Technical Brief Wireless Intrusion Protection Introduction One layer of the multi-layer wireless security solution provided by Aruba Wireless Networks is the ability to “lock the air” using wireless intrusion prevention technology built into every Aruba switch and AP. This technology provides all RF security features, including policy configuration, real-time monitoring, RF countermeasures, and wireless intrusion detection and prevention. Attacks and Intrusions The nature of wireless networks makes them attractive targets for intruders. Many intruders are only searching for free Internet access, and use a number of different probe tools to find it. Others, however, are intent on gaining access to an enterprise network for malicious purposes – either to steal data, disrupt legitimate communication, or damage data. Wireless intrusion can be classified into several broad categories: Probing and Network Discovery Network discovery is a normal part of 802.11, and allows client devices to discover APs and also to learn about available services provided by APs. While network discovery itself does not necessarily lead to security problems, it is the first step that an attacker needs to accomplish before moving on to more serious intrusion attempts. Denial of service attack DoS attacks are designed to prevent or inhibit legitimate users from accessing the network. This includes blocking network access completely, degrading network service, and increasing processing load on clients and network equipment. Surveillance Surveillance allows an attacker to monitor and capture data from a wireless network. The primary means of overcoming the risk of surveillance is the use of encryption – either link-layer encryption such as WEP or TKIP, or network-layer encryption such as IPSEC. Impersonation Impersonation attacks in a wireless network typically involve an attacker taking on the address of a valid client or AP and trying to obtain access or services typically reserved for those valid clients or APs. Because wireless devices are not at the end of a physical cable, it can be difficult to detect such an attack taking place. In a worst-case scenario, an impersonating AP could fool a client into connecting with it, and then obtain that client’s authentication credentials. Client Intrusion Aruba Networks Wireless Intrusion Protection 2 Client intrusion attacks attempt to exploit vulnerabilities in client devices to gain access to a network resource. Most of Aruba’s protection in this area comes from stateful firewalls and from client remediation services rather than from RF-level protection. Network Intrusion A network intrusion attack implies that an attacker is able to gain full access to an enterprise network resource. Network intrusion attacks are some of the most serious. While the Aruba system is not a traditional wired-side IDS that can detect such intrusion directly, it does detect and disable many of the doors used in such intrusion attempts. Classification is Key To Wireless Security One of the primary requirements for an RF-layer security device is the ability to classify network elements into either threats or non-threats. First-generation wireless security devices do not have a complete view of both the wired and wireless sides of the network, and thus cannot adequately determine what is and is not a threat – such devices take the simplistic approach of assuming that any unknown device detected in the RF environment is a threat. This approach works if an enterprise is located in a dedicated and isolated building with RF-shielded walls and windows, but will generate many false alarms in a typical multi-tenant building or in a dense commercial or industrial area. Aruba has developed a patent-pending classification algorithm that compares traffic seen on the wireless side of the network with that seen on the wired side of the network. Upon network installation, each Aruba AP is configured to be either an access point (AP), providing secure wireless access to users, or an Air Monitor (AM), providing RF monitoring and security features. APs can be classified as valid, interfering (detected but NOT connected to the wired network), or rogue. Air Monitors constantly scan all channels of the RF environment, communicating information back to the Aruba Wi-Fi switch. The switch is the central control point for the wireless network, providing all access, security, configuration, monitoring, and management functions. Based on this classification and policy configuration Aruba’s system can automatically disable rogue APs or any other AP specified by he administrator. Likewise, all wireless stations detected in an RF environment are classified into valid, interfering or disabled. Stations on the disabled list are prevented from associating to any AP. Threat Response Aruba employs a number of techniques to detect and, where possible, prevent wireless attacks and intrusion. Probing and Network Discovery Detection of NetStumbler and Wellenreiter Aruba Networks Wireless Intrusion Protection 3 Netstumbler and Wellenreiter are popular “wardriving” applications. Typically they are used to locate both free Internet access as well as “interesting” networks. Netstumbler interfaces with a GPS receiver and with mapping software to automatically map out locations of wireless networks. DoS Attacks Management Frame Flood Prevention This type of attack floods an AP or multiple APs with 802.11 management frames. These can include authenticate/associate frames, designed to fill up the association table of an