D1 - June 29, 2005

The present document contains information that remains the property of France Telecom. The recipient’s acceptance of this document implies his or her acknowledgement of the confidential nature of its contents and his or her obligation not to reproduce, transmit to a third party, disclose or use for commercial purposes any of its contents whatsoever without France Telecom’s prior written agreement.

Mitigating Rogue Access Points in Corporate Environments
(Design, Implementation and Deployment of a Wireless IDS)

FIRST Singapore – June 29, 2005

Laurent BUTTI – France Telecom Division R&D
firstname.lastname AT francetelecom dot com



Introduction


Context

- Wireless networks are widely available in corporate environments
  - Wireless infrastructures for employee access (IPsec or WPA/WPA2)
  - Wireless infrastructures for guest access (captive portal)
  - Wireless chipsets shipped by default on most laptops today

- These facts inevitably lead to several weaknesses
  - Information leaking about your wireless infrastructure and laptops
  - Error-prone configurations and uncontrolled experimental networks
  - Uncontrolled ad hoc networks that may represent a critical hole (double attachment)

- New security mechanisms (WPA/IEEE 802.11i) cannot address these issues!


Need a Wireless IDS?

- Combine the context with the attacker’s panoply
  - Access point mode available with most *nix drivers and firmwares
  - Lightweight access points to be plugged into corporate networks
  - Wardriving tools (the obvious first step of a more intrusive attack)
  - Frame injection attacks that may be disruptive

- Difficulties in knowing the status of wireless networks
  - Just ask your sysadmins to tell you about this!
  - Attacks in action? Wardriving and man-in-the-middle attacks are impossible to detect without specific tools!
  - Are there any legitimate or illegitimate access points?

- Your wireless environment may be vulnerable…
  - You should observe it carefully thanks to a wireless IDS!


Preliminary Choices

- Wireless networks were already deployed
  - Employee corporate access thanks to IPsec with IKE and certificates
  - Employee corporate access thanks to WPA with EAP-TLS
  - Guest access thanks to captive portals with temporary logins

- An overlay wireless IDS solution seems to be the straightforward choice
  - Specialized IDS software and dedicated sensors

- We decided to design a new tool from scratch
  - Fits our needs and the low-cost requirement
  - Improves our skills in the wireless security area

- This presentation will expose our feedback on
  - Design, implementation and deployment of a wireless IDS
  - Mitigating rogue access points in corporate environments


Wireless IDS: Design and Implementation


Requirements: Overlay Wireless IDS (1/2)

- Portable
  - Independent of lower layers (any IEEE 802.11a/b/g/? monitor-capable wireless card)
  - Should run on any *nix operating system

- Flexible and lightweight
  - Code should not be modified when adding a new event pattern
  - Should run on embedded devices (e.g. WRT54G) with low memory and CPU constraints

- Channel-hopping compliant
  - Should not trigger false positives

- Enhanced features
  - Efficient aggregation and correlation
  - New MAC spoofing detection engines
  - New equipment tracking capabilities


Requirements: Overlay Wireless IDS (2/2)

- Low-cost
  - As overlay solutions may be expensive, low-cost wireless probes and backend tools are mandatory

- Ease of use
  - Must be managed through a web interface (log readability, administration…)


Architecture Overview

- The architecture is divided into several technical parts
  - Several wireless probes: detecting and sending events
  - A central collector: event aggregation and correlation
  - A database: storage of aggregated and correlated events
  - A GUI: presentation and supervision/administration

- The wireless probe is fully functional in standalone mode
  - But you need to store and read lots of SYSLOG events!

[Diagram: wireless probes send events over SYSLOG to the aggregation and correlation engine, which writes them over SQL to the events database; the presentation and administration front end reads the database over SQL, manages the probes over SSH/SCP, and is accessed by the site administrator over HTTPS]


Architecture Overview

[Diagram: legitimate access points and wireless probes deployed across the internal network; the probes report events over SYSLOG to the aggregation and correlation engine and are administered over SSH/SCP; the presentation and administration front end queries the database over SQL and is reached over HTTPS]


(Wireless Probe) Technical Choices

- Language and capture library
  - C and libpcap

- Hardware
  - Prism2/2.5/3 (hostap), Prism54 (prism54.org), Atheros (madwifi) and WRT54G (wl)

- Rules definition
  - Lexical and syntactic parsers

- Optimized for speed and size
  - The rules tree is stored in memory, mallocs are minimized
  - Small memory footprint for embedded devices (~85 KB binary)


(Wireless Probe) Some Features

- Rules can be designed to trigger any event, e.g.
  - Rogue access point: packet with a BSSID not in a MAC address whitelist
  - STA association to a rogue access point: association success packet with a BSSID not in a MAC address whitelist
  - WEP injection: several WEP-encrypted packets with the same MAC_STA address and the same IV

- The ruleset is about 60 signatures implementing detection of
  - Rogue access points: unauthorized BSSIDs, ESSIDs
  - MAC spoofing: several techniques
  - DoS: deauthentication/disassociation floods, EAP-Logoff/Failure floods, …
  - EAP brute forcing: loads of EAP-Response Identity requests, …
  - Wardriving: Netstumbler, Wellenreiter, …
  - Injection attacks: loads of WEP packets with the same IVs
  - Misconfiguration: default ESSIDs, …
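The three example rules above (rogue BSSID, association success to a rogue BSSID, WEP frames from one STA reusing an IV) only need the 802.11 MAC header and the first bytes of the frame body. The Python below is an added example written for this page, not the probe's C/libpcap code or its rule language: it builds a handful of constructed frames, decodes the header fields the rules depend on (type/subtype, To DS/From DS and Protected bits, which address field carries the BSSID) and evaluates the rules over the batch. The whitelist, the IV-reuse threshold and all MAC addresses are hypothetical values chosen for the example.

```python
import struct
from collections import defaultdict, Counter

# Constructed, hypothetical whitelist and threshold: not values from the deck.
LEGIT_BSSIDS = {"00:11:22:33:44:55"}
WEP_SAME_IV_THRESHOLD = 3   # WEP frames from one STA reusing an IV before alerting

def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(fc0, fc1, addr1, addr2, addr3, seq=0, body=b""):
    """Assemble a minimal 802.11 frame (constructed test input, no FCS)."""
    return (struct.pack("<BBH", fc0, fc1, 0)                       # frame control, duration
            + mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
            + struct.pack("<H", seq << 4)                            # sequence control
            + body)

def parse_frame(raw):
    """Decode the 802.11 MAC header far enough for the three rules."""
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds, protected = fc1 & 0x1, (fc1 >> 1) & 0x1, (fc1 >> 6) & 0x1
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    body = raw[24:]
    # Which address field holds the BSSID depends on the frame type and the DS bits
    if ftype == 0 or not (to_ds or from_ds):
        bssid = a3                       # management frames and IBSS/no-DS data
        sta = a1 if a2 == bssid else a2  # the non-AP side of the exchange
    elif to_ds and not from_ds:
        bssid, sta = a1, a2              # STA -> AP
    elif from_ds and not to_ds:
        bssid, sta = a2, a1              # AP -> STA
    else:
        bssid, sta = a2, a1              # WDS (4 addresses): treat the transmitter as the AP
    return {"type": ftype, "subtype": subtype, "protected": protected,
            "bssid": mac_to_str(bssid), "sta": mac_to_str(sta), "body": body}

def run_rules(frames, whitelist=LEGIT_BSSIDS):
    """Apply the three example rules to a list of raw frames; return the events raised."""
    events = []
    iv_counts = defaultdict(Counter)     # sta -> Counter of WEP IVs seen from it
    for raw in frames:
        f = parse_frame(raw)
        rogue = f["bssid"] not in whitelist
        # Rule 1: any frame carrying a BSSID that is not whitelisted
        if rogue:
            events.append(("ROGUE_AP", f["bssid"]))
        # Rule 2: association response (subtype 1) with status code 0 (success) from a rogue BSSID
        if f["type"] == 0 and f["subtype"] == 1 and rogue and len(f["body"]) >= 4:
            status = struct.unpack_from("<H", f["body"], 2)[0]
            if status == 0:
                events.append(("STA_ASSOC_ROGUE_AP", f["bssid"], f["sta"]))
        # Rule 3: protected data frames from one STA reusing the same 3-byte IV
        if f["type"] == 2 and f["protected"] and len(f["body"]) >= 4:
            iv = f["body"][:3].hex()
            iv_counts[f["sta"]][iv] += 1
            if iv_counts[f["sta"]][iv] == WEP_SAME_IV_THRESHOLD:
                events.append(("WEP_INJECTION", f["sta"], iv))
    return events

def sample_capture():
    """Constructed frames: a legitimate beacon, a rogue beacon, a rogue association success, WEP replays."""
    legit, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    sta, bcast = "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff"
    assoc_ok = struct.pack("<HHH", 0x0431, 0, 0xC001)   # capability, status=0, AID
    frames = [
        build_frame(0x80, 0x00, bcast, legit, legit, seq=1, body=b"\x00" * 12),  # beacon, legit
        build_frame(0x80, 0x00, bcast, rogue, rogue, seq=1, body=b"\x00" * 12),  # beacon, rogue
        build_frame(0x10, 0x00, sta, rogue, rogue, seq=2, body=assoc_ok),        # assoc resp, rogue
    ]
    # WEP data frames STA -> legit AP (To DS, Protected): one IV three times, then a fresh IV
    for iv in (b"\x0a\x0b\x0c",) * 3 + (b"\x01\x02\x03",):
        frames.append(build_frame(0x08, 0x41, legit, sta, "00:50:56:00:00:10",
                                  body=iv + b"\x00" + b"\xaa" * 8))
    return frames

if __name__ == "__main__":
    for ev in run_rules(sample_capture()):
        print(ev)
```

On the constructed capture the rules raise four events: ROGUE_AP twice (beacon and association response from the rogue BSSID), STA_ASSOC_ROGUE_AP for the client that got a successful association response, and WEP_INJECTION on the third frame reusing IV 0a0b0c. Note that rule 1 fires per frame, which is why the deck insists on aggregation downstream.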


(Wireless Probe) WRT54G Port

- Linksys WRT54G (802.11b/g access point)
  - Hardware (v1.0)
    - RAM: 16 MB, Flash: 4 MB
    - CPU: BCM94702 (125 MHz MIPS)
    - Ethernet: ADMtek ADM6996 5-port 10/100 switch
  - Others
    - WPA compliant
    - Wireless driver is proprietary
    - Firmware source code is released under the GPL license

- We used OpenWRT’s firmware
  - Upgrading to the new firmware by HTTP (Linksys’s interface) or TFTP with "nvram set boot_wait=on"
  - Cross-compilation of new binaries (MIPS)
  - Package construction with ipkg
  - Start-up scripts must be configured


(Backend) Technical Choices

- Aggregation and correlation
  - Simple Event Correlator (SEC) processing SYSLOG logs

- Event storage
  - SQL database (e.g. MySQL)

- HTTP(S) interface
  - Apache and PHP driven

- Supervision and administration
  - SSH/SCP for administration purposes
  - syslog for event reporting


(Backend) Some Features

- On-the-fly aggregation reduces the generated logs by up to 98%
  - Most logs are recurrent (scans, rogue APs…) within a timeframe

- On-the-fly correlation
  - Correlation thanks to a logical combination of alerts (new signature)
    - e.g. STA changing to AP

- Offline correlation
  - Equipment tracking and geolocation
    - Is the rogue access point interconnected with internal networks?

- Update the database with the new correlated event
  - Improves accuracy as false alarms are reduced thanks to correlation

- Aggregation and correlation processes are mandatory!
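The deck runs aggregation and correlation in SEC over the probes' syslog output. As an added illustration of the two mechanisms (not the deck's SEC rules, and not the probe's real log syntax), the Python below parses constructed syslog lines in a hypothetical "widsprobe: EVENT key=value ..." format, forwards the first sighting of each (probe, event, MAC) alert while counting repeats inside a time window, emits a summary of the suppressed repeats, and implements the "STA changing to AP" correlation: a MAC first reported as a client that later shows up as a BSSID. Event names, the 60-second window and all addresses are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Hypothetical probe log format (constructed for this example, not the probe's real syntax):
#   "Jun 29 10:00:05 probe1 widsprobe: ROGUE_AP bssid=de:ad:be:ef:00:01 essid=linksys"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) widsprobe: "
                     r"(?P<event>[A-Z_]+)(?P<kv>.*)$")

def parse_line(line, year=2005):
    """Turn one syslog line into an event dict; syslog carries no year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year),
          "host": m["host"], "event": m["event"]}
    ev.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return ev

def agg_key(ev):
    # Recurring alerts are keyed on the probe, the event type and the MAC the alert is about
    return (ev["host"], ev["event"], ev.get("bssid") or ev.get("mac"))

class Aggregator:
    """Forward the first sighting of an alert; count repeats within the window."""
    def __init__(self, window_s=60):
        self.window = timedelta(seconds=window_s)
        self.open = {}   # key -> [first_ts, count, first_event]

    def feed(self, ev):
        out, key = [], agg_key(ev)
        entry = self.open.get(key)
        if entry and ev["ts"] - entry[0] <= self.window:
            entry[1] += 1                      # repeat inside the window: suppress it
            return out
        if entry:
            out.extend(self._summary(entry))   # window expired: report what was suppressed
        self.open[key] = [ev["ts"], 1, ev]
        out.append(ev)
        return out

    def flush(self):
        out = []
        for entry in self.open.values():
            out.extend(self._summary(entry))
        self.open.clear()
        return out

    @staticmethod
    def _summary(entry):
        first_ts, count, ev = entry
        if count < 2:
            return []
        return [{**ev, "event": ev["event"] + "_SUMMARY", "repeats": count - 1}]

class Correlator:
    """Deck example 'STA changing to AP': a MAC seen as a client later appears as a BSSID."""
    def __init__(self):
        self.known_stas = set()

    def feed(self, ev):
        if ev["event"] == "STA_SEEN" and "mac" in ev:
            self.known_stas.add(ev["mac"])
        if ev["event"] == "ROGUE_AP" and ev.get("bssid") in self.known_stas:
            return [{**ev, "event": "STA_TO_AP", "mac": ev["bssid"]}]
        return []

def process(lines, window_s=60):
    """Run syslog lines through aggregation then correlation; return the events to store."""
    agg, corr, stored = Aggregator(window_s), Correlator(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for forwarded in agg.feed(ev):
            stored.append(forwarded)
            stored.extend(corr.feed(forwarded))
    stored.extend(agg.flush())
    return stored

def sample_lines():
    """Constructed input: a client sighting, 20 repeats of one rogue AP alert, then that client as an AP."""
    lines = ["Jun 29 10:00:01 probe1 widsprobe: STA_SEEN mac=00:aa:bb:cc:dd:ee essid=corp"]
    for sec in range(5, 25):
        lines.append(f"Jun 29 10:00:{sec:02d} probe1 widsprobe: ROGUE_AP bssid=de:ad:be:ef:00:01 essid=linksys")
    lines.append("Jun 29 10:02:00 probe1 widsprobe: ROGUE_AP bssid=00:aa:bb:cc:dd:ee essid=freewifi")
    return lines

if __name__ == "__main__":
    for ev in process(sample_lines()):
        extra = {k: v for k, v in ev.items() if k not in ("ts", "host", "event")}
        print(ev["ts"].time(), ev["event"], extra)
```

The 22 constructed lines collapse to five stored events: the client sighting, the first rogue AP alert, the second rogue AP (a different BSSID, so a new key), the correlated STA_TO_AP event, and a summary recording that 19 repeats were suppressed. Keying on the MAC rather than on the whole line is what makes the reduction work when the probe reports the same rogue AP on every beacon.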


Detection and Mitigation


Case Study: Rogue Access Points

- You must address
  - Misconfigured legitimate access points
  - Illegitimately connected access points (by malicious people or not)

- Processing steps
  - Detection: detect rogue access points
  - Evaluation: determine if rogue access points are interconnected with internal networks and, if possible, their physical location
  - Mitigation: mitigate the risks of rogue access points interconnected with internal networks

- Of course, you must know all BSSIDs/ESSIDs of your legitimate access points…


Rogue Access Points: Detection

- Rogue access points not spoofing a legitimate BSSID
  - Detected thanks to a MAC address whitelist (BSSID mismatch)

- Rogue access points spoofing a legitimate BSSID
  - Detected thanks to a correlation of several MAC spoofing detection techniques
    - “Layer 2” sequence number variations (thanks to Joshua Wright)
    - “Layer 2” signal strength variations
    - “Layer 2” timestamp inconsistencies
    - “Layer 2” tagged parameters inconsistencies

- But these techniques cannot determine if rogue access points are interconnected to internal networks!
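Three of the four techniques listed above (sequence numbers, signal strength, timestamps) can be shown on a stream of per-frame observations for one BSSID, and the deck's point is that they are correlated: a single technique firing is not an alert. The Python below is an added example, not the probe's detection engine: each observation is a constructed tuple (capture time in seconds, 12-bit sequence number, TSF timestamp in microseconds, RSSI in dBm); a frame is compared against the last frame judged legitimate, and an alert is raised only when at least two techniques disagree with that baseline. All thresholds and the sample values are assumptions of the example.

```python
from collections import deque

# Hypothetical thresholds (assumptions for this example, not values from the deck)
SEQ_MAX_FORWARD_GAP = 64     # frames; 802.11 sequence numbers are 12-bit (mod 4096)
TSF_TOLERANCE_US = 50_000    # allowed drift between TSF delta and capture-time delta
RSSI_MAX_DEVIATION_DB = 10   # deviation from the recent legitimate signal level
MIN_TECHNIQUES = 2           # alert only when several techniques agree (correlation)

def check_frame(obs, baseline):
    """Return the techniques that find `obs` inconsistent with `baseline`.

    obs is (capture_time_s, seq_number, tsf_us, rssi_dbm); baseline is the same
    plus a deque of recent legitimate RSSI values as a fifth element.
    """
    t, seq, tsf, rssi = obs
    bt, bseq, btsf, _, rssi_hist = baseline
    reasons = []
    # Sequence numbers: a real AP's counter advances a little per frame;
    # a second radio using the same BSSID brings its own counter
    if (seq - bseq) % 4096 > SEQ_MAX_FORWARD_GAP:
        reasons.append("seq")
    # Timestamp (TSF): the AP's 64-bit microsecond clock never runs backwards
    # and should advance at the same rate as the probe's own capture clock
    expected = (t - bt) * 1_000_000
    if tsf < btsf or abs((tsf - btsf) - expected) > TSF_TOLERANCE_US:
        reasons.append("tsf")
    # Signal strength: a spoofer transmits from elsewhere, so its RSSI stands out
    avg = sum(rssi_hist) / len(rssi_hist)
    if abs(rssi - avg) > RSSI_MAX_DEVIATION_DB:
        reasons.append("rssi")
    return reasons

def detect_spoofing(observations):
    """Correlate per-frame checks over one BSSID's beacon stream; return alerts."""
    alerts, baseline = [], None
    for idx, obs in enumerate(observations):
        if baseline is None:
            baseline = (*obs, deque([obs[3]], maxlen=8))
            continue
        reasons = check_frame(obs, baseline)
        if len(reasons) >= MIN_TECHNIQUES:
            alerts.append({"index": idx, "reasons": reasons, "rssi": obs[3]})
            continue   # a suspected spoofed frame must not move the baseline
        hist = baseline[4]
        hist.append(obs[3])
        baseline = (*obs, hist)
    return alerts

def sample_observations():
    """Constructed beacon stream: legit AP every 100 ms, two interleaved frames from a second radio."""
    legit = [(i * 0.1, 100 + i, 1_000_000_000 + i * 100_000, -45 + (i % 2)) for i in range(8)]
    spoof1 = (0.35, 7, 20_000_000, -72)    # own counter, own (younger) TSF, weaker signal
    spoof2 = (0.65, 8, 20_000_100, -71)
    return legit[:4] + [spoof1] + legit[4:7] + [spoof2] + legit[7:]

if __name__ == "__main__":
    for alert in detect_spoofing(sample_observations()):
        print(alert)
```

On the sample stream the two interleaved frames (indices 4 and 8) are flagged by all three techniques, while the legitimate frames that follow them still match the baseline because the spoofed frames were not allowed to update it. A legitimate frame with a momentary signal fade trips only the RSSI check and therefore produces no alert, which is the false-positive reduction the deck attributes to correlation.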


Rogue Access Points: Evaluation

- Evaluation will help us to determine
  - If rogue access points are interconnected to internal networks
  - The exact location of rogue access points
  - The approximate physical location of rogue access points

- ‘Automatic’ association of a wireless probe to a rogue access point
  - Retrieve the ESSID thanks to syslog events
  - Associate, act as a DHCP client and send a packet to the internal network and/or to the Internet
  - If resultcode == success, this is a critical vulnerability!!!
  - Of course, this must be used with caution
    - Do not connect to (millions of) fake access points!
    - Deactivate bridging, put firewall rules on your wireless interface…


Rogue Access Points: Evaluation

- Search the switches’ MAC tables for
  - Source and destination MAC addresses of data frames
  - BSSID +1/–1 MAC addresses
  - Performed thanks to Netdisco, an open source network management tool

- Equipment geolocation thanks to signal strength analysis
  - Use the RSSI (Received Signal Strength Index)
  - Available in the PRISM monitoring header in monitor mode
  - Hard to design an efficient technique (calibration, propagation model, attenuation model, interferences…)
  - Determine whether an access point is within the corporate physical perimeter

- But these techniques cannot mitigate rogue access points!


Rogue Access Points: Mitigation

- Switch port shutdown based on evaluation results
  - As false alarms are always possible, switch port shutdown is up to the decision of the site administrator
  - Our tool only provides the information necessary to take an action
  - You must be sure! Deactivating legitimate access points is not an option!

- Radio containment capabilities could be developed (seeking some clues for wl driver injection!)
  - DEAUTH/DISASSOC frames may be sent to prevent clients from associating to rogue access points
  - You must be sure! DoSing neighbors is not an option!

- These techniques are effective, but must be activated with caution!


Example: Rogue AP Location

- Associate to the rogue access point (bridge or router mode) to determine if
  - An IP address is given thanks to DHCP
  - An internal IP address is reachable thanks to a PING request

- Determines whether the rogue access point is interconnected to internal networks or not

[Diagram: a probe associates to the rogue access point and tests whether the internal network is reachable]


Example: Rogue AP Location

- Search for the destination MAC address of a “TO_DS DATA frame” sent through a rogue access point (in bridge mode)
  - Thanks to the switches’ MAC tables

- Determines whether the rogue access point is interconnected to internal networks or not

[Diagram: the probe captures a TO_DS data frame through the rogue access point and looks up its destination in the switches’ MAC tables; “Internal MAC address? YES!!!”]


Example: Rogue AP Location

- Search for the wireless client’s MAC address through a rogue access point (in bridge mode)
  - Thanks to the switches’ MAC tables

- Determines the exact location of the rogue access point

[Diagram: the wireless client’s MAC address is searched in the switches’ MAC tables; result: “Switch XXX.XXX.XXX.XXX, Port Y.Z!!!”]


Example: Rogue AP Location

- Search for the BSSID +1/-1 MAC address (sometimes)
  - Thanks to the switches’ MAC tables

- Determines the exact location of the rogue access point

[Diagram: the BSSID +1/-1 MAC address is searched in the switches’ MAC tables; result: “Switch XXX.XXX.XXX.XXX, Port Y.Z!!!”]
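The three switch-table lookups of the preceding slides (destination of a TO_DS data frame, the wireless client's MAC, the BSSID +1/-1 addresses) share one mechanism: search the learned MAC addresses of every switch port. The Python below is an added example, not the deck's Netdisco integration: it works on a constructed forwarding-table dump of (switch, port, MAC) triples in the shape such a collector would provide, answers the interconnection question from slide 23, and locates the port from the client MAC and the BSSID neighbours as on slides 24 and 25. One heuristic is my own assumption rather than the deck's: when the same MAC is learned on several ports (an uplink sees it too), the port learning the fewest addresses is ranked first as the likely access port. All addresses, switch names and ports are hypothetical.

```python
from collections import defaultdict

# Constructed forwarding-table dump in the shape a Netdisco-style collector would give:
# (switch, port, learned MAC). Addresses are hypothetical, not from the deck.
SAMPLE_FDB = [
    ("10.0.0.1", "Gi1/0/24", "00:aa:bb:cc:dd:ee"),   # uplink towards switch 10.0.0.2
    ("10.0.0.1", "Gi1/0/24", "de:ad:be:ef:00:00"),
    ("10.0.0.1", "Gi1/0/24", "00:50:56:00:00:42"),
    ("10.0.0.1", "Gi1/0/3",  "00:50:56:00:00:10"),   # internal server on an access port
    ("10.0.0.2", "Gi1/0/7",  "00:aa:bb:cc:dd:ee"),   # wireless client, bridged by the rogue AP
    ("10.0.0.2", "Gi1/0/7",  "de:ad:be:ef:00:00"),   # the rogue AP's wired MAC (BSSID - 1)
    ("10.0.0.2", "Gi1/0/12", "00:50:56:00:00:42"),
]

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def int_to_mac(n):
    return ":".join(f"{(n >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))

def adjacent_macs(bssid):
    """BSSID +1 and -1 (wrapping within 48 bits): many APs number wired and radio MACs consecutively."""
    n = mac_to_int(bssid)
    return {int_to_mac((n + 1) & 0xFFFFFFFFFFFF), int_to_mac((n - 1) & 0xFFFFFFFFFFFF)}

def index_fdb(fdb):
    """Index the dump both ways: MAC -> ports it was learned on, port -> MACs it learned."""
    by_mac, per_port = defaultdict(set), defaultdict(set)
    for switch, port, mac in fdb:
        by_mac[mac.lower()].add((switch, port))
        per_port[(switch, port)].add(mac.lower())
    return by_mac, per_port

def evaluate_rogue(bssid, client_macs, to_ds_destinations, fdb):
    """Slides 23-25: interconnection test, then location by client MAC and by BSSID +/-1."""
    by_mac, per_port = index_fdb(fdb)
    # Slide 23: a TO_DS frame's destination learned on the wire => the AP bridges into the internal network
    wired_destinations = {m for m in to_ds_destinations if m.lower() in by_mac}
    # Slides 24 and 25: where do the client MACs and the BSSID +/-1 addresses show up?
    evidence = defaultdict(set)
    for mac in client_macs:
        for loc in by_mac.get(mac.lower(), ()):
            evidence[loc].add(f"client {mac.lower()}")
    for mac in adjacent_macs(bssid):
        for loc in by_mac.get(mac, ()):
            evidence[loc].add(f"bssid+/-1 {mac}")
    # Assumption of this example: an uplink learns many MACs, the AP's access port only a few,
    # so candidate ports are ranked by how few addresses they carry
    ranked = sorted(evidence, key=lambda loc: (len(per_port[loc]), loc))
    return {"interconnected": bool(wired_destinations),
            "wired_destinations": wired_destinations,
            "candidates": [(loc, sorted(evidence[loc])) for loc in ranked],
            "best_guess": ranked[0] if ranked else None}

if __name__ == "__main__":
    result = evaluate_rogue("de:ad:be:ef:00:01", ["00:aa:bb:cc:dd:ee"],
                            ["00:50:56:00:00:10"], SAMPLE_FDB)
    print("interconnected:", result["interconnected"], result["wired_destinations"])
    for loc, why in result["candidates"]:
        print(loc, why)
    print("best guess:", result["best_guess"])
```

With the constructed table the destination of the captured TO_DS frame is found on the wire, so the rogue AP is reported as interconnected; both the client MAC and BSSID-1 are learned on the uplink of 10.0.0.1 and on port Gi1/0/7 of 10.0.0.2, and the ranking picks the latter. As the deck says, this output is input to the site administrator's decision, not an automatic port shutdown.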


Feedback and Guidelines


Mitigating Rogue AP Guidelines

- Have a physical security policy, especially for RJ45 plugs in meeting rooms!

- Consider IEEE 802.1X network access control on your RJ45 ports

- Know the configuration of your wireless infrastructure (BSSIDs, ESSIDs, crypto protocols…)

- Harden laptops’ configuration (prevent them from associating to interfering or rogue access points, avoid double attachment and information leaking)

- Deploy a wireless IDS to achieve observation at the radio level


Wireless IDS Deployment Guidelines

- Cost-effective solution fitting your environment

- Must have minimal impact on your architecture

- Should have equipment tracking and location

- Tune your ruleset for performance and effectiveness

- Deploy enough wireless probes at the edge of your physical perimeter

- Evaluate packet losses on your wireless probes

- Do not trust anything! Audit your deployment! (Are attacks really detected?)


Feedback

- Developing a robust wireless IDS is not trivial
  - You must deal with loads of events (hundreds per second)

- Building an efficient GUI for sysadmins is not trivial
  - That’s the challenge!

- Difficulties in identifying all interfering access points
  - What about neighbors, hot spots, …
  - You must be sure!

- The false positive rate is a classic issue for IDS technologies
  - Minimize this rate thanks to enhanced correlation

- Performance issues
  - A lightweight wireless probe may have packet losses
  - The SQL table may become huge


Conclusions

- Wi-Fi technologies are changing corporate security policies
  - Misconfigurations and rogue access points are critical vulnerabilities
  - Even corporations without Wi-Fi enabled may be vulnerable

- Can you tell me about the status of your wireless networks?
  - A wireless IDS seems to become mandatory

- A wireless IDS should detect most wireless security issues
  - Helps to detect abnormal events that cannot be seen by classic tools
  - Helps to detect, evaluate and locate rogue access points
  - Helps to react to security incidents

- Must be combined with a Yagi antenna!
  - How could you locate the guy DoSing the FIRST wireless networks?!?
  - Or the guy with a fake FIRST access point who will exploit a remote root on your system?!?


Questions?

Thanks for your attention