Intrusion Detection Presentation For WLANs Class

2. Megha Sarang

3. Amisha Sheth

4. Karthik Raghavan

6. Intruder and Attacks Intruder: An entity who tries to find a way to gain unauthorized access to information through a network, inflict harm or engage in other malicious activities. Types of Attacks:

7. Rogue Access Point Unauthorized AP attached to wired enterprise network. Personal AP used by employee (ignorant of risks), AP used with a malicious intent. Windows 7 Virtual WiFi: Every Windows 7 laptop is a potential rogue AP. RF signal spillage: Access from outside the premises.

8. Attacks Launched through Rouge APs Data leakage by passive sniffing. Man-in –the-Middle Attack. Network scans and Fingerprinting. Enterprise Data Access. Free Internet Access. Denial of Service Attacks: ARP poisoning, IP spoofing, etc.

9. Protection Against Rogue APs and Attacks Firewalls: Does not detect Rouge AP. WPA2: Rogue AP is not a managed AP. You can enforce security controls only on APs you can manage. ‘Hole1961’, vulnerability found in WAP2.

10. Protection Against Rogue APs and Attacks 802.1x port control: Cannot protect from all Rouge AP configurations. E.g. case of a MAC spoofer. Most networks do not have 802.1x port control.

11. Protection Against Rogue APs and Attacks Antivirus & Wired IDS: Does not detect Rouge APs, as they work a layer below. Wired IDS ineffective against soft Rogue APs. NAC: Cannot protect from all rouge AP configurations. E.g. MAC spoofer.

12. Protection Against Rogue APs and Attacks Intrusion Detection System is the solution!!!

13. Need for Intrusion Detection System (IDS) Similar to a burglar alarm/ lock system in a car. Complements the Firewall security: IDS detects if someone tries through break through the Firewall/ breaks in and tries to get unauthorized access. Firewalls effective in filtering incoming traffic from the internet. IDS is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization.

15. Sensors: Monitor hosts or networks on a real-time basis. They match the malicious packet with a signature from a database.

17. IDS and Ad Hoc Networks No supporting infrastructure. Conventional methods of identification and authentication are not available. No Gateways, switches or routers on which IDS conventionally relies. Mobility introduces additional challenges. Some solutions/theories proposed: Secured routing protocols like SecAODV. Dempster-Shafer Theory. Research still going on……

18. General Limitations of Intrusion Detection Systems IDS must be run online, in real time, 24x7. Needs human intervention. Additional network traffic generated when sensors relay data to a central point where it can be stored and analyzed. IDS is as good as the database of signatures. Regular updates needed. False alarms might lead to complacency. Additional cost.

19. Network-based IDS Inspects all network activity to identify suspicious patterns. Signature detection (use of signature database) vs. Anomaly detection (packet sizes/ protocols/ traffic load). Not just large number of signatures but a number of signatures for wide variety of attack types. E.g.: Buffer overflows, stealth port scans, CGI attacks, SMB probes, NMAP probes, fragment attacks, and OS fingerprinting attempts. ( Example of a product: Netprowler) Passive ( logs information and sends alerts) vs. Reactive (features like killing processes, disabling user accounts, shunning attacker IP addresses, etc) Limitations: False positives, TCP Stream Reassembly/IP Defragmentation, Switched Networks.

20. Host-based IDS Monitors individual systems on the network. Sensors located inside a host to monitor system level behavior. Types: Host wrappers (or personal firewalls) Tools that can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine. Agent-based software: Also detect changes in system files and changes in user privileges. Effective against masking techniques like out-of-order delivery, and switched networks. Limitations: Cannot fend off attacks against the protocol stack itself.

21. Implementation of an IDS The success of an IDS implementation depends to a large extent on how it has been deployed. In most cases, it is desirable to implement a hybrid solution of network based and host based IDS to benefit from both. Detailed analysis about the building structure, Number and location of authorized Access Points, List of MAC addresses used, etc. Get an overall picture of the WLAN deployed using a sniffing software like Kismet, NetStumbler. Determine the number and location of sensors. Trained people who can understand alerts, program correlation tools, manage signature database, etc. ‘Off the shelf’ product vs. Managed Security Service Provider (MSSP).

23. After Detecting a Rogue AP….. Over the air quarantine: Blocking by transmitting spoofed disconnection frames. Vendor neutral. Switch port disable: Disables the switch port using SNMP. Switch vendor interoperability issues.

24. Signatures A pattern we want to look for in network traffic. What qualifies for a signature? Connection attempt from reserved IP address. Packet with illegal (bad) TCP flag combination. Email containing a virus. Tracking the number of times a command is issued to check DOS attacks. File access attack involves accessing FTP without logging in. Specific data in the header file.

25. Creating Signatures Use of Honeypots: Honeypots are decoy computer resources set up for the purpose of monitoring and logging the activities of entities that probe, attack or compromise them. They generate signatures. Types of Honeypots: dummy items in a database, low-interaction network components like preconfigured traffic sinks, or full-interaction hosts with real operating systems and services.

26. Examples of Signatures generated by Honeycomb

27. IPS vs. IDS

28. IPS vs. IDS

29. Conclusions Modern day IDSs are far from bulletproof. However, adds significant security. With better understanding of threats and attacks, vendors need to continuously upgrade their IDSs. IDS is not a substitute for a well-defined security policy. Need of an able security/network administrator. Easier for big technology players to implement than small start ups, due to availability of specialist resources. Opportunity for Managed Security Service Providers (MSSPs) to offer IDS along with their other security services.

30. References White papers from http://www.sans.org/reading_room/whitepapers/wireless http://blog.airtightnetworks.com/category/wireless-security/ http://www.comnews.com/WhitePaper_Library/Security http://conferences.sigcomm.org/hotnets/2003/papers/honeycomb.pdf http://www.symantec.com/connect/articles/ http://www.ischool.utexas.edu/~netsec/ids.html http://www.designmpire.com/mohteshim.com/projects/anp.pdf http://rogueap.com/rogue-ap-docs/RogueAP-FAQ.pdf http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

31. THANK YOU! Questions???