Wireless Network Monitoring - PowerPoint PPT Presentation

About This Presentation
Title:

Wireless Network Monitoring

Description:

Title: Wireless Network Monitoring Author: Sandeep Last modified by: Sandeep Created Date: 5/23/2003 4:17:35 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Slides: 34
Transcript and Presenter's Notes

1
Wireless Network Monitoring
  • Plan B Project
  • Sandeep P Karanth
  • Advisor: Prof. Anand Tripathi

2
Outline
  • Introduction
  • Overview of Konark
  • IEEE 802.11 Wireless LANs
  • Potential Threats to a Wireless LAN
  • Modes of Operation
  • Detection Logic
  • Conclusions and Future work

3
Introduction
  • Network Monitoring issues
    • Large Networks
    • Heterogeneous components
    • Distributed monitoring
    • Centralized event-viewing and control
  • Quick Response to alerts
    • Response against attackers/intruders
    • Response against misconfigurations/failures
  • Robust and Secure system

4
Konark Overview
  • Mobile-Agent based network monitoring
    • Object capable of migration
    • First-class objects altered remotely
    • Programming framework: Ajanta
  • Script based detection techniques
    • Tedious to install, debug and modify
    • Coarse-grained protection

5
Konark Overview (Contd..)
  • Goals
    • Dynamically Extensible
      • Addition of new monitoring components
      • Modification of existing monitoring policies
      • Integration of tools
    • Active Monitoring
      • Modification of policies in response to events
    • Online Monitoring
      • Event monitoring in real-time

6
Konark Overview (Contd..)
  • Goals (contd..)
    • Resilience by diverse monitoring sources
    • Secure
      • System itself has to be secure
    • Robust
      • Automated recovery of failed system components
    • Scalable
      • Acceptable System Performance

7
Konark Overview (Contd..)
  • Publish-Subscribe network monitoring system
    • Monitoring agents equipped with detectors
    • Publisher-subscriber relationship is dynamic
  • Event model for information flow
  • Automated agent and detector recovery
    • Uses self-monitoring schemes
  • Authenticated inter-agent communication (RMI)
    • Challenge-response protocol

8
Konark Overview (Contd..)
9
IEEE 802.11 Wireless LAN
  • IEEE 802.11 operates at PHY and MAC
  • Operating modes
    • Infrastructure
    • Ad hoc
  • Carrier Sense Multiple Access (CSMA)
    • Collision Avoidance (CA)
    • Binary Exponential Back-off algorithm

10
IEEE 802.11 Wireless LAN (contd..)
  • Terminology
    • Access Point (AP)
    • Service Set Identifier (SSID)
    • Basic Service Set (BSS)
    • Independent BSS (IBSS): Ad hoc network
    • Extended Service Set (ESS): APs having the same SSID
    • Distribution System (DS): connects APs
    • Wired Equivalent Privacy (WEP)

11
IEEE 802.11 Wireless LAN (contd..)
  • Generic 802.11 frame format

12
IEEE 802.11 Wireless LAN (contd..)
  • Generic Management frame

13
IEEE 802.11 Wireless LAN (contd..)
  • Association Process

14
IEEE 802.11 Wireless LAN (contd..)
  • Frame types
    • Beacon Frame: AP advertisement
    • Probe Request / Response
    • Reassociation Request / Response
    • Authentication
      • Open Authentication (MAC ACLs used)
      • Shared Key authentication

15
Potential Threats and Management Issues
  • MAC Address Spoofing
    • Attacker impersonates a legitimate client
    • Attacker fakes as a legitimate AP (Fake AP)
    • Attacker sends spoofed deauthenticate/disassociate frames
  • Denial-Of-Service Attacks
    • Authenticate/Associate message floods on AP
    • RTS frame floods

16
Potential Threats and Management issues (contd..)
  • Network Misconfigurations / Failures
    • AP failure
    • Unauthorized or Rogue APs
      • May not conform to security policies
  • Policy Conformance
    • Acceptable signal strengths
    • Acceptable data rate
    • Correct SSIDs
  • Attack Tools: macchanger, FakeAP, LibRadiate

17
Design Goals
  • Monitoring Objectives
    • Attack Detection and response
    • Unauthorized use detection and response
    • Component failure detection
  • Service Provisioning Objectives
    • User tracking service: Pervasive applications

18
Modes of Monitoring System Operation
  • Mode 1
    • Notebooks/PCs executing a monitoring daemon
    • Statically placed
    • Strategically placed to get entire network coverage
  • Mode 2
    • A PDA/handheld running a monitoring daemon

19
Modes of Monitoring System Operation(Contd)
  • Mode 2 (contd..)
    • Campus walk taken by wireless security auditor
  • Mode 3
    • Access Points log information to a syslog file
    • Syslog file analyzed for event generation

20
Modes of Monitoring System Operation(Contd)
21
Detection Logic and Response
  • Sequence number Analysis
    • Each frame has a 12-bit sequence number
      • Put in by the firmware
      • Range of sequence numbers 0 - 4095
    • Sequence numbers of 2 stations are not likely to be the same
    • Fake and legitimate station will have out-of-order sequence numbers

22
Detection Logic and Response (contd..)
  • Sequence number analysis (contd..)
    • Packet capturing software and dump analyzer used to analyze
    • Dump analyzer slower than capturing software (packets captured are dropped)
    • Only 1 in 10 beacon frames analyzed to account for slow analysis
    • Threshold of 20 chosen for difference in seq. no. for the same source

23
Detection Logic and Response (contd..)
  • Sequence number analysis (contd..)
    • Detection Capabilities
      • Faking client detection
      • Fake AP detection
      • Forced disassociation/deauthentication
    • Fails if unauthorized user connects in a disjoint time frame
      • Likely time policy
      • Inform users when they connect

24
Detection Logic and Response (contd..)
  • Sequence number analysis (contd..)
    • Fails if unauthorized user connects to another BSS in an ESS
      • Konark monitoring agents perform distributed correlations to detect this
      • Correlation of events among AP logs helps us detect this

25
Detection Logic and Response (contd..)
  • Packet counting and analysis
    • Packets sent to an AP are recorded
    • Many packets in a small adjustable interval indicate a DoS attack
    • AP logs also examined to detect such attacks
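The two detectors of slides 21-22 and 25 (sequence number analysis and packet counting) as an added example in Python; this is not the deck's monitoring daemon. It assumes frames arrive already decoded as dicts, uses the deck's 12-bit range and threshold of 20, and takes the flood window and limit as constructed values; the wrap-around handling (4095 -> 0) is a detail the slides do not spell out.

```python
from collections import defaultdict, deque

SEQ_MODULO = 4096     # 12-bit sequence number field: values 0 - 4095
SEQ_THRESHOLD = 20    # jump between frames from one source that the deck treats as suspicious
FLOOD_WINDOW = 1.0    # the "small adjustable interval", in seconds (assumed value)
FLOOD_LIMIT = 50      # frames to one AP inside the window before alerting (assumed value)

def seq_distance(prev, cur):
    """Forward distance from prev to cur modulo 4096, so the legitimate
    wrap 4095 -> 0 counts as a step of 1 rather than a jump of 4095."""
    return (cur - prev) % SEQ_MODULO

class FrameMonitor:
    """Keeps per-source and per-AP state across the decoded frames it observes."""

    def __init__(self, threshold=SEQ_THRESHOLD, window=FLOOD_WINDOW, limit=FLOOD_LIMIT):
        self.threshold, self.window, self.limit = threshold, window, limit
        self.last_seq = {}                  # source MAC -> last sequence number seen
        self.arrivals = defaultdict(deque)  # destination AP -> arrival times in window

    def observe(self, frame):
        """frame: dict with ts (seconds), src, dst and seq. Returns alert strings."""
        alerts = []
        src, dst, seq, ts = frame["src"], frame["dst"], frame["seq"], frame["ts"]

        # Sequence number analysis: a spoofer and the real station each run their
        # own firmware counter, so frames carrying the same MAC arrive out of order.
        # Sampling 1 in 10 beacons advances a legitimate counter by ~10, under 20.
        prev = self.last_seq.get(src)
        if prev is not None and seq_distance(prev, seq) > self.threshold:
            alerts.append(f"Sequence number mismatch SrcAddr: {src} "
                          f"Details: Unauthorized Client suspected")
        self.last_seq[src] = seq

        # Packet counting: frames sent to one AP within a sliding window.
        q = self.arrivals[dst]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            alerts.append(f"Possible DoS flood: {len(q)} frames to {dst} "
                          f"within {self.window}s")
        return alerts

def run(frames):
    """Feed a time-ordered list of frames and collect every alert raised."""
    mon = FrameMonitor()
    return [a for f in frames for a in mon.observe(f)]
```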

26
Detection Logic and Response (contd..)
  • Misconfiguration/Failure detection
    • Missing beacons imply AP failure
      • Beacons may be disabled in an AP (policy)
      • Ping every AP with a probe request
    • Extraneous beacons/frames with unknown BSSID imply Rogue APs
      • Network baseline fed to the daemon at startup
    • Repeated associations, DHCP denials or unknown frame transmittals imply brute force attacks or client misconfiguration
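The baseline-driven checks on this slide (missing beacons, beacons disabled by policy, unknown BSSIDs) as an added example in Python, not the deck's own code. It assumes the startup baseline maps each known BSSID to its expected SSID and whether it beacons, uses the 0.1024 s beacon interval measured later in the deck, and takes the number of missed intervals before declaring failure as a constructed value.

```python
BEACON_INTERVAL = 0.1024  # seconds, the beacon interval measured in this deck
MISSED_BEACONS = 10       # missed intervals before an AP is declared failed (assumed value)

class BaselineMonitor:
    """Checks observed beacons against the network baseline fed at startup."""

    def __init__(self, baseline, start_ts, missed=MISSED_BEACONS):
        # baseline: {bssid: {"ssid": str, "beacons": bool}}; beacons=False means
        # the AP is configured by policy not to beacon and must be probed instead.
        self.baseline = baseline
        self.deadline = missed * BEACON_INTERVAL
        self.last_beacon = {b: start_ts for b, c in baseline.items() if c["beacons"]}
        self.failed = set()

    def beacon(self, ts, bssid, ssid):
        """Process one decoded beacon frame; returns a list of alert strings."""
        cfg = self.baseline.get(bssid)
        if cfg is None:
            return [f"Rogue AP suspected: unknown BSSID {bssid} advertising SSID {ssid!r}"]
        alerts = []
        if cfg["ssid"] != ssid:
            alerts.append(f"Policy violation: {bssid} advertises SSID {ssid!r}, "
                          f"expected {cfg['ssid']!r}")
        if not cfg["beacons"]:
            alerts.append(f"Policy violation: {bssid} is beaconing but policy disables beacons")
        else:
            self.last_beacon[bssid] = ts
            if bssid in self.failed:
                self.failed.discard(bssid)
                alerts.append(f"AP {bssid} recovered")
        return alerts

    def check_failures(self, now):
        """Call periodically: a beaconing AP silent past the deadline is reported once."""
        alerts = []
        for bssid, last in self.last_beacon.items():
            if now - last > self.deadline and bssid not in self.failed:
                self.failed.add(bssid)
                alerts.append(f"AP failure suspected: no beacon from {bssid} "
                              f"for {now - last:.2f}s")
        return alerts

    def probe_targets(self):
        """APs that never beacon by policy are pinged with a probe request instead."""
        return sorted(b for b, c in self.baseline.items() if not c["beacons"])
```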

27
Detection Logic and Response (contd..)
28
Experimental Setup
  • Experiments conducted on the EECS building
    wireless LAN (802.11b)
  • Cisco Access Points (Aironet 340/350 series)
  • Notebook PCs running Linux used to conduct
    experiments
  • Cisco 340/350 wireless cards used for wireless
    connectivity

29
Experimental Setup (contd..)
  • Packet capturing software used: Kismet (Development version 2.8.1)
  • Dump analyzer: Ethereal

[Figure: processing pipeline. Kismet (capture packets) → Ethereal (decode packets) → Monitoring Daemon (analyze decoded packets), linked by a named pipe and a pipe.]
30
Experimental Setup
  • About 90-95% of the frames observed are IEEE 802.11 management frames
  • Beacon frames form 90% of the management frames
  • Beacon interval is 0.1024 seconds

31
Experimental Setup
  • Mon May 26 15:31:00 2003 Deauthentication SrcAddr: 00:40:96:47:99:13 DestAddr: 00:40:96:33:4c:8c BSSID: 00:40:96:47:99:13
  • Mon May 26 15:31:00 2003 Deauthentication SrcAddr: 00:40:96:47:99:13 DestAddr: 00:40:96:33:4c:8c BSSID: 00:40:96:47:99:13
  • Mon May 26 15:31:00 2003 Authentication SrcAddr: 00:40:96:33:4c:8c DestAddr: 00:40:96:47:e6:ec BSSID: 00:40:96:47:e6:ec
  • Mon May 26 15:31:01 2003 Sequence number mismatch SrcAddr: 00:40:96:41:d4:01 Details: Unauthorized Client suspected
  • Mon May 26 15:31:01 2003 Reassociation Request SrcAddr: 00:40:96:33:4c:8c DestAddr: 00:40:96:47:e6:ec BSSID: 00:40:96:47:e6:ec
  • Mon May 26 15:31:04 2003 Sequence number mismatch SrcAddr: 00:40:96:41:d4:01 Details: Unauthorized Client suspected

32
Conclusions
  • A MAC layer monitoring tool is required
  • A proof-of-concept monitoring tool is
    implemented
  • Such tools can be easily integrated with
    existing monitoring systems (Konark)

33
Future Directions
  • Cost efficient ways of monitoring MAC layer need
    to be determined
  • Efficient methodologies for building intrusion
    detection systems for thin clients are required
  • Ajanta agents need to be customized to run on
    handhelds and wearable computers