Network-based Rogue Wireless Access Point Detection

Network-based Rogue Wireless Access Point Detection System

PI:            Dr. Aaron Striegel           striegel@nd.edu
               Chad Mano                    cmano@nd.edu

Purpose

The purpose of this document is to give an overview of the Rogue Wireless Access Point
detection work completed here at the University of Notre Dame by Dr. Striegel and his
graduate student, Chad Mano. In the interest of avoiding issues with intellectual
property/etc., the core aspects of the work are described in a broad manner.

Motivation

The premise of the work is straightforward: design a system that detects rogue
wireless access points (RWAPs) at minimal deployment and maintenance cost while still
providing rapid detection with a high degree of accuracy. From this goal the RIPPS
(Rogue Identifying Packet Payload System) approach was conceived.


Target Environment

[Figure: target environment. Validated hosts (R) and critical resources sit behind a
firewall at the Internet edge; an RWAP with a spoofed MAC address is inserted on the
wired network; RIPPS (the ND RWAP Detection System) sits in-line on the network path.]
Our target environment is a corporate network or branch office. The network has a
router at the Internet edge with basic firewall capabilities. Additional critical
points in the network may also be protected by firewalls or intrusion detection systems
(IDS). Devices are validated by MAC address, either at the switch itself or at the
DHCP server.



PROPRIETARY
The rogue device (RWAP) is assumed to be a simple consumer WAP (D-Link, Linksys)
inserted into the network by an unsuspecting user. It is assumed that the user will
enable MAC spoofing (offered on most such boxes through a wizard-like interface) using
the valid MAC address of the user's wired host, so the RWAP passes MAC-based
validation. The RWAP then provides NAT-like connectivity, along with open
(unencrypted) wireless coverage, to both the validated wired host and any new wireless
device.

System Overview

Our system sits in-line on the network path (co-located with a firewall, IDS, or similar
device) to offer network-based monitoring of the underlying hosts. RIPPS is passive
with respect to the monitored hosts: it requires no changes to them and no explicit
communication path to them. By monitoring TCP connections and the timing properties of
the underlying TCP exchange, the system identifies hosts reached over a wireless link
with high accuracy in an extremely short period of time (< 50 ms).

In short, we take advantage of the natural Data+Ack behaviour of TCP, combined with
appropriate packet shaping of the data stream, to make the timing signature of a
half-duplex wireless hop (or even a full-duplex, multi-channel wireless link) stand out,
even in the presence of significant heterogeneity (10 Mb/s Ethernet, 802.11b, 802.11g,
Fast Ethernet, Gigabit Ethernet, etc.). The overhead of the system is quite limited
(typically < 1%) even with an extremely aggressive monitoring schedule (re-validating
every host every 10 minutes on a thousand-host network).
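The following is an added illustration of the Data+Ack timing idea described above; it is not the Notre Dame prototype (which is C++/Linux/libpcap) and makes no claim about how RIPPS itself shapes traffic. A TCP data packet in flight is sliced into small back-to-back segments so the receiving host returns several ACKs for what was one packet; a wired host answers at roughly wire-serialization spacing, while a host behind a rogue AP must receive each slice over the half-duplex radio and contend for the medium again for each ACK, so its ACK gaps are far larger. The 200 µs boundary, the slice size and every timestamp are constructed assumptions for the example.

```python
"""
Toy model of payload slicing plus ACK-timing classification.  Added example,
not the RIPPS prototype.  All thresholds and timestamps below are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Sequence


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def slice_payload(seq: int, payload: bytes, slice_size: int) -> List[Segment]:
    """Split one in-flight TCP data packet into slice_size-byte segments with
    consecutive sequence numbers.  The receiver still sees valid TCP and ACKs
    each slice (or every other one under delayed ACK), so a single data packet
    yields several timing samples without touching the monitored host."""
    if slice_size <= 0:
        raise ValueError("slice_size must be positive")
    return [Segment(seq + off, payload[off:off + slice_size])
            for off in range(0, len(payload), slice_size)]


def ack_gaps_us(ack_times_us: Sequence[float]) -> List[float]:
    """Inter-arrival gaps between consecutive ACKs, in microseconds."""
    return [later - earlier for earlier, later in zip(ack_times_us, ack_times_us[1:])]


def classify(ack_times_us: Sequence[float], wired_gap_us: float = 200.0,
             min_acks: int = 3) -> str:
    """Return 'wired', 'wireless' or 'insufficient'.

    wired_gap_us is an assumed boundary: ACKs to back-to-back 100-byte slices
    on Fast Ethernet arrive tens of µs apart, whereas each slice over 802.11b/g
    costs a full frame exchange (DIFS, backoff, data, SIFS, link-layer ACK),
    i.e. hundreds of µs.  The median keeps one delayed or lost ACK from
    flipping the verdict.
    """
    if len(ack_times_us) < min_acks:
        return "insufficient"
    gaps = ack_gaps_us(sorted(ack_times_us))
    return "wireless" if median(gaps) > wired_gap_us else "wired"


def main() -> None:
    # Constructed example: a 1460-byte segment sliced into 100-byte pieces.
    slices = slice_payload(seq=1000, payload=b"A" * 1460, slice_size=100)
    print(f"{len(slices)} slices, last seq {slices[-1].seq}")

    # Constructed ACK arrival times (µs) for the same slice train.
    wired_acks = [0, 9, 17, 26, 35, 44, 52]           # host on Fast Ethernet
    wireless_acks = [0, 410, 830, 1260, 1690, 2100]    # host behind an 802.11 AP
    print("wired host    ->", classify(wired_acks))
    print("wireless host ->", classify(wireless_acks))


if __name__ == "__main__":
    main()
```

Note that a NAT in the path does not hide the signature: the ACK timing is governed by the last hop to the real endpoint, which is why the approach is unaffected by the RWAP's NAT but cannot see past a proxy that terminates the TCP connection itself.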

Performance Notes

       •   In-line detection of RWAPs without sensor networks
       •   Distinguishes NATs and 802.11(a,b,g) hosts from hosts on heterogeneous wired
           networks (Ethernet @ 10 Mb/s, Fast Ethernet @ 100 Mb/s, etc.)
       •   Accurate detection in < 50 ms (2-3 TCP data packets)
               o Derive patterns with SSH, web (SSL, etc.)
       •   Will function despite the presence of a NAT
       •   Easily scalable
               o Prototype used libpcap/user-space apps to deliver 100 Mb/s
                   performance on COTS HW
               o Does not need to process all packets, only TCP traffic of suspected or
                   unvalidated hosts

Limitations

   •   Will not detect wireless proxies
          o TCP connection terminates at host vs. pass through
   •   Will not detect layer 2 rogue APs
          o Devices are still valid but associate with a malicious AP
   •   Detection requires connection by host
          o Host must initiate a TCP connection either to critical resources or to
              external Internet



Current State of RIPPS

   •   Full prototype/proof of concept
           o Paper available (pending at ACM Trans. on Information System Security)
               with NDA
           o Various presentations (PowerPoint)
           o Full analysis of competing (non-sensor) approaches
           o Prototype is based in C++ / Linux / libpcap
   •   Provisional patent filed

Notre Dame Contacts

       Technical

              Dr. Aaron Striegel
              Dept. Computer Science & Engineering
              356-B Fitzpatrick Hall
              Notre Dame, IN 46556
              (574) 631-6896

       Office of Research

              Elizabeth Spencer
              Director, Office of Research
              511 Main Building
              Notre Dame, IN 46556
              (574) 631 5158

              Greg Luttrell
              Assistant Director, Office of Research
              511 Main Building
              Notre Dame, IN 46556
              (574) 631 2857
              Gregory.N.Luttrell.1@nd.edu



