Enhancing the Security of Corporate Wi-Fi Networks Using DAIR. Example : Rogue AP. Challenges in Building an Enterprise-scale WiFi Monitoring System

Transcription

1 Challenges in Building an Enterprise-scale WiFi Monitoring System Enhancing the Security of Corporate Wi-Fi Networks Using DAIR Scale of WLAN Microsoft s WLAN has over 5 APs Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec Wolman, Brian Zill Presented By: J. Falquez Need to deploy many monitors Rapid fading of signal in indoor environment Multiple orthogonal channels May need observations from multiple vantage points Pinpoint location of rogue AP Taxonomy of Attacks on Wi-Fi Networks Eavesdropping Passive snooping (perhaps with high-gain antennas) Nearly impossible to detect Cryptographic techniques generally considered sufficient. Intrusion Rogue AP / Rogue Ad-hoc network Denial of Service Fake deauthentication/disassociation, NAV attacks, DIFS attacks, Jamming. Phishing Acquire passwords Example : Rogue AP Careless employee brings AP from home and plugs it into corporate Ethernet Bypasses corporate Wi-Fi security measures For example: WPA, 82.1 Permits unauthorized users to connect to corporate network Malicious user outside the building Widespread Problem Ongoing concern for MS IT department Surveyed two major US universities, found multiple rogue APs Need for WiFi Monitoring Systems Example: Indoor WLAN Monitoring Preventive measures such as 82.1 do not guarantee full security In addition, need WiFi monitoring system to detect problems in operational WiFi networks Detect Rogue AP by overhearing packets containing unknown BSSID % Received % % 2 3 Time (Minutes) 26% 97% 1.7% Rapid loss Rogue of AP signal and Client strength in Monitors indoor environments Complex, Red: time-varying Beacon reception signal rate propagation Blue: Data packet reception rate 1

2 State of the Art AP-based monitoring [Aruba, AirDefense..] Pros: Easy to deploy (APs are under central control) Cons: Single radio APs can not be effective monitors Specialized sensor boxes [Aruba, AirTight, ] Pros: Can provide detailed signal-level analysis Cons: Expensive, so can not deploy densely Monitoring by mobile clients [Adya et. al., MobiCom 4] Pros: Inexpensive, suitable for un-managed environments Cons: Coverage not predictable: mobile, battery-powered clients Only monitor the channel they are connected on Observation Desktop PC s with good wired connectivity are ubiquitous in enterprises + Outfitting a desktop PC with wireless is inexpensive Wireless USB dongles are cheap As low as $6.99 at online retailers PC motherboards are starting to appear with built-in radios Combine to create a dense deployment of wireless sensors DAIR: Dense Array of Inexpensive Radios DAIR Architecture Command Issuer Monitor Architecture Command (Enable/Disable Filter/ Send Packets) Heart Beat Land Monitor (1 per subnet) Remote Object Command Processor WiFi Parser Sender Filter Processor DHCP Parser Wired Network Packet Constructor Filter Filter Filter Other Parser Driver Interface Summarized Packet Information SQL Client Other data: SNMP, Configuration Send Packets/ Get Packets/Info Query Driver from the Device Custom Wireless Driver Wired NIC Driver Dump summarized data into the SQL Tables SQL Server Key Characteristics of DAIR High sensor density at low cost Leverages existing desktop resources Effective monitoring in indoor environments Can tolerate loss of a few sensors Sensors are (mostly) stationary Provides predictable coverage Permits meaningful historical analysis Applications of the DAIR Platform Security applications Detecting attacks on Wi-Fi networks Responding to such attacks Performance management Monitor RF coverage Load balancing Location service to support above applications 2

3 Rogue Wireless Networks An uninformed or careless employee who doesn t understand (or chooses not to think about) the security implications Brings AP from home, and attaches it to the corporate network Configures desktop PC with wireless interface to create a rogue ad-hoc network Bypasses security measures such as WPA, 82.1 Simple Solution Known: BSSID SSID :8:AC MSFT :9:3B MSRLAB C:3B:5A: BSSID :8:AC :9:3B C:3B:5A: Joe sap Seen: SSID MSFT MSRLAB Joe sap Problem with the Simple Solution False Positives Multi-office buildings False negatives Malicious attacker fakes authorized SSID / BSSID DAIR can help reduce both false positives and false negatives No foolproof way to avoid false positives/negatives completely DAIR raises bar while generating fewer alarms Reducing False Negatives Suspect is using an authorized SSID / BSSID If the real AP is still active Packet sequence numbers not monotonic If real AP is not active Determine location of suspect If different than expected, raise alarm Reducing False Positives Association Test Detect whether rogue AP is connected to corporate wired network Series of tests: Association test Source/destination address test Replay test C:3B:5A: Joe sap Machine inside corporate firewall If can connect to machine inside firewall via AP then AP is connected to corporate wired network 3

4 Association Test Source / Destination Address Test Test will fail if AP uses WEP or MAC address filtering People configure home APs with WEP or MAC filtering Land Monitor Failure means we need additional tests Subnet Router MAC Addrs Of Subnet Routers 8:5B:3F: 8:3C:4F: Source / Destination Address Test Data Frame (with encryption): Unencrypted Header MAC Addresses: Encrypted Payload Receiver Transmitter Destination Access Point Client Known Address Source / Destination Address Test Test will fail if AP is really a NAT/Router Many home APs combine AP and NAT/router functionality Failure means that additional tests are needed If Destination Address belongs to a subnet router, then AP Is connected to corporate wired network Similar test for Source Address Replay Test Replay Test s replay packets with suspect BSSID No need to decrypt packet Land Monitor At the One same of the time s LandMonitors capture replays data are captured alerted packetsto packets watch for Each duplicate packet packets replayed on multiple wired network. times Each packet is replayed multiple times (say 5) LandMonitors detect if duplicate packets are seen on wired network Works for NAT/Routers Even rogue ad-hoc networks Fails if suspect is using WPA2 or other crypto schemes that are robust against replay attacks 4

5 Scalability Load on Server Load on database server Load on individual s CPU Load (%) Additional wired network traffic 5AM 9AM 1PM 5PM 9PM 12 s s submit summarized data every 2 minutes Server: MS-SQL 25, 1.7GHz P4 with 1GB RAM Load (%) Load on Client Machine Machine running 5AM 9AM 1PM 5PM 9PM Machine not running Load (%) AM 9AM 1PM 5PM 9PM Additional Network Traffic: 2-5Kbps per Summary DAIR ongoing work Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment Which channels should each listen on What scanning strategy to use [Deshpande et. al. 26] Depends on density of s, environment Explored ways to leverage the platform to monitor threats to Wi-Fi networks Building an effective location system Building performance management tools 5

6 Questions 6