October 2004
Table of Contents
The Need for Intrusion Detection and Prevention
Integrated vs. Overlay Architectures
Eliminating Coverage Holes
Simplified Deployment & Management
Better Attack Mitigation Capabilities
Cost Advantages
Real-time Monitoring & RF Management
Rogue Detection and Containment
Interference Detection and Avoidance
FakeAP Detection
AP Impersonation Detection
Spoofed Deauthenticate Frame Detection
FATA-Jack Detection
Honeypot AP Detection
Man In The Middle Detection
Advanced IDS Signature Analysis
Management Frame Flood Signature
Broadcast Deauthenticate Frame Signature
EAPOL Flood Signature
NetStumbler Signature
Wellenreiter Signature
NULL Probe Response Signature
Valid Stations, Invalid SSID Signature
Invalid OUIs Signature
Weak IV WEP Key Signature
Networking with Confidence
The Need for Intrusion Detection and Prevention
Radio is an open medium, shared between anyone who is transmitting and/or receiving in the same RF spectrum. 802.11, the common standard used for enterprise Wireless LANs (WLAN), leverages unlicensed (i.e. public) radio bands for communication. This makes 802.11 wireless networks particularly susceptible to unauthorized intrusion and malicious attacks.
Traditional WLAN deployments require the IT staff to physically monitor the air space with manual RF scanning devices to detect undesirable behavior. As this approach only yields a snapshot of activity and requires expensive human capital resources, it lacks effectiveness and is often cost prohibitive. As a result, to safeguard enterprise WLANs from security threats that can compromise data and/or disrupt service, next generation WLAN systems integrate real-time intrusion detection and prevention with multiple layers of WLAN security to provide complete WLAN protection, while keeping capital and operational expenditures to a minimum.
Airespace is the first vendor to completely integrate a Wireless Protection System (WPS) with intelligent WLAN capabilities. More specifically, Airespace combines real-time (24/7) monitoring with advanced RF analysis for complete intrusion protection, enabling enterprises to safeguard their air space without requiring disparate systems for security, management, and traffic delivery. In addition, Airespace’s WPS functions are tightly coupled with real-time monitoring, dynamic RF management, attack signature analysis, and location tracking capabilities to deliver a comprehensive end-to-end security solution for business critical applications.

Integrated vs. Overlay Architectures
In an Airespace WLAN System, the same APs and controllers that are used to deliver 802.11 service are also used to simultaneously monitor the RF. In this respect, a single infrastructure is used for traffic delivery and WLAN security. This has a number of distinct advantages over alternative solutions that require a standalone IDS system to be “overlayed” on top of a separate WLAN infrastructure. These advantages include:
- No coverage holes or hidden nodes - Overlay IDS systems monitor the air space using distributed radio sensors that are connected to a stand-alone IDS server. When deploying these systems, IT staff are forced to choose between cost and effectiveness. Mapping radio sensors to APs at a 1:1 ratio ensures the best network coverage, but can be cost prohibitive; deploying one monitoring node for every 3-5 APs can alleviate the investment cost, but might result in RF coverage holes whereby network access is provided in an area that is not being monitored. As every Airespace AP simultaneously handles intrusion detection/prevention with traffic delivery, maximum protection is provided with no additional hardware investment cost.
- Simplified planning, deployment, and management - Designing the optimum overlay design can be time consuming and resource intensive. In addition, managing it on an ongoing basis can be cumbersome as separate NMS tools are required, one for WLAN systems management and another for IDS monitoring.
The Airespace intrusion detection and prevention solution seamlessly integrates with Airespace Control System (ACS) Software to provide a single management interface for administrators. This enables organizations to have better control over all critical WLAN management functions as opposed to overlay systems which require a secondary management console for IDS configuration and monitoring.
- Better Attack Containment Capabilities - Because Airespace’s IDS is embedded within all Airespace equipment, it has direct access to the WLAN infrastructure. This enables the Airespace system to respond immediately to critical intruder alarms, and if necessary, take appropriate mitigation action against rogue APs, RF-related attacks, and unwanted network intrusions. Response actions might include placement of clients on an exclusion list, device containment, termination of network access or critical alarm notifications sent to an administrator for further investigation.
- Cost Advantages - The Airespace solution for intrusion detection and prevention does not require a parallel RF infrastructure, including radio sensors, extra dedicated AP air monitors, and a stand-alone IDS server. All Airespace APs perform both IDS and network distribution service simultaneously. The system also gives administrators the flexibility (if required) to set Airespace APs as dedicated air monitors if they have special deployment needs. As a result, total cost of ownership is significantly lower with the Airespace system when compared to overlay systems or systems that require dedicated hardware and software for monitoring. Furthermore, if companies already have a WLAN and are simply looking to add IDS functionality, the Airespace system is a more cost effective alternative since it can provide distribution services as well as IDS protection.
Figure 1 All Airespace equipment ships with built in IDS functionality. No overlay sensors or stand alone appliance servers are required. Airespace APs perform both IDS monitoring and WLAN distribution services simultaneously. The Airespace system can respond to wireless attacks with the appropriate mitigation actions including rogue containment (if required).
It is important to note that even WLAN infrastructures that allow IT staff to configure APs as either access points or access monitors are still technically creating an overlay network. That is because one set of hardware is required to do monitoring and intrusion detection/prevention functions, while another set of hardware is handling traffic delivery. While a single piece of hardware can act as both an Access Point and an Access Monitor, these functions are not performed simultaneously. As a result, it does not avoid the need for additional hardware investment, nor does it simplify network design.

Real-Time Monitoring and RF Management
There is no way to predict the exact date or time when a WLAN might come under attack. As a result, network administrators require a WLAN solution with real-time RF monitoring capabilities to provide constant visibility into the air space. In addition, it is easy to confuse benign activities, such as interference from a neighboring coffee shop, with real security threats. Consequently, network administrators require real-time RF intelligence within the WLAN to help analyze RF activity so that they can make informed decisions about the overall state of network security.
Airespace integrates the real-time monitoring and dynamic RF management capabilities of its AireWave Director Software with its Wireless Protection System to provide complete intrusion detection and prevention. AireWave Director Software, which is embedded on all Airespace equipment, automatically identifies, analyzes, corrects, and logs all potentially harmful RF activity, minimizing the effect that it has on WLAN performance and security. This provides real-time protection from the following types of malicious activity:
Figure 2 The Airespace system uses the AireWave Director Software to constantly monitor the air space looking for unexpected access points. If rogue access points appear, the system pinpoints their exact location, denies them access to the wireless network, and notifies operations staff of their existence.
- Rogue Access Point/Ad-Hoc networks - The Airespace WLAN system uses patent-pending technology to constantly monitor the air space looking for unexpected access points. If rogue access points or rogue clients appear, the WLAN system pinpoints their location, and is capable of preventing them (and all associated clients) from accessing the network through rogue containment. Along with rogue detection, the Airespace IDS solution is also able to detect clients operating in ad-hoc mode. If an administrator chooses to disallow ad-hoc communication, then devices that violate this policy can be contained.
- RF Interference - The Airespace WLAN system actively monitors the wireless network for interference. When potentially harmful traffic or interference is detected, the Airespace Wireless Protection System helps to identify the source and takes appropriate measures, such as denying network access or adjusting channel assignments through dynamic radio resource management.
- FakeAP - In this attack, the hacker floods the air with hundreds of beacons with fake SSIDs. One of the results of this attack is a denial of service to all wireless clients that end up processing all of the fake SSIDs.
- AP Impersonation - In this attack, a rogue AP spoofs its MAC address to the identity of an authorized AP. The result of this attack is that a number of exploits can be mounted against clients that unknowingly associate to the masquerading AP, such as man-in-the-middle or denial of service attacks.
- Spoofed Deauthenticate Frame - In this attack, the hacker sends an 802.11 deauthenticate frame to a client using the BSSID of the client’s AP. The result is another denial of service attack.
- FATA-Jack - FATA-Jack is a denial of service attack that uses the AirJack driver to send out fake failed authentication packets to clients with a reason code of “Previous authentication failed”. The source MAC is spoofed so that clients think the packet came from a valid AP. It sends a packet every 2.5 seconds.
- Honeypot AP - In this attack, the rogue AP advertises a valid SSID with either a spoofed authorized AP’s BSSID, or with a random BSSID. The goal of this attack is to cause a client to associate with the rogue AP.
- Monkey Jack and Man In The Middle Detection - The monkey-jack attack is a blend of the broadcast deauthenticate frame attack and a spoofed MAC address attack. After successfully causing the client to lose its connection, the attacker tricks the client into re-associating with the rogue AP and proceeds to insert itself between the client and the AP.
For each of the attacks described above, the Airespace system not only detects the activity and takes appropriate counter measures, but it uses advanced location tracking capabilities to help locate the source of the undesirable activity. This helps to expedite problem resolution. By tying in location tracking with intelligent event correlation software, Airespace helps IT staff dramatically reduce false positives when detecting WLAN attacks.

Advanced IDS Signature Analysis
In addition to monitoring the air space for unusual activity, the Airespace system comes equipped with an advanced IDS signature analysis engine to help identify known WLAN exploits and attacks. Once an event is triggered by signature analysis, the system responds with an alarm that correlates directly to that specific event and initiates the appropriate mitigation actions.
Figure 3 Unlike overlay systems which require all captured packets to be forwarded back to a stand alone appliance server for further analysis, the Airespace system integrates IDS functionality directly into the Airespace Control System. This allows administrators to manage all of their IDS functionality through a single interface.
The Airespace WLAN system is extremely efficient in the manner in which it handles attack signatures. Whereas some vendor systems require all captured packets to be forwarded back to a centralized WLAN switch (or stand alone IDS server) for analysis, the Airespace WLAN system inspects all packets directly at the AP. This architecture allows Airespace to provide maximum WLAN protection without sacrificing WLAN performance. If an attack is detected, the appropriate mitigation response action is communicated across the entire Airespace WLAN system. This enables uniform policies to be enforced throughout the enterprise, preventing intruders from attempting to remount an attack from a different physical location.
Some of the critical wireless intrusion signatures enforced by the Airespace WLAN system include:
- Management Frame Flood Signature - In this attack, the hacker floods an AP with 802.11 management frames. The result of this attack is a denial of service to all stations associated or trying to associate with the AP. Implementations of this attack include the following management frame types received by an AP:
- Association Request flood
- Reassociation Request flood
- Probe Request flood
- Disassociation flood
- Deauthentication flood
- Reserved management sub-types 6 and 7
- Reserved management sub-type D
- Reserved management sub-types E and F
To mitigate this DoS attack, the Airespace WLAN system identifies management frames matching all the characteristics of the Airespace management frame flood signature. One of the variables in this signature is the frequency with which these packets are transmitted. If the frequency of these frames is greater than the value set in the signature, the AP that hears these frames triggers an alarm. Depending upon how the administrator configures the Airespace system, a response action could include isolating the offending device through containment or sending an alarm notification to an administrator for further investigation.
Figure 4 As new attack signatures are identified, the Airespace system is updated to ensure complete IDS protection. Along with known attack signatures, the Airespace system enables administrators to create and enforce custom IDS signatures.
- Broadcast Deauthenticate Frame Signature - In this attack, the hacker sends an 802.11 deauthenticate frame to the broadcast MAC destination address on behalf of another station. This attack causes the addressed stations to disassociate from the AP and lose their connection. If this action is repeated, the station experiences a denial of service. One example of a hacker tool that implements this attack is known as “Airjack”. The Airespace system mitigates this attack with the broadcast deauthenticate frame signature. If an AP hears a station transmitting broadcast deauthenticate frames which match the characteristics of the broadcast deauthenticate frame signature, an alarm is generated. Depending upon how the administrator configures the Airespace system, either the offending device can be contained so that its signals no longer interfere with authorized clients and/or the system can forward an immediate alert to the administrator for further action.
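The two signatures above, the management frame flood and the broadcast deauthenticate frame, both key on the 802.11 frame control field and the transmitter address, so they can share one parser. The following is an added illustration written for this page, not Airespace code: it decodes the management subtype from raw frames, keeps a per-transmitter sliding window whose threshold plays the role of the signature's tunable "frequency" variable (the 50 frames per second used here is an assumption), and flags any deauthenticate frame addressed to ff:ff:ff:ff:ff:ff. The MAC addresses and frames in run_sample() are constructed.

```python
# Added example (not Airespace code): rate-based management-frame flood and
# broadcast-deauthenticate signatures evaluated over raw 802.11 frames.
from collections import defaultdict, deque
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
MGMT = 0  # 802.11 frame type 0 = management

# Subtypes that the flood signature counts (IEEE 802.11-1999 subtype codes).
FLOOD_SUBTYPES = {
    0x0: "association request", 0x2: "reassociation request", 0x4: "probe request",
    0x6: "reserved 6", 0x7: "reserved 7", 0xA: "disassociation", 0xC: "deauthentication",
    0xD: "reserved D", 0xE: "reserved E", 0xF: "reserved F",
}

def parse_header(frame):
    """Split a raw 802.11 MAC header into (type, subtype, addr1, addr2, addr3)."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0 = frame[0]                      # first octet of the frame control field
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22]

def build_mgmt(subtype, addr1, addr2, addr3, seq=0):
    """Constructed management frame: frame control, duration, three addresses, sequence control."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)

class MgmtSignatures:
    """Sliding-window counter per transmitter. max_frames/window_s stand in for the
    signature's 'frequency' variable; the defaults are assumptions, not product values."""

    def __init__(self, max_frames=50, window_s=1.0):
        self.max_frames = max_frames
        self.window_s = window_s
        self.history = defaultdict(deque)   # addr2 -> timestamps of counted frames

    def observe(self, frame, ts):
        """Return the alarms raised by one frame heard at time ts (seconds)."""
        ftype, subtype, addr1, addr2, _ = parse_header(frame)
        alarms = []
        if ftype != MGMT:
            return alarms
        src = addr2.hex(":")
        # Broadcast deauthenticate signature: a deauth addressed to ff:ff:ff:ff:ff:ff.
        if subtype == 0xC and addr1 == BROADCAST:
            alarms.append(f"broadcast deauthenticate from {src}")
        # Management frame flood signature: too many counted subtypes inside the window.
        if subtype in FLOOD_SUBTYPES:
            q = self.history[addr2]
            q.append(ts)
            while q and ts - q[0] > self.window_s:
                q.popleft()                  # drop frames that fell out of the window
            if len(q) > self.max_frames:
                alarms.append(f"management frame flood from {src}: {len(q)} frames in {self.window_s}s")
        return alarms

def run_sample():
    """Constructed traffic: one spoofed broadcast deauth, a probe-request flood, and normal probing."""
    ap = bytes.fromhex("000b85000001")        # constructed AP address
    sta = bytes.fromhex("004096000002")       # constructed client that floods
    quiet = bytes.fromhex("00095b000003")     # constructed client probing at a normal rate
    det = MgmtSignatures(max_frames=50, window_s=1.0)
    alarms = det.observe(build_mgmt(0xC, BROADCAST, ap, ap), ts=0.0)       # deauth "from" the AP
    for i in range(60):                                                     # 60 probe requests in 0.3 s
        alarms += det.observe(build_mgmt(0x4, BROADCAST, sta, BROADCAST, seq=i), ts=0.5 + i * 0.005)
    for i in range(5):                                                      # one probe per second: no alarm
        alarms += det.observe(build_mgmt(0x4, BROADCAST, quiet, BROADCAST, seq=i), ts=10.0 + i)
    return alarms

if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

The flood threshold is evaluated per transmitter address, which is what an AP can actually observe; a real engine would also have to tolerate the source address being spoofed, which is why the page pairs signature hits with location tracking rather than trusting the address alone.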
- EAPOL Flood Signature - In this attack, the hacker floods the air with EAPOL frames with 802.1x authentication requests. As a result, the 802.1x authentication server cannot respond to all of the requests and fails to send successful authentication responses to valid clients. The result is a denial of service to all affected stations. The Airespace WLAN system identifies this attack with an EAPOL flood signature. When the maximum number of allowed EAPOL packets is exceeded, the Airespace WLAN system triggers an alarm and proceeds with the appropriate mitigation action.
- NetStumbler Signature - This is a wireless scanning utility that reports AP broadcast information such as operating channel, RSSI info, adapter manufacturer name, SSID, whether or not WEP is turned on, and the latitude and longitude of the device running NetStumbler when a GPS is attached. NetStumbler can be detected by Airespace IDS signature analysis since it broadcasts packets with a unique signature. While in active scanning mode, NetStumbler uses OUI 0x00601d (Lucent) and PID 0x0001 in the SNAP header. If NetStumbler succeeds in authenticating and associating with an AP, it sends a data frame with the following strings, depending on the NetStumbler version:
| Version | String |
| 3.2.0 | "Flurble gronk bloopit, bnip Frundletrune" |
| 3.2.3 | "All your 802.11b are belong to us" |
| 3.3.0 | (sends white spaces) |
The Airespace system identifies this attack with a NetStumbler signature that matches the details listed above. Once detected, a specific alarm that correlates to the event is generated and the location of the offending device is identified.
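Both the NetStumbler signature and the EAPOL flood signature live in the LLC/SNAP header of unencrypted 802.11 data frames, so one parser serves both. The block below is an added example for this page, not Airespace code: it extracts the SNAP OUI and protocol ID, matches the Lucent OUI 0x00601d / PID 0x0001 plus the version strings from the table, and counts EAPOL (ethertype 0x888e) frames per transmitter per second against a threshold that is an assumption here (the page gives no number). The MAC addresses, frames and timestamps in run_sample() are constructed.

```python
# Added example (not Airespace code): LLC/SNAP-based signatures over raw 802.11 data
# frames, covering the NetStumbler markers listed in the table and an EAPOL flood count.
from collections import Counter

DATA = 2                                 # 802.11 frame type 2 = data
LLC_SNAP = b"\xaa\xaa\x03"               # DSAP, SSAP, control for SNAP encapsulation
NETSTUMBLER_OUI = b"\x00\x60\x1d"        # Lucent OUI used in the SNAP header
NETSTUMBLER_PID = b"\x00\x01"
NETSTUMBLER_STRINGS = {
    b"Flurble gronk bloopit, bnip Frundletrune": "3.2.0",
    b"All your 802.11b are belong to us": "3.2.3",
}
EAPOL_ETHERTYPE = b"\x88\x8e"            # 802.1X (EAPOL) over LAN

def parse_data_llc(frame):
    """Return (addr2, oui, protocol_id, payload) for an unencrypted SNAP data frame, else None."""
    if len(frame) < 32:                               # 24-octet header + 8-octet LLC/SNAP
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != DATA or fc1 & 0x40:        # not a data frame, or WEP-protected body
        return None
    hdr = 30 if (fc1 & 0x03) == 0x03 else 24          # four-address form when ToDS and FromDS are both set
    body = frame[hdr:]
    if body[:3] != LLC_SNAP:
        return None
    return frame[10:16], body[3:6], body[6:8], body[8:]

def netstumbler_version(frame):
    """Match the NetStumbler signature; returns the version string or None."""
    parsed = parse_data_llc(frame)
    if parsed is None:
        return None
    _, oui, pid, payload = parsed
    if oui != NETSTUMBLER_OUI or pid != NETSTUMBLER_PID:
        return None
    for marker, version in NETSTUMBLER_STRINGS.items():
        if marker in payload:
            return version
    if payload and payload.strip(b" ") == b"":        # 3.3.0 sends only white space
        return "3.3.0"
    return "unknown version"

def is_eapol(frame):
    """True when the SNAP header carries the EAPOL ethertype (OUI 00:00:00, PID 0x888e)."""
    parsed = parse_data_llc(frame)
    return parsed is not None and parsed[1] == b"\x00\x00\x00" and parsed[2] == EAPOL_ETHERTYPE

def eapol_flood_sources(frames, max_per_second=10):
    """Transmitters exceeding max_per_second EAPOL frames in any one-second bucket (threshold assumed)."""
    counts = Counter()
    for frame, ts in frames:
        if is_eapol(frame):
            counts[(frame[10:16], int(ts))] += 1
    return sorted({src.hex(":") for (src, _), n in counts.items() if n > max_per_second})

def build_data(addr1, addr2, addr3, body, to_ds=True):
    """Constructed three-address data frame with an LLC/SNAP body."""
    return bytes([0x08, 0x01 if to_ds else 0x02]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body

def run_sample():
    ap = bytes.fromhex("000b85000001")          # constructed AP address
    scanner = bytes.fromhex("004096000002")     # constructed station running the scanner
    flooder = bytes.fromhex("00022d000003")     # constructed station sending EAPOL-Start bursts
    ns_frame = build_data(ap, scanner, ap,
                          LLC_SNAP + NETSTUMBLER_OUI + NETSTUMBLER_PID + b"All your 802.11b are belong to us")
    eapol_start = LLC_SNAP + b"\x00\x00\x00" + EAPOL_ETHERTYPE + b"\x01\x01\x00\x00"   # EAPOL-Start, version 1
    traffic = [(build_data(ap, flooder, ap, eapol_start), 3.0 + i * 0.01) for i in range(40)]
    traffic.append((build_data(ap, scanner, ap, eapol_start), 3.5))   # one legitimate EAPOL-Start
    return {"netstumbler": netstumbler_version(ns_frame), "eapol_flood": eapol_flood_sources(traffic)}

if __name__ == "__main__":
    print(run_sample())
```

Because the OUI/PID check happens before any string search, a frame that carries the Lucent SNAP header but none of the listed strings is still reported (as "unknown version"), which is the behaviour you want when a newer scanner build changes its payload but not its encapsulation.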
- Wellenreiter Signature - Similar to NetStumbler, Wellenreiter is a WLAN scanning and discovery utility which can reveal AP and station information. Airespace IDS detects this attack with a unique signature for the Wellenreiter program. Once detected, a specific alarm that correlates to the event is generated and the location of the offending device is identified.
For each of the remaining attacks listed below, the Airespace system detects the attack with its own signature, raises the corresponding alarm, and locates the offending device.
- NULL Probe Response Signature - Certain wireless cards tend to lock up if they receive a NULL probe response. This attack is identified by the Airespace system with a NULL Probe Response Signature.
- Valid Stations, Invalid SSID Signature - A client that has previously been authenticated on the wireless network may attempt to associate with an AP advertising an SSID that is not supported on the wireless network. This may be a badly configured client, or a rogue client attempting to open a back door into the network. In either case, a set of signatures indicating the SSIDs allowed on the network can identify the attack.
- Invalid OUIs Signature - In addition to detecting attacks, custom signatures can be used to configure OUIs allowed on a wireless network. For instance, if a network only uses Cisco and Netgear client adapters, then signatures can be configured to detect OUIs that are not of those two vendors and enforce the appropriate response action. Airespace IDS supports the creation of custom signatures so that administrators can enforce unapproved packet types through IDS signature analysis.
- WEP Weak IV Detection Signature - Certain IVs (Initialization Vectors) used in conjunction with static WEP keys are considered to be weak and consequently make WEP vulnerable to key cracking programs such as Airsnort and WEPCrack. Many of the newer WLAN adapter cards already filter out these known weak IVs before they are broadcast over the air, thus mitigating this vulnerability. However, many of the older WLAN adapters do not filter out these weak IVs. With the Airespace weak IV detection signature, enterprises are protected from this known vulnerability.
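The weak IV signature and the invalid OUI signature both inspect client data frames, so the added example below, written for this page and not Airespace code, runs both over raw 802.11 frames. The weak IV test implements the Fluhrer-Mantin-Shamir class of IVs that AirSnort-era tools relied on, i.e. IVs of the form (A+3, 255, X) where A indexes a byte of the WEP key (key_len 5 for 40-bit keys, 13 for 104-bit keys); later attacks use other IV classes, so this check detects only the class the cards described above filter. The OUI allow list assumes 00:40:96 (Cisco Aironet) and 00:09:5b (Netgear) for the "only Cisco and Netgear adapters" case in the text; addresses, IVs and frames in run_sample() are constructed.

```python
# Added example (not Airespace code): WEP weak-IV and client-OUI signatures over raw
# 802.11 data frames. The weak-IV test covers the FMS "resolved" class (A+3, 255, X).
DATA = 2                                 # 802.11 frame type 2 = data
TO_DS, PROTECTED = 0x01, 0x40            # frame-control flag bits (second octet)

# Assumed allow list for the "only Cisco and Netgear adapters" case; verify against the IEEE registry.
ALLOWED_OUIS = {bytes.fromhex("004096"): "Cisco Aironet", bytes.fromhex("00095b"): "Netgear"}

def is_fms_weak_iv(iv, key_len=13):
    """True for IVs (A+3, 255, X) with A indexing a WEP key byte: key_len 5 = 40-bit, 13 = 104-bit."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len

def inspect_data_frame(frame, key_len=13, allowed=ALLOWED_OUIS):
    """Return the signature names matched by one raw data frame sent by a client (ToDS set)."""
    if len(frame) < 24:
        return []
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != DATA or not fc1 & TO_DS:
        return []
    hits = []
    addr2 = frame[10:16]                 # transmitter (the client) in a ToDS frame
    if addr2[:3] not in allowed:         # first three octets of the MAC are the vendor OUI
        hits.append("invalid OUI")
    if fc1 & PROTECTED and len(frame) >= 28:
        iv = frame[24:27]                # WEP IV is the first three body octets, followed by the key-ID octet
        if is_fms_weak_iv(iv, key_len):
            hits.append("weak IV")
    return hits

def build_wep_frame(ap, client, iv, key_id=0, ciphertext=b"\x00" * 8):
    """Constructed ToDS data frame with the WEP protected bit set (ciphertext is dummy bytes)."""
    fc = bytes([DATA << 2, TO_DS | PROTECTED])
    return fc + b"\x00\x00" + ap + client + ap + b"\x00\x00" + iv + bytes([key_id << 6]) + ciphertext

def run_sample(key_len=13):
    ap = bytes.fromhex("000b85000001")   # constructed AP address
    frames = [
        ("cisco, weak IV", build_wep_frame(ap, bytes.fromhex("004096000002"), bytes([0x05, 0xFF, 0x12]))),
        ("netgear, safe IV", build_wep_frame(ap, bytes.fromhex("00095b000003"), bytes([0x10, 0xFF, 0x12]))),
        ("unknown OUI, safe IV", build_wep_frame(ap, bytes.fromhex("00022d000004"), bytes([0x05, 0xFE, 0x12]))),
    ]
    return {label: inspect_data_frame(f, key_len) for label, f in frames}

if __name__ == "__main__":
    for label, hits in run_sample().items():
        print(f"{label}: {hits or 'no signature hit'}")
```

Note the second sample frame: its IV (0x10, 0xFF, 0x12) has the 0xFF middle byte but a first byte outside 3..15, so it is not in the FMS class for a 104-bit key, which is why the check is parameterised on key length rather than keying only on the middle byte.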

Networking with Confidence
There is little doubt that security is vital to wireless networking in the enterprise. The most effective way of ensuring complete control of the air space is to build safeguards into the WLAN system that enable IT staff to visualize the air space and control how it is being used.
Airespace has set the standard for WLAN security by integrating wireless intrusion detection and prevention directly into the wireless LAN infrastructure. This reduces WLAN deployment costs by eliminating the need for separate overlay IDS networks, dedicated AP monitoring devices, and stand alone IDS servers and appliances.
Only Airespace integrates WLAN protection with real-time RF management. This enables RF anomalies to be rapidly detected and analyzed to determine potential threat risk. In addition, WLAN configuration parameters, such as channel assignments, can be dynamically adjusted to mitigate the risk of attacks.
Airespace is the only WLAN system with integrated location tracking for better intrusion detection and prevention. This enables the source of potential threats to be easily identified, which minimizes false positives and expedites problem resolution.
Finally, Airespace offers the industry’s most robust IDS solution for enterprise WLANs. With real-time signature updates, the Airespace system remains up-to-date with no network downtime, delivering 24/7 WLAN security to support business critical applications.