Wireless LAN Tools: Monitoring and Reporting (Part 4)
August 17, 2004
In the final part of this study, we discuss how to use WLAN analyzers to help keep your WLAN running smoothly.
This article is the fourth in a series that explores the purpose and use of 802.11 Wireless LAN Analyzers. Prior installments provided a resource list of open source and commercial WLAN analyzers (Part 1), explained how to combine software with hardware to create a WLAN analysis toolkit (Part 2), and used several different tools to illustrate wireless node discovery, rogue detection, site surveys, and basic troubleshooting (Part 3).
Here in Part 4, we show how to use WLAN analyzers to support typical 802.11 network monitoring and reporting tasks. Analyzers can help WLAN administrators detect security vulnerabilities and active attacks, monitor performance and pin-point potential problems, and evaluate network and application usage to spot emerging trends.
In last week's installment, we illustrated the use of WLAN analyzers and Intrusion Detection Systems to detect and track down nearby 802.11 APs and stations. That process, commonly referred to as rogue detection, is just one step in auditing the security of your WLAN.
Performing a security audit can help you find and fix your own WLAN's vulnerabilities before attackers can exploit them. Like an accounting audit, a network security audit check for the presence of known risk factors and compliance with best practices and established policies. A security audit can be conducted in-house or by a third-party, and can involve both active penetration testing and passive observation.
WLAN analyzers play an essential role during an audit by alerting you to common risk factors, like an AP broadcasting its SSID in beacon frames, or an AP using WEP keys that are known to be especially weak. Analyzers can also detect deviation from best practices commonly used to reduce risk, like an AP operating with a factory-default SSID (probably an unconfigured and therefore unsecured AP) or a station sending NetBIOS over wireless (probably leaking fileshares to others on the WLAN).
These conditions may or may not represent actual threats--for example, the AP may belong to a neighbor, or you might not intend to use WEP anyway. More often, these security alerts draw your attention to conditions that you didn't know existed or did not realize were risks. Performing a security audit gives you the opportunity to review these warnings and take corrective action where appropriate.
For example, consider this security audit template provided by WildPackets AiroPeekNX. This template loads pre-defined capture filters that are applied to wireless traffic to detect 13 common security mistakes. When an audited event occurs, it triggers a notification and/or a packet capture. Analyzing captured packets lets you investigate the event--in this example, identifying the AP using a factory-default SSID, and whether any stations are communicating with that AP. This template can obviously be extended or refined to check for additional risks or best practices.
During an audit, you will remediate conditions that pose a threat, and make a conscious decision to defer those that do not. Audits are typically repeated until you reach the point where remaining risk is acceptable. At that time, you will probably want to disable WLAN analyzer alerts that you no longer want to hear about. For example, this Network Instruments Observer panel is used to selectively enable or disable individual alerts reported by each local or remote network probe.
In fact, many of the alerts built into WLAN analyzers can help you enforce your company's security policy. The above example includes a long list of authentication alerts related to non-use of 802.1X and various EAP types. But these may or may not be policy violations for your WLAN. It's up to every organization to decide which security measures are required or permitted on their own WLAN.
WLAN analyzers can also detect attempted attacks. As discussed in Part 3, analyzers can be used for sampling traffic at regular intervals or stand-alone monitoring in smaller networks. Wireless Intrusion Detection Systems are often used in larger networks that require 24/7 distributed monitoring with central supervision. Because stand-alone monitoring with analyzers and distributed monitoring with IDS have much in common under the covers, several vendors sell both WLAN analyzers and WIDS products.
Whether you monitor your WLAN with an analyzer, a WIDS, or both, it's important to understand the kinds of attacks that can be detected, how you'll be notified when suspicious events occur, the information available to assist with your investigation, and the steps you can take to respond to the incident.
Alerts that can be generated by WLAN analyzers vary quite a bit. Most can alert you to rogue AP and stations and deviations from common best practices. Commercial products tend to include more policy enforcement alerts, at more granular levels. They also do a better job of keeping up with new WLAN attack signatures, like denial-of-service (DoS) attacks (e.g., 802.11/802.1X floods, RF jamming, forged logoff or deauthenticate messages), attempted break-ins (e.g., password-guessing, forged MAC addresses), and attacks against wireless stations (e.g., soft or faked APs, traffic between wireless stations, ARP spoofing).
Depending on the analyzer, alerts may be displayed on a console, sent to a logfile or database, and/or forwarded to an upstream management systems (e.g., an SNMP manager or WIDS server). To attract your attention, the analyzer may flash, make noise, send e-mail, call your pager, or invoke a user-defined program. For example, see this pair of Baseband LinkFerret alarm configuration panels. To avoid being flooded with e-mail or pages, apply these actions sparingly based on priority and set thresholds where available.
Response: Alerts should be accompanied by enough information that you can take corrective action to stop the attack or eliminate the vulnerability that was exploited--preferably both. Although presentation styles vary, look for features that help you navigate to related data, like traffic history associated with the affected AP or station. For example, clicking on an AirMagnet alert provides detailed description of both the alert and its subject.
Some commercial WLAN analyzers can provide expert analysis of the attack and advice on how to deal with it. For example, AiroPeek NX's Expert Problem Finder describes the potential consequences and recommended actions for each reported problem.
During incident investigation, intrusion detection systems and analyzers can play different roles. Use a WIDS for tasks that require more breadth--for example, correlating alerts from several sensors to pinpoint an attacker's approximate location, or looking back weeks to find related incidents. Use analyzers for tasks that require greater depth--for example, launching a capture to watch an attacker's activities and gather evidence. Many analyzers can filter on extremely minute protocol fields, as shown in this Ethereal example. Some analyzers can automatically generate complex filter expressions to watch the subject of an alert.