Technical Brief
Wireless Intrusion Protection
Introduction
One layer of the multi-layer wireless security solution provided by Aruba Wireless Networks is the ability to “lock the air”
using wireless intrusion prevention technology built into every Aruba switch and AP. This technology provides all RF
security features, including policy configuration, real-time monitoring, RF countermeasures, and wireless intrusion
detection and prevention.
Attacks and Intrusions
The nature of wireless networks makes them attractive targets for intruders. Many intruders are only searching for free
Internet access, and use a number of different probe tools to find it. Others, however, are intent on gaining access to an
enterprise network for malicious purposes – either to steal data, disrupt legitimate communication, or damage data.
Wireless intrusion can be classified into several broad categories:
Probing and Network Discovery
Network discovery is a normal part of 802.11, and allows client devices to discover APs and also to learn about
available services provided by APs. While network discovery itself does not necessarily lead to security
problems, it is the first step that an attacker needs to accomplish before moving on to more serious intrusion
attempts.
Denial of service attack
DoS attacks are designed to prevent or inhibit legitimate users from accessing the network. This includes
blocking network access completely, degrading network service, and increasing processing load on clients and
network equipment.
Surveillance
Surveillance allows an attacker to passively monitor and capture data from a wireless network. The primary means of
overcoming the risk of surveillance is encryption: either link-layer encryption such as TKIP (WPA) or AES-CCMP (WPA2), or
network-layer encryption such as IPsec. WEP also encrypts the link layer, but its known key-recovery weaknesses mean it
should not be relied on (see "Detection of weak WEP implementation" below).
Impersonation
Impersonation attacks in a wireless network typically involve an attacker taking on the address of a valid client or
AP and trying to obtain access or services typically reserved for those valid clients or APs. Because wireless
devices are not at the end of a physical cable, it can be difficult to detect such an attack taking place. In a
worst-case scenario, an impersonating AP could fool a client into connecting with it, and then obtain that client’s
authentication credentials.
Client Intrusion
Aruba Networks
Wireless Intrusion Protection
2
Client intrusion attacks attempt to exploit vulnerabilities in client devices to gain access to a network resource.
Most of Aruba’s protection in this area comes from stateful firewalls and from client remediation services rather
than from RF-level protection.
Network Intrusion
A network intrusion attack implies that an attacker is able to gain full access to an enterprise network resource.
Network intrusion attacks are some of the most serious. While the Aruba system is not a traditional wired-side
IDS that can detect such intrusion directly, it does detect and disable many of the doors used in such intrusion
attempts.
Classification is Key To Wireless Security
One of the primary requirements for an RF-layer security device is the ability to classify network elements into either
threats or non-threats. First-generation wireless security devices do not have a complete view of both the wired and
wireless sides of the network, and thus cannot adequately determine what is and is not a threat – such devices take the
simplistic approach of assuming that any unknown device detected in the RF environment is a threat. This approach
works if an enterprise is located in a dedicated and isolated building with RF-shielded walls and windows, but will
generate many false alarms in a typical multi-tenant building or in a dense commercial or industrial area.
Aruba has developed a patent-pending classification algorithm that compares traffic seen on the wireless side of the
network with that seen on the wired side of the network. Upon network installation, each Aruba AP is configured to be
either an access point (AP), providing secure wireless access to users, or an Air Monitor (AM), providing RF monitoring
and security features. APs can be classified as valid, interfering (detected but NOT connected to the wired network), or
rogue.
Air Monitors constantly scan all channels of the RF environment, communicating information back to the Aruba Wi-Fi
switch. The switch is the central control point for the wireless network, providing all access, security, configuration,
monitoring, and management functions. Based on this classification and on the configured policy, the Aruba system can
automatically disable rogue APs or any other AP specified by the administrator.
Likewise, all wireless stations detected in an RF environment are classified into valid, interfering or disabled. Stations on
the disabled list are prevented from associating to any AP.
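The wired/wireless correlation described above, as an added example that is not Aruba's code (Aruba's classification algorithm is proprietary and not described in detail here). An AP that bridges its clients onto the LAN forwards their frames unchanged, so a wireless client's MAC turning up in a wired switch's MAC table ties that AP to the enterprise network. The BSSID-adjacency heuristic for NAT-style rogues, the station rules, and every MAC address below are assumptions constructed for illustration:

```python
"""Classify APs and stations seen over the air by correlating them with the
wired side of the network. Added example, not Aruba code; the adjacency
heuristic and all sample data are constructed assumptions.
"""


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def classify_aps(wireless_aps, valid_bssids, wired_macs, bssid_adjacency=8):
    """Return {bssid: (class, reason)} with class in valid / interfering / rogue.

    wireless_aps: {bssid: set of client MACs seen associated to that BSSID}
    valid_bssids: BSSIDs of the APs the administrator configured
    wired_macs:   MAC addresses learned on wired switch ports (CAM/ARP tables)
    """
    result = {}
    for bssid, clients in wireless_aps.items():
        if bssid in valid_bssids:
            result[bssid] = ("valid", "configured AP")
            continue
        # A bridging AP forwards its clients' frames unchanged, so a wireless
        # client's MAC showing up in a wired MAC table ties that AP to our LAN.
        bridged = sorted(clients & wired_macs)
        if bridged:
            result[bssid] = ("rogue", f"clients {bridged} seen on the wire")
            continue
        # Heuristic (assumption): many SOHO APs derive the radio BSSID from the
        # Ethernet MAC, so a wired MAC a few addresses away from the BSSID is
        # probably the same box. This catches NAT rogues that hide client MACs.
        near = [m for m in wired_macs
                if abs(_mac_int(m) - _mac_int(bssid)) <= bssid_adjacency]
        if near:
            result[bssid] = ("rogue", f"wired MAC {near[0]} adjacent to BSSID")
        else:
            result[bssid] = ("interfering", "no wired-side evidence")
    return result


def classify_stations(wireless_aps, ap_classes, disabled):
    """Stations: disabled if blocklisted, valid if seen on a valid AP, else interfering."""
    result = {}
    for bssid, clients in wireless_aps.items():
        for sta in clients:
            if sta in disabled:
                result[sta] = "disabled"
            elif ap_classes[bssid][0] == "valid":
                result[sta] = "valid"
            else:
                result.setdefault(sta, "interfering")
    return result


# --- constructed sample data (illustrative, not a real network) ------------
VALID_BSSIDS = {"00:0b:86:aa:bb:01"}
WIRELESS_APS = {
    "00:0b:86:aa:bb:01": {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"},  # our AP
    "00:11:22:33:44:55": {"00:aa:bb:cc:dd:01"},  # employee's bridging AP
    "00:14:6c:00:00:11": set(),                  # NAT router, no clients yet
    "00:18:39:12:34:56": {"00:50:f2:aa:aa:aa"},  # neighbour's AP next door
}
WIRED_MACS = {"00:aa:bb:cc:dd:01", "00:14:6c:00:00:10", "00:0c:29:11:11:11"}

if __name__ == "__main__":
    classes = classify_aps(WIRELESS_APS, VALID_BSSIDS, WIRED_MACS)
    for bssid, (cls, why) in classes.items():
        print(f"{bssid}  {cls:<12} {why}")
    print(classify_stations(WIRELESS_APS, classes, disabled={"00:50:f2:aa:aa:aa"}))
```

The client-MAC match is the strong signal; the adjacency heuristic is a fallback for routers that NAT their wireless clients, and it can misfire when two unrelated devices from the same vendor batch sit on the LAN and in the air, so a practitioner would treat it as "suspect" rather than auto-contain on it alone.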
Threat Response
Aruba employs a number of techniques to detect and, where possible, prevent wireless attacks and intrusion.
Probing and Network Discovery
Detection of NetStumbler and Wellenreiter
NetStumbler and Wellenreiter are popular "wardriving" applications. Typically they are used to locate free Internet
access as well as "interesting" networks. NetStumbler interfaces with a GPS receiver and with mapping software to
automatically map the locations of discovered wireless networks. Aruba air monitors detect the probing activity these tools
generate and notify the administrator.
DoS Attacks
Management Frame Flood Prevention
This type of attack floods an AP or multiple APs with 802.11 management frames. These can include authenticate/associate
frames, designed to fill up the association table of an AP. Other management frame floods, such as probe request floods,
can consume excess processing power on the AP. Aruba detects such floods, generates a warning, and helps the
administrator locate where the attack is taking place.
RF Jamming protection
RF jamming is used to take down an entire wireless LAN by overwhelming the radio environment with high-power noise.
Aruba detects such attacks as excessive interference and notifies the administrator. Where possible, the APs will make
channel or power adjustments to overcome the interference.
Spoofed deauthenticate frame protection
Spoofed deauthenticate frames form the basis for most denial of service attacks, as well as for many other attacks
such as man-in-the-middle. A Linux driver called AirJack typically forms the basis for this type of attack, with tools such as
WLAN-Jack and Fake-Jack actually carrying out the attack. When Aruba air monitors are deployed in a detection role,
both Aruba APs and 3rd-party APs can be monitored for this attack, with notification to the administrator when an attack
takes place. When Aruba APs are used, man-in-the-middle attacks can be prevented.
Broadcast deauthenticate attack protection
Similar to the spoofed deauthenticate frame attack above, this attack generates spoofed deauthenticate frames with a
broadcast destination address – instead of disconnecting a single station, the intent is to disconnect all stations attached to
a given AP. Typically, a Linux tool known as “Hunter-Killer” is used to generate this attack. Aruba detects the attack and
notifies the administrator.
Null probe response protection
An attack exists with the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe
request frame is answered by a probe response containing a null (zero-length) SSID. A number of popular NIC cards will lock up
upon receiving such a probe response. Aruba detects this attack and notifies the administrator of the approximate location
of the attacker.
FakeAP protection
FakeAP is a tool originally created to thwart wardrivers by flooding beacon frames containing hundreds of different
addresses. This would appear to a wardriver as though there were hundreds of different APs in the area, thus concealing the
real AP. While the tool is still effective for this purpose, a newer purpose is to flood public HotSpots or enterprises with fake
AP beacons to confuse legitimate users and to increase the amount of processing client operating systems must do. Aruba
detects FakeAP and notifies the administrator.
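The management-frame attacks in this section (authenticate/deauthenticate floods, spoofed and broadcast deauthenticate frames, the null probe response, and FakeAP beacon floods) can all be recognised from the 802.11 header and body alone. The following is an added example of such a detector, not Aruba's code: it parses the 24-byte management header, then applies per-capture-window thresholds. The thresholds, the sequence-number heuristic for spotting a forged transmitter address, and the sample frames are all assumptions constructed for illustration.

```python
"""Detect 802.11 management-frame attacks from raw frames.
Added example (not Aruba code). Thresholds and sample frames are constructed.
"""
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_PROBE_RESP = 5   # management (type 0) subtypes used below
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
SEQ_MODULO = 4096        # 12-bit sequence number


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt(frame):
    """Parse the 24-byte 802.11 header; return None unless it is a management frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:           # bits 2-3 are the frame type; 0 = management
        return None
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    return {
        "subtype": fc0 >> 4,
        "dst": mac_str(frame[4:10]),     # addr1: receiver
        "src": mac_str(frame[10:16]),    # addr2: transmitter
        "bssid": mac_str(frame[16:22]),  # addr3
        "seq": seq_ctrl >> 4,            # low 4 bits are the fragment number
        "body": frame[24:],
    }


def parse_ies(data):
    """Information elements are (tag, length, value) triples. Returns {tag: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def analyze(frames, deauth_threshold=20, beacon_bssid_threshold=50, seq_gap_threshold=64):
    """Run the detectors over one capture window. Returns [(kind, detail), ...]."""
    alerts, deauths, beaconing, last_seq = [], Counter(), set(), {}
    for frame in frames:
        m = parse_mgmt(frame)
        if m is None:
            continue
        # Heuristic (assumption, not from the brief): a spoofed frame comes from the
        # attacker's radio, so its sequence counter is unrelated to the counter of the
        # station whose address it forges; a large jump is a spoofing indicator.
        if m["src"] in last_seq:
            gap = (m["seq"] - last_seq[m["src"]]) % SEQ_MODULO
            if gap > seq_gap_threshold:
                alerts.append(("seq_anomaly", f"{m['src']} seq {last_seq[m['src']]} -> {m['seq']}"))
        last_seq[m["src"]] = m["seq"]
        if m["subtype"] == SUBTYPE_DEAUTH:
            deauths[m["bssid"]] += 1
            if m["dst"] == BROADCAST:
                alerts.append(("broadcast_deauth", f"bssid {m['bssid']}"))
        elif m["subtype"] == SUBTYPE_PROBE_RESP:
            ies = parse_ies(m["body"][12:])   # skip timestamp, interval, capabilities
            if 0 in ies and len(ies[0]) == 0:  # SSID IE (tag 0) with zero length
                alerts.append(("null_probe_response", f"from {m['src']} to {m['dst']}"))
        elif m["subtype"] == SUBTYPE_BEACON:
            beaconing.add(m["bssid"])
    for bssid, n in deauths.items():
        if n >= deauth_threshold:
            alerts.append(("deauth_flood", f"bssid {bssid}: {n} deauths"))
    if len(beaconing) >= beacon_bssid_threshold:
        alerts.append(("beacon_flood", f"{len(beaconing)} distinct BSSIDs beaconing"))
    return alerts


# --- constructed sample capture (not real traffic) ---------------------------

def build_mgmt(subtype, dst, src, bssid, seq, body):
    hdr = struct.pack("<BBH", subtype << 4, 0, 0)
    hdr += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + struct.pack("<H", seq << 4)
    return hdr + body


def beacon_like_body(ssid):
    fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, beacon interval, capabilities
    return fixed + bytes([0, len(ssid)]) + ssid   # SSID IE (tag 0)


def sample_capture():
    ap, client, attacker = "00:0b:86:00:00:01", "00:1a:2b:3c:4d:5e", "00:de:ad:be:ef:00"
    reason = struct.pack("<H", 7)
    frames = [build_mgmt(SUBTYPE_BEACON, BROADCAST, ap, ap, 100 + i, beacon_like_body(b"corp"))
              for i in range(10)]                                          # normal beacons
    frames += [build_mgmt(SUBTYPE_DEAUTH, client, ap, ap, 3000 + i, reason)
               for i in range(25)]                                         # spoofed deauth flood
    frames.append(build_mgmt(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 3025, reason))   # broadcast deauth
    frames.append(build_mgmt(SUBTYPE_PROBE_RESP, client, attacker, attacker, 1,
                             beacon_like_body(b"")))                       # null probe response
    for i in range(60):                                                    # FakeAP beacon flood
        fake = f"02:00:00:00:00:{i:02x}"
        frames.append(build_mgmt(SUBTYPE_BEACON, BROADCAST, fake, fake, i, beacon_like_body(b"free")))
    return frames


if __name__ == "__main__":
    for kind, detail in analyze(sample_capture()):
        print(kind, detail)
```

Addresses alone cannot tell a forged deauthenticate frame from a real one, which is why the brief stresses location of the attacker rather than blocking; the sequence-number gap is one practical indicator, and an air monitor co-located with the real AP can additionally compare received signal strength. Threshold values must be tuned per site: a busy AP rebooting will legitimately emit bursts of deauthenticate frames.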
EAP handshake flood protection
An EAP handshake flood is designed to overwhelm the authentication systems of a wireless network by generating floods of
EAPOL messages requesting 802.1X authentication. Aruba detects this attack and notifies the administrator.
Surveillance
Detection of weak WEP implementation
The classic means of cracking WEP keys is to capture 802.11 frames over an extended period and search for WEP
initialization vectors (IVs) with patterns known to be weak (the "resolved" IVs exploited by the FMS attack). Most modern
802.11 devices no longer generate such weak IVs, but plenty of legacy devices still in use today do. Aruba monitors for devices
using weak WEP implementations and reports to the administrator which devices require upgrades. Note that later
key-recovery attacks on WEP do not depend on weak IVs, so their absence only removes one shortcut; it does not make a WEP
network safe.
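An added example of the weak-IV monitoring described above (not Aruba's code): it pulls the 3-byte IV from WEP-protected data frames and reports, per transmitting device, how many IVs match the FMS "resolved" form (A+3, 0xFF, X). The 3-address header layout and the sample frames are constructed for illustration; a real monitor would also have to handle 4-address WDS frames and QoS data frames, which this parser skips.

```python
"""Report devices that still emit FMS-weak WEP IVs.
Added example (not Aruba code); sample frames are constructed.
"""
import struct
from collections import Counter


def parse_wep_data(frame):
    """Return (transmitter, iv) for a WEP-protected data frame, else None.
    Assumes a 3-address header (no 4-address WDS frames, no QoS control field)."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:        # frame type 2 = data
        return None
    if not fc1 & 0x40:               # Protected Frame bit in frame-control byte 1
        return None
    transmitter = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2
    return transmitter, frame[24:27]   # WEP IV: first 3 body bytes; byte 27 is the key ID


def is_fms_weak(iv, key_bytes=13):
    """FMS 'resolved' IVs have the form (A+3, 0xFF, X) and leak information about
    key byte A. key_bytes=13 covers 104-bit WEP (and is a superset of 40-bit)."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def weak_iv_report(frames):
    """Per transmitter: (weak IV count, protected frames seen), only for devices that
    emitted at least one weak IV. These are the devices needing a driver or firmware
    upgrade, or better, migration off WEP altogether."""
    seen, weak = Counter(), Counter()
    for frame in frames:
        parsed = parse_wep_data(frame)
        if parsed is None:
            continue
        tx, iv = parsed
        seen[tx] += 1
        if is_fms_weak(iv):
            weak[tx] += 1
    return {tx: (weak[tx], seen[tx]) for tx in seen if weak[tx]}


# --- constructed sample frames (not real traffic) ---------------------------

def _mac(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def wep_data_frame(transmitter, bssid, dest, iv, payload=b"\x00" * 16):
    fc = struct.pack("<BBH", 0x08, 0x41, 0)   # data frame, ToDS + Protected flags
    hdr = fc + _mac(bssid) + _mac(transmitter) + _mac(dest) + struct.pack("<H", 0)
    return hdr + bytes(iv) + b"\x00" + payload   # IV, key ID 0, "ciphertext"


def sample_capture():
    legacy, modern, mixed = "00:02:2d:aa:bb:cc", "00:0b:86:00:00:10", "00:40:96:12:34:56"
    bssid, gw = "00:0b:86:aa:bb:01", "00:0c:29:11:11:11"
    frames = []
    for i in range(20):
        frames.append(wep_data_frame(legacy, bssid, gw, (3 + i % 13, 0xFF, i)))   # every IV weak
        frames.append(wep_data_frame(modern, bssid, gw, (i, 0x10, i)))            # avoids weak IVs
        frames.append(wep_data_frame(mixed, bssid, gw,
                                     (4, 0xFF, i) if i < 2 else (i, 0x20, i)))    # occasional weak IV
    return frames


if __name__ == "__main__":
    for tx, (weak, total) in weak_iv_report(sample_capture()).items():
        print(f"{tx}: {weak} weak IVs in {total} protected frames")
```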
Impersonation
MAC address spoofing detection
Many older, insecure wireless LAN implementations rely on the client’s MAC address for identity of the user. MAC address
spoofing is a typical attack on a wireless LAN in which an attacker will spoof the MAC address of a valid client in an attempt
to be granted that client’s access privileges. The AirJack driver for Linux allows such an attack. When MAC address
spoofing is detected, both the legitimate client as well as the attacker will be quarantined from the network for a configurable
period of time.
AP impersonation prevention
AP impersonation attacks can be done for several purposes, including as a Man-In-the-Middle attack, as a rogue AP
attempting to bypass detection, and as a possible honeypot attack. In such an attack, the attacker sets up an AP that
assumes the BSSID and ESSID of a valid AP. When Aruba detects an AP impersonation in progress, both the legitimate AP
as well as the attacker’s AP will be shut down.
Man-In-The-Middle attack prevention
A successful man-in-the-middle attack will insert an attacker into the datapath between the client and the AP. In such a
position, the attacker can delete, add, or modify data, provided he has access to the encryption keys. Such an attack also
enables other attacks that can learn a user’s authentication credentials. When Aruba detects a man-in-the-middle attack in
progress, it will quarantine the client and attacker from the network.
Client Intrusion
Honeypot AP Protection
Most client intrusion attempts are handled by higher-layer security functions. However, one serious lower-layer attack that
exploits client weaknesses is the honeypot AP. A “honeypot” has a number of connotations in the security world. When
discussing wireless LANs, one meaning is an attacker’s AP that is set up in close proximity to an enterprise, advertising the
ESSID of the enterprise. The goal of such an attack is to lure valid clients to associate to the honeypot AP. From that point, a
MITM attack can be mounted, or an attempt can be made to learn the client’s authentication credentials. Most client devices
have no way of distinguishing between a valid AP and an invalid one – the devices only look for a particular ESSID and will
associate to the nearest AP advertising that ESSID.
A honeypot AP may attempt to spoof the BSSID of a valid AP. In that case, it is detected by AP Impersonation Detection.
However, the typical honeypot attack simply duplicates the ESSID without impersonating the BSSID. When Aruba detects an
unrecognized AP using a reserved ESSID, it will disable the unrecognized AP and prevent clients from associating to it.
Valid Station Protection
This policy will protect enterprise stations from roaming to an interfering AP. While the “honeypot protection” keeps all users
off an AP advertising a reserved ESSID, this policy keeps valid enterprise users off any non-valid APs. The policy only affects
valid stations – that is, those stations that have previously authenticated to the enterprise network. Any APs that enterprise
users should be allowed to connect to – such as a neighboring HotSpot at a coffee shop that employees frequently visit –
must be set as a valid AP by the administrator.
Network Intrusion
Misconfigured AP Protection
If desired, a list of parameters can be configured that define the characteristics of a valid AP. This is primarily used when
non-Aruba APs are being used in the network, since the WLAN switch cannot configure the 3rd-party APs. These
parameters can include preamble type, WEP configuration, OUI of valid MAC addresses, valid channels, DCF/PCF
configuration, and ESSID. The system can also be configured to detect an AP using a weak WEP key. If a valid AP is
detected as misconfigured, the system will deny access to the misconfigured AP. In cases where someone gains
configuration access to a 3rd-party AP and changes the configuration, this policy is useful in blocking access to that AP until
the configuration can be fixed.
Rogue AP Protection
A rogue AP is defined as one that is a) unauthorized, and b) plugged into the wired side of the network. Any other AP seen in
the RF environment that is not part of the valid enterprise network is considered “interfering”– it has the potential to cause RF
interference, but is not connected to the enterprise wired network and thus does not represent a direct threat. After an AP
has been classified as rogue, it can be automatically disabled if the administrator has enabled this policy. When a rogue AP
is disabled, no wireless stations are allowed to associate to that AP – upon detecting a station attempting to associate to the
rogue AP, any air monitor or AP in range will send deauthenticate frames to the station and to the AP using forged source
addresses, forcing the two to disconnect from each other. This ensures that even if an AP is connected to the network, it is
rendered useless.
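The containment mechanism described above, together with the honeypot and valid station protection policies from the previous section, as an added example that is not Aruba's code. Given classified APs and the (station, BSSID) associations an air monitor observes, it decides which pairs to break and constructs the two forged deauthenticate frames per pair: one to the station with the AP's address as transmitter, one to the AP with the station's address as transmitter. The policy order, reason code, and all addresses are assumptions constructed for illustration.

```python
"""Containment decisions and forged deauthenticate frames.
Added example (not Aruba code); policy details and sample data are constructed.
"""
import struct

REASON_CLASS3 = 7   # "class 3 frame received from non-associated station"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def deauth_frame(receiver, transmitter, bssid, seq, reason=REASON_CLASS3):
    """802.11 deauthentication frame: type 0 (management), subtype 12 -> FC byte 0xC0.
    The air monitor writes the address it wants to impersonate into addr2."""
    return (struct.pack("<BBH", 0xC0, 0, 0)
            + mac_bytes(receiver) + mac_bytes(transmitter) + mac_bytes(bssid)
            + struct.pack("<H", (seq & 0xFFF) << 4)
            + struct.pack("<H", reason))


def containment_plan(aps, associations, valid_stations, reserved_ssids, disable_rogues=True):
    """Decide which (station, BSSID) pairs to break. Returns [(station, bssid, policy)].

    aps:            {bssid: {"ssid": str, "class": "valid" | "interfering" | "rogue"}}
    associations:   (station, bssid) pairs observed from association or data frames
    valid_stations: stations that have authenticated to the enterprise network
    reserved_ssids: ESSIDs that only the enterprise's own APs may advertise
    """
    plan = []
    for station, bssid in associations:
        ap = aps.get(bssid)
        if ap is None or ap["class"] == "valid":
            continue
        if ap["class"] == "rogue" and disable_rogues:
            plan.append((station, bssid, "rogue AP protection"))
        elif ap["ssid"] in reserved_ssids:
            plan.append((station, bssid, "honeypot AP protection"))
        elif station in valid_stations:
            plan.append((station, bssid, "valid station protection"))
        # an unknown station on a neighbour's AP is left alone
    return plan


def containment_frames(plan, seq=0):
    """Two forged deauths per pair: to the station 'from' the AP, to the AP 'from' the station."""
    frames = []
    for station, bssid, _policy in plan:
        frames.append(deauth_frame(station, bssid, bssid, seq))
        frames.append(deauth_frame(bssid, station, bssid, seq))
    return frames


# --- constructed sample data (illustrative, not a real network) ------------
SAMPLE_APS = {
    "00:0b:86:aa:bb:01": {"ssid": "corp", "class": "valid"},
    "00:11:22:33:44:55": {"ssid": "linksys", "class": "rogue"},
    "00:de:ad:be:ef:00": {"ssid": "corp", "class": "interfering"},     # honeypot
    "00:18:39:12:34:56": {"ssid": "coffee", "class": "interfering"},   # neighbour
}
SAMPLE_ASSOCIATIONS = [
    ("00:1a:2b:3c:4d:5e", "00:0b:86:aa:bb:01"),  # valid station on our AP
    ("00:aa:bb:cc:dd:01", "00:11:22:33:44:55"),  # any station on the rogue
    ("00:1a:2b:3c:4d:5f", "00:de:ad:be:ef:00"),  # valid station lured to the honeypot
    ("00:1a:2b:3c:4d:5e", "00:18:39:12:34:56"),  # valid station wandering next door
    ("00:50:f2:aa:aa:aa", "00:18:39:12:34:56"),  # neighbour's own customer
]
VALID_STATIONS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
RESERVED_SSIDS = {"corp"}


def demo():
    plan = containment_plan(SAMPLE_APS, SAMPLE_ASSOCIATIONS, VALID_STATIONS, RESERVED_SSIDS)
    return plan, containment_frames(plan)


if __name__ == "__main__":
    plan, frames = demo()
    for entry in plan:
        print(entry)
    print(f"{len(frames)} deauthenticate frames, {len(frames[0])} bytes each")
```

Two caveats a practitioner would add: transmitting forged deauthenticate frames is itself the DoS technique this brief detects, so the containment policy needs a tight allow-list (the coffee-shop AP in the example is left alone unless an enterprise station roams to it); and clients that negotiate 802.11w management frame protection (ratified after this brief was written) will discard unprotected deauthenticate frames, so containment by forged frames does not work against them.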
Ad-Hoc network detection and protection
As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do not use encryption,
they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging
enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to
viruses and other security vulnerabilities. For these reasons, many administrators choose to prohibit ad-hoc networks. When
the Aruba system detects an ad-hoc network, the administrator will be notified. In addition, if the ad-hoc network protection
feature has been enabled, communication in the ad-hoc network will be disrupted.
Wireless bridge protection
Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an
authorized person place) a wireless bridge inside the network that would extend the corporate network somewhere outside
the building. Wireless bridges are somewhat different from rogue APs in that they do not use beacons and have no concept
of association. Most networks do not use bridges – in these networks, the presence of a bridge is a signal that something is
wrong. Aruba will notify the administrator when wireless bridges are detected.
ASLEAP attack prevention
LEAP is a protocol used by Cisco APs and licensed NICs to perform authentication and coordinate dynamic encryption
keys. LEAP's challenge/response exchange is built on MS-CHAP, a design flaw that leaves a captured exchange open to
offline dictionary-based password guessing. The tool used to perform the LEAP attack is known as ASLEAP. If an Aruba
switch is part of the datapath, the switch can prevent active-mode LEAP attacks from being successful. In addition, the
administrator will be notified of the attack.
About Aruba Networks, Inc.
Aruba Networks provides an enterprise mobility solution that enables secure access to data, voice and video
applications across wireless and wireline enterprise networks. The Aruba Mobile Edge Architecture allows end-users to
roam to different locations within an enterprise campus or office building, as well as to remote locations such as branch
and home offices, while maintaining secure and consistent access to all of their network resources. Using the Aruba
Mobile Edge Architecture, IT departments can manage user-based network access and enforce application delivery
policies from a single integrated point of control in a consistent manner. Aruba’s user-centric enterprise mobility solution
integrates the ArubaOS operating system, optional value-added software modules, a centralized mobility management
system, high-performance programmable mobility controllers, and wired and wireless access points. Based in
Sunnyvale, California, Aruba has operations in the United States, Europe, the Middle East and Asia Pacific, and employs
staff around the world. To learn more, visit Aruba at http://www.arubanetworks.com.
© 2007 Aruba Networks, Inc. All rights reserved. Aruba Networks and Aruba Mobile Edge Architecture are trademarks of Aruba
Networks, Inc. All other trademarks or registered trademarks are the property of their respective holders. Specifications are subject to
change without notice.