
Backdoor Intrusion in Wireless Networks- problems and solutions

Neel Diksha, Agarwal Shubham


Indian Institute of Information Technology-Allahabad, Deoghat- Jhalwa, Allahabad- 211011, U.P, India
dpneel_wc04@wcc.iiita.ac.in, ssagrwal_02@iiita.ac.in

Abstract- Wireless networks and the ubiquitous availability of the global Internet have already dramatically changed the way we communicate, conduct business, and organize our society. With current research and developments in sensor networks and pervasive computing, we are even creating a new networked world. However, the benefits associated with information and communication technology imply new vulnerabilities. In wired networks we have to take care of front door security, but the same solutions do not apply to wireless networks, which have weak security solutions. Wireless networks are inherently insecure. In this paper we address the threats in wireless networks in detail and we propose novel solutions which will not only detect an attack on the network but will also take counter measures to preserve the integrity of wireless networks.

1. INTRODUCTION

For any enterprise, the network security of its intellectual property is very important- be it source code, a business plan or any important document, if it goes into the "wrong" hands it can cause big damage. With the introduction of wireless networks the threat is greater than it was before due to weak security algorithms, and even where strong security solutions are introduced, not all wireless networks update themselves until after a long period of time. But this should not discourage any enterprise from using wireless networks. If problems exist, so do the solutions- we address the same issue here.

The Misconception: "No Wi-Fi" Policy Keeps My Network Safe-
One of the biggest misconceptions is that an enterprise with a "no Wi-Fi" policy is immune to wireless threats. This perception is due to the fact that many IT administrators presume that without Wi-Fi infrastructure, they are safe from wireless threats. Unfortunately, even with a "no Wi-Fi" policy, Wi-Fi is very likely entering your enterprise through embedded clients in laptops or rogue access points. Over 45% of laptops shipped in 2004 include embedded Wi-Fi, thus an enterprise is likely to have wireless within its premises. Access points are now commonly available in retail stores and on the Internet for less than $30. A recent survey showed that over 20% of enterprise CIOs had found unsecured access points on their networks. Once behind the firewall, these devices are presumed 'safe' and, if unsecured, provide anyone in range with access to your network, potentially exposing confidential data about your business, customers, products and services. And the benefits of using Wi-Fi for productivity gains are too many to sacrifice due to security concerns. Wi-Fi can be deployed securely, and the enterprise can proactively scan for and prevent wireless threats without significant burden on the IT department.

A typical wired enterprise network
Any typical wired enterprise looks like the figure below:

Figure 1-A Wired Enterprise Network

One basic assumption is that enterprise premises by themselves are secure and we have to shield our data from the outside world, and that a firewall is the typical solution in such networks. The corporate firewall secures your data from outside hackers, and the different policies of the firewall decide who can connect to your enterprise and exchange data. Firewalls usually perform two tasks- the first task is to restrict access of outsiders to the enterprise network, and the second task is to monitor outgoing traffic and deny any service which is not considered secure as per the policy of the enterprise network. The problem is only to secure the front door. There is no back door entry possible.

The problem of backdoor Intrusion
Consider a situation where your corporate network is wired and a LAN terminal wire is hanging out of a window. Anyone who wishes to connect to the network just connects his device to the LAN and accesses the network. The situation is too insecure and no enterprise can afford it. This will expose their confidential data to anyone.
The problem described above is the same as the problem in a wireless network, where the signals go
outside the enterprise walls, and the above analogy shows how big the problem of wireless security is nowadays. These problems should, of course, not stop enterprises from using wireless networks. Today wireless networks are common in enterprises, and this new inclusion brings new threats of intrusion. The problem of backdoor attack is at its peak and enterprise data is at stake- any hacker can take data in this unsecured environment. In today's industry either most people don't understand the importance of the threat caused by network attacks in wireless networks, or the network is itself unsecured and there is no foolproof solution for securing a network from these kinds of attacks.

Figure 2: An Unsecured Wireless Network

The security solutions of wired networks do not work for wireless networks. The range of wireless signals goes outside the walls and the corporate firewall can only guard the front door. The enterprise walls no longer remain safe, and the assumption that the enterprise is by itself safe no longer remains valid. There is no one at the back door, and the back door needs to be secured; otherwise any intruder can attack the network and steal important data from the enterprise, hence breaching intellectual property rights.

2. WIRELESS THREAT CATEGORIES WHICH WILL BREACH INTELLECTUAL PROPERTY

Wireless threats fall into two general categories, common and malicious, with several types of threats within each group.

Common Wireless Threats

Rogue Access Points
The most common as well as most dangerous wireless threat is the rogue access point. The rogue access point is typically low cost, brought in by an employee who desires wireless access. The default access point settings typically have no security enabled, and thus when plugged into the corporate network they create an entryway for anyone with a Wi-Fi client within range. The rogue access point can also be a client computer which is set up as an access point in software, and there is a need to remove such software rogue APs too.

Mis-configured Access Points
For enterprises with a wireless LAN infrastructure, one potential threat can arise from their equipment itself. An access point which becomes mis-configured can potentially open up a door to the corporate network, particularly if the access point is reset to network defaults or the security settings are turned off. If the access point is not centrally managed, then the likelihood of it going unnoticed is high. Employees will still be able to connect and no problem will be reported.

Client Mis-associations
Embedded Wi-Fi clients in laptops are now relatively common. Even for those enterprises with a "no Wi-Fi" policy, a Windows XP laptop with a wireless client will automatically try to connect to a network to which it had successfully connected before. This scenario is very common. Neighboring Wi-Fi networks can spill into the enterprise, and curious users connect to these open, insecure, and untrusted networks while still being connected on the wired side of the trusted network. Users may also connect to these networks if their internal network firewall does not permit POP email accounts, does not permit access to certain web sites, or they do not want their outbound traffic monitored. These users of enterprise networks can in turn allow another person to read important data of the enterprise.

Ad Hoc Connections
Wireless clients can also create peer-to-peer connections. A peer-to-peer connection can be exploited by a malicious hacker who may then try to inflict a variety of attacks on the client, such as port scanning to explore and exploit client vulnerabilities.

Malicious Wireless Threats

Evil Twin/Honey pot Access Points
Malicious hackers are known to set up honey pot APs with default SSIDs (Service Set Identifier, Network Name), hotspot SSIDs, and even corporate SSIDs outside buildings and watch a large number of clients automatically connect to the AP. These APs can then inflict a variety of attacks on the client or attempt password stealing by presenting a login page to the client over the mis-associated wireless connection.

Rogue Clients
Rogue clients are those that are unauthorized to attach to an authorized corporate wireless network. This may occur through an authorized access point that has been mis-configured with encryption turned off, or through an access point that has had its encryption/authentication compromised, where the rogue client uses the recovered key to connect to a properly configured authorized access point.
Denial of Service Attacks
A threat to enterprises and to service providers delivering hot spot services, denial of service attacks can wreak havoc on a large number of users simultaneously. There are various forms of wireless denial of service attacks, but they typically involve flooding a channel or channels with de-authentication or similar packets that terminate all current and attempted client associations to access points.

Detection or Prevention?
Earlier generations of wireless security systems focused on detection. Wireless Intrusion Detection Systems (WIDS) typically rely on signature analysis to provide an alert that a threat is occurring. The WIDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the WIDS looks for a specific attack that has already been documented. As with wire-line detection systems, the solution is only as good as the database of threats. Some systems combine this with anomaly-based detection methods. Anomaly-based systems identify traffic or application content presumed to be different from 'normal' activity on the network or host. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies. Wireless Intrusion Detection Systems were appropriate with small numbers of access points and Wi-Fi clients. However, with the exponential growth of Wi-Fi clients and access points within the enterprise, and those within range from neighbors outside the premises, WIDS creates an enormous burden for IT and security administrators because they generate a huge number of alerts, many or most of which turn out to be false alarms. As a result, just as the market turned away from IDS to IPS for wire line security, there has been a rapid shift away from WIDS to a new generation of wireless intrusion prevention systems. WIDS systems are subject to significant numbers of false positives and false negatives. Because they do not use deterministic techniques, they typically cannot determine whether encrypted APs or NATing APs are on the enterprise network. More importantly, with the widespread use of Wi-Fi in many enterprises, being unable to reliably classify external APs creates huge administrative challenges for IT managers who must deal with alerts from remote sites. In addition, day zero attacks may go undetected until a new patch or fix is applied. Day zero attacks refer to attacks that exploit vulnerabilities whose detection logic is not supported in the intrusion detection system. Day zero attacks are a huge problem for signature based detection systems, since it is not possible to keep signatures up-to-date with the latest and most sophisticated attacks.

3. ATTRIBUTES NEEDED IN TODAY'S WORLD FOR SECURING A WIRELESS NETWORK

Wireless intrusion prevention systems stop attacks before they penetrate and harm the enterprise. WIPS solutions detect each category of attack using deterministic techniques involving a combination of device and event auto-classification, protocol analysis and association analysis. Signatures are only used to provide additional details and are not necessary for detection. Key attributes of a wireless intrusion prevention system are:-
1. Monitoring/Detection: All channels in the 2.4 GHz (802.11b, 802.11b/g) and 5 GHz (802.11a) bands should be scanned. It needs to analyze, aggregate, and correlate information reported by different sensors.
2. Auto-Classification: With increasing penetration of WLANs, there is a need to accurately and automatically sort harmful activity from the harmless activity in the shared wireless medium. As an example, in organizations with official WLAN infrastructure, the intrusion prevention system must be able to differentiate between authorized, rogue, and external wireless activities. This type of classification minimizes annoying false alarms and volumes of irrelevant alerts from the security standpoint, both of which make the security system unusable. Figure 3 shows the need for classification between Rogue AP (red), External AP (blue) and Authenticated AP (green) by a Sensor (white).

Figure 3 : Need for classification

3. Prevention: The WIPS must automatically and instantaneously block harmful wireless activity detected by its wireless sensors. For example, it must block any client from connecting to a Rogue AP or a MAC spoofing AP, prohibit formation of ad-hoc networks, and mitigate any type of DOS attack. Furthermore, it must block multiple simultaneous wireless threats while continuing to scan for new threats.
Prevention of Wi-Fi threats must be carried out with surgical precision to avoid disturbing legitimate WLAN activities. A well implemented WIPS Firewall should not stop traffic on the authorized wireless network or on a neighboring Wi-Fi network.
4. Visualization: The spatial layout as well as the materials within the enterprise (walls, columns, windows, furniture, etc.) interact with the radio coverage of the security sensor in a complex way, creating a significant gap between rule-of-thumb placement and reality. A systematic, scientific, and scalable RF planning process is therefore required for determining the right placement of access points and wireless sensors. This must be site-specific and must not require time consuming manual surveys. Live RF maps should provide real time information on the coverage of both authorized Wi-Fi access points and security sensors.
5. Location: Physical remediation is the final step in permanently preventing the Wi-Fi threat and requires knowledge of the physical location of these devices. The WIPS Firewall must provide the location co-ordinates of such a device inside and around the perimeter of the enterprise premises without the need for any specialized client side software or hardware.

Security Solutions in wireless Networks
To get a secure wireless network and prevent an enterprise client from connecting to an external AP, as well as prevent an external client from connecting to a rogue AP in the enterprise network, either of which can cause loss of enterprise confidential data, we propose a denial of service attack, a de-authentication attack, to be launched by the intrusion detection system in a constructive manner. The requirement is that the intrusion detection system will first have to detect that an external client is connected to a rogue AP, or give the information that an enterprise client is connected to an external AP, whatever the situation is, and after detecting the unwanted connection it should launch a de-authentication attack against the unauthorized connection and disrupt the connection as soon as possible. As authentication and de-authentication are implemented in hardware, the external AP cannot refuse the de-authentication attack, and hence the enterprise can be secured by constructive implementation of this de-authentication attack. The first problem here is to detect rogue APs as well as external APs, a problem known as auto classification.

How to Auto-classify
The problem of auto classification is the problem of differentiating between Rogue AP, External AP and Authorized AP as shown in figure 3. We here propose a method which can be implemented to differentiate between the three and which will reduce the rate of false positive alarms as well as false negative alarms.

Differentiating between External AP & Internal AP
The solution which can be thought of is quite a simple one. The two kinds of AP, external APs and internal APs, must carry different kinds of traffic, and just by reading packets from both areas and applying simple pattern matching one can find which AP is external and which is internal. After detecting an external AP, if we find any connection which is not desired, a de-authentication attack can be launched as described above.

Preventing
Here we propose a solution to one problem, that of preventing an external client from connecting to an AP using MAC spoofing, or an external AP acting as a honey pot to get access to a client on the enterprise network, by using a database of authenticated users.

MAC address of authenticated User
The MAC addresses of authenticated users can be used to prevent address spoofing. The enterprise can maintain a database which has the MAC address of each and every client, as well as the MAC addresses of all the APs present in the enterprise, including any rogue APs that have been found. If the intrusion detection system, which is typically a sensor, finds more than one instance of a MAC address in the same enterprise network, it can be sure that the MAC address has been spoofed and can block access to that MAC address temporarily.

4. CONCLUSION

Today, the enterprise air space has become an asset. To protect this asset, wireless intrusion prevention systems are needed to provide 24 x 7 security against unintended and malicious Wi-Fi threats. As recent news events have shown, a lack of robust protection can lead to serious consequences including loss of confidential data, customer trust and brand value. Wireless Intrusion Prevention Systems complement today's wired security solutions and keep the enterprise network safe, whether or not a Wi-Fi network is currently in place.
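As an added example (not code from the paper), the two sensor-side checks proposed above, classifying each observed AP as authorized, rogue or external, and flagging a client MAC that turns up in more than one place at once, modelled in Python over constructed sensor reports. The Observation record, the on_wire flag standing in for the paper's "simple pattern matching" of wired-side packets, and the time window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One sensor report (constructed format): a client frame seen over the
    air, plus whether the sensor's wired tap also saw that client on the LAN."""
    t: int          # timestamp in seconds
    sensor: str     # reporting sensor
    bssid: str      # AP the client is associated with
    client: str     # client MAC
    on_wire: bool   # client's frames also observed on the wired segment

def classify_aps(obs, authorized_bssids):
    """authorized: in the enterprise AP database.  rogue: not authorized, yet
    its clients' traffic reaches the wired LAN, so it is plugged into the
    enterprise network.  external: not authorized, nothing seen on the wire."""
    reaches_wire = defaultdict(bool)
    for o in obs:
        reaches_wire[o.bssid] = reaches_wire[o.bssid] or o.on_wire
    result = {}
    for bssid, wired in reaches_wire.items():
        if bssid in authorized_bssids:
            result[bssid] = "authorized"
        else:
            result[bssid] = "rogue" if wired else "external"
    return result

def duplicate_macs(obs, window=5):
    """Client MACs seen associated with two different APs within `window`
    seconds: one physical client cannot do that, so one copy is spoofed."""
    hits = defaultdict(list)   # client -> [(t, bssid), ...]
    for o in obs:
        hits[o.client].append((o.t, o.bssid))
    flagged = set()
    for mac, seen in hits.items():
        seen.sort()
        for i in range(len(seen)):
            for j in range(i + 1, len(seen)):
                if seen[j][0] - seen[i][0] > window:
                    break          # sorted, so later entries are further away
                if seen[j][1] != seen[i][1]:
                    flagged.add(mac)
    return flagged

# Constructed sample data: one authorized AP, one rogue AP on the wire,
# one neighbour's AP, and client 01's MAC reappearing on the neighbour's AP.
AUTHORIZED_APS = {"00:11:22:aa:aa:01"}
SAMPLE = [
    Observation(100, "s1", "00:11:22:aa:aa:01", "aa:bb:cc:00:00:01", True),
    Observation(101, "s1", "de:ad:be:ef:00:02", "aa:bb:cc:00:00:02", True),
    Observation(102, "s2", "ca:fe:00:00:00:03", "aa:bb:cc:00:00:03", False),
    Observation(103, "s2", "ca:fe:00:00:00:03", "aa:bb:cc:00:00:01", False),
]
```

Running classify_aps(SAMPLE, AUTHORIZED_APS) labels the three APs authorized, rogue and external respectively, and duplicate_macs(SAMPLE) returns the one client MAC seen on two APs three seconds apart.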