NETW 05A: APPLIED WIRELESS SECURITY Additional Security Solutions

1
NETW 05A APPLIED WIRELESS SECURITY Additional
Security Solutions

• By Mohammad Shanehsaz
• Spring 2005

2
Objectives

• Describe the following types of intrusion
  detection methods and tools for WLANs
• 24x7 centralized, skilled monitoring
• Honey pots
• Professional security audits
• Accurate, timely reporting
• Distributed agent software
• Security spot checking
• Available wireless LAN intrusion detection
  software and hardware tools

3
Intrusion Detection Systems

• An IDS inspects inbound and outbound traffic and
  attempts to identify suspicious activity
• An IDS is different from firewall in that a
  firewall monitors for intrusion to stop them
  while an IDS signals an alarm
• Wireless IDS can search a WLAN for
  vulnerabilities, detect and respond to intruders,
  and help manage it
• Wireless IDS use sensors that monitor all
  wireless traffic and report them to the central
  server
• The sensors provide 24x7 real-time monitoring

4
Features of IDS

• Network-based vs. host-based monitoring
• Passive vs. Reactive monitoring
• Misuse detection
• Anomaly detection
• Vulnerability detection
• Performance monitoring

5
Network-based vs. Host-based

• Network-based IDS listen on the wireless segment
  through wireless sensors
• To monitor all wireless traffic, sensors must be
  placed at, in, or near every access point
• Host-based IDS, examine data on each host
  computer, require that IDS agents be running on
  each node in order to report suspicious activity
  back to the central server
• They are able to monitor attacks against an
  individual computer more thoroughly

6
Passive vs. Reactive

• IDS in passive mode - if any attacks occur, will
  raise various alarms to inform the appropriate
  security personnel to take action
• IDS in reactive mode, IDS react to attacks and
  eliminate them by shutting down services,
  restrict access to services or disconnecting them
  altogether
• Active vs. reactive settings configured through
  policy settings in the IDS

7
Misuse Detection

• To detect misuse, the IDS must monitor business
  rules for WLAN, some of which are
• Limit access points to only operate on specific
  channels
• Require all wireless LAN traffic to be encrypted
• Prohibit SSIDs from being broadcast unmasked
• Limit traffic on the wireless LAN to occur only
  within certain hours of the day

8
Anomaly Detection

• Monitors network segments to compare their
  current status to the normal baseline
• Baselines should be established for typical
  network load, protocols, and packet size
• Appropriate personnel should be alerted to any
  anomalies

9
Vulnerability Detection

• Vulnerabilities to wireless LANs can be detected
  in real-time
• Locating any ad-hoc networks that are actively
  transmitting traffic, is one way to keep
  peer-to-peer attacks from occurring
• Locating an open rogue access point that has
  hi-jacked an authorized user is another one

10
Performance Monitoring

• Since WLAN has limited bandwidth we need to
  determine who is using the bandwidth and when
• We dont need performance monitoring if IDS has
  built-in rate Limiter functionality, but we can
  use it to report on usage statistics, for future
  growth

11
Monitoring and Maintenance

• Monitoring must be active 24x7 to be effective
• The security policy must define contact
  personnel, and what steps to take to respond
  properly
• The reports that are generated from an IDS must
  be treated with utmost importance
• Periodic upgrades and ongoing training for the
  IDS specialist ensure continued success in
  effective use of the IDS
• Periodic spot-checking of the IDS should be
  considered mandatory

12
Thin Clients

• Based on a hybrid of the mainframe-terminal and
  the client-server model
• Clients run an OS of their own, but all
  processing is done at the server
• Come in the form of thin client software running
  on a notebook computer or an actual machine
• Low Total Cost of Ownership
• Peer-to-peer attacks yield no useful info
• They pass screenshots, mouse clicks, and screen
  updates which use minimal bandwidth
• Client authentication is required
• SSH2 can be used to authenticate and tunnel
  encrypted traffic

13
Authenticated DHCP Services

• IETF RFC 3118 adds authentication to DHCP
• DHCP clients and server are able to authenticate
  one another
• IP connectivity is given only to authorized
  clients
• Prevents rogue and malicious DHCP clients and
  servers from unauthorized access , DoS, theft of
  services or hijacking attacks
• To implement it, administrators must deploy RFC
  3118 compatible software on all PCs, and upgrade
  existing DHCP servers to support DHCP
  authentication
• Users must also devise an authentication key
  scheme and distribute it to all authenticated
  DHCP clients

14
Traffic Baselining

• Analyze the performance of a selected network
  segment over a period of time (represent network
  normalcy)
• Provides reference points for current use, and
  for required modifications when adding new
  services or users (baselining for performance)
• Identify performance issues and provide info for
  security (min, max, or average values from
  baseline data can be used for setting alarm
  thresholds in IDS)