Abstract- Wireless networks and the ubiquitous availability of the global Internet have already dramatically changed the way we communicate, conduct business, and organize our society. With current research and developments in sensor networks and pervasive computing, we are even creating a new networked world. However, the benefits associated with information and communication technology imply new vulnerabilities. In wired networks we have to take care of front-door security, but the same solutions do not apply to wireless networks, which have weak security solutions. Wireless networks are inherently insecure. In this paper we address the threats in wireless networks in detail and propose novel solutions which will not only detect an attack on the network but will also take countermeasures to preserve the integrity of wireless networks.

1. INTRODUCTION

‘safe’ and, if unsecured, provide anyone in range with access to your network, potentially exposing confidential data about your business, customers, products and services. And the benefits of using Wi-Fi for productivity gains are too many to sacrifice due to security concerns. Wi-Fi can be deployed securely, and the enterprise can proactively scan for and prevent wireless threats without significant burden on the IT department.

A typical wired enterprise network
Any typical wired enterprise looks like the figure below:
2. WIRELESS THREAT CATEGORIES WHICH WILL BREACH INTELLECTUAL PROPERTY

Wireless threats fall into two general categories, common and malicious, with several types of threats within each group.

Common Wireless Threats

Rogue Access Points
The most common as well as the most dangerous wireless threat is the rogue access point. The rogue access point is typically low cost, brought in by an employee who desires wireless access. The default access point settings typically have no security enabled, and thus when plugged into the corporate network they create an entryway for anyone with a Wi-Fi client within range. The rogue access point can also be a client computer

Evil Twin/Honey pot Access Points
Malicious hackers are known to set up honeypot APs with default SSIDs (Service Set Identifier, network name), hotspot SSIDs, and even corporate SSIDs outside buildings and watch a large number of clients automatically connect to the AP. These APs can then inflict a variety of attacks on the client or attempt password stealing by presenting a login page to the client over the mis-associated wireless connection.

Rogue Clients
Rogue clients are those that are unauthorized to attach to an authorized corporate wireless network. This may occur through an authorized access point that has been mis-configured with encryption turned off, or through an access point that has had its encryption/authentication compromised, where the rogue client uses the recovered key to connect to a properly configured authorized access point.
Denial of Service Attacks
A threat to enterprises and to service providers delivering hot-spot services, denial of service attacks can wreak havoc on a large number of users simultaneously. There are various forms of wireless denial of service attack, but they typically involve flooding a channel or channels with de-authentication or similar packets that terminate all current and attempted client associations to access points.

Detection or Prevention?
Earlier generations of wireless security systems focused on detection. Wireless Intrusion Detection Systems (WIDS) typically rely on signature analysis to provide an alert that a threat is occurring. The WIDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the WIDS looks for a specific attack that has already been documented. As with wire-line detection systems, the solution is only as good as the database of threats. Some systems combine this with anomaly-based detection methods. Anomaly-based systems identify traffic or application content presumed to be different from ‘normal’ activity on the network or host. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies. Wireless Intrusion Detection Systems were appropriate with small numbers of access points and Wi-Fi clients. However, with the exponential growth of Wi-Fi clients and access points within the enterprise, and of those within range from neighbors outside the premises, WIDS creates an enormous burden for IT and security administrators because it generates a huge number of alerts, many or most of which turn out to be false alarms. As a result, just as the market turned away from IDS to IPS for wire-line security, there has been a rapid shift away from WIDS to a new generation of wireless intrusion prevention systems. WIDS systems are subject to significant numbers of false positives and false negatives. Because they do not use deterministic techniques, they typically cannot determine whether encrypted APs or NATing APs are on the enterprise network. More importantly, with the widespread use of Wi-Fi in many enterprises, being unable to reliably classify external APs creates huge administrative challenges for IT managers who must deal with alerts from remote sites. In addition, day-zero attacks may go undetected until a new patch or fix is applied. Day-zero attacks refer to attacks that exploit vulnerabilities whose detection logic is not supported in the intrusion detection system. Day-zero attacks are a huge problem for signature-based detection systems, since it is not possible to keep signatures up-to-date with the latest and most sophisticated attacks.

3. ATTRIBUTES NEEDED IN TODAY’S WORLD FOR SECURING A WIRELESS NETWORK

Wireless intrusion prevention systems stop attacks before they penetrate and harm the enterprise. WIPS solutions detect each category of attack using deterministic techniques involving a combination of device and event auto-classification, protocol analysis and association analysis. Signatures are only used to provide additional details and are not necessary for detection. Key attributes of a wireless intrusion prevention system are:

1. Monitoring/Detection: All channels in the 2.4 GHz (802.11b, 802.11b/g) and 5 GHz (802.11a) bands should be scanned. The system needs to analyze, aggregate, and correlate information reported by different sensors.

2. Auto-Classification: With the increasing penetration of WLANs, there is a need to accurately and automatically sort harmful activity from harmless activity in the shared wireless medium. As an example, in organizations with an official WLAN infrastructure, the intrusion prevention system must be able to differentiate between authorized, rogue, and external wireless activities. This type of classification minimizes annoying false alarms and volumes of alerts that are irrelevant from the security standpoint, both of which make the security system unusable. Figure 3 shows the need for classification between rogue APs (red), external APs (blue) and authenticated APs (green) by the sensor (white).

Figure 3: Need for classification

3. Prevention: The WIPS must automatically and instantaneously block harmful wireless activity detected by its wireless sensors. For example, it must block any client from connecting to a rogue AP or a MAC-spoofing AP, prohibit the formation of ad-hoc networks, and mitigate any type of DoS attack. Furthermore, it must block multiple simultaneous wireless threats while continuing to scan for new threats.

Prevention of Wi-Fi threats must be carried out with surgical precision to avoid disturbing legitimate WLAN activities. A well-implemented WIPS Firewall should not stop traffic on the authorized wireless network or on a neighboring Wi-Fi network.
4. Visualization: The spatial layout as well as the materials within the enterprise (walls, columns, windows, furniture, etc.) interact with the radio coverage of the security sensor in a complex way, creating a significant gap between rule-of-thumb placement and reality. A systematic, scientific, and scalable RF planning process is therefore required for determining the right placement of access points and wireless sensors. This must be site-specific and must not require time-consuming manual surveys. Live RF maps should provide real-time information on the coverage of both authorized Wi-Fi access points and security sensors.

5. Location: Physical remediation is the final step in permanently preventing a Wi-Fi threat and requires knowledge of the physical location of the offending devices. The WIPS Firewall must provide the location coordinates of such a device inside and around the perimeter of the enterprise premises without the need for any specialized client-side software or hardware.

Security Solutions in Wireless Networks
To secure the wireless network, we must prevent enterprise clients from connecting to external APs and prevent external clients from connecting to rogue APs in the enterprise network, either of which can cause loss of confidential enterprise data. We propose that the intrusion detection system itself launch a denial-of-service attack, a de-authentication attack, in a constructive manner. The requirement is that the intrusion detection system must first detect that an external client is connected to a rogue AP, or report that an enterprise client is connected to an external AP, whatever the situation is; after detecting the unwanted connection it should launch a de-authentication attack against the unauthorized connection and disrupt it as soon as possible. Because authentication and de-authentication are implemented in hardware, an external AP cannot refuse the de-authentication attack, and hence the enterprise can be secured by a constructive implementation of this de-authentication attack. The first problem here is to detect rogue APs as well as external APs, a problem known as auto-classification.

How to Auto-classify
The problem of auto-classification is to differentiate between rogue APs, external APs and authorized APs, as shown in Figure 3. We here propose a method which can be implemented to differentiate between the three and which will reduce the rate of false-positive as well as false-negative alarms.

Differentiating between External AP & Internal AP
The solution which can be thought of is quite a simple one. The two kinds of AP, external APs and internal APs, must carry different kinds of traffic; just by reading packets from both in the area and applying simple pattern matching, one can find which AP is external and which is internal. After detecting an external AP, if we find any connection which is not desired, a de-authentication attack can be launched as described above.

Preventing
Here we propose a solution to one problem: preventing an external client from connecting to an AP using MAC spoofing, or an external AP acting as a honeypot from getting access to a client on the enterprise network, by using a database of authenticated users.

MAC address of authenticated User
The MAC addresses of authenticated users can be used to prevent spoofing of addresses. The enterprise can maintain a database which holds the MAC address of each and every client as well as the MAC address of all the APs present in the enterprise, including rogue APs. If the intrusion detection system, which is typically a sensor, finds more than one instance of a MAC address in the same enterprise network, it can be sure that the MAC address has been spoofed and can block access to that MAC address temporarily.

4. CONCLUSION

Today, the enterprise air space has become an asset. To protect this asset, wireless intrusion prevention systems are needed to provide 24 x 7 security against unintended and malicious Wi-Fi threats. As recent news events have shown, a lack of robust protection can lead to serious consequences including loss of confidential data, customer trust and brand value. Wireless Intrusion Prevention Systems complement today’s wired security solutions and keep the enterprise network safe, whether or not a Wi-Fi network is currently in place.
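As an added illustration, not code from the paper, here is a Python sketch of the sensor-side logic behind the two proposals in the Security Solutions sections: classifying each AP as authorized, rogue or external, and flagging a client MAC address that is active in two places at once so it can be blocked temporarily. The inventory and sensor log are constructed sample data; using the AP's own MAC showing up on the enterprise wired side as the "internal traffic" pattern is my assumption, and the de-authentication containment the paper proposes is only recorded as a decision.

```python
from collections import defaultdict

# Constructed inventory and sensor log; every MAC here is a hypothetical sample value.
AUTHORIZED_APS = {"00:11:22:aa:bb:01"}                              # enterprise BSSIDs
AUTHORIZED_CLIENTS = {"d4:3d:7e:00:00:10", "d4:3d:7e:00:00:11"}    # enrolled clients
WIRED_SEEN = {"00:11:22:aa:bb:01", "66:77:88:cc:dd:02"}             # MACs seen on the LAN
OBSERVATIONS = [  # (timestamp_s, sensor_id, bssid, client_mac) as a sensor would report
    (100, "s1", "00:11:22:aa:bb:01", "d4:3d:7e:00:00:10"),  # authorized client, own AP
    (101, "s1", "66:77:88:cc:dd:02", "d4:3d:7e:00:00:11"),  # authorized client on rogue AP
    (102, "s2", "aa:aa:aa:00:00:99", "d4:3d:7e:00:00:10"),  # same MAC on an external AP
    (103, "s1", "00:11:22:aa:bb:01", "d4:3d:7e:00:00:10"),  # and back: two radios at once
    (104, "s2", "aa:aa:aa:00:00:99", "0c:0c:0c:00:00:55"),  # a neighbour's own client
]

def classify_ap(bssid):
    """Authorized: in inventory. Rogue: unknown AP whose MAC also shows up on the
    enterprise wired side (assumed 'internal traffic' pattern). External: the rest."""
    if bssid in AUTHORIZED_APS:
        return "authorized"
    return "rogue" if bssid in WIRED_SEEN else "external"

def find_spoofed(observations, window=30):
    """A client MAC alternating between two BSSIDs (A, B, A) within `window` seconds
    is two radios sharing one address; honest roaming looks like A, A, B, B."""
    per_mac = defaultdict(list)
    for ts, _sensor, bssid, mac in sorted(observations):
        per_mac[mac].append((ts, bssid))
    spoofed = set()
    for mac, seq in per_mac.items():
        for i in range(2, len(seq)):
            (t0, a), (_, b), (t2, c) = seq[i - 2], seq[i - 1], seq[i]
            if a == c != b and t2 - t0 <= window:
                spoofed.add(mac)
    return spoofed

def decide(observations, now, block_ttl=300):
    """Verdict per client MAC plus temporary block expiry; nothing is transmitted here."""
    spoofed = find_spoofed(observations)
    verdict, block_until = {}, {}
    for _ts, _sensor, bssid, mac in observations:
        ap = classify_ap(bssid)
        if mac in spoofed:                       # duplicate MAC: block for block_ttl seconds
            verdict[mac] = "block-temporarily"
            block_until[mac] = now + block_ttl
        elif mac in AUTHORIZED_CLIENTS and ap != "authorized":
            verdict.setdefault(mac, "contain: authorized client on %s AP" % ap)
        elif mac not in AUTHORIZED_CLIENTS and ap != "external":
            verdict.setdefault(mac, "contain: unknown client on %s AP" % ap)
        else:                                    # own client on own AP, or neighbour traffic
            verdict.setdefault(mac, "allow" if ap == "authorized" else "ignore")
    return verdict, block_until
```

A neighbour's client on a neighbour's AP is deliberately ignored, which is the false-alarm reduction the auto-classification section asks for.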