802.11w's Impacts on WIPS

Transcription

1 802.11w's Impacts on WIPS Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Part number:

2 Contents w's impacts on WIPS 1 Technical background 1 Impacts 1 Impacts on malformed packet detection 1 Impacts on countermeasures against rogue devices 2 Impacts because of software version limitations 3 i

3 802.11w's impacts on WIPS This document covers the impacts of the w protocol on the Wireless Intrusion Prevention System (WIPS). Technical background As a broadcast medium, Wi-Fi enables both legitimate and rogue devices to sniff and access the network. Wireless clients use management frames, including association, disassociation, authentication, deauthentication, beacon, and probe frames, to establish and terminate network service sessions. During Wi-Fi communication, data frames are encrypted to enhance data security. However, management frames were designed to be transmitted unencrypted to ensure that all devices can hear and understand these frames. As a result, attackers can easily initiate attacks by spoofing the management frames. For example, an attacker might broadcast spoofed deauthentication frames to disassociate legitimate clients from an AP. Figure 1 Deauthentication flood attack AP Attacker Legitimate clients 1. Clients connect to the AP. 2. The attacker broadcasts spoofed deauthentication frames. 3. Clients believe the spoofed deauthentication frames come from the AP. 4. Clients disconnect from the AP. Impacts Both WIPS and the w protocol can protect clients from spoofed management frame attacks. However, if you enable both WIPS and the w protocol in a WLAN, some functions of WIPS might be affected because robust management frames such as disassociation, deauthentication, and robust action frames encrypted by the w protocol cannot be parsed by WIPS. Impacts on malformed packet detection The w protocol encrypts the payload of a disassociation, deauthentication, or robust action frame, so malformed packet detection on payloads of disassociation, deauthentication, and robust 1

4 action frames is affected. Figure 2 and Figure 3 show examples of an unencrypted deauthentication frame where the deauthentication reason code is obtained and an encrypted deauthentication frame where the deauthentication reason code is not obtained. Figure 2 Unencrypted deauthentication frame Figure 3 Encrypted deauthentication frame Impacts on countermeasures against rogue devices When WIPS detects a rogue device, it sends deauthentication frames to disconnect the device from the WLAN. If the rogue device is enabled with the w protocol, the deauthentication frames sent by 2

5 WIPS will be discarded as invalid frames. Therefore, WIPS cannot take countermeasures against such rogue devices. Figure 4 Impacts on countermeasures against rogue devices AC AP PMF connection Sensor Deauth frames for countermeasure Invalid management frame, discard Rogue device Impacts because of software version limitations WIPS detects flood attacks by monitoring transmitted frames, and removes a client from the detected device list when it detects a deauthentication or disassociation frame for the client during device discovery. As shown in Figure 5, both flood attack detection and device discovery are performed after malformed packet detection in WIPS. In R2607P23, R3507P23 or earlier versions, WIPS identifies w-encrypted deauthentication or disassociation frames as malformed packets during malformed packet detection and sends the packets for statistics without further processing. Therefore, the following functions of WIPS are affected: Signature-based deauthentication and disassociation flood attack Removal of clients from the detected device list. A client is removed from the detected device list only after its aging time expires. These problems will be resolved in later versions. 3

6 Figure 5 Packet analysis procedure for WIPS 5. Attack detection 1. ADoS 3. Signature analysis Flood attack detection; Custom attack 4. Wireless topology MAC spoofing; Weak IV; Ad hoc network; Invalid OUI; AP spoofing. 6. Statistics Frame statistics based on channel; Frame statistics based on device; Prohibited channel Rate monitoring; Rate limit; Frame filtering; DoS attack 2. Protocol analysis Device discovery; Wireless network service discovery; Device classification. Frame analysis; Malformed packet Malformed packets 4