ECE 4112: Internet Security
Lab 13: Wireless IDS/IPS
Lab authored by: Group 13 (Stephen Grey, Dilruba Malik)


Group Number: ___________________

Members Names: ____________________                       _____________________

Date Assigned: November 7, 2006
Date Due: December 6, 2006
Last Edited: December 5, 2006

Please read the entire lab and any extra materials carefully before starting. Be sure to
start early enough so that you will have time to complete the lab. Answer ALL questions
and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE
the Date Due.



Part 1 Wireless IDS

Requirements
- 2 Windows XP virtual machines
- Linksys wireless access point
- AirDefense Personal software
- NetStumbler software


Goal: The goal of this lab is to use the wireless tools AirDefense and NetStumbler as a
wireless intrusion detection system to detect and penetrate wireless networks. We will use
these tools to detect vulnerabilities within a wireless network that we set up.

Three sections of this lab will show how to monitor unencrypted traffic, spoof a MAC
address, and scan the wireless network as a whole.
Summary:
You will download NetStumbler and AirDefense from the NAS and save them in your
root directory. You will then unzip these files and use the tools to detect
vulnerabilities within the wireless network. The wireless network will already be set up by
the TA.

Attention: Please unplug the power from the wireless access point when you
have completed the lab. The access point may cause interference with the GT wireless
network, so please unplug the power adapter from the back of the access point when the
access point is not being used.




Background and Theory:

Introduction
Wireless networks based on the 802.11 standards (WiFi) are convenient, inexpensive and
easily deployed, and they are rapidly being deployed in many homes and businesses. Threats
to wireless systems have grown over the years, so you will need to monitor
your wireless network more frequently. Security issues with wireless range from rogue
access points and man-in-the-middle attacks to cracking Wired Equivalent Privacy (WEP). If an
attacker uses a brute force attack to crack WEP, they can intercept and decrypt sensitive data
from the wireless network.

Threats to wireless networks

An attacker can gather sensitive data by introducing a rogue wireless access point into the
wireless coverage area. Since many wireless clients will connect to that access
point, the attacker can monitor all traffic on the wireless network through the rogue
access point. The attacker can also create backdoors into the network and leave
the wireless network open to other hackers. It is for these reasons that an Intrusion
Detection System is necessary on all wireless networks.

Wireless networks are also subject to denial of service attacks that cause the wireless
network to crash. An attacker can flood the wireless access point with TCP traffic to deny
a client a connection to the network. These kinds of attacks can cause extensive
damage to a wireless network if not caught and fixed. Only when the threats to a
network are known can an administrator equip the network with the necessary security
measures to combat these attacks [3].

Wireless Intrusion Detection Systems are designed specifically to identify attacks aimed
at 802.11 networks; their sensors detect attacks from a wireless interface. Traditional
Network Intrusion Detection Systems may have signatures written specifically to detect
wireless traffic passing over a wired network. An Intrusion Detection System identifies
computer system and network intrusion and misuse.


Lab Scenario:
For this lab you will download and install AirDefense and NetStumbler from the
NAS4112 server onto two virtual machines running Windows XP. The TA will set up the
computers with wireless cards that will be connected to an access point. Then you will
unzip the files and run them. From each machine you will try to attack the other and
observe the response of the IDS.

Section 1: Setting up and running AirDefense

AirDefense is software that runs on a Windows PC and monitors for malicious wireless
activity and wireless misconfigurations that may cause security exposure. AirDefense
extends wireless security and can provide 24/7 network monitoring that notifies
the user when risky activities occur.

- Copy the AirDefensePersonal.zip folder to the desktop of both virtual machines
- Open the folder and unzip the files
- You can follow the instructions in Appendix A to install and run AirDefense
- After AirDefense is properly installed you are going to run it on one of the virtual
  machines to look for vulnerabilities on the wireless network.


Take a screenshot of the completed result. (Screenshot #1)

Q1.1: What vulnerabilities were found on the wireless network?

Q1.2: Did AirDefense detect any attack?

Q1.3: What other services can be monitored using AirDefense?

On the other Windows XP virtual machine, run a denial of service attack on the access
point and observe the result in AirDefense.

Q1.4: What software did you use to do the denial of service and why?

Q1.4: What message did you get from AirDefense?

Take a screenshot of the AirDefense output after the attack. (Screenshot #2)



Section 2: Installing and running NetStumbler
NetStumbler is software that can be used to detect rogue access points and get the MAC
addresses of all clients on the network. NetStumbler can be used to find unauthorized users
on a wireless network.

- Copy the file called NetStumbler-0-4-0.exe from the NAS4112 server to the desktop
  of both Windows XP virtual machines
- Open the file and install it
- Restart the Windows XP machine
- Start NetStumbler by clicking on the file
- Click on the Device tab and select the wireless card you are using
- Click on the green arrow to run NetStumbler.

Observe the output of the information determined by NetStumbler.
Take a screenshot of the results of the scan. (Screenshot #3)

Q2.1: What is the MAC Address of the AP?


Q2.2: What is the IP address for the AP?


Next we will spoof the MAC address of one of the Windows XP virtual machines. This is
done the same way you did it in previous labs. Scan the network again using NetStumbler
and observe the alert message.
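
The rogue-AP and spoofed-MAC checks this section has you make by eye, written out as an added example that is not part of the lab handout or of NetStumbler: the scan rows, the authorized SSID and channel, and the record layout are constructed (only the AP's MAC comes from the answer key), and NetStumbler's own NS1 files are not parsed here.

```python
from collections import Counter

# Authorized inventory: BSSID -> (SSID, channel). The BSSID is the lab AP's
# MAC from the answer key; the SSID and channel are assumptions.
AUTHORIZED = {
    "00:16:b6:11:60:d5": ("ECE4112", 6),
}

# Constructed scan rows, not real NetStumbler output:
# (BSSID, SSID, channel, signal in dBm, encryption enabled)
SAMPLE_SCAN = [
    ("00:16:B6:11:60:D5", "ECE4112", 6, -41, False),    # the lab AP, open
    ("00:16:B6:11:60:D5", "lab-guest", 11, -72, False), # lab BSSID, other SSID/channel
    ("00:0C:29:3A:1F:02", "ECE4112", 6, -35, False),    # lab SSID on an unknown BSSID
    ("00:1A:70:AA:BB:CC", "linksys", 1, -80, True),     # AP not in the inventory
]


def normalize_mac(mac):
    """NetStumbler prints MACs in mixed case; compare them in lower case."""
    return mac.strip().lower()


def classify_scan(scan, authorized):
    """Return one (kind, bssid, ssid, channel) finding per anomaly in a scan."""
    auth = {normalize_mac(k): v for k, v in authorized.items()}
    auth_ssids = {ssid for ssid, _ in auth.values()}
    findings = []
    for bssid, ssid, channel, _signal, encrypted in scan:
        mac = normalize_mac(bssid)
        if mac in auth:
            auth_ssid, auth_channel = auth[mac]
            if ssid != auth_ssid or channel != auth_channel:
                # Our AP's MAC advertising something else: a station may be
                # using a spoofed MAC, which is what Section 2 has you try.
                findings.append(("spoofed-bssid", mac, ssid, channel))
            if not encrypted:
                # The Q1.1 finding: the lab AP runs without encryption.
                findings.append(("no-encryption", mac, ssid, channel))
        elif ssid in auth_ssids:
            # Unknown hardware advertising our SSID: a rogue AP posing as
            # ours, the man-in-the-middle setup from the background section.
            findings.append(("ssid-impersonation", mac, ssid, channel))
        else:
            findings.append(("rogue-ap", mac, ssid, channel))
    return findings


def summarize(findings):
    """Count findings by kind for a quick report."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    found = classify_scan(SAMPLE_SCAN, AUTHORIZED)
    for finding in found:
        print("%-18s %s ssid=%r ch=%d" % finding)
    print(summarize(found))
```

On the constructed scan the report lists two open-network findings for the lab AP, one spoofed-BSSID finding, one SSID impersonation and one plain rogue AP.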

Q2.3: What is the alert message you got after running NetStumbler?

Part 2 Wireless IPS
Goal: The goal of this lab is to use the wireless security tool GeSWall to detect and
prevent intrusions in wireless networks. An IPS prevents attacks and intrusions in real
time to protect valuable information.

Summary: The two sections of this lab will show you how to monitor network traffic and
secure the network.

Background and Theory:
Introduction

An Intrusion Prevention System (IPS) is the advanced version of an Intrusion Detection
System (IDS) in network security. An IPS can be a hardware or software device that has the
ability to detect known and unknown attacks and prevent them. An IPS is a firewall that can
detect malicious activities in the regular network traffic and protect the network from
those activities.

In addition to detecting threats such as DoS, SYN floods, Trojans, and backdoors, an IDS
detects security threats and vulnerabilities by passively monitoring, or in-line monitoring,
all network traffic. By placing intrusion detection sensors on a network, security experts
can manage and monitor devices for security violations or misuse originating from the
internal or external network.


Wireless Network Security

Threats to wireless local area networks are abundant and potentially destructive. Security
issues ranging from misconfigured wireless access points to session hijacking to Denial
of Service (DoS) can affect a WLAN. Wireless networks are not only susceptible to
TCP/IP-based attacks; they are also subject to a wide array of 802.11-specific threats. To
aid in the defense against and detection of these potential threats, WLANs should employ a
security solution that includes an intrusion detection system or intrusion prevention
system. Even organizations without a WLAN are at risk from wireless threats and should
consider an IDS solution.

Prelab Questions: None.

Lab Scenario: You will be using the Windows XP machine in order to become familiar with
wireless IPS using GeSWall 2.3.
The setup you will be implementing for Section 1 is shown below:




After downloading the free GeSWall 2.3 [4], follow the install process. GeSWall
dynamically isolates web browsers, e-mail, chat, P2P, IRC clients and other applications
that may serve as entry points for malicious software or intrusions. Viruses, trojans,
spyware and exploits cannot pass through an isolated application and so cannot cause any
damage.

Section 1: GeSWall
Using GeSWall, you can securely surf the web, open e-mail attachments, chat and
exchange files regardless of the security threats posed by the internet. GeSWall
prevents damage from malicious software and intrusions by isolating applications.
Isolation applies an access restriction policy that effectively prevents different
kinds of attacks, including rootkits, key loggers, backdoors, confidential file disclosure,
intrusions and the spreading of malicious software.

The technology used allows any application to be automatically isolated without
configuration by the user. To make it easy, GeSWall applies specific access rules for the
most popular internet applications. Those specific rules come in an open Application
Database. With the GeSWall Console, advanced users may choose an appropriate security
mode and create rules for applications which are not currently in the application database.

1.1. Access Restriction Policy

The GeSWall access restriction policy determines how GeSWall will restrict access by
applications to system resources. Resources are files, registry keys, processes, etc., and all
resources are categorized as untrusted, trusted or confidential. The access restriction
policy is composed of both generic rules, which apply to all applications, and specific rules,
which apply to one application.

The generic rules for an isolated application are that the application can read but cannot
modify trusted resources, cannot read or modify confidential resources, may create new
untrusted resources (e.g. files), and may read or modify untrusted resources.

The only generic rule for a non-isolated application is that the application cannot
load untrusted executables into its address space. All other resource access is
allowed. These generic rules are overridden by any application-specific rules in the
application database. All resources are trusted except those created by isolated
applications; resources created by isolated applications are untrusted. Confidential
resources are any resources which are marked as confidential in the database. By default,
any files in a user's My Documents\Confidential folder are confidential. The GeSWall
policy model also reserves the notion of a Jailed Application: an application that has no
permissions by default and may access only explicitly granted resources.
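
The generic rules above, together with the application-specific override, the "Deny Create" path rule from the Resources section and the default My Documents\Confidential folder, as one executable policy check. This is an added example, not GeSWall's code: the application names, the file and registry paths and the redirect rule for the browser are assumptions.

```python
from dataclasses import dataclass, field

# Resource classes and application modes named in the policy text above.
TRUSTED, UNTRUSTED, CONFIDENTIAL = "trusted", "untrusted", "confidential"
ISOLATED, NON_ISOLATED, JAILED = "isolated", "non-isolated", "jailed"
ALLOW, DENY, REDIRECT = "allow", "deny", "redirect"

# Registry root prefixes; the answer key's own examples use HKLM and HKEY_*.
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKEY_")


def is_registry(path):
    return path.upper().startswith(REGISTRY_ROOTS)


def under(path, prefix):
    """Case-insensitive prefix match for Windows paths and registry keys."""
    return path.lower().startswith(prefix.lower())


@dataclass
class Policy:
    # Folders whose contents are confidential; GeSWall's default is each
    # user's My Documents\Confidential folder.
    confidential: list = field(default_factory=list)
    # Resources created by isolated applications become untrusted.
    untrusted: set = field(default_factory=set)
    # Application-specific rules override the generic ones:
    # (application, path prefix, operation) -> verdict.
    specific: dict = field(default_factory=dict)
    # "Deny Create" definitions such as c:\windows\system32\ in the text.
    deny_create: list = field(default_factory=list)
    # Every restricted access is recorded, as in the GeSWall Logs folder.
    log: list = field(default_factory=list)

    def classify(self, path):
        """All resources are trusted unless confidential or created isolated."""
        if any(under(path, p) for p in self.confidential):
            return CONFIDENTIAL
        return UNTRUSTED if path.lower() in self.untrusted else TRUSTED

    def generic(self, mode, op, path, trust):
        """The generic rules from the access restriction policy."""
        if mode == JAILED:
            return DENY  # nothing unless a specific rule grants it
        if mode == NON_ISOLATED:
            # Only restriction: no untrusted executables in the address space.
            return DENY if op == "load" and trust == UNTRUSTED else ALLOW
        # Isolated application from here on.
        if trust == CONFIDENTIAL:
            return DENY  # can neither read nor modify
        if op == "create":
            # Files and folders may be created freely, registry keys may not,
            # and "Deny Create" paths are closed as well.
            closed = is_registry(path) or any(under(path, p) for p in self.deny_create)
            return DENY if closed else ALLOW
        if trust == TRUSTED:
            return DENY if op == "modify" else ALLOW  # trusted is read-only
        return ALLOW  # untrusted may be read and modified

    def check(self, app, mode, op, path):
        """Decide one access, track new untrusted files, log restrictions."""
        trust = self.classify(path)
        verdict = next((v for (a, prefix, o), v in self.specific.items()
                        if a == app and o == op and under(path, prefix)), None)
        if verdict is None:
            verdict = self.generic(mode, op, path, trust)
        if verdict == ALLOW and op == "create" and mode == ISOLATED:
            self.untrusted.add(path.lower())
        if verdict != ALLOW:
            self.log.append((app, mode, op, path, verdict))
        return verdict


def demo():
    """Walk an isolated browser, then a non-isolated shell, through the policy."""
    policy = Policy(
        confidential=["c:\\documents and settings\\alice\\my documents\\confidential\\"],
        deny_create=["c:\\windows\\system32\\"],
        # Assumed redirect rule: the browser's own registry writes go to a local copy.
        specific={("browser.exe", "hkcu\\software\\browser", "modify"): REDIRECT},
    )
    b = "browser.exe"
    results = {
        "read_trusted": policy.check(b, ISOLATED, "read", "c:\\windows\\system32\\kernel32.dll"),
        "modify_trusted": policy.check(b, ISOLATED, "modify", "c:\\windows\\system32\\drivers\\etc\\hosts"),
        "read_confidential": policy.check(b, ISOLATED, "read",
            "c:\\documents and settings\\alice\\my documents\\confidential\\taxes.xls"),
        "create_in_system32": policy.check(b, ISOLATED, "create", "c:\\windows\\system32\\newtool.dll"),
        "create_download": policy.check(b, ISOLATED, "create", "c:\\downloads\\setup.exe"),
        "create_registry": policy.check(b, ISOLATED, "create", "HKLM\\SOFTWARE\\NewKey"),
        "redirect_registry": policy.check(b, ISOLATED, "modify", "HKCU\\Software\\Browser\\Prefs"),
        # The download the isolated browser created is now untrusted, so a
        # non-isolated process may not load it.
        "load_untrusted": policy.check("explorer.exe", NON_ISOLATED, "load", "c:\\downloads\\setup.exe"),
        "jailed_read": policy.check("jailed.exe", JAILED, "read", "c:\\windows\\notepad.exe"),
    }
    return results, list(policy.log)
```

Every verdict other than allow ends up in `policy.log`, which mirrors the remark in the Logs section that an isolated application produces many restriction records that are not intrusion attempts.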

After installation and reboot, GeSWall starts protecting the PC. Whenever you
start a web browser or other internet application that GeSWall is aware of, it is
isolated. Depending on the settings, isolation happens automatically or you get a popup
dialog request such as:




Figure 1: Example of the pop-up window that asks the user for permission.

Take Screenshot 4 (as shown in Figure 1).

Depending on the settings, the pop-up will appear as soon as an application tries to
access an untrusted resource or as soon as it attempts to establish a connection to
the internet. To help you make a choice, the dialog contains some information about
the application. If you want to make the same choice every time you run this application,
just check "Do not ask again". If you do not make any choice before the number on
the "Yes" button has counted down to zero, the application will be isolated for
you. Usually you should always run an untrusted application in isolated mode. You may
however occasionally want to run an untrusted application non-isolated if you want
to allow it to modify trusted resources, e.g. to install new software, ActiveX
components, etc. Once an application is isolated, GeSWall marks its active window
caption with a special indicating color, so that you may easily distinguish isolated
applications.

1.2. Security Levels

GeSWall supports four security policy templates named Security Levels.
Switching between security levels changes GeSWall's behavior and should be done
with due caution. To choose a level, select the GeSWall root folder, as shown in
the picture.




1.3. Resources
The "Resources" folder contains definitions of trusted and untrusted resources. The
access restriction policy uses these definitions for isolating applications.

The default list of resources is required for GeSWall functionality and it is not
recommended that you modify these; however, you may add your own resource
definitions, e.g. define additional file folders for confidential documents, or certain
untrusted files.

By default, all resources are trusted. An untrusted resource can be read and modified. A
confidential resource is one that an isolated application can neither read nor modify. By
default, GeSWall defines all users' My Documents\Confidential folders as confidential.
Therefore, you may either create that folder and copy your private documents there or
define another file folder which stores your confidential data.

To add a new rule, right-click on the Resources folder and choose New, Add Resource,
which will bring up the window below:

This definition prevents an isolated application from creating resources inside the specified
path. For example, a "Deny Create" rule for "c:\windows\system32\" denies creating any new
files inside the c:\windows\system32\ path. Note that by default GeSWall allows isolated
applications to create new files and folders without restriction but disallows the creation
of new registry keys.

1.4. Applications

The "Applications" folder contains known application definitions together with
specific rules, which comprise the application database. For easy browsing,
applications are organized into logical groups according to the application
category.

The application database has groups such as system, web browsers, e-mail
and news clients, chat messengers, IRC clients, P2P sharing applications, Microsoft
Office applications and multimedia players. It is possible to add or delete groups.
Rules can be added as well, so that you can allow, deny, redirect, or give read-only access
to new applications.
1.5. Logs
Whenever GeSWall restricts an access, it records the event to the log. The log can
be viewed in the "Logs" folder of the GeSWall Console, as shown in the picture
below.

Usually you will find several event records for running isolated applications because
those applications are restricted in access according to the Access Restriction Policy. The
event records do not necessarily indicate intrusion attempts; in most cases they are
restrictions of optional application functionality, which could also be malware or intrusion
damage activity. This is similar to firewall logs, which frequently show large numbers of
blocked connection attempts.




How long did it take you to complete this lab? Was it an appropriate length for the lab?



What corrections and/or improvements do you suggest for this lab? Please be very
specific and if you add new material give the exact wording and instructions you would
give to future students in the new lab handout. You may cross out and edit the text of the
lab on previous pages to make minor corrections/suggestions. General suggestions like
"add tool xyz to do more capable scanning" will not be awarded extra points even if the
statement is totally true. Specific text that could be cut and pasted into this lab, completed
exercises, and completed solutions may be awarded additional credit. Thus if tool xyz
adds a capability or an additional or better learning experience for future students, here is
what you need to do. You should add that tool to the lab by writing new detailed lab
instructions on where to get the tool, how to install it, how to run it, what exactly to do
with it in our lab, example outputs, etc. You must prove with what you turn in that you
actually did the lab improvement yourself. Screenshots and output hardcopy are a good
way to demonstrate that you actually completed your suggested enhancements. The lab
addition section must start with the title "Lab Addition", your addition subject title, and
must start with a paragraph explaining at a high level what new concept may be learned
by adding this to the existing laboratory assignment. After this introductory paragraph,
add the details of your lab addition.




Turn In Checklist
- Completed answers
- 4 screenshots

References:

[1] AirDefense Personal: http://www.airdefense.net/products/adpersonal/AirDefensePersonal.zip

[2] NetStumbler: http://www.stumbler.net/

[3] http://www.securityfocus.com/infocus/1742

[4] To download the free Personal edition of GeSWall: http://www.gentlesecurity.com/download.html

[5] To view the user guide of GeSWall: http://www.gentlesecurity.com/files/userguide.pdf

Appendix A: AirDefense Installation
Unzip the downloaded file and click on the file called AirDefensePersonal.

Click Next.
Click on Yes.
Click on Next, then Install.

Appendix B: NetStumbler v0.4.0 Release Notes
- This version of NetStumbler requires Windows 2000, Windows XP, or better.
- The Proxim models 8410-WD and 8420-WD are known to work. The 8410-WD
  has also been sold as the Dell TrueMobile 1150, Compaq WL110, Avaya
  Wireless 802.11b PC Card, and others.
- Most cards based on the Intersil Prism/Prism2 chip set also work.
- Most 802.11b, 802.11a and 802.11g wireless LAN adapters should work on
  Windows XP. Some may work on Windows 2000 too. Many of them report
  inaccurate Signal strength, and if using the "NDIS 5.1" card access method then
  Noise level will not be reported. This includes cards based on Atheros, Atmel,
  Broadcom, Cisco and Centrino chip sets.
- I cannot help you figure out what chip set is in any given card.

Firmware Requirements

If you have an old WaveLAN/IEEE card then please note that the WaveLAN firmware
(version 4.X and below) does not work with NetStumbler. If your card has this version,
you are advised to upgrade to the latest version available from Proxim's web site. This
will also ensure compatibility with the 802.11b standard.

Other Requirements and Compatibility Issues

- Your card must be configured in such a way that it can be seen by the
  management software that came with the card.
- The Microsoft-provided Orinoco drivers that come with Windows 2000 do not
  work with NetStumbler. Please visit Windows Update or www.proxim.com and
  upgrade to the latest drivers.
- When NetStumbler is in "auto reconfigure" mode (the default), it will
  occasionally disconnect you from your network. This enables it to perform its
  scans accurately, and is not a bug.
- If you have the WLAN card configured to connect to a specific SSID,
  NetStumbler may not report any access points other than those that have that
  SSID. Configure your card with a blank SSID or, if a blank one is not permitted,
  "ANY" (without quotes).

Legal note

I am not a lawyer. However as a user of this software, you need to be aware of the
following.
In most places, it is illegal to use a network without permission from the owner. The
definition of "use" is not entirely clear, but it definitely includes using someone else's
internet connection or gathering information about what is on the network. It may include
getting an IP address via DHCP. It may even include associating with the network.

The IP address reporting functionality in NetStumbler is for you to check the settings
of your own network, and for corporate users to identify rogue access points operating
within their organization. If you are doing neither of these things, it is suggested that you
disable TCP/IP on your wireless adapter. This will help you to avoid possible legal
trouble.

Marius Milner, netstumbler.com and stumbler.net accepts no liability for damages caused
by use of this software. For further information please consult the License Agreement
that can be found both in the installer and in the online help.

Mini-FAQ
Q1. NetStumbler reports "No wireless card found". Why?
       A1. Please check the compatibility lists above. Perhaps your adapter is not
       supported.
Q2. Why doesn't NetStumbler see the access point right next to my machine?
       A2A. The access point is configured not to respond to broadcast probes. Most
       manufacturers call this "disable broadcast SSID" or "closed". NetStumbler cannot
       see these networks unless you know the SSID and have your machine configured
       to connect to it.
       A2B. Your wireless card is configured to connect to a specific SSID. Try setting it
       to connect to a blank SSID or to "ANY" (without quotes).
Q3. What 802.11 frames does NetStumbler send?
       A3A. It sends out a probe request about once a second, and reports the responses.
       This is known as Active Scanning.
       A3B. (ORiNOCO only and with "Query APs for names" enabled) When it is
       connected to a BSS network, it will attempt to get the name of the access point.
       When it is connected to an IBSS network, it will try to get the names of all locally
       visible peers. This is done via Proxim's proprietary WMP protocol.
       A3C. (Only when connected to a Cisco access point and with "Query APs for
       names" enabled and with a valid IP address ) It will attempt to use Cisco's IAPP
       protocol to get the name and IP address of the access point.
       A3D. If you leave TCP/IP enabled, your adapter may attempt to get a DHCP lease
       or send other traffic. NetStumbler will record the fact that you were issued an IP
       address.
Q4. Does NetStumbler listen for beacons, or put my card into promiscuous or
RFMON mode?
       A4. This is called Passive Scanning and is not in this version.
Q5. I'm seeing access points appear briefly and then disappear for a long time.
What's happening?
      A5A. Some wireless networks can be configured not to respond to probes every
      time they hear a request.
      A5B. If you see lots of networks that appear briefly and then disappear forever,
      you may have found a FakeAP installation.
Q6. Why does NetStumbler disconnect me from the network?
      A6. If you have "Options->Reconfigure card automatically" checked, it will
      configure your card with a profile that uses a null SSID and BSS mode (It will not
      change your WEP settings). Also, when it sees another network that has a better
      signal than the one you're connected to, it may disconnect the current connection
      so that it can get the AP name on the other network.
Q7. Does NetStumbler detect ROR and COR installations?
      A7. Not usually. They are not always fully compliant with 802.11b and
      therefore may not be visible to NetStumbler.
Q8. Should I allow Windows XP to manage my wireless settings?
      A8. Probably not. When you are not connected to a network, XP will cycle
      through your favorite network names attempting to connect to them. While this is
      happening, NetStumbler may not see all available networks. It is recommended
      that you stop the "Wireless Zero Configuration" service while NetStumbler is
      running. You can do this by switching on "Auto Reconfigure", from Control
      Panel, or by running the command "net stop wzcsvc".
Q9. When will you support wireless card X? When will you add new feature Y that I
want?
      A9. I work on this in my spare time. I can make no commitment to dates for new
      features or bug fixes. If you would like to help me support a particular piece of
      hardware, please consider sending me a sample rather than complaining that it
      isn't supported.
Q10. What does "Auto Reconfigure" actually do?
      A10A. When using the ORiNOCO driver, it stops the Wireless Zero
      Configuration service and makes sure that the card is always set to a blank SSID
      and BSS mode.
      A10B. When using the Prism driver, it stops the Wireless Zero Configuration
      service and checks for a blank or "ANY" SSID. If necessary, it makes changes to
      the card's registry settings and prompts you to reinsert the card.
      A10C. On all other drivers, it stops the Wireless Zero Configuration service and
      then does nothing. Usually this is a good thing, but you should experiment with it.

Release History

Version 0.4.0 (April 21, 2004):

- Fixed bug (introduced in 0.3.30) that caused "Reconfigure" to put
  ORiNOCO cards into a state where they would report no access points.
- Support for Atheros, Atmel, Intersil Prism2 based wireless cards.
- Improved support for Cisco cards.
- Allow use of Serial Earthmate GPS. (USB Earthmate should already work
  using NMEA and serial driver)
- If you scroll all the way to the right of the graph view, it will auto-scroll
  new data.
- Fixed bug (introduced in 0.3.30) in graph view: corrupted display when
  scrolling.
- Fixed bug in graph view: improper scroll bar tracking with large data sets.
- If "Reconfigure" is on, the Windows XP Wireless Zero Configuration
  service will be stopped when you start scanning. It is restarted when the
  application exits.
- If you connect to a network that supports DHCP, the IP subnet is reported.
- If the access point is discovered in the ARP table, its IP address is
  reported.
- While you are scanning, the system will be prevented from going into
  standby unless power is critically low.
- Large files load several times faster than before (though the really large
  ones still don't load fast enough).
- A whole lot of new Scripting features.

Version 0.3.30 (August 18, 2002):

- Allow configuration of baud rate and other settings for GPS.
- Added "Default SSID" filter to tree view.
- Close connection to NIC when scanning is not happening.
- Moved much of the configuration to a dialog box.
- Support for user-provided scripts to be invoked when various events
  occur.
- Many errors are reported in a more meaningful way.
- Workaround for problem with driver version 7.62.
- GPS now supports Garmin proprietary protocols.
- (NetStumbler) MIDI output of signal strength(s).
- (NetStumbler) Proper installation package (thank you Nullsoft)
- (NetStumbler) Use NDIS 5.1 native 802.11 features for scanning on Cisco
  and some Prism cards on Windows XP.
- (NetStumbler) Support for 802.11a on Windows XP.
- (NetStumbler) Support for USB devices on 98/Me.

Version 0.3.23 (February 14, 2002):

- Count of filtered and all APs in bottom right corner.
- Handle "ASTRAL" on serial port so that Tripmate can be used.
- Autosave feature added.
- Popup menu allows deletion of APs from list.
- Complete rewrite of NIC access code in preparation for multiple chipset
  support.
- (MiniStumbler) First public release. No tree or graph view.

Version 0.3.22 (August 6, 2001):
- Fixed bug where system suspend or other long delays would stop the GPS
  from updating.
- Make AP name collection optional. Stop flooding LAN with WMP
  packets.
- Handle misreported WEP on some IBSS networks.
- Make card reconfiguration optional.
- Windows Me support.

Version 0.3.21 (July 16, 2001):

- Support for Dell Mini-PCI card.

Version 0.3.20 (July 13, 2001):

- Added Beggarware license agreement.

Version 0.3.10 (July 12, 2001):

- GPS code largely rewritten.
- GPS on ports up to COM8 instead of COM4.
- Adjustable scan speed.
- Export summary files.

Version 0.3.00 (June 19, 2001):

- Support for even more OEM cards (Now supported: Lucent, Dell 1150,
  Toshiba, Compaq, Enterasys/Cabletron, Elsa MC-11, ARtem Comcard,
  Buffalo Airstation WLI-PCM-L11)
- Currently connected AP appears in a bold font in the tree view, and has an
  asterisk by its channel number in list view
- This session's previously connected APs are marked with a '+' in list view
- Added Ctrl+B key shortcut to toggle scanning
- Filtering by channel number, ESSID, and capability flags
- Saves entire data log as well as AP summary data
- Graphical view of signal and noise over time if you select a single AP
- Automatic reconfiguration of card, if desired. This will take your card out
  of peer mode, and unset the desired SSID if you have one. It also
  disassociates from networks that are out of range.
- Creating a new document can be configured to automatically start
  scanning or not
- Get the name of an AP, where supported (it won't be unless the AP doesn't
  have WEP, or you have the WEP key configured). It looks like Aironet
  APs don't support this.
- Merge data files together
- Ability to drag and drop column headers
- Remembers view settings when switching views, and you can save the
  current settings as defaults
- Read and write Pete Shipley's log format, as well as an extended version
- Some APs respond to scan requests on multiple channels. These now
  appear as one item rather than multiple APs.
- Uses NS1 file extension
- Improved handling of invalid files
- GPS should no longer lock up and stop responding
- Removed non-functional toolbar buttons

Version 0.2.00 (May 16, 2001):

- Works only with Lucent, Dell, and Toshiba cards
- Doesn't crash the other PCMCIA devices that you have installed.
- Should now work with USB devices.
- Runs on Windows 2000, 95, 98 (and Me? - Untested).
- Saves the data instead of making a 0 byte file.
- Supports NMEA0183 GPS devices. It stores the location of the highest
  recorded SNR.
- Lists the brand of AP hardware (based on the MAC address)
- Shows current signal strength as well as the max, and has a dot that is
  colored to show the strength next to the AP name
- Tree view to the left shows Channels, and Names; this will do more in a
  future version.
- Makes a sound when it first sees an AP

Version 0.1.00 (May 5, 2001):

- Initial proof of concept version, first public release.
- Works only on Windows 2000.
- Works with most Hermes chipset cards, but not if any other PCMCIA
  devices are installed.
- Doesn't save data (creates a 0 byte file).

Part 1 Wireless IDS
Answer Key

Q1.1: What vulnerabilities were found on the wireless network?
      Many vulnerabilities were detected, such as no encryption found on the
      wireless network.



Q1.2: Did AirDefense detect any attack?

      Yes, it detected a wireless security risk to the network.




Q1.3: What other services can be monitored using AirDefense?
      - Malicious access point
      - Non-preferred access point
      - No VPN
      - Wireless phishing
      - Station probing



Q1.4: What software did you use to do the denial of service and why?

      Many open source programs could be used, but Data pool would be an obvious
      choice since we have worked with it already in previous labs.


Q1.4: What message did you get from AirDefense?

      You will get an alert stating that AirDefense has detected a wireless security risk
      to your computer.

Take a screenshot of the AirDefense output after the attack. (Screenshot #2)

Screenshot #1

Screenshot #2




Q2.1: What is the MAC Address of the AP?

      00:16:b6:11:60:D5

Q2.2: What is the IP address for the AP?
      68.25.122.92
Screenshot #3

Part 2 Wireless IPS

Question 1: How can you keep your private data isolated?

Answer: Create a directory with any name and, in the Resource Properties, add it as
confidential.


Question 2: What happens when an application is redirected?

Answer: The application may read the resource, but once it tries to modify it, GeSWall
creates a local copy of the file or registry key, which is modified instead. This allows the
application to work properly and at the same time prevents modification of trusted
resources. The local copy is not permanent and can be erased on application termination.



Question 3: Write a registry key name.

Answer: There are three examples of registry key names:
HKLM\SOFTWARE\Opera Software\Opera
%HKEY_CURRENT_USER%\Software\Skype
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


Question 4: What can you monitor from the GeSWall log file?

Answer: Analyzing logged events for attack traces requires expertise in computer
security, and GeSWall is not intended to be an intrusion detection product. The log is
particularly useful for debugging application problems while authoring specific rules for
new applications.

				