Mobile WLAN Intrusion Detection

1

• Mobile WLAN Intrusion Detection
• Mikael Westlund
• Introducing
• Airmobile Innovative WLAN Security Solution

2
AirMobile

• Swedish company
• AirMobile develops a WLAN security solution
  thats being sold through partners world wide.

Stockholm Sweden
3
The problem we solve

• One of the biggest security threats today
• Finding unknown Wireless Access Points or
  insecurely configured PCs, that allows access to
  corporate networks
• Pin pointing the exact location of found Access
  Points
• Great geographical coverage by using innovative
  technology with mobile agents

3
4
Wireless Surveillance

• Problem
• Employees installs unmanaged WLAN equipment in
  order to improve IT-services
• Staff connects insecurely configured Laptops to
  the network

• Who is the customer
• Midsize to Large Enterprises
• Government Defense
• Trading Finance
• High security oriented companies.
• Healthcare and Police

5
Live WLAN audit
6
Live WLAN audit
7
Wireless intrusions
8
Wi-Fi attacks behind the firewall

• Intruders gains direct access to your core
  network
• Intruders can use the network for illegal
  activities on the Internet
• Corporate firewalls are useless in this case

9
Peer to Peer
Peer To Peer configured Laptop
10
LAN attack via laptop
SSIDstarbucks WEPno
SSIDMyNetwork WEP128 Bit
SSIDstarbucks WEPno
11
Airmobile bullet points

• Airmobile is a automated WLAN security and watch
  guard system
• Protects your Network from attacks via Wi-Fi
• Clients are mobile No need to install sensors
• Rogue access point detection
• Automatic risk assessment
• Locates the switch port a rogue AP is connected
  to

11
12
Airmobile specs

• Linux appliance
• Client/Server solution.
• Licenses for 10, 50. 200 and gt500 agents
• Continuous scanning for b/g networks
• Easy to use Web based GUI
• Databases for trusted AP, black lists etc
• Standalone agent sw with track feature available

13
System Architecture

• Client application installed in to your PDA or
  Windows cellular phone or Win PC, Win PC is
  ideally used at small office locations where
  mobility makes no sense. For example AirMobile sw
  in DHCP server.
• Runs in background mode
• Sends information about APs to the AirMobile
  server for further risk assessment
• PDA requirements
• Windows Mobile 5 or 6
• Wi-Fi b/g support
• GPRS support (optional)

13
14
System Architecture
PDA Agent data sent over the internal network,
GPRS or Wi-Fi

• The server maintains a database of all found APs
• Threat levels based on several factors
• Encryption
• Signal strength
• Connected or not to known network devices
• GPS postition

Alarms prioritized and forwarded for actions
AirMobile win Agent for small offices Win PC,
always active sending data
14
15
GUI Client pda examples
Screen shot from Airmobile client in PDA. Showing
detected AP.
Agent are set up to report to the central server
but agents can also be used for tracking APs on
site.
15
16
GUI Client pda examples, continue
Screen shot from Airmobile client in PDA. Showing
GPS position.
Agent Tracker in the PDA now showing closest AP
without any security.
16
16
17
GUI Windows client, for small offices
Screen shot from Airmobile Windows client.
Showing detected AP.
AirMobile Win agent is fully integrated with
AirMobile Linux server
17
17
18
GUI Windows client, for small offices
AirMobile win agent, can be used to track AP if
laptop is used
18
18
19
GUI Server Application, Main
Maintain Blacklist, Trusted AP etc
Network Encryption Method
Name, Channel and Signal strengh
Estimating the risk of each found Access Point
19
20
GUI Server, building location finder
Neigbouring AP feauture will identify which
building new AP found belongs to even without GPS
20
20
21
GUI Server Application GPS
GPS position and integration of Google Maps on
server.
21
21
22
How Airmobile is used
Customers are typically placing the mobile agents
on personell that will cover the premises
periodically

• Patrolling security personnel
• Cleaning personnel
• Post delivery personnel

22
23
Airmobile

• Questions.
• info_at_airmobile.se

23