Slide 1
Wireless Network Monitoring
Plan B Project
Sandeep P Karanth
Advisor: Prof. Anand Tripathi
Slide 2
Outline
• Introduction
• Overview of Konark
• IEEE 802.11 Wireless LANs
• Potential Threats to a Wireless LAN
• Modes of Operation
• Detection Logic
• Conclusions and Future work
Slide 3
Introduction
• Network Monitoring issues:
  • Large Networks
  • Heterogeneous components
  • Distributed monitoring
  • Centralized event-viewing and control
  • Quick Response to alerts
    • Response against attackers/intruders
    • Response against misconfigurations/failures
• Robust and Secure system
Slide 4
Konark: Overview
• Mobile-Agent based network monitoring
  • Object capable of migration
  • First-class objects – altered remotely
  • Programming framework – Ajanta
• Script based detection techniques
  • Tedious to install, debug and modify
  • Coarse-grained protection
Slide 5
Konark: Overview (Contd..)
• Goals:
  • Dynamically Extensible
    • Addition of new monitoring components
    • Modification of existing monitoring policies
    • Integration of tools
  • Active Monitoring
    • Modification of policies in response to events
  • Online Monitoring
    • Event monitoring in real-time
Slide 6
Konark: Overview (Contd..)
• Goals (contd..):
  • Resilience by diverse monitoring sources
  • Secure
    • System itself has to be secure
  • Robust
    • Automated recovery of failed system components
  • Scalable
    • Acceptable System Performance
Slide 7
Konark: Overview (Contd..)
• Publish-Subscribe network monitoring system
• Monitoring agents equipped with detectors
• Publisher-subscriber relationship is dynamic
• Event model for information flow
• Automated agent and detector recovery
  • Uses self-monitoring schemes
• Authenticated inter-agent communication (RMI)
  • Challenge-response protocol
Slide 8
Konark: Overview (Contd..)
Slide 9
IEEE 802.11 Wireless LAN
• IEEE 802.11 operates at PHY and MAC
• Operating modes:
  • Infrastructure
  • Ad hoc
• Carrier Sense Multiple Access (CSMA)
• Collision Avoidance (CA)
• Binary Exponential Back-off algorithm
Slide 10
IEEE 802.11 Wireless LAN (contd..)
• Terminology:
  • Access Point (AP)
  • Service Set Identifier (SSID)
  • Basic Service Set (BSS)
  • Independent BSS (IBSS) – Ad hoc network
  • Extended Service Set (ESS) – APs having the same SSID
  • Distribution System (DS) – connects APs
  • Wired Equivalent Privacy (WEP)
Slide 11
IEEE 802.11 Wireless LAN (contd..)
• Generic 802.11 frame format
Slide 12
IEEE 802.11 Wireless LAN (contd..)
• Generic Management frame
Slide 13
IEEE 802.11 Wireless LAN (contd..)
• Association Process
Slide 14
IEEE 802.11 Wireless LAN (contd..)
• Frame types:
  • Beacon Frame – AP advertisement
  • Probe Request / Response
  • Reassociation Request / Response
• Authentication:
  • Open Authentication (MAC ACLs used)
  • Shared Key authentication
Slide 15
Potential Threats and Management Issues
• MAC Address Spoofing:
  • Attacker impersonates a legitimate client
  • Attacker fakes as a legitimate AP (Fake AP)
  • Attacker sends spoofed deauthenticate/disassociate frames
• Denial-Of-Service Attacks:
  • Authenticate/Associate message floods on AP
  • RTS frame floods
Slide 16
Potential Threats and Management issues (contd..)
• Network Misconfigurations / Failures
  • AP failure
  • Unauthorized or Rogue APs
    • May not conform to security policies
• Policy Conformance
  • Acceptable signal strengths
  • Acceptable data rate
  • Correct SSIDs
• Attack Tools: macchanger, FakeAP, LibRadiate
Slide 17
Design Goals
• Monitoring Objectives:
  • Attack detection and response
  • Unauthorized use detection and response
  • Component failure detection
• Service Provisioning Objectives:
  • User tracking service – Pervasive applications
Slide 18
Modes of Monitoring System Operation:
• Mode 1:
  • Notebooks/PCs executing a monitoring daemon
  • Statically placed
  • Strategically placed to get entire network coverage
• Mode 2:
  • A PDA/handheld running a monitoring daemon
Slide 19
Modes of Monitoring System Operation(Contd…)
• Mode 2 (contd..):
  • Campus walk taken by a wireless security auditor
• Mode 3:
  • Access Points log information to a syslog file
  • Syslog file analyzed for event generation
Slide 20
Modes of Monitoring System Operation(Contd…)
Slide 21
Detection Logic and Response
• Sequence number Analysis:
  • Each frame has a 12-bit sequence number
  • Put in by the firmware
  • Range of sequence numbers: 0 - 4095
  • Sequence numbers of 2 stations are not likely to be the same
  • Fake and legitimate station will have out-of-order sequence numbers
Slide 22
Detection Logic and Response (contd..)
• Sequence number analysis (contd..):
  • Packet capturing software and dump analyzer used to analyze
  • Dump analyzer slower than capturing software (packets captured are dropped)
  • Only 1 in 10 beacon frames analyzed to account for slow analysis
  • Threshold of 20 chosen for difference in seq. no. for the same source
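The sequence-number check described on the last two slides, written out as an added example (not the deck's or Konark's own code). The 12-bit field, the 0-4095 range, the 1-in-10 beacon sampling and the gap threshold of 20 are taken from the slides; the `Frame` record, the `SequenceAnalyzer` class and the constructed captures are assumptions made for this example. The gap is computed modulo 4096, so a legitimate station crossing 4095 to 0 is not flagged, while a frame from a second radio using the same MAC (whose firmware counter is somewhere else entirely) shows up as a large gap, as does the legitimate station's next frame after it.

```python
"""Sequence-number analysis for spotting a spoofed MAC address.

Added example (not the deck's or Konark's own code). Frames are constructed
inline; the 12-bit field, the 0-4095 range, the 1-in-10 beacon sampling and
the gap threshold of 20 come from the deck, everything else is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SEQ_MODULO = 1 << 12      # 12-bit sequence number: 0-4095, then wraps to 0
SEQ_THRESHOLD = 20        # tolerated forward gap between frames of one source (deck value)
BEACON_SAMPLE_RATE = 10   # analyze only every 10th beacon from an AP (deck value)


@dataclass
class Frame:
    time: float     # capture timestamp in seconds (constructed)
    subtype: str    # "Beacon", "Data", "Deauthentication", ...
    src: str        # transmitter MAC address
    seq: int        # sequence number as set by the sender's firmware


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur modulo 4096.

    A legitimate counter only moves forward in small steps, so 4095 -> 0 is a
    gap of 1, while a backward jump such as 3000 -> 103 becomes 1199: a second
    radio on the same MAC cannot hide behind the wrap-around.
    """
    return (cur - prev) % SEQ_MODULO


class SequenceAnalyzer:
    """Tracks the last sequence number seen per source MAC and flags large gaps."""

    def __init__(self, threshold: int = SEQ_THRESHOLD,
                 beacon_sample_rate: int = BEACON_SAMPLE_RATE) -> None:
        self.threshold = threshold
        self.beacon_sample_rate = beacon_sample_rate
        self.last_seq: Dict[str, int] = {}
        self.beacons_seen: Dict[str, int] = {}
        self.alerts: List[str] = []

    def observe(self, f: Frame) -> Optional[str]:
        """Feed one decoded frame; return the alert text if one is raised."""
        if f.subtype == "Beacon":
            # The analyzer is slower than the capture tool, so only 1 in 10
            # beacons is examined; the rest are skipped without updating state.
            n = self.beacons_seen.get(f.src, 0) + 1
            self.beacons_seen[f.src] = n
            if n % self.beacon_sample_rate != 0:
                return None
        prev = self.last_seq.get(f.src)
        self.last_seq[f.src] = f.seq
        if prev is None:
            return None   # first frame from this source: nothing to compare against
        gap = seq_gap(prev, f.seq)
        if gap > self.threshold:
            alert = (f"t={f.time:.2f}s Sequence number mismatch: SrcAddr:{f.src} "
                     f"prev={prev} cur={f.seq} gap={gap} "
                     f"Details:Unauthorized Client suspected")
            self.alerts.append(alert)
            return alert
        return None


def analyze(frames: List[Frame]) -> List[str]:
    """Run the analyzer over a capture and return every alert raised."""
    analyzer = SequenceAnalyzer()
    for f in frames:
        analyzer.observe(f)
    return analyzer.alerts


def demo_spoof_frames() -> List[Frame]:
    """Constructed capture: a client, one frame from a second radio using the
    same MAC (its own counter is at 3000), then the real client again."""
    client = "00:40:96:41:d4:01"   # address reused from the deck's sample log
    return [
        Frame(0.00, "Data", client, 100),
        Frame(0.10, "Data", client, 101),
        Frame(0.20, "Data", client, 102),
        Frame(0.25, "Data", client, 3000),   # frame from the second radio
        Frame(0.30, "Data", client, 103),    # legitimate client continues
    ]


def demo_wrap_frames() -> List[Frame]:
    """Constructed capture: one AP crossing the 4095 -> 0 wrap, no spoofing."""
    ap = "00:40:96:47:e6:ec"
    return [Frame(0.1 * i, "Data", ap, s)
            for i, s in enumerate([4093, 4094, 4095, 0, 1])]


if __name__ == "__main__":
    for line in analyze(demo_spoof_frames()):
        print(line)
    print("wrap-around alerts:", analyze(demo_wrap_frames()))
```

Two alerts come out of the spoof capture: one for the interloper's frame and one for the legitimate client's next frame, which is exactly the repeated "Sequence number mismatch" pattern visible in the deck's sample log. The beacon sampling means the stored state for an AP only advances every tenth beacon, so a gap of about 10 between analyzed beacons is normal and stays under the threshold of 20.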
Slide 23
Detection Logic and Response (contd..)
• Sequence number analysis (contd..):
  • Detection Capabilities:
    • Faking client detection
    • Fake AP detection
    • Forced disassociation/deauthentication
  • Fails if unauthorized user connects in a disjoint time frame
    • Likely time policy
    • Inform users when they connect
Slide 24
Detection Logic and Response (contd..)
• Sequence number analysis (contd..):
  • Fails if unauthorized user connects to another BSS in an ESS
    • Konark monitoring agents perform distributed correlations to detect this
    • Correlation of events among AP logs helps us detect this
Slide 25
Detection Logic and Response (contd..)
• Packet counting and analysis
  • Packets sent to an AP are recorded
  • Many packets in a small adjustable interval indicate a DoS attack
  • AP logs also examined to detect such attacks
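The packet-counting detector as an added example (not the deck's or Konark's own code). The deck states only that frames sent to an AP are counted and that many frames inside a small, adjustable interval indicate a DoS attack; the one-second window, the limit of 40 frames, the `FloodMonitor` class and the constructed traffic (an authentication flood of the kind listed under threats) are assumptions made here. A sliding window keeps only the timestamps still inside the interval, and the alert fires once per burst rather than once per frame, so the flood itself does not flood the event log.

```python
"""Packet counting for flood detection against an access point.

Added example, not the deck's or Konark's own code. The deck says frames sent
to an AP are counted and that many frames within a small, adjustable interval
indicate a DoS attack; the interval (1 s), the limit (40 frames) and the
sample traffic below are assumptions made for this example.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample frame: (timestamp_seconds, subtype, source MAC, destination MAC)
Frame = Tuple[float, str, str, str]


class FloodMonitor:
    """Sliding-window count of frames addressed to each monitored AP."""

    def __init__(self, aps: Iterable[str], interval: float = 1.0,
                 max_frames: int = 40) -> None:
        self.aps = set(aps)                 # MACs of the APs being watched
        self.interval = interval            # window length in seconds (adjustable)
        self.max_frames = max_frames        # frames per window before alerting
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)
        self.in_alert: Dict[str, bool] = defaultdict(bool)
        self.alerts: List[str] = []

    def observe(self, frame: Frame) -> Optional[str]:
        """Feed one frame; return the alert text if a burst is first detected."""
        t, subtype, src, dst = frame
        if dst not in self.aps:
            return None                     # not aimed at a monitored AP
        window = self.windows[dst]
        window.append(t)
        # Drop timestamps that have aged out of the interval.
        while window and t - window[0] > self.interval:
            window.popleft()
        count = len(window)
        if count > self.max_frames:
            if self.in_alert[dst]:
                return None                 # this burst was already reported
            self.in_alert[dst] = True
            alert = (f"t={t:.3f}s Possible DoS: {count} frames to AP {dst} "
                     f"within {self.interval}s (last subtype {subtype} from {src})")
            self.alerts.append(alert)
            return alert
        self.in_alert[dst] = False          # rate back to normal: re-arm
        return None


def scan_for_floods(frames: List[Frame], aps: Iterable[str]) -> List[str]:
    """Run the monitor over a capture and return every alert raised."""
    mon = FloodMonitor(aps)
    for f in frames:
        mon.observe(f)
    return mon.alerts


def demo_frames() -> List[Frame]:
    """Constructed capture: normal traffic, then an Authentication burst to one AP."""
    ap = "00:40:96:47:e6:ec"            # BSSID reused from the deck's sample log
    client = "00:40:96:33:4c:8c"        # client MAC reused from the deck's sample log
    frames: List[Frame] = []
    # Ten ordinary frames spread over ten seconds: well under the limit.
    for i in range(10):
        frames.append((float(i), "Data", client, ap))
    # 200 authentication frames in half a second from a constructed source.
    for i in range(200):
        frames.append((10.0 + i * 0.0025, "Authentication", "00:00:00:00:00:01", ap))
    # Quiet period, then one more frame: the monitor should have re-armed.
    frames.append((20.0, "Data", client, ap))
    return frames


if __name__ == "__main__":
    for line in scan_for_floods(demo_frames(), {"00:40:96:47:e6:ec"}):
        print(line)
```

With these constructed values the 41st frame inside the one-second window raises the single alert; the 159 frames that follow are part of the same burst and are suppressed, and the lone frame ten seconds later re-arms the detector without alerting.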
Slide 26
Detection Logic and Response (contd..)
• Misconfiguration/Failure detection
  • Missing beacons imply AP failure
    • Beacons may be disabled in an AP (policy)
    • Ping every AP with a probe request
  • Extraneous beacons/frames with unknown BSSID imply Rogue APs
    • Network baseline fed to the daemon at startup
  • Repeated associations, DHCP denials or unknown frame transmittals imply brute force attacks or client misconfiguration
Slide 27
Detection Logic and Response (contd..)
Slide 28
Experimental Setup
• Experiments conducted on the EECS building wireless LAN (802.11b)
• Cisco Access Points (Aironet 340/350 series)
• Notebook PCs running Linux used to conduct experiments
• Cisco 340/350 wireless cards used for wireless connectivity
Slide 29
Experimental Setup (contd..)
• Packet capturing software used: Kismet (development version 2.8.1)
• Dump analyzer: Ethereal

Processing pipeline (from the slide diagram):
Kismet (capture packets) → named pipe → Ethereal (decode packets) → pipe → Monitoring Daemon (analyze decoded packets)
Slide 30
Experimental Setup
• About 90-95% of the frames observed are IEEE 802.11 management frames
• Beacon frames form 90% of the management frames
• Beacon interval is 0.1024 seconds
Slide 31
Experimental Setup
Mon May 26 15:31:00 2003 Deauthentication SrcAddr:00:40:96:47:99:13 DestAddr:00:40:96:33:4c:8c BSSID:00:40:96:47:99:13
Mon May 26 15:31:00 2003 Deauthentication SrcAddr:00:40:96:47:99:13 DestAddr:00:40:96:33:4c:8c BSSID:00:40:96:47:99:13
Mon May 26 15:31:00 2003 Authentication SrcAddr:00:40:96:33:4c:8c DestAddr:00:40:96:47:e6:ec BSSID:00:40:96:47:e6:ec
Mon May 26 15:31:01 2003 Sequence number mismatch: SrcAddr:00:40:96:41:d4:01 Details:Unauthorized Client suspected
Mon May 26 15:31:01 2003 Reassociation Request SrcAddr:00:40:96:33:4c:8c DestAddr:00:40:96:47:e6:ec BSSID:00:40:96:47:e6:ec
Mon May 26 15:31:04 2003 Sequence number mismatch: SrcAddr: 00:40:96:41:d4:01 Details:Unauthorized Client suspected
Slide 32
Conclusions
• A MAC layer monitoring tool is required
• A proof-of-concept monitoring tool is implemented
• Such tools can be easily integrated with existing monitoring systems (Konark)
Slide 33
Future Directions
• Cost-efficient ways of monitoring the MAC layer need to be determined
• Efficient methodologies for building intrusion detection systems for thin clients are required
• Ajanta agents need to be customized to run on handhelds and wearable computers