Backdoor Intrusion in Wireless Networks- problems and solutions
Neel Diksha, Agarwal Shubham
Indian Institute of Information Technology-Allahabad, Deoghat- Jhalwa, Allahabad- 211011, U.P, India
dpneel_wc04@wcc.iiita.ac.in, ssagrwal_02@iiita.ac.in
Abstract- Wireless networks and ubiquitous availability of
the global Internet have already changed dramatically the
way we communicate, conduct business, and organize our
society. With current research and developments in
sensor networks and pervasive computing, we are even
creating a new networked world. However, the benefits
associated with information and communication
technology imply new vulnerabilities. In wired networks
we have to take care of front door security but same
solutions do not apply to wireless networks and they have
weak security solutions. The Wireless networks by
inherently insecure. In this paper we address the threats
in wireless networks in detail and we propose novel
solutions which will not only detect the attack on the
network but will also take counter measures to save
integrity of wireless networks.
1. INTRODUCTION
For any enterprise, network security of its intellectual
property is very important- be it a source code or a
business plan, any important document, if, goes in
“wrong” hands then it can cause big damages. With the
introduction of wireless networks the threat is more
than that it was before due to weak security algorithms
and if at all strong security solutions are introduced, not
all wireless networks update themselves before a long
period of time. But this should not discourage any
enterprise to use wireless networks. If problems exist,
so do the solutions- we address the same issue here
The Misconception: "No Wi-Fi" Policy Keeps My
Network Safe-
One of the biggest misconceptions is that an enterprise
with a "no Wi-Fi" policy is immune to wireless threats.
This perception is due to the fact that many IT
administrators presume that without Wi-Fi
infrastructure, they are safe from wireless threats.
Unfortunately, even with a "no Wi-Fi" policy, Wi-Fi is
very likely entering your enterprise through embedded
clients in laptops or rogue access points. Over 45% of
laptops shipped in 2004 include embedded Wi-Fi, thus
an enterprise is likely to have wireless within its
premises. Access points are now commonly available in
retail stores and on the Internet for less than $30. A
recent survey showed that over 20% of enterprise CIOs
had found unsecured access points on their networks.
Once behind the firewall, these devices are presumed
‘safe’ and if unsecured provide anyone in range with
access to your network, potentially exposing
confidential data about your business, customers,
products and services. And, the benefits of using Wi-Fi
for productivity gains are too many to sacrifice due to
security concerns. Wi-Fi can be deployed securely, and
the enterprise can proactively scan and prevent wireless
threats without significant burden on the IT department.
A typical wired enterprise network
Any typical wired enterprise looks like the figure below:
Figure 1-A Wired Enterprise Network
One basic assumption is that enterprise premises by
themselves are secure and we have to shield our data
from outside world and that firewall is typical solution
in such networks. Corporate firewall secures your data
from outside hackers and different policies of firewalls
decide who can connect to your enterprise and
exchange data. Firewalls usually perform two tasks-
first task is to restrict access of outsides to the
enterprise networks and second task is to monitor
outgoing traffic and deny any service which is not
considered secure as per the policy of the enterprise
network. The problem is only to secure the front door.
There is no back door entry possible.
The problem of backdoor Intrusion
Consider a situation where your corporate network is
wired and a LAN terminal wire is hanging out from a
window. Any one who wishes to connect to network
just connects his device to the LAN and accesses the
network. The situation is too insecure and any
enterprise cannot afford it. This will expose their
confidential data to anyone.
The problem described above is same as the
problem in a wireless network where the signals go
outside enterprise walls and the above analogy shows
how big the problem of wireless security is now-a-days.
These problems should, of course, not stop enterprises
from using wireless networks. Today wireless networks
are common in enterprises and this new inclusion
brings new threats of intrusion. The problem of
backdoor attack is at its peak and enterprise data is at
stake- any hacker can take data in this unsecured
environment. In today’s industry either most people
don’t understand the importance of threat caused by the
network attacks in wireless network or the network is
itself unsecured and there is no foolproof solution for
securing a network from these kinds of attacks.
Figure 2: An Unsecured Wireless Network
The security solutions of wired networks do not work
for wireless networks. The range of wireless signals go
outside the walls and the corporate firewall can only
guard the front door. The enterprise walls no longer
remain safe and assumption that enterprise is by itself
safe no longer remains valid. There is no one in the
back door and the back door needs to be secured
otherwise any intruder can attack the network and steel
important data from the enterprise hence breaching
Intellectual property Rights.
2. WIRELESS THREAT CATEGORIES WHICH WILL
BREACH INTELLECTUAL PROPERTY
Wireless threats fall into two general categories,
common and malicious, with several types of threats
within each group.
Common Wireless Threats
Rogue Access Points
The most common as well as most dangerous wireless
threat is the rogue access point. The rogue access point
is typically low cost, brought in by an employee who
desires wireless access. The default access point
settings typically have no security enabled, and thus
when plugged into the corporate network create an
entryway for anyone with a Wi-Fi client within range.
The rogue access point can also be a client computer
which is in control of software setup and there is need
to remove such software rouge AP too.
