Wireless Intrusion Detection System

In this section, we're going to look at various ways in which a Linux box can be turned into a wireless intrusion detection system (WIDS).

As with the wired world, intrusion detection is very much part of the whole arsenal of defense that needs to be deployed for the purposes of detecting and reacting to real-time threats to your network. However, this requirement is even more critical in the wireless world, since threats come not only from conventional vectors (i.e., those detected by a normal wired IDS) but also from the wireless arena itself. Examples of such threats range from DoS attacks using deauthentication packet floods to keep legitimate users out of the wireless network, to credential theft using fake APs and captive portals.

The very nature of wireless, its radio frequency propagation, requires transmission through a shared medium (i.e., the air), and it is not something that can be easily contained or segmented using physical media (e.g., wires) or boundaries (e.g., walls) so as to prevent the bad guys from entering while allowing access to legitimate users. The wireless standards of today also do not help in the sense that, even for networks encrypted with the strongest algorithms possible, management and control frames are still sent in the clear.

A couple of familiar names come up when we talk about IDSes, one of them being Snort. Snort, in the wired world, is a very popular IDS, used and supported by many people and organizations worldwide. Snort-Wireless is a project that attempts to make a scalable (and free!) 802.11-based intrusion detection system that is easily integrated into an IDS infrastructure. It is completely backward-compatible with Snort 2.0.x and adds several additional features. Currently it allows for 802.11-specific detection rules through the new WiFi rule protocol, as well as rogue AP, ad hoc network, and Netstumbler detection.

To set up a WIDS, you would install a wireless card in a Linux machine and place it in RFMON (monitor) mode. All wireless frames sniffed by the wireless NIC are then passed to the Snort-Wireless engine, which is installed on the same machine. As with any typical IDS, false alarms are to be expected during the initial runs of the device. There is an additional difficulty in detecting wireless attacks: the wireless medium comprises a pool of 14 channels (on the 802.11b standard), and having an IDS engine read and understand attacks that may span several radio channels is not exactly an easy task.

Another popular tool that is deployed as a simple form of WIDS is the Kismet tool (http://www.kismetwireless.net). Although the tool is written primarily as a wireless sniffer, it has built-in capabilities to detect the following attack types:

• NETSTUMBLER: NetStumbler program sending out multiple probe requests

• DEAUTHFLOOD: Deauthentication flood

• LUCENTTEST: Lucent link test program in use

• WELLENREITER: A popular wireless tool

• CHANCHANGE: Channel changes that could indicate a rogue AP

• BCASTDISCON: Disassociation attacks

• AIRJACKSSID: AP with SSID of airjack (airjack is an attack tool)

• PROBENOJOIN: Device that probes for open networks but never joins

• DISASSOCTRAFFIC: Disassociation attack

• NOPROBERESP: Possible DoS attack

• BSSTIMESTAMP: Possible spoofed BSSID

From this list, you can see that Kismet can detect many of the top attack categories used against a wireless network. Kismet can also be used as a distributed WIDS platform. By setting up the Kismet drone component and pointing it to a central server running the Kismet server component (which is itself a client-server application), you can easily set up an enterprise-wide WIDS with multiple monitoring and central reporting capabilities all in one solution. The drones require very limited system resources and can even be installed on a Linksys WRT54g, which has been flashed to run Linux.

Another freely available WIDS tool is WIDZ (http://www.loud-fat-bloke.co.uk/tools.html). The version of WIDZ at the time of writing is 1.5 and supports the following:

• Rogue AP detection

• AirJack attack detection

• Probe requests detection

• Bad MAC placement on a MAC block list

• Bad ESSID placement on an ESSID block list

• Association frame flooding

WIDZ can be configured to detect APs that are not legitimate simply by adding your legitimate APs into widz-ap.config, as well as monitoring the network for possible hostile traffic.
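The monitoring loop described above (frames sniffed on an RFMON interface and handed to a detection engine) and the allowlist approach WIDZ takes with widz-ap.config can be illustrated together. The following Python is an added example written for this page, not code from Snort-Wireless, Kismet or WIDZ; it implements two of the checks those tools perform (a deauthentication/disassociation flood, including the broadcast variant, and beacons from an AP that is not on the allowlist) over constructed sample frames. The names WidsMonitor, parse_mgmt_frame and _mgmt_frame, the MAC addresses, the SSID and the thresholds are all assumptions made for the example. A real deployment would feed it frames captured from a monitor-mode interface (for instance via libpcap) and tune the threshold against the baseline false-alarm rate mentioned above.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes):
    """Decode the 24-byte 802.11 MAC header of a management frame.
    Returns None for anything that is not a management frame."""
    if len(frame) < 24:
        return None
    fc = frame[0]                      # first byte of frame control
    if (fc >> 2) & 0x3 != 0:           # type bits: 0 = management
        return None
    return {
        "subtype": (fc >> 4) & 0xF,
        "da": _mac(frame[4:10]),       # address 1 = destination
        "sa": _mac(frame[10:16]),      # address 2 = source
        "bssid": _mac(frame[16:22]),   # address 3 = BSSID
        "body": frame[24:],
    }


def beacon_ssid(body: bytes):
    """Extract the SSID information element (element ID 0) from a beacon body.
    The body starts with 12 bytes of fixed fields: timestamp, interval, capabilities."""
    ies = body[12:]
    while len(ies) >= 2:
        eid, length = ies[0], ies[1]
        if eid == 0:
            return ies[2:2 + length].decode("utf-8", "replace")
        ies = ies[2 + length:]
    return None


class WidsMonitor:
    """Stateful monitor fed one sniffed frame at a time (hypothetical name)."""

    def __init__(self, allowed_aps, flood_threshold=10, window_secs=5.0):
        self.allowed = allowed_aps             # {bssid: ssid}, the role widz-ap.config plays
        self.threshold = flood_threshold
        self.window = window_secs
        self.disconnects = defaultdict(deque)  # bssid -> timestamps of deauth/disassoc
        self.seen_rogues = set()               # alert once per unknown BSSID

    def process(self, frame: bytes, ts: float):
        """Return a list of (alert_name, detail) tuples raised by this frame."""
        alerts = []
        hdr = parse_mgmt_frame(frame)
        if hdr is None:
            return alerts
        if hdr["subtype"] == SUBTYPE_BEACON:
            ssid = beacon_ssid(hdr["body"])
            expected = self.allowed.get(hdr["bssid"])
            if expected is None and hdr["bssid"] not in self.seen_rogues:
                self.seen_rogues.add(hdr["bssid"])
                # unknown BSSID reusing one of our SSIDs is the fake-AP case
                kind = "EVIL_TWIN" if ssid in self.allowed.values() else "ROGUE_AP"
                alerts.append((kind, f"{hdr['bssid']} advertising {ssid!r}"))
            elif expected is not None and ssid != expected:
                alerts.append(("ESSID_MISMATCH", f"{hdr['bssid']} advertising {ssid!r}, expected {expected!r}"))
        elif hdr["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            name = "DEAUTH" if hdr["subtype"] == SUBTYPE_DEAUTH else "DISASSOC"
            if hdr["da"] == BROADCAST:         # one frame kicks every client off the BSS
                alerts.append(("BCASTDISCON", f"broadcast {name} from {hdr['sa']}"))
            q = self.disconnects[hdr["bssid"]]
            q.append(ts)
            while q and ts - q[0] > self.window:   # slide the window
                q.popleft()
            if len(q) == self.threshold:           # fire once when the threshold is crossed
                alerts.append(("DEAUTHFLOOD", f"{len(q)} disconnect frames for {hdr['bssid']} in {self.window}s"))
        return alerts


def _mgmt_frame(subtype, da, sa, bssid, body=b""):
    """Build a constructed sample management frame (test data only, nothing is transmitted)."""
    fc = bytes([subtype << 4, 0])          # type 0 (management), no flags
    to_raw = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return fc + b"\x00\x00" + to_raw(da) + to_raw(sa) + to_raw(bssid) + b"\x00\x00" + body


def _beacon_body(ssid: str) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capabilities
    return fixed + bytes([0, len(ssid)]) + ssid.encode()


def demo():
    """Run the monitor over a constructed capture; returns the alerts raised."""
    legit_ap, fake_ap, client = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01"
    mon = WidsMonitor({legit_ap: "corp-wifi"}, flood_threshold=5, window_secs=2.0)
    frames = [
        (0.0, _mgmt_frame(SUBTYPE_BEACON, BROADCAST, legit_ap, legit_ap, _beacon_body("corp-wifi"))),
        (0.1, _mgmt_frame(SUBTYPE_BEACON, BROADCAST, fake_ap, fake_ap, _beacon_body("corp-wifi"))),
        (0.2, _mgmt_frame(SUBTYPE_BEACON, BROADCAST, fake_ap, fake_ap, _beacon_body("corp-wifi"))),
        (1.0, _mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, legit_ap, legit_ap, b"\x02\x00")),
    ]
    for i in range(5):   # burst of unicast deauths inside the 2 s window
        frames.append((1.1 + 0.1 * i, _mgmt_frame(SUBTYPE_DEAUTH, client, legit_ap, legit_ap, b"\x07\x00")))
    alerts = []
    for ts, frame in frames:
        alerts.extend(mon.process(frame, ts))
    return alerts


if __name__ == "__main__":
    for name, detail in demo():
        print(f"{name}: {detail}")
```

The second beacon from the fake AP produces no second alert because the BSSID is already recorded, which keeps a noisy rogue from flooding the console; the flood counter fires exactly once when the fifth disconnect frame lands inside the window, and the broadcast deauthentication is flagged on its own regardless of rate. Per-BSSID state is what lets the same engine watch several APs on different channels once the capture side hops between them.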
