Enhancing the Security of Corporate Wi-Fi Networks Using DAIR Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec Wolman, Brian Zill Presented By: J. Falquez

Jan 04, 2016

Page 1: Enhancing the Security of Corporate Wi-Fi Networks Using DAIR Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec.

Enhancing the Security of Corporate

Wi-Fi Networks Using DAIR

Paramvir Bahl, Ranveer Chandra, Jitendra Padhye,

Lenin Ravindranath, Manpreet Singh, Alec Wolman,

Brian Zill

Presented By: J. Falquez

Page 2: Challenges in Building an Enterprise-scale WiFi Monitoring System

• Scale of WLAN
  – Microsoft's WLAN has over 5000 APs

• Need to deploy many monitors
  – Rapid fading of signal in indoor environments
  – Multiple orthogonal channels
  – May need observations from multiple vantage points to pinpoint the location of a rogue AP

Page 3: Taxonomy of Attacks on Wi-Fi Networks

• Eavesdropping
  – Passive snooping (perhaps with high-gain antennas)
  – Nearly impossible to detect
  – Cryptographic techniques generally considered sufficient

• Intrusion
  – Rogue AP / rogue ad-hoc network

• Denial of Service
  – Fake deauthentication/disassociation, NAV attacks, DIFS attacks, jamming

• Phishing
  – Acquire passwords

Page 4: Example: Rogue AP

• Careless employee brings an AP from home and plugs it into the corporate Ethernet

• Bypasses corporate Wi-Fi security measures
  – For example: WPA, 802.1X

• Permits unauthorized users to connect to the corporate network
  – Malicious user outside the building?

• Widespread problem
  – Ongoing concern for the MS IT department
  – Surveyed two major US universities, found multiple rogue APs

Page 5: Need for WiFi Monitoring Systems

• Preventive measures such as 802.1X do not guarantee full security

• In addition, a WiFi monitoring system is needed to detect problems in operational WiFi networks
  – Detect a rogue AP by overhearing packets containing an unknown BSSID

Page 6: Example: Indoor WLAN Monitoring

[Figure: floor plan showing a rogue AP and the client monitors around it, each annotated with its beacon reception rate (red) and data packet reception rate (blue); most monitors receive 0%, one receives 97% of beacons and 1.7% of data packets, another 26% of beacons and 0% of data packets]

Rapid loss of signal strength in indoor environments

[Figure: % received vs. time in minutes (0 to 300) at one monitor; y-axis 0 to 100%]

Complex, time-varying signal propagation

Page 7: State of the Art

• AP-based monitoring [Aruba, AirDefense, …]
  – Pros: Easy to deploy (APs are under central control)
  – Cons: Single-radio APs cannot be effective monitors

• Specialized sensor boxes [Aruba, AirTight, …]
  – Pros: Can provide detailed signal-level analysis
  – Cons: Expensive, so cannot be deployed densely

• Monitoring by mobile clients [Adya et al., MobiCom '04]
  – Pros: Inexpensive, suitable for unmanaged environments
  – Cons: Coverage not predictable (mobile, battery-powered clients); clients only monitor the channel they are connected on

Page 8: Observation

• Desktop PCs with good wired connectivity are ubiquitous in enterprises

• Outfitting a desktop PC with 802.11 wireless is inexpensive
  – Wireless USB dongles are cheap: as low as $6.99 at online retailers
  – PC motherboards are starting to appear with built-in 802.11 radios

Combine the two to create a dense deployment of wireless sensors:
DAIR: Dense Array of Inexpensive Radios

Page 9: DAIR Architecture

[Figure: AirMonitors and LandMonitors (one LandMonitor per subnet) sit on the wired network and report to a central Database; an Inference Engine runs over the Database together with other data (SNMP, configuration)]

Page 10: Monitor Architecture

[Figure: block diagram of one AirMonitor]
  – A custom wireless driver and the wired NIC driver sit at the bottom; the Driver Interface gets packets/info from the device, sends packets, queries the driver, and enables/disables promiscuous mode and logging
  – The Filter Processor delivers packets to all registered filters (WiFi parser, DHCP parser, other parsers) and enables/disables filters
  – The SQL Client dumps summarized packet information into the SQL tables on the SQL Server
  – The Command Processor, exposed as a Remote Object to a Command Issuer, accepts commands (enable/disable filter, send packets) and emits a heartbeat
  – The Packet Constructor and Sender build packets and hand them to the driver for transmission

Page 11: Key Characteristics of DAIR

• High sensor density at low cost
  – Leverages existing desktop resources
  – Effective monitoring in indoor environments
  – Can tolerate loss of a few sensors

• Sensors are (mostly) stationary
  – Provides predictable coverage
  – Permits meaningful historical analysis

Page 12: Applications of the DAIR Platform

• Security applications
  – Detecting attacks on Wi-Fi networks
  – Responding to such attacks

• Performance management
  – Monitor RF coverage
  – Load balancing

• Location service to support the above applications

Page 13: Rogue Wireless Networks

• An uninformed or careless employee who doesn't understand (or chooses not to think about) the security implications
  – Brings an AP from home and attaches it to the corporate network
  – Configures a desktop PC with a wireless interface to create a rogue ad-hoc network

• Bypasses security measures such as WPA, 802.1X

Page 14: Simple Solution

[Figure: AirMonitors report the BSSID/SSID pairs they overhear to the Database; the Inference Engine compares them with the list of known APs]

Known:
BSSID        SSID
00:08:AC …   MSFT
00:09:3B …   MSRLAB

Seen:
BSSID        SSID
00:08:AC …   MSFT
00:09:3B …   MSRLAB
0C:3B:5A …   Joe'sAP

A BSSID that is seen but not known (here 0C:3B:5A …, Joe'sAP) is reported as a suspected rogue AP.

Page 15: Problem with the Simple Solution

• False positives
  – Multi-office buildings (neighbours' APs are overheard but are not attached to the corporate network)

• False negatives
  – Malicious attacker fakes an authorized SSID / BSSID

• DAIR can help reduce both false positives and false negatives
  – No foolproof way to avoid false positives/negatives completely
  – DAIR raises the bar while generating fewer alarms

Page 16: Reducing False Negatives

• Suspect is using an "authorized" SSID / BSSID

• If the "real" AP is still active
  – Packet sequence numbers are not monotonic: every transmitter keeps its own 12-bit sequence counter, so frames from two devices that share one BSSID interleave two counters instead of forming a single increasing sequence

• If the real AP is not active
  – Determine the location of the suspect
  – If different from the expected location, raise an alarm

Page 17: Reducing False Positives

• Detect whether the rogue AP is connected to the corporate wired network

• Series of tests:
  – Association test
  – Source/destination address test
  – Replay test

Page 18: Association Test

[Figure: an AirMonitor associates with the suspect AP (0C:3B:5A …, Joe'sAP) and tries to reach a machine inside the corporate firewall; the result is recorded in the Database for the Inference Engine]

If the AirMonitor can connect to a machine inside the firewall via the AP, then the AP is connected to the corporate wired network.

Page 19: Association Test

• Test will fail if the AP uses WEP or MAC address filtering
  – People configure home APs with WEP or MAC filtering

• Failure means we need additional tests …

Page 20: Source / Destination Address Test

[Figure: the LandMonitor on each subnet learns the MAC addresses of the subnet routers (e.g. 08:5B:3F: …, 08:3C:4F: …) and records them in the Database; the Inference Engine checks the addresses in frames captured by the AirMonitor against them]

Page 21: Source / Destination Address Test

802.11 data frame (with encryption): the MAC header is unencrypted, only the payload is encrypted.

MAC addresses in the header: Receiver, Transmitter, and a third address. For a frame from a client to the AP (ToDS bit set) the receiver is the access point, the transmitter is the client, and the third address is the Destination on the wired side; for a frame from the AP to a client (FromDS bit set) the third address is the Source.

Known address? If the Destination Address belongs to a subnet router, then the AP is connected to the corporate wired network.

Similar test for the Source Address.

Page 22: Source / Destination Address Test

• Test will fail if the AP is really a NAT/router
  – Many home APs combine AP and NAT/router functionality; the wireless clients then address the AP's own MAC as their gateway, so no subnet router address ever appears in the 802.11 header

• Failure means that additional tests are needed
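The two header-only checks above (the sequence-number test of Page 16 and the source/destination address test of Pages 20-22), plus the BSSID set difference of Page 14, as an added example in Python. This is not the DAIR code; DAIR's AirMonitors summarize frames through a custom driver and a SQL database, whereas here the 802.11 data-frame header is built and parsed directly so the logic can run stand-alone. All MAC addresses are constructed: the slides show only truncated prefixes (00:08:AC …, 0C:3B:5A …), which are extended to full addresses here.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed sample addresses, extending the truncated prefixes shown on the slides.
KNOWN_BSSIDS: Set[str] = {"00:08:ac:00:00:01", "00:09:3b:00:00:02"}   # MSFT, MSRLAB
ROUTER_MACS: Set[str] = {"08:5b:3f:00:00:01", "08:3c:4f:00:00:02"}    # learned by LandMonitors
ROGUE_AP = "0c:3b:5a:00:00:03"      # "Joe'sAP"
CLIENT = "00:1c:b3:00:00:44"        # a wireless client


def _mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def _bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class Dot11Header:
    to_ds: bool
    from_ds: bool
    addr1: str   # receiver address
    addr2: str   # transmitter address
    addr3: str   # DA when ToDS=1, SA when FromDS=1, BSSID in an ad hoc (IBSS) frame
    seq: int     # 12-bit sequence number from the Sequence Control field


def build_data_frame(to_ds: bool, from_ds: bool, addr1: str, addr2: str, addr3: str,
                     seq: int, body: bytes = b"") -> bytes:
    """Build a minimal 3-address 802.11 data frame (constructed test input, not a capture)."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    frame_control = 0x08 | (flags << 8)        # type=2 (data), subtype=0; flags in the high byte
    seq_ctl = (seq & 0x0FFF) << 4              # fragment number 0 in the low 4 bits
    return struct.pack("<HH6s6s6sH", frame_control, 0, _mac_to_bytes(addr1),
                       _mac_to_bytes(addr2), _mac_to_bytes(addr3), seq_ctl) + body


def parse_data_frame(raw: bytes) -> Dot11Header:
    """Parse the unencrypted MAC header only; the (possibly encrypted) body is never touched."""
    if len(raw) < 24:
        raise ValueError("frame shorter than a 3-address 802.11 header")
    fc, _duration, a1, a2, a3, seq_ctl = struct.unpack_from("<HH6s6s6sH", raw, 0)
    if (fc & 0x0C) != 0x08:
        raise ValueError("not a data frame")
    flags = fc >> 8
    return Dot11Header(bool(flags & 0x01), bool(flags & 0x02),
                       _bytes_to_mac(a1), _bytes_to_mac(a2), _bytes_to_mac(a3), seq_ctl >> 4)


def bssid_of(h: Dot11Header) -> Optional[str]:
    """Which address field carries the BSSID depends on the ToDS/FromDS bits."""
    if h.to_ds and not h.from_ds:
        return h.addr1
    if h.from_ds and not h.to_ds:
        return h.addr2
    if not h.to_ds and not h.from_ds:
        return h.addr3
    return None  # 4-address WDS frame: not handled here


def unknown_bssids(headers: Iterable[Dot11Header], known: Set[str]) -> Set[str]:
    """The 'simple solution': every BSSID heard on the air that is not on the known list."""
    return {b for b in (bssid_of(h) for h in headers) if b is not None and b not in known}


def sequence_regressions(headers: Iterable[Dot11Header]) -> int:
    """Count backward jumps of the 12-bit sequence counter among frames attributed to one BSSID.
    One transmitter's counter only moves forward modulo 4096 (a retransmission repeats the same
    value, delta 0). Two devices sharing a BSSID each keep their own counter, so their
    interleaved frames jump backwards repeatedly."""
    regressions, prev = 0, None
    for h in headers:
        if prev is not None and (h.seq - prev) % 4096 > 2048:   # nearer going backwards
            regressions += 1
        prev = h.seq
    return regressions


def bssid_spoofing_suspected(headers: Iterable[Dot11Header], tolerance: int = 1) -> bool:
    """Tolerate a stray regression (frames reordered across AirMonitors) before alarming."""
    return sequence_regressions(headers) > tolerance


def source_destination_test(h: Dot11Header, router_macs: Set[str]) -> str:
    """'wired' if the distribution-system side address (addr3) is a known subnet router, else
    'inconclusive'. A NAT/router AP puts its own MAC there, so it needs the Replay Test."""
    if h.to_ds == h.from_ds:            # ad hoc frame (no DS address) or WDS frame
        return "inconclusive"
    return "wired" if h.addr3.lower() in router_macs else "inconclusive"


def demo() -> Dict[str, object]:
    known_ap, router = "00:08:ac:00:00:01", "08:5b:3f:00:00:01"
    # Downlink frames from the real AP: a retransmission (4095 twice) and a counter wrap.
    real = [parse_data_frame(build_data_frame(False, True, CLIENT, known_ap, router, s))
            for s in (4094, 4095, 4095, 0, 1)]
    # An impostor reusing the real BSSID while it is still active: two interleaved counters.
    spoofed = [parse_data_frame(build_data_frame(False, True, CLIENT, known_ap, router, s))
               for s in (100, 2000, 101, 2001, 102, 2002, 103, 2003)]
    # Uplink through Joe's AP: one frame addressed to a subnet router, one to the AP (NAT case).
    via_bridge = parse_data_frame(build_data_frame(True, False, ROGUE_AP, CLIENT, router, 7))
    via_nat = parse_data_frame(build_data_frame(True, False, ROGUE_AP, CLIENT, ROGUE_AP, 8))
    return {"unknown": unknown_bssids(real + [via_bridge], KNOWN_BSSIDS),
            "real_regressions": sequence_regressions(real),
            "spoof_suspected": bssid_spoofing_suspected(spoofed),
            "bridge": source_destination_test(via_bridge, ROUTER_MACS),
            "nat": source_destination_test(via_nat, ROUTER_MACS)}
```

`demo()` flags Joe's AP as unknown, reports zero regressions for the legitimate AP (the wrap from 4095 to 0 and the retransmission are both forward moves modulo 4096), flags the interleaved counters as spoofing, and returns "wired" only for the uplink frame whose destination is a known subnet router; the NAT case comes back "inconclusive", which is exactly why the deck moves on to the replay test.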

Page 23: Replay Test

[Figure: AirMonitors capture data packets 1, 2, 3, 4 from the suspect AP; one AirMonitor replays them over the air while the LandMonitor on the wired network watches for the duplicates]

AirMonitors capture data packets. One of the AirMonitors replays the captured packets, each packet multiple times. At the same time LandMonitors are alerted to watch for duplicate packets on the wired network.

Page 24: Replay Test

• AirMonitors replay packets with the suspect BSSID
  – No need to decrypt the packet

• Each packet is replayed multiple times (say 5)

• LandMonitors detect whether duplicate packets are seen on the wired network

• Works for NAT/routers, even for rogue ad-hoc networks

• Fails if the suspect is using WPA2 or other crypto schemes that are robust against replay attacks
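A simulation of the replay test of Pages 23-24, as an added example in Python and not the DAIR code (the real AirMonitor injects raw frames through its custom driver and the LandMonitor sniffs the Ethernet segment; here both ends and the suspect AP are modelled in-process). The frames and addresses are constructed. Four AP models show the outcomes the slides describe: a plain bridging (open/WEP) AP and a NAT/router AP both forward every replayed copy, so the LandMonitor sees duplicates; a WPA2 AP drops the replays because its CCMP packet-number check rejects anything not newer than the last frame from that client; and a neighbour's AP that is not on the corporate wire produces nothing for the LandMonitor to see.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class WirelessFrame:
    """What an AirMonitor captures: header fields in the clear, body opaque (maybe encrypted)."""
    bssid: str
    transmitter: str   # the wireless client
    destination: str   # DA from the header
    pn: int            # CCMP packet number (per-sender replay counter); meaningless for open/WEP
    body: bytes


@dataclass(frozen=True)
class WiredFrame:
    dst: str
    src: str
    payload: bytes


ApModel = Callable[[WirelessFrame], Optional[WiredFrame]]


def bridging_ap() -> ApModel:
    """Open or WEP AP bridging to Ethernet: every frame it accepts is forwarded, replays included."""
    return lambda f: WiredFrame(f.destination, f.transmitter, f.body)


def nat_ap(wan_mac: str, gateway_mac: str) -> ApModel:
    """Home AP/NAT combo: rewrites addresses and re-encapsulates, but still forwards every copy."""
    return lambda f: WiredFrame(gateway_mac, wan_mac, b"nat:" + f.body)


def wpa2_ap() -> ApModel:
    """CCMP replay protection: drop a frame whose packet number is not above the last one seen."""
    last_pn: Dict[str, int] = {}

    def forward(f: WirelessFrame) -> Optional[WiredFrame]:
        if f.pn <= last_pn.get(f.transmitter, -1):
            return None                      # replayed frame discarded by the AP
        last_pn[f.transmitter] = f.pn
        return WiredFrame(f.destination, f.transmitter, f.body)
    return forward


def foreign_ap() -> ApModel:
    """Neighbour's AP in a multi-office building: forwards to a wire our LandMonitors cannot see."""
    return lambda f: None


class LandMonitor:
    """Counts identical Ethernet frames on its subnet, but only once it has been alerted."""
    def __init__(self) -> None:
        self.counts: Counter = Counter()
        self.armed = False

    def alert(self) -> None:
        self.armed = True

    def observe(self, w: WiredFrame) -> None:
        if self.armed:
            self.counts[(w.dst, w.src, w.payload)] += 1

    def duplicates(self, copies: int) -> int:
        return sum(1 for c in self.counts.values() if c >= copies)


def replay_test(captured: List[WirelessFrame], suspect_bssid: str, ap: ApModel,
                wire: LandMonitor, repeats: int = 5) -> str:
    """Replay each captured frame `repeats` times without decrypting it; 'wired' if the
    LandMonitor then sees every copy, 'inconclusive' otherwise."""
    for f in captured:                       # originals already went through the AP when captured
        w = ap(f)
        if w is not None:
            wire.observe(w)
    wire.alert()                             # LandMonitors start watching when the replay starts
    for f in (f for f in captured if f.bssid == suspect_bssid):
        for _ in range(repeats):
            w = ap(f)
            if w is not None:
                wire.observe(w)
    return "wired" if wire.duplicates(repeats) > 0 else "inconclusive"


# Constructed capture: three frames from one client through the suspect AP.
SUSPECT = "0c:3b:5a:00:00:03"
CLIENT = "00:1c:b3:00:00:44"
GATEWAY = "08:5b:3f:00:00:01"
CAPTURED = [WirelessFrame(SUSPECT, CLIENT, GATEWAY, pn, b"\x9a\x1f" + bytes([pn]) * 8)
            for pn in (1, 2, 3)]


def demo() -> Dict[str, str]:
    return {"bridge": replay_test(CAPTURED, SUSPECT, bridging_ap(), LandMonitor()),
            "nat": replay_test(CAPTURED, SUSPECT, nat_ap("0c:3b:5a:00:00:04", GATEWAY), LandMonitor()),
            "wpa2": replay_test(CAPTURED, SUSPECT, wpa2_ap(), LandMonitor()),
            "foreign": replay_test(CAPTURED, SUSPECT, foreign_ap(), LandMonitor())}
```

The duplicate threshold equals the replay count, which keeps an ordinary retransmission or two from triggering the test; the trade-off the deck notes remains, in that any AP whose link layer enforces a replay window (WPA2 here) silently absorbs the probe and the test cannot distinguish it from an AP that is not on the corporate wire at all.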

Page 25: Scalability

• Load on database server

• Load on individual AirMonitors

• Additional wired network traffic

Page 26: Load on Database Server

12 AirMonitors; AirMonitors submit summarized data every 2 minutes
Database server: MS-SQL 2005, 1.7 GHz P4 with 1 GB RAM

[Figure: database server CPU load (%) over 24 hours (1AM to 1AM); y-axis 0 to 100%]

Page 27: [figure only; no text extracted]

Page 28: Load on Client Machine

[Figure: CPU load (%) over 24 hours (1AM to 1AM) on a machine not running AirMonitor and on a machine running AirMonitor; y-axis 0 to 100%]

Additional network traffic: 2-5 Kbps per AirMonitor

Page 29: Summary

• Built a scalable, cost-effective, dense WLAN monitoring platform in a corporate environment

• Explored ways to leverage the platform to monitor threats to Wi-Fi networks

Page 30: DAIR ongoing work

• Which channels should each AirMonitor listen on?
  – What scanning strategy to use? [Deshpande et al. 2006]
  – Depends on the density of AirMonitors and the environment

• Building an effective location system

• Building performance management tools

Page 31: Questions?