140 likes | 293 Views
NETW 05A: APPLIED WIRELESS SECURITY Additional Security Solutions. By Mohammad Shanehsaz Spring 2005. Objectives. Describe the following types of intrusion detection methods and tools for WLANs: 24x7 centralized, skilled monitoring Honey pots Professional security audits
E N D
NETW 05A: APPLIED WIRELESS SECURITY Additional Security Solutions By Mohammad Shanehsaz Spring 2005
Objectives • Describe the following types of intrusion detection methods and tools for WLANs: • 24x7 centralized, skilled monitoring • Honey pots • Professional security audits • Accurate, timely reporting • Distributed agent software • Security spot checking • Available wireless LAN intrusion detection software and hardware tools
Intrusion Detection Systems • An IDS inspects inbound and outbound traffic and attempts to identify suspicious activity • An IDS is different from firewall in that a firewall monitors for intrusion to stop them while an IDS signals an alarm • Wireless IDS can search a WLAN for vulnerabilities, detect and respond to intruders, and help manage it • Wireless IDS use sensors that monitor all wireless traffic and report them to the central server • The sensors provide 24x7 real-time monitoring
Features of IDS • Network-based vs. host-based monitoring • Passive vs. Reactive monitoring • Misuse detection • Anomaly detection • Vulnerability detection • Performance monitoring
Network-based vs. Host-based • Network-based IDS listen on the wireless segment through wireless sensors • To monitor all wireless traffic, sensors must be placed at, in, or near every access point • Host-based IDS, examine data on each host computer, require that IDS agents be running on each node in order to report suspicious activity back to the central server • They are able to monitor attacks against an individual computer more thoroughly
Passive vs. Reactive • IDS in passive mode - if any attacks occur, will raise various alarms to inform the appropriate security personnel to take action • IDS in reactive mode, IDS react to attacks and eliminate them by shutting down services, restrict access to services or disconnecting them altogether • Active vs. reactive settings configured through policy settings in the IDS
Misuse Detection • To detect misuse, the IDS must monitor business rules for WLAN, some of which are: • Limit access points to only operate on specific channels • Require all wireless LAN traffic to be encrypted • Prohibit SSIDs from being broadcast unmasked • Limit traffic on the wireless LAN to occur only within certain hours of the day
Anomaly Detection • Monitors network segments to compare their current status to the normal baseline • Baselines should be established for typical network load, protocols, and packet size • Appropriate personnel should be alerted to any anomalies
Vulnerability Detection • Vulnerabilities to wireless LANs can be detected in real-time • Locating any ad-hoc networks that are actively transmitting traffic, is one way to keep peer-to-peer attacks from occurring • Locating an open rogue access point that has hi-jacked an authorized user is another one
Performance Monitoring • Since WLAN has limited bandwidth we need to determine who is using the bandwidth and when • We don’t need performance monitoring if IDS has built-in rate Limiter functionality, but we can use it to report on usage statistics, for future growth
Monitoring and Maintenance • Monitoring must be active 24x7 to be effective • The security policy must define contact personnel, and what steps to take to respond properly • The reports that are generated from an IDS must be treated with utmost importance • Periodic upgrades and ongoing training for the IDS specialist ensure continued success in effective use of the IDS • Periodic spot-checking of the IDS should be considered mandatory
Thin Clients • Based on a hybrid of the mainframe-terminal and the client-server model • Clients run an OS of their own, but all processing is done at the server • Come in the form of thin client software running on a notebook computer or an actual machine • Low Total Cost of Ownership • Peer-to-peer attacks yield no useful info • They pass screenshots, mouse clicks, and screen updates which use minimal bandwidth • Client authentication is required • SSH2 can be used to authenticate and tunnel encrypted traffic
Authenticated DHCP Services • IETF RFC 3118 adds authentication to DHCP • DHCP clients and server are able to authenticate one another • IP connectivity is given only to authorized clients • Prevents rogue and malicious DHCP clients and servers from unauthorized access , DoS, theft of services or hijacking attacks • To implement it, administrators must deploy RFC 3118 compatible software on all PCs, and upgrade existing DHCP servers to support DHCP authentication • Users must also devise an authentication key scheme and distribute it to all authenticated DHCP clients
Traffic Baselining • Analyze the performance of a selected network segment over a period of time (represent network normalcy) • Provides reference points for current use, and for required modifications when adding new services or users (baselining for performance) • Identify performance issues and provide info for security (min, max, or average values from baseline data can be used for setting alarm thresholds in IDS)