
PAPER PRESENTATION ON INNOVATIVE TRENDS IN IT
(WIRELESS TECHNOLOGY)

BY N. Madhan Kumar, Final Year EIE

CONTENTS

1. INTRODUCTION
2. BACKGROUND: Problems with wireless network security
3. SOLUTION: Whiff wireless intrusion detection system
4. WHIFF IN DETAIL
5. CONCLUSION

ABSTRACT

Whiff is a system that solves several current, real-world wireless security problems. Whiff identifies and monitors wireless networks and devices, alerting administrators to exposures in real time. Whiff is comprised of multiple listeners, which monitor all wireless activity and report to a central correlation engine. The correlation engine delivers to multiple users a complete asset inventory of wireless devices and access points as well as a GPS map of signal propagation. The system integrates intrusion detection capabilities, alerting administrators to wireless and traditional intrusion attempts, rogue access points, and rogue clients.

This paper focuses on the security features of Whiff. It describes the system's purpose, how it works (including collection methodologies, reporting mechanisms, and underlying security architecture), and how it can be used to improve wireless network security. Our goal is to provide administrators with an image of what is happening on their network. Armed with this information, they will be able to make better decisions and take actions to improve network security.

1. INTRODUCTION:

There is a need for a wireless intrusion detection system that could keep administrators informed about what is happening on their network. At about the same time, studies of wireless networks found that many lacked the basic configurations necessary to provide even minimal levels of security. Hence Whiff has been developed: a wireless intrusion detection system that provides network administrators with constant security reports, allowing them to make informed security decisions.

Wireless communication is the transfer of information over a distance without the use of electrical conductors or "wires". The distances involved may be short (a few meters, as in a television remote control) or very long (thousands or even millions of kilometers for radio communications). Wireless communications offer organizations and users many benefits, such as portability and flexibility, increased productivity, and lower installation costs.

However, risks are inherent in any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; some are new. Perhaps the most significant source of risk in wireless networks is that the technology's underlying communications medium, the airwave, is open to intruders. The loss of confidentiality and integrity and the threat of denial of service (DoS) attacks are risks typically associated with wireless communications. Unauthorized users may gain access to agency systems and information, corrupt the agency's data, consume network bandwidth, degrade network performance, launch attacks that prevent authorized users from accessing the network, or use agency resources to launch attacks on other networks. Hence we turn to the concept of Whiff.

2. BACKGROUND: Problems with Wireless Network Security

In the early days of local area networks, security was addressed by controlling physical access to facilities, and insiders were the primary threat. With the advent of the Internet and the adoption of wide area networks, administrators were forced to defend their network not only against those with physical access, but against the larger community of people with Internet access or even just modems. Hackers began using automated scripts to call phone numbers at random, searching for modems through which they could access networks. This became known as war dialing. Still, attackers had to enter the network from a known point, such as a telephone number or IP address, making them at least somewhat traceable.

In recent years an entirely new class of attacks has emerged. The proliferation of wireless technologies has enabled attackers to enter networks, quite literally, out of thin air. Using simple, free software, a new generation of hackers is able to locate wireless networks, eavesdrop on communications, and commandeer resources. The practice of wandering around in search of wireless networks is referred to as war driving, which is a play on the earlier modem discovery technique. With the proper antenna, the attack can come from as far as several miles away. Thus detection and identification of the intruder present unique challenges, which render many traditional intrusion detection techniques ineffective.

Compounding the problem is the fact that the 802.11b wireless Ethernet standard contains fundamental security vulnerabilities. Recognizing that eavesdropping is an inherent problem in any wireless system because of the inability to control the propagation of radio waves, the designers of the standard included WEP, the Wired Equivalent Privacy protocol, in 802.11b. WEP is a layer-two security protocol that employs the RC4 encryption algorithm. While the algorithm itself is sound, the implementation is flawed, allowing WEP to be broken in a matter of minutes. To a determined attacker, it is a mere inconvenience.

Traditional network security models rely heavily on perimeter protection. Administrators of wireless networks must recognize, however, that many attacks originate behind these outer defenses. Much of the security must therefore be handled at the host and application levels. Solid host security and higher-level encryption protocols such as IPSec address many of the vulnerabilities introduced through the use of wireless networks. Still, if network administrators are to make informed security decisions, implement sound policies, and deploy available security technology effectively, they must be able to identify wireless assets, monitor network activity, and detect intruders.

3. SOLUTION: WHIFF Wireless Intrusion Detection System

Whiff dynamically creates and reports a complete asset inventory of wireless devices, detects the presence of rogue wireless clients or access points, detects wireless and traditional intrusion attempts, and alerts administrators to exposures.

Alerts

Whiff includes one or more listeners, which continuously monitor all wireless activity in their vicinity and report back to a central correlation engine. The listeners generate four classes of alerts: rogue access points, rogue clients, traditional IDS alerts, and wireless-specific alerts.

Rogue Clients and Access Points

Detecting the presence of MAC addresses not included in a known good list identifies rogue clients and access points. The correlation engine updates the list of known access points periodically. Upon detection of a rogue MAC address, the listener generates an alert, which it transmits to the correlation engine. The engine filters all incoming alerts (removing duplicates), loads a record of the alerts into a database, and notifies administrators via e-mail.

Traditional IDS Alerts

Traditional IDS alerting is facilitated through the use of Snort, an open source intrusion detection system. Snort definitions may be customized and prioritized based on the needs of a specific environment. Traditional IDS alerts are collected by each listener and periodically transmitted back to the correlation engine, where they are sorted in a manner similar to that of the rogue MAC alerts and added to the database.

Wireless-Specific Alerts

Wireless-specific alerts are a function of the Kismet wireless sniffer, an open source program upon which much of this project is based. Wireless-specific alerts are generated by conditions matching special signatures that would arise only in a wireless network, such as the presence of a NetStumbler probe. Wireless-specific alerts are handled in a batch fashion, just like traditional IDS alerts.

Web Interface

In addition to automated e-mail notifications, alerts may be viewed through a web interface on the correlation engine. The web interface may also be used to update configuration files automatically distributed to the listeners, view various statistics regarding the status of the network, configure administrator accounts, add MAC addresses to the known good list, and view a propagation map displaying the wireless network footprint. Communication with the web interface is secured through certificate-based authentication and SSL encryption.

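The rogue-device check described above (compare every transmitter against a known good MAC list, raise a rogue access point or rogue client alert, and let the database drop duplicates) is small enough to show in full. The following is an added example written for this page; it is not code from the Whiff project. The frames, the known good list and the listener names are constructed sample data, and an in-memory SQLite table stands in for the project's MySQL database. One practical point it shows that the text does not: MAC addresses must be normalised on both sides of the comparison, or a legitimate device written as "00-0c-41-..." in the list will be flagged as rogue when a listener reports it as "00:0C:41:...".

```python
"""Rogue AP / rogue client detection against a known good MAC list.

Added illustration modelled on the Whiff description; not project code.
All data below is constructed. SQLite replaces MySQL so it runs offline.
"""
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed known good list, written the way administrators really type
# MACs: mixed case and three different separator styles.
KNOWN_GOOD_RAW = [
    "00:0C:41:AA:BB:01",   # corporate AP, floor 1
    "00-0c-41-aa-bb-02",   # corporate AP, floor 2
    "0016.6fcc.dd10",      # corporate laptop, Cisco-style notation
]


@dataclass(frozen=True)
class Frame:
    """One observed 802.11 frame, as a listener would summarise it."""
    listener: str     # which listener saw it
    frame_type: str   # "beacon", "probe_req" or "data"
    src: str          # transmitter MAC as reported
    bssid: str        # BSSID the frame belongs to ("" if none)
    ssid: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form; rejects non-MAC input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def load_known_good(raw_list) -> Set[str]:
    """Normalise the administrator's list once, at (re)load time."""
    return {normalize_mac(m) for m in raw_list}


def classify(frame: Frame, known_good: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (alert_class, mac) for an unknown transmitter, else None.

    Beacons are only sent by access points, so an unknown beacon source is a
    rogue AP; any other unknown transmitter is treated as a rogue client.
    """
    mac = normalize_mac(frame.src)
    if mac in known_good:
        return None
    alert_class = "rogue_ap" if frame.frame_type == "beacon" else "rogue_client"
    return (alert_class, mac)


def open_alert_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # UNIQUE(class, mac) makes the database itself discard duplicate alerts,
    # whether they come from one listener or several.
    conn.execute("""CREATE TABLE alerts (
        class TEXT NOT NULL, mac TEXT NOT NULL, ssid TEXT,
        first_listener TEXT, UNIQUE(class, mac))""")
    return conn


def ingest(conn: sqlite3.Connection, frames, known_good: Set[str]) -> int:
    """Classify frames and store alerts; return the count of NEW alerts."""
    new = 0
    for f in frames:
        hit = classify(f, known_good)
        if hit is None:
            continue
        before = conn.total_changes
        conn.execute("INSERT OR IGNORE INTO alerts VALUES (?, ?, ?, ?)",
                     (hit[0], hit[1], f.ssid, f.listener))
        new += conn.total_changes - before   # 0 when the row was a duplicate
    return new


def list_alerts(conn: sqlite3.Connection):
    return conn.execute(
        "SELECT class, mac, ssid FROM alerts ORDER BY class, mac").fetchall()


# Constructed observations for one reporting interval.
SAMPLE_FRAMES = [
    Frame("listener-1", "beacon", "00:0c:41:aa:bb:01", "00:0c:41:aa:bb:01", "corp"),
    Frame("listener-1", "beacon", "DE:AD:BE:EF:00:01", "DE:AD:BE:EF:00:01", "linksys"),
    Frame("listener-2", "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "linksys"),
    Frame("listener-1", "data", "00:16:6f:cc:dd:10", "00:0c:41:aa:bb:01", "corp"),
    Frame("listener-2", "probe_req", "00:11:22:33:44:55", "", ""),
]


def run_demo():
    """Returns (number of new alerts, stored alert rows)."""
    conn = open_alert_db()
    known_good = load_known_good(KNOWN_GOOD_RAW)
    new = ingest(conn, SAMPLE_FRAMES, known_good)
    return new, list_alerts(conn)


if __name__ == "__main__":
    count, rows = run_demo()
    print(f"{count} new alert(s)")
    for row in rows:
        print(row)
```

The same rogue AP is reported by two listeners in two different spellings and produces a single stored alert; the corporate laptop, listed in Cisco dotted notation, is correctly recognised as known good.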
4. WHIFF in Detail

Architecture

The components of the Whiff system architecture were selected to provide the best possible functionality, given a number of technical and financial constraints. These constraints included the need to limit the amount of additional strain on the network and to make any machines and traffic added to the network as secure as possible. The Whiff architecture comprises the following four modules, diagramed in Figure 1: Listener, Correlation, Notification, and Interface.

Figure 1: Whiff Modules and Architecture

Listener

The listeners act as continuous collection points for wireless data. These machines passively monitor 802.11b traffic within antenna range and report a variety of anomalies back to the correlation server. To limit bandwidth usage, much of the initial processing is performed on the listeners, with only anomalies and summary data reported to the next module, the correlation engine.

Correlation

The correlation module receives data from the listeners and processes it into a series of MySQL tables for use by the interface module. If there are multiple listeners, the Perl scripts first compare all of the alerts and eliminate duplicates. If a rogue client is detected, a correlation script determines whether the client has associated itself with the network. If the client has been assigned an IP number, the script launches an Nmap port scan and attempts to determine the host operating system. This information, which may aid in tracking down the rogue host, is delivered to the administrator as part of the alert notification and is also entered into the database. A second benefit of the Nmap scan is that it serves as a shot across the bow, letting possible intruders know they are being tracked. If an intruder were running a personal firewall, they would probably be notified that they are being port-scanned, which might encourage them to look elsewhere. The correlation script then uses GPS Map to build a propagation map from the GPS and wireless network data. The display characteristics of this map are configurable in the interface.

Notification

The notification and correlation modules are conceptually distinct but technically intertwined. The function of the notification script is to gather alert data from the correlation processes and deliver it to an administrator in real time. The notification module may be configured to enable or disable Nmap scans and can deliver messages to any e-mail address or administrator list. Alert messages are simple and text based, so they display correctly on a pager or wireless PDA.

Interface

The interface module provides a web-based console to view alerts, IDS incidents, and rogue clients and access points. It also provides a wide variety of detail views and allows administrators to tag or add comments to alerts following investigation. They can also add rogue devices to the known good list. Access to this system is secured by a certificate-based SSL connection, coupled with a username/password login. This module, which resides on the same correlation server, dynamically generates Whiff views from the MySQL database through a series of PHP scripts. These PHP scripts also make it easy to change data or remote listener configurations from the administrator console. Configuration changes are saved to files on the server, where they are read by the listeners during each reporting interval.

Features

In designing Whiff, our goal was a feature set that would not only enhance the overall security of networks, but would also make the network administrator's job a little easier. While this feature set is by no means complete, we feel it is appropriate for an initial implementation.

Centralized Administration

The majority of Whiff installations will be of a distributed nature, with multiple listeners reporting back to a single server. Manageability issues with this type of architecture make centralized administration a key system requirement.

Whiff User Administration

Whiff user administration is performed through the web interface, with user data, including hashed passwords, stored in the user table of the database. As illustrated in Figure 3, administrators can add or remove users, or update user information, such as changing the associated group.

Security

Whiff, a security tool for wireless networks, also incorporates features that enhance its own security.

Certificate-based User Authentication

The wealth of information Whiff provides about the wireless network should not be available to just anyone. The Whiff web server restricts access by performing user authentication based on client certificates distributed only to valid parties.

Certificate-based File Transfers

Whiff's centralized listener configuration, data storage, and notifications require sensitive files to be transferred between listeners and the server. Client certificates are used to authenticate listeners when they attempt to connect to the server to pick up configuration updates or deliver network and alert data.

Role-based Security

Whiff offers role-based security to ensure that users with different functions have access to only those features they need to do their jobs.

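The Correlation and Notification modules above describe a small decision pipeline: merge what several listeners reported about the same device, decide whether a rogue client has actually associated with one of our access points and obtained an IP address (only then is a follow-up scan worthwhile), and turn the result into a short text message that fits on a pager. The code below is an added example written for this page, not the project's Perl scripts. The listener reports, the field names and the known BSSIDs are constructed assumptions; the scan itself is not performed here, only the decision that gates it and the message that would be sent.

```python
"""Cross-listener correlation, scan gating and pager-friendly notification.

Added illustration modelled on the Whiff Correlation/Notification text; not
project code. All reports below are constructed sample data.
"""
from collections import OrderedDict

# Constructed reports from two listeners for one reporting interval. Each
# alert carries what that listener could infer about the device.
LISTENER_REPORTS = [
    {"listener": "listener-1", "alerts": [
        {"class": "rogue_client", "mac": "00:11:22:33:44:55",
         "associated_bssid": "00:0c:41:aa:bb:01", "ip": "10.1.20.77"},
        {"class": "rogue_ap", "mac": "de:ad:be:ef:00:01",
         "associated_bssid": None, "ip": None},
    ]},
    {"listener": "listener-2", "alerts": [
        # Same rogue client; this listener saw the association but no IP.
        {"class": "rogue_client", "mac": "00:11:22:33:44:55",
         "associated_bssid": "00:0c:41:aa:bb:01", "ip": None},
        # A client that only probed and never associated with anything.
        {"class": "rogue_client", "mac": "66:77:88:99:aa:bb",
         "associated_bssid": None, "ip": None},
    ]},
]

# Constructed BSSIDs of our own access points (from the known good list).
KNOWN_BSSIDS = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02"}


def correlate(reports):
    """Merge alerts from all listeners into one record per (class, mac).

    Duplicates collapse into a single record that lists every listener
    that saw the device; an IP or BSSID observed by any listener is kept,
    so evidence from different vantage points is combined, not discarded.
    """
    merged = OrderedDict()
    for rep in reports:
        for a in rep["alerts"]:
            key = (a["class"], a["mac"])
            rec = merged.setdefault(key, {
                "class": a["class"], "mac": a["mac"], "listeners": [],
                "associated_bssid": None, "ip": None})
            rec["listeners"].append(rep["listener"])
            rec["associated_bssid"] = rec["associated_bssid"] or a["associated_bssid"]
            rec["ip"] = rec["ip"] or a["ip"]
    return list(merged.values())


def needs_followup_scan(rec, known_bssids, scans_enabled=True):
    """A scan is warranted only for a rogue client that has associated with
    one of OUR access points and holds an IP address; a rogue AP, or a
    client that merely probed, has nothing on our network to examine."""
    return (scans_enabled
            and rec["class"] == "rogue_client"
            and rec["associated_bssid"] in known_bssids
            and rec["ip"] is not None)


def format_alert(rec, scan_queued, max_len=160):
    """One-line plain-text alert, truncated so it renders on a pager."""
    parts = [f"WHIFF {rec['class'].upper()}",
             f"mac={rec['mac']}",
             f"seen_by={','.join(rec['listeners'])}"]
    if rec["associated_bssid"]:
        parts.append(f"assoc={rec['associated_bssid']}")
    if rec["ip"]:
        parts.append(f"ip={rec['ip']}")
    parts.append("scan=queued" if scan_queued else "scan=none")
    msg = " ".join(parts)
    return msg if len(msg) <= max_len else msg[:max_len - 3] + "..."


def process_interval(reports, known_bssids, scans_enabled=True):
    """Return (class, mac, scan_decision, message) per correlated device."""
    results = []
    for rec in correlate(reports):
        scan = needs_followup_scan(rec, known_bssids, scans_enabled)
        results.append((rec["class"], rec["mac"], scan, format_alert(rec, scan)))
    return results


if __name__ == "__main__":
    for _, _, _, message in process_interval(LISTENER_REPORTS, KNOWN_BSSIDS):
        print(message)
```

Only the first client qualifies for a follow-up scan: it is associated with one of our BSSIDs and one listener observed its IP. Disabling scans in the notification configuration, as the text allows, flips that decision without changing anything else in the message.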
5. CONCLUSION:

Throughout the project, the extent of the problems with wireless network security became increasingly obvious. Clearly there is an urgent need to gather information about what is happening on wireless networks. Whiff provides a picture of the boundaries of a wireless network, the devices connected to it, and the traffic flowing over it. While identification of attacks and vulnerabilities is only one part of an overall security plan, it is a critical first step in the effort to improve wireless network security.

Many people pay great amounts of lip service to security, but do not want to be bothered with it when it gets in their way. It is important to build systems and networks in such a way that the user is not constantly reminded of the security system around him. Users who find security policies and systems too restrictive will find ways around them. It is important to get their feedback to understand what can be improved, and it is important to let them know why what has been done has been done, the sorts of risks that are deemed unacceptable, and what has been done to minimize the organization's exposure to them. Security is everybody's business, and only with everyone's cooperation, an intelligent policy, and consistent practices will it be achievable.
