity and report back to a central correlation engine. The listeners generate four classes of alerts: rogue access points, rogue clients, traditional IDS alerts, and wireless-specific alerts.
Rogue Clients and Access Points

Detecting the presence of MAC addresses not included in a known good list identifies rogue clients and access points. The correlation engine updates the list of known access points periodically. Upon detection of a rogue MAC address, the listener generates an alert, which it transmits to the correlation engine. The engine filters all incoming alerts (removing duplicates), loads a record of the alerts into a database, and notifies administrators via e-mail.

Traditional IDS Alerts

Traditional IDS alerting is facilitated through the use of Snort, an open source intrusion detection system. Snort definitions may be customized and prioritized based on the needs of a specific environment. Traditional IDS alerts are collected by each listener and periodically transmitted back to the correlation engine, where they are sorted in a manner similar to that of the rogue MAC alerts and added to the database.

Wireless-specific Alerts

[...] the Kismet wireless sniffer, an open source program upon which much of this project is based. Wireless-specific alerts are generated by conditions matching special signatures that would arise only in a wireless network, such as the presence of a NetStumbler probe. Wireless-specific alerts are handled in a batch fashion, just like traditional IDS alerts.

The web interface may also be used to update configuration files automatically distributed to the listeners, view various statistics regarding the status of the network, configure administrator accounts, add MAC addresses to the known good list, and view a propagation map displaying the wireless network footprint. Communication with the web interface is secured through certificate-based authentication and SSL encryption.

4. WHIFF in Detail

Architecture

The components of the Whiff system architecture were selected to provide the best possible functionality, given a number of technical and financial constraints. These constraints included the need to limit the amount of additional strain on the network and to make any machines and traffic added to the network as secure as possible. The Whiff architecture comprises the following four modules, diagrammed in Figure 1: Listener, Correlation, Notification, and Interface.

Listener

The listeners act as continuous collection points for wireless data. These machines passively monitor 802.11b traffic within antenna range and report a variety of anomalies back to the correlation server. To limit bandwidth usage, much of the initial processing is performed on the listeners, with only anomalies and summary data reported to the next [...]

Correlation

The correlation module receives data from the listener and processes it into a series of MySQL tables for use by the interface module. If there are multiple listeners, the Perl scripts first compare all of the alerts and eliminate duplicates. If a rogue client is detected, a correlation script determines if the client has associated itself with the network. If the client has been assigned an IP number, the script launches an Nmap port scan and attempts to determine the host operating system. This information, which may aid in tracking down the rogue host, is delivered to the administrator as part of the alert notification and is also entered into the database. A second benefit of the Nmap scan is that it serves as a shot across the bow, letting possible intruders know they are being tracked. If an intruder were running a personal firewall, they would probably be notified that they are being port-scanned, which might encourage them to look elsewhere. The correlation script then uses GPS Map to build a propagation map from the GPS and wireless network data. The display characteristics of this map are [...]

Notification

The notification and correlation modules are conceptually distinct but technically intertwined. The function of the notification script is to gather alert data from the correlation processes and deliver it to an administrator in real time. The notification module may be configured to enable or disable Nmap scans and can deliver messages to any e-mail address or administrator list. Alert messages are simple and text based, so they display correctly on a pager or wireless PDA.

Interface

The interface module provides a web-based console to view alerts, IDS incidents, and rogue clients and access points. It also provides a wide variety of detail views and allows administrators to tag or add comments to alerts following investigation. They can also add rogue devices to the known good list. Access to this system is secured by a certificate-based SSL connection, coupled with a username/password login. This module, which resides on the same correlation server, dynamically generates Whiff views from the MySQL database through a series of PHP scripts. These PHP scripts also make it easy to change data or remote listener configurations from the administrator console. Configuration changes are saved to files on the server, where they are read by the listeners during each reporting interval.

Features

In designing Whiff, our goal was a feature set that would not only enhance the overall security of networks, but would also make the network administrator's job a little easier. While this feature set is by no means complete, we feel it is an appropriate initial implementation of the functionality.

Centralized Administration

The majority of Whiff installations will be of a distributed nature, with multiple listeners reporting back to a single server. Manageability issues with this type of architecture make centralized administration a key system requirement. [...] configuration, data storage, and notifications require sensitive files to be transferred between listeners and the server. Client certificates are used to authenticate listeners when they attempt to connect to the server to pick up configuration updates or deliver network and alert data.

[...] features that enhance its own security.

Certificate-based User Authentication

The wealth of information Whiff provides about the wireless network should not be available to just anyone. The Whiff web server [...]

Whiff User Administration

Whiff user administration is performed through the web interface, with user data, including hashed passwords, stored in the user table of the database. As illustrated in Figure 3, administrators can add or remove users, or update user information, such as changing the associated group.

Role-based Security

Whiff offers role-based security to ensure that users with different functions have access to only those features they need to do their jobs.
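As an added illustration of the correlation step described under Rogue Clients and Access Points (known good list, duplicate removal) and again under the Correlation module (several listeners, Nmap follow-up only for a rogue client that has associated), here is a small Python model. It is not Whiff's own Perl code; the listener names, MAC addresses and IP addresses are constructed, and the Nmap scan is represented only by a flag on the alert.

```python
from dataclasses import dataclass
from typing import Optional

KNOWN_GOOD = {"00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:01"}  # constructed

@dataclass(frozen=True)
class Observation:
    listener: str             # listener that saw the device
    mac: str                  # MAC address as captured
    is_ap: bool               # True if seen acting as an access point
    ip: Optional[str] = None  # IP address if the device has associated
@dataclass(frozen=True)
class Alert:
    kind: str                 # "rogue_ap" or "rogue_client"
    mac: str
    listeners: tuple          # every listener that reported this device
    needs_scan: bool          # rogue client holding an IP: Nmap candidate

def correlate(observations, known_good=KNOWN_GOOD):
    """Drop known-good MACs, merge duplicate reports into one alert, classify."""
    by_mac = {}
    for obs in observations:
        mac = obs.mac.lower()                      # normalise case first
        if mac in known_good:
            continue                               # approved device: no alert
        e = by_mac.setdefault(mac, {"listeners": set(), "is_ap": False, "ip": None})
        e["listeners"].add(obs.listener)           # repeat sightings collapse
        e["is_ap"] = e["is_ap"] or obs.is_ap
        e["ip"] = e["ip"] or obs.ip
    alerts = []
    for mac, e in sorted(by_mac.items()):
        kind = "rogue_ap" if e["is_ap"] else "rogue_client"
        needs_scan = kind == "rogue_client" and e["ip"] is not None
        alerts.append(Alert(kind, mac, tuple(sorted(e["listeners"])), needs_scan))
    return alerts

def format_notification(alerts):
    """Plain-text lines of the kind a pager or wireless PDA can display."""
    return [f"{a.kind} {a.mac} seen by {','.join(a.listeners)}"
            + (" (associated, scan candidate)" if a.needs_scan else "")
            for a in alerts]

# Constructed reports from two listeners with overlapping coverage.
SAMPLE = [
    Observation("listener-1", "00:11:22:33:44:55", True),                # known AP
    Observation("listener-1", "de:ad:be:ef:00:01", True),                # rogue AP
    Observation("listener-2", "DE:AD:BE:EF:00:01", True),                # same AP again
    Observation("listener-2", "aa:bb:cc:dd:ee:01", False, "10.0.0.20"),  # known client
    Observation("listener-2", "aa:bb:cc:dd:ee:99", False, "10.0.0.77"),  # rogue, associated
    Observation("listener-1", "aa:bb:cc:dd:ee:98", False),               # rogue, no IP yet
]
```

Running `format_notification(correlate(SAMPLE))` yields three lines: the rogue access point reported once although two listeners saw it, and two rogue clients of which only the associated one is marked as a scan candidate.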
5. CONCLUSION:

Throughout the project, the extent of the problems with wireless network security became increasingly obvious. Clearly there is an urgent need to gather information about what is happening on wireless networks. Whiff provides a picture of the boundaries of a wireless network, the devices connected to it, and the traffic flowing over it. While identification of attacks and vulnerabilities is only one part of an overall security plan, it is a critical first step in the effort to improve wireless network security.

Many people pay great amounts of lip service to security, but do not want to be bothered with it when it gets in their way. It is important to build systems and networks in such a way that the user is not constantly reminded of the security system around him. Users who find security policies and systems too restrictive will find ways around them. It is important to get their feedback to understand what can be improved, and it is important to let them know why what has been done has been done, the sorts of risks that are deemed unacceptable, and what has been done to minimize the organization's exposure to them. Security is everybody's business, and [...]