WIRELESS INTRUSION DETECTION SYSTEMS - PowerPoint PPT Presentation

Slides: 40
Provided by: acsla

Transcript and Presenter's Notes

1
WIRELESS INTRUSION DETECTION SYSTEMS
  • Namratha Vemuri
  • Balasubramanian Kandaswamy

2
  • THREATS
  • VICTIMS
  • IDS
  • TYPES OF IDS
  • ARCHITECTURE
  • IMPLEMENTATION
  • TOOLS USED
  • ADMINISTRATION

3
THREATS
  • Reconnaissance, theft of identity and denial of
    service (DoS)
  • Signal range of authorized AP.
  • Physical security of an authorized AP
  • Rogue or unauthorized AP
  • Easy installation of an AP
  • Poorly configured AP
  • Protocol weakness and capacity limits on AP

4
(No Transcript)
5
What is attacked?
  • Corporate network and servers
  • Attempted penetration through the official access
    points (target 1) into the corporate network.
  • DoS attacks, as most of them are TCP/IP based
  • Wireless clients
  • The access point behaves as a hub, connecting the
    authorized wireless clients directly to the bad
    guys; inevitably this exposes a connecting PC
    to a huge array of IP-based attacks.

6
  • Unauthorized access points
  • Unofficial access points installed by user
    departments (target 4) represent a huge risk, as
    their security configuration is often questionable.
  • Bogus access points (target 5) represent a
    different threat, as these can be used to hijack
    sessions at the data link layer and steal
    valuable information.
  • Target 3: the legitimate access point

7
  • To protect our network we need to know:
  • where all access points reside on our network
  • what actions to take to close down any
    unauthorized access points that do not conform to
    the company security standards
  • what wireless users are connected to our network
  • what unencrypted data is being accessed and
    exchanged by those users

8
What is IDS?
  • An IDS is not a firewall
  • An IDS watches the network from the inside and
    reports or alarms
  • An IDS monitors APs, compares the security controls
    defined on each AP with predefined company
    security standards, then resets or closes down any
    non-conforming APs it finds.
  • An IDS identifies and alerts on unauthorized MAC
    addresses and tracks down hackers.

9
  • Intrusion detection systems are designed and
    built to monitor and report on network
    activities, or packets, between communicating
    devices.
  • Many commercial and open source tools are
    used
  • TOOLS
  • capture and store the WLAN traffic
  • analyse that traffic and create reports
  • analyse signal strength and transmission
    speed

10
ID SYSTEM ACTIVITIES
11
INFRASTRUCTURE
12
ARCHITECTURE
13
  • IDS
  • a sensor (an analysis engine) that is responsible
    for detecting intrusions (contains the decision
    making mechanism)
  • The sensor receives messages from its own IDS knowledge
    base, syslog and audit trails.
  • Syslog may include, for example, configuration of
    file system, user authorizations etc. This
    information creates the basis for a further
    decision-making process.

14
TYPES OF IDS
  • Misuse or Anomaly IDS
  • Network based or Host based IDS
  • Passive or Reactive IDS

15
ARCHITECTURE
  • CENTRALIZED: a combination of individual sensors
    which collect and forward 802.11 data to a
    centralized management system.
  • DISTRIBUTED: one or more devices that perform
    both the data gathering and processing/reporting
    functions of various IDS

16
  • Distributed is best suited for smaller WLANs due
    to cost and management issues:
  • Cost of many sensors with data processing
  • Management of multiple processing/reporting
    sensors

17
  • A centralized architecture is easy to maintain,
    since there is only one IDS where all the data is
    analyzed and formatted.
  • Single point of failure
  • Adds additional network traffic running
    concurrently, with an impact on network performance

18
IMPLEMENTATION OF IDS
  • Comprises a mixture of hardware and software
    called intrusion detection sensors.
  • Located on the network, examining traffic.
  • Where should the sensors be placed??!!
  • How many do we need??!!

19
Not just to detect attackers...
  • Helps to enforce policies
  • Policies for encryption
  • Can report if an unencrypted packet is detected.
  • With proper enforcement WEP can be achieved
    (next slide)
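The AP-monitoring and policy-enforcement idea from slides 8 and 19 (compare what the sensors see against the company standard, alert on unauthorized MAC addresses and on unencrypted networks) is shown below as an added example; it is not code from the slides or from any product named in them. The AP inventory, the observed frames and the data-class layout are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class APObservation:
    """Hypothetical summary of one beacon/probe-response frame seen by a sensor."""
    bssid: str      # AP MAC address
    ssid: str       # "" for a hidden (non-beaconing SSID) network
    channel: int
    privacy: bool   # 802.11 capability Privacy bit; False means open/unencrypted

# Constructed company inventory: authorised BSSID -> (expected SSID, expected channel)
AUTHORISED_APS = {
    "00:11:22:33:44:01": ("CorpWLAN", 1),
    "00:11:22:33:44:06": ("CorpWLAN", 6),
}

# Constructed sample of what a sensor reported during one sweep
OBSERVED = [
    APObservation("00:11:22:33:44:01", "CorpWLAN", 1, True),        # conforming
    APObservation("00:11:22:33:44:06", "CorpWLAN", 11, True),       # wrong channel
    APObservation("aa:bb:cc:dd:ee:ff", "CorpWLAN", 6, True),        # bogus AP using our SSID
    APObservation("de:ad:be:ef:00:01", "Marketing-AP", 3, False),   # rogue and unencrypted
]

def check_policy(observed, authorised=AUTHORISED_APS):
    """Return one alert string per violation of the company wireless standard."""
    company_ssids = {ssid for ssid, _ in authorised.values()}
    alerts = []
    for ap in observed:
        name = ap.ssid or "<hidden>"
        expected = authorised.get(ap.bssid)
        if expected is None:
            # Unknown BSSID: one that advertises a company SSID is a bogus AP
            # (session hijack risk); any other is an unofficial AP. Both are alerted.
            kind = "bogus AP" if ap.ssid in company_ssids else "unauthorised AP"
            alerts.append(f"{kind}: {ap.bssid} ssid={name} ch={ap.channel}")
        elif (ap.ssid, ap.channel) != expected:
            alerts.append(f"authorised AP misconfigured: {ap.bssid} ssid={name} "
                          f"ch={ap.channel} expected={expected}")
        # Encryption policy applies to every AP, authorised or not
        if not ap.privacy:
            alerts.append(f"unencrypted network: {ap.bssid} ssid={name}")
    return alerts

if __name__ == "__main__":
    for line in check_policy(OBSERVED):
        print(line)
```

A real sensor would feed this from captured 802.11 management frames; the alert strings are what an analyst (slide 21) would interpret.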

20
Why do we need these?
  • To achieve WEP
  • What's WEP?
    Wired Equivalent Privacy
  • Why do we need it?

21
People responsible
  • IDS security analysts who can interpret the
    alerts (Passive IDS).
  • IDS software programmers
  • IDS database administrators (misuse or anomaly
    IDS)

22
Couple of open source IDS
  • KISMET 802.11 a/b/g network sniffer
  • NETSTUMBLER

23
Kismet 802.11a/b/g network sniffer
  • Passively collects network traffic (listens),
    detects the standard named networks and detects
    hidden (non-beaconing) networks
  • Analyzes the data traffic and builds a picture of
    data movement

24
(No Transcript)
25
NetStumbler
  • Sends 802.11 probes
  • Actively scans by sending out a request every
    second and reporting the responses
  • APs by default respond to these probes
  • Used for wardriving or wilding.
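From the defender's side, the steady once-a-second wildcard probing described above is itself a signature a WIDS sensor can alert on. The following is an added example, not code from the slides or from NetStumbler or Kismet: it runs a sliding-window count of wildcard probe requests per source MAC over a constructed frame list; the window and threshold values are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of probe-request summaries: (seconds, source MAC, SSID field).
# "" is a wildcard/broadcast SSID. Station ...01 is a normal client joining CorpWLAN;
# station ...02 keeps sending wildcard probes at about one per second.
PROBE_REQUESTS = [
    (0.0, "02:00:00:00:00:01", ""), (0.2, "02:00:00:00:00:01", "CorpWLAN"),
    (1.0, "02:00:00:00:00:02", ""), (2.0, "02:00:00:00:00:02", ""),
    (3.0, "02:00:00:00:00:02", ""), (4.1, "02:00:00:00:00:02", ""),
    (5.0, "02:00:00:00:00:02", ""), (6.0, "02:00:00:00:00:02", ""),
    (7.0, "02:00:00:00:00:02", ""), (8.0, "02:00:00:00:00:02", ""),
    (8.5, "02:00:00:00:00:01", "CorpWLAN"),
]

def find_active_scanners(requests, window=10.0, min_probes=6):
    """Return {mac: time_of_first_alert} for stations that send at least
    min_probes wildcard probe requests within any window-second span.
    Thresholds are assumed values for the example, not product defaults."""
    recent = defaultdict(deque)   # mac -> timestamps of wildcard probes still in window
    alerts = {}
    for t, mac, ssid in sorted(requests):
        if ssid != "":
            continue              # directed probes for a known SSID are normal client behaviour
        q = recent[mac]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()           # expire timestamps that fell out of the window
        if len(q) >= min_probes and mac not in alerts:
            alerts[mac] = t       # alert once per station, at the time the threshold is crossed
    return alerts

if __name__ == "__main__":
    for mac, t in find_active_scanners(PROBE_REQUESTS).items():
        print(f"active scanner suspected: {mac} at t={t}s")
```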

26
(No Transcript)
27
Who manages and administers WIDS?
  • Large organization (Network Operations group):
  • AirMagnet Distributed 4.0
  • AirDefense Enterprise v4.1
  • Red-M
  • Small and medium organization:
  • Managed Security Service Provider (MSSP)

28
  • AirMagnet Distributed
  • Sensors report network performance information
  • Alerts the management server
  • AirMagnet Reporter generates reports, from threat
    summaries to channel RF signal strength
  • Ex: using the Find tool, we can manually and
    physically track down the location of the rogue user

29
(No Transcript)
30
  • AirDefense
  • AirDefense system consists of a server running
    Red Hat Linux with distributed wireless AP
    sensors and a Java-based Web console.
  • The AirDefense Web console and AP sensors
    communicate on a secure channel to the server

31
(No Transcript)
32
  • Red-M
  • Red-M includes Red-Alert and Red-Vision.
  • Red- Alert is a standalone wireless probe which
    can detect unauthorized Bluetooth devices as well
    as 802.11a/b/g networks.
  • Red-Vision is a modular set of products
    consisting of three main components:
  • Red-Vision Server, Red-Vision Laptop Client
    and Red-Vision Viewer.

33
Red Vision (cont)
  • Red vision server (Heart)
  • Red vision laptop client (Ear)
  • Red Vision viewer ( Brain)

34
Wireless IDS drawbacks
  • Cost
  • Cost grows in conjunction with size of the LAN
  • New emerging technology and hence may contain
    many bugs and vulnerabilities.
  • A wireless IDS is only as effective as the
    individuals who analyze and respond to the data
    gathered by the system

35
Conclusion
  • Wireless intrusion detection systems are an
    important addition to the security of wireless
    local area networks. While there are drawbacks to
    implementing a wireless IDS, the benefits will
    most likely prove to outweigh the downsides.

36
QUESTIONS
  • What is policy enforcement?
  • A policy is stated by the IDS (Ex: all wireless
    communications must be encrypted) to detect the
    attack
  • What type of IDS is AirDefense Guard?
  • It is misuse or signature based anomaly.
  • What are dumb probes?
  • They collect all the network traffic and send
    it to a central server for analysis

37
REFERENCES

38
  • QUESTIONS?

39
  • THANK YOU