Information Security The Complete Reference by Mark Rhodes-Ousley

Author:Mark Rhodes-Ousley
Language: eng
Format: epub, pdf
Tags: -
Publisher: McGraw-Hill Education
Published: 2013-03-26T04:00:00+00:00


Wireless Intrusion Detection and Prevention

The preceding points notwithstanding, intrusion detection on wireless networks should always cover the data-link layer. The principles of intrusion detection are outlined in Chapter 18. Here, we briefly cover wireless-specific IDS issues. Many applications claim to be wireless IDS systems but do nothing more than detect new MAC addresses on the LAN that are not permitted by an ACL. Such functionality is implemented in the firmware of some access points as well. Of course, anyone able to bypass a MAC-based ACL (by cloning a permitted address) will bypass MAC-based “IDS” just as easily. A true wireless IDS is a dedicated 802.11 (or 802.15) protocol analyzer, running on its own radio in monitor mode, supplied with an attack signature database or a knowledge base and inference engine, as well as an appropriate report and alarm interface. Some suspicious events to look for on a wireless LAN include

• Probe requests (a good indication of someone using active scanning mode)

• Beacon frames from unsolicited access points or ad hoc wireless clients

• Floods of disassociate/deauthenticate frames (man-in-the-middle attack?)

• Hosts that associate but never complete authentication, or that repeat the authentication exchange (attempts to guess the shared key?)

• Frequent reassociation frames on networks without enabled roaming, and frequent packet retransmits (“hidden node,” bad link, or possible DoS attack?)

• Multiple incorrect SSIDs on closed networks (SSID brute-forcing?)

• Suspicious SSIDs such as “AirJack” (or plain old “31337”)

• Frames with unsolicited and duplicated MAC addresses

• Randomly changing MAC addresses (attackers using Wellenreiter or FakeAP)

• Frames transmitted on other 802.11 channels within the five-channel range, or frames with different SSIDs transmitted on the same channel (misconfigured and probably unsolicited host, interference, DoS?)

• Hosts not using implemented cryptographic solutions (should not be there)

• Multiple EAP authentication requests and responses (brute-forcing EAP-LEAP?)

• Malformed and oversized EAP frames and various EAP frame floods (802.1X DoS attack?)

• 802.11 frame sequence numbers that don’t match the established sequence cycle (man-in-the-middle attacks, MAC spoofing on LAN?)

• ARP spoofing and other attacks originating from wireless LANs
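The list above is a set of heuristics, and each one maps naturally onto a rule run over captured 802.11 management-frame metadata. The following is an added example, not code from the book: a small analyzer that applies five of the heuristics (probe requests, rogue and “evil twin” beacons, suspicious SSIDs, deauthenticate/disassociate floods, and sequence-number discontinuities that betray MAC spoofing) to a constructed stream of frame records. The `Frame` record, the `KNOWN_APS` inventory, the thresholds, and every MAC address and SSID in the sample are hypothetical; on a real sensor the records would be filled from a monitor-mode capture.

```python
"""Toy wireless IDS over 802.11 management-frame metadata.

Added example, not from the book. Frame records, thresholds, MAC addresses
and SSIDs below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    t: float              # capture timestamp, seconds
    subtype: str          # beacon, probe_req, deauth, disassoc, data
    src: str              # transmitter (source) MAC address
    bssid: str
    ssid: Optional[str]   # SSID element, None for broadcast probe requests
    channel: int          # channel the sensor saw the frame on
    seq: int              # 12-bit sequence number from sequence control

# Hypothetical inventory of our own access points: BSSID -> (SSID, channel).
KNOWN_APS = {"00:11:22:33:44:55": ("corpnet", 6)}
SUSPICIOUS_SSIDS = {"AirJack", "31337"}
DEAUTH_WINDOW = 1.0    # seconds
DEAUTH_THRESHOLD = 10  # deauth + disassoc frames per window before alerting
SEQ_MAX_GAP = 64       # larger forward jump, or any backward step, is suspect

def analyze(frames):
    """Return a list of (kind, subject, detail) alerts, one per kind/subject."""
    alerts, seen = [], set()
    def alert(kind, subject, detail):
        if (kind, subject) not in seen:      # suppress repeats of one finding
            seen.add((kind, subject))
            alerts.append((kind, subject, detail))
    deauth_times = defaultdict(deque)         # src -> timestamps in window
    last_seq = {}                              # src -> last sequence number
    our_ssids = {ssid for ssid, _ in KNOWN_APS.values()}
    for f in sorted(frames, key=lambda x: x.t):
        if f.subtype == "probe_req":
            alert("probe_request", f.src, "active scanning")
        elif f.subtype == "beacon":
            known = KNOWN_APS.get(f.bssid)
            if f.ssid in SUSPICIOUS_SSIDS:
                alert("suspicious_ssid", f.bssid, f.ssid)
            elif known is None:
                # Our SSID from a BSSID we do not own is an evil twin;
                # any other unknown beacon is a rogue or unsolicited AP.
                kind = "evil_twin" if f.ssid in our_ssids else "rogue_ap"
                alert(kind, f.bssid, f"ssid={f.ssid} ch={f.channel}")
            elif known[1] != f.channel:
                alert("channel_mismatch", f.bssid,
                      f"expected ch {known[1]}, saw ch {f.channel}")
        elif f.subtype in ("deauth", "disassoc"):
            q = deauth_times[f.src]
            q.append(f.t)
            while q and f.t - q[0] > DEAUTH_WINDOW:   # slide the window
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD:
                alert("deauth_flood", f.src, f"{len(q)} in {DEAUTH_WINDOW}s")
        # Sequence numbers increment per transmitter and wrap at 4096. A
        # second radio spoofing this MAC runs its own counter, so the
        # stream jumps or goes backwards. A gap of 0 is a retransmission.
        prev = last_seq.get(f.src)
        if prev is not None:
            gap = (f.seq - prev) % 4096
            if gap != 0 and gap > SEQ_MAX_GAP:
                alert("seq_anomaly", f.src, f"seq {prev} -> {f.seq}")
        last_seq[f.src] = f.seq
    return alerts

def sample_frames():
    """Constructed capture: healthy traffic plus several attack patterns."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    fr = [Frame(0.0 + 0.1 * i, "beacon", ap, ap, "corpnet", 6, 10 + i)
          for i in range(3)]
    fr += [Frame(0.15, "data", client, ap, None, 6, 500),
           Frame(0.25, "data", client, ap, None, 6, 501),
           Frame(0.30, "probe_req", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff",
                 None, 6, 1),
           Frame(0.40, "beacon", "66:77:88:99:aa:bb", "66:77:88:99:aa:bb",
                 "corpnet", 11, 7),                       # evil twin
           Frame(0.50, "beacon", "02:02:02:02:02:02", "02:02:02:02:02:02",
                 "AirJack", 1, 3),                        # attack tool SSID
           Frame(0.60, "beacon", "0c:0c:0c:0c:0c:0c", "0c:0c:0c:0c:0c:0c",
                 "guest-free", 3, 9)]                     # rogue AP
    # Deauth flood spoofing the AP's address from another radio: its own
    # sequence counter is far from the AP's, which also trips seq_anomaly.
    fr += [Frame(1.0 + 0.05 * i, "deauth", ap, ap, None, 6, 3000 + i)
           for i in range(12)]
    fr += [Frame(2.0, "beacon", ap, ap, "corpnet", 6, 13),
           Frame(2.1, "data", client, ap, None, 6, 502)]
    return fr

if __name__ == "__main__":
    for kind, subject, detail in analyze(sample_frames()):
        print(f"{kind:16} {subject}  {detail}")
```

The sequence-number rule is the one that catches the most here: because the flood spoofs the access point's own address, a MAC-based ACL would let every one of those frames through, while the jump from the AP's counter (12) to the attacker's (3000) is visible in the very first forged frame. Note the deliberate omissions: a gap of zero is treated as a retransmission rather than an anomaly, and the same finding is reported once per subject, since an alarm that fires on every frame of a flood is itself a small denial of service against the analyst.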
