Intrusion Detection Based on Wireless Networks

0. Introduction

With the development of wireless technology and network technology, wireless networks are becoming a hot spot in the market. However, with the improvement of hacker technology, wireless LAN (WLAN) is under more and more threats. Wireless networks are not only attacked based on the traditional wired network's TCP/IP architecture, but may also be threatened by security issues based on the IEEE 802.11 standard. In order to better detect and defend against these potential threats, this article describes the detection technology of counterfeit devices (including AP and Client, it also shows how to implement intrusion detection policies in WLAN Based on the Infrastructure architecture to prevent hacker attacks.

1. WLAN Security Problems

There are many security threats from WLAN, such as spying, denial of service attacks, monitoring attacks, MITM attacks, client-to-client intrusion, Rogue AP, flooding attacks, etc, this article only studies the detection of Rogue AP. Rogue AP is currently the largest security threat in WLAN. Hackers put unauthorized APS or clients in WLAN to provide unlimited access to the network and obtain key data through spoofing. Without knowing it, the wireless LAN User thought that he was connected to the wireless LAN through a good signal, but he was not aware that he had been listened to by hackers. With the low cost and ease of configuration, wireless LAN is becoming increasingly popular. Many users can also set up wireless base stations (WAPS) in their traditional LAN ), the backdoor programs installed by some users on the network also lead to an unfavorable environment open to hackers.

1.1 Rogue Device Detection

Detects the existence of an AP by listening to packets in the radio waves, and obtains all the AP, SSID, and STA in use. To complete the Rogue AP detection, You need to place the following components in the Network: ① detector Sensor/Probe, used to monitor wireless data at any time; ② Intrusion Detection System IDS, used to collect data from the detector, it can also determine which types of devices are Rogue devices. ③ the network management software is used to communicate with the wired network, determine the switch port connected to the Rogue Device, and disconnect the port.

In order to discover the AP, detectors distributed across the network can capture and parse data packets. They can quickly discover the operations of all wireless devices and report the operations to the administrator or IDS system, this method is called RF scanning. Some AP can find the AP in the adjacent area. We only need to check the adjacent AP of each AP. Of course, through network management software, such as SNMP, you can also determine the physical address of the AP accessing the wired network.

After an AP is found, you can determine whether the AP is valid Based on the valid AP authentication List (ACL). If the list does not list the related parameters of the newly detected AP, then, the Rogue AP identifies the MAC address, SSID, Vendor, wireless media type, and channel of each AP. The AP can be regarded as an illegal AP by judging the MAC address, SSID, provider, wireless media type, or channel exceptions of the newly detected AP.

1.2 Rogue Client Detection

Rogue Client is a malicious wireless customer who attempts to illegally access WLAN or disrupt normal wireless communication. As long as the administrator pays more attention to their abnormal behavior, it is not difficult to identify fake customers. The main characteristics of abnormal behaviors include: ① sending a long Duration (Duration) frame; ② sustained time attack; ③ detecting "any SSID" device; ④ non-authenticated customer.

If the customer sends a frame with a Long Duration/ID, other customers must wait until the specified Duration (Duration) before using the wireless media, if the customer continuously sends such frames for a long time, other users will not be able to use wireless media and remain in the disassociation state.

To avoid network conflicts, a wireless node can send data within the specified time frame. According to the 802.11 frame format, the duration of the frame Header/the time interval specified by the ID field, reserve the channel for the node. The Network allocation vector (NAV) stores the time interval value and tracks each node. Other nodes can have a channel only when the duration value changes to O. This forces other nodes to not have a channel for this duration. If an attacker successfully sends long-lasting data packets, other nodes must wait for a long time and cannot accept the service, resulting in DOS for other nodes.

If the AP allows the customer to access the network with any SSID, this will bring great convenience to the attacker. If a customer finds a connection using any SSID, it is likely to be an attacker, the Administrator should change the AP settings to prohibit access using any SSID. If a counterfeit customer appears in the legal customer authentication list, you can determine based on the customer's MAC address and device supplier ID. If the NIC's MAC address or Vendor ID is not in the access control list, it may be an invalid customer.

2. Defense Against Wireless Network Attacks

When detecting a counterfeit AP, the immediate action should be taken to block the AP connection. The following methods can be used to block the AP connection: (1) DoS attacks, forces the customer to refuse wireless services. (2) the network administrator uses network management software to determine the physical connection location of the illegal AP and physically disconnects it. (3) detects the port on which the AP is connected to the vswitch and disables the port. You can use the wireless network management software to complete this task. Once a counterfeit AP is confirmed, the management software searches for the MAC address of the AP, and then finds the port on which it is connected to the switch based on the MAC address, to disconnect or block all network traffic through the port. This will automatically prevent the customer from connecting to the counterfeit AP and switch to other adjacent APs. This is the most effective method.

