NETW 05A: APPLIED WIRELESS SECURITY
Additional Security Solutions
By Mohammad Shanehsaz
Spring 2005
This work is supported by the
National Science Foundation under
Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives
Describe the following types of intrusion detection methods and tools for WLANs:
- 24x7 centralized, skilled monitoring
- Honey pots
- Professional security audits
- Accurate, timely reporting
- Distributed agent software
- Security spot checking
- Available wireless LAN intrusion detection software and hardware tools
Intrusion Detection Systems
- An IDS inspects inbound and outbound traffic and attempts to identify suspicious activity
- An IDS differs from a firewall in that a firewall monitors for intrusions in order to stop them, while an IDS signals an alarm
- A wireless IDS can search a WLAN for vulnerabilities, detect and respond to intruders, and help manage the WLAN
- A wireless IDS uses sensors that monitor all wireless traffic and report it to the central server
- The sensors provide 24x7 real-time monitoring
Features of IDS
- Network-based vs. host-based monitoring
- Passive vs. reactive monitoring
- Misuse detection
- Anomaly detection
- Vulnerability detection
- Performance monitoring
Network-based vs. Host-based
- Network-based IDS listen on the wireless segment through wireless sensors
  - To monitor all wireless traffic, sensors must be placed at, in, or near every access point
- Host-based IDS examine data on each host computer and require that IDS agents be running on each node in order to report suspicious activity back to the central server
  - They are able to monitor attacks against an individual computer more thoroughly
Passive vs. Reactive
- IDS in passive mode: if any attacks occur, the IDS raises various alarms to inform the appropriate security personnel to take action
- IDS in reactive mode: the IDS reacts to attacks and eliminates them by shutting down services, restricting access to services, or disconnecting them altogether
- Passive vs. reactive behaviour is configured through policy settings in the IDS
Misuse Detection
- To detect misuse, the IDS must monitor business rules for the WLAN, some of which are:
  - Limit access points to only operate on specific channels
  - Require all wireless LAN traffic to be encrypted
  - Prohibit SSIDs from being broadcast unmasked
  - Limit traffic on the wireless LAN to occur only within certain hours of the day
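The four business rules above expressed as misuse-detection checks over sensor observations, as an added example (not code from the original slides). The observation fields, the policy values and the two sample observations are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time

# Constructed observation of one frame as a WIDS sensor might report it
@dataclass
class Observation:
    bssid: str
    ssid: str            # "" when the AP masks (hides) its SSID in beacons
    channel: int
    encrypted: bool      # True when the frame payload is encrypted
    seen_at: time        # local time the sensor captured the frame

# The slide's business rules as policy parameters (assumed values)
POLICY = {
    "allowed_channels": {1, 6, 11},
    "require_encryption": True,
    "forbid_ssid_broadcast": True,
    "hours": (time(7, 0), time(19, 0)),
}

def check_misuse(obs, policy=POLICY):
    """Return the list of business rules the observation violates."""
    violations = []
    if obs.channel not in policy["allowed_channels"]:
        violations.append(f"channel {obs.channel} not permitted")
    if policy["require_encryption"] and not obs.encrypted:
        violations.append("unencrypted WLAN traffic")
    if policy["forbid_ssid_broadcast"] and obs.ssid:
        violations.append(f"SSID '{obs.ssid}' broadcast unmasked")
    start, end = policy["hours"]
    if not (start <= obs.seen_at <= end):
        violations.append(f"traffic outside permitted hours at {obs.seen_at}")
    return violations

# Constructed sample observations: one compliant AP, one breaking every rule
SAMPLES = [
    Observation("00:11:22:33:44:55", "", 6, True, time(9, 30)),
    Observation("00:11:22:33:44:66", "corp-wifi", 3, False, time(23, 15)),
]

def scan(observations, policy=POLICY):
    """Map each BSSID to its violations; BSSIDs with none are omitted."""
    return {o.bssid: v for o in observations if (v := check_misuse(o, policy))}
```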
Anomaly Detection
- Monitors network segments to compare their current status to the normal baseline
- Baselines should be established for typical network load, protocols, and packet size
- Appropriate personnel should be alerted to any anomalies
Vulnerability Detection
- Vulnerabilities in wireless LANs can be detected in real time
  - Locating any ad-hoc networks that are actively transmitting traffic is one way to keep peer-to-peer attacks from occurring
  - Locating an open rogue access point that has hijacked an authorized user is another
Performance Monitoring
- Since a WLAN has limited bandwidth, we need to determine who is using the bandwidth and when
- We don't need performance monitoring if the IDS has built-in rate-limiter functionality, but we can use it to report on usage statistics for future growth
Monitoring and Maintenance
- Monitoring must be active 24x7 to be effective
- The security policy must define contact personnel and what steps to take to respond properly
- The reports that are generated from an IDS must be treated with utmost importance
- Periodic upgrades and ongoing training for the IDS specialist ensure continued success in effective use of the IDS
- Periodic spot-checking of the IDS should be considered mandatory
Thin Clients
- Based on a hybrid of the mainframe-terminal and the client-server model
- Clients run an OS of their own, but all processing is done at the server
- Come in the form of thin client software running on a notebook computer or an actual machine
- Low total cost of ownership
- Peer-to-peer attacks yield no useful info
- They pass screenshots, mouse clicks, and screen updates, which use minimal bandwidth
- Client authentication is required
- SSH2 can be used to authenticate and tunnel encrypted traffic
Authenticated DHCP Services
- IETF RFC 3118 adds authentication to DHCP
- DHCP clients and servers are able to authenticate one another
- IP connectivity is given only to authorized clients
- Prevents rogue and malicious DHCP clients and servers from unauthorized access, DoS, theft of service, or hijacking attacks
- To implement it, administrators must deploy RFC 3118-compatible software on all PCs and upgrade existing DHCP servers to support DHCP authentication
- Users must also devise an authentication key scheme and distribute it to all authenticated DHCP clients
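How the RFC 3118 delayed-authentication option ties a DHCP message to a shared key and detects replays, as an added example (not code from the slides or from any DHCP implementation). It assumes the message body already has giaddr and hops zeroed and that the authentication option is the last bytes of the message; the key table, secret ID and sample body are constructed.

```python
import hmac
import hashlib
import struct

OPTION_AUTH = 90                        # DHCP Authentication option (RFC 3118)
PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER = 1, 1, 0
FIELDS_FMT = "!BBBQI"                   # protocol, algorithm, RDM, replay detection, secret ID
FIELDS_LEN = struct.calcsize(FIELDS_FMT)
OPT_LEN = FIELDS_LEN + 16               # fields plus the 16-byte HMAC-MD5

# Constructed key table: 32-bit secret ID -> shared key distributed to clients
KEYS = {0x2A: b"example-shared-secret"}
# Constructed stand-in for the fixed DHCP header and preceding options
SAMPLE_BODY = bytes([0x02, 0x01, 0x06, 0x00]) + b"\x00" * 232

def build_auth_option(body, secret_id, key, counter):
    """Append a delayed-authentication option to `body`.
    The HMAC covers body + option with the HMAC field zeroed, so any change to
    the message or to the replay counter invalidates it."""
    prefix = bytes([OPTION_AUTH, OPT_LEN]) + struct.pack(
        FIELDS_FMT, PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, counter, secret_id)
    mac = hmac.new(key, body + prefix + b"\x00" * 16, hashlib.md5).digest()
    return body + prefix + mac

def verify_auth(message, last_counter, keys=KEYS):
    """Validate the trailing authentication option; return the accepted counter.
    Raises ValueError on a malformed option, unknown key, replay or bad HMAC."""
    body, opt = message[:-(OPT_LEN + 2)], message[-(OPT_LEN + 2):]
    if opt[0] != OPTION_AUTH or opt[1] != OPT_LEN:
        raise ValueError("missing or malformed authentication option")
    proto, alg, rdm, counter, secret_id = struct.unpack(FIELDS_FMT, opt[2:2 + FIELDS_LEN])
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
        raise ValueError("unsupported protocol/algorithm/RDM")
    if counter <= last_counter:               # RDM 0: counter must strictly increase
        raise ValueError("replay detected: counter did not increase")
    key = keys.get(secret_id)
    if key is None:
        raise ValueError("unknown secret ID")
    expected = hmac.new(key, body + opt[:-16] + b"\x00" * 16, hashlib.md5).digest()
    if not hmac.compare_digest(expected, opt[-16:]):
        raise ValueError("HMAC mismatch: message forged or altered")
    return counter
```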
Traffic Baselining
- Analyze the performance of a selected network segment over a period of time (represents network normalcy)
- Provides reference points for current use, and for required modifications when adding new services or users (baselining for performance)
- Identifies performance issues and provides info for security (min, max, or average values from baseline data can be used for setting alarm thresholds in the IDS)
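Deriving IDS alarm thresholds from baseline data and flagging anomalies against them, serving both the Anomaly Detection slide and the Traffic Baselining slide above, as an added example (not code from the original slides). The baseline load samples and the sigma multiplier are assumed values.

```python
from statistics import mean, pstdev

# Constructed baseline: WLAN load in kbit/s sampled every 15 minutes over one normal
# working day (assumed values; a real baseline would span days or weeks)
BASELINE_KBPS = [310, 420, 455, 480, 510, 495, 470, 390,
                 360, 440, 475, 505, 520, 490, 430, 340]

def build_baseline(samples):
    """Summarise baseline data as the min/max/average values the slide refers to."""
    return {
        "min": min(samples),
        "max": max(samples),
        "avg": mean(samples),
        "stdev": pstdev(samples),
    }

def alarm_thresholds(baseline, sigma=3.0):
    """Derive IDS alarm thresholds from the baseline (assumed policy: mean +/- sigma
    standard deviations, with the ceiling never below the largest baseline value so
    that ordinary peaks do not raise alarms, and the floor never below zero)."""
    spread = sigma * baseline["stdev"]
    low = max(0.0, baseline["avg"] - spread)
    high = max(float(baseline["max"]), baseline["avg"] + spread)
    return low, high

def detect_anomalies(readings, thresholds):
    """Return (index, value, reason) for every reading outside the thresholds."""
    low, high = thresholds
    findings = []
    for i, value in enumerate(readings):
        if value > high:
            findings.append((i, value, "load above baseline ceiling"))
        elif value < low:
            findings.append((i, value, "load below baseline floor"))
    return findings
```

Packet-size and per-protocol baselines from the Anomaly Detection slide follow the same pattern with a different sample series.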