Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhancing the Security of Corporate Wi-Fi Networks Using DAIR

Published byEverett Gordon Modified over 6 years ago

Similar presentations

Presentation on theme: "Enhancing the Security of Corporate Wi-Fi Networks Using DAIR"— Presentation transcript:

1 Enhancing the Security of Corporate Wi-Fi Networks Using DAIR
Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh**, Alec Wolman, Brian Zill Microsoft Research **Cornell University

2 Motivation Corporations becoming increasingly dependent on WLAN infrastructure Worldwide enterprise WLAN business expected to grow from $1.1 billion this year to $3.5 billion in 2009 Wi-Fi networks are vulnerable to many threats Rogue AP, Denial of Service, Phishing … DefCon 2005 : Wi-Fi Pistol, Wi-Fi Sniper Rifle, Wi-Fi Bouncing, AirSnarf box Clarify what each attack means 2

3 Example : Rogue AP Careless employee brings AP from home and plugs it into corporate Ethernet Bypasses corporate Wi-Fi security measures For example: WPA, 802.1X Permits unauthorized users to connect to corporate network Malicious user outside the building? Widespread Problem Ongoing concern for MS IT department Surveyed two major US universities, found multiple rogue APs

4 Need for WiFi Monitoring Systems
Preventive measures such as 802.1X do not guarantee full security In addition, need WiFi monitoring system to detect problems in operational WiFi networks Detect Rogue AP by overhearing packets containing unknown BSSID

5 Challenges in Building an Enterprise-scale WiFi Monitoring System
Scale of WLAN Microsoft’s WLAN has over 5000 APs Need to deploy many monitors Rapid fading of signal in indoor environment Multiple orthogonal channels May need observations from multiple vantage points Pinpoint location of rogue AP

6 Demonstrates need for dense deployment of monitors
Example Scenario X X X X X Monitors Rogue AP and Client Demonstrates need for dense deployment of monitors

7 State of the Art AP-based monitoring [Aruba, AirDefense ..]
Pros: Easy to deploy (APs are under central control) Cons: Single radio APs can not be effective monitors Specialized sensor boxes [Aruba, AirTight, …] Pros: Can provide detailed signal-level analysis Cons: Expensive, so can not deploy densely Monitoring by mobile clients [Adya et. al., MobiCom’04] Pros: Inexpensive, suitable for un-managed environments Cons: Coverage not predictable: mobile, battery-powered clients Only monitor the channel they are connected on

8 + Observation DAIR: Dense Array of Inexpensive Radios
Desktop PC’s with good wired connectivity are ubiquitous in enterprises Outfitting a desktop PC with wireless is inexpensive Wireless USB dongles are cheap As low as $6.99 at online retailers PC motherboards are starting to appear with built-in radios + Single domain of trust Combine to create a dense deployment of wireless sensors DAIR: Dense Array of Inexpensive Radios

9 DAIR Architecture Land Monitor (1 per subnet) AirMonitor AirMonitor
Wired Network Four main components: AirMon, LandMon: use wired services like DHCP, ex, Database, Inference AirMonitors: wireless sensors. Primarily passive, in certains cases generate active traffic LandMonitors: wired sensors. One per subnet. (make clear) Inference engine: queries database, performs complex, cpu intensive computations. Database: goal is to support a small # of 100’s of clients per database Inference Engine Other data: SNMP, Configuration Database

10 Submit list of all unique BSSIDs seen on a given channel
Monitor Architecture SQL Helper Database Every 30 seconds: Submit list of all unique BSSIDs seen on a given channel Filter Filter Filter Processor Driver Interface Wireless NIC Driver Wired NIC Driver

11 Key Characteristics of DAIR
High sensor density at low cost Leverages existing desktop resources Effective monitoring in indoor environments Can tolerate loss of a few sensors Sensors are (mostly) stationary Provides predictable coverage Permits meaningful historical analysis To reiterate, the key characteristics of DAIR are … Self configuration is not a direct consequence of the basic idea. Rather, it is a need (due to high sensor density), and we have explicitly designed our system to be so. 11

12 Applications of the DAIR Platform
Security applications Detecting attacks on Wi-Fi networks Responding to such attacks Performance management Monitor RF coverage Load balancing Location service to support above applications

13 A Partial List of Threats to Wi-Fi Networks
Rogue AP / Rogue Wireless Networks Denial of service Fake Disassociation [Bellardo and Savage 2003] NAV attack [Bellardo and Savage, 2003] DIFS attack [Raya, Hubaux and Aad 2004] Jamming Phishing Set up a “fake” AP that advertises well known SSID Lure unsuspecting users Acquire passwords What does aquire passwords mean?

