Wireless Intrusion Monitoring

When most people think of wireless, they think only in terms of access and not in terms of attacks or intrusions. It has become increasingly necessary to constantly monitor for the many types of attacks because of the potential damage they can cause.

Businesses of all sizes have begun to deploy 802.11 wireless networks for mobility and access and at the same time are running a wireless intrusion detection system (WIDS) to monitor for attacks.

Many companies are very concerned about the potential damage that would result from rogue access points. It is not unusual for a company to actually deploy a WIDS before the company deploys the wireless network that is meant to provide access.

Wireless intrusion monitoring has evolved, and most current systems have methods to prevent and mitigate some of the known wireless attacks.

While most systems are distributed for scalability across a large enterprise, single laptop versions of intrusion monitoring systems also exist.

Most wireless intrusion monitoring exists at layer 2, but layer 1 intrusion monitoring systems are now also available to scan for potential attacks.

Wireless Intrusion Detection System (WIDS)

In today’s world, a wireless intrusion detection system (WIDS) might be necessary even if there is no 802.11 Wi-Fi network on site. Wireless can be an intrusive technology: if the wired data ports at a business are not controlled (for example, with 802.1X port-based authentication), any individual, including an employee, can plug in a rogue access point.

Because of this risk, many organizations, including banks, other financial institutions, and hospitals, choose to install a WIDS before deploying a Wi-Fi network for employee access.

Once an 802.11 network is installed for access, it has become almost mandatory in most situations to also have a WIDS because of the other numerous attacks against Wi-Fi, such as denial of service, hijacking, and so on.

The typical wireless intrusion detection system is a client/server model that consists of three components:

  • WIDS server - A software or hardware server acts as a central point of management.
  • Management consoles - Software-based management consoles that connect back to a WIDS server as clients can be used for 24/7 monitoring of wireless networks.
  • Sensors - Hardware or software-based sensors are placed strategically to listen to and capture all 802.11 communications.

Sensors are basically radio cards that are in a constant listening mode as passive devices. The sensor devices are usually hardware based and resemble an access point. The sensors have some intelligence but also communicate with the centralized WIDS server.

The centralized server can collect data from literally thousands of sensors at many remote locations, meeting the scalability needs of large corporations.

Management consoles can also be installed at remote locations, and while they talk back to the centralized server, they can also monitor all remote WLANs where sensors are installed.

WIDS are best at monitoring layer 2 attacks such as MAC spoofing, disassociation attacks, and deauthentication attacks. Most WIDS will usually have alarms for as many as 60 potential security risks.

Part of deploying a WIDS is setting the policies and alarms. False positives are often a problem with intrusion detection systems, but they can be less of a problem if proper policies are defined.

Policies can be created to define the severity of various alerts as well as provide for alarm notifications. For example, an alert for broadcasting the SSID might not be considered severe and might even be disabled.

However, a policy might be configured that classifies a deauthentication spoofing attack as severe and an email message or pager notification might be sent automatically to the network administrator.
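The deauthentication-spoofing policy described above, worked as detection logic run over a constructed sensor log. This is an added example for this page, not code from any WIDS product; the Frame record, the one-second sliding window, the ten-frames-per-second threshold and the POLICY table are assumptions chosen for the demonstration.

```python
"""Layer 2 deauthentication/disassociation flood detection over a constructed
sensor log, with a policy table that assigns severity and notification.

Added example; not code from any WIDS product. The Frame record, the
window, the threshold and the POLICY table are assumptions for the demo."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Minimal view of an 802.11 management frame as a passive sensor reports it."""
    ts: float          # capture time, seconds
    subtype: str       # "deauth", "disassoc", "beacon", ...
    src: str           # transmitter address (trivially spoofable)
    dst: str           # receiver address, may be broadcast
    bssid: str
    reason: int = 0    # 802.11 reason code carried by deauth/disassoc frames


BCAST = "ff:ff:ff:ff:ff:ff"

# Policy: which alarms exist, how severe they are and whether someone is paged.
# An SSID-broadcast "alarm" is informational and would typically be disabled;
# a spoofed deauthentication flood is severe and sends a notification.
POLICY = {
    "deauth_flood":   {"severity": "critical", "notify": True},
    "disassoc_flood": {"severity": "high",     "notify": True},
    "ssid_broadcast": {"severity": "info",     "notify": False},
}

WINDOW_SECONDS = 1.0    # assumed sliding window
FLOOD_THRESHOLD = 10    # assumed: more than 10 per second from one BSSID is a flood


def detect_floods(frames, window=WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """Return alarms for (bssid, subtype) pairs whose deauth/disassoc rate exceeds
    the threshold inside a sliding window. Each pair alarms at most once per run."""
    alarms = []
    recent = defaultdict(deque)   # (bssid, subtype) -> timestamps still inside the window
    fired = set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        key = (f.bssid, f.subtype)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # expire timestamps that left the window
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired.add(key)
            name = "deauth_flood" if f.subtype == "deauth" else "disassoc_flood"
            alarms.append({
                "alarm": name,
                "bssid": f.bssid,
                "count": len(q),
                "broadcast": f.dst == BCAST,   # broadcast deauth kicks every client at once
                "reason": f.reason,
                **POLICY[name],
            })
    return alarms


# Constructed sample log (not a real capture).
AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    # One legitimate deauth: the AP drops an idle client (reason 4, inactivity).
    Frame(0.0, "deauth", AP, "aa:bb:cc:dd:ee:01", AP, reason=4),
    Frame(0.5, "beacon", AP, BCAST, AP),
] + [
    # Attacker spoofs the AP's address and broadcasts reason 7 fifteen times in 0.45 s.
    Frame(10.0 + i * 0.03, "deauth", AP, BCAST, AP, reason=7) for i in range(15)
]

if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FRAMES):
        print(a)
```

Running it yields a single critical, notifying alarm for the burst and nothing for the lone inactivity deauth, which is the point of a rate threshold: individual deauthentication frames are normal, a burst of them from one BSSID to the broadcast address is not. The same counter keyed on (bssid, subtype) also covers disassociation floods, and the reason code is kept in the alarm because a legitimate AP rarely emits reason 7 at volume.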

Although most of the scrutiny that is performed by a WIDS is for security purposes, many WIDS also have performance monitoring capabilities. For example, performance alerts might be in the form of excessive bandwidth utilization or excessive reassociation and roaming of VoWiFi phones.

Currently, three different WIDS design models exist:

  • Overlay - The most common model is an overlay WIDS that is deployed on top of the existing wireless network.

This model uses an independent vendor’s WIDS and can be deployed to monitor any existing or planned WLAN. The overlay systems typically have more extensive features, but they are usually more expensive.

  • Integration enabled - Wi-Fi vendors are currently working to integrate their access points and management systems with the major WIDS vendors.

The Wi-Fi vendor access points integrate software code that can be used to turn the APs into sensors that will communicate with the third-party WIDS server.

  • Integrated - Many wireless switching vendors have fully integrated WIDS capabilities. The wireless controller acts as the centralized server.

The thin access points can be configured in a sensor-only mode, or can do limited part-time scanning when not busy serving clients as an access point. Because an AP that is serving clients can only leave its channel briefly, its detection coverage is weaker than that of a dedicated sensor. The integrated solution is less expensive but may not have all the capabilities offered by an overlay WIDS.

Wireless Intrusion Prevention System (WIPS)

Most WIDS vendors now prefer to call their products wireless intrusion prevention systems (WIPS). They use the term prevention because the products are all now capable of mitigating attacks from rogue access points.

A WIPS characterizes access points and client radios in three classifications:

  • Infrastructure device - This classification refers to any client station or access point that is an authorized member of the company’s wireless network.

A network administrator can manually label each radio as an infrastructure device after the WIPS detects it, or can import a list of the MAC addresses of all the company’s radio cards into the system.

  • Known device - This classification refers to any client station or access point that is detected by the WIPS but is not considered an interfering device or a rogue access point.

The known device label is typically assigned to radio cards of neighboring businesses and is not considered a threat.

  • Rogue device - The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat.

Most WIPS define rogue access points as devices that are actually plugged into the network backbone. Most of the WIPS vendors use a variety of proprietary methods of determining if a rogue access point is actually plugged into the wired infrastructure.

Once a client station or access point has been classified as a rogue device, the WIPS can effectively mitigate the attack. Every WIPS vendor has several ways of accomplishing this, but the most common method is to use spoofed deauthentication frames.

The WIPS has its sensors go active and transmit deauthentication frames that spoof the MAC addresses of the rogue access point and its clients; in other words, the WIPS uses a known layer 2 denial-of-service attack as a countermeasure.

The effect is that all communications between the rogue access point and its clients are rendered useless. This countermeasure can be used to disable rogue access points, individual client stations, and rogue ad hoc networks. Two caveats apply. First, an AP and client that negotiate 802.11w protected management frames will discard spoofed deauthentication frames, so deauthentication-based containment does not work against them. Second, deliberately disrupting a network that is not yours (a neighbor’s AP misclassified as a rogue, or a visitor’s personal hotspot) carries regulatory and legal risk in many jurisdictions, so automatic containment should be limited to devices confirmed to be on the corporate wire.

Another method of rogue containment uses the Simple Network Management Protocol (SNMP). Most WIPS can determine that the rogue access point is connected to the wired infrastructure and may then be able to use SNMP to administratively shut down the managed switch port that the rogue access point is plugged into.

With the switch port shut down, the attacker cannot reach network resources behind the rogue AP, even if clients can still associate to it over the air. The WIPS vendors have other proprietary methods of disabling rogue access points and client stations, and often their methods are not published.
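The three-way classification above (infrastructure, known, rogue) and the SNMP port-shutdown containment, worked together over constructed sensor and switch data. This is an added example for this page, not any WIPS vendor's code. The on-wire test is an assumption standing in for the vendors' proprietary methods: an AP is judged to be plugged into the backbone when its BSSID, or a MAC within a few addresses of it, appears in a switch's MAC (CAM) table. The SNMP action uses the standard IF-MIB ifAdminStatus column (OID 1.3.6.1.2.1.2.2.1.7.<ifIndex>, value 2 = down); all MAC addresses, switch names and port numbers are made up.

```python
"""Rogue classification and containment planning over constructed sensor and
switch data.

Added example; not any WIPS vendor's code. The on-wire heuristic (BSSID close
to a CAM-table MAC) is an assumption standing in for proprietary methods."""

IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"   # IF-MIB::ifAdminStatus column
ADMIN_DOWN = 2                             # ifAdminStatus value: down(2)


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def near(mac_a, mac_b, span=8):
    """Assumption: APs often derive BSSIDs from their wired MAC by a small offset."""
    return abs(mac_to_int(mac_a) - mac_to_int(mac_b)) <= span


def find_on_wire(bssid, cam_table):
    """Return (switch, ifIndex) if a CAM-table MAC is close to the BSSID, else None."""
    for mac, port in cam_table.items():
        if near(mac, bssid):
            return port
    return None


def classify(observed_aps, authorized, known_neighbors, cam_table):
    """observed_aps: list of {"bssid", "ssid", "rssi"} reported by sensors.
    authorized: BSSIDs imported from the company's radio inventory.
    known_neighbors: BSSIDs an administrator has labelled as harmless neighbors.
    cam_table: {mac: (switch, ifIndex)} polled from the wired side.
    Returns one dict per AP with its class and, for a rogue seen on the wire, a
    containment plan naming the switch port to shut and the SNMP set that does it."""
    results = []
    for ap in observed_aps:
        bssid = ap["bssid"].lower()
        if bssid in authorized:
            cls, port = "infrastructure", None
        elif bssid in known_neighbors:
            cls, port = "known", None
        else:
            cls = "rogue"
            port = find_on_wire(bssid, cam_table)
        entry = {"bssid": bssid, "ssid": ap["ssid"], "class": cls,
                 "on_wire": port is not None}
        if port is not None:
            switch, if_index = port
            entry["containment"] = {
                "switch": switch,
                "ifIndex": if_index,
                "snmp_set": f"{IF_ADMIN_STATUS}.{if_index} = {ADMIN_DOWN}",
            }
        results.append(entry)
    return results


# Constructed data (not from a real network).
AUTHORIZED = {"00:11:22:33:44:55"}
KNOWN = {"66:77:88:99:aa:bb"}
CAM_TABLE = {
    "00:11:22:33:44:50": ("sw-floor3", 3),    # corporate AP's wired MAC
    "3c:22:fb:aa:bb:01": ("sw-floor2", 7),    # a workstation
    "00:1a:2b:3c:4d:5e": ("sw-floor3", 12),   # consumer AP plugged into a desk port
}
SAMPLE_APS = [
    {"bssid": "00:11:22:33:44:55", "ssid": "corp", "rssi": -50},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "neighbor-cafe", "rssi": -80},
    {"bssid": "00:1a:2b:3c:4d:5f", "ssid": "linksys", "rssi": -45},   # wired MAC + 1
    {"bssid": "de:ad:be:ef:00:01", "ssid": "phone-hotspot", "rssi": -70},
]

if __name__ == "__main__":
    for e in classify(SAMPLE_APS, AUTHORIZED, KNOWN, CAM_TABLE):
        print(e)
```

Only the consumer AP whose BSSID sits next to a CAM-table entry gets a containment plan; the phone hotspot is unauthorized but not on the wire, so it is reported and left alone, which matches the page's point that most WIPS reserve active containment for devices actually plugged into the backbone. The planned set corresponds to the net-snmp command `snmpset -v 2c -c <write-community> sw-floor3 1.3.6.1.2.1.2.2.1.7.12 i 2`; in production the write community would be replaced by SNMPv3 with authentication and privacy, and the port would be shut only after an administrator confirms the classification.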

Currently, the main purpose of a wireless intrusion prevention system is to contain and disable rogue devices. In the future, other wireless attacks might be mitigated as well.

Mobile WIDS

Several of the wireless intrusion detection/prevention vendors also sell laptop versions of their distributed products. The software program is a protocol analyzer capable of decoding frames with some layer 1 analysis capabilities as well.

The mobile WIDS software uses a standard Wi-Fi client radio as the sensor. However, the main purpose of the software is to provide a stand-alone mobile security and performance analysis tool.

The mobile WIDS will have all the same policy, alarm, and detection capabilities as the vendor’s distributed solution. Think of a mobile WIDS as a single sensor, server, and console all built into one package. The mobile WIDS will be able to detect only attacks within its listening range, but the advantage is that the device is mobile.

One useful feature of a mobile WIDS is that it can detect a rogue access point and client and then be used to track them down. The mobile WIDS locks onto the RF signal of the rogue device and then an administrator can locate the transmitting rogue with a directional antenna.

Spectrum Analyzer

WLAN administrators have begun to realize the benefit of using spectrum analyzers for security purposes. The WIDS vendors currently make claims that their products can detect layer 1 denial of service attacks, namely, RF jamming.

The truth of the matter is that the WIDS vendors are excellent at detecting all of the numerous layer 2 attacks but have limited success with layer 1 detection because they are not spectrum analyzers.

A spectrum analyzer is a frequency domain tool that can detect any RF signal in the frequency range that is being scanned. A spectrum analyzer that monitors the 2.4 GHz ISM band will be able to detect both intentional jamming and unintentional jamming.

Some spectrum analyzers can look at the RF signature of the interfering signal and classify the device. For example, the spectrum analyzer might identify the signal as a microwave oven, a Bluetooth transmitter, or an 802.11 FHSS radio.
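A layer 1 check of the kind a spectrum analyzer performs, worked on constructed sweep data: per-channel duty cycle, and a jamming verdict when energy is continuous across several adjacent channels. This is an added example for this page, not code from any spectrum analyzer vendor. A sweep is a list of (frequency in MHz, power in dBm) bins; the noise floor, the 20 dB "busy" margin, the 90 percent duty-cycle threshold and the three-channel minimum are assumptions for the demonstration, and classifying the interferer by signature (microwave oven, Bluetooth, FHSS) is not attempted.

```python
"""Per-channel duty cycle over constructed 2.4 GHz spectrum sweeps, with a
simple sustained-jamming verdict.

Added example; not any spectrum analyzer vendor's code. The noise floor,
margin, duty-cycle threshold and channel count are assumptions."""

# 802.11b/g channel centers: 1..13 at 5 MHz spacing from 2412 MHz, 14 at 2484 MHz.
CHANNEL_CENTER_MHZ = {ch: 2407 + 5 * ch for ch in range(1, 14)}
CHANNEL_CENTER_MHZ[14] = 2484

NOISE_FLOOR_DBM = -95.0
MARGIN_DB = 20.0       # assumed: energy 20 dB above the floor counts as "busy"
HALF_WIDTH_MHZ = 11    # 22 MHz DSSS channel mask


def channel_duty_cycle(sweeps, channel):
    """Fraction of sweeps in which any bin inside the channel mask is busy."""
    if not sweeps:
        return 0.0
    center = CHANNEL_CENTER_MHZ[channel]
    busy = 0
    for sweep in sweeps:
        if any(abs(f - center) <= HALF_WIDTH_MHZ and p > NOISE_FLOOR_DBM + MARGIN_DB
               for f, p in sweep):
            busy += 1
    return busy / len(sweeps)


def detect_jamming(sweeps, duty_threshold=0.9, min_channels=3):
    """Return channel numbers judged jammed: duty cycle at or above the threshold on
    at least min_channels consecutive channels. Normal 802.11 traffic and most
    unintentional interferers are intermittent; a broadband jammer is continuous."""
    duty = {ch: channel_duty_cycle(sweeps, ch) for ch in CHANNEL_CENTER_MHZ}
    hot = [ch for ch in sorted(duty) if duty[ch] >= duty_threshold]
    jammed, run = [], []
    for ch in hot:
        if run and ch != run[-1] + 1:        # gap: close the current run
            if len(run) >= min_channels:
                jammed.extend(run)
            run = []
        run.append(ch)
    if len(run) >= min_channels:
        jammed.extend(run)
    return jammed


def make_sweep(busy_ranges):
    """Constructed sweep: 1 MHz bins from 2400 to 2483 MHz at the noise floor,
    raised to the given dBm inside each (lo, hi, dbm) range."""
    sweep = []
    for f in range(2400, 2484):
        p = NOISE_FLOOR_DBM
        for lo, hi, dbm in busy_ranges:
            if lo <= f <= hi:
                p = max(p, dbm)
        sweep.append((f, p))
    return sweep


# Constructed data. NORMAL: an AP on channel 6 transmitting in 7 of 20 sweeps.
NORMAL = [make_sweep([(2426, 2448, -60)] if i % 3 == 0 else []) for i in range(20)]
# JAMMED: a continuous 2420 to 2450 MHz transmitter present in every sweep.
JAMMED = [make_sweep([(2420, 2450, -40)]) for _ in range(20)]

if __name__ == "__main__":
    print("normal:", detect_jamming(NORMAL))
    print("jammed:", detect_jamming(JAMMED))
```

On the normal sweeps no channel reaches the threshold, while the continuous transmitter lights channels 1 through 10 (every channel whose 22 MHz mask overlaps 2420 to 2450 MHz) in every sweep, which is what distinguishes a jammer from a busy AP: not the power level, but a duty cycle near 100 percent that a layer 2 sensor, which only decodes 802.11 frames, cannot see at all.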

A spectrum analyzer might also be used to locate rogue 900 MHz or frequency hopping access points. Most spectrum analyzers are stand-alone solutions; however, one company, Cognio, manufactures a distributed solution that uses a centralized server and remote hardware spectrum analyzer sensors.

The Cognio client/server spectrum analyzer is effectively a layer 1 wireless intrusion detection system. The layer 1 intrusion detection system also has the ability to categorize interference types based on frequency signatures. This can be useful to help classify and locate the interfering device.