Wednesday, June 17, 2009

Wireless intrusion detection system

Introduction:

Threats to wireless local area networks (WLANs) are numerous and potentially devastating. Security issues ranging from misconfigured wireless access points (WAPs) to session hijacking to Denial of Service (DoS) can plague a WLAN. Wireless networks are not only susceptible to TCP/IP-based attacks native to wired networks, they are also subject to a wide array of 802.11-specific threats.
WLANs should employ a security solution that includes an intrusion detection system (IDS). Even organizations without a WLAN are at risk of wireless threats and should consider an IDS solution.

Wireless IDS:

IDS have traditionally been developed to detect intrusions and misuse for wired systems and networks. More recently, IDS have been developed for use on wireless networks. These wireless IDS can monitor and analyze user and system activities, recognize patterns of known attacks, identify abnormal network activity, and detect policy violations for WLANs. Wireless IDS gather all local wireless transmissions and generate alerts based either on predefined signatures or on anomalies in the traffic.

A Wireless IDS is similar to a standard, wired IDS, but has additional deployment requirements as well as some unique features specific to WLAN intrusion and misuse detection.

Physical location detection is a critical aspect of a wireless IDS. 802.11 attacks are often carried out in close proximity to the WAP and can be performed in an extremely short timeframe. Therefore, the response to attacks needs not only to be logical, as with standard IDSs (i.e. blocking the offending IP address); it also needs to incorporate the physical deployment of individuals to identify the attacker, and the response must be timely. Unlike wired attacks, where the hacker is usually at a great physical distance from the victim network, wireless attackers are often physically located on the local premises. A wireless IDS can aid in detecting the attacker's location by providing at least a general estimate of their physical location. By correlating the captured 802.11 data with the sensor location as well as the location of the victim WAP, the physical location of the attacker can be more easily identified.

How Hackers work:

In an effort to identify potential WAP targets, hackers commonly use scanning software. Hackers or curious individuals will use tools such as Netstumbler or Kismet to map out a given area's WAPs. Used in conjunction with a Global Positioning System (GPS) these scans not only locate WAPs, but also log their geographical coordinates. These tools have become so popular that there are web sites dedicated to mapping the world's WAP geography. A wireless IDS can detect these and other scans, helping to improve awareness of the threats to the WLAN.

Drawbacks of wireless IDS:

The benefits of a wireless IDS are numerous, but there are several drawbacks to consider before deploying such a system. Wireless intrusion detection is a rather new technology, and caution should be taken before applying any new technology to an operational network. Because the technology is new, there may be bugs or, worse, vulnerabilities which could potentially weaken the WLAN's security. Wireless IDS technology is developing at a rapid pace though, and this caveat may not be a deterrent in the future. Another potential turn-off to a wireless IDS solution may be cost.

The expense of the vendor solutions may be prohibitive. In such a case, a homegrown solution can be developed, but this approach may prove costly as well due to the extensive human capital that may be required to develop such a solution. Also, the cost of the wireless IDS solution (vendor-based or homegrown) will grow in conjunction with the size of the WLAN to be monitored, due to the requirement for a greater number of sensors. Therefore, the larger the WLAN, the more expensive the wireless IDS deployment will be.

Saturday, June 13, 2009

Intrusion Prevention Systems

Intrusion prevention is a way of protecting your computer system from unwanted entry. Most computers have firewall programs installed to protect their systems from exploitation, but intrusion prevention is a system added for extra security. An intrusion prevention system provides added protection from either computer viruses or hackers trying to break into your network.

Intrusion prevention systems are much more secure than common firewall technology. Although considered to be an expansion of the original intrusion detection system, they are actually more a way of controlling who has access to a computer network. They not only control access, but also detect entry to the network, so the two systems are closely linked.

The intrusion prevention system controls access to a network based on the content of the application trying to make contact. Prior to this, detection by firewalls was based on ports or IP addresses. A good intrusion prevention system not only detects intrusion, but also controls access to a network. This latter feature is the system's main improvement over detection-only firewalls.

There are different types of intrusion prevention available for added security.

Network intrusion prevention systems are usually hardware devices that are situated in the network. Unlike host based intrusion systems that have to be applied to every computer in the network, the network system requires fewer devices to be installed.

The network intrusion prevention system can be content based or rate based. A content based system will inspect and disallow any entry from content that is not known. The content may not be recognized by the prevention system, or it may have been previously recorded as a threat to the system.

Rate based network intrusion prevention is based on the intent of the attack rather than the content. The rate-based system can identify threats that are different from the traffic the network usually receives. The rate-based system learns the type and behavior of normal network traffic and sets parameters accordingly. Anything that falls outside of these parameters will be denied access to the network.
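As an added illustration of the rate-based approach (this is not code from the original post), the script below learns a per-source packet rate from a window of traffic assumed to be normal, derives a threshold from it, and denies any source whose observed rate falls outside that parameter. The sample rates and packets are constructed, and the k = 3 standard-deviation margin is an assumed tuning value.

```python
from collections import Counter, defaultdict
from statistics import mean, stdev


def per_second_rates(packets):
    """packets: iterable of (unix_timestamp, src_ip).
    Returns {src_ip: peak packets observed in any single second}."""
    per_second = defaultdict(Counter)          # second -> Counter of src_ip
    for ts, ip in packets:
        per_second[int(ts)][ip] += 1
    peak = Counter()
    for counts in per_second.values():
        for ip, n in counts.items():
            peak[ip] = max(peak[ip], n)
    return dict(peak)


def learn_parameters(normal_rates, k=3.0):
    """Learn the 'parameters' from a learning window of normal traffic:
    returns (mean rate, upper threshold = mean + k * stdev).
    k=3 is an assumed tuning value, not something from the post."""
    mu = mean(normal_rates)
    return mu, mu + k * stdev(normal_rates)


def classify(observed_rates, threshold):
    """Return [(ip, rate, 'allow'|'deny')]; a rate above the learned
    threshold is outside the parameters and is denied."""
    return [(ip, r, "deny" if r > threshold else "allow")
            for ip, r in sorted(observed_rates.items())]


# Constructed learning window: peak packets/s seen from ordinary clients.
BASELINE_RATES = [42, 55, 48, 61, 50, 47, 58, 52, 49, 56]

# Constructed observation window: one client sends 60 packets in a second
# (normal), another bursts 120 packets in a second.
OBSERVED_PACKETS = (
    [(1000.0 + i / 60, "192.0.2.20") for i in range(60)]
    + [(1000.0 + i / 120, "192.0.2.99") for i in range(120)]
)


def demo():
    """Learn from the baseline, then judge the observed window."""
    _, threshold = learn_parameters(BASELINE_RATES)
    return classify(per_second_rates(OBSERVED_PACKETS), threshold)
```

With the constructed baseline the learned threshold lands just under 69 packets/s, so the 60 packets/s client is allowed and the 120 packets/s burst is denied.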

There are also host based intrusion prevention systems. These are software-only applications that are very good at detecting unwanted entry after decryption has occurred. Over time, the host-based system builds up a monitoring system for access to the computer's network. The only problem with host based prevention is that it must be installed on every computer in the network. It also cannot cope with larger rate based access attacks, as it does not have the capabilities to deal with these levels of detection and denial of entry.

Monday, June 1, 2009

Hybrid Intrusion Detection System

HIDS and NIDS Used in Combination:

The two types of intrusion detection systems differ significantly from each other, but complement one another well. The architecture of a host-based IDS is agent-based, which means that a software agent resides on each of the hosts that will be governed by the system. In addition, more efficient host-based intrusion detection systems are capable of monitoring and collecting system audit trails in real time as well as on a scheduled basis, thus distributing both CPU utilization and network overhead and providing for a flexible means of security administration.

In a proper IDS implementation, it would be advantageous to fully integrate the network intrusion detection system, such that it would filter alerts and notifications in an identical manner to the host-based portion of the system, controlled from the same central location. In doing so, this provides a convenient means of managing and reacting to misuse using both types of intrusion detection.

That said, as an organization introduces an IDS into its network to augment its current information security strategy, the primary focus of the intrusion detection system should be host-based. Although network intrusion detection has its merits and certainly must be incorporated into a proper IDS solution, it has historically been incapable of evolving to comply with the growing technology of data communications. Most NIDS perform miserably, if at all, on switched networks, fast networks of speeds over 100 Mbps, and encrypted networks. Furthermore, somewhere in the range of 80-85 percent of security incidents originate from within an organization. Consequently, intrusion detection systems should rely predominantly on host-based components, but should always make use of NIDS to complete the defense. In short, a truly secure environment requires both a network and host-based intrusion detection implementation to provide for a robust system that is the basis for all of the monitoring, response, and detection of computer misuse.

NIDS

Network based intrusion detection system:

Network-based intrusion detection systems operate differently from host-based IDS: a NIDS analyzes the data packets that travel over the actual network. When it sees suspicious packets, a NIDS can scan its own database of known network attack signatures and assign a severity level to each packet. If the severity level is high enough, a warning email is sent to security team members so they can further investigate the nature of the anomaly.

In general, network-based systems are best at detecting the following activities:

  • Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
  • Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.
Some possible downsides to NIDS include encrypted packet payloads and high-speed networks, both of which inhibit the effectiveness of packet interception and deter packet interpretation. Examples of network-based IDS include Shadow, Snort!, Dragon, NFR, RealSecure, and NetProwler.

Snort is an IDS designed to be comprehensive and accurate in successfully logging malicious network activity and notifying administrators when potential breaches occur. Snort uses the standard libpcap library and tcpdump as a packet logging backend.

The most prized feature of Snort, in addition to its functionality, is its flexible attack signature subsystem. Snort has a constantly updated database of attacks that can be added to and updated via the Internet.

Tuesday, May 19, 2009

IDS Types and HIDS

In general, intrusion detection systems can be categorized into three types. They are
  • Host based IDS
  • Network based IDS
  • Hybrid IDS

Host Based IDS:

Host-based IDS consult several types of log files (kernel, system, server, network, firewall, and more), and compare the logs against an internal database of common signatures for known attacks. UNIX and Linux host-based IDS make heavy use of syslog and its ability to separate logged events by their severity (for example, minor printer messages versus major kernel warnings). The syslog command is available when installing the sysklogd package, which is included with Red Hat Enterprise Linux. This package provides system logging and kernel message trapping. The host-based IDS filters logs (which, in the case of some network and kernel event logs, can be quite verbose), analyzes them, re-tags the anomalous messages with its own system of severity rating, and collects them in its own specialized log for administrator analysis.
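The log-filtering step above, as an added example that is not part of the original post: it decodes the syslog PRI value (facility * 8 + severity, as syslog separates events), applies the IDS's own rating rules on top of that, and keeps only the records worth an administrator's attention. The sample log lines and the two rating rules are constructed for the illustration; note that a failed login is logged at auth.info, which a pure severity filter would throw away, while a printer warning is demoted.

```python
import re

# syslog PRI = facility * 8 + severity; severity 0 (emerg) .. 7 (debug)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The IDS's own rating rules (constructed): a pattern match overrides the
# rating that would otherwise be derived from the syslog severity.
RULES = [
    (re.compile(r"Failed password for"), "high"),    # auth.info, but matters
    (re.compile(r"printer \S+ is low on"), "low"),   # daemon.warning, but noise
]


def parse(line):
    """Split one RFC 3164 style line into facility, severity, tag and text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fac, sev = divmod(int(m.group("pri")), 8)
    facility = FACILITY[fac] if fac < len(FACILITY) else f"facility{fac}"
    return {"facility": facility, "severity": SEVERITY[sev],
            "tag": m.group("tag"), "msg": m.group("msg")}


def ids_rating(rec):
    """Rules first; otherwise map syslog severity onto high/medium/low."""
    for pattern, rating in RULES:
        if pattern.search(rec["msg"]):
            return rating
    sev = SEVERITY.index(rec["severity"])
    return "high" if sev <= 2 else "medium" if sev <= 4 else "low"


def filter_log(lines):
    """Return (tag, rating, msg) for every record rated above 'low'."""
    kept = []
    for rec in filter(None, map(parse, lines)):
        rating = ids_rating(rec)
        if rating != "low":
            kept.append((rec["tag"], rating, rec["msg"]))
    return kept


# Constructed sample lines (not captured from a real host).
SAMPLE_LOG = [
    "<38>May 14 10:22:01 web01 sshd[1422]: Failed password for root from 192.0.2.10 port 5555 ssh2",
    "<38>May 14 10:22:03 web01 sshd[1422]: Accepted password for alice from 192.0.2.20 port 5556 ssh2",
    "<28>May 14 10:22:05 web01 cups[88]: printer lp1 is low on toner",
    "<2>May 14 10:22:07 web01 kernel: Out of memory: Kill process 2201 (httpd)",
]
```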
A host-based IDS can also verify the data integrity of important files and executables. It checks a database of sensitive files (and any files added by the administrator) and creates a checksum of each file with a message digest utility such as md5sum (128-bit algorithm) or sha1sum (160-bit algorithm). The host-based IDS then stores the sums in a plain text file and periodically compares the file checksums against the values in the text file. If any of the file checksums do not match, the IDS alerts the administrator by email or cellular pager.
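The integrity check just described, written out as an added example (not Tripwire's code or anything from the original post): a baseline of digests is stored in a plain text file in md5sum/sha1sum style, and a later pass reports files that were modified, went missing, or appeared. sha256 is this example's assumption in place of the md5sum/sha1sum the post mentions; the watched file names and the tampering scenario in demo() are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks; 'md5' or 'sha1' work too, sha256 is assumed here."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """{path: digest} for every watched path that currently exists as a file."""
    return {p: file_digest(p, algo) for p in paths if os.path.isfile(p)}


def write_baseline(baseline, store):
    """Plain-text store in md5sum/sha1sum style: '<digest>  <path>' per line."""
    with open(store, "w") as f:
        f.writelines(f"{d}  {p}\n" for p, d in sorted(baseline.items()))


def read_baseline(store):
    with open(store) as f:
        pairs = (line.rstrip("\n").split("  ", 1) for line in f if line.strip())
        return {path: digest for digest, path in pairs}


def compare(baseline, current):
    """Report what changed; a HIDS would turn a non-empty report into an alert."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline three files, then alter the set and re-check."""
    d = tempfile.mkdtemp()
    watched = [os.path.join(d, n) for n in ("passwd", "sshd_config", "hosts")]
    for p in watched:
        with open(p, "w") as f:
            f.write(f"original {os.path.basename(p)}\n")
    store = os.path.join(d, "sums.txt")
    write_baseline(build_baseline(watched), store)
    with open(watched[0], "a") as f:       # passwd gets modified
        f.write("one more line\n")
    os.remove(watched[1])                  # sshd_config goes missing
    extra = os.path.join(d, "rc.local")    # a new file appears
    with open(extra, "w") as f:
        f.write("added later\n")
    report = compare(read_baseline(store), build_baseline(watched + [extra]))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```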

Tripwire is the most popular host-based IDS for Linux. Tripwire, Inc., the developers of Tripwire, opened the software source code for the Linux version and licensed it under the terms of the GNU General Public License. Tripwire is available from http://www.tripwire.org/.

SWATCH (http://sourceforge.net/projects/swatch/) and LIDS (http://www.lids.org/) are other commonly used IDS.

Friday, May 15, 2009

IDS Overview

Intrusion detection systems do exactly as the name suggests, they detect possible intrusions. More specifically, IDS tools aim to detect computer attacks/misuse, and to alert the proper individuals upon detection. An IDS installed on a network provides much the same purpose as a burglar alarm system installed in a house. Through various methods, both detect when an intruder/attacker/burglar is present, and both subsequently issue some type of warning or alert.

IDS monitor, detect and respond to unauthorized access, whether by insiders or outsiders. IDS use policies to define certain events that, if detected, will issue an alert. In other words, if a particular event is considered to constitute a security incident, an alert will be issued if that event is detected. Certain intrusion detection systems have the capability of sending out alerts, so that the administrator of the IDS will receive a notification of a possible security incident in the form of an email or SNMP trap. Many IDS not only recognize a particular incident and issue an appropriate alert, they also respond automatically to the event. Such a response might include logging off a user, disabling a user account, or launching scripts.

Some IDS are knowledge-based, which preemptively alert security administrators before an intrusion occurs using a database of common attacks. Alternatively, there are behavioral-based IDS that track all resource usage for anomalies, which are usually a strong indicator of malicious activity. Some are standalone services that work in the background and passively listen for activity. Others combine standard system tools, modified configurations, and verbose logging with administrator intuition and experience to create a powerful intrusion detection kit.

Thursday, May 14, 2009

Basics on Intrusion Detection and Intrusion Prevention

Intrusion Detection:
This encompasses a range of security techniques that are designed to detect or report any instance of intrusion into the security system to the user or network administrator. Intrusion detection technologies are detective rather than preventive, but they can help mitigate the following types of risks by providing a security administrator with information on attempted or actual security events.
-> Destruction of data
-> Network intrusion
-> Unauthorized access
-> Denial of service attacks.

Intrusion Prevention:
These systems combine all levels of firewall and intrusion detection technologies, and so often end up as systems that can operate at all levels of the network stack. The only disadvantage of intrusion prevention systems is that they are not fast and robust; for this reason an IPS may not be appropriate where speed is of high importance.
Intrusion prevention systems are a sophisticated class of network security implementation that not only has the ability to detect the presence of intruders and their actions but also to prevent them from successfully launching any attack. These systems are designed to detect malicious packets within normal network traffic and stop network intrusion, blocking unauthorized traffic automatically before it does damage rather than simply raising an alert.