1 / 31

Enhancing the Security of Corporate Wi-Fi Networks Using DAIR

Enhancing the Security of Corporate Wi-Fi Networks Using DAIR. Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec Wolman, Brian Zill. Presented By: J. Falquez. Challenges in Building an Enterprise-scale WiFi Monitoring System. Scale of WLAN

calvin
Download Presentation

Enhancing the Security of Corporate Wi-Fi Networks Using DAIR

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enhancing the Security of Corporate Wi-Fi Networks Using DAIR Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh,Alec Wolman, Brian Zill Presented By: J. Falquez

  2. Challenges in Building an Enterprise-scale WiFi Monitoring System • Scale of WLAN • Microsoft’s WLAN has over 5000 APs • Need to deploy many monitors • Rapid fading of signal in indoor environment • Multiple orthogonal channels • May need observations from multiple vantage points • Pinpoint location of rogue AP

  3. Taxonomy of Attacks on Wi-Fi Networks • Eavesdropping • Passive snooping (perhaps with high-gain antennas) • Nearly impossible to detect • Cryptographic techniques generally considered sufficient. • Intrusion • Rogue AP / Rogue Ad-hoc network • Denial of Service • Fake deauthentication/disassociation, NAV attacks, DIFS attacks, Jamming. • Phishing • Acquire passwords

  4. Example : Rogue AP • Careless employee brings AP from home and plugs it into corporate Ethernet • Bypasses corporate Wi-Fi security measures • For example: WPA, 802.1X • Permits unauthorized users to connect to corporate network • Malicious user outside the building? • Widespread Problem • Ongoing concern for MS IT department • Surveyed two major US universities, found multiple rogue APs

  5. Need for WiFi Monitoring Systems • Preventive measures such as 802.1X do not guarantee full security • In addition, need WiFi monitoring system to detect problems in operational WiFi networks • Detect Rogue AP by overhearing packets containing unknown BSSID

  6. Rogue AP and Client Monitors Example: Indoor WLAN Monitoring 0% 0% 26% 0% 0% 0% 97% 1.7% 0% 0% %0 %0 Rapid loss of signal strength in indoor environments Complex, time-varying signal propagation Red: Beacon reception rate Blue: Data packet reception rate

  7. State of the Art AP-based monitoring [Aruba, AirDefense ..] Pros: Easy to deploy (APs are under central control) Cons: Single radio APs can not be effective monitors Specialized sensor boxes [Aruba, AirTight, …] Pros: Can provide detailed signal-level analysis Cons: Expensive, so can not deploy densely Monitoring by mobile clients [Adya et. al., MobiCom’04] Pros: Inexpensive, suitable for un-managed environments Cons: Coverage not predictable: mobile, battery-powered clients Only monitor the channel they are connected on

  8. Observation Desktop PC’s with good wiredconnectivity are ubiquitous in enterprises Outfitting a desktop PC with 802.11 wireless is inexpensive Wireless USB dongles are cheap As low as $6.99 at online retailers PC motherboards are starting to appear with built-in 802.11 radios + Combine to create a dense deployment of wireless sensors DAIR: Dense Arrayof Inexpensive Radios

  9. AirMonitor DAIR Architecture Land Monitor (1 per subnet) AirMonitor Wired Network Other data: SNMP, Configuration Inference Engine Database

  10. Monitor Architecture

  11. Key Characteristics of DAIR High sensor density at low cost Leverages existing desktop resources Effective monitoring in indoor environments Can tolerate loss of a few sensors Sensors are (mostly) stationary Provides predictable coverage Permits meaningful historical analysis

  12. Applications of the DAIR Platform Security applications Detecting attacks on Wi-Fi networks Responding to such attacks Performance management Monitor RF coverage Load balancing Location service to support above applications

  13. Rogue Wireless Networks • An uninformed or careless employee who doesn’t understand (or chooses not to think about) the security implications • Brings AP from home, and attaches it to the corporate network • Configures desktop PC with wireless interface to create a rogue ad-hoc network • Bypasses security measures such as WPA, 802.1X

  14. AirMonitor Simple Solution AirMonitor Database Known: Seen: Inference Engine

  15. Problem with the Simple Solution • False Positives • Multi-office buildings • False negatives • Malicious attacker fakes authorized SSID / BSSID • DAIR can help reduce both false positives and false negatives • No foolproof way to avoid false positives/negatives completely • DAIR raises bar while generating fewer alarms

  16. Reducing False Negatives • Suspect is using an “authorized” SSID / BSSID • If the “real” AP is still active • Packet sequence numbers not monotonic • If real AP is not active • Determine location of suspect • If different than expected, raise alarm

  17. Reducing False Positives • Detect whether rogue AP is connected to corporate wired network • Series of tests: • Association test • Source/destination address test • Replay test

  18. Association Test ? AirMonitor Database Inference Engine Machine inside corporate firewall If AirMonitor can connect to machine inside firewall via AP then AP is connected to corporate wired network

  19. Association Test • Test will fail if AP uses WEP or MAC address filtering • People configure home APs with WEP or MAC filtering • Failure means we need additional tests …

  20. Source / Destination Address Test ? AirMonitor Land Monitor Database Inference Engine MAC Addrs Of Subnet Routers Subnet Router

  21. Source / Destination Address Test 802.11 Data Frame (with encryption): Unencrypted Header Encrypted Payload MAC Addresses: Receiver Transmitter Destination Access Point Client Known Address? If Destination Address belongs to a subnet router, then AP Is connected to corporate wired network Similar test for Source Address

  22. Source / Destination Address Test • Test will fail if AP is really a NAT/Router • Many home APs combine AP and NAT/router functionality • Failure means that additional tests are needed

  23. Replay Test X 1 2 3 4 ? AirMonitor X ? X X X Inference Engine Land Monitor AirMonitors capture data packets At the same time LandMonitors are alerted to watch for duplicate packets on wired network. One of the AirMonitors replays captured packets Each packet replayed multiple times

  24. Replay Test • AirMonitors replay packets with suspect BSSID • No need to decrypt packet • Each packet is replayed multiple times (say 5) • LandMonitors detect if duplicate packets are seen on wired network • Works for NAT/Routers • Even rogue ad-hoc networks • Fails if suspect is using WPA2 or other crypto schemes that are robust against replay attacks

  25. Scalability • Load on database server • Load on individual AirMonitors • Additional wired network traffic

  26. Load on Database Server 100 80 60 CPU Load (%) 40 20 0 1AM 5AM 9AM 1PM 5PM 9PM 1AM 12 AirMonitors AirMonitors submit summarized data every 2 minutes Database Server: MS-SQL 2005, 1.7GHz P4 with 1GB RAM

  27. Machine running AirMonitor 100 75 50 Load (%) 25 0 1AM 5AM 9AM 1PM 5PM 9PM 1AM Machine not running AirMonitor 100 75 Load (%) 50 25 0 1AM 5AM 9AM 1PM 5PM 9PM 1AM Load on Client Machine Additional Network Traffic: 2-5Kbps per AirMonitor

  28. Summary • Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment • Explored ways to leverage the platform to monitor threats to Wi-Fi networks

  29. DAIR ongoing work • Which channels should each AirMonitor listen on? • What scanning strategy to use? [Deshpande et. al. 2006] • Depends on density of AirMonitors, environment • Building an effective location system • Building performance management tools

  30. Questions?

More Related