Enhancing the Security of Corporate Wi-Fi Networks Using DAIR
Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh**, Alec Wolman, Brian Zill
Microsoft Research, **Cornell University

Motivation
• Corporations becoming increasingly dependent on WLAN infrastructure
– Worldwide enterprise WLAN business expected to grow from $1.1 billion this year to $3.5 billion in 2009
• Wi-Fi networks are vulnerable to many threats
– Rogue AP, Denial of Service, Phishing …
– DefCon 2005: Wi-Fi Pistol, Wi-Fi Sniper Rifle, Wi-Fi Bouncing, AirSnarf box

Example: Rogue AP
• Careless employee brings AP from home and plugs it into corporate Ethernet
• Bypasses corporate Wi-Fi security measures
– For example: WPA, 802.1X
• Permits unauthorized users to connect to corporate network
– Malicious user outside the building?
• Widespread problem
– Ongoing concern for MS IT department
– Surveyed two major US universities, found multiple rogue APs

Need for WiFi Monitoring Systems
• Preventive measures such as 802.1X do not guarantee full security
• In addition, need WiFi monitoring system to detect problems in operational WiFi networks
– Detect Rogue AP by overhearing packets containing unknown BSSID

Challenges in Building an Enterprise-scale WiFi Monitoring System
• Scale of WLAN
– Microsoft’s WLAN has over 5000 APs
• Need to deploy many monitors
– Rapid fading of signal in indoor environment
– Multiple orthogonal channels
– May need observations from multiple vantage points
– Pinpoint location of rogue AP

Example Scenario
[Figure: floor plan with monitors, rogue AP and client; plot of % Received vs. Time (Minutes)]
Demonstrates need for dense deployment of monitors

State of the Art
• AP-based monitoring [Aruba, AirDefense ..]
– Pros: Easy to deploy (APs are under central control)
– Cons: Single radio APs can not be effective monitors
• Specialized sensor boxes [Aruba, AirTight, …]
– Pros: Can provide detailed signal-level analysis
– Cons: Expensive, so can not deploy densely
• Monitoring by mobile clients [Adya et al., MobiCom’04]
– Pros: Inexpensive, suitable for un-managed environments
– Cons: Coverage not predictable: mobile, battery-powered clients; only monitor the channel they are connected on

Observation
• Desktop PCs with good wired connectivity are ubiquitous in enterprises
+
• Outfitting a desktop PC with 802.11 wireless is inexpensive
– Wireless USB dongles are cheap: as low as $6.99 at online retailers
– PC motherboards are starting to appear with built-in 802.11 radios
Combine to create a dense deployment of wireless sensors

DAIR: Dense Array of Inexpensive Radios

DAIR Architecture
[Figure: AirMonitors and a LandMonitor (1 per subnet) on the wired network feed a database and an inference engine; other data: SNMP, configuration]

Monitor Architecture
[Figure: wireless NIC driver and wired NIC driver feed a driver interface; a filter processor passes packets to filters; an SQL helper submits results to the database. Example: every 30 seconds, submit the list of all unique BSSIDs seen on a given channel]

Key Characteristics of DAIR
• High sensor density at low cost
– Leverages existing desktop resources
– Effective monitoring in indoor environments
– Can tolerate loss of a few sensors
• Sensors are (mostly) stationary
– Provides predictable coverage
– Permits meaningful historical analysis

Applications of the DAIR Platform
Security applications
– Detecting attacks on Wi-Fi networks
– Responding to such attacks
Performance management
– Monitor RF coverage
– Load balancing
Location service to support above applications

A Partial List of Threats to Wi-Fi Networks
• Rogue AP / Rogue Wireless Networks
• Denial of service
– Fake Disassociation [Bellardo and Savage 2003]
– NAV attack [Bellardo and Savage 2003]
– DIFS attack [Raya, Hubaux and Aad 2004]
– Jamming
• Phishing
– Set up a
“fake” AP that advertises well known SSID
– Lure unsuspecting users
– Acquire passwords

Rogue Wireless Networks
• An uninformed or careless employee who doesn’t understand (or chooses not to think about) the security implications
– Brings AP from home, and attaches it to the corporate network
– Configures desktop PC with wireless interface to create a rogue ad-hoc network
• Bypasses security measures such as WPA, 802.1X

Simple Solution
[Figure: AirMonitors report the BSSID/SSID pairs they see to the database; the inference engine compares them with the known list]
Known:
  BSSID        SSID
  00:08:AC …   MSFT
  00:09:3B …   MSRLAB
Seen:
  BSSID        SSID
  00:08:AC …   MSFT
  00:09:3B …   MSRLAB
  0C:3B:5A:    Joe’sAP

Problem with the Simple Solution
• False positives
– Multi-office buildings
• False negatives
– Malicious attacker fakes authorized SSID / BSSID
• DAIR can help reduce both false positives and false negatives
– No foolproof way to avoid false positives/negatives completely
– DAIR raises bar while generating fewer alarms

Reducing False Positives
• Detect whether rogue AP is connected to corporate wired network
• Series of tests:
– Association test
– Source/destination address test
– Replay test

Association Test
[Figure: AirMonitor associates with Joe’sAP (0C:3B:5A:) and tries to reach a machine inside the corporate firewall; database and inference engine shown]
If AirMonitor can connect to machine inside firewall via AP then AP is connected to corporate wired network

Association Test
• Test will fail if AP uses WEP or MAC address filtering
– People configure home APs with WEP or MAC filtering
• Failure means we need additional tests …

Source / Destination Address Test
[Figure: AirMonitor overhears frames; LandMonitor supplies the MAC addresses of the subnet routers (08:5B:3F: …, 08:3C:4F: …) to the database and inference engine]

Source / Destination Address Test
802.11 Data Frame (with encryption): Unencrypted Header + Encrypted Payload
MAC addresses in the header: Receiver (Access Point), Transmitter (Client), Destination (known address?)
If Destination Address belongs to a subnet router, then AP is connected to corporate wired network
Similar test for Source Address

Source / Destination Address Test
• Test will fail if AP is really a NAT/Router
– Many home APs combine AP and NAT/router functionality
• Failure means that additional tests are needed

Replay Test
[Figure: numbered steps 1–4 between AirMonitors, inference engine and LandMonitor]
1. AirMonitors capture data packets
2. At the same time LandMonitors are alerted to watch for duplicate packets on the wired network
3. One of the AirMonitors replays the captured packets
4. Each packet is replayed multiple times

Replay Test
• No need to decrypt packets
• Works for NAT/Routers
– Even rogue ad-hoc networks
• Fails if replay-resistant crypto scheme is used
– WPA2

Scalability
• Load on database server
• Load on individual AirMonitors
• Additional wired network traffic

Load on Database Server
[Figure: CPU Load (%) over one day, 1AM to 1AM, with 12 AirMonitors]
AirMonitors submit summarized data every 2 minutes
Database Server: MS-SQL 2005, 1.7GHz P4 with 1GB RAM

Load on Client Machine
[Figure: Load (%) over one day, 1AM to 1AM, for a machine running AirMonitor and for a machine not running AirMonitor]
Additional Network Traffic: 2-5Kbps per AirMonitor

Summary
• Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment
• Explored ways to leverage the platform to monitor threats to Wi-Fi networks

Related Work
• Campus-wide Wi-Fi monitoring system [Kotz and Essin 2005]
• Monitoring corporate network for mobility patterns [Balazinska and Castro 2003]
• Tools for analysis of packet-level Wi-Fi traces
– WIT [Mahajan et al. 2006]
– JigSaw [Cheng et al. 2006]

DAIR ongoing work
• Which channels should each AirMonitor listen on?
– What scanning strategy to use? [Deshpande et al.
2006]
– Depends on density of AirMonitors, environment
• Building an effective location system
• Building performance management tools

Backup slides

Wired Solutions
• Monitor CAM tables for unauthorized Ethernet addresses
– Not scalable
– Easy to fake Ethernet address
• Monitor DHCP requests, deny from unauthorized clients
– Bypassed using authorized client as forwarder
• IPSec
– Not widely used: hard to manage in heterogeneous environments
– Bypassed using authorized clients acting as forwarders
– Many machines on corporate LANs do not use IPSec: management servers on switches, printers, gateway machines

Reducing False Negatives
• Suspect is using an “authorized” SSID / BSSID
• If the “real” AP is still active
– Packet sequence numbers not monotonic
• If real AP is not active
– Determine location of suspect
– If different than expected, raise alarm

Example: Indoor WLAN Monitoring
[Figure: floor plan with monitors, rogue AP and client, annotated with per-monitor reception rates; plot of % Received vs. Time (Minutes). Red: beacon reception rate; Blue: data packet reception rate]
Rapid loss of signal strength in indoor environments
Complex, time-varying signal propagation

Taxonomy of Attacks on Wi-Fi Networks
• Eavesdropping
– Passive snooping (perhaps with high-gain antennas)
– Nearly impossible to detect
– Cryptographic techniques generally considered sufficient
• Intrusion
– Rogue AP / Rogue Ad-hoc network
– Cryptographic techniques not enough, need continuous monitoring
• Denial of Service
– Fake deauthentication/disassociation, NAV attacks
– Need monitoring system
• Phishing

Enterprise-scale WLAN Monitoring System: Challenges and Design Requirements
• Rapid fading in indoor environments
• Complex, time-varying signal propagation
• Many orthogonal channels
• Need information from many monitors
• Dense deployment of monitors
• Monitors must be self-configuring
• Scalable data gathering and processing
• Must cope with incomplete data

Replay Test
• AirMonitors replay packets with suspect BSSID
– If suspect is AP, only replay packets with ToDS bit set
– No need to decrypt packet
• Each packet is replayed multiple times (say 5)
• LandMonitors detect if duplicate packets are seen on wired network
• Works for rogue ad-hoc networks
• Fails if suspect is using WPA2 or other crypto schemes that are robust against replay attacks

Monitor Architecture
[Figure: block diagram. A Command Issuer sends commands (enable/disable filter, send packets) through a Remote Object with a heart beat to the Command Processor. A Packet Constructor / Sender sends packets via the Driver Interface. The Filter Processor enables/disables promiscuous mode and logging and delivers packets to all registered filters (WiFi Parser, DHCP Parser, Other Parser). The Driver Interface sends packets to, and queries, the Custom Wireless Driver and the Wired NIC Driver and gets packets/info from the device. The SQL Client dumps summarized packet information into the SQL tables on the SQL Server]
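The following Python is an added example, not code from the slides or from the DAIR project, that sketches the inference-engine side of three checks the deck describes: the "Simple Solution" comparison of seen BSSIDs against the known list, the Source / Destination Address Test applied to the cleartext 802.11 data-frame header (the address roles are taken from the ToDS/FromDS bits, so no payload decryption is needed, and a BSSID is only reported as rogue when it is both unknown and bridged to a subnet router, which is what cuts the neighbouring-office false positives), and the "Reducing False Negatives" observation that a spoofed authorized BSSID shows non-monotonic sequence numbers while the real AP is active. All MAC addresses, the sample capture and the MAX_GAP threshold are constructed or assumed values; the header layout is the standard 802.11 MAC header.

```python
# Added example (not DAIR's or Microsoft Research's code): an inference-engine
# pass over a constructed AirMonitor capture. Addresses and MAX_GAP are assumed.
import struct
from collections import defaultdict

KNOWN_BSSIDS = {"00:08:ac:00:00:01": "MSFT", "00:09:3b:00:00:02": "MSRLAB"}
SUBNET_ROUTER_MACS = {"08:5b:3f:00:00:01", "08:3c:4f:00:00:02"}  # from LandMonitors
SEQ_MODULUS = 4096   # 802.11 sequence numbers are 12 bits wide
MAX_GAP = 256        # assumed: a larger jump means a second transmitter is interleaving


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_data_frame(frame: bytes):
    """Parse the cleartext MAC header of an 802.11 data frame.

    Returns None for non-data or truncated frames. Which field holds the BSSID,
    source and destination depends on ToDS/FromDS, so the (possibly encrypted)
    payload is never needed.
    """
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:            # frame type 2 = data
        return None
    flags = fc >> 8
    to_ds, from_ds = bool(flags & 0x1), bool(flags & 0x2)
    a1, a2, a3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4   # drop the fragment number
    if to_ds and not from_ds:           # client -> AP: RA=BSSID, TA=client, A3=DA
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:         # AP -> client: A1=DA, TA=BSSID, A3=SA
        bssid, sa, da = a2, a3, a1
    elif not to_ds and not from_ds:     # ad-hoc: A1=DA, A2=SA, A3=BSSID
        bssid, sa, da = a3, a2, a1
    else:                               # WDS: A4 (bytes 24-30) carries SA
        if len(frame) < 30:
            return None
        bssid, sa, da = a2, _mac(frame[24:30]), a3
    return {"bssid": bssid, "sa": sa, "da": da, "from_ds": from_ds, "seq": seq}


def build_frame(to_ds, from_ds, a1, a2, a3, seq) -> bytes:
    """Construct a 24-byte data-frame header for the sample capture below."""
    fc = (2 << 2) | ((int(to_ds) | int(from_ds) << 1) << 8)
    hdr = struct.pack("<HH", fc, 0)     # frame control, duration
    for a in (a1, a2, a3):
        hdr += bytes(int(x, 16) for x in a.split(":"))
    return hdr + struct.pack("<H", seq << 4)


def address_test(frames):
    """Source / Destination Address Test: BSSIDs whose traffic has a subnet
    router as destination or source are bridged onto the corporate wired network."""
    wired = set()
    for p in filter(None, map(parse_data_frame, frames)):
        if p["da"] in SUBNET_ROUTER_MACS or p["sa"] in SUBNET_ROUTER_MACS:
            wired.add(p["bssid"])
    return wired


def unknown_bssids(frames):
    """The 'Simple Solution': seen BSSIDs that are not on the known list."""
    seen = {p["bssid"] for p in filter(None, map(parse_data_frame, frames))}
    return seen - set(KNOWN_BSSIDS)


def rogue_aps(frames):
    """Unknown BSSID and bridged to the wired network: the combination that
    avoids flagging a neighbouring office's AP."""
    return unknown_bssids(frames) & address_test(frames)


def seq_anomalies(frames):
    """Per BSSID, count AP-originated frames (FromDS set) whose sequence number
    is not a plausible continuation of the previous one. A single real AP counts
    up by one per frame; an impostor sharing the BSSID interleaves its own counter."""
    last, bad = {}, defaultdict(int)
    for p in filter(None, map(parse_data_frame, frames)):
        if not p["from_ds"]:
            continue
        b, s = p["bssid"], p["seq"]
        if b in last and (s - last[b]) % SEQ_MODULUS > MAX_GAP:
            bad[b] += 1
        last[b] = s
    return dict(bad)


# Constructed sample capture (every address is a placeholder)
MSFT, ROGUE = "00:08:ac:00:00:01", "0c:3b:5a:00:00:03"
CLIENT, ROUTER, PEER = "00:1a:2b:00:00:10", "08:5b:3f:00:00:01", "00:1a:2b:00:00:11"
SAMPLE_FRAMES = [
    build_frame(True, False, MSFT, CLIENT, ROUTER, 10),    # known AP, bridged
    build_frame(True, False, ROGUE, CLIENT, ROUTER, 11),   # unknown AP, bridged -> rogue
    build_frame(True, False, ROGUE, CLIENT, PEER, 12),     # unknown AP, local peer only
    build_frame(False, True, CLIENT, MSFT, ROUTER, 100),   # real AP's counter ...
    build_frame(False, True, CLIENT, MSFT, ROUTER, 3000),  # ... interleaved with an impostor
    build_frame(False, True, CLIENT, MSFT, ROUTER, 101),
    build_frame(False, True, CLIENT, MSFT, ROUTER, 3001),
    build_frame(False, True, CLIENT, MSFT, ROUTER, 102),
]

if __name__ == "__main__":
    print("unknown BSSIDs:", unknown_bssids(SAMPLE_FRAMES))
    print("bridged to wired network:", address_test(SAMPLE_FRAMES))
    print("rogue APs:", rogue_aps(SAMPLE_FRAMES))
    print("non-monotonic sequence numbers per BSSID:", seq_anomalies(SAMPLE_FRAMES))
```

On the sample capture the unknown BSSID is reported as rogue only because one of its frames is addressed to a subnet router; the same BSSID seen only talking to a local peer would, as the slides note, need the replay test to decide. The sequence-number counter reports four implausible jumps for the "MSFT" BSSID because two transmitters are using it at once, which is exactly the "real AP is still active" case of the false-negative slide.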