
Mitigating Rogue Access Points in Corporate Environments

This presentation discusses the design, implementation, and deployment of a wireless IDS to address the vulnerabilities and risks associated with rogue access points in corporate environments. The focus is on creating a low-cost, portable, and flexible solution that can detect and mitigate various wireless attacks.


Presentation Transcript


  1. Mitigating Rogue Access Points in Corporate Environments (Design, Implementation and Deployment of a Wireless IDS)
  FIRST Singapore – June 29, 2005
  Laurent BUTTI – France Telecom Division R&D
  firstname.lastname AT francetelecom dot com

  2. Introduction

  3. Context
  • Wireless networks are widely available in corporate environments
    • Wireless infrastructures for employee access (IPsec or WPA/WPA2)
    • Wireless infrastructures for guest access (captive portal)
    • Wireless chipsets shipped by default on most laptops today
  • These facts inevitably lead to several weaknesses
    • Information leaking about your wireless infrastructure and laptops
    • Error-prone configurations and uncontrolled experimental networks
    • Uncontrolled ad hoc networks that may represent a critical hole (double attachment)
  • New security mechanisms (WPA/IEEE 802.11i) cannot address these issues!

  4. Need a Wireless IDS?
  • Combine the context with the attacker's panoply
    • Access point mode available with most *nix drivers and firmwares
    • Lightweight access points to be plugged into corporate networks
    • Wardriving tools (the obvious first step towards a more intrusive attack)
    • Frame injection attacks that may be disruptive
  • Difficult to know the status of wireless networks
    • Just ask your sysadmins to tell you about this!
    • Attacks in action? Wardriving and man-in-the-middle attacks are impossible to detect without specific tools!
    • Are there any legitimate or illegitimate access points?
  • Your wireless environment may be vulnerable…
    • You should observe it carefully thanks to a wireless IDS!

  5. Preliminary Choices
  • Wireless networks were already deployed
    • Employee corporate access thanks to IPsec w/ IKE and certificates
    • Employee corporate access thanks to WPA w/ EAP-TLS
    • Guest access thanks to captive portals w/ temporary logins
  • An overlay wireless IDS solution seems to be straightforward
    • Specialized IDS software and dedicated sensors
  • We decided to design a new tool from scratch
    • Fit our needs and the low-cost requirement
    • Improve our skills in the wireless security area
  • This presentation will expose our feedback on
    • Design, Implementation and Deployment of a Wireless IDS
    • Mitigating Rogue Access Points in Corporate Environments

  6. Wireless IDS: Design and Implementation

  7. Requirements: Overlay Wireless IDS (1/2)
  • Portable
    • Independent of lower layers (any IEEE 802.11a/b/g/? monitor-capable wireless card)
    • Should run on any *nix operating system
  • Flexible and lightweight
    • Code should not be modified when adding a new event pattern
    • Should run on embedded devices (e.g. WRT54G) with low memory and CPU constraints
    • Channel hopping compliant
    • Should not trigger false positives
  • Enhanced features
    • Efficient aggregation and correlation
    • New MAC spoofing detection engines
    • New equipment tracking capabilities

  8. Requirements: Overlay Wireless IDS (2/2)
  • Low-cost
    • As overlay solutions may be expensive, low-cost wireless probes and backend tools are mandatory
  • Ease of use
    • Must be managed through a web interface (log readability, administration…)

  9. Architecture Overview
  [Diagram: wireless probes send SYSLOG events to the aggregation and correlation collector, which stores them in the events database over SQL; the presentation and administration server reads the database over SQL and is reached by the site administrator over HTTPS; probes are administered over SSH/SCP]
  • The architecture is divided into several technical parts
    • Several wireless probes: detecting and sending events
    • A central collector: event aggregation and correlation
    • A database: aggregated and correlated events storage
    • A GUI: presentation and supervision/administration
  • The wireless probe is fully functional in standalone mode
    • But you need to store and read a lot of SYSLOG events!

  10. Architecture Overview
  [Diagram: two probes on the internal network, each next to an AP, send SYSLOG events to the aggregation and correlation collector and are administered over SSH/SCP; the collector feeds the presentation and administration server over SQL, which is reached over HTTPS]

  11. (Wireless Probe) Technical Choices
  • Language and capture library
    • C and libpcap
  • Hardware
    • Prism2/2.5/3 (hostap), Prism54 (prism54.org), Atheros (madwifi) and WRT54G (wl)
  • Rules definition
    • Lexical and syntactic parsers
  • Optimized for speed and size
    • Rules tree is stored in memory, minimize mallocs
    • Small memory footprint for embedded devices (~85 Kb binary)

  12. (Wireless Probe) Some Features
  • Rules can be designed to trigger any event, e.g.
    • Rogue access point: packet with a BSSID not in a MAC address whitelist
    • STA association to a rogue access point: association success packet with a BSSID not in a MAC address whitelist
    • WEP injection: several WEP-encrypted packets with the same MAC_STA address and the same IV
  • Ruleset is about 60 signatures implementing detection of
    • Rogue access point: unauthorized BSSIDs, ESSIDs
    • MAC spoofing: several techniques
    • DoS: deauthentication/disassociation, EAP-logoff/failure floods, …
    • EAP brute-forcing: load of EAP-Response Identity requests, …
    • Wardriving: Netstumbler, Wellenreiter, …
    • Injection attacks: load of WEP packets with the same IVs
    • Misconfiguration: default ESSIDs, …

  13. (Wireless Probe) WRT54G Port
  • Linksys WRT54G (802.11b/g access point)
  • Hardware (v1.0)
    • RAM: 16 MB, Flash: 4 MB
    • CPU: BCM94702 (125 MHz MIPS)
    • Ethernet: ADMtek ADM6996 5-port 10/100 switch
  • Others
    • WPA compliant
    • Wireless driver is proprietary
    • Firmware source code is released under the GPL license
  • We used OpenWRT's firmware
    • Upgrading new firmware by HTTP (Linksys's) or TFTP with "nvram set boot_wait=on"
    • Cross-compilation of new binaries (MIPS)
    • Package construction with ipkg
    • Must configure start-up scripts

  14. (Backend) Technical Choices
  • Aggregation and correlation
    • Simple Event Correlator (SEC) processing SYSLOG logs
  • Event storage
    • SQL database (e.g. MySQL)
  • HTTP(S) interface
    • Apache and PHP driven
  • Supervision and administration
    • SSH/SCP for administration purposes
    • syslog for event reporting

  15. (Backend) Some Features
  • On-the-fly aggregation reduces generated logs by up to 98%
    • Most logs are recurrent (scans, rogue APs…) within a timeframe
  • On-the-fly correlation
    • Correlation thanks to a logic combination of alerts (new signature)
    • e.g. STA changing to AP
  • Offline correlation
    • Equipment tracking and geolocation
    • Is the rogue access point interconnected with internal networks?
    • Update the database with a new correlated event
  • Improves accuracy as false alarms are reduced thanks to correlation
  • Aggregation and correlation processes are mandatory!
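As an added illustration of the timeframe aggregation and the "STA changing to AP" correlation described above (not code from the presentation's backend, which used SEC): the syslog line format, the program name `wids` and the signature names are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of probe syslog lines; the format is an assumption, not the tool's own.
SAMPLE_LOGS = """\
Jun 29 10:00:00 probe1 wids: STA_ASSOC sta=00:0c:29:11:22:33 bssid=00:11:22:33:44:55
Jun 29 10:00:05 probe1 wids: ROGUE_AP bssid=00:aa:bb:cc:dd:ee essid=linksys
Jun 29 10:00:06 probe1 wids: ROGUE_AP bssid=00:aa:bb:cc:dd:ee essid=linksys
Jun 29 10:00:07 probe2 wids: ROGUE_AP bssid=00:aa:bb:cc:dd:ee essid=linksys
Jun 29 10:02:00 probe1 wids: ROGUE_AP bssid=00:aa:bb:cc:dd:ee essid=linksys
Jun 29 10:03:00 probe1 wids: ROGUE_AP bssid=00:0c:29:11:22:33 essid=adhoc-test
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) \S+: (\S+) ?(.*)$")

def parse_line(line: str, year: int = 2005) -> dict:
    """Split a syslog line into timestamp, probe name, signature and key=value attributes."""
    m = LINE_RE.match(line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    attrs = dict(kv.split("=", 1) for kv in m.group(4).split())
    return {"ts": ts, "probe": m.group(2), "sig": m.group(3), **attrs}

def aggregate(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Collapse repeats of one (signature, bssid) seen within `window` of its first report."""
    out, current = [], {}            # current: key -> index of the open aggregate in out
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["sig"], e.get("bssid"))
        i = current.get(key)
        if i is not None and e["ts"] - out[i]["first"] <= window:
            out[i]["count"] += 1
            out[i]["probes"].add(e["probe"])   # the same event seen by several probes
        else:
            out.append({"sig": e["sig"], "bssid": e.get("bssid"), "first": e["ts"],
                        "count": 1, "probes": {e["probe"]}})
            current[key] = len(out) - 1
    return out

def correlate_sta_to_ap(events: list) -> list:
    """New correlated event when a MAC first seen as a station later shows up as a BSSID."""
    stations, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["sig"] == "STA_ASSOC":
            stations.add(e["sta"])
        elif e["sig"] == "ROGUE_AP" and e["bssid"] in stations:
            alerts.append(("STA_TURNED_AP", e["bssid"], e["ts"]))
    return alerts

def run(raw: str = SAMPLE_LOGS):
    events = [parse_line(l) for l in raw.splitlines() if l.strip()]
    return aggregate(events), correlate_sta_to_ap(events)
```

On the constructed sample, six raw lines become four aggregated events, and the station that later beacons as an access point yields one correlated alert.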

  16. Detection and Mitigation

  17. Case Study: Rogue Access Points
  • You must address
    • Misconfigured legitimate access points
    • Illegitimately connected access points (by malicious people or not)
  • Processing steps
    • Detection: detect rogue access points
    • Evaluation: determine if rogue access points are interconnected with internal networks and, if possible, their physical location
    • Mitigation: mitigate the risks of rogue access points interconnected with internal networks
  • Of course, you must know all BSSIDs/ESSIDs of your legitimate access points…

  18. Rogue Access Points: Detection
  • Rogue access points not spoofing a legitimate BSSID
    • Detected thanks to a MAC address whitelist (BSSID mismatch)
  • Rogue access points spoofing a legitimate BSSID
    • Detected thanks to a correlation of several MAC spoofing techniques
    • “Layer 2” sequence number variations (thanks to Joshua Wright)
    • “Layer 2” signal strength variations
    • “Layer 2” timestamp inconsistencies
    • “Layer 2” tagged parameters inconsistencies
  • But these techniques cannot determine if rogue access points are interconnected to internal networks!
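An added example of the two detection rules above, the BSSID whitelist and the sequence-number technique, applied to constructed 802.11 beacon headers; this is not the probe's C/libpcap code, and the jump threshold of 64, the frame builder and the event names are assumptions.

```python
import struct

MGMT, BEACON, PROBE_RESP = 0, 8, 5   # frame type/subtypes that carry the BSSID in addr3

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame: bytes) -> dict:
    """Decode the 24-byte IEEE 802.11 MAC header (radiotap/PRISM header already stripped)."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from("<H2s6s6s6sH", frame, 0)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "seq": seqctl >> 4}      # 12-bit sequence number; low 4 bits are the fragment number

class RogueApDetector:
    """BSSID whitelist rule plus a per-BSSID sequence-number continuity rule."""

    def __init__(self, whitelist, max_seq_jump: int = 64):   # 64 is an assumed threshold
        self.whitelist = {m.lower() for m in whitelist}
        self.max_seq_jump = max_seq_jump
        self.last_seq = {}       # bssid -> last sequence number seen from it
        self.events = []

    def feed(self, frame: bytes) -> None:
        f = parse_80211(frame)
        if f["type"] != MGMT or f["subtype"] not in (BEACON, PROBE_RESP):
            return               # other frames need the DS bits to locate the BSSID
        bssid = f["addr3"]
        if bssid not in self.whitelist:
            self.events.append(("ROGUE_AP", bssid))
            return
        prev = self.last_seq.get(bssid)
        self.last_seq[bssid] = f["seq"]
        if prev is None:
            return
        # A real AP increments by one per frame; a second radio using the same BSSID
        # shows up as a jump or a step backwards. The counter wraps at 4095.
        delta = (f["seq"] - prev) % 4096
        if delta == 0 or delta > self.max_seq_jump:
            self.events.append(("MAC_SPOOFING", bssid, prev, f["seq"]))

def beacon(bssid: str, seq: int) -> bytes:
    """Constructed sample: a minimal beacon MAC header from `bssid` with sequence number `seq`."""
    return struct.pack("<H2s6s6s6sH", 0x0080, b"\0\0", b"\xff" * 6,
                       mac_bytes(bssid), mac_bytes(bssid), (seq & 0xFFF) << 4)
```

A spoofed BSSID raises one alert per interleaved frame, which is why the slide correlates several techniques before declaring a spoof.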

  19. Rogue Access Points: Evaluation
  • Evaluation will help us to determine
    • If rogue access points are interconnected to internal networks
    • The exact location of rogue access points
    • The approximate physical location of rogue access points
  • ‘Automatic’ association of a wireless probe to a rogue access point
    • Retrieve the ESSID thanks to syslog events
    • Associate, act as a DHCP client and send a packet to the internal network and/or to the Internet
    • If resultcode == success, this is a critical vulnerability!!!
  • Of course, this must be used with caution
    • Do not connect to (millions of) fake access points!
    • De-activate bridging, put firewall rules on your wireless interface…

  20. Rogue Access Points: Evaluation
  • Seek in switches' MAC tables
    • Source and destination MAC addresses of data frames
    • BSSID +1/–1 MAC addresses
    • Performed thanks to Netdisco, an open source network management tool
  • Equipment geolocation thanks to signal strength analysis
    • Use the RSSI (Received Signal Strength Index)
    • Available in the PRISM monitoring header in monitor mode
    • Hard to design an efficient technique (calibration, propagation model, attenuation model, interferences…)
    • Define if an access point is within the corporate physical perimeter
  • But these techniques cannot mitigate rogue access points!

  21. Rogue Access Points: Mitigation
  • Switch port shutdown thanks to evaluation results
    • As false alarms are always possible, switch port shutdown is up to the decision of the site administrator
    • Our tool only provides the information necessary to take an action
    • You must be sure! De-activating legitimate access points is not an option!
  • Radio containment capabilities could be developed (seeking some clues for wl driver injection!)
    • DEAUTH/DISASSOC frames may be sent to prevent clients from associating to rogue access points
    • You must be sure! DoSing neighbors is not an option!
  • These techniques are effective, but must be activated with caution!

  22. Example: Rogue AP Location
  [Diagram: the probe associates to the rogue access point and tests whether the internal network is reachable]
  • Associate to the rogue access point (bridge or router mode) to determine if
    • An IP address is given thanks to DHCP
    • An internal IP address is reachable thanks to a PING request
  • Determines whether the rogue access point is interconnected to internal networks or not

  23. Example: Rogue AP Location
  [Diagram: the probe observes a TO_DS data frame going through the rogue access point (bridge mode); its destination is an internal MAC address: YES!!!]
  • Search for the destination MAC address of a “TO_DS DATA frame” sent through a rogue access point (in bridge mode)
    • Thanks to switches' MAC tables
  • Determines whether the rogue access point is interconnected to internal networks or not

  24. Example: Rogue AP Location
  [Diagram: the wireless client MAC address is searched in switches' MAC tables; result: Switch XXX.XXX.XXX.XXX, Port Y.Z!!!]
  • Search for the wireless client MAC address seen through a rogue access point (in bridge mode)
    • Thanks to switches' MAC tables
  • Determines the exact location of the rogue access point

  25. Example: Rogue AP Location
  [Diagram: the BSSID +1/-1 MAC address is searched in switches' MAC tables; result: Switch XXX.XXX.XXX.XXX, Port Y.Z!!!]
  • Search for the BSSID +1/-1 MAC address (sometimes)
    • Thanks to switches' MAC tables
  • Determines the exact location of the rogue access point
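An added example of the switch MAC table lookups from slides 20, 23, 24 and 25 (not the presentation's Netdisco-based tooling): the BSSID +1/-1 candidates and the wireless client MACs are looked up in a constructed CAM table dump, and when a MAC is learned on several ports the port with the fewest learned MACs is taken as the edge port, which is an assumption beyond the slides.

```python
from collections import defaultdict

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def int_to_mac(n: int) -> str:
    return ":".join(f"{(n >> s) & 0xFF:02x}" for s in range(40, -1, -8))

def bssid_neighbours(bssid: str) -> list:
    """BSSID+1/-1: the wired MAC of many consumer APs is the radio MAC plus or minus one."""
    n = mac_to_int(bssid)
    return [int_to_mac((n + d) & 0xFFFFFFFFFFFF) for d in (1, -1)]   # wraps at 48 bits

# Constructed CAM-table dump: (switch, port, learned MAC). A MAC reached through an uplink
# is learned on several switches; the edge port is the one with the fewest learned MACs.
CAM_TABLE = [
    ("sw-core", "Gi1/1", "00:aa:bb:cc:dd:ef"),
    ("sw-core", "Gi1/1", "00:0c:29:11:22:33"),
    ("sw-core", "Gi1/1", "00:50:56:aa:bb:01"),
    ("sw-core", "Gi1/1", "00:50:56:aa:bb:02"),
    ("sw-floor3", "Fa0/24", "00:50:56:aa:bb:01"),
    ("sw-floor3", "Fa0/24", "00:50:56:aa:bb:02"),
    ("sw-floor3", "Fa0/7", "00:aa:bb:cc:dd:ef"),
    ("sw-floor3", "Fa0/7", "00:0c:29:11:22:33"),
]

def locate_rogue(bssid: str, wireless_clients: list, cam: list) -> dict:
    """Return {mac: (switch, port, how)} for BSSID+/-1 and client MACs found on the wired side."""
    seen_on = defaultdict(list)      # mac -> [(switch, port), ...]
    port_size = defaultdict(int)     # (switch, port) -> number of learned MACs
    for sw, port, mac in cam:
        seen_on[mac.lower()].append((sw, port))
        port_size[(sw, port)] += 1
    candidates = [(m, "bssid+/-1") for m in bssid_neighbours(bssid)]
    candidates += [(m.lower(), "wireless client") for m in wireless_clients]
    hits = {}
    for mac, how in candidates:
        if mac in seen_on:
            sw, port = min(seen_on[mac], key=lambda sp: port_size[sp])
            hits[mac] = (sw, port, how)
    return hits
```

Any hit means the rogue access point is interconnected with the internal network; the slide leaves the port shutdown decision to the site administrator.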

  26. Feedback and Guidelines

  27. Mitigating Rogue AP Guidelines
  • Have a physical security policy, especially for RJ45 plugs in meeting rooms!
  • Consider IEEE 802.1X network access control on your RJ45s
  • Know the configuration of your wireless infrastructure (BSSIDs, ESSIDs, crypto protocols…)
  • Harden laptops' configuration (prevent them from associating to interfering or rogue access points, avoid double attachment and information leaking)
  • Deploy a Wireless IDS to achieve observation at the radio level

  28. Wireless IDS Deployment Guidelines
  • Cost-effective solution fitting your environment
  • Must have minimal impact on your architecture
  • Should have equipment tracking and location
  • Tune your ruleset for performance and effectiveness
  • Deploy enough wireless probes at the edge of your physical perimeter
  • Evaluate packet losses on your wireless probes
  • Do not trust anything! Audit your deployment! (are attacks really detected?)

  29. Feedback
  • Developing a robust wireless IDS is not trivial
    • You must deal with a load of events (hundreds per second)
    • Building an efficient GUI for sysadmins is not trivial
    • That's the challenge!
  • Difficulties in identifying all interfering access points
    • What about neighbors, hot spots, …
    • You must be sure!
  • False positive rate is a classic issue for IDS technologies
    • Minimize this rate thanks to enhanced correlation
  • Performance issues
    • Lightweight wireless probes may have packet losses
    • SQL table may become huge

  30. Conclusions
  • Wi-Fi technologies are changing corporate security policies
    • Misconfigurations and rogue access points are critical vulnerabilities
    • Even corporate networks without Wi-Fi enabled may be vulnerable
    • Can you tell me about the status of your wireless networks?
  • Wireless IDS seems to become mandatory
    • Wireless IDS should detect most wireless security issues
    • Help to detect abnormal events that cannot be seen by classic tools
    • Help to detect, evaluate and locate rogue access points
    • Help to react on security incidents
    • Must be combined with a Yagi antenna!
    • How could you locate the guy DoSing the FIRST wireless networks?!?
    • Or the guy with a fake FIRST access point who will exploit a remote root on your system?!?

  31. Questions? Thanks for your attention
