Detecting Protected Layer-3 Rogue APs

Detecting Protected Layer-3 Rogue APs
Authors: Hongda Yin, Guanling Chen, and Jie Wang, Department of Computer Science, University of Massachusetts Lowell
Presenter: Bo Yan, Department of Computer Science, University of Massachusetts Lowell
Email: byan@cs.uml.edu

Outline
- Motivation
- Approach: network model, wired traffic monitoring, rogue AP verification
- Evaluation results
- Conclusion

Motivation
What is a rogue AP?
- An unauthorized AP plugged into a corporate network
- A security threat to the internal network
Why rogue APs matter
- Ranked the No. 2 critical wireless vulnerability (Network Computing, June 2006)
Detecting rogue APs
- Wireless sniffers scan the airwaves for packet analysis
- A detected AP not on the authorized list is a suspect
- A suspect may be a legitimate AP belonging to a neighboring area
- How can we automatically verify whether a suspect AP is on the enterprise wired network or not?

Layer-2 rogue APs
- Poll network switches over SNMP to determine the MAC addresses associated with each switch port
- If a wireless sniffer observes any of these MAC addresses, the associated AP is on the wired network
Layer-3 rogue APs
- A nearby sniffer associates with the suspect AP
- It pings a known host that is inaccessible from outside; a successful ping means the AP is on the wired network
- However, this fails for protected APs, which require a valid MAC address or another authentication method before association
Our goal
- Detect protected rogue APs at both layer 2 and layer 3, with the focus on layer 3

Network Model
- Verifier: monitors outbound traffic and sends test packets
- Instructs sniffers to switch to a particular channel during the verification process (sniffer channel switching)
- Figure labels: test packet size; wireless sources classification; wireless workstations
- Sniffers detect the presence of APs and update the verifier about the detected APs and their channels

Wired Traffic Monitoring
- Option 1: test every observed internal host. Every observed host on the internal network is potentially a wireless AP. Simple to implement but time consuming.
- Option 2: test only hosts classified as wireless sources. Any source whose ratio of inbound to outbound short packet intervals exceeds a threshold is classified as a potential wireless host (short packet intervals, following W. Wei et al. [6]). May give inaccurate results and a longer delay.
- Aim: obtain a high-accuracy classification and reduce test traffic

Rogue AP Verification
- The verifier sends test packets to wireless sources and checks whether some wireless sniffer can hear these packets
Packet size selection
- A rogue AP may encrypt traffic, so sniffers cannot rely on a special signature embedded in the application-layer data; detecting a test packet relayed by a rogue AP would then require decryption
- Instead, use the observed packet size to recognize test packets

- Network trace collected from a WLAN made available to attendees of a four-day academic conference (SIGCOMM 2004)
- Figure: size distribution of downstream data packets
- Choose sizes that are not frequently seen on the suspect APs
- Small sizes demand less bandwidth and are unlikely to be fragmented by APs, so they are not missed by sniffers

Binary hypothesis testing
- To avoid false positives caused by normal packets that happen to have the same size as the test packets, the verifier sends more than one test packet to improve the robustness of detection. But how many?
Sequential hypothesis testing (A. Wald [9], Sequential Analysis)
- Send packets with a rarely-seen size
- Trade-off between the desired detection accuracy and the longer delay
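The "how many test packets?" question above is what Wald's sequential probability ratio test answers. The following is an added example, not code from the paper: it models each test round as a binary observation (the sniffer on the suspect's channel did or did not hear a frame of the test size) and stops as soon as the evidence crosses either threshold. The rates p0 (chance appearance of the test size) and p1 (probability a relayed test packet is heard) are assumed inputs.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not the paper's code): Wald's SPRT applied to the verifier's decision.
# Each test round the verifier sends one packet of a rarely-seen size toward the suspect
# host, and the sniffer tuned to that host's channel reports 1 if a frame of that size
# was heard during the round, 0 otherwise.
#   H0: the host is not a rogue AP; a frame of the test size appears by chance with p0.
#   H1: the host is a rogue AP relaying the test packet; the sniffer hears it with p1.
# p0 and p1 are assumed inputs, e.g. p0 from the packet-size distribution of a trace.


@dataclass
class SprtVerifier:
    p0: float             # chance rate of a normal frame with the test size (H0)
    p1: float             # probability a relayed test packet is heard (H1)
    alpha: float = 0.01   # tolerated false-positive rate (benign host called rogue)
    beta: float = 0.01    # tolerated false-negative rate (rogue host called benign)

    def __post_init__(self) -> None:
        assert 0 < self.p0 < self.p1 < 1, "test size must be rare under H0, likely under H1"
        # Wald's approximate decision thresholds on the log-likelihood ratio
        self.upper = math.log((1 - self.beta) / self.alpha)  # cross => accept H1
        self.lower = math.log(self.beta / (1 - self.alpha))  # cross => accept H0

    def run(self, observations: List[int]) -> Tuple[Optional[str], int]:
        """Feed per-round observations until a threshold is crossed.

        Returns (decision, rounds_used); decision is None when the observations
        ran out before either threshold was reached (keep sending test packets)."""
        llr = 0.0
        for rounds, heard in enumerate(observations, start=1):
            if heard:
                llr += math.log(self.p1 / self.p0)
            else:
                llr += math.log((1 - self.p1) / (1 - self.p0))
            if llr >= self.upper:
                return "rogue", rounds
            if llr <= self.lower:
                return "benign", rounds
        return None, len(observations)

    def hits_needed(self) -> int:
        """Consecutive hits required to declare a rogue, i.e. the best-case delay."""
        return math.ceil(self.upper / math.log(self.p1 / self.p0))


if __name__ == "__main__":
    v = SprtVerifier(p0=0.02, p1=0.9)
    print(v.hits_needed(), v.run([1, 1]), v.run([0, 0, 0]))
```

Lowering alpha and beta pushes the thresholds apart and so raises the number of rounds, which is the accuracy-versus-delay trade-off the slide names.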

Sniffer channel scheduling
- A sniffer can hear multiple targets if they are in its range, but it listens to only one channel in each test round
- It switches channels to monitor other targets in range during the next test round
- Goal: minimize the number of test rounds so that all targets are covered by at least one sniffer
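The slide states the scheduling goal but not an algorithm. As an added example (not the paper's code), the greedy heuristic below builds one plan per test round: each sniffer tunes to the channel carrying the most still-uncovered targets in its range, and a target no sniffer can hear is reported rather than scheduled. The topology and all names in it are constructed.

```python
from typing import Dict, List, Set, Tuple

# Added example (not the paper's code): greedy round-by-round channel scheduling for the
# sniffers. Each suspect AP (target) sits on one channel; each sniffer hears a set of
# targets in its radio range but can tune to only one channel per test round. The greedy
# rule, a common heuristic for this kind of covering problem (the slide states the goal,
# not the algorithm): every round, each sniffer tunes to the channel carrying the most
# still-uncovered targets in its range, skipping targets another sniffer already took
# this round. All names and the sample topology below are constructed for illustration.


def schedule_rounds(
    target_channel: Dict[str, int],
    sniffer_range: Dict[str, Set[str]],
) -> Tuple[List[Dict[str, int]], Set[str]]:
    """Return (rounds, unreachable): rounds is a list of {sniffer: channel} plans,
    one per test round; unreachable holds targets no sniffer can hear at all."""
    reachable = set().union(*sniffer_range.values())
    unreachable = set(target_channel) - reachable
    uncovered = set(target_channel) - unreachable
    rounds: List[Dict[str, int]] = []
    while uncovered:
        plan: Dict[str, int] = {}
        taken: Set[str] = set()
        for sniffer, in_range in sniffer_range.items():
            candidates = (in_range & uncovered) - taken
            if not candidates:
                continue  # nothing new for this sniffer this round
            per_channel: Dict[int, Set[str]] = {}
            for t in candidates:
                per_channel.setdefault(target_channel[t], set()).add(t)
            # most uncovered targets wins; ties go to the lower channel number
            best_ch, best_targets = max(per_channel.items(),
                                        key=lambda kv: (len(kv[1]), -kv[0]))
            plan[sniffer] = best_ch
            taken |= best_targets
        uncovered -= taken
        rounds.append(plan)
    return rounds, unreachable


# Constructed topology: 2.4 GHz channels 1/6/11, two sniffers, one AP out of everyone's range
TARGETS = {"ap-A": 1, "ap-B": 1, "ap-C": 6, "ap-D": 11, "ap-E": 6, "ap-F": 11}
SNIFFERS = {"sniffer-1": {"ap-A", "ap-B", "ap-C"}, "sniffer-2": {"ap-C", "ap-D", "ap-E"}}

if __name__ == "__main__":
    print(schedule_rounds(TARGETS, SNIFFERS))
```

For the constructed topology this yields two rounds, which matches the slide's later observation that a higher sniffer/AP ratio and a larger sniffing radius both shorten the tuning time.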

Evaluation Results
Wired traffic monitoring
- Two 10-day data sets collected from the Dartmouth campus WLAN: long traces, wireless hosts only
- Some hosts remained untested in the queue: they appeared early in the trace, expired in the queue before they could be verified, and were never seen again
- Figure: length of the verification queue

- In more than 98% of the cases a host could be verified within 5 minutes of its first appearance in the traces
- In more than 95% and 99% of the cases a host could be verified within 50 seconds of its last update in the traces
- Figure: verification delay since first request

- A one-day data set collected from an enterprise network: short trace, wireless and wired hosts; only one hour of data is available from a particular subnet
- Large jump at the 6th hour on the odd ports: the monitor started on an active subnet and 539 hosts were observed during that hour. The queue length would be reduced with longer traces
- Figure: length of the verification queue

- In more than 77% of the cases a host could be verified within 20 minutes of its first appearance in the traces
- In more than 49% of the cases a host could be verified within 100 seconds of its last update in the traces
- Figure: verification delay since first request

- Imitated a rogue AP using a Web proxy, with tcpdump running as a sniffer to collect the traffic; all Web transactions are recorded in the tcpdump trace
- The classifier achieved 100% accuracy
- The verifier can reduce its workload by testing only likely wireless sources
- In about 93% of the cases the classifier could conclude in less than 100 seconds
- Figure: distribution of classification time

Sniffer channel scheduling
- As the sniffer/AP ratio increases, the tuning time decreases: the work of covering the APs is shared by more sniffers
- With a larger sniffing radius, a sniffer can cover more APs on the same channels, so the tuning time also decreases
- Figure: number of scheduled rounds for sniffers

- The number of required sniffers decreases as the sniffer/AP density increases
- If the APs run over a larger channel range, more sniffers are needed to cover them
- Figure: number of sniffers to be instrumented

Network Model (revisited)
- Verifier: monitors outbound traffic and sends test packets
- Instructs sniffers to switch to a particular channel during the verification process (sniffer channel switching)
- Figure labels: observed packet size; wireless sources classification; wireless workstations
- Sniffers detect the presence of APs and update the verifier about the detected APs and their channels

Related Work
- Associate-and-ping approach: false positives from classifying neighboring APs as rogues on the internal network; fails for protected APs
- Collecting information from network devices for classification: needs user feedback and must trust the user-input data to be free of threats
- DIAR uses heuristics to reduce false positives: a wired component compares the packets seen on the wired and wireless networks. However, no details are given on the comparison heuristics, and it requires running a wired monitor in each subnet
- Using different inter-packet temporal distributions for detection: does not consider natural variations in traffic patterns

Conclusion
- A new method to reliably detect protected layer-3 rogue APs
- Easily combined with other rogue AP detection methods
- Quick detection with high accuracy and high robustness

Q & A
Welcome to our group website: http://www.cs.uml.edu/~glchen/map