AP. Other management frame floods, such as probe request floods, can consume excess processing power on the AP. Aruba detects such floods, generates a warning, and helps the administrator locate where the attack is taking place. RF Jamming protection RF jamming is used to take down an entire wireless LAN by overwhelming the radio environment with high-power noise. Aruba detects such attacks as excessive interference and notifies the administrator. Where possible, the APs will make channel or power adjustments to overcome the interference. Spoofed deauthenticate frame protection Spoofed deauthenticate frames form the basis for most denial of service attacks, as well as the basis for many other attacks such as man-in-themiddle. A Linux driver called AirJack typically forms the basis for this type of attack, with tools such as WLAN-Jack and Fake-Jack actually carrying out the attack. When Aruba air monitors are deployed in a detection role, both Aruba APs and 3rd-party APs can be monitored for this attack, with notification to the administrator when an attack takes place. When Aruba APs are used, man-in-the-middle attacks can be prevented. Broadcast deauthenticate attack protection Similar to the spoofed deauthenticate frame attack above, this attack generates spoofed deauthenticate frames with a broadcast destination address – instead of disconnecting a single station, the intent is to disconnect all stations attached to a given AP. Typically, a Linux tool known as “Hunter-Killer” is used to generate this attack. Aruba detects the attack and notifies the administrator. Null probe response protection An attack exists with the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client proberequest frame will be answered by a probe response containing a null SSID. A number of popular NIC cards will lock up upon receiving such a probe response. Aruba detects this attack and notifies the administrator of the approximate location of the attacker. FakeAP protection Aruba Networks Wireless Intrusion Protection 4 FakeAP is a tool originally created to thwart wardrivers by flooding beacon frames containing hundreds of different addresses. This would appear to a wardriver as though there were hundreds of different APs in the area, thus concealing the real AP. While the tool is still effective for this purpose, a newer purpose is to flood public HotSpots or enterprises with fake AP beacons to confuse legitimate users and to increase the amount of processing client operating systems must do. Aruba detects FakeAP and notifies the administrator. EAP handshake flood protection An EAP handshake flood is designed to overwhelm the authentication systems of a wireless network by generating floods of EAPOL messages requesting 802.1x authentication. Aruba detects this attack and notifies the administrator. Surveillance Detection of weak WEP implementation The primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. Most modern 802.11 devices do not generate such weak IVs, but plenty of legacy devices are still in use today that will generate this vulnerable data. Aruba monitors for devices using weak WEP implementations and generates reports for the administrator of which devices require upgrades. Impersonation MAC address spoofing detection Many older, insecure wireless LAN implementations rely on the client’s MAC address for identity of the user. MAC address spoofing is a typical attack on a wireless LAN in which an attacker will spoof the MAC address of a valid client in an attempt to be granted that client’s access privileges. The AirJack driver for Linux allows such an attack. When MAC address spoofing is detected, both the legitimate client as well as the attacker will be quarantined from the network for a configurable period of time. AP impersonation prevention AP impersonation attacks can be done for several purposes, including as a Man-In-the-Middle attack, as a rogue AP attempting to bypass detection, and as a possible honeypot attack. In such an attack, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. When Aruba detects an AP impersonation in progress, both the legitimate AP as well as the attacker’s AP will be shut down. Man-In-The-Middle attack prevention A successful man-in-the-middle attack will insert an attacker into the datapath between the client and the AP. In such a position, the attacker can delete, add, or modify data, provided he has access to the encryption keys. Such an attack also enables other attacks that can learn a user’s authentication credentials. When Aruba detects a man-in-the-middle attack in progress, it will quarantine the client and attacker from the network. Client Intrusion Aruba Networks Wireless Intrusion Protection 5 Honeypot AP Protection Most client intrusion attempts are handled by higher-layer security functions. However, one serious lower-layer attack that exploits client weaknesses is the honeypot AP. A “honeypot” has a number of connotations in the security world. When discussing wireless LANs, one meaning is an attacker’s AP that is set up in close proximity to an enterprise, advertising the ESSID of the enterprise. The goal of such an attack is to lure valid clients to associate to the honeypot AP. From that point, a MITM attack can be mounted, or an attempt can be made to learn the client’s authentication credentials. Most client devices have no way of distinguishing between a valid AP and an invalid one – the devices only look for a particular ESSID and will associate to the nearest AP advertising that ESSID. A honeypot AP may attempt