14 Rogue Wireless Networks
An uninformed or careless employee who doesn’t understand (or chooses not to think about) the security implications Brings AP from home, and attaches it to the corporate network Configures desktop PC with wireless interface to create a rogue ad-hoc network Bypasses security measures such as WPA, 802.1X Trivial to create a rogue ad-hoc network with a desktop machine

15 Simple Solution AirMonitor AirMonitor Database Inference Engine
0C:3B:5A: Joe’sAP Database Known: Seen: Four main components: AirMon, LandMon: use wired services like DHCP, ex, Database, Inference AirMonitors: wireless sensors. Primarily passive, in certains cases generate active traffic LandMonitors: wired sensors. One per subnet. Inference engine: queries database, performs complex, cpu intensive computations. Database: goal is to support a small # of 100’s of clients per database BSSID SSID 00:08:AC … MSFT 00:09:3B … MSRLAB BSSID SSID 00:08:AC … MSFT 00:09:3B … MSRLAB BSSID SSID 00:08:AC … MSFT 00:09:3B … MSRLAB 0C:3B:5A: Joe’sAP Inference Engine

16 Problem with the Simple Solution
False Positives Multi-office buildings False negatives Malicious attacker fakes authorized SSID / BSSID DAIR can help reduce both false positives and false negatives No foolproof way to avoid false positives/negatives completely DAIR raises bar while generating fewer alarms Raises bar enough to prevent careless users from doing damage

17 Reducing False Positives
Detect whether rogue AP is connected to corporate wired network Series of tests: Association test Source/destination address test Replay test

18 Association Test ? Machine inside corporate firewall AirMonitor
0C:3B:5A: Joe’sAP ? AirMonitor Database Inference Engine Four main components: AirMon, LandMon: use wired services like DHCP, ex, Database, Inference AirMonitors: wireless sensors. Primarily passive, in certains cases generate active traffic LandMonitors: wired sensors. One per subnet. Inference engine: queries database, performs complex, cpu intensive computations. Database: goal is to support a small # of 100’s of clients per database Machine inside corporate firewall If AirMonitor can connect to machine inside firewall via AP then AP is connected to corporate wired network

19 Association Test Test will fail if AP uses WEP or MAC address filtering People configure home APs with WEP or MAC filtering Failure means we need additional tests …

20 Source / Destination Address Test
? AirMonitor Land Monitor Database Inference Engine Four main components: AirMon, LandMon: use wired services like DHCP, ex, Database, Inference AirMonitors: wireless sensors. Primarily passive, in certains cases generate active traffic LandMonitors: wired sensors. One per subnet. Inference engine: queries database, performs complex, cpu intensive computations. Database: goal is to support a small # of 100’s of clients per database MAC Addrs Of Subnet Routers Subnet Router 08:5B:3F: … 08:3C:4F:…

21 Source / Destination Address Test
Data Frame (with encryption): Unencrypted Header Encrypted Payload MAC Addresses: Receiver Transmitter Destination Access Point Client Known Address? If Destination Address belongs to a subnet router, then AP Is connected to corporate wired network Similar test for Source Address

22 Source / Destination Address Test
Test will fail if AP is really a NAT/Router Many home APs combine AP and NAT/router functionality Failure means that additional tests are needed

23 Replay Test ? ? At the same time LandMonitors are alerted to watch
X 1 2 3 4 ? AirMonitor X ? X X X Inference Engine Four main components: AirMon, LandMon: use wired services like DHCP, ex, Database, Inference AirMonitors: wireless sensors. Primarily passive, in certains cases generate active traffic LandMonitors: wired sensors. One per subnet. Inference engine: queries database, performs complex, cpu intensive computations. Database: goal is to support a small # of 100’s of clients per database Land Monitor At the same time LandMonitors are alerted to watch for duplicate packets on wired network. One of the AirMonitors replays captured packets Each packet replayed multiple times AirMonitors capture data packets

