The Anti-Spyware war on the wireless LAN

The rise of Wireless LAN (WLAN) brings obvious benefits to all enterprises. IT not only enables enterprises to deploy a wireless LAN more easily where it networks are needed, in addition, it does not need the characteristics of cables, but also saves a lot of network infrastructure purchase and deployment costs for enterprises. However, wireless LAN also has various security threats similar to wired LAN. Due to its wireless characteristics, it has more vulnerabilities that are easy to attack than wired LAN, for example, the security threats caused by illegal wireless access devices are one of the unique security threats of wireless local areas.

Nowadays, there are more and more devices with WIFI wireless functions, and their sizes and weights are getting lighter and lighter. Therefore, an illegal wireless access device may be a laptop that uses wireless sniffing software and password cracking software, or a PDA or smart phone with WIFI functions, it is even a PSP game machine with WIFI function, not to mention the illegal Wireless AP installed by employees or hackers in the wireless LAN. Therefore, unauthorized wireless access devices can be called illegal wireless access devices.

It is precisely because of the portability of these wireless access devices that allow them to quietly lurk around or inside the LAN deployed by the enterprise as a spy. You can obtain confidential information transmitted in a wireless LAN by listening to various information in radio waves sent from a wireless LAN. Alternatively, you can use a wireless LAN to intrude into an enterprise LAN to obtain more confidential information they want.

So, as a network administrator or security engineer, how can we detect and defend against illegal wireless access devices that want to access the enterprise's wireless LAN at any time to win the anti-espionage battle in the wireless LAN?

Currently, most enterprises that have successfully deployed illegal Wireless Access Device Detection and defense solutions use the following technologies and tools:

1. Apply wireless network sniffing Technology for protocol analysis and tracking;

2. Apply a wireless intrusion detection/Defense System (WIDS/IPS), and then install sensors in the workstation or AP of the wireless LAN to detect illegal wireless access devices. However, it cannot detect Passive Wireless sniffing attacks and access requests, as well as internal personnel's active external wireless access points;

3. Use a handheld wireless device detection tool. Some hand-held on-site wireless detection tools can be used to detect the intensity and noise of wireless signals received, and can flexibly detect the entire wireless signal area to be covered, it can also be used to detect the actual boundary position of wireless signals;

4. Illegal wireless access devices are detected through site survey, MAC address list, and noise checking.

In practical applications, the above four methods are usually used together to achieve the best detection results. Therefore, below this article, xuanyuan meixiang will show you a three-layer three-dimensional detection and defense against illegal wireless access devices, as well as the steps to deploy it.

Step 1: fully understand our wireless LAN

The purpose of understanding a wireless LAN is to know which wireless devices exist in the current wireless LAN and which adjacent Wireless LAN and wireless access devices exist around the Enterprise.

We 'd better perform a detailed investigation on all the wireless access devices and APS in the current wireless LAN, and then record all the properties related to these wireless devices to the wireless device list. The wireless device attributes that need to be recorded include the MAC address used by each device and wireless network adapter, the allocated IP address, and the SSID number used by the AP and wireless network adapter, information about the AP supplier, AP type, and channels used by the AP and wireless network adapter.

The purpose of recording the properties of known wireless access devices and APS in a wireless LAN is to use them as the basis for distinguishing illegal wireless access devices.

In addition, if you need to add a new wireless access device during the operation of the wireless LAN, you must add the new device attributes to this table. The following table 1 shows the style of the wireless access device and AP attributes.

498) this. style. width = 498; "border = 0>

Table 1 wireless access device and AP list Style

At the same time, we must create an archive for these untrusted wireless devices to record their MAC addresses, ESSID numbers, channels, and signal-to-noise ratio (SNR) and the approximate location. This helps identify whether the detected wireless device is illegal during the subsequent illegal wireless device detection process. The table style can be the same as that in table 1.

After registering an enterprise's current wireless LAN and other nearby wireless access devices, it is best to mark the locations of these wireless access devices in the enterprise's wireless LAN with a plan, in this way, you can find out the specific location of devices when detecting illegal wireless access. Figure 1 shows a wireless device distribution chart.

498) this. style. width = 498; "border = 0>

Figure 1 Distribution chart of wireless devices in a wireless LAN

 

Step 2: deploy a solution to detect and defend against illegal Wireless Access Devices

Before this article, I mentioned that the best solution to detecting and defending against illegal wireless access devices is to fully combine the four main solutions mentioned above, to deploy a hybrid three-tier three-dimensional solution. 2 shows a three-layer network topology for detecting and defending against illegal wireless access devices.

498) this. style. width = 498; "border = 0>

Figure 2 network topology of layer-3 three-dimensional detection and defense against illegal Wireless Access Devices

In the three-layer three-dimensional detection and defense solution shown in figure 2, we divide the entire detection and defense system into control layer, service layer, and sensor layer.

On the sensor layer, you can install a wireless signal detector into a workstation or use a sensor integrated with the AP. However, no matter which method is used, all suspicious activities, including illegal Wireless Access to the device, must be monitored. All Detected signals are transmitted to the service layer over a wireless network, which is processed by WIDS/IPS installed on the service layer.

The service layer is a server with WIDS/IPS installed. It can process the detection information sent from various sensors in a timely manner. Once a new illegal wireless access device is found in the network or surrounding location, WIDS/IPS will send a security alarm to the Administrator at the control layer, and then the Administrator will make the final response, or WIPS can automatically defend against these attacks.

To generate alarms for illegal wireless access devices, WIDS/IPS usually use ACL (Access Control List) for control. ACL identifies and discovers the MAC address, configuration name, and recently used IP address of the device through wireless access.

Sometimes, we do not want to generate alarms for wireless access devices of neighboring enterprises. This increases our workload and is prone to false positives and false negatives. We just need to know if these wireless access devices have ever accessed our network. Therefore, we can set WIDS/IPS so that it does not generate alarms for known neighboring APs. However, when they are found to be connected to the enterprise's wireless LAN, an alarm should be issued in a timely manner.

For locations that cannot be detected by wireless signal sensors, we can use handheld wireless signal analysis devices. For example, we can use handheld wireless signal analysis devices to perform mobile detection on the perimeter and dead corners of the enterprise's wireless LAN to find the missing illegal wireless access devices.

All these operations can be controlled by a network management system, which manages and configures WID/IPS servers, alarms generated by the WIDS/IPS server are also sent directly to the background Administrator console, and the Administrator responds to events in a timely manner.

Step 3: locate and clear illegal Wireless Access Devices

Because the location of an illegal wireless access device is often not fixed, it may change the location at any time. If we cannot immediately locate the specific location of the illegal device, then, even if we know that the enterprise wireless LAN is facing these "espionage" attacks, we do not know where these illegal wireless access devices are connected to the enterprise wireless LAN.

Of course, we can't just stay at the stage of knowing whether illegal wireless access devices exist in the enterprise's wireless LAN, the ultimate goal of deploying a solution for detecting and defending against illegal wireless access devices is to be able to locate and clear them.

To locate illegal wireless access devices, you must also use the corresponding tools and techniques. Generally, some network administrators and security engineers use the following three methods:

One is to use signal strength to estimate the distance between illegal wireless access devices and the nearest Wireless AP. If