1. Enhancing the Security of Corporate Wi-Fi Networks using DAIR PRESENTED BY SRAVANI KAMBAM 1

2. Outline:  Introduction  Attacks on Wi-Fi Networks  DAIR Architecture  Detecting Attacks  Experimental Results  Channel Assignment  Limitations  Related Work  Future Work  Conclusion 2

3. Introduction  DAIR-Dense array of Inexpensive Radios  Framework for monitoring enterprise wireless networks  DAIR framework to detect  Rogue wireless devices  Denial of Service attacks  Prior proposals:  Combination of access points, mobile clients and dedicated sensor nodes  Dense deployment of sensors is necessary for effective monitoring  2 Observations- Plenty of desktop computers with wired connectivity and availability of inexpensive USB-based wireless adapters 3

4. Attacks on Wi-Fi Networks  Eavesdropping  Intrusion  Denial of Service(DoS)  Phishing 4

5. DAIR Architecture  Air Monitors  The Land Monitors  The Inference Engine  The Database 5

6. 6

7. Detecting Attacks  Intrusion Attacks  Guarding Against False Positives  Association Test  Source/Destination Address Test  Replay Test  DHCP Signature Test  Guarding Against False Negatives  DoS Attacks  Deauthentication/Disassociation Attacks  NAV attacks 7

8. Experimental Results  Test Environment  Sensor Deployment Density  System scalability  Demonstrative Results  Delay Incurred by the Association Test  Effectiveness of the Replay Test  Effectiveness of DHCP Test  Threshold for Detecting Disassociation Attacks 8

9. Channel Assignment  Which channels the DAIR nodes should listen on??? 9

10. Limitations  DAIR assumes the availability of stationary Desktop computers with good wired network connectivity.  DAIR can never guarantee that a suspect device is harmless.  If all the tests fail, we still cannot say that the suspect device is not connected to the corporate network.  DAIR monitoring system is at risk, if some component of the monitoring system is compromised.  Desktop systems-False data submitted, large number of alarms, Denial of Service attacks  DAIR adds a wireless interface to desktop systems which may make them more vulnerable. 10

11. Related Work  Firewalls prevent unauthorized users from gaining access to the network.  IDSs detect compromised machines in the network.  They detect once the attack is launched  High false positive rate-hence not useful  IPSec secures the communication channel between two authorized machines.  VPN software uses this.  These reduces the attacks but does not secure the network against the attacks like DoS.  Does not detect rogue Wi-Fi devices  DAIR  Detects and locates the rogue Wi-Fi devices  Detects various DoS attacks  Few false positives  Minimal human intervention. 11

12. Related Work Cont..  Two Approaches  APs  Dedicated and expensive custom hardware sensors for RF monitoring  One prior research paper on detecting rogue devices  Mobile clients and APs  Any unknown AP is flagged as rogue AP, even if it not plugged into corporate network.  Rogue adhoc networks are not detected  DoS attacks not detected  Another research on detecting greedy and malicious behavior in IEEE 802.11 neworks.  DOMINO  AP based solution for detecting greedy behavior in IEEE 802.11 hotspots. 12

13. Future Work: Initially deployed on a small scale but can be scaled to larger deployments 1. Plan to expand initial deployment to cover entire office building. 2.Building additional performance monitoring and network management applications using the DAIR framework 3.Extending DAIR system to support accurate location determination. 13

14. Conclusion  DAIR ◦For monitoring enterprise wireless networks using desktop machines ◦Takes advantage of key attributes of desktop infrastructure ◦Dense deployment ◦Stationarity ◦Wired connectivity ◦Spare CPU and disk resources  DAIR monitors ◦Security breaches ◦Denial of Service attacks  DAIR reduces  False negative alarms  False positive alarms 14

15. Thank You! 15