Enhancing the Security of Corporate
Wi-Fi Networks Using DAIR
Paramvir Bahl, Ranveer Chandra, Jitendra Padhye,
Lenin Ravindranath, Manpreet Singh, Alec Wolman,
Brian Zill
Presented by: J. Falquez
Challenges in Building an Enterprise-scale WiFi Monitoring System
• Scale of WLAN
– Microsoft's WLAN has over 5000 APs
• Need to deploy many monitors
– Rapid fading of signal in indoor environment
– Multiple orthogonal channels
– May need observations from multiple vantage points, e.g. to pinpoint the location of a rogue AP
Taxonomy of Attacks on Wi-Fi Networks
• Eavesdropping
– Passive snooping (perhaps with high-gain antennas)
– Nearly impossible to detect
– Cryptographic techniques generally considered sufficient
• Intrusion
– Rogue AP / rogue ad-hoc network
• Denial of Service
– Fake deauthentication/disassociation, NAV attacks, DIFS attacks, jamming
• Phishing
– Acquire passwords
Example: Rogue AP
• Careless employee brings an AP from home and plugs it into the corporate Ethernet
• Bypasses corporate Wi-Fi security measures
– For example: WPA, 802.1X
• Permits unauthorized users to connect to the corporate network
– Malicious user outside the building?
• Widespread problem
– Ongoing concern for MS IT department
– Surveyed two major US universities, found multiple rogue APs
Need for WiFi Monitoring Systems
• Preventive measures such as 802.1X do not guarantee full security
• In addition, need a WiFi monitoring system to detect problems in operational WiFi networks
– Detect rogue APs by overhearing packets containing an unknown BSSID
Example: Indoor WLAN Monitoring
[Figure: floor plan ("Rogue AP and Client Monitors") with a rogue AP and several client monitors; each monitor is labelled with its beacon reception rate (red) and data packet reception rate (blue), e.g. 97% / 1.7% next to the AP, 26% / 0% and 0% / 0% a few offices away. Rapid loss of signal strength in indoor environments.]
[Figure: percentage of packets received at one monitor versus time, 0 to 300 minutes. Complex, time-varying signal propagation.]
State of the Art
• AP-based monitoring [Aruba, AirDefense, …]
– Pros: Easy to deploy (APs are under central control)
– Cons: Single-radio APs cannot be effective monitors
• Specialized sensor boxes [Aruba, AirTight, …]
– Pros: Can provide detailed signal-level analysis
– Cons: Expensive, so cannot be deployed densely
• Monitoring by mobile clients [Adya et al., MobiCom '04]
– Pros: Inexpensive, suitable for unmanaged environments
– Cons: Coverage not predictable (mobile, battery-powered clients)
– Cons: Only monitor the channel they are connected on
Observation
• Desktop PCs with good wired connectivity are ubiquitous in enterprises
• Outfitting a desktop PC with 802.11 wireless is inexpensive
– Wireless USB dongles are cheap: as low as $6.99 at online retailers
– PC motherboards are starting to appear with built-in 802.11 radios
• Combine to create a dense deployment of wireless sensors
DAIR: Dense Array of Inexpensive Radios
DAIR Architecture
[Figure: AirMonitors (desktop PCs with wireless dongles) and one LandMonitor per subnet report over the wired network to a central database; the inference engine queries the database, which also holds other data such as SNMP and configuration.]
Monitor Architecture
[Figure: inside a monitor, a custom wireless driver (or the wired NIC driver on a LandMonitor) delivers packets through the driver interface to all registered filters (WiFi parser, DHCP parser, other parsers); the filter processor enables/disables filters and promiscuous mode/logging; the SQL client dumps summarized packet information into SQL Server tables; the command processor (a remote object) exchanges heartbeats and commands (enable/disable filter, send packets) with a command issuer, and a sender/packet constructor sends packets or queries the driver.]
Key Characteristics of DAIR
• High sensor density at low cost
– Leverages existing desktop resources
– Effective monitoring in indoor environments
– Can tolerate loss of a few sensors
• Sensors are (mostly) stationary
– Provides predictable coverage
– Permits meaningful historical analysis
Applications of the DAIR Platform
• Security applications
– Detecting attacks on Wi-Fi networks
– Responding to such attacks
• Performance management
– Monitor RF coverage
– Load balancing
• Location service to support the above applications
Rogue Wireless Networks
• An uninformed or careless employee who doesn't understand (or chooses not to think about) the security implications
– Brings an AP from home and attaches it to the corporate network
– Configures a desktop PC with a wireless interface to create a rogue ad-hoc network
• Bypasses security measures such as WPA, 802.1X
Simple Solution
[Figure: AirMonitors report every (BSSID, SSID) they overhear to the database; the inference engine compares the Seen table against the Known table.]
Known:
BSSID      SSID
00:08:AC … MSFT
00:09:3B … MSRLAB
Seen:
BSSID      SSID
00:08:AC … MSFT
00:09:3B … MSRLAB
0C:3B:5A:  Joe'sAP
Problem with the Simple Solution
• False positives
– Multi-office buildings (a neighbour's AP is overheard but is not on our network)
• False negatives
– Malicious attacker fakes an authorized SSID / BSSID
• DAIR can help reduce both false positives and false negatives
– No foolproof way to avoid false positives/negatives completely
– DAIR raises the bar while generating fewer alarms
Reducing False Negatives
• Suspect is using an "authorized" SSID / BSSID
• If the "real" AP is still active
– Packet sequence numbers seen for that BSSID are not monotonic (two transmitters)
• If the real AP is not active
– Determine the location of the suspect
– If different from the expected location, raise an alarm
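The following is an added example, not code from the DAIR paper or slides, showing how an inference engine could run both the simple known-BSSID comparison and the sequence-number check above over beacon observations that AirMonitors have submitted. The BSSIDs, the observations and the `max_step` threshold are constructed for the example; a real deployment would tune the threshold to the AP's frame rate, since an AP's 12-bit sequence counter is shared by its data frames as well as its beacons.

```python
"""Added example (not from the DAIR paper or slides): the simple
known-BSSID comparison plus the sequence-number check that catches a
spoofer reusing an authorized BSSID while the real AP is still active."""
from collections import defaultdict

# Known table, as the inference engine's database would hold it (hypothetical).
KNOWN_APS = {
    "00:08:ac:00:00:01": "MSFT",
    "00:09:3b:00:00:02": "MSRLAB",
}

# Constructed observations: (time_s, monitor, bssid, ssid, seq_number).
# mon2 sees beacons for the MSRLAB BSSID from two counters: the real AP
# (3000, 3001, 3002, ...) and a spoofer (742, 743, ...).
OBSERVATIONS = [
    (0.00, "mon1", "00:08:ac:00:00:01", "MSFT",     100),
    (0.10, "mon1", "00:08:ac:00:00:01", "MSFT",     101),
    (0.20, "mon1", "00:08:ac:00:00:01", "MSFT",     102),
    (0.00, "mon2", "00:09:3b:00:00:02", "MSRLAB",  3000),
    (0.10, "mon2", "00:09:3b:00:00:02", "MSRLAB",  3001),
    (0.15, "mon2", "00:09:3b:00:00:02", "MSRLAB",   742),
    (0.20, "mon2", "00:09:3b:00:00:02", "MSRLAB",  3002),
    (0.25, "mon2", "00:09:3b:00:00:02", "MSRLAB",   743),
    (0.30, "mon2", "0c:3b:5a:00:00:03", "Joe'sAP",   17),
]

SEQ_MOD = 4096   # the 802.11 sequence number is a 12-bit counter


def seq_step(prev, cur):
    """Forward distance from prev to cur, handling the 12-bit wrap.
    A backwards jump therefore shows up as a very large step."""
    return (cur - prev) % SEQ_MOD


def unknown_bssids(observations, known=KNOWN_APS):
    """Simple solution: every BSSID seen that is not in the known table."""
    return sorted({bssid for _, _, bssid, _, _ in observations if bssid not in known})


def nonmonotonic_bssids(observations, known=KNOWN_APS, max_step=64):
    """For each known BSSID, walk each monitor's observations in time order.
    A single transmitter advances its counter by a small positive step
    between consecutive beacons; a zero step, a backwards jump, or a jump
    larger than max_step (tune to the AP's frame rate) means more than one
    transmitter is using the BSSID."""
    per_key = defaultdict(list)
    for t, monitor, bssid, _ssid, seq in observations:
        if bssid in known:
            per_key[(monitor, bssid)].append((t, seq))
    flagged = set()
    for (_monitor, bssid), samples in per_key.items():
        samples.sort()
        for (_, a), (_, b) in zip(samples, samples[1:]):
            if not 1 <= seq_step(a, b) <= max_step:
                flagged.add(bssid)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("unknown BSSIDs:", unknown_bssids(OBSERVATIONS))
    print("known BSSIDs with a second transmitter:", nonmonotonic_bssids(OBSERVATIONS))
```

The known-list comparison alone would report only Joe's AP; the sequence-number walk additionally flags the MSRLAB BSSID because mon2's samples jump from 3001 back to 742, which after the modulo wrap is a step of 1837, far beyond anything one AP emits between two beacons.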
Reducing False Positives
• Detect whether the rogue AP is connected to the corporate wired network
• Series of tests:
– Association test
– Source/destination address test
– Replay test
Association Test
[Figure: an AirMonitor associates with the suspect AP (0C:3B:5A: Joe'sAP) and tries to reach a machine inside the corporate firewall; the inference engine records the result in the database.]
• If an AirMonitor can connect to a machine inside the firewall via the AP, then the AP is connected to the corporate wired network
• Test will fail if the AP uses WEP or MAC address filtering
– People configure home APs with WEP or MAC filtering
• Failure means we need additional tests …
Source / Destination Address Test
[Figure: the LandMonitor on each subnet reports the MAC addresses of the subnet routers (e.g. 08:5B:3F: …, 08:3C:4F: …) to the database; the inference engine compares them against the addresses in frames overheard from the suspect AP.]
• 802.11 data frame (with encryption): the MAC header is unencrypted even when the payload is encrypted, so the addresses can be read without any key
– For a frame from a client to the AP the header carries the Receiver (the access point), the Transmitter (the client) and the Destination address
• Known address? If the Destination Address belongs to a subnet router, then the AP is connected to the corporate wired network
– Similar test for the Source Address of frames from the AP to a client
• Test will fail if the AP is really a NAT/router
– Many home APs combine AP and NAT/router functionality, so the wired-side address never appears in the 802.11 header
• Failure means that additional tests are needed
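As an added example (not the paper's own code) of the source/destination address test, the following parses the unencrypted 802.11 MAC header of a captured data frame and checks the wired-side address against subnet-router MACs. The router addresses, client addresses and frames are constructed for the example. It also returns the inconclusive result for the NAT case above, where the destination address is the AP's own.

```python
"""Added example, not code from the DAIR paper or slides: parse the
cleartext 802.11 MAC header and apply the source/destination address
test against the subnet-router MACs a LandMonitor reports."""
import struct

# Hypothetical subnet-router MAC addresses, as reported by the LandMonitor.
SUBNET_ROUTER_MACS = {"08:5b:3f:00:00:01", "08:3c:4f:00:00:02"}

FC_TYPE_DATA = 2
FC_TO_DS = 0x0100        # flag bits sit in the high byte of the little-endian FC field
FC_FROM_DS = 0x0200
FC_PROTECTED = 0x4000


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_data_frame(frame):
    """Return BSSID, source and destination of an 802.11 data frame. The
    header is never encrypted, so no key is needed for WEP/WPA traffic."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    if (fc >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:            # WDS, 4-address frame: A3=DA, A4=SA
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        bssid, sa, da = None, frame[24:30], a3
    elif to_ds:                      # client -> AP: A1=BSSID (receiver), A2=SA (transmitter), A3=DA
        bssid, sa, da = a1, a2, a3
    elif from_ds:                    # AP -> client: A1=DA, A2=BSSID, A3=SA
        bssid, sa, da = a2, a3, a1
    else:                            # ad hoc: A1=DA, A2=SA, A3=BSSID
        bssid, sa, da = a3, a2, a1
    return {
        "bssid": mac_str(bssid) if bssid else None,
        "sa": mac_str(sa), "da": mac_str(da),
        "to_ds": to_ds, "from_ds": from_ds,
        "protected": bool(fc & FC_PROTECTED),
    }


def address_test(frame, router_macs=SUBNET_ROUTER_MACS):
    """True: the wired-side address is a subnet router, so the AP bridges onto
    the corporate network. False: inconclusive (a NAT AP rewrites addresses,
    so failure only means more tests are needed). None: not infrastructure
    traffic, the test does not apply."""
    hdr = parse_data_frame(frame)
    if hdr["to_ds"] and not hdr["from_ds"]:
        wired_side = hdr["da"]        # destination beyond the AP
    elif hdr["from_ds"] and not hdr["to_ds"]:
        wired_side = hdr["sa"]        # source beyond the AP
    else:
        return None
    return wired_side in router_macs


def build_data_frame(to_ds, from_ds, a1, a2, a3, body=b"\x00" * 16, seq=1):
    """Constructed test frame: data type, protected bit set, opaque body."""
    fc = FC_TYPE_DATA << 2 | FC_PROTECTED
    fc |= FC_TO_DS if to_ds else 0
    fc |= FC_FROM_DS if from_ds else 0
    hdr = struct.pack("<HH", fc, 0) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
    return hdr + struct.pack("<H", seq << 4) + body


if __name__ == "__main__":
    # Constructed: a client behind Joe's AP (hypothetical BSSID) talking to a subnet router.
    f = build_data_frame(True, False, "0c:3b:5a:00:00:03", "00:11:22:33:44:55", "08:5b:3f:00:00:01")
    print(parse_data_frame(f), address_test(f))
```

A ToDS frame whose destination is the AP's own address (what a NAT AP's clients send, since the AP is their default gateway) yields `False`, which is the "need additional tests" outcome rather than a clean bill of health.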
Replay Test
[Figure: AirMonitors capture data packets with the suspect BSSID; one of the AirMonitors replays the captured packets, each packet multiple times; at the same time the LandMonitors are alerted to watch for duplicate packets on the wired network.]
• AirMonitors replay packets with the suspect BSSID
– No need to decrypt the packet
• Each packet is replayed multiple times (say 5)
• LandMonitors detect if duplicate packets are seen on the wired network
• Works for NAT/routers, and even for rogue ad-hoc networks
• Fails if the suspect is using WPA2 or other crypto schemes that are robust against replay attacks (WPA's TKIP also carries a replay counter, so in practice this test works against open and WEP networks)
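An added simulation of the replay test (not the project's own code): the AirMonitor side arms a LandMonitor for a short window and replays each captured, still-encrypted frame several times, while the LandMonitor counts exact duplicates on the wire. The suspect-AP stand-ins and the captured frames are hypothetical and do not model encryption; the point is the window-and-threshold logic, which never needs to decrypt anything, and the failure mode when the AP discards replays.

```python
"""Added example, not code from the DAIR paper or slides: a simulation of
the replay test with both the AirMonitor and LandMonitor sides."""
import hashlib
from collections import Counter

REPLAY_COUNT = 5   # the slides suggest replaying each packet about 5 times


class LandMonitor:
    """Wired-side observer for one subnet. It never parses 802.11 frames;
    it only counts identical Ethernet frames inside the window the
    inference engine tells it to watch."""

    def __init__(self):
        self.window = None
        self.counts = Counter()

    def arm(self, start, end):
        self.window = (start, end)
        self.counts.clear()

    def observe(self, t, wired_frame):
        if self.window and self.window[0] <= t <= self.window[1]:
            self.counts[hashlib.sha256(wired_frame).digest()] += 1

    def verdict(self, threshold=REPLAY_COUNT):
        """Ordinary retransmissions repeat a frame once or twice; only a
        frame seen at least `threshold` times inside the window counts as
        evidence that the replayed copies reached the wire."""
        return any(c >= threshold for c in self.counts.values())


# Hypothetical stand-ins for the suspect AP's behaviour.
def wep_bridge_ap(air_frame):
    """WEP (or open) AP bridged onto the corporate wire: no replay counter,
    so it accepts every copy and forwards the same payload each time.
    Decryption is not modelled; the mapping only has to be deterministic."""
    return b"eth:" + hashlib.sha256(air_frame[24:]).digest()


def replay_protected_ap(air_frame):
    """WPA/WPA2 AP: the replayed frame carries a packet number the AP has
    already accepted, so every copy is dropped. From the LandMonitor's
    point of view this is indistinguishable from an AP that is not on the
    corporate wire at all, which is why the test fails for such APs."""
    return None


def replay_test(captured_frames, suspect_ap, land_monitor,
                start=10.0, replays=REPLAY_COUNT):
    """AirMonitor side: arm the LandMonitor, then replay each captured frame
    `replays` times; whatever the AP forwards reaches the LandMonitor via
    `suspect_ap`. True means the suspect is connected to the corporate
    network; False means the wire saw no duplicates."""
    land_monitor.arm(start, start + 1.0)
    t = start
    for frame in captured_frames:
        for _ in range(replays):
            t += 0.01
            wired = suspect_ap(frame)
            if wired is not None:
                land_monitor.observe(t, wired)
    return land_monitor.verdict(replays)


# Constructed captures: 24-byte protected data-frame headers plus opaque bodies.
CAPTURED = [b"\x08\x41" + b"\x00" * 22 + b"ciphertext-%d" % i for i in range(3)]


if __name__ == "__main__":
    print(replay_test(CAPTURED, wep_bridge_ap, LandMonitor()))        # True
    print(replay_test(CAPTURED, replay_protected_ap, LandMonitor()))  # False
```

The threshold is tied to the replay count so that a couple of natural TCP retransmissions inside the window do not trip the detector; frames seen outside the window are ignored entirely.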
Scalability
• Load on database server
• Load on individual AirMonitors
• Additional wired network traffic
Load on Database Server
Setup: 12 AirMonitors, each submitting summarized data every 2 minutes; database server running MS-SQL 2005 on a 1.7 GHz P4 with 1 GB RAM.
[Figure: database server CPU load (%) over 24 hours, 1 AM to 1 AM.]
Load on Client Machine
[Figure: CPU load (%) over 24 hours, 1 AM to 1 AM, on a machine not running AirMonitor versus a machine running AirMonitor.]
Additional network traffic: 2-5 Kbps per AirMonitor
Summary
• Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment
• Explored ways to leverage the platform to monitor threats to Wi-Fi networks
DAIR Ongoing Work
• Which channels should each AirMonitor listen on?
– What scanning strategy to use? [Deshpande et al. 2006]
– Depends on density of AirMonitors, environment
• Building an effective location system
• Building performance management tools
Questions?