Identifying Threats in a Wireless Environment

Academic year: 2021

Master's Thesis

Identifying Threats in a Wireless Environment

Chris Viklund

Luleå University of Technology MSc Programmes in Engineering

Department of Computer Science and Electrical Engineering Division of Computer Communication

2005:234 CIV - ISSN: 1402-1617 - ISRN: LTU-EX--05/234--SE

Abstract

Threats towards networks are a constant problem, and with the rise and rapid growth of the Internet they have increased by orders of magnitude. In order to secure networks, patch management is a necessity, as is the use of firewalls and access control mechanisms. If a network-connected host is fully patched, could it still be subject to various break-in attempts, and if so, could they be detected? The wish for a complete view of the threats directed towards a network was realized in the birth of intrusion detection systems.

By utilizing intrusion detection systems for monitoring network flows for malicious activity, system administrators can learn which attacks are destined towards their networks and thereby obtain a better view of the threat level directed towards them.

The main goal of intrusion detection systems is to capture and log threats towards the networks, not necessarily prevent them from happening.

This thesis has explored how an intrusion detection system can aid in detecting threats towards a wireless communication. Given the inherent problems that exist in wireless conversations regarding eavesdropping and badly implemented security (WEP); could any of the threats be identified by an intrusion detecting system? The answer is yes and no. It is impossible to detect eavesdropping of the wireless medium, but other attacks directed towards wireless products can be detected in most cases.

Furthermore, the thesis set up a secure wireless communication utilizing a RADIUS server for authenticating clients and the TKIP encryption scheme for ensuring stronger encryption than WEP.

When monitoring a wireless communication with such characteristics, not much could be deduced given the security scheme, and most of the threats directed towards the test bed could be detected by the intrusion detection systems used.

Acknowledgements

This master's thesis is the final part of my Master of Science studies in computer science at Luleå University of Technology, Sweden. The thesis was conducted at Ericsson Microwave Systems in Gothenburg during the months of January to July 2005.

First of all, I would like to thank my supervisors Helena Sandström (LTU), Henrik Riomar, Anders Ripa and Bo Renman (Ericsson) for all their comments and support. Secondly, I would like to thank everybody else in general who has helped me with my thesis, either directly or in other ways.

Table of Contents

INTRODUCTION ...1

BACKGROUND...1

OBJECTIVES...1

DELIMITATIONS...1

DOCUMENT OUTLINE...1

ABBREVIATIONS AND ACRONYMS...2

HISTORICAL OVERVIEW ...4

BACKGROUND...5

INTRUSION DETECTION SYSTEMS...5

Threat detection...6

Anomaly detection ...7

Signature detection ...7

Network-Based IDS ...7

Host Based IDS...8

Stack Based IDS...8

Bayesian IDS...9

INTRUSION PREVENTION SYSTEM...9

NETWORK MONITORING...10

Port mirroring...10

Network hubs ...10

Network taps ...10

NETWORKS...11

Ethernet...11

WLAN...13

SECURITY TOOLS...20

Snort ...20

Snort-wireless ...20

Oinkmaster...20

Kismet ...21

Airsnort...21

Aircrack...21

Arpwatch...21

Advanced Console for Intrusion Detection (ACID) ...21

FreeRADIUS ...22

nmap ...22

Ethereal ...22

MySQL ...22

THREATS...23

WLAN attacks...23

Sniffing traffic...23

Disassociating nodes from APs...23

Breaking WEP keys...23

Dictionary attacks against WPA-PSK...24

Message integrity check denial of service...24

ARP attacks ...24

Denial of Service ...24

Man in the Middle ...25

MAC flooding ...25

(6)

iii

SECURITY REQUIREMENTS...26

SECURITY ENFORCEMENTS...26

ENCRYPTED TRAFFIC...26

CERTIFICATES...27

MAC FILTERING...27

DHCP (DYNAMIC HOST CONFIGURATION PROTOCOL) ...27

LOGGING...28

EXTENSIBLE AUTHENTICATION PROTOCOL...28

TEST BED...29

WIRELESS CLIENT...30

SNORT SENSORS...31

MYSQL DATABASE...33

THE FREERADIUS SERVER...33

OPENSSL...34

ACCESS POINT...34

NMAP...35

KISMET...35

ARPWATCH...35

METHOD AND RESULT ...36

UNDERSTANDING THE NETWORK...36

Access Point...36

Kismet ...36

Ethereal ...37

Snort ...37

nmap ...37

CONCLUSIONS...39

FUTURE WORK...42

REFERENCES ...43

APPENDIXES

APPENDIX A. SNORT.CONF ...1

APPENDIX B. RADIUSD.CONF ...3

APPENDIX C. EAP.CONF ...8

APPENDIX D. CLIENTS.CONF ...9

APPENDIX E. OPENSSL SCRIPTS FOR GENERATING CERTIFICATES ...10

APPENDIX F. CREATE_MYSQL ...12

APPENDIX G. WIFI.RULES ...15

APPENDIX H. NMAP SCAN OF THE FREERADIUS SERVER USING THE -sX FLAG ...16

APPENDIX I. STRIPPED SNORT LOG FROM THE NMAP XMAS SCAN ...17


Introduction

Background

Threats against networks have existed as long as the networks themselves. A threat can be anything from eavesdropping or fraud attempts to classic cracking (not to be confused with hacking) or unauthorized use of resources. The list is long and the ways to prevent them are equally so. Examples of cracking are unauthorized use of computer resources, destroying or modifying data for one's own purposes, unleashing viruses or setting up backdoors on systems in order to gain future access. Phishing (attempting to fraudulently and deceptively acquire sensitive personal information by masquerading in official-looking messages as someone trustworthy with a real need for such information [31]) is another common issue to protect users and resources from.

Objectives

This report attempts to describe the threats that exist towards wired networks, as well as wireless networks (and Access Points) in general, and offers a way to monitor and log such behavior and, if possible, actively circumvent it as well. The suggestions will be based upon the test bed that is described in this report as well as the requirements that are set up for it.

Delimitations

The following delimitations have been set upon this report due to time limitations:

• Even though a comparison of different scenarios and different configurations is interesting, only one test bed will be evaluated.

• Only one brand of intrusion detection system (and wireless equivalents) will be tested, namely Snort.

• Threats described in the report are limited to the ones explained or to ones directed towards wireless networks in general, if not otherwise explicitly stated.

Document outline

The chapter Background gives a brief background on the details of wired networks and the wireless 802.11 protocol used when communicating between wireless nodes.

The chapter Security requirements discusses what requirements are necessary for approving a security scheme for the network described in the chapter Test bed, in order for it to be considered «secure». The chapter Test bed describes the test setup used for this experiment and the chapter Method and result evaluates the testing. Finally, the chapter Conclusions wraps up the report and suggests further improvements.


Abbreviations and acronyms

AES Advanced Encryption Standard.

ARP Address Resolution Protocol. A protocol used on Ethernet to translate IPv4 addresses into the physical addresses of network interfaces.

BIDS Bayesian IDS. An IDS which learns to identify and classify packets by certain sets of rules.

DHCP Dynamic Host Configuration Protocol.

DMZ Demilitarized Zone. A network area between an internal and external network deemed neither safe nor “unsafe” (other placements do exist though).

DDOS Distributed Denial of Service. Many compromised hosts simultaneously attack a target host.

DOS Denial of Service. An attack towards a system, rendering it unusable for its legitimate users.

EAP Extensible Authentication Protocol.

GPL GNU General Public License. The license states that software released under this license is free and anyone basing their work upon the source code must release the changes as well.

HIDS Host based IDS. An IDS that resides on a host in order to detect threats against it.

ICMP Internet Control Message Protocol. Typically used for reporting errors in processing datagrams.

IDS Intrusion Detection System. A system designed to detect intrusion attempts, often by recognizing known exploits of bugs in programs or the operating system.

IPS Intrusion Prevention System. A system designed to actively prevent intrusion, once it detects that they are taking place.

IPv4 Internet Protocol version 4. A protocol that provides best effort delivery of datagrams over a network.

IPv6 Internet Protocol version 6. The next generation of IP, designed to provide better security by using encryption of the payload inside it, as well as other improvements over IPv4.

IV Initialization Vector. For WEP, the first 24 bits of each encrypted packet, which let the receiver know how to decrypt it.

MAC Media Access Control.

MIM Man in the Middle. An attack where an attacker places himself between two participating nodes during a network transmission in order to listen to the conversation, alter it, or something similar.

MTU Maximum Transmission Unit. The maximum size of datagrams sent through a network interface before the packet must be fragmented (split into smaller parts).

NIC Network Interface Card. A device that physically connects a node to a network.

NIDS Network based IDS. An IDS that resides in a network in order to analyze the packets passing through the network.

SPX Sequenced Packet Exchange. An alternative to TCP that enables packets to be sent using a resending mechanism if the packets fail to meet their destination.

SSID Service Set Identifier. The name (or identifier) of a wireless access point.

SSL Secure Sockets Layer. An application leveled encryption paradigm used for secure communications in a network.

TAP Test Access Port. A device which splits the incoming physical layer into a mirroring one which enables a device to passively monitor the traffic passing through such a device.

TCP Transmission Control Protocol. A protocol used for ensuring reliable communication over a network.

TKIP Temporal Key Integrity Protocol. A security protocol replacement for WEP that utilizes the same hardware as was built for WEP-implementing devices.

TLS Transport Layer Security

UDP User Datagram Protocol. This is a lightweight alternative to TCP since it does not provide reliability or ordering guarantees, thus is fast (and often used for multimedia).

WEP Wired Equivalent Privacy. An encryption scheme used in wireless 802.11 networks to encrypt the payloads of the traffic in order to keep it protected from casual eavesdropping.

WPA Wi-Fi Protected Access. A stronger encryption protocol used for encrypting packets in wireless communications, (an improvement over WEP).

WPA2 Wi-Fi Protected Access 2. Will be included in 802.11i as the new security scheme available for wireless communications.


Historical overview

The development of intrusion detection systems (IDSs) began back in the 1980s [17]. A paper called “Computer Security Threat Monitoring and Surveillance”, written by James Anderson, introduced the concept that audit trails contained vital information that could be valuable in tracking misuse and understanding user behavior. It was from this paper that the concept of detecting misuse and user patterns was born.

In 1983, Dr. Dorothy Denning and SRI started a government project which aimed to analyze audit trails from the government mainframes and create usage profiles from them. The following year she helped design the first model for intrusion detection: the intrusion detection expert system. Later on she released the paper called “An Intrusion Detection Model”, which is referred to as the basis for most of the work in IDS that later followed.

In 1984, SRI developed a way of tracking and analyzing authentication information from the users of ARPANET (the network that later evolved into the Internet), which later became the first functional IDS.

Meanwhile, in 1988 at the University of California, the Haystack project produced an IDS that analyzed audit data by comparing it to predefined patterns. The project evolved into a Distributed IDS that tracked client machines as well as the servers, and opened the way for the development of host based intrusion detection systems.

In the ‘90s, the concept of network IDSs emerged, mainly from David Todd Heberlein. He was the primary author and developer of the Network Security Monitor (the first network IDS). The NSM was deployed at major government installations where it analyzed the network traffic. Together with the DIDS and Haystack development team, the stack based intrusion detection idea was introduced.

Later on, commercial products based on these ideas were offered, and different vendors have since evolved them with improvements and enhancements to become the intrusion detection systems that are available today.


Background

Confidentiality, integrity and availability are the three cornerstones of information security.

Confidentiality should ensure that information or resources are not subject to unauthorized access.

Integrity states that information or resources are protected from alteration by any third party, and availability describes that information or resources shall be available to their intended users. Non-repudiation is also considered an equal part on which information security is built. It states that given a transaction, no party can in the future claim they were not a part of the communication. It is a way of digitally time-stamping the transaction, so that it can be validated in the future if concern arises. This notion of information security applies as well during the exchange of information across a network in order for it to be considered secure.

The nodes connected to a network that pass data back and forth are under constant threat, since their data is constantly subject to violations of the four bases of security. In a networking environment with multiple nodes to supervise, a tool that automatically monitors the traffic for violations of this concept is needed. Intrusion detection systems aim at helping an administrator know what threats towards the network exist and in what shape they occur.

Intrusion detection systems

Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are the two most common technologies for monitoring a network for violations of the security notion. The IDS is a common word for grouping a technology consisting of various representations into one classification. Intrusion detection systems are usually called different things depending on which type is deployed. If the IDS is placed on a host that is interesting to monitor it usually is referred to as a Host Based IDS (HIDS), and if it is a stand-alone node inside the network, it usually is called a Network Based IDS (NIDS). If the IDS is a mixture of these two it commonly is called a Hybrid or Stack based IDS. To blur the nomenclature just a tad, different ways to investigate the packets can be used as well. Anomaly detection tends to find anomalies in the traffic flow, indicating potential intrusions, whereas rule based detection is the other major way. Mixtures of the two kinds exist as well of course.

Placement of the IDS

When deploying an IDS into a network, one needs to think about what the IDS should do for the network and what the purpose of using one is: what traffic should it analyze, and what should it do if it detects malicious packets in the network traffic? A network usually consists of a firewall facing the Internet, and behind the firewall a DMZ usually lies (see figure 1).

Inside this DMZ, a web server and other publicly accessible services are located. After the DMZ comes a new firewall, and behind it resides the internal network. The motivation for dividing the network into different parts is layered security.

Figure 1. A typical layout of a demilitarized zone.

If a web server is compromised, the effect it might have on the internal network is a lot smaller when it is physically separated from it, thereby keeping the damage to a minimum.

The placement of the IDS is of great importance for the capturing of malicious packets. Placing one inside the private LAN behind a DMZ would only allow the IDS to capture potentially damaging traffic already inside the network. Placing it in the DMZ, directly behind the outer firewall, would allow the IDS to monitor all traffic aimed towards the services running there, as well as the nodes behind the next firewall inside the private network. Placing the IDS outside of the primary firewall would allow all traffic to be analyzed, and not just the packets that made it through the firewall. Since the firewall will drop packets according to certain rules [6], many attempts to exploit vulnerabilities in the network inside the firewall will be silently dropped (see figure 2).

This of course is good in the sense of security, but leaves the system administrator unaware of the attacks directed towards the inner network that are dropped. Depending solely on logs from an intrusion detection system inside the outer firewall would therefore only show attacks possible given some degree of filtering, but not the whole picture. Some reports [18] as a result motivate that there should reside an IDS outside of the network as well as inside the DMZ to gain a whole picture of the attacks directed towards the network. Of course, such a picture is flawed since not all attacks towards a network would end up damaging it, simply because not all networks contain all services possible.

For instance, a Linux server would not be subject to threats towards a Microsoft Windows 2000 service, and thereby such packets could be dropped by the primary firewall without the system administrator ever knowing about such attempts to break the system had occurred.

Figure 2. An IDS/IPS equipped network.

Threat detection

Investigating the network traffic flow for threats is a cumbersome job, especially when the amount of traffic passing through is large. It usually requires a lot of time and training before the system analyzing the traffic can be considered functional. Analyses can be performed in two major ways: anomaly or signature based intrusion detection systems [23]. Mixtures of anomaly and signature based IDSs, as well as other techniques, exist too.


Anomaly detection

Anomaly based intrusion detection [19] is a technique used to compare the current flow of a network towards a profile of the network's behavior over a period. Given a sufficient time frame, analyzing the traffic passing through a specific point in the network, the generated traffic can be analyzed and classified. Considering that the traffic flowing during this time was normal and not out of order, a fingerprint of the network data can then be compared to that data in the future and if anomalies are detected, chances are that an intrusion is ongoing or at the very least something suspicious is going on.

The drawback with this method is the fact that defining «normal» traffic is nearly impossible [20], unless the traffic is entirely static. For instance, the degree to which an anomaly scanner can handle dynamic changes in the network flow, such as more connections than «normal» to a web server, is very important. Changes might be caused by a potential intrusion, or might be explained by coincidence, or any other likely reason. Yielding false positives is not something a system administrator wants. (A false positive occurs when the IDS falsely classifies a legitimate action as potentially harmful.)

Moreover, this technique is vulnerable to small, subtle changes: injecting legitimate (or malicious) packets into the network over time raises the bar for what would be classified as normal traffic, and hence invalidates the whole purpose of such an IDS scanning technique.
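The profile-versus-threshold idea above, and the drift problem the last paragraph describes, as an added example (not code from the thesis): a baseline of connections per minute towards a web server is learned from a known-good window, new minutes are scored against mean plus three standard deviations, and simulate_drift() shows how an unsupervised profile absorbs traffic that always stays just under the current threshold until a burst it once flagged passes as normal. The counts are constructed sample data.

```python
"""Minimal anomaly-detection profile for one measurement: TCP connections per
minute towards a web server. Constructed sample data throughout."""
from statistics import mean, pstdev

# Constructed baseline: connections/minute observed during a known-good window.
BASELINE = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 41, 38, 44, 40, 43]


class ConnectionRateProfile:
    """Profile = mean and population standard deviation of connections per minute."""

    def __init__(self, samples, k=3.0):
        self.samples = list(samples)
        self.k = k  # alert when a value lies more than k std-devs above the mean

    def threshold(self):
        return mean(self.samples) + self.k * pstdev(self.samples)

    def is_anomalous(self, value):
        return value > self.threshold()

    def update(self, value):
        """Unsupervised update: the new minute becomes part of what is 'normal'."""
        self.samples.append(value)


def score_window(profile, observed):
    """Score a window of per-minute counts without updating the profile.
    Returns the (minute index, count) pairs that exceed the threshold."""
    return [(i, c) for i, c in enumerate(observed) if profile.is_anomalous(c)]


def simulate_drift(profile, minutes, burst):
    """Each minute the traffic level is set just under what the profile currently
    tolerates, and the profile (being unsupervised) learns that minute as normal.
    Returns (threshold_before, threshold_after, burst_flagged_before,
    burst_flagged_after, number_of_injected_minutes_flagged)."""
    before = profile.threshold()
    flagged_before = profile.is_anomalous(burst)
    injected_flagged = 0
    for _ in range(minutes):
        level = int(profile.threshold())          # floor: never above the threshold
        injected_flagged += profile.is_anomalous(level)
        profile.update(level)                      # the bar for 'normal' moves up
    return (before, profile.threshold(), flagged_before,
            profile.is_anomalous(burst), injected_flagged)


if __name__ == "__main__":
    prof = ConnectionRateProfile(BASELINE)
    print("threshold: %.1f" % prof.threshold())
    print("flagged minutes:", score_window(prof, [41, 44, 120, 40]))
    print("after 30 minutes of drift:", simulate_drift(ConnectionRateProfile(BASELINE), 30, 120))
```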

Signature detection

Signature (misuse) based detection is a static way of comparing incoming and outgoing packets against common phrases, words [21] or protocol specific parameters that are deemed threatening, and in some way notifying concerned parties about it (most likely the information is logged to a file or a database). Since data can be fragmented due to small MTUs (Maximum Transmission Units) [22], the keywords that the IDS looks for might be spread over several packets, making it all the harder for the packet analyzer to catch the bogus word in question. Drawbacks with signature based intrusion detection are numerous [20]. It treats all packets not deemed bad as implicitly good, which means that unless the stored signatures of bad keywords are always up to date, it is impossible for it to catch any zero day attacks (exploits found in the wild before, or at the same time as, patches for the affected software are released). In other words, this signature database must constantly be updated, as must all of the software running on the network that is subject to possible security breaches [3].
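The fragmentation problem just described, as an added example (not code from the thesis): a signature is searched once per packet and once more over the reassembled TCP payload; in the constructed sample the pattern is split across a segment boundary, so only the stream-level match fires. The signature list and the segments are constructed, and the reassembly is a simplified one that stops at the first gap.

```python
"""Per-packet versus reassembled-stream signature matching. Constructed data."""
from dataclasses import dataclass

# Constructed signature list: (name, byte pattern), the kind of 'content' a rule carries.
SIGNATURES = [
    ("traversal", b"../../"),
    ("cmd-exe", b"cmd.exe"),
]


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def match_packet(payload):
    """Per-packet matching: names of signatures found inside one payload."""
    return [name for name, pat in SIGNATURES if pat in payload]


def match_per_packet(segments):
    """What a matcher that never buffers would report over the whole exchange."""
    hits = []
    for seg in segments:
        hits.extend(match_packet(seg.payload))
    return hits


def reassemble(segments):
    """Order segments by sequence number, discard bytes already covered by an
    earlier segment (overlap) and stop at the first gap. Returns the byte stream."""
    stream = b""
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:          # missing data: cannot continue safely
            break
        skip = expected - seg.seq       # overlap with data already in the stream
        data = seg.payload[skip:]
        stream += data
        expected += len(data)
    return stream


def match_stream(segments):
    """Stream matching: reassemble first, then apply the same signatures."""
    return match_packet(reassemble(segments))


# Constructed sample: the traversal pattern is split "../." + "./" across two
# small segments, as a small MTU would do; segment 2 arrives first.
SAMPLE = [
    Segment(1017, b"./etc/passwd HTTP/1.0\r\n"),
    Segment(1000, b"GET /cgi-bin/../."),
]

if __name__ == "__main__":
    print("per packet:", match_per_packet(SAMPLE))   # nothing found
    print("reassembled:", reassemble(SAMPLE))
    print("stream:", match_stream(SAMPLE))           # ['traversal']
```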

Network-Based IDS

The network based IDS is a node connected to a network that analyzes the raw data packets that pass through or beside it. Usually the IDS utilizes a network adapter in promiscuous mode that listens to and analyzes the traffic in real time as it travels across the network. A first level filter is often applied to determine which traffic will be discarded or passed on to an attack recognition module. Performance benefits greatly from this technique, since non-malicious traffic is filtered out and sent on into the network. Of course, no system is perfect, and spoofed (forged) packets can cause even more trouble, since the system believes that the traffic is authentic and hence bypasses the security mechanisms, or it could drop more packets than desired in the belief that they were bogus. The attack recognition module typically relies on one of three different methodologies to recognize malicious traffic signatures: patterns, frequency or anomaly.

The network-based IDS can detect packets that are malformed and spoofed and can thereby detect an ongoing (D)DOS attack and perhaps take action before a host-based IDS would start to check all the different logs that it monitors. It can also check the contents of the packets and act upon that. An imminent problem of course appears if the traffic is encrypted: the IDS has no chance of determining what is sent or received. If the packets are fragmented, the IDS might need lots of buffering before being able to merge the packets together in order to determine the contents being sent or received.

The NIDS performs real-time detection, and given that an intruder manages to find a way into the network, the knowledge gathered by the NIDS cannot later be removed by the intruder. Even if the intruder finds a way to erase the logs that the NIDS created from the intrusion (if it discovered it), the intrusion is determined (more or less) in real-time by the NIDS, and that is not something the intruder can ever alter. This is in contrast to the HIDS, which might check logs of different programs in order to investigate whether an intrusion took place or not. If the intruder managed to remove or alter these logs, the HIDS would never know that an intrusion had occurred.

If the NIDS is placed outside the outer firewall or in a DMZ, it could pick up attacks that the firewall might block. If the NIDS did not report on these attacks, the overall picture of the threats towards the network would be incomplete. Finally, the NIDS is not operating system dependent; it can work in any networking environment as long as it is correctly configured for dealing with the characteristics of the hosts it is supervising.

Host Based IDS

This approach audits system logs for specific changes. If special commands are executed on the system, the HIDS will be notified and can then decide whether or not the trigger came from a real threat. The HIDS will most likely compare changes (in owner, permission, size, name, etc. of vital system files) to a database where it has stored approved copies of the files (or signatures) and based upon that can determine what to do. These checks can be done in real-time as well as periodically if so chosen. Of course, the HIDS can also monitor specific network ports and other channels that data can use when entering the network. Given the specific characteristics of the HIDS, it more or less reacts to actions that already have taken place rather than being strictly real-time.

Since the HIDS audits logs, it can determine whether an attack or exploit actually was successful or not. This yields fewer false positive reports. The HIDS can also monitor user log on/off activities, USB hot plugging and other hardware modifications of the local or network-based computer. If accounts are deleted, modified, added or similar, the HIDS will catch this and typically react in some way. If traffic is sent within encrypted protocol bodies, the HIDS will be able to read the data in plain text once it is decrypted by the receiving party. In addition, it can monitor system critical components, which could be an indication of whether the system has been breached (or is about to be).

Stack Based IDS

The stack based IDS is closely integrated into the TCP/IP stack of a node. This allows the IDS to analyze the packets as they traverse the network stack. Being so tightly integrated, it can drop packets or perform any other desirable action before the operating system or the receiving program processes the data [16]. Analysis of the packets can be done using either pattern matching in the packets (i.e. looking for specific words or terms), or by checking flags in the packets (i.e. bits in the protocol headers), and other identification techniques. Since the stack based IDS is so closely coupled with the TCP/IP stack, if it determines that a packet is encrypted, it can wait for the receiving IP stack to decrypt it. This will of course only work if the node receiving the packet and the stack based IDS both reside on the same computer. Then it can perform any check it desires with full plain text control over the data. Stack based IDSs can determine attacks in real-time and respond in real-time as well (as opposed to the HIDS). Thanks to this integration, the combination of both a HIDS and a NIDS into a stack-based IDS will give the best protection against evil packets entering or leaving the network.

Furthermore, it can ensure that hosts connected to the network are not compromised from the inside by the users or by mistake.

Bayesian IDS

Bayesian IDSs are still rare and under heavy research. The goal of BIDSs is to minimize the number of false positives that are reported from the IDS when analyzing traffic [7]. When the false positives become too many, the IDS becomes worthless, since people will stop using it and will instead become dependent on other tools for intrusion detection (and prevention). To do this the Bayesian engine needs training, and this can become a large and time-consuming task.

Bayesian filters work by classifying the content and adding weights to each token (or word). If the product of each token in a given length (a sentence for instance) becomes larger than a given threshold, the tokens can be classified accordingly and measures be taken. However, this is something that initially needs to be supervised by system administrators in order to teach the filter how to distinguish attacks from legitimate traffic.

The filter could of course be trained to accept malicious traffic, given that it was unsupervised over a longer period.
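The token-weight idea of the last three paragraphs, as an added example (not code from the thesis): each token of an HTTP request line gets a weight, the Laplace-smoothed ratio of how often it occurs in labelled attack versus normal training lines, and the request is flagged when the product of its token weights exceeds a threshold. The training lines and the threshold of 20 are constructed; unsupervised_drift() shows what happens when attacker-chosen traffic is fed back in as normal, the failure the text warns about.

```python
"""Token-weighted Bayesian filter for HTTP request lines. Constructed sample data."""
import math
import re
from collections import Counter

# ".." is kept as its own token; everything else splits on / ? = & and whitespace.
TOKEN_RE = re.compile(r"\.\.|[a-z0-9_.-]+")


def tokenize(line):
    return set(TOKEN_RE.findall(line.lower()))   # each token counted once per line


class BayesFilter:
    def __init__(self, threshold=20.0, alpha=1.0):
        self.threshold = threshold  # product of token weights above this => attack
        self.alpha = alpha          # Laplace smoothing: unseen tokens get a mild weight
        self.attack, self.normal = Counter(), Counter()
        self.n_attack = self.n_normal = 0

    def train(self, line, is_attack):
        toks = tokenize(line)
        if is_attack:
            self.attack.update(toks)
            self.n_attack += 1
        else:
            self.normal.update(toks)
            self.n_normal += 1

    def weight(self, tok):
        """P(token | attack) / P(token | normal), both Laplace smoothed."""
        p_a = (self.attack[tok] + self.alpha) / (self.n_attack + 2 * self.alpha)
        p_n = (self.normal[tok] + self.alpha) / (self.n_normal + 2 * self.alpha)
        return p_a / p_n

    def score(self, line):
        # Product of the weights, computed as a sum of logs to avoid under/overflow.
        return math.exp(sum(math.log(self.weight(t)) for t in tokenize(line)))

    def is_attack(self, line):
        return self.score(line) > self.threshold


# Constructed training data, labelled by an administrator (supervised training).
NORMAL_LINES = [
    "GET /index.html HTTP/1.0",
    "GET /images/logo.png HTTP/1.0",
    "GET /docs/manual.html HTTP/1.0",
    "POST /login HTTP/1.0",
    "GET /about.html HTTP/1.0",
]
ATTACK_LINES = [
    "GET /cgi-bin/../../etc/passwd HTTP/1.0",
    "GET /../../../etc/passwd HTTP/1.0",
    "GET /cgi-bin/test.cgi?file=../../etc/shadow HTTP/1.0",
]


def build_filter():
    f = BayesFilter()
    for line in NORMAL_LINES:
        f.train(line, is_attack=False)
    for line in ATTACK_LINES:
        f.train(line, is_attack=True)
    return f


def unsupervised_drift(f, line, repeats):
    """Model a filter left to re-learn traffic as 'normal' without supervision:
    the same attack line is fed back `repeats` times labelled normal.
    Returns the line's score before and after."""
    before = f.score(line)
    for _ in range(repeats):
        f.train(line, is_attack=False)
    return before, f.score(line)


if __name__ == "__main__":
    f = build_filter()
    for line in ["GET /docs/../../../etc/passwd HTTP/1.0", "GET /images/banner.png HTTP/1.0"]:
        print("%8.2f  %s  %s" % (f.score(line), "ATTACK" if f.is_attack(line) else "ok", line))
    print("drift (score before, after):", unsupervised_drift(build_filter(), ATTACK_LINES[0], 20))
```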

Intrusion Prevention System

Intrusion prevention differs in one major aspect from intrusion detection systems. After it has detected an attempted intrusion (by means of some exploit of the system, for instance), it tries to diminish the effect such an intrusion might have on the system. If the attacking host sends some data that the IPS deems malicious or a threat towards a node inside the network behind it, it could send a TCP FIN or TCP RST packet back to the attacking host as well as the targeted host and thereby prevent an attack from taking place. Unfortunately, things are never as easy in life as they are in theory. IPSs are, and should be, used with the utmost care. If the attacking user, when attempting to break into a system, receives RST or FIN packets, the user could probably draw the conclusion that the network in question is monitored by an IPS. This gives the attacker a vital piece of information regarding the protected network. The attacker could use the IPS against the network the IPS was set out to protect if the IPS is not carefully configured. Some IPSs will on-the-fly block the IP addresses of attacking hosts on the outer firewall protecting the network, without further thought about which address they in fact are blocking. If the attacker spoofs the source address of the attacking packets to be the DNS server or gateway of the network under attack, the IPS would instead be performing a DOS attack towards the network, effectively preventing any traffic from reaching the Internet after those addresses have been blocked [28].
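The self-inflicted DOS just described, as an added example of the configuration care the text asks for (not code from the thesis): an IPS block decision that refuses to add the gateway, the DNS resolver, the authentication server, any address inside the protected network, or a non-routable address to the firewall block list, and that stops adding once the list reaches a bound, logging the refusals for the administrator instead. The addresses (RFC 5737 documentation ranges) and the alerts are constructed.

```python
"""Auto-block decision for a simple IPS, with safeguards against spoofed sources."""
import ipaddress

# Constructed network layout. The documentation ranges stand in for real addresses.
PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
NEVER_BLOCK = {
    ipaddress.ip_address("192.0.2.1"),       # default gateway
    ipaddress.ip_address("198.51.100.53"),   # upstream DNS resolver
    ipaddress.ip_address("192.0.2.10"),      # RADIUS server
}
# Sources that can never legitimately reach us from the Internet; listed explicitly
# rather than via is_private, which would also exclude the documentation ranges.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


class AutoBlocker:
    def __init__(self, max_entries=100):
        self.blocked = set()
        self.max_entries = max_entries
        self.refused = []  # (address, signature, reason): for the administrator

    def decide(self, src):
        """Return (block?, reason) for a source address taken from an alert."""
        addr = ipaddress.ip_address(src)
        if addr in NEVER_BLOCK:
            return False, "infrastructure address; source is probably spoofed"
        if any(addr in net for net in PROTECTED_NETS):
            return False, "address inside the protected network"
        if any(addr in net for net in NON_ROUTABLE):
            return False, "non-routable source address"
        if len(self.blocked) >= self.max_entries:
            return False, "block list full; escalate instead of blocking"
        return True, "blocked"

    def handle_alert(self, alert):
        ok, reason = self.decide(alert["src"])
        if ok:
            self.blocked.add(ipaddress.ip_address(alert["src"]))
        else:
            self.refused.append((alert["src"], alert["sig"], reason))
        return ok


# Constructed alerts, as a NIDS might hand them to the IPS.
ALERTS = [
    {"src": "203.0.113.7",   "sig": "SCAN nmap XMAS"},
    {"src": "198.51.100.53", "sig": "SCAN nmap XMAS"},    # spoofed as the DNS resolver
    {"src": "192.0.2.1",     "sig": "ICMP flood"},         # spoofed as the gateway
    {"src": "192.0.2.44",    "sig": "ARP spoof"},          # internal host: investigate
    {"src": "203.0.113.9",   "sig": "WEB-CGI traversal"},
]


def run(alerts, max_entries=100):
    """Feed alerts through the blocker; return (sorted blocked addresses, refusals)."""
    blocker = AutoBlocker(max_entries)
    for alert in alerts:
        blocker.handle_alert(alert)
    return sorted(str(a) for a in blocker.blocked), blocker.refused


if __name__ == "__main__":
    blocked, refused = run(ALERTS)
    print("blocked:", blocked)
    for src, sig, reason in refused:
        print("refused %-15s %-20s %s" % (src, sig, reason))
```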


Network monitoring

In order for an IDS or IPS to monitor network traffic, they need access to the packets destined towards the nodes inside the network as well as the packets destined for nodes outside it. In other words, they have to be positioned so that they can capture both sides of a conversation.

Since the IDS or IPS (network or stack-based) needs to listen to the network traffic in order to discover threats towards the network, traffic monitoring is essential. Investigating traffic offline works just as well of course, though it will not capture any ongoing attacks.

Different techniques to monitor wired network traffic exist, though depending on the traffic load as well as the cost of analyzing it, some solutions work better than others. Hubs for instance will not work well in a busy network segment due to all the packet collisions that will occur. Equally, deploying network taps might be practical and desirable but cost more than switches do.

Port mirroring

Port mirroring or SPAN (Switch Port Analyzer) [16] is a way of analyzing network traffic entering and leaving a network. Using switches in a network, depending on the manufacturer of the product, some will have an extra port, which can be used for copying packets from all other ports to one single port, or multiple ones, for redundancy, if so chosen. Connecting a listening node into the mirroring port would thereby allow the node to listen to all traffic entering the switch. The node could therefore passively monitor all traffic. Unless the listening node is specially configured, it would be subject to attacks directed to broadcast address for instance.

Packets with bad CRCs, or oversized or undersized packets, will be dropped by the switch and never reach the listening node, which might complicate determining whether an attack is under way or not.

Network hubs

When a packet is sent from a computer connected to a port on a hub, the hub forwards the same packet to all the other ports in order to attempt to provide a best effort connection between the sending and receiving host. The hub does not know if the other ports are different networks connected together by the hub, nor does it know if the receiving host at all is connected to the hub. Problems with hubs are that the packets passing through it tend to collide and thereby need to be re-transmitted. Evidently, the speed and throughput of a fully connected hub degrades by the number of hosts sending data through it.

If a listening sensor were placed on a port of the hub, it would pick up all the data being sent back and forth over the hub. Since the hub sends packets to all ports, monitoring a busy network segment would keep the hub very busy and performance would be low due to all the packet collisions.

Network taps

A network TAP (Test Access Port) is a port that allows for passive monitoring of network traffic. TAPs can either be stand-alone devices or built into switches. The TAP gives the NIDS the ability to view both sides of a full duplex communication. Furthermore, it reduces the amount of packet loss due to the hardware complexity involved. TAPs do not copy packets, as port mirroring would do; rather they copy data from level one in the OSI model. In other words, a TAP splits the incoming physical medium into two parts: one that is sent to the receiving end and one that is sent to (for instance) a passively listening IDS.

The security of the IDS can also be enhanced, since an IDS listening on a TAP does not need an IP address and therefore cannot be specifically targeted in an attack.

Networks

Different network technologies of course have different characteristics, and therefore a short summary is provided here to familiarize the reader with the most frequently used technologies and how they differ. These characteristics are important in understanding why and how the IDS detects the various malicious packets.

Ethernet

Ethernet is a technology described in the IEEE 802.3 standard [23]. It was first developed for networks in confined areas (such as office networks), but because of its popularity it has also become a common network technology in WANs (Wide Area Networks).

Each node in such a network is connected to a shared medium (from here on called the link). Since one link is sufficient for connecting all the nodes together, only one NIC (Network Interface Card) is required for a node to reach all other nodes. Each node is identified by the unique MAC (Media Access Control) address on its NIC, and a protocol called ARP (Address Resolution Protocol) is used to exchange this information between the various nodes in the network. Higher protocols such as IP (Internet Protocol), or any other similar protocol, act as an intermediate level between the lower level ARP and the higher level TCP (Transmission Control Protocol) or similar, above which the application specific protocols are found. Data sent over such a network can be either unencrypted (plain text) or encrypted by higher level encryption (SSL (Secure Sockets Layer)) or by the stack in IPv6 (Internet Protocol version 6) implementations.

Address Resolution Protocol

A common misconception among users of switched networks is that packets traversing such an environment cannot be sniffed (captured), which of course is not entirely true. In the most basic network design, using hubs, the hub sends traffic from one port to all others in the hope that it will arrive at the right destination. If one of the listening nodes sets its NIC in promiscuous mode, it will capture all the traffic, even though the packets' destinations differ from the listening host. In a switched network, the packets (hopefully) only pass from a source to a destination without visiting the other listening nodes. Unfortunately, higher-level protocols such as IP rely on underlying ones (ARP) in order to function. ARP searches for a MAC address on a network segment given an IP address and returns it to the inquiring host. The sending node then labels its packets with the newly discovered MAC address when sending to the destination, so no other nodes on the network will receive the packets. Of course, there lies an inherent problem in the ARP protocol: when a node first boots, it will (most likely) have an empty ARP cache. After communicating with hosts on the local network, it will eventually start filling this cache with new entries in order to speed up the communication between it and the other hosts. The problem with ARP is that it does not require any authentication when updating its ARP table, so it allows all the clients on the network to send it regular updates regarding new MAC addresses that are bound to a specific IP address. This design flaw allows for attacks against a client such as DOS (Denial Of Service), MIM (Man In the Middle) or MAC flooding.

In IPv6, the neighbor discovery protocol is used to determine which nodes are next to each node in question, when it builds a table of network address matches to IP addresses. It also suffers from attacks similar to the ones for ARP, but different approaches [11, 12] are proposed to deal with this shortcoming.

WLAN

In this report, a Wireless Local Area Network (WLAN) describes a network connected by any of the various IEEE 802.11 wireless technologies, and the term is used as a common word for such a setup. Other wireless communication technologies do exist (infrared, Bluetooth etc), but will not be covered here.

In order to avoid having all wireless networks communicate on the same frequency, the concept of channels was added to the 802.11x networks. Depending on which country the wireless equipment resides in (different countries have different legislation regarding the use of the frequencies), a different number of channels will be available for the devices to use. In Sweden, 14 channels are available in the frequency domain of 2.400 to 2.4835 GHz for 802.11b and 802.11g equipment.

An overview of the most common frames used in the 802.11 protocol will be presented, as well as the security schemes available for 802.11 networks.

802.11x standards

The 802.11 family contains many specifications of wireless technologies. Not all of the existing (or proposed) standards will be discussed, since they are neither relevant nor widely deployed as of the writing of this report.

802.11

This was the original draft for a WLAN technology and was introduced back in 1997. It suffered from somewhat slow connections, a mere maximum of 2 Mbps. 802.11 operated in the 2.4 GHz band and could use either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS), two different ways of transmitting signals from sender to receiver. Network equipment using this technology is obsolete today.

802.11a

IEEE expanded the original 802.11 standard with the 802.11a extension in July 1999 (at the same time as they wrote the 802.11b specification). 802.11a operates in the 5 GHz band and supports speeds of 6 to 54 Mbps; 6, 12, 18 and 24 Mbps are mandatory speeds that manufacturers of 802.11a equipment must support. Rather than using FHSS or DSSS, it uses orthogonal frequency division multiplexing (OFDM), which enables data to be encoded on multiple parallel high-speed radio channels simultaneously (which means faster connections and better utilization of bandwidth).

802.11b

When talking about WLAN today, either this or the 802.11g standard is generally meant. 802.11b is the most commonly used standard today, but is slowly being replaced by 802.11g.

802.11b works in the 2.4 GHz frequency band and has a physical maximum speed of 11 Mbps. The throughput lies around 5.0 Mbps due to interference and other issues [24]. 802.11b extends DSSS from the original 802.11 specification and includes higher speeds, which makes 802.11b a faster technology than its predecessor ever was. It was made to be comparable with Ethernet in terms of speed.

802.11g

To overcome the shortcomings of the 802.11b standard in terms of speed, the proposed standard 802.11g arose, but not until 2002 - 2003. It was designed to combine the best parts of 802.11a and 802.11b into a new, improved standard for wireless communication. It works in the same 2.4 GHz band as the 802.11b standard. From 802.11a, the 802.11g standard took the speed, and it supports speeds up to 54 Mbps. To achieve the speeds 6, 12, 18 and 24 Mbps, 802.11g uses OFDM, and for the speeds of 1, 2, 5.5 and 11 Mbps it uses the same DSSS as implemented in 802.11b.

Protocol overview

Aside from using different physical implementations, all the 802.11 specifications share the same method for sending and receiving packets in the wireless network.

802.11 networks work in two major modes: infrastructure and ad-hoc. Monitor mode (or radio frequency monitoring) is a special driver implementation and not a standardized mode.

The infrastructure mode is the most common one, where nodes connect to an AP (Access Point). The AP in turn is usually connected to a wired network, acting as a bridge for the wireless client to gain access to another network (an office network or the Internet).

Ad-hoc is a decentralized mode where the wireless peers connect directly to each other, not utilizing any central peer (such as an AP) to communicate.

Lastly, the monitor mode (not available on all wireless devices) sets the wireless NIC in a mode where it can monitor all wireless traffic in reach. This is equivalent to a wired NIC in promiscuous mode connected to a hub, listening to the network traffic passing through.

Inner-workings

For simplicity, the frames that are passed between a client and an AP will be divided into three categories in order to shed some light on how they work: management, control and data frames.

Management frames

There are eleven different management frames, which can be transmitted in the wireless media. All except one of them form pairs, where each message has a request and a response message.

All of these frames are sent in clear text and are available to monitoring devices. Sender and receiver MAC addresses are available as well. If an AP uses MAC filtering, it could be circumvented by transmitting with any of these MAC addresses (given that the MAC address came from a frame that in some way indicated a successful association with the AP).

Authentication frame

If a wireless node wishes to encrypt the traffic between itself and the AP (to which it is connected), it must negotiate an encryption scheme to use. The authentication frame is sent to the AP with the identity of the sender. If the AP is using open system authentication (no encryption), the client node only sends one authentication frame, and the AP will respond with its own authentication frame indicating either acceptance or rejection. On the other hand, if the AP uses shared key authentication, the wireless node sends an initial authentication frame and the AP responds by sending it a frame containing challenge text. The wireless node encrypts the frame using its encryption key and returns it to the AP. The AP then decrypts the received encrypted frame with its shared key and compares it to the challenge text it sent the wireless node in the first place. If they are equal, the AP sends an authentication frame back to the client node indicating success.

Deauthentication frame

If a wireless node wishes to end a secure (or open system authentication) communication with an AP, it sends a deauthentication frame to the AP in order to terminate such a setup.

Association request frame

If a wireless node wishes to use an AP, it has to associate with it first. It does so by sending the AP an association request frame containing its supported data rates and the SSID (name) of the AP. If the SSID matches the AP in question and other issues (such as the MAC address) are deemed correct, the AP reserves memory and establishes an association id with the wireless node.

Association response frame

If the AP finds that the wireless node in question may associate with it, it responds with the data rates that it supports and the association id of the association procedure. When the wireless node receives this frame, it can start to use the AP to communicate with other nodes connected to the same AP, or a wired connection the AP might be hooked up to.

Reassociation request frame

If a wireless node roams away from its AP, and finds another one with a stronger beacon signal, it may choose to connect to the new AP instead. Before connecting to it though, a reassociation frame is sent to the new AP, which lets the previous AP know that it has taken over the communication and asks for it to forward any buffered packets it may have waiting to be sent to the wireless node in question.

Reassociation response frame

The AP sends the wireless node a reassociation response frame indicating acceptance or rejection of the requested reassociation. If it is accepted, the frame will contain supported data rates as well as the association id.

Disassociation frame

If a wireless node wishes to terminate its connection to an AP, it sends a disassociation frame, so that the AP in question can relinquish any allocated memory for that connection and free the association id associated with that wireless node.

Beacon frame

APs periodically broadcast (addressed to the MAC broadcast address) beacon frames to announce their presence, SSID and other parameters. Wireless nodes tend to listen for incoming beacon frames in order to find an AP to connect to. This is optional though, and not all APs broadcast this information.

Probe request frame

A wireless node which wishes to discover all APs in range broadcasts a probe request frame and waits for probe responses. When these responses arrive, the node uses them to identify possible APs it can connect to. Probe requests can also be used to gain more information about a specific AP.

Probe response frame

An AP will respond to the probe request with a frame containing supported data rates, and other information, such as signal strength.

Announcement traffic indication message frame

This kind of frame is sent between wireless nodes (or APs) when the sender wants the receiver to avoid entering power saving mode, since buffered data is about to be sent its way.

Control frames

Control frames are transmitted between wireless nodes (clients as well as APs) in order to assist the delivery of data frames. Many different control frames exist, but only three (RTS, CTS and ACK) will be presented here; for a full list, see section 7.2.1 in [4].

Acknowledgement (ACK) frame

When a wireless node receives a data frame and finds it free of errors, it responds to the sending node with an acknowledgement frame indicating successful reception. If the sending node fails to receive an acknowledgement within a certain amount of time, it retransmits the data frame in question.

Request to send (RTS) frame

The RTS/CTS function is mandatory, but aims to reduce frame collisions when hidden wireless nodes are associated with the same AP. The RTS frame is sent from one wireless node to another as the first phase of a two-way handshake necessary before sending a data frame.

Clear to send (CTS) frame

The other wireless node responds to an RTS frame with the CTS frame in order for the first wireless node to send its data frame. Included in the CTS frame is a time value which causes all other stations (including the hidden ones) to hold off any communication for the time period specified, in order to avoid frame collisions when the first node sends its data frame. A hidden node is one that can communicate with other nodes, but cannot physically “see” them.

Node A in figure 3 can send and receive data from node B, even though it cannot see that node. Node B is said to be “hidden” from A (and vice versa of course).

Data frames

The whole purpose of wireless communication is to provide a means for sending and receiving data. The data frames in the wireless medium carry packets from higher layers (such as web pages or anything else) and do not provide any data of their own.

Security schemes

802.11, 802.11a and 802.11b all support two forms of authentication: open system or shared key authentication. The open system, as its name states, utilizes no encryption on the packets whatsoever, and all packets and their payloads are sent in clear text. In shared key authentication, the same predefined key is used on the AP as well as by the client, and the payloads of the packets are encrypted with an encryption routine called WEP (Wired Equivalent Privacy). Using WEP, a client starts by sending an authentication frame to the AP. The AP replies with 128 bytes of random data, which the client encrypts with the shared key and returns to the AP. The AP decrypts the encrypted data and compares it to the original data it sent to the client; if they are equal, the AP knows that the client shares the same WEP key [25].

WEP was never designed as a strong encryption of the network data in 802.11 packets; rather it was designed as a scheme that should obscure the data and protect it from passive listeners. The idea was that it should offer the same level of protection as people using wired connections could be expected to have. This meant that one should be able to use it for everyday activities such as surfing the web and reading e-mail, but when dealing with sensitive information, other encryption schemes were to be applied, just as anyone using a wired network would do as well.

As stated in the documentation of the proposed 802.11 draft, it was designed to protect users of a wireless LAN from casual eavesdropping [4]. Nevertheless, it was later superseded by the WPA (Wi-Fi Protected Access [49]) encryption, which offers a better protection.

WEP uses a twenty-four bit IV (Initialization Vector) in each packet to let the other party in the conversation know how to decrypt the packet (WEP being a symmetric algorithm, the same key is used to decrypt as well as encrypt the packets). Due to bad implementations of the WEP algorithm, the IVs are more or less badly randomized, which facilitates breaking it.

Figure 3. Node A and node B are “hidden” from each other.

The IEEE released 802.11, 802.11a and 802.11b, which all supported WEP as the primary way of encrypting packets. The Wi-Fi alliance (the organization that standardizes Wi-Fi equipment) felt that WEP was of limited use and decided to develop a better encryption, which they did, and WPA was born. Later on, IEEE adopted WPA as a newer and better encryption scheme than the old WEP, and all new 802.11a, 802.11b and 802.11g products support WPA as well as WEP.

WPA uses TKIP (Temporal Key Integrity Protocol) [26] as a wrapper around the existing WEP encryption. It uses the same encryption routines and engine as WEP does. This time around however, the key used for encryption is 128 bits long, which addresses the short key length that WEP utilized.

WEP supports 128 bit keys, but due to the IVs that WEP uses, the effective key length ended up being only 104 bits (the IVs use 24 bits). Another important improvement over WEP is that TKIP changes the key used for encrypting each packet, hence the “temporal” part of the TKIP name.

The key is created by mixing a number of things including a base key, the MAC address of the transmitting station and the packet’s serial number.

Every transmitted packet encrypted with TKIP has a unique 48-bit serial number that is incremented each time a new packet is transmitted and is used both as the Initialization Vector and part of the key.

Using the sequence number as part of the key ensures that a different key is used for every packet, which solves another problem of WEP, called “collision attacks”, which could occur if the same key was used for two different packets. When different keys are used there is no risk of collisions. The “replay attacks” of WEP are also addressed with the use of serial numbers as initialization vectors. Repeating a 48-bit sequence number would take thousands of years, so replaying old packets yields nothing, since they will be detected and discarded as out of order.

The final improvement that was implemented was the use of base keys in TKIP. Even if TKIP lacked such a feature it would still be considered more secure than WEP, but it would not have addressed the most important problem: the constant reuse of a well-known key by everyone on the wireless LAN. In order to mitigate this, TKIP generates a base key, which is then mixed into the key used for each packet.

Each time a wireless node associates with an AP, a new base key is generated. The base key is created by hashing a special secret with some random numbers (called nonces) that are generated by the AP and the wireless node, as well as the MAC addresses of the two. When 802.1X authentication is used, the session secret is unique and securely transmitted to the wireless node by the authentication server; when using TKIP in PSK mode, the session secret is the same for all participating parties and never changes – hence it is vulnerable to dictionary attacks.

Some wireless adapters also support the use of AES (Advanced Encryption Standard) as the encryption scheme when using WPA. Officially, 802.11 adapters do not support AES natively, but an upcoming standard, 802.11i, will. These products will be forward compatible though, and that is the motivation for the release of such software and hardware. 802.11i adds further strength to the encryption schemes used when encrypting packets. AES supporting pass phrases up to 512 bits will be used in the protocol.

Furthermore, 802.11i supports key caching, which helps fast re-connections for users who temporarily went offline, and pre-authentication which allows fast roaming [27] and is ideal for use with advanced applications such as Voice over IP.

WPA2 (the name that the Wi-Fi alliance uses for products certified according to the 802.11i standard) is the next advance in encrypting wireless packets.

While both WPA and WPA2 support using TKIP for encrypting the packets, WPA2 demands the use of AES, whereas WPA leaves it optional [32]. The authentication part of WPA and WPA2 supports two modes: PSK for personal use and EAP-TLS for enterprise mode. The enterprise mode of WPA and WPA2, after an update, now contains five different ways of authenticating a node (using methods ranging from client side certificates to SIM cards).

PSK (Pre-Shared Key) works the same way WEP did. The same shared key is present at both the client and the AP, and challenge text is produced in order to verify that they are equal. EAP-TLS [13], used in enterprise mode, needs a third party for authenticating the node, and often a RADIUS server is used.

Basically, the AP forwards all authentication messages between the RADIUS server and the wireless client, letting the external server handle all the authentication parts, taking the burden away from the AP to provide such mechanisms, see figure 4.

Figure 4. A client must authenticate before gaining access to the network beyond the access point. (Image courtesy of The Linux Documentation Project, http://tldp.org)


Security tools

In order to verify the security status of the test network (presented in the test bed chapter), different tools will be used, and a short description of each is presented below. Attackers as well as system administrators can use these tools to gain knowledge regarding networks. It is usually considered a good idea for system administrators to run publicly available security tools and exploits similar to the ones used by intruders. Using such tools might reveal vulnerabilities, exploitable issues or other security weaknesses of the network in question, which can then be addressed before intruders exploit them.

Security by obscurity is one way of protecting assets in a network from intrusions, but is generally regarded as a bad idea, mainly because once the obscured asset becomes known, the security falls and the asset is subject to known attacks. Removing banners from servers (for instance Apache/2.0.52 (Gentoo/Linux)) would in one way hide them from obvious identification, but passive analyzers exist as well, which do not need to actively query each service for its banner in order to determine what it actually is.

The list presented in this thesis is not a complete list of available tools, nor does it in any way imply that the tools chosen here are the best to use. They are simply used because the author found them suitable for the tasks undertaken. Other programs or operating systems could be used just as well for testing the security of a wireless network.

Snort

Snort is an open source NIDS [1, 41] that also works as an IPS. The main motivation for using Snort in this thesis is that it is licensed under the GPL (GNU General Public License) [33] and thereby free of cost to use and modify.

Snort uses a rule-based engine to classify traffic as either bad or good. It also allows for anomaly detection of the network traffic. Rules can easily be added to Snort, and Snort supports updating and configuring firewalls on the fly depending on the traffic that hits it.

TCP reassembly is a part of the Snort engine that buffers packets marked as fragmented and rebuilds them, in order to detect attacks spread over several packets.

Snort-wireless

This is a patch [42] to the official build of Snort (it now works for the 2.3.3 build 14 release of Snort – the latest stable release). The functionality that this adds is tremendous. Snort in its default configuration hardly supports the concept of WLAN, which is why snort-wireless was written and added. It can dump raw 802.11 packets and allows rules to be written which better deal with this specific kind of networking. For instance, it can sort out all beacon packets, packets that contain a specific WEP key or any other 802.11x protocol specific parameter.

Oinkmaster

In order for Snort to work optimally, the rules it uses for detection of malicious packets need to be regularly updated and maintained. Oinkmaster [43] is a program that automatically downloads the latest rules from different places on the web and installs them in the system. Furthermore, it can deploy these rules over multiple sensors in the network that Snort might use to collect data. The rules are not signed with PGP, but MD5 sums are available at Snort’s homepage for the compressed rule archives.

Of course, these MD5 sums do not really provide any special means of security. The sum can be altered during the network transfer, or Snort’s homepage could, from a client’s perspective, be DNS poisoned and replaced by a fake one offering a different MD5 sum than the original one had.

Kismet

Kismet [44] is a tool that works with 802.11 layer frames. It sniffs traffic and to some extent works as an IDS. Moreover, it can also scan all channels for APs and give statistical information regarding them (such as the IP address connected to the AP, SSID, BSSID (Basic SSID is the SSID used in ad-hoc mode) and so forth).

Kismet also warns if a node sends an SSID probe request to an AP without joining it, which could be a way of detecting which APs exist in the area around the node in question.

Furthermore, Kismet has the ability to decrypt WEP packets on the fly if the key is presented to it, and can, if so chosen, create a FIFO queue which Snort can actively monitor in order to analyze the decrypted packets for possibly malicious content.

Airsnort

Airsnort [45] is a tool used for listening to network packets in wireless networks and printing out the WEP key used in the transfers. Since WEP is proven weak after a certain amount of re-used IVs have been sent, Airsnort will need anything from 100.000 to 10.000.000 packets before it can show the key used.

Aircrack

In a package containing various programs, aircrack [46] and airodump can be found. Airodump collects all the data that it monitors and dumps it into a file, which aircrack then uses in order to break the WEP key. Airodump also prints a neat list of all wireless nodes transmitting, which channel they are speaking on, what SSID and BSSID they have and whether the traffic is encrypted or not.

Arpwatch

Arpwatch [47] maintains a database of the Ethernet MAC addresses seen on the network, with their associated IP pairs, and notifies if duplicates are found or changes to the local NIC are made. Some kernels have this functionality built in as well, as a module that can be dynamically loaded or unloaded as chosen.
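The following is an added example (not Arpwatch's own code) that implements the IP-to-MAC database Arpwatch keeps and raises the two alerts the ARP section above motivates: an IP whose MAC changes (the unauthenticated cache update behind MITM and DoS) and one MAC claiming many IPs in a short window (MAC flooding). The ARP reply records, the time window and the threshold are constructed assumptions.

```python
"""Arpwatch-style tracking of IP-to-MAC pairs from ARP replies (added example)."""
from collections import defaultdict

FLOOD_WINDOW_SECONDS = 10.0   # assumed window for counting IPs claimed per MAC
FLOOD_MIN_IPS = 3             # assumed number of distinct IPs that trips an alert


class ArpWatcher:
    def __init__(self, window=FLOOD_WINDOW_SECONDS, min_ips=FLOOD_MIN_IPS):
        self.ip_to_mac = {}                  # the pair database
        self.claims = defaultdict(list)      # mac -> [(timestamp, ip), ...]
        self.flagged_macs = set()            # MACs already reported as flooding
        self.window = window
        self.min_ips = min_ips
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Process one ARP reply (sender IP/MAC) and append any alerts."""
        mac = mac.lower()
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.alerts.append(("new_station", ts, ip, mac))
        elif known != mac:
            # ARP has no authentication: this is exactly the update that
            # redirects traffic for `ip` to a different NIC.
            self.alerts.append(("changed_mac", ts, ip, f"{known} -> {mac}"))
        self.ip_to_mac[ip] = mac

        # Count distinct IPs this MAC has claimed within the sliding window.
        claims = self.claims[mac]
        claims.append((ts, ip))
        recent = {i for t, i in claims if ts - t <= self.window}
        if len(recent) >= self.min_ips and mac not in self.flagged_macs:
            self.flagged_macs.add(mac)
            self.alerts.append(("flood", ts, mac, sorted(recent)))


def watch(records):
    """Run the watcher over (timestamp, ip, mac) records and return the alerts."""
    watcher = ArpWatcher()
    for ts, ip, mac in records:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


# Constructed ARP reply log: the gateway 192.168.1.1 is later claimed by a
# second MAC, which then also answers for three more addresses.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (1.0, "192.168.1.10", "00:11:22:33:44:10"),
    (2.0, "192.168.1.11", "00:11:22:33:44:11"),
    (30.0, "192.168.1.1", "00:11:22:33:44:01"),    # repeat of a known pair: no alert
    (31.0, "192.168.1.1", "AA:BB:CC:DD:EE:FF"),    # gateway IP moves to a new MAC
    (32.0, "192.168.1.12", "aa:bb:cc:dd:ee:ff"),
    (32.5, "192.168.1.13", "aa:bb:cc:dd:ee:ff"),
    (33.0, "192.168.1.14", "aa:bb:cc:dd:ee:ff"),
]

if __name__ == "__main__":
    for alert in watch(SAMPLE_ARP_REPLIES):
        print(alert)
```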

Advanced Console for Intrusion Detection (ACID)

In order to easily get an overview of the alerts collected from Snort sensors, a web-based tool called ACID [51] is used. ACID breaks down the attacks into protocol, origin, frequency and other statistical groupings. Using this tool helps a lot in understanding which attacks the network has been subject to, as well as categorizing them in ways that are easy to grasp.

FreeRADIUS

FreeRADIUS is a server that accepts network connections from clients about to authenticate towards a network [48] and provides a way for the network to grant or deny them access. One major benefit of FreeRADIUS is that authentication of nodes connecting to the network is administered centrally from one point. If users are added or deleted, and should have access to various services inside a network, it is sufficient to update the server instead of updating several places.

nmap

Nmap is a security tool [56] that scans a network and tries to determine what hosts are available (up and running), what services they are running (names and versions) and what operating systems they are using. Furthermore, nmap also determines what packet filter/firewalls are in use and lots of other characteristics. Once the hosts have been scanned, vulnerabilities available for them can then be downloaded from the Internet and executed in order to compromise them.

Nmap can perform a range of different scans (see table 1). One characteristic of nmap scan packets is that the TCP window size always takes one of the four values 1024, 2048, 3072 or 4096, which makes it easier for an IDS to discover these scans (given that the nmap source is not recompiled, of course).

Table 1. Different scan types performed by nmap for mapping a remote host

Nmap scan   Explanation
-sF         Stealth FIN (FIN bit set)
-sN         Null scan, uses no flags
-sP         Ping scan (finds any reachable machines)
-sR         RPC scan. SYN flag sent to RPC TCP ports.
-sS         TCP SYN stealth port scan
-sT         TCP connect() port scan
-sU         UDP port scan
-sX         Xmas scan, uses FIN, PUSH and URG flags
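As an added example (not nmap's or Snort's code), the detection logic below turns the two observations above into an IDS-style check: the flag combinations that identify FIN, Null, Xmas and SYN probes from Table 1, and the window sizes 1024/2048/3072/4096 that an unmodified nmap build uses. The packet summaries and the port threshold are constructed assumptions; -sS and -sT both start with a bare SYN and cannot be told apart from one packet.

```python
"""Classify TCP probes into nmap scan types and flag scanning sources (added example)."""
from collections import defaultdict

NMAP_WINDOW_SIZES = {1024, 2048, 3072, 4096}   # defaults of an unmodified nmap

# Flag sets seen in the probe packet of each scan type from Table 1.
SCAN_BY_FLAGS = {
    frozenset(): "-sN (Null)",
    frozenset({"FIN"}): "-sF (FIN)",
    frozenset({"FIN", "PSH", "URG"}): "-sX (Xmas)",
    frozenset({"SYN"}): "SYN (-sS or -sT)",   # a connect() scan looks the same
}
# These combinations never occur in a legitimate TCP session.
STEALTH_SCANS = {"-sN (Null)", "-sF (FIN)", "-sX (Xmas)"}


def classify_packet(pkt):
    """Return the scan type a single probe looks like, or None."""
    scan = SCAN_BY_FLAGS.get(frozenset(pkt["flags"]))
    if scan is None:
        return None
    if scan in STEALTH_SCANS:
        return scan
    # A bare SYN is normal traffic unless the window matches nmap's defaults;
    # a recompiled nmap would evade this second heuristic.
    return scan if pkt["window"] in NMAP_WINDOW_SIZES else None


def detect_scans(packets, min_ports=3):
    """Group suspicious probes per source and report sources that touched at
    least min_ports distinct ports (assumed threshold, not from the text)."""
    per_source = defaultdict(lambda: {"ports": set(), "types": set()})
    for pkt in packets:
        scan = classify_packet(pkt)
        if scan is None:
            continue
        entry = per_source[pkt["src"]]
        entry["ports"].add(pkt["dport"])
        entry["types"].add(scan)
    return {
        src: {"ports": sorted(e["ports"]), "types": sorted(e["types"])}
        for src, e in per_source.items() if len(e["ports"]) >= min_ports
    }


# Constructed packet summaries: one host probing with several nmap modes,
# one host holding an ordinary HTTP session.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dport": 80,  "flags": set(),                 "window": 2048},
    {"src": "10.0.0.5", "dport": 22,  "flags": {"FIN"},               "window": 3072},
    {"src": "10.0.0.5", "dport": 443, "flags": {"FIN", "PSH", "URG"}, "window": 4096},
    {"src": "10.0.0.5", "dport": 25,  "flags": {"SYN"},               "window": 1024},
    {"src": "10.0.0.9", "dport": 80,  "flags": {"SYN"},               "window": 65535},
    {"src": "10.0.0.9", "dport": 80,  "flags": {"ACK", "PSH"},        "window": 65535},
]

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: ports {info['ports']} via {info['types']}")
```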

Ethereal

When monitoring traffic, whether wireless, wired or anything else, ethereal [52] is a handy tool for presenting the captured traffic in a logical and sensible way. Ethereal comes with numerous protocol dissectors, which show what the bytes of the captured packets are used for and which parameters are used. It can for instance follow TCP streams and show how the communication took place, and it allows strong filtering of the captured packets so that the viewer can analyze only the interesting data and not everything that was captured.

MySQL

MySQL [50] is a GPLed database, which is free to download, change the functionality of and use in any way. The database is used for collecting all Snort sensor logs in one central place.

Threats

The threats aimed against an AP come in two shapes. Firstly, there are the ones aimed at attacking the AP itself, or sniffing the packets entering and leaving the AP. Breaking the WEP key used in transmission, disassociating clients from their APs and redirecting them to new APs might also be undertaken.

Secondly, attempts to gain access to nodes inside the network behind the AP are at stake as well. This involves more “conventional” cracking towards the inner workings of the network.

WLAN attacks

Attacks towards the wireless medium need to be classified and dealt with in a different way than their wired equivalents, mainly because they work in different ways, and the attacks are often medium dependent.

Sniffing traffic

Packets sent through the open air are more vulnerable to being captured by unauthorized users than in wired environments. If the user does not encrypt the packets with some algorithm, the packets will be readable and any sensitive data being sent or received is open for public disclosure.

Therefore, sending or receiving data through a wireless NIC is a security risk to be considered.

Disassociating nodes from APs

Clients connected to APs send different messages in order to uphold the communication link. When a node wishes to be disassociated from an AP, it sends a disassociation packet to the AP so that the AP can release the memory held for that connection and maintain an up-to-date list of current connections [24]. Since disassociation packets are not authenticated, a malicious user could send such messages to an AP to keep a node from staying associated with it, thereby subjecting it to a DoS attack.

Breaking WEP keys

Since the protocols used when communicating in 802.11 environments must state which security protocol is used during transmission, a user listening to such a communication can easily detect which encryption scheme is in use. If the scheme is WEP, breaking the key and decrypting the packets in order to view their contents is no harder than passively listening for packets for a couple of minutes and then running a program that breaks the key. If the communicating parties use a higher level of encryption (IPSec or SSL), the contents will still be encrypted, so finding the WEP key does not necessarily mean that the packets can easily be decrypted.


Dictionary attacks against WPA-PSK

Using WPA, the encryption scheme is magnitudes better than WEP. WPA uses TKIP, so breaking the key is a lot harder than for WEP and requires brute forcing the captured packets with a dictionary attack (simply testing every candidate password and checking whether the captured packets can be decrypted or not). From the attacker's point of view, the number of packets needed to break WPA is limited to just a couple. WPA has a four-way handshake procedure between the client and the AP where the challenge text and other parameters (source and destination MAC addresses) are passed, and if this handshake is captured, a brute force attack against it might be possible. Of course, in order to obtain these packets, a malicious client can send disassociation packets to the AP so that the client in question becomes disconnected from it. The client will most likely reconnect to the AP, and once again the four-way handshake will be passed back and forth, where it can be captured by a monitoring client.
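The disassociation abuse described under “Disassociating nodes from APs” and the forced re-handshake just described both leave a recognisable trace in the management frames a wireless sensor sees. The following Python, added here as an example and not taken from the thesis or from any IDS product, runs two checks over a constructed event log: a rate check for disassociation/deauthentication frames sent to one client, and a check for a disassociation followed shortly by a complete four-way handshake for the same client. The event format, MAC addresses and thresholds are assumptions of the example.

```python
from collections import defaultdict

# Constructed 802.11 event log (not a real capture). Each record is
# (seconds, frame kind, transmitter MAC, receiver MAC). Frame kinds are a
# simplification of the 802.11 management subtypes and EAPOL data frames.
AP = "00:0c:41:aa:bb:cc"
CLIENT = "00:13:ce:11:22:33"
SAMPLE_EVENTS = [
    (0.0, "data", CLIENT, AP),
    (1.0, "disassoc", AP, CLIENT),  # transmitter address claims to be the AP;
    (1.2, "disassoc", AP, CLIENT),  # nothing in the frame proves it
    (1.4, "disassoc", AP, CLIENT),
    (1.6, "disassoc", AP, CLIENT),
    (3.0, "assoc_req", CLIENT, AP),
    (3.1, "eapol", AP, CLIENT),     # four-way handshake, message 1
    (3.2, "eapol", CLIENT, AP),     # message 2
    (3.3, "eapol", AP, CLIENT),     # message 3
    (3.4, "eapol", CLIENT, AP),     # message 4
    (60.0, "data", CLIENT, AP),
]

FLOOD_THRESHOLD = 3        # disassociations to one client within FLOOD_WINDOW
FLOOD_WINDOW = 5.0         # seconds
REHANDSHAKE_WINDOW = 10.0  # seconds between disassociation and handshake


def detect_disassoc_flood(events, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Return (client, window start, count) for each client that received at
    least `threshold` disassociation/deauthentication frames within `window`."""
    per_client = defaultdict(list)
    for t, kind, _src, dst in events:
        if kind in ("disassoc", "deauth"):
            per_client[dst].append(t)
    alerts = []
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((client, times[start], end - start + 1))
                break                          # one alert per client
    return alerts


def detect_forced_rehandshake(events, ap, window=REHANDSHAKE_WINDOW):
    """Return (client, disassociation time, handshake end) when a client is
    disassociated and then completes a four-way handshake (four EAPOL frames)
    within `window` seconds: the trace left by a handshake-capturing monitor."""
    last_disassoc = {}
    eapol_seen = defaultdict(int)
    alerts = []
    for t, kind, src, dst in events:
        if kind in ("disassoc", "deauth"):
            last_disassoc[dst] = t
            eapol_seen[dst] = 0
        elif kind == "eapol":
            client = dst if src == ap else src
            if client in last_disassoc and t - last_disassoc[client] <= window:
                eapol_seen[client] += 1
                if eapol_seen[client] == 4:
                    alerts.append((client, last_disassoc[client], t))
    return alerts


if __name__ == "__main__":
    print("floods:", detect_disassoc_flood(SAMPLE_EVENTS))
    print("forced re-handshakes:", detect_forced_rehandshake(SAMPLE_EVENTS, AP))
```

A single disassociation followed by a handshake is what a roaming client looks like too, so the second check is only a lead; it becomes interesting when it coincides with the rate check, or repeats for many clients, which is why both results are reported side by side.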

Message integrity check denial of service

During the four-way handshake of WPA, a parameter called MIC (Message Integrity Check, a replacement for and improvement on the IVs used in WEP) is created. The MIC is created from the source and destination MAC addresses, and with these values present in each packet it is easy for the AP to detect forged (spoofed) packets. The MIC is created using a function called Michael, which has built-in protection against brute force attacks. If any attacks are directed at the MIC, the AP will disconnect all of its clients for one minute and change the password. The trade-off is that only two invalid MICs within one minute are required to cause this behaviour from the AP. A wireless node could thus, with no elegance at all, cause a DoS attack against the AP and all of its clients by repeatedly sending packets with bogus MICs.
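To make the trade-off concrete, here is a small Python model, added as an example and not taken from the thesis or from any AP firmware, of the behaviour described above: two MIC failures within one minute trigger countermeasures that drop all clients and rekey for one minute. The monitor also keeps the transmitter address of each failing frame, so an operator reading the log can see when the failures come from one source rather than from a genuinely corrupted frame. The timings and MAC addresses are constructed.

```python
# Added example, not code from the thesis or from any AP firmware. It models
# the countermeasure rule described above (two MIC failures within 60 s: drop
# all clients, rekey, stay quiet for 60 s) and records the transmitter address
# behind each failure so the log shows whether one source caused the outage.

class MicCountermeasureMonitor:
    def __init__(self, window=60.0, threshold=2, lockout=60.0):
        self.window = window          # seconds over which failures are counted
        self.threshold = threshold    # failures needed to trigger countermeasures
        self.lockout = lockout        # seconds the AP stays unavailable afterwards
        self.failures = []            # recent (time, transmitter MAC) pairs
        self.lockout_until = None
        self.events = []              # audit log of what the monitor decided

    def service_available(self, t):
        """True when the AP is serving clients at time t."""
        return self.lockout_until is None or t >= self.lockout_until

    def mic_failure(self, t, transmitter):
        """Record a frame whose MIC did not verify. Returns True when this
        failure triggers countermeasures."""
        if not self.service_available(t):
            # clients are already disconnected; nothing further to disrupt
            self.events.append(("ignored_during_lockout", t, transmitter))
            return False
        # keep only failures inside the counting window
        self.failures = [(ft, mac) for ft, mac in self.failures if t - ft <= self.window]
        self.failures.append((t, transmitter))
        if len(self.failures) < self.threshold:
            return False
        sources = tuple(sorted({mac for _, mac in self.failures}))
        self.lockout_until = t + self.lockout
        self.events.append(("countermeasures", t, sources))
        self.failures = []
        return True


# Constructed sample: (seconds, transmitter MAC of the frame whose MIC failed)
SAMPLE_MIC_FAILURES = [
    (0.0, "00:13:ce:11:22:33"),    # one corrupted frame from a real client
    (100.0, "00:13:ce:11:22:33"),  # another, but more than 60 s later
    (200.0, "00:de:ad:be:ef:01"),  # two forged frames from one unknown address
    (201.0, "00:de:ad:be:ef:01"),
    (230.0, "00:de:ad:be:ef:01"),  # arrives during the lockout
]


def run_sample(failures=SAMPLE_MIC_FAILURES):
    """Feed the sample through the monitor and summarise the outcome."""
    mon = MicCountermeasureMonitor()
    triggered_at = [t for t, mac in failures if mon.mic_failure(t, mac)]
    return {
        "triggered_at": triggered_at,
        "service_at_259": mon.service_available(259.0),
        "service_at_262": mon.service_available(262.0),
        "suspect_sources": [e[2] for e in mon.events if e[0] == "countermeasures"],
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The isolated failures at 0 and 100 seconds are tolerated, as they should be; the pair at 200 and 201 seconds is enough to take the AP down until 261 seconds. That is the asymmetry the text points at: a monitoring system can attribute the outage to one transmitter address, but it cannot prevent it.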

ARP attacks

As described earlier, ARP is the grease and magic that makes Ethernet work. Being such an important entity, it is by definition the cause of many different attacks.

When sniffing wireless packets flying around in the air, the MAC addresses of the sender and receiver are stamped into them. This lets a sniffing attacker learn the MAC addresses in the network, and thereby either perform any of the attacks mentioned above in order to capture interesting data, or gain access by defeating any MAC filtering in a firewall or an AP.

Denial of Service

A malicious user on a local network could broadcast ARP replies to all the nodes saying that the new MAC address of the default Internet router is some bogus unused address, thus rendering the network unusable since all traffic will be sent into the great bit bucket in the sky [34]. Of course, the evil user could just as easily redirect all the traffic to a legitimate MAC address, thereby flooding that client's NIC with lots of garbage data destined for the Internet.
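An IDS cannot stop a forged ARP reply from being broadcast, but it can notice that the gateway's MAC address has suddenly changed. The Python below, added as an example rather than code from the thesis or from a tool such as arpwatch, checks a constructed log of ARP replies against an inventory of known IP-to-MAC bindings and reports both cases described above: a gateway claim pointing at an unknown address (black hole) and one pointing at another known host (redirect/flood). The inventory, addresses and record format are assumptions of the example.

```python
# Added example, not from the thesis or from any tool. Compares ARP replies
# against a known IP -> MAC inventory, as an arpwatch-style monitor would.

GATEWAY_IP = "192.168.1.1"

# Operator-maintained inventory of expected bindings (constructed values)
KNOWN_BINDINGS = {
    "192.168.1.1": "00:0c:41:aa:bb:cc",   # default router
    "192.168.1.10": "00:13:ce:11:22:33",  # a workstation
}

# Constructed ARP reply log: (seconds, sender IP, sender MAC, sent to broadcast?)
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:0c:41:aa:bb:cc", False),   # router answering a request
    (5.0, "192.168.1.1", "00:00:00:00:00:99", True),    # router IP, unused MAC
    (6.0, "192.168.1.1", "00:13:ce:11:22:33", True),    # router IP, workstation's MAC
    (7.0, "192.168.1.20", "00:16:cb:44:55:66", False),  # address never seen before
]


def audit_arp_replies(replies, bindings, gateway_ip):
    """Return a list of (time, kind, sender IP, sender MAC, detail) alerts."""
    mac_owner = {mac: ip for ip, mac in bindings.items()}
    alerts = []
    for t, sender_ip, sender_mac, broadcast in replies:
        expected = bindings.get(sender_ip)
        if expected is None:
            alerts.append((t, "new_station", sender_ip, sender_mac, "no binding in inventory"))
            continue
        if sender_mac == expected:
            if broadcast:
                # gratuitous ARP with the right MAC: normal after a reboot, worth a note
                alerts.append((t, "gratuitous_arp", sender_ip, sender_mac, "unsolicited but consistent"))
            continue
        owner = mac_owner.get(sender_mac)
        if owner is not None:
            detail = f"traffic for {sender_ip} redirected to host {owner}"
        else:
            detail = "MAC not in inventory, traffic would be black-holed"
        kind = "gateway_mac_changed" if sender_ip == gateway_ip else "binding_changed"
        alerts.append((t, kind, sender_ip, sender_mac, detail))
    return alerts


if __name__ == "__main__":
    for alert in audit_arp_replies(SAMPLE_ARP_REPLIES, KNOWN_BINDINGS, GATEWAY_IP):
        print(alert)
```

The check depends entirely on the inventory being right: a gateway whose NIC was legitimately replaced will raise the same alert, so the operator's first action on a gateway_mac_changed alert is to confirm the router's real address out of band before treating it as an attack.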