Mis-configured Access Points
For enterprises with a wireless LAN infrastructure, one
potential threat can arise from their equipment itself.
An access point which becomes mis-configured can
potentially open up a door to the corporate network,
particularly if the access point is reset to network
defaults or the security settings are turned off. If the
access point is not centrally managed, then the
likelihood of it going unnoticed is high. Employees will
still be able to connect and no problem will be reported.
Client Mis-associations
Embedded Wi-Fi clients in laptops are now relatively
common. Even for those enterprises with a "no Wi-Fi"
policy, a Windows XP laptop with a wireless client will
automatically try to connect to a server to which it had
successfully connected before. This scenario is very
common. Neighboring Wi-Fi networks can spill into the
enterprise and curious users connect to these open,
insecure, and distrusted networks while still being
connected on the wired side of the trusted network.
Users may also connect to these networks if their
internal network firewall does not permit POP email
accounts, does not permit access to certain web sites, or
they do not want their outbound traffic monitored.
These users of enterprise networks can in turn allow
another person to read important data of the enterprise.
Ad Hoc Connections
Wireless clients can also create peer-to-peer
connections. A peer-to-peer connection can be
exploited by a malicious hacker who may try to then
inflict a variety of attacks on the client such as port
scanning to explore and exploit client vulnerabilities.
Malicious Wireless Threats
Evil Twin/Honey pot Access Points
Malicious hackers are known to set up Honey pot APs
with default SSIDs (Service Set Identifier, Network
Name), hotspot SSIDs, and even corporate SSIDs
outside buildings and watch a large number of clients
automatically connect to the AP. These APs can then
inflict a variety of attacks on the client or attempt
password stealing by presenting a login page to the
client over the mis-associated wireless connection.
Rogue Clients
Rogue clients are those that are unauthorized to attach
to an authorized corporate wireless network. This may
occur through an authorized access point that has been
mis-configured with encryption turned off, or through
an access point that has had its encryption/
authentication compromised and uses the key to
connect to a properly configured authorized access
point.
Denial of Service Attacks
A threat to enterprises and service providers delivering
hot spot services, denial of service attacks are a threat
that can wreak havoc on a large number of users
simultaneously. There are various forms of wireless
denial of service attacks, but they typically involve
flooding a channel or channels with de authentication or
similar packets that terminate all current and attempted
client associations to access points.
Detection or Prevention?
Earlier generations of wireless security systems focused
on detection. Wireless Intrusion Detection Systems
(WIDS) typically rely on signature analysis to provide
an alert that a threat is occurring. The WIDS analyzes
the information it gathers and compares it to large
databases of attack signatures. Essentially, the WIDS
looks for a specific attack that has already been
documented. As with wire-line detection systems, the
solution is only as good as the database of threats.
Some systems combine this with anomaly-based
detection methods. Anomaly-based systems identify
traffic or application content presumed to be different
from ‘normal' activity on the network or host. In
anomaly detection, the system administrator defines the
baseline, or normal, state of the network's traffic load,
breakdown, protocol, and typical packet size. The
anomaly detector monitors network segments to
compare their state to the normal baseline and look for
anomalies. Wireless Intrusion Detection Systems were
appropriate with small numbers of access points and
Wi-Fi clients. However, with the exponential growth of
Wi-Fi clients and access points within the enterprise
and those within range from neighbors outside the
premises, WIDS creates an enormous burden for IT and
security administrators because they generate a huge
number of alerts, many or most of which turn out to be
false alarms. As a result, just as the market turned away
from IDS to IPS for wire line security, there has been a
rapid shift away from WIDS to a new generation of
wireless intrusion prevention systems. WIDS systems
are subject to significant numbers of false positives and
false negatives. Because they do not use deterministic
techniques, they typically cannot determine whether
encrypted APs or NATing APs are on the enterprise
network. More importantly, with the widespread use of
Wi-Fi in many enterprises, being unable to reliably
classify external APs creates huge administrative
challenges for IT managers who must deal with alerts
from remote sites. In addition, day zero attacks may go
undetected, until a new patch or fix is applied. Day zero
attacks refer to attacks that exploit vulnerabilities
whose detection logic is not supported in the intrusion
detection system. Day zero attacks are a huge problem
for signature based detection systems, since it is
impossible to keep signatures up-to-date with the latest
and most sophisticated attacks.
3. ATTRIBUTES NEEDED IN TODAY’S WORLD FOR
SECURING A WIRELESS NETWORK
Wireless intrusion prevention systems stop attacks
before they penetrate and harm the enterprise. WIPS
solutions detect each category of attack using
deterministic techniques involving a combination of
device and event auto-classification, protocol analysis
and association analysis. Signatures are only used to
provide additional details and are not necessary for
detection. Key attributes of a wireless intrusion
prevention system are:-
1. Monitoring/Detection: All channels in the 2.4 GHz
(802.11b, 802.11b/g) and 5 GHz (802.11a) bands
should be scanned. It needs to analyze, aggregate, and
correlate information reported by different sensors.
