Chapter 11: Additional WLAN Security Solutions


This chapter deals with topics crucial to WLAN security that deserve special attention. Each has a useful and unique approach to WLAN security and merits coverage in this text. The subjects in this chapter are unrelated to each other, or to other categories, which is why they are covered as "additional" security solutions. Included herein are discussions about intrusion detection systems, thin client network models, using DHCP for authentication, network traffic baselining, Kerberos, RADIUS, LDAP, and some emerging standards; each of these technologies offers additional layers of security to WLANs.

11.1 Intrusion Detection Systems

Intrusion Detection Systems (IDSs) have been a critical security component of wired networks for a number of years now. They are beginning to appear in the wireless security software marketplace and have been specifically designed with the discrete requirements of wireless networks in mind. An IDS inspects inbound and outbound traffic and, through the use of built-in rule sets, identifies suspicious activity that could be the result of a hacker trying to break into a network. Firewalls are also used for this purpose, but an IDS is different from a firewall because a firewall monitors for intrusions to stop them from occurring. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. Both the firewall and IDS security packages may be configured to monitor internal network traffic for anomalies and attacks originating from within the system.

Wired network IDS products are designed as a solution for wired networks, and as such, typically provide minimal security in a wireless environment. For example, wired IDS products may help avoid denial-of-service (DoS) attacks in a wired network, but they are only marginally effective in a wireless environment, providing less than adequate security. Furthermore, man-in-the-middle attacks, client hijacking, jamming, or rogue APs in a wireless network would likely go unnoticed by a wired network IDS deployed for use in a WLAN. A wired IDS cannot detect wireless-based attacks or threats such as rogue APs, software APs, ad hoc networks, sniffers, NetStumbler probes, or Kismet users. Although a wired IDS can detect wireless-borne IP attacks once they hit the wire, it is basically useless against wireless-based attacks.

The new breed of wireless IDS products can search a WLAN for vulnerabilities, detect and respond to intruders, and help the WLAN administrator manage a WLAN. As with a wired IDS on a wired network, a wireless IDS in a wireless environment has the functionality to detect session hijacking, spoofing, identity theft, and DoS attacks before those packets ever reach the network. Other new wireless IDS products allow the placement of their monitoring sensors near APs. These sensors may also be sold as part of the AP firmware. These sensors monitor and capture all wireless traffic on these APs 24/7 and report information to a central monitoring server, where the data can be analyzed and acted upon.

Both the wired and wireless IDS may experience false-positive alarms. False positives occur when legitimate network traffic violates policy or boundary rules set up within the IDS. For example, a wireless client uploading a large file to a network server could trigger an IDS alarm if the IDS contains a policy limiting data transfer size. False positives waste institutional resources and add to the cost of implementing any type of IDS. Careful analysis of the network before implementation, baselining for historical data comparison, and security policy rule sets that are realistic and responsible will all help reduce false-positive alerts. An IDS can be configured to fit your security policy and your network's design with many built-in features and options. These optional IDS features include network-based or host-based monitoring, passive or reactive monitoring, misuse detection, anomaly detection, vulnerability detection, and the ability to do performance monitoring.

Deciding on the type of IDS to choose for your enterprise, and deciding on how to configure its options and features, can be crucial to the long-term success of this undertaking. For this endeavor, there is no single correct answer. Network design, projected transactional load, the depth of security policy desired, the real and future costs, implementation, and management overhead are critical factors that should be considered when configuring a wireless IDS security product.

Conventional network-based IDSs analyze all packets, anywhere on the network, including incoming packets that are unsuccessful. This data is logged and compared to a security rule set in the IDS or reviewed by a human for malicious or anomalous behavior. Further actions that may be taken can include adjusting security policies as they may apply to the IDS and fine-tuning the network's components for increased efficiency and throughput. The inclusion of wireless devices in a conventionally secured wired network presents challenges, as well as opportunities, to incrementally add security to the entire topology. WLANs are a high-speed environment, and the potential additional traffic load must be considered when choosing the proper IDS configuration. The IDS must not only be able to process an additional volume of traffic, but it must also handle the higher transmission speed of the wireless clients, even when network loads are at their peak.

An increasing number of network-based wireless intrusion detection systems utilize a completely passive method to "listen" on the wireless segment through wireless sensors. These sensors must be placed strategically across the network so that all wireless traffic can be monitored. This means that you should place sensors at, in, or near every AP in order to detect typical wireless attack techniques such as setting up rogue APs or jamming devices; however, many network-based IDSs place their sensors upstream from the switch where APs connect. This type of design is less effective because the sensors cannot hear what is happening on each wireless segment.

Host-based IDSs examine the data on each node/host computer in a system, allowing them to report suspicious activity back to a central server. Host-based IDSs monitor attacks against individual computers more precisely than network-based systems. If the wireless sensors are not correctly placed in the network, then the detection of rogue APs, RF jamming devices, and other RF DoS equipment is not feasible.

Identity theft, DoS, man-in-the-middle attacks, and other such attacks can be monitored as they occur through the use of real-time monitoring. If the IDS is working in passive mode (so as not to alert attackers of its presence), these attacks will raise alarms as they occur, allowing security personnel to take action. Because most networks are not monitored by people all of the time, IDSs running 24/7 are configured to be reactive to certain attacks and eliminate threats. It is critical to think through the ramifications of the potential actions IDSs may take in automatic mode because they can be configured to restrict access to services, shut down services, disconnect certain connections, and take other appropriate actions as defined in the IDS configuration's policy rule set. It is important to remember that these settings are configured through well-thought-out policies and not the IDS itself. Any reactions to a perceived attack may adversely affect the normal activities of the network's authorized users. Thus, the decision to configure the IDS to be reactive must be made after consulting, educating, and receiving buy-in from management.

The IDS analyzes information gathered from both internal and external sources to detect misuse or abuse of a network by applying misuse detection rules to the WLAN. For example, typical rules may include limiting APs to operate only on specific channels, requiring all WLAN traffic to be encrypted, prohibiting SSIDs from being broadcasted unmasked, and limiting traffic on the WLAN to occur only within certain hours of the day. An IDS can be used like a traditional management system or directly tied into a wireless management software package in order to effect necessary changes.
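The four misuse-detection rules just listed (permitted channels, mandatory encryption, masked SSIDs, permitted hours) can be expressed as a small rule set that a sensor's beacon observations are checked against. The following is an added example, not code from the book or from any IDS product; the policy values, the BSSID list and the observation records are all constructed for illustration. It goes one step beyond the text by also treating any BSSID that is not on an authorized-AP list, and any advertised ad hoc (IBSS) network, as a finding.

```python
"""Misuse-detection rule set for a WLAN IDS (constructed example, not vendor code)."""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional


@dataclass(frozen=True)
class Observation:
    """One beacon/probe-response record as a wireless sensor would report it."""
    bssid: str
    ssid: Optional[str]   # None means the SSID was masked (not broadcast)
    channel: int
    encrypted: bool       # Privacy bit set in the capability field
    ibss: bool            # IBSS bit set: an ad hoc network, not an AP
    seen_at: time         # local time of the observation


# Hypothetical site policy mirroring the rules described in the text.
POLICY = {
    "allowed_channels": {1, 6, 11},
    "require_encryption": True,
    "require_masked_ssid": True,
    "allowed_hours": (time(7, 0), time(19, 0)),
    "authorized_bssids": {"00:11:22:33:44:01", "00:11:22:33:44:06"},
}


def evaluate(obs: Observation, policy=POLICY) -> List[str]:
    """Return the list of policy violations for one observation (empty if compliant)."""
    findings = []
    if obs.ibss:
        # Ad hoc networks are never authorized; AP-specific rules do not apply to them.
        findings.append(f"{obs.bssid}: ad hoc (IBSS) network advertised, SSID={obs.ssid!r}")
        return findings
    if obs.bssid not in policy["authorized_bssids"]:
        findings.append(f"{obs.bssid}: BSSID not in authorized AP list (possible rogue AP)")
    if obs.channel not in policy["allowed_channels"]:
        findings.append(f"{obs.bssid}: operating on disallowed channel {obs.channel}")
    if policy["require_encryption"] and not obs.encrypted:
        findings.append(f"{obs.bssid}: open (unencrypted) network")
    if policy["require_masked_ssid"] and obs.ssid is not None:
        findings.append(f"{obs.bssid}: SSID {obs.ssid!r} broadcast unmasked")
    start, end = policy["allowed_hours"]
    if not (start <= obs.seen_at <= end):
        findings.append(f"{obs.bssid}: activity at {obs.seen_at} outside permitted hours")
    return findings


def evaluate_all(observations, policy=POLICY):
    """Map each observed BSSID to its findings."""
    return {obs.bssid: evaluate(obs, policy) for obs in observations}


# Constructed sensor observations (not real captures).
SAMPLE = [
    Observation("00:11:22:33:44:01", None, 1, True, False, time(9, 15)),          # compliant
    Observation("00:11:22:33:44:06", "corp-wlan", 6, True, False, time(10, 0)),   # SSID unmasked
    Observation("aa:bb:cc:dd:ee:ff", "free-wifi", 3, False, False, time(23, 30)), # unknown, open, off-channel, after hours
    Observation("02:00:00:00:00:01", "adhoc-share", 11, False, True, time(12, 0)), # ad hoc network
]

if __name__ == "__main__":
    for bssid, findings in evaluate_all(SAMPLE).items():
        print(bssid, findings or "OK")
```

Each finding carries the BSSID so that a management system fed by the IDS can act on the specific AP; the hours rule is deliberately evaluated last so that a rogue or open AP is reported as such even when it is seen inside working hours.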

The IDS anomaly detection feature monitors and compares network segments and their current status to "normal" baselines and reports anomalies that raise alerts to the appropriate personnel. Baseline norms for typical network load, protocols, and packet size should be established before implementation of an IDS. Users consuming more than average bandwidth can be identified by monitoring the performance of the network. More importantly, anomalous traffic loads may be evidence of an attack in progress. High traffic loads may be a DoS, and very low or no traffic load may indicate a damaged or nonfunctioning network segment.
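The baseline-then-compare approach described here, as an added example that is not from the book: historical per-interval counters for one segment are summarized into a baseline of load and average frame size, and new intervals are labelled as a possible DoS (load far above normal), a possible dead segment (little or no traffic), or a frame-size anomaly. All counters, thresholds and the minimum-history rule are constructed for illustration.

```python
"""Baseline-and-compare anomaly detection for WLAN segment traffic.

Constructed example: counters are invented, not captured from a real network.
"""
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple


class Interval(NamedTuple):
    minute: int        # start of a 5-minute interval, minutes since window start
    bytes_total: int   # bytes carried on the segment in the interval
    packets: int       # frames carried in the interval


class Baseline(NamedTuple):
    mean_bytes: float
    stdev_bytes: float
    mean_frame_size: float


MIN_HISTORY = 10   # hypothetical rule: refuse to baseline on too little history


def build_baseline(history: List[Interval]) -> Baseline:
    """Derive a segment's 'normal' load and frame size from historical intervals."""
    if len(history) < MIN_HISTORY:
        raise ValueError(f"need at least {MIN_HISTORY} intervals, got {len(history)}")
    loads = [i.bytes_total for i in history]
    sizes = [i.bytes_total / i.packets for i in history if i.packets]
    return Baseline(mean(loads), pstdev(loads), mean(sizes))


def classify(interval: Interval, base: Baseline,
             z_high: float = 3.0, low_fraction: float = 0.1,
             small_frame_fraction: float = 0.25) -> str:
    """Label one interval against the baseline.

    'low-or-no-traffic'   load under low_fraction of normal: damaged or
                          nonfunctioning segment, or a sensor that stopped reporting
    'high-load'           load more than z_high standard deviations above normal:
                          possible DoS
    'small-frame-anomaly' normal byte load but average frame size far below
                          normal: protocol mix deserves a closer look
    'normal'              everything else
    """
    if interval.bytes_total < low_fraction * base.mean_bytes:
        return "low-or-no-traffic"
    spread = base.stdev_bytes or 1.0   # avoid division by zero on a perfectly flat history
    z = (interval.bytes_total - base.mean_bytes) / spread
    if z > z_high:
        return "high-load"
    if interval.packets:
        if interval.bytes_total / interval.packets < small_frame_fraction * base.mean_frame_size:
            return "small-frame-anomaly"
    return "normal"


def review(history: List[Interval], current: List[Interval]) -> Dict[int, str]:
    """Baseline one segment from its history and label each current interval."""
    base = build_baseline(history)
    return {i.minute: classify(i, base) for i in current}


# Constructed history: twelve quiet intervals of roughly 5 MB with ~800-byte frames.
HISTORY = [Interval(5 * n, b, b // 800) for n, b in enumerate([
    4_800_000, 5_100_000, 4_950_000, 5_200_000, 5_050_000, 4_900_000,
    5_150_000, 4_850_000, 5_000_000, 5_100_000, 4_950_000, 5_050_000])]

# Constructed intervals to review against that baseline.
CURRENT = [
    Interval(60, 5_200_000, 6_500),    # ordinary load, ordinary frame size
    Interval(65, 30_000_000, 37_500),  # six times the normal load
    Interval(70, 0, 0),                # nothing heard on the segment
    Interval(75, 5_000_000, 50_000),   # normal bytes, but 100-byte frames
]

if __name__ == "__main__":
    for minute, label in review(HISTORY, CURRENT).items():
        print(f"t+{minute:>3} min: {label}")
```

The baseline is recomputed per segment rather than network-wide because, as the text notes, a load that is normal for one AP may be anomalous for another; the minimum-history check is the guard that keeps a freshly added segment from being judged against a baseline made of two or three samples.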

A robust IDS on a WLAN can detect vulnerabilities in real time, such as rogue APs on the network or the creation of ad hoc networks. An open rogue AP that has hijacked an authorized user can result in a peer-to-peer attack. Locating any ad hoc networks that are actively transmitting traffic is the first step in preventing peer-to-peer attacks of this nature. WLANs share a finite amount of bandwidth, so it is important to determine who is using the bandwidth and when. If the business rules support it, streaming audio, video, and peer-to-peer file-sharing applications may be disallowed to keep the network from being flooded with unneeded traffic. When the built-in rate-limiting functionality of an enterprise wireless gateway is being used, the performance monitoring features in the IDS are not required solely to locate and control network abusers. Instead, these features can still be used to report WLAN usage statistics. Over time, IDS performance monitoring can also provide statistics for AP bandwidth load. This enables the development of management reports that, along with site surveys, can be used to determine where and when growth of the network needs to occur to meet additional user requirements.

Because of the unpredictability of attacks, active monitoring must be conducted 24/7, and the results of this monitoring must be reviewed in real time by qualified security personnel whenever possible. These security personnel must be experts in general networking and systems knowledge, be up to date on security vulnerabilities, know the strategies for incident handling and attack mitigation, and be empowered to make time-critical security decisions to prevent an attack from damaging, compromising, or stealing resources.

A security policy should be in place to define the governance and operation of an incident response team to an attack or anomaly identified by the IDS. The policy must define primary and secondary contact personnel, how they are to be notified, and what steps they should take to respond to the incident properly. This includes stipulating who is responsible for each managerial or technical activity. A good security policy must include a section on IDS incident handling procedures for both wired and wireless clients.

In order for the IDS to be an effective security tool, the activity logs and the reports generated by the IDS must be handled securely, efficiently, and with consideration about their relative importance. These logs may be used in evidentiary proceedings by law enforcement, and their significance as a historical source document cannot be dismissed. Timely incident response is largely based on the following factors: detailed and understandable reports, near real-time analysis by qualified network security personnel, and immediate corrective action appropriate to the incident. Adherence to these factors can help make the IDS an effective tool, rather than an expensive use of time, resources, and money. Responding to incidents poorly, or in an untimely manner, will allow an attack to proceed in most cases. Additionally, the complexities of today's wireless IDS dictate that the appropriate personnel attend all available training sessions offered by the IDS vendor.

Periodic upgrades to the system, such as host-based agent updates, and updates to the network-based software and firmware should begin shortly after the IDS is installed and running. Ongoing training for the personnel responsible for the operation and maintenance of the IDS will ensure its continued success and effectiveness. All network devices associated with the IDS should be tested periodically for operational readiness. As new WLAN segments are added, these new segments must be incorporated into the IDS. Professional security audits should be conducted, preferably by outside resources, at least annually, and should test the IDS for weaknesses. Regularly scheduled spot-checking of the IDS should be considered mandatory to measure its efficiency and improve its operation.

Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153