Enhancing the Security of Corporate Wi-Fi Networks using DAIR

PRESENTED BY SRAVANI KAMBAM

Outline:
◦ Introduction
◦ Attacks on Wi-Fi Networks
◦ DAIR Architecture
◦ Detecting Attacks
◦ Experimental Results
◦ Channel Assignment
◦ Limitations
◦ Related Work
◦ Future Work
◦ Conclusion

Introduction

◦ DAIR: Dense Array of Inexpensive Radios
◦ Framework for monitoring enterprise wireless networks
◦ DAIR framework to detect:
  ◦ Rogue wireless devices
  ◦ Denial of Service attacks
◦ Prior proposals: combination of access points, mobile clients and dedicated sensor nodes
◦ Dense deployment of sensors is necessary for effective monitoring
◦ Two observations: plenty of desktop computers with wired connectivity, and availability of inexpensive USB-based wireless adapters

Attacks on Wi-Fi Networks

◦ Eavesdropping
◦ Intrusion
◦ Denial of Service (DoS)
◦ Phishing

DAIR Architecture

◦ Air Monitors
◦ The Land Monitors
◦ The Inference Engine
◦ The Database

Detecting Attacks

Intrusion Attacks
◦ Guarding Against False Positives
  ◦ Association Test
  ◦ Source/Destination Address Test
  ◦ Replay Test
  ◦ DHCP Signature Test
◦ Guarding Against False Negatives

DoS Attacks
◦ Deauthentication/Disassociation Attacks
◦ NAV attacks

Experimental Results

◦ Test Environment
◦ Sensor Deployment Density
◦ System scalability
◦ Demonstrative Results
  ◦ Delay Incurred by the Association Test
  ◦ Effectiveness of the Replay Test
  ◦ Effectiveness of DHCP Test
  ◦ Threshold for Detecting Disassociation Attacks

Channel Assignment

◦ Which channels should the DAIR nodes listen on?

Limitations

◦ DAIR assumes the availability of stationary desktop computers with good wired network connectivity.
◦ DAIR can never guarantee that a suspect device is harmless.
◦ If all the tests fail, we still cannot say that the suspect device is not connected to the corporate network.
◦ The DAIR monitoring system is at risk if some component of the monitoring system is compromised.
  ◦ Desktop systems: false data submitted, large number of alarms, Denial of Service attacks
◦ DAIR adds a wireless interface to desktop systems, which may make them more vulnerable.

Related Work

◦ Firewalls prevent unauthorized users from gaining access to the network.
◦ IDSs detect compromised machines in the network.
  ◦ They detect once the attack is launched
  ◦ High false positive rate, hence not useful
◦ IPSec secures the communication channel between two authorized machines. VPN software uses this.
◦ These reduce attacks but do not secure the network against attacks like DoS.
◦ They do not detect rogue Wi-Fi devices.

DAIR
◦ Detects and locates the rogue Wi-Fi devices
◦ Detects various DoS attacks
◦ Few false positives
◦ Minimal human intervention

Related Work (cont.)

Two approaches:
◦ APs
◦ Dedicated and expensive custom hardware sensors for RF monitoring

One prior research paper on detecting rogue devices:
◦ Mobile clients and APs
◦ Any unknown AP is flagged as a rogue AP, even if it is not plugged into the corporate network.
◦ Rogue ad hoc networks are not detected
◦ DoS attacks not detected

Another research on detecting greedy and malicious behavior in IEEE 802.11 networks.

DOMINO
◦ AP-based solution for detecting greedy behavior in IEEE 802.11 hotspots.

Future Work

Initially deployed on a small scale but can be scaled to larger deployments.

1. Plan to expand initial deployment to cover entire office building.
2. Building additional performance monitoring and network management applications using the DAIR framework.
3. Extending DAIR system to support accurate location determination.

Conclusion

DAIR
◦ For monitoring enterprise wireless networks using desktop machines
◦ Takes advantage of key attributes of desktop infrastructure
  ◦ Dense deployment
  ◦ Stationarity
  ◦ Wired connectivity
  ◦ Spare CPU and disk resources

DAIR monitors
◦ Security breaches
◦ Denial of Service attacks

DAIR reduces
◦ False negative alarms
◦ False positive alarms

Thank You!