2. Auto-Classification: With increasing penetration of
WLANs, there is a need to accurately and automatically
sort harmful activity from the harmless activity in the
shared wireless medium. As an example, in
organizations with official WLAN infrastructure, the
intrusion prevention system must be able to
differentiate between authorized, rogue, and external
wireless activities. This type of classification minimizes
annoying false alarms and volumes of irrelevant alerts
from the security standpoint, both of which make the
security system unusable. Figure 3 here shows need for
classification between Rouge AP (RED) External AP
(Blue) and Authenticated AP (Green) by Senor (White).
Figure 3 : Need for classification
3. Prevention: The WIPS must automatically and
instantaneously block harmful wireless activity detected
by its wireless sensors. For example, it must block any
client from connecting to a Rogue AP or a MAC
spoofing AP, prohibit formation of ad-hoc networks,
and mitigate any type of DOS attack. Furthermore, it
must block multiple simultaneous wireless threats while
continuing to scan for new threats.
Prevention of Wi-Fi threats must be carried out with
surgical precision to avoid disturbing legitimate WLAN
activities. A well implemented WIPS Firewall should
not stop traffic on the authorized wireless network or a
neighboring Wi-Fi network.
4. Visualization: The spatial layout as well as materials
within the enterprise (walls, columns, windows,
furniture, etc.) interact with the radio coverage of the
security sensor in a complex way creating a significant
gap between rule-of-thumb placement and reality. A
systematic, scientific, and scalable RF planning process
is therefore required for determining the right
placement of access points and wireless sensors. This
must be site-specific and not require time consuming
manual surveys. Live RF maps should provide real time
information on coverage of both authorized Wi-Fi
access points and security sensors.
5. Location: Physical remediation is a final step in
permanently preventing the Wi-Fi threat and requires
knowledge of the physical location of these devices.
The WIPS Firewall must provide the location co-
ordinates of such a device inside and around the
perimeter of the enterprise premises without need for
any specialized client side software or hardware.
Security Solutions in wireless Networks
To get a secure wireless network and prevent enterprise
client connection to external AP as well as prevent
external client to connect to rouge AP in the enterprise
network which can cause loss of enterprise confidential
data we propose a Denial of Service attack a De-
authentication attack to be launched by the intrusion
detection system present in constructive manner. The
requirement is that the intrusion detection system
will have to first detect that external client is connected
to rouge AP or will have to give the information that
client is connected to external AP what ever the
situation is and after detecting unwanted connection it
should launch a De-authentication attack to the
unauthorized connection and disrupt the connection as
soon as possible. As the implementation of
Authentication or De-authentication is done on
hardware hence external AP cannot deny de-
authentication attack and hence the enterprise can be
secured by Constructive implementation of this De-
authentication attack. The first problem here is to detect
Rouge AP as well as external AP which is a problem
known as Auto Classification.
How to Auto-classify
The problem of auto classification is problem to
differentiate between Rouge AP, External AP and
Authorized AP as shown in figure 3. We here propose
method which can be implemented to differentiate
between the three to will reduce the rate of false
positive alarm as well as false negative alarm.
Differentiating between External AP & Internal AP
The solution which can be though of is quite a simple
one. The two APs External APs and internal APs must
have different kind of traffic and just by reading
packets from both the area and applying simple pattern
matching one can find that which AP is external and
which is internal and after detecting external AP if we
find any connection which is not desired a De-
authentication attack can be launched as described
above.
Preventing
Here we propose solution to one problem that is
preventing external client to connect to AP using MAC
spoofing or external AP acting as honey Pot to get
access on a client on enterprise network by using a
database of authenticated users.
MAC address of authenticated User
MAC address of authenticated users can be used to
prevent spoofing of address. The enterprise can
maintain a database which has MAC address of each
and every client as well as rouge APs MAC address of
all the APs present in the enterprise. If the Intrusion
detection system which is typically a sensor finds more
than one instances of MAC address in the same
enterprise network, it can be sure that the MAC address
has been spoofed and can block access to that MAC
address temporarily.
4. CONCLUSION
Today, the enterprise air space has become an asset. To
protect this asset, wireless intrusion prevention systems
are needed to provide 24 x 7 securities against
unintended and malicious Wi-Fi threats. As recent news
events have shown, a lack of robust protection can lead
to serious consequences including loss of confidential
data, customer trust and brand value. Wireless Intrusion
Prevention Systems complement today’s wired security
solutions and keeps the enterprise network safe,
whether or not a Wi-Fi network is currently in place.
REFERENCES
[1] Mema Roussopoulous, Guido Appenzeller and Mary
Baker, ”User-friendly access control for public network ports”,
IEEE INFOCOM, 1999.
[2] Elliot Poger and Mary Baker, “Secure public internet
access handler” December 1997.
[3] Harald Welte, “The netfilter framework”, Linux Congress,
2000.
[4] Microsoft, msdn.microsoft.com. Microsoft Developer
Network: Firewall API.
[5] Symantec. Security response. Virus-Worm activity details.
[6] Port knocking: http://www.portknocking.org/
[7] Cisco: http://www.cisco.com/
[8] Firewall : http://www.ipcortex.co.uk/wp/fw.rhtm