Wireless Network Monitoring
Plan B Project
Sandeep P Karanth
Advisor: Prof. Anand Tripathi
2
Outline
• Introduction
• Overview of Konark
• IEEE 802.11 Wireless LANs
• Potential Threats to a Wireless LAN
• Modes of Operation
• Detection Logic
• Conclusions and Future work
3
Introduction
• Network Monitoring issues:
  • Large Networks
  • Heterogeneous components
  • Distributed monitoring
  • Centralized event-viewing and control
  • Quick Response to alerts
    • Response against attackers/intruders
    • Response against misconfigurations/failures
  • Robust and Secure system
4
Konark: Overview
• Mobile-Agent based network monitoring
  • Object capable of migration
  • First-class objects – altered remotely
  • Programming framework – Ajanta
• Script based detection techniques
  • Tedious to install, debug and modify
  • Coarse-grained protection
5
Konark: Overview (Contd..)
• Goals:
  • Dynamically Extensible
    • Addition of new monitoring components
    • Modification of existing monitoring policies
    • Integration of tools
  • Active Monitoring
    • Modification of policies in response to events
  • Online Monitoring
    • Event monitoring in real-time
6
Konark: Overview (Contd..)
• Goals (contd..):
  • Resilience by diverse monitoring sources
  • Secure
    • System itself has to be secure
  • Robust
    • Automated recovery of failed system components
  • Scalable
    • Acceptable System Performance
7
Konark: Overview (Contd..)
• Publish-Subscribe network monitoring system
• Monitoring agents equipped with detectors
• Publisher-subscriber relationship is dynamic
• Event model for information flow
• Automated agent and detector recovery
  • Uses self-monitoring schemes
• Authenticated inter-agent communication (RMI)
  • Challenge-response protocol
9
IEEE 802.11 Wireless LAN
• IEEE 802.11 operates at PHY and MAC
• Operating modes:
  • Infrastructure
  • Ad hoc
• Carrier Sense Multiple Access (CSMA)
  • Collision Avoidance (CA)
  • Binary Exponential Back-off algorithm
10
IEEE 802.11 Wireless LAN (contd..)
• Terminology:
  • Access Point (AP)
  • Service Set Identifier (SSID)
  • Basic Service Set (BSS)
  • Independent BSS (IBSS) – Ad hoc network
  • Extended Service Set (ESS) – APs having the same SSID
  • Distribution System (DS) – connects APs
  • Wired Equivalent Privacy (WEP)
14
IEEE 802.11 Wireless LAN (contd..)
• Frame types:
  • Beacon Frame – AP advertisement
  • Probe Request / Response
  • Reassociation Request / Response
• Authentication:
  • Open Authentication (MAC ACLs used)
  • Shared Key authentication
15
Potential Threats and Management Issues
• MAC Address Spoofing:
  • Attacker impersonates a legitimate client
  • Attacker poses as a legitimate AP (Fake AP)
  • Attacker sends spoofed deauthenticate/disassociate frames
• Denial-Of-Service Attacks:
  • Authenticate/Associate message floods on AP
  • RTS frame floods
16
Potential Threats and Management issues (contd..)
• Network Misconfigurations / Failures
  • AP failure
  • Unauthorized or Rogue APs
    • May not conform to security policies
• Policy Conformance
  • Acceptable signal strengths
  • Acceptable data rate
  • Correct SSIDs
• Attack Tools: macchanger, FakeAP, LibRadiate
17
Design Goals
• Monitoring Objectives:
  • Attack Detection and response
  • Unauthorized use detection and response
  • Component failure detection
• Service Provisioning Objectives:
  • User tracking service – Pervasive applications
18
Modes of Monitoring System Operation
• Mode 1:
  • Notebooks/PCs executing a monitoring daemon
  • Statically placed
  • Strategically placed to get entire network coverage
• Mode 2:
  • A PDA/handheld running a monitoring daemon
19
Modes of Monitoring System Operation (contd..)
• Mode 2 (contd..):
  • Campus walk taken by wireless security auditor
• Mode 3:
  • Access Points log information to a syslog file
  • Syslog file analyzed for event generation
21
Detection Logic and Response
• Sequence number Analysis:
  • Each frame has a 12-bit sequence number
  • Put in by the firmware
  • Range of sequence numbers: 0 - 4095
  • Sequence numbers of 2 stations are not likely to be the same
  • Fake and legitimate station will have out-of-order sequence numbers
22
Detection Logic and Response (contd..)
• Sequence number analysis (contd..):
  • Packet capturing software and a dump analyzer are used for the analysis
  • Dump analyzer is slower than the capturing software (captured packets are dropped)
  • Only 1 in 10 beacon frames analyzed to account for the slow analysis
  • Threshold of 20 chosen for the difference in seq. no. for the same source
23
Detection Logic and Response (contd..)
• Sequence number analysis (contd..):
  • Detection Capabilities:
    • Faking client detection
    • Fake AP detection
    • Forced disassociation/deauthentication
  • Fails if unauthorized user connects in a disjoint time frame
    • Likely time policy
    • Inform users when they connect
24
Detection Logic and Response (contd..)
• Sequence number analysis (contd..):
  • Fails if unauthorized user connects to another BSS in an ESS
    • Konark monitoring agents perform distributed correlations to detect this
    • Correlation of events among AP logs helps us detect this
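The sequence number check from the slides above, written out as an added example (not the deck's or Konark's code): the 12-bit wraparound, the 1-in-10 beacon sampling and the threshold of 20 are the deck's values; the frame dicts and the sample traffic are constructed.

```python
from collections import defaultdict

SEQ_MODULO = 4096      # 12-bit sequence number field: 0..4095
SEQ_THRESHOLD = 20     # max tolerated jump for one source (the deck's threshold)
BEACON_SAMPLE = 10     # the deck analyzes only 1 in 10 beacon frames

def seq_distance(prev, cur):
    """Forward distance on the 12-bit ring: a wrap 4095 -> 0 is a jump of 1."""
    return (cur - prev) % SEQ_MODULO

class SeqAnalyzer:
    """Tracks the last sequence number per source MAC and flags a frame whose
    number jumps past the threshold: a spoofed client, a fake AP, or forged
    deauth/disassoc frames interleaved with the real station's traffic."""

    def __init__(self, threshold=SEQ_THRESHOLD, beacon_sample=BEACON_SAMPLE):
        self.threshold = threshold
        self.beacon_sample = beacon_sample
        self.last_seq = {}                    # src MAC -> last sequence number
        self.beacon_count = defaultdict(int)  # src MAC -> beacons seen

    def process(self, frame):
        """frame: constructed dict {'src','type','seq'} for one decoded record."""
        src, ftype, seq = frame["src"], frame["type"], frame["seq"]
        if ftype == "Beacon":
            self.beacon_count[src] += 1
            if self.beacon_count[src] % self.beacon_sample:
                return None               # skip 9 of every 10 beacons
        prev = self.last_seq.get(src)
        self.last_seq[src] = seq
        if prev is not None and seq_distance(prev, seq) > self.threshold:
            return (f"Sequence number mismatch: SrcAddr:{src} "
                    "Details:Unauthorized Client suspected")
        return None

def analyze(frames):
    """Run one analyzer over a frame sequence and collect its alerts."""
    analyzer = SeqAnalyzer()
    return [a for a in map(analyzer.process, frames) if a]

# Constructed sample: a client at seq 100..102, an impostor reusing its MAC at
# 3000, the real client again at 103 (both jumps flagged); a station wrapping
# 4090 -> 5 (not flagged); an AP whose beacons advance by one (not flagged).
CLIENT = "00:40:96:41:d4:01"
SAMPLE_FRAMES = (
    [{"src": CLIENT, "type": "Data", "seq": s} for s in (100, 101, 102, 3000, 103)]
    + [{"src": "00:40:96:33:4c:8c", "type": "Data", "seq": s} for s in (4090, 5)]
    + [{"src": "00:40:96:47:e6:ec", "type": "Beacon", "seq": s} for s in range(30)]
)
```

Running `analyze(SAMPLE_FRAMES)` yields two mismatch lines for the client MAC, matching the shape of the daemon output shown later in the deck.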
25
Detection Logic and Response (contd..)
• Packet counting and analysis
  • Packets sent to an AP are recorded
  • Many packets in a small adjustable interval indicate a DOS attack
  • AP logs also examined to detect such attacks
26
Detection Logic and Response (contd..)
• Misconfiguration/Failure detection
  • Missing beacons imply AP failure
    • Beacons may be disabled in an AP (policy)
    • Ping every AP with a probe request
  • Extraneous beacons / frames with unknown BSSID imply Rogue APs
    • Network baseline fed to the daemon at startup
  • Repeated associations, DHCP denials or unknown frame transmittals imply brute force attacks or client misconfiguration
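The packet counting and baseline checks from the last two slides as one added example (not code from the deck or Konark): the frame dicts, the 1 s window, the flood limit of 50 and the ten-missed-beacons rule are assumptions, while the 0.1024 s beacon interval is the value measured in the deck's experimental setup.

```python
from collections import defaultdict, deque

BEACON_INTERVAL = 0.1024   # seconds, the beacon interval measured on the deck's network
FLOOD_TYPES = ("Authentication", "Association Request", "RTS")

class NetworkHealthDetector:
    """Three checks from the deck against a baseline fed in at startup: flood counting
    per AP (DoS), unknown BSSIDs (rogue AP), missing beacons (AP failure)."""

    def __init__(self, baseline_bssids, window=1.0, flood_limit=50, missed=10):
        self.baseline = set(baseline_bssids)   # authorized APs (network baseline)
        self.window, self.flood_limit, self.missed = window, flood_limit, missed
        self.recent = defaultdict(deque)       # (dst, type) -> recent timestamps
        self.last_beacon, self.reported_rogue = {}, set()

    def process(self, t, frame):
        """Feed one decoded frame (constructed dict) seen at time t in seconds."""
        alerts, bssid = [], frame.get("bssid")
        if bssid and bssid not in self.baseline | self.reported_rogue:
            self.reported_rogue.add(bssid)     # report each unknown BSSID once
            alerts.append(f"Rogue AP suspected: BSSID:{bssid}")
        if frame["type"] == "Beacon":
            self.last_beacon[bssid] = t
        elif frame["type"] in FLOOD_TYPES:
            key = (frame["dst"], frame["type"])
            q = self.recent[key]
            q.append(t)
            while t - q[0] > self.window:      # slide the adjustable counting window
                q.popleft()
            if len(q) == self.flood_limit:     # fire once, as the limit is crossed
                alerts.append(f"DoS suspected: {len(q)} {key[1]} frames to "
                              f"{key[0]} within {self.window}s")
        return alerts

    def check_beacons(self, now):
        """Call periodically: baseline APs silent too long are reported failed
        (an AP with beacons disabled by policy needs a probe request instead)."""
        limit = self.missed * BEACON_INTERVAL
        return [f"AP failure suspected: no beacons from {ap}" for ap in sorted(self.baseline)
                if now - self.last_beacon.get(ap, float("-inf")) > limit]

def run_demo():
    """Constructed scenario: one AP, a 60-frame auth flood, an unknown BSSID, silence."""
    ap, rogue = "00:40:96:47:e6:ec", "02:00:00:00:00:01"
    det = NetworkHealthDetector([ap])
    alerts = det.process(0.0, {"type": "Beacon", "bssid": ap})
    for i in range(60):
        alerts += det.process(0.1 + i * 0.005, {"type": "Authentication", "dst": ap, "bssid": ap})
    alerts += det.process(0.5, {"type": "Beacon", "bssid": rogue})
    return alerts, det.check_beacons(now=5.0)
```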
28
Experimental Setup
• Experiments conducted on the EECS building wireless LAN (802.11b)
• Cisco Access Points (Aironet 340/350 series)
• Notebook PCs running Linux used to conduct experiments
• Cisco 340/350 wireless cards used for wireless connectivity
29
Experimental Setup (contd..)
• Packet capturing software used: Kismet (Development version 2.8.1)
• Dump analyzer – Ethereal
[Figure: processing pipeline – Kismet (capture packets) -> named pipe -> Ethereal (decode packets) -> pipe -> Monitoring Daemon (analyze decoded packets)]
30
Experimental Setup
• About 90-95% of the frames observed are IEEE 802.11 management frames
• Beacon frames form 90% of the management frames
• Beacon interval is 0.1024 seconds
31
Experimental Setup
Mon May 26 15:31:00 2003 Deauthentication SrcAddr:00:40:96:47:99:13 DestAddr:00:40:96:33:4c:8c BSSID:00:40:96:47:99:13
Mon May 26 15:31:00 2003 Deauthentication SrcAddr:00:40:96:47:99:13 DestAddr:00:40:96:33:4c:8c BSSID:00:40:96:47:99:13
Mon May 26 15:31:00 2003 Authentication SrcAddr:00:40:96:33:4c:8c DestAddr:00:40:96:47:e6:ec BSSID:00:40:96:47:e6:ec
Mon May 26 15:31:01 2003 Sequence number mismatch: SrcAddr:00:40:96:41:d4:01 Details:Unauthorized Client suspected
Mon May 26 15:31:01 2003 Reassociation Request SrcAddr:00:40:96:33:4c:8c DestAddr:00:40:96:47:e6:ec BSSID:00:40:96:47:e6:ec
Mon May 26 15:31:04 2003 Sequence number mismatch: SrcAddr: 00:40:96:41:d4:01 Details:Unauthorized Client suspected
32
Conclusions
• A MAC layer monitoring tool is required
• A proof-of-concept monitoring tool is implemented
• Such tools can be easily integrated with existing monitoring systems (Konark)