24 Replay Test No need to decrypt packets Works for NAT/Routers
Even rogue ad-hoc networks Fails if replay-resistant crypto scheme is used WPA2

25 Scalability Load on database server Load on individual AirMonitors Additional wired network traffic

26 Load on Database Server
100 80 60 CPU Load (%) 40 20 1AM 5AM 9AM 1PM 5PM 9PM 1AM 12 AirMonitors AirMonitors submit summarized data every 2 minutes Database Server: MS-SQL 2005, 1.7GHz P4 with 1GB RAM

27 Machine not running AirMonitor Machine running AirMonitor
Load on Client Machine 25 50 75 100 1AM 9PM 5PM 1PM 9AM 5AM Load (%) Machine not running AirMonitor Machine running AirMonitor Am has steady cpu load Additional Network Traffic: 2-5Kbps per AirMonitor

28 Summary Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment Explored ways to leverage the platform to monitor threats to Wi-Fi networks

29 Related Work Campus-wide Wi-Fi monitoring system [Kotz and Essin 2005]
Monitoring corporate network for mobility patterns [Balazinska and Castro 2003] Tools for analysis of packet-level Wi-Fi traces WIT [Mahajan et. al. 2006] JigSaw [Cheng et. al. 2006]

30 DAIR ongoing work Which channels should each AirMonitor listen on?
What scanning strategy to use? [Deshpande et. al. 2006] Depends on density of AirMonitors, environment Building an effective location system Building performance management tools

31 Backup slides

32 Wired Solutions Monitor CAM tables for unauthorized Ethernet addresses
Not scalable Easy to fake Ethernet address Monitor DHCP requests, deny from unauthorized clients Bypassed using authorized client as forwarder IPSec Not widely used: hard to manage in heterogeneous environments Bypassed using authorized clients acting as forwarders Many machines on corporate LANs do not use IPSec Management servers on switches, printers Gateway machines

33 Reducing False Negatives
Suspect is using an “authorized” SSID / BSSID If the “real” AP is still active Packet sequence numbers not monotonic If real AP is not active Determine location of suspect If different than expected, raise alarm

34 Red: Beacon reception rate Blue: Data packet reception rate
Example: Indoor WLAN Monitoring 0% 26% 0% 0% 97% 1.7% Why density? Why need lot of data packets? 0% %0 Rapid loss of signal strength in indoor environments Rogue AP and Client Monitors Complex, time-varying signal propagation Red: Beacon reception rate Blue: Data packet reception rate

35

36 Taxonomy of Attacks on Wi-Fi Networks
Eavesdropping Passive snooping (perhaps with high-gain antennas) Nearly impossible to detect Cryptographic techniques generally considered sufficient. Intrusion Rogue AP / Rogue Ad-hoc network Cryptographic techniques not enough, need continuous monitoring Denial of Service Fake deauthentication/disassociation, NAV attacks Need monitoring system. Phishing Intrusion – access alone enough for DoS

37 Enterprise-scale WLAN Monitoring System Challenges and Design Requirements
Rapid fading in indoor environments Complex, time-varying signal propagation Many orthogonal channels Need information from many monitors Dense deployment of monitors Many orthognal channel needs to stand out Monitors must be self-configuring Scalable data gathering and processing Must cope with incomplete data

38 Replay Test AirMonitors replay packets with suspect BSSID
If suspect is AP, only replay packets with ToDS bit set No need to decrypt packet Each packet is replayed multiple times (say 5) LandMonitors detect if duplicate packets are seen on wired network Works for rogue ad-hoc networks Fails if suspect is using WPA2 or other crypto schemes that are robust against replay attacks

39 Monitor Architecture Extensibility : new task = new filter
Filters summarize what they hear, periodically submit summaries to a db server. Filter for Rogue wireless detection summarizes SSID and BSSID information. All support modules make the filters simple to write. 39

Download ppt "Enhancing the Security of Corporate Wi-Fi Networks Using DAIR"

Similar presentations

Wi-Fi Technology.