to spoof the BSSID of a valid AP. In that case, it is detected by AP Impersonation Detection. However, the typical honeypot attack simply duplicates the ESSID without impersonating the BSSID. When Aruba detects an unrecognized AP using a reserved ESSID, it will disable the unrecognized AP and prevent clients from associating to it. Valid Station Protection This policy will protect enterprise stations from roaming to an interfering AP. While the “honeypot protection” keeps all users off an AP advertising a reserved ESSID, this policy keeps valid enterprise users off any non-valid APs. The policy only affects valid stations – that is, those stations that have previously authenticated to the enterprise network. Any APs that enterprise users should be allowed to connect to – such as a neighboring HotSpot at a coffee shop that employees frequently visit – must be set as a valid AP by the administrator. Network Intrusion Misconfigured AP Protection If desired, a list of parameters can be configured that define the characteristics of a valid AP. This is primarily used when non-Aruba APs are being used in the network, since the WLAN switch cannot configure the 3rd-party APs. These parameters can include preamble type, WEP configuration, OUI of valid MAC addresses, valid channels, DCF/PCF configuration, and ESSID. The system can also be configured to detect an AP using a weak WEP key. If a valid AP is detected as misconfigured, the system will deny access to the misconfigured AP. In cases where someone gains configuration access to a 3rd-party AP and changes the configuration, this policy is useful in blocking access to that AP until the configuration can be fixed. Rogue AP Protection A rogue AP is defined as one that is a) unauthorized, and b) plugged into the wired side of the network. Any other AP seen in the RF environment that is not part of the valid enterprise network is considered “interfering”– it has the potential to cause RF interference, but is not connected to the enterprise wired network and thus does not represent a direct threat. After an AP has been classified as rogue, it can be automatically disabled if the administrator has enabled this policy. When a rogue AP is disabled, no wireless stations are allowed to associate to that AP – upon detecting a station attempting to associate to the rogue AP, any air monitor or AP in range will send deauthenticate frames to the station and to the AP using forged source addresses, forcing the two to disconnect from each other. This ensures that even if an AP is connected to the network, it is rendered useless. Aruba Networks Wireless Intrusion Protection 6 Ad-Hoc network detection and protection As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to viruses and other security vulnerabilities. For these reasons, many administrators choose to prohibit ad-hoc networks. When the Aruba system detects an ad-hoc network, the administrator will be notified. In addition, if the ad-hoc network protection feature has been enabled, communication in the ad-hoc network will be disrupted. Wireless bridge protection Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an authorized person place) a wireless bridge inside the network that would extend the corporate network somewhere outside the building. Wireless bridges are somewhat different from rogue APs in that they do not use beacons and have no concept of association. Most networks do not use bridges – in these networks, the presence of a bridge is a signal that something is wrong. Aruba will notify the administrator when wireless bridges are detected. ASLEAP attack prevention LEAP is a protocol used by Cisco APs and licensed NICs to perform authentication and coordination of dynamic encryption keys. LEAP contains a design flaw that makes it vulnerable to dictionary-based password guessing attacks. The tool used to perform the LEAP attack is known as ASLEAP. If an Aruba switch is part of the datapath, the switch can prevent activemode LEAP attacks from being successful. In addition, the administrator will be notified of the attack. About Aruba Networks, Inc. Aruba Networks provides an enterprise mobility solution that enables secure access to data, voice and video applications across wireless and wireline enterprise networks. The Aruba Mobile Edge Architecture allows end-users to roam to different locations within an enterprise campus or office building, as well as to remote locations such as branch and home offices, while maintaining secure and consistent access to all of their network resources. Using the Aruba Mobile Edge Architecture, IT departments can manage user-based network access and enforce application delivery policies from a single integrated point of control in a consistent manner. Aruba’s user-centric enterprise mobility solution integrates the ArubaOS operating system, optional value-added software modules, a centralized mobility management system, high-performance programmable mobility controllers, and wired and wireless access points. Based in Sunnyvale, California, Aruba has operations in the United States, Europe, the Middle East and Asia Pacific, and employs staff around the world. To learn more, visit Aruba at http://www.arubanetworks.com. © 2007 Aruba Networks, Inc. All rights reserved. Aruba Networks and Aruba Mobile Edge Architecture are trademarks of Aruba Networks, Inc. All other trademarks or registered trademarks are the property of their respective holders. Specifications are subject to change without notice. Aruba Networks Wireless Intrusion Protection 7