Signs of WLAN intrusion
By Lisa Phifer, VP, Core Competence
Many WLAN administrators are familiar with NetStumbler, a free discovery tool that sniffs out nearby 802.11 Access Points (APs). Unauthorized "rogue" APs get a lot of press, but are not the only threat. In this tip, we discuss how to spot other kinds of WLAN intrusion.
Step 1: Capture traffic
You'll need to capture wireless traffic being sent in the 2.4 and 5 GHz bands at your location. Start by getting yourself a wireless traffic analyzer and/or intrusion detection system (IDS).
Like Ethernet analyzers, WLAN analyzers capture and decode frames. They run on laptops and PDAs equipped with Wi-Fi NICs, passively scanning channels or watching one channel. They parse 802.11, 802.1X, and higher-layer protocols and display traffic capture results for visual inspection. They also analyze results to derive traffic statistics and generate alerts that help you get a better handle on WLAN security and performance. Examples include WildPackets AiroPeek, Network Instruments Observer, NAI Sniffer Wireless, AirMagnet Handheld and Laptop, AirScanner Mobile Sniffer, and Ethereal.
In larger WLANs, monitoring the entire network by spot-checking with stand-alone analyzers is impractical. WLAN IDSs (WIDSs) complement traffic analyzers by providing 24/7 monitoring. They rely on sensors placed at key points throughout the network. Sensors sum captured traffic and forward results to a central database, where an IDS engine watches for attack signatures, malformed frames, protocol sequencing errors, policy violations, and behavior changes. WIDSs are available from companies like AirMagnet, WildPackets, AirDefense, Newbury Networks, Network Chemistry, and Fatbloke.
If you're just starting out, try a shareware analyzer or 30-day commercial trial. As you become more proficient, add IDS and purchase more sophisticated products in accordance with your WLAN's size and risk.
Step 2: Analyze results
Once you've captured traffic, then what? Sure, you can watch the frames roll by, or stop and expand header and data fields. But what should you be looking for?
Watch for security policy violations, like stations or APs operating in Open System mode if you require Shared Key authentication, or devices operating without WEP if you require link encryption. Look for APs using default SSIDs, as these are often unconfigured (and therefore easily attacked). Keep an eye out for peer-to-peer "ad hoc" stations if not permitted in your WLAN. Tools can flag policy violations for you by generating alerts for these and other events like unauthorized stations/APs, stations associating with the wrong AP, or APs operating on unexpected channels.
You can't detect a completely passive sniffer. But you can watch for signs of active war driving. Look for excessive Probe Requests from stations that never associate, or stations that probe for vendor-default or "ANY" SSIDs. Watch for stations racking up 802.11/802.1X authentication or DHCP failures. Look for stations using IPs that lie within your subnet but have not been assigned by your DHCP server, and for stations that use a valid MAC address but have a different name than usual. Intruders use these techniques to get past your access control lists. If you see SNMP traffic on your WLAN, particularly aimed at your AP, suspect active NetStumbling.
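The probe-request checks described above can be run over frame summaries exported from an analyzer. The following is an added example, not part of the original tip; the record layout, the sample list of default SSIDs, the threshold and the function name are assumptions.

```python
from collections import Counter

# Assumed sample list of vendor-default SSIDs; extend it for your own site.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}

# Constructed frame summaries: (seconds, frame type, source MAC, SSID).
# An empty SSID in a probe request is the wildcard ("ANY") probe.
FRAMES = [
    (0, "probe-req", "00:11:22:33:44:01", "CorpNet"),
    (1, "assoc-req", "00:11:22:33:44:01", "CorpNet"),
    (2, "probe-req", "00:11:22:33:44:02", ""),
    (3, "probe-req", "00:11:22:33:44:02", ""),
    (4, "probe-req", "00:11:22:33:44:02", "linksys"),
    (5, "probe-req", "00:11:22:33:44:02", ""),
    (6, "probe-req", "00:11:22:33:44:03", "CorpNet"),
]

def wardriving_suspects(frames, probe_threshold=3):
    """Return {station MAC: sorted list of reasons} for suspicious probers."""
    probes = Counter()      # probe requests seen per station
    associated = set()      # stations that went on to associate
    reasons = {}
    for _ts, ftype, mac, ssid in frames:
        if ftype == "assoc-req":
            associated.add(mac)
        elif ftype == "probe-req":
            probes[mac] += 1
            if ssid == "":
                reasons.setdefault(mac, set()).add("probes for ANY SSID")
            elif ssid.lower() in DEFAULT_SSIDS:
                reasons.setdefault(mac, set()).add("probes for default SSID")
    # Many probes with no association at all is the stronger indicator.
    for mac, count in probes.items():
        if count >= probe_threshold and mac not in associated:
            reasons.setdefault(mac, set()).add("excessive probes, never associated")
    return {mac: sorted(r) for mac, r in reasons.items()}
```

Ordinary clients also send wildcard probes while scanning, so weigh the "ANY" reason together with the others rather than alone.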
SNMP, Telnet, or HTTP traffic generated by wireless stations, aimed at your APs or WLAN gateway, often signals an attempted attack. So do excessive frame counts -- for example, a spike in CRC errors may indicate jamming, while a spike in 802.11 Disassociate or Deauthenticate frames may indicate a DoS attack. Larger-than-usual WEP ICV errors or TCP resends may indicate packet injection or replay attacks. Here, you must baseline your WLAN to understand what's normal and what isn't; expert tools can help you do that.
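Baselining can be as simple as comparing the current per-minute counters against counts recorded during normal operation. The following is an added example, not part of the original tip; the counter names, the sample numbers and the mean-plus-k-standard-deviations rule are assumptions.

```python
from statistics import mean, pstdev

# Constructed per-minute counts taken from a quiet baseline capture.
BASELINE = {
    "deauth_disassoc": [2, 1, 3, 2, 2, 1, 3, 2],
    "crc_error": [40, 38, 45, 41, 39, 44, 42, 43],
    "wep_icv_error": [0, 1, 0, 0, 1, 0, 0, 1],
}

# What the text above says a spike in each counter may indicate.
MEANING = {
    "deauth_disassoc": "possible DoS attack",
    "crc_error": "possible jamming",
    "wep_icv_error": "possible packet injection or replay",
}

def spikes(current, baseline=BASELINE, k=3.0, min_count=5):
    """Return {counter: meaning} for counters above their baseline limit.

    The limit is mean + k * standard deviation of the baseline, with a
    floor of min_count so near-zero baselines do not alert on one frame.
    """
    alerts = {}
    for name, value in current.items():
        history = baseline[name]
        limit = max(mean(history) + k * pstdev(history), min_count)
        if value > limit:
            alerts[name] = MEANING[name]
    return alerts

# Constructed one-minute sample: only the deauth/disassoc count is abnormal.
SAMPLE = {"deauth_disassoc": 60, "crc_error": 47, "wep_icv_error": 2}
```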
Intruders may also try to attack servers on the adjacent wired network; look for routing protocols like OSPF or IGRP, ICMP port unreachables, and large numbers of TCP SYNs aimed at your Intranet servers. If you're using robust authentication (802.1X or VPN) and good gateway access control, these requests really should not make it into the wired network. Even so, their presence can alert you before the attacker finds your weak spot and exploits it.
Like NetStumbler, these tools also help you spot Rogue APs. Watch for Beacons from previously-unknown APs and APs using the same SSID and MAC address on more than one channel. Unauthorized APs may inadvertently expose the "soft underbelly" of your network if placed inside your firewall. Malicious rogue APs are worse -- they try to masquerade as a legitimate AP, tricking stations into associating with them. They listen to and record all traffic, without the legitimate station or AP realizing it. Analyzers and IDSs generate alerts that warn about suspicious APs, but don't assume all new APs are malicious. Chances are good that you will spot APs that simply belong to a neighbor.
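The two beacon checks above, run against an inventory of authorized APs. This is an added example, not part of the original tip; the inventory, the beacon records and the function name are assumptions, and separating unknown APs that advertise your SSID from those that do not goes one step beyond the text to help tell a masquerading AP from a neighbor.

```python
from collections import defaultdict

# Assumed inventory of authorized APs: BSSID (MAC) -> (SSID, channel).
AUTHORIZED = {
    "00:aa:bb:00:00:01": ("CorpNet", 1),
    "00:aa:bb:00:00:02": ("CorpNet", 6),
}

# Constructed beacon observations: (BSSID, SSID, channel in the beacon).
BEACONS = [
    ("00:aa:bb:00:00:01", "CorpNet", 1),
    ("00:aa:bb:00:00:02", "CorpNet", 6),
    ("00:aa:bb:00:00:02", "CorpNet", 11),     # same SSID+MAC, second channel
    ("00:cc:dd:00:00:09", "CorpNet", 3),      # unknown AP using our SSID
    ("00:ee:ff:00:00:07", "CoffeeShop", 11),  # unknown AP, foreign SSID
]

def classify_beacons(beacons, authorized=AUTHORIZED):
    """Return {BSSID: finding} for APs that need a closer look."""
    our_ssids = {ssid for ssid, _channel in authorized.values()}
    channels = defaultdict(set)   # (BSSID, SSID) -> channels seen
    findings = {}
    for bssid, ssid, channel in beacons:
        channels[(bssid, ssid)].add(channel)
        if bssid not in authorized:
            findings[bssid] = ("unknown AP advertising our SSID"
                               if ssid in our_ssids
                               else "unknown AP, possibly a neighbor")
    # One SSID/MAC pair beaconing on several channels suggests a copy.
    for (bssid, _ssid), seen in channels.items():
        if len(seen) > 1:
            findings[bssid] = "same SSID and MAC on multiple channels"
    return findings
```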
Step 3: Take action
Once you've spotted a suspicious device, take action to find and correct the problem. WLAN analyzers -- particularly portable analyzers -- are handy for locating devices. When using an IDS, start from the sensor with the strongest signal. The idea is to find the device by monitoring signal strength. However, by the time you notice the possible intrusion, the source may be long gone. You may also find that the "intruder" is just a visitor or employee with an unauthorized Wi-Fi interface; you may choose to authorize or ignore the visiting device. This is where configuring policies into your analyzer or IDS comes in handy, so that you don't waste time on "false positives" and devote your efforts to addressing real threats. Analyzers and IDS tools help you "hear" what's happening in your WLAN, but ultimately it's up to you to interpret suspicious events and decide whether remedial action is required.
21 Jul 2004