Wi-Fi Technology.
Enterprise Wireless LAN (WLAN) Management and Services

Enterprise Wireless LAN (WLAN) Management and Services
1 DAIR: Dense Array of Inexpensive Radios Managing Enterprise Wireless Networks Using Desktop Infrastructure Victor Bahl, Jitendra Padhye, Lenin Ravnindranath,

1 DAIR: Dense Array of Inexpensive Radios Managing Enterprise Wireless Networks Using Desktop Infrastructure Victor Bahl, Jitendra Padhye, Lenin Ravnindranath,
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
Wireless and Switch Security NETS David Mitchell.

Wireless and Switch Security NETS David Mitchell.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Wireless Security. Objective: Understand the benefits of a wireless network Understand security risks Examples of vulnerabilities Methods to protect your.

Wireless Security. Objective: Understand the benefits of a wireless network Understand security risks Examples of vulnerabilities Methods to protect your.
1 DAIR: Dense Array of Inexpensive Radios Managing Enterprise Wireless Networks Using Desktop Infrastructure Victor Bahl †, Jitendra Padhye †, Lenin Ravnindranath.

1 DAIR: Dense Array of Inexpensive Radios Managing Enterprise Wireless Networks Using Desktop Infrastructure Victor Bahl †, Jitendra Padhye †, Lenin Ravnindranath.
A Location-Based Management System for Enterprise Wireless LANs Ranveer Chandra, Jitendra Padhye, Alec Wolman and Brian Zill Microsoft Research.

A Location-Based Management System for Enterprise Wireless LANs Ranveer Chandra, Jitendra Padhye, Alec Wolman and Brian Zill Microsoft Research.
A Location-based Management System for Enterprise Wireless LANS Ranveer Chandra, Jitendra Padhye, Alec Wolman, Brian Zill Microsoft Research, NSDI 2007.

A Location-based Management System for Enterprise Wireless LANS Ranveer Chandra, Jitendra Padhye, Alec Wolman, Brian Zill Microsoft Research, NSDI 2007.
A Guide to major network components

A Guide to major network components
1 Computer Networks Course: CIS 3003 Fundamental of Information Technology.

1 Computer Networks Course: CIS 3003 Fundamental of Information Technology.
195Eg Ethernet Wired LAN 195Eg. Wireless Ethernet Setting IP Address Using Utility Programs Begin Programming Definition Selection Programming Modes of.

195Eg Ethernet Wired LAN 195Eg. Wireless Ethernet Setting IP Address Using Utility Programs Begin Programming Definition Selection Programming Modes of.
Networking Components

Networking Components
Wi-Fi Neighborcast: Enabling communication among nearby clients

Wi-Fi Neighborcast: Enabling communication among nearby clients
Hosted by IDS for WLANs The Mansfield Group, LLC 802.11 Security for Enterprise Networks www.itvshop.com Wireless LAN Security Workshop Wash DC Honolulu.

Hosted by IDS for WLANs The Mansfield Group, LLC Security for Enterprise Networks Wireless LAN Security Workshop Wash DC Honolulu.
A Policy-based Approach to Wireless LAN Security Management George Lapiotis, Byungsuk Kim, Subir Das, Farooq Anjum Speaker: George Lapiotis

A Policy-based Approach to Wireless LAN Security Management George Lapiotis, Byungsuk Kim, Subir Das, Farooq Anjum Speaker: George Lapiotis
NETWORKING COMPONENTS By Cleve Rosser. Hubs allow large numbers of computers to be connected on a single or multiple LAN. Each computer plugs into the.

NETWORKING COMPONENTS By Cleve Rosser. Hubs allow large numbers of computers to be connected on a single or multiple LAN. Each computer plugs into the.
Wi-Fi Wireless LANs Dr. Adil Yousif. What is a Wireless LAN  A wireless local area network(LAN) is a flexible data communications system implemented.

Wi-Fi Wireless LANs Dr. Adil Yousif. What is a Wireless LAN  A wireless local area network(LAN) is a flexible data communications system implemented.

Similar presentations

Ads by Google