For a Rogue customer, when it is confirmed that the customer is an illegal customer, the network administrator can disconnect the customer's network. The common practice is to remove invalid customers' MAC addresses from the access control list (ACL) of the AP. The ACL determines which MAC addresses can access the network, and those cannot access the network.

2.1 application of IDS

The Intrusion Detection System (IDS) analyzes the transmitted data in the network to determine the damage to the system and the intrusion events. In some cases, firewall or authentication system can be easily used. Intrusion detection uses this technology to respond to unauthorized connection attempts and even defend against some possible intrusions. The ID-WG of IETF divides an intrusion detection system into four components: event generator, event analyzer, Response Unit, event database. The basic architecture of IDS in a traditional wired network is shown in Figure 1.

　　

Figure 1 General framework of the intrusion detection system

The detector placed in the network detects an exception, generates an event, reports it to the analyzer, and generates an alarm report to the manager after analysis. The Administrator decides how to perform the operation and responds to the event. We apply the IDS technology in traditional networks to wireless networks in order to enhance the ability of wireless networks to defend against attacks.

In the test environment, we set up a WLAN Network Based on the Infrastructure to test the performance of IDS.

The detection system is a network-based intrusion detection system (NIDS), as shown in figure 2. In the console of the network administrator center, configure the detection proxy and view the detection results and perform association analysis. The monitoring agent monitors data packets. It uses the detection engine to detect the data packets, record the warning information, and send the warning information to the central console. Probe is used to capture wireless data packets and send them to the Monitoring Agent.

　　

Figure 2 intrusion detection system with AP Mode

2.2 test results

We use the open-source IDS system WIDZ for intrusion detection, and use unauthorized users to attack the network (counterfeit MAC addresses). The recorded Detection alarms are as follows:

Alert NON whitelist mac essid Wireless_packet_type Beacon mac1 ffffffffffff

Mac2 0030ab1b9bcc mac3 0030ab1b9bcc mac4 OO0000000000

Alert NON whitelist mac essid Wireless_packet_type Probe Request mac1

Ffffffffffff mac2 00904b063d74 mac3 ffffffffffff mac4 oooooooooooooo

Alert NON whitelist mac essid Wireless_packet_type Probe Response mac1

00904b063d74 mac2 0030ab1b9bcc mac3 0030ab1b9bcc mac4 oooooooo000000

A1ert NON whitelist mac essid packet_type Authentication mac1 0030ab1b9bcc

Mac2 00904b063d74 mac3 0030ab1b9bcc mac4 OOOOO0000000

Alert NON whitelist mac essid Wireless_packet_type Association Request mac1

0030ab1b9bcc mac2 00904b063d74 mac3 0030ab1b9bcc mac4 000000000000

Alert NON whitelist mac essid packet_type NULL Function mac1 0030ab1b9bcc

Mac2 00904b063d74 mac3 0030ab1b9bcc mac4 000857697265

It can be seen that the MAC address of a valid device that is not listed in the ACL table is identified, which may be a counterfeit device. The other thing is to find the device and disconnect it.

3. Conclusion

Due to the particularity of the transmission media and the defects of the 802.11 standard, wireless networks have many security problems. In this article, we analyze the counterfeit attacks in wireless networks from a technical point of view, A solution is proposed, and an intrusion detection solution to ensure wireless network security is provided. Of course, there are many security threats in wireless networks, which need further research.

References:

[1] Draft-ietf-idwg-requirements-10.txt.Intrusion Detection Message Exchange Requirements [EB/OL]. []. http://iet-freport.isoc.org/a11-ids/draft-ietf-idwg-re-quirements-1O.txt

[2] stefan a. Intrusion Detection Systems: A Survey and Taxonomy [EB/OL]. []. http://www.mnlab.cs.depaul.edu/seminar/spr2003/IDSSurvey.pdf.

[3] mazda s, julie h. Intrusion Detection in 802.11 Wireless Local Area Networks [EB/OL]. []. http://www.ottawa.drdc-rddc.gc.ca/docs/e/TM2004-120.pdf.

[4] anand d. Rogue Detection and Blocking [EB/OL]. []. http://www.adventnet.com.

[5] Jiang jianchun, Feng dengguo. principles and technology of network intrusion detection [M]. Beijing: National Defense Industry Press, 2001.

[6] Design and Implementation of Tang zhengjun's network intrusion detection system [M]. Beijing: Electronic Industry Press, 2002.