Controlling WLAN access with IDS

The lowdown on two popular WLAN IDS solutions (and a third option worth considering)

Like it or not, wireless networks are quickly becoming as common as old-school copper networks. If you have a WLAN up and running now, it is only a matter of time before one of your employees buys a wireless access point from the local computer store and hooks it up to your network. Policies and procedures alone won't prevent the incursion. But you can help control access after the fact by deploying intrusion detection devices on your network.

Intrusion detection, WLAN style
Intrusion Detection Systems (IDS) typically come in two forms:
  • Host-based IDS (HIDS): A host-based IDS runs on a specific computer or device. A HIDS monitors the log files on that host and compares the events in them against a database of known attack signatures. It uses the comparison to identify patterns of behavior that match commonly known hacker attacks.
  • Network-based IDS (NIDS): A network-based IDS attempts to provide the same function but operates in a very different manner. A NIDS inspects the packets crossing a network segment (typically from a router, a switch monitor port, or a tap) and logs any packets it considers suspicious.

As cool as the concept of intrusion detection systems may be, when it comes time to deploy them, there are several questions you must ask yourself. How do you set up a Network-based IDS for a network that has no wires? What do you consider normal and abnormal access on your network? What about Host-based IDS solutions? Can they handle the traffic being pushed through them by all of the clients on the WLAN?

Despite the difficulties associated with WLAN intrusion detection, several valid solutions have been offered up to Admins in need of help. The problem, as we'll see when looking at some of these solutions, is that none of them offer a complete solution that's also easy to implement.

Author’s note
The following (short) list of WLAN IDS solutions is not complete, nor is it meant to be. This is one area experiencing a constant state of flux, so I'll examine two of the more popular solutions out there, discussing both their strengths and their weaknesses as expressed by experts currently using them. After I've presented these two options (which are about as diametrically opposed as can be), I'll present a third option that you may want to consider as you seek to create a complete WLAN IDS solution. Remember, when addressing WLAN IDS, you won't find one solution that fits all circumstances. In most cases, you'll need to mix and match strategies to fit your needs.

AirMagnet
It's actually hard to categorize AirMagnet as an IDS because it's really so much more than that. AirMagnet is a combination of software and a modified NIC that can be installed on a Pocket PC, such as the iPAQ, or on a Windows-based portable computer. This proves to be both a strength and a weakness of AirMagnet. On the plus side, it's highly portable and can be used any time the Administrator is physically within radio range. AirMagnet can detect rogue APs, rogue clients, and many other security issues, such as access points running without WEP or WEP Initialization Vector (IV) reuse. Figure A shows some sample output that you might expect to see when using AirMagnet on a portable computer.

Figure A
AirMagnet offers you a wealth of information in an easy-to-use format.

So what's wrong with AirMagnet? It's a very solid application that can be learned fairly quickly and put to good use in the right hands. Its only downside is that you must carry it around the network with you to use it; it sees only what is within radio range of wherever you happen to be standing. The two most common uses for AirMagnet are rogue AP detection and site surveying, although a proper site survey involves several other tasks that AirMagnet alone won't perform. I consider AirMagnet to be the product you want to pair with any other WLAN IDS product to form a complete solution. It's an added bonus that you can use AirMagnet for routine management tasks as well. For more information about AirMagnet, see the Daily Drill Down "Monitor your wireless network with AirMagnet."

AirDefense
AirDefense takes an approach that is the complete opposite of the AirMagnet strategy. AirDefense actually offers three different products, each with its own focus. Its premier product, AirDefense IDS, is an extremely powerful hardware-based, back-end solution that is as effective in use as it is difficult to configure. The great strength of AirDefense's method lies in the fact that it's a back-end solution: sensors report to a central server, which allows for growth and easier scalability.

The AirDefense IDS is very powerful, but not for the faint of heart. It can be expensive, costing $9,000 for the entry level product, with the price increasing as you increase the number of monitored access points. Additionally, you’ll face a pretty steep learning curve trying to figure out how to interpret log files and how to react to the intrusions.

Symbol Spectrum 24 AP-4131 Access Point
You may be wondering why I'd mention an access point as a third IDS solution here. It's really quite simple: Symbol's access point comes standard with onboard host-based IDS capabilities. One of the best features is that a Symbol access point can detect other access points in range and flag them as rogues: non-Symbol access points, access points advertising a different ESSID, and access points whose MAC addresses aren't configured in the AP-4131's Authorized AP Table. Figure B shows the SNMP Configuration screen of the AP-4131, from which you can configure SNMP traps to be sent when rogue access points are detected.

Figure B
The Symbol AP-4131 allows you to configure SNMP traps when a rogue AP is detected.

The three options of concern are:
  • NonSymbol AP Detection: When this option is enabled, the access point enters promiscuous mode and sends beacon packets to other access points for processing. If the MAC address of an access point that responds does not start with 00:0A:F8 (Symbol's OUI), it is considered a non-Symbol access point and an SNMP trap is generated.
  • Other-ESSID AP Detection: When this option is enabled, the access point generates an SNMP trap whenever it detects an ESSID (commonly referred to simply as the SSID) other than its own. The trap is generated regardless of whether the other device has a Symbol MAC address (one starting with 00:0A:F8).
  • UnAuthorized AP Detection: When this option is enabled, you must place the MAC addresses of the access points you consider authorized into the Authorized AP Table. Any access point whose MAC address is not in the table causes an SNMP trap to be generated when it is detected. Access points that trigger a trap under either of the two previous options are also treated as unauthorized.

When a rogue AP is discovered, the AP-4131 will generate an SNMP trap containing the name and MAC address of the rogue AP, as well as the ESSID. This information is also found in the Known Access Point screen, which can be accessed from the main menu shown in Figure C by selecting Show Known APs. (Note also that you can get to the SNMP Configuration page by selecting Set SNMP Configuration from this menu.)

Figure C
The AP-4131's main menu isn't pretty, but is very functional.

A broadcast message (a beacon packet) is sent to all access points within range of the AP-4131 every 12 seconds to determine which APs are to be included on this list, as shown in Figure D.

Figure D
All access points that the AP-4131 detects will be listed on the Known Access Points page.

From here you can easily add an access point to the Authorized AP MAC Address table by pressing the F2 key. A status of R indicates that an access point has been identified as a rogue, while a status of Z indicates that the access point is authorized on the network. A status of A indicates that the device is a wireless access point.

Access points that you designate as "non-hostile," or authorized, are considered by the AP-4131 to be available for data transmission and will not result in an SNMP trap being generated upon their detection. You can see an example of the authorized AP listing in Figure E.

Figure E
You can enter authorized access points on the Authorized AP MAC Address page.
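To make the three detection options and the Known Access Points screen concrete, here is an added example (written for this page, not Symbol's firmware or any code from the article) that models the AP-4131's logic in Python and runs it over a handful of constructed beacon observations. The configuration field names, the Beacon type, and the RogueTracker class are all hypothetical. One point the article leaves implicit is precedence: this example assumes that a MAC address in the Authorized AP Table suppresses all three traps, following the paragraph above that says authorized APs never generate a trap on detection, and it generates a trap only the first time a rogue is seen, since the AP-4131 rescans every 12 seconds.

```python
"""Model of the Symbol AP-4131's three rogue-AP detection options.

Added example for this article; not Symbol's code. All input below is
constructed for illustration, not captured from a real WLAN.
"""
from dataclasses import dataclass, replace

# OUI the article gives for Symbol hardware; anything else is "non-Symbol".
SYMBOL_OUI = "00:0a:f8"


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so table lookups are exact."""
    return mac.strip().lower().replace("-", ":")


@dataclass(frozen=True)
class Beacon:
    """One access point heard during a scan (hypothetical type)."""
    mac: str
    essid: str
    name: str = ""


@dataclass
class DetectionConfig:
    """The three toggles on the SNMP Configuration screen plus the
    Authorized AP Table they consult (hypothetical field names)."""
    own_essid: str
    non_symbol_ap_detection: bool = True
    other_essid_ap_detection: bool = True
    unauthorized_ap_detection: bool = True
    authorized_macs: frozenset = frozenset()


def rogue_reasons(beacon: Beacon, cfg: DetectionConfig) -> list[str]:
    """Return the names of the traps this AP would raise, or [] if non-hostile.

    Assumption: an entry in the Authorized AP Table suppresses every trap,
    as the article says authorized APs never trap on detection."""
    mac = normalize_mac(beacon.mac)
    if mac in cfg.authorized_macs:
        return []
    reasons = []
    if cfg.non_symbol_ap_detection and not mac.startswith(SYMBOL_OUI):
        reasons.append("NonSymbolAP")
    if cfg.other_essid_ap_detection and beacon.essid != cfg.own_essid:
        reasons.append("OtherESSID")
    if cfg.unauthorized_ap_detection:  # not in the table, so unauthorized
        reasons.append("UnauthorizedAP")
    return reasons


def status_letter(beacon: Beacon, cfg: DetectionConfig) -> str:
    """R = rogue, Z = authorized, as on the Known Access Points screen."""
    return "R" if rogue_reasons(beacon, cfg) else "Z"


def known_ap_table(beacons: list[Beacon], cfg: DetectionConfig) -> list[tuple]:
    """Rows of (status, MAC, ESSID, name) like the Known Access Points page."""
    return [(status_letter(b, cfg), normalize_mac(b.mac), b.essid, b.name)
            for b in beacons]


class RogueTracker:
    """Raises one trap per rogue AP, on first detection, across the
    repeated 12-second scans the AP-4131 performs."""

    def __init__(self, cfg: DetectionConfig) -> None:
        self.cfg = replace(cfg)      # private copy; authorize() mutates it
        self.trapped: set[str] = set()

    def scan(self, beacons: list[Beacon]) -> list[dict]:
        """Return the traps raised by this scan: name, MAC, ESSID, reasons."""
        traps = []
        for b in beacons:
            mac = normalize_mac(b.mac)
            reasons = rogue_reasons(b, self.cfg)
            if reasons and mac not in self.trapped:
                self.trapped.add(mac)
                traps.append({"name": b.name, "mac": mac,
                              "essid": b.essid, "reasons": reasons})
        return traps

    def authorize(self, mac: str) -> None:
        """Equivalent of pressing F2 on the Known APs screen."""
        self.cfg.authorized_macs = self.cfg.authorized_macs | {normalize_mac(mac)}


# Constructed configuration and radio picture for one site.
CONFIG = DetectionConfig(own_essid="corp-wlan",
                         authorized_macs=frozenset({"00:0a:f8:11:22:33"}))
SCAN = [
    Beacon("00:0A:F8:11:22:33", "corp-wlan", "AP-Lobby"),   # authorized Symbol AP
    Beacon("00:0A:F8:44:55:66", "corp-wlan", "AP-Floor2"),  # Symbol, ours, not in table yet
    Beacon("00:0A:F8:77:88:99", "guest", "AP-Guest"),       # Symbol, foreign ESSID
    Beacon("00-11-22-AA-BB-CC", "linksys", ""),             # non-Symbol, foreign ESSID
]


def demo() -> tuple[list[dict], list[dict], list[tuple]]:
    """First scan traps three APs; the admin vets AP-Floor2; the next scan
    is silent and the Known AP table shows it as Z."""
    tracker = RogueTracker(CONFIG)
    first = tracker.scan(SCAN)
    tracker.authorize("00:0A:F8:44:55:66")
    second = tracker.scan(SCAN)
    return first, second, known_ap_table(SCAN, tracker.cfg)


if __name__ == "__main__":
    first, second, table = demo()
    for trap in first:
        print("TRAP", trap)
    print("second scan traps:", second)
    for row in table:
        print(*row)
```

The order of checks matters in practice: because a Symbol AP with your own ESSID still trips UnAuthorized AP Detection until its MAC is in the table, a newly installed unit will show up as R on its first scan, which is exactly the behavior you want for a box that someone bought at the computer store and plugged in without telling you.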

The Symbol AP-4131 may not be the end-all solution for your WLAN IDS needs, but it is a fantastic answer to a growing problem. By putting IDS capabilities on the AP itself, you take the fight against rogue access points to the battle lines. The best thing about the AP-4131's IDS capabilities is that they require no ongoing manual work beyond the initial configuration. The AP-4131 can roll out changes made on one unit to all other access points in the Known AP Table, as long as they all share the same hardware and firmware versions.

A step toward controlling access points
Many people consider WLANs to be an immature technology. In many ways, this is a valid assessment. However, very rarely have technological advances been made without some growing pains along the way; such is the price of progress. Either administrators take proactive steps to locate and remove rogue access points from their wireless LANs, or an intruder will find those access points first and use them against the network. The steps and products you choose to employ will depend on the size and design of your WLAN, as well as the level of security you feel you can afford.
