
[IEEE 2008 International Conference on Information Security and Assurance ISA - Busan, Korea (2008.04.24-2008.04.26)] 2008 International Conference on Information Security and Assurance

Integrated Wireless Rogue Access Point Detection and Counterattack System

Songrit Srilasak†,††, Kitti Wongthavarawat† and Anan Phonphoem ††

†Thai Computer Emergency Response Team (ThaiCERT) National Electronics and Computer Technology Center (NECTEC)

112 Pahon-Yothin Rd., Klong Luang, Pathumthanee 12120, Thailand. Tel: +66-2564-6868, Fax +66-2564-6871

††Intelligent Wireless Network Group (IWING)

Department of Computer Engineering, Faculty of Engineering, Kasetsart University 50 Pahon-Yothin Rd., Cha-tuchak, Bangkok 10900, Thailand.

Tel: +66-2942-8555, Fax +66-2579-6245

[email protected], [email protected], [email protected]

Abstract

In this paper we propose an integrated solution for detecting and counterattacking rogue access points. We classify rogue access points and analyze the associated risks, and we propose a rogue detection algorithm. The proposed solution is effective and low cost: it is designed to use the existing wireless LAN infrastructure, so there is no need to acquire new RF devices or dedicated wireless detection sensors. Experiments on a real system are demonstrated.

1. Introduction

Currently many organizations use a wireless LAN to provide the access channel to the Internet and Intranet, enabling a flexible workforce. Employees are able to move their computers from one location to another; while doing so, communication with peers and the Internet is maintained continuously. It has been clearly shown that using a wireless LAN increases the productivity of the company that deploys it. However, wireless security is always a primary concern. The information transmitted by the users is broadcast through the air, and everybody within range of the wireless signal can easily tune in and capture the data. Most enterprise wireless implementations include a wireless security measure such as IEEE 802.11i or WPA (Wireless Protected Access). IEEE 802.11i provides encryption and authentication mechanisms to protect users from unauthorized access and data eavesdropping over the wireless network. However, such security measures cannot protect the system from the unauthorized installation of an access point by the company's own staff. Staff can easily plug an unauthorized access point (normally called a rogue access point) into the network for their personal use. Most staff are unaware of the security threats that come along with this act. An unauthorized user or hacker can bypass the company's line of network defenses (i.e., firewall, access control) through the rogue access point, which poses a serious threat to the organization.

Detecting and terminating a rogue access point are not trivial tasks. It is labor intensive to manually locate a rogue access point, especially in a large enterprise network, and executing a security audit of the wireless system requires considerable administrative and technical resources. Therefore, this paper proposes an automated solution that helps the administrator mitigate the rogue access point threat. This paper is organized as follows. In the next section, we provide a general description of the rogue access point, a classification of rogue access points and the associated risks. In Section 3, we propose the integrated wireless rogue access point detection and counterattack system. In Section 4, we demonstrate the implementation of the proposed solution as well as the experimental results. We provide best practices for mitigating the rogue access point threat in Section 5. Section 6 concludes the paper.

2008 International Conference on Information Security and Assurance
978-0-7695-3126-7/08 $25.00 © 2008 IEEE, DOI 10.1109/ISA.2008.103


2. The Rogue Access Point

The definition of an unauthorized access point (or rogue access point) is a "wireless access point that is installed without explicit authorization from a local network management" [1]. Some define the rogue access point as a "Wi-Fi access point which is set up by an attacker for the purpose of sniffing wireless network traffic". In this paper we summarize the rogue access point under two definitions:

− Definition 1: A rogue access point is an access point that is installed on the network without authorization and does not follow the organization's security policy.

− Definition 2: A rogue access point is an access point that is set up with the malicious intention of compromising the company's information system, such as sniffing the data going through the rogue access point.

An access point that meets either definition is considered a rogue access point. There are four common types of rogue access point:

1) Employee's rogue access point: Employees buy an access point and install it on the company's LAN for their own convenience, without authorization. The rogue access point creates a vulnerability in the network: it enables unauthorized users or attackers from outside to access the company's network. This type of rogue access point is very common, especially in organizations that lack a wireless security policy and security awareness training for employees.

2) Attacker's external rogue access point: The rogue access point is set up outside the company and does not connect to the company's network. Typically the attacker uses a rogue access point with high transmission power and high antenna gain and a spoofed SSID, aiming to lure the target employee into connecting to it. All user traffic is redirected through the rogue access point and analyzed by the attacker. This attack is called a Man-in-the-Middle attack.

3) Attacker's internal rogue access point: The rogue access point is set up inside the company and does connect to the company's network. The attacker uses this rogue access point as a backdoor to access the network at a later time. This type of rogue access point is unlikely because the attacker has to bypass physical security and gain access to the internal LAN, but once it succeeds it is a serious security breach. Typically the attacker disables the SSID broadcast in order to hide the access point from notice.

4) Neighborhood rogue access point: The access point is set up by another company in the close vicinity. Some people do not consider this a rogue access point because wireless LAN uses an unlicensed, shared medium. The administrator has no authority to control or shut down the legitimate access points of another company, but it is good practice to educate employees to be aware of neighborhood access points: inadvertently connecting to a neighborhood access point would compromise security.

Mitigating rogue access points requires two processes: 1) rogue access point detection, to identify the rogue access point, and 2) rogue access point countermeasure, to disable the rogue access point.

Previous work on rogue access point detection focuses on two approaches: 1) client based rogue access point detection and 2) network based rogue access point detection. Client based rogue access point detection uses the client computer to implement the detection [2][20]. [2] proposed a technique called Client Conduit that detects rogue access points by switching the wireless network interface card (i.e., the client NIC) to act like an access point and then collecting wireless data for analysis. [20] proposed an agent-based solution installed on the client computer that performs real time rogue access point detection by comparing the MAC addresses obtained by sniffing with the registered MACs. Network based rogue access point detection was proposed in [3][4]. [3] proposed rogue access point detection based on temporal traffic characteristics: the inter-packet time of the traffic is measured to differentiate traffic from the regular wired LAN from traffic from the wireless LAN. That paper reports that 80% of wired LAN inter-packet times are less than 1 ms, while 90% of wireless LAN inter-packet times are greater than 1 ms. [4] proposed measuring TCP-ACK pairs in the traffic to differentiate wired LAN traffic from wireless LAN traffic. In addition, there are quite a few commercial rogue access point detection products available on the market. Most of them rely on dedicated wireless sensors to perform RF detection. Commercial products such as AirWave [5], AirDefense [6], AirMagnet [7], Wifi Manager [8] and Cisco WLSE [9] are proprietary.

3. The Proposed Solution

In this paper we propose the solution that is different from the previous works. Key features are:


1) An integrated rogue access point detection and countermeasure system.

2) Use of the existing access points as wireless sensors. No dedicated wireless sensor is required.

The proposed system (shown in Figure 1) consists of 3 main components:

1) Access Point: the access point can operate in two modes. Normal Mode is the mode in which the access point performs as a regular access point, and Sniffer Mode is the mode in which the access point performs as a wireless sniffer collecting the surrounding wireless data. Most enterprise class access points include such a feature. Switching between the two modes is proprietary and requires a vendor specific command. Our solution turns the existing access points distributed around the facility into wireless sensors that detect the rogue access point.

2) Switch: the switch is part of the counterattack mechanism. The switch can disable the port to which the rogue access point is attached. Typically, blocking a switch port can be controlled by an SNMP command; therefore, our solution requires a switch with SNMP support.

3) Central System: the Central System includes all the intelligent functions, such as access point mode switching, sniffing data collection, rogue access point identification and localization, and switch port blocking.

Figure 1: System Design (components: Access Point, Rogue Detection and Counterattack System (Central System), Switch)

3.1 Rogue Access Point Detection

The rogue access point detection starts with RF sniffing to collect wireless data, and then analyzes the collected data to determine the rogue access point.

The rogue access point sniffer phase consists of the following processes:

1) The access point is switched from Normal Mode to Sniffer Mode and operates as a wireless sniffer, collecting wireless sniffing data including Beacon and Probe messages and client data frames. The frame format of the wireless sniffer data is shown in Figure 2.

2) The wireless sniffing data is normalized to remove irrelevant information, and the rest is stored in the database.

3) Steps 1 and 2 are repeated with a different sniffing channel (from channel 1 to channel 13).

4) The access point mode is switched back to Normal Mode.

Figure 2: Cisco Aironet proprietary frame format

Figure 3: Rogue access point detection algorithm

The potential rogue access point data is stored in the database waiting to be analyzed. The central system analyzes the rogue access point based on the detection algorithm shown in Figure 3. The algorithm is as follows:

1) Compare the sniffing data (i.e., SSID, wireless MAC) with the authorized AP information, which is stored beforehand. There are three possible outcomes: Completely Matched (SSID and MAC), Completely Unmatched (neither SSID nor MAC) and Partially Matched (not SSID but MAC, or SSID but not MAC). If Completely Matched, go to stage 2); if Partially Matched, go to stage 3); and if Completely Unmatched, go to stage 4).

2) For Completely Matched, there are two possibilities: a Trusted AP or an Attacker's Rogue AP. The attacker's rogue AP completely spoofs the authorized AP information (i.e., spoofed MAC and spoofed SSID). Typically it is hard to verify whether an AP is the legitimate one. Therefore, we propose a technique that can differentiate Trusted APs from Spoofed Rogue APs using the timestamp information in the Beacon. Normally each access point includes a timestamp in its Beacon. The timestamp is the total uptime of the access point measured since it started. Even though the attacker can manipulate the spoofed SSID and wireless MAC, they will have a difficult time trying to synchronize with and spoof the timestamp of the trusted AP.

3) For Partially Matched, the result is either a Misconfiguration AP or an Attacker's Rogue AP. The Misconfiguration AP is an access point whose configuration is not consistent with the registered AP. Verifying the configuration of all APs removes the Misconfiguration AP outcome and leaves the remaining cases as Attacker's Rogue APs.

4) For Completely Unmatched, the result is either a Neighborhood AP or an Employee rogue AP. If the AP connects to an external network, we can assume that it is a Neighborhood AP. If the AP connects to the internal network, it is an Employee rogue AP. The technique to perform "AP internal connection checking", or AP localization, is described in the next section.

3.2 Rogue Access Point Localization

After discovering the rogue access points, we need to locate where they are and perform the countermeasure. Localization is the process of discovering whether the rogue access point is connected to the company's network and, if so, to which switch port it is connected. The AP localization technique relies on the sniffing data obtained from the wireless client that is associated with the questioned AP. The wireless client accesses the network through the questioned AP, and the data header includes the wireless MAC address of the wireless client. If the wireless MAC address of the wireless client appears at any port of the internal switch (queried through an SNMP command), we can conclude that the questioned AP is connected to the internal network. This technique is invalid if the rogue access point is a router or uses NAT; in that case, a walk-through audit is required.

3.3 Rogue Access Point Countermeasure

Based on the rogue access point localization, we know exactly to which switch port the rogue access point is connected. The central system then issues an SNMP command to block that switch port. In case the rogue access point location is unavailable, a walk-through audit is required. The countermeasure algorithm is shown in Figure 4.

Figure 4: Rogue access point Countermeasure algorithm
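The decision stages of Figure 3 (Section 3.1) together with the Section 3.2 localization check, written out as an added example that is not the authors' implementation; it assumes the authorized AP and the Table 2 MAC/SSID values, while the client MAC, the switch forwarding-table entry, the verified-configuration table and the beacon timestamps are constructed for illustration:

```python
# Added example (not the authors' code): stages 1-4 of the Figure 3 detection
# algorithm (Section 3.1) plus the switch-port localization of Section 3.2,
# run over constructed sniffer records. MAC/SSID values come from Table 2;
# client MACs, switch ports and beacon timestamps are constructed.

# Registered APs: wireless MAC -> SSID (the authorized AP of Table 2).
AUTHORIZED = {"0019e8d90ba0": "RDS"}

# Max spread (us) of TSF-minus-capture offsets expected from one transmitter.
TSF_TOLERANCE_US = 2_000


def match_stage(ssid, mac):
    """Stage 1: compare the sniffed SSID/MAC pair with the authorized AP table."""
    if AUTHORIZED.get(mac) == ssid:
        return "Completely Matched"
    if mac in AUTHORIZED or ssid in AUTHORIZED.values():
        return "Partially Matched"
    return "Completely Unmatched"


def beacon_sources(beacons):
    """Stage 2: a Beacon carries a TSF timestamp (AP uptime in us). One AP gives a
    near-constant (TSF - capture time) offset; a second device spoofing the same
    SSID and MAC runs on its own uptime, so its offsets form a separate cluster.
    beacons: list of (capture_time_us, tsf_us). Returns the cluster count."""
    offsets = sorted(tsf - captured for captured, tsf in beacons)
    clusters = 1
    for a, b in zip(offsets, offsets[1:]):
        if b - a > TSF_TOLERANCE_US:
            clusters += 1
    return clusters


def find_switch_port(client_macs, fdb):
    """Section 3.2: clients of the questioned AP reach the wired LAN through it, so
    their wireless MACs show up in the switch forwarding table (fdb: MAC -> port,
    as polled over SNMP). None means no internal port carries them."""
    for mac in client_macs:
        if mac in fdb:
            return fdb[mac]
    return None


def classify(ap, fdb, verified_config):
    """Returns (verdict, switch_port). ap = {ssid, mac, beacons, clients};
    verified_config maps a registered MAC to the SSID actually configured on
    that AP (the stage 3 configuration check)."""
    stage = match_stage(ap["ssid"], ap["mac"])
    if stage == "Completely Matched":
        if beacon_sources(ap["beacons"]) > 1:
            return "Attacker's Rogue AP (SSID and MAC spoof)", None
        return "Trusted AP", None
    if stage == "Partially Matched":
        if verified_config.get(ap["mac"]) == ap["ssid"]:
            return "Misconfiguration AP", None
        return "Attacker's Rogue AP", None
    port = find_switch_port(ap["clients"], fdb)
    if port is None:
        return "Neighborhood AP (or NAT/router rogue: walk-through audit)", None
    return "Employee rogue AP", port


# Constructed inputs; capture times and TSF values are in microseconds.
TRUSTED_BEACONS = [(t, 5_000_000_000 + t) for t in (0, 102_400, 204_800)]
SPOOF_BEACONS = [(t, 12_345_678 + t) for t in (51_200, 153_600)]
SWITCH_FDB = {"001122334455": "FastEthernet0/7"}  # constructed MAC -> port
VERIFIED = {"0019e8d90ba0": "RDS"}                 # SSID read from the real AP

TABLE2 = {
    "Authorized": {"ssid": "RDS", "mac": "0019e8d90ba0",
                   "beacons": TRUSTED_BEACONS, "clients": []},
    "Type 1": {"ssid": "Rogue-1", "mac": "0013468b7434",
               "beacons": [], "clients": ["001122334455"]},
    "Type 2": {"ssid": "RDS", "mac": "00304f51c609", "beacons": [], "clients": []},
    "Type 3": {"ssid": "Rogue-2", "mac": "0019e8d90ba0", "beacons": [], "clients": []},
    "Type 4": {"ssid": "RDS", "mac": "0019e8d90ba0",
               "beacons": sorted(TRUSTED_BEACONS + SPOOF_BEACONS), "clients": []},
}


def run_table2():
    """Classify every Table 2 entry; returns {name: verdict}."""
    return {n: classify(ap, SWITCH_FDB, VERIFIED)[0] for n, ap in TABLE2.items()}
```

Calling run_table2() yields the verdict for each Table 2 row; Type 4 is only separated from the authorized AP by the two distinct TSF offset clusters its beacons produce.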

4. The Experimental Result

The experimental testbed is shown in Figure 5. It consists of an AP, a Central Server, a Manage AP, a Rogue AP and a Wireless Client.

Figure 5: Experimental testbed


The central server contains:

1. Expect: the Expect software tool is used to remotely control the AP mode switching through SSH.

2. Apache and PHP5 for the web service.

3. MySQL for the rogue access point database.

4. gcc for compiling the server program.

4.1 Access Point Mode Switching

The experiment measures the transition time between each mode (i.e., Normal Mode, Sniffer Mode). The Central Server sends a CLI command to the access point to change the access point status. The resulting transition times are shown in Table 1.

Transition Mode                               Transition Time (sec.)
Normal -> Sniffer                             4.25
Sniffer (channel i) -> Sniffer (channel j)    6
Sniffer -> Normal                             74

Table 1: AP Transition Time

In Sniffer Mode, there are transitions from Sniffer (Channel i) to Sniffer (Channel j). The access point needs to change from Ch1 to Ch2 to Ch3 and so on up to Ch11 to detect the rogue access point on all possible channels. So the total time of switching from Normal Mode to Sniffer Mode and back to Normal Mode equals 4.25 + (6 x 11) + 74 = 144.25 seconds.

4.2 Rogue Access Point Detection

In this section, we perform the experiment to show how the proposed system detects the various types of rogue access point. We define four types of rogue access point:

1. Rogue Type 1: Employee's rogue access point, no SSID spoof and no wireless MAC spoof.

2. Rogue Type 2: Attacker's rogue access point, with SSID spoof but no wireless MAC spoof.

3. Rogue Type 3: Attacker's rogue access point, with no SSID spoof but wireless MAC spoof.

4. Rogue Type 4: Attacker's rogue access point, with SSID spoof and wireless MAC spoof.

We set up the Authorized AP with SSID "RDS" and wireless MAC "0019e8d90ba0", and each type of rogue access point as shown in Table 2 (note: in the original table, a shaded cell represents spoofing). The result (see Figure 6) shows that our system can detect all four types of rogue access point.

Type of AP       MAC             SSID      Channel
Authorized AP    0019e8d90ba0    RDS       1
Rogue Type 1     0013468b7434    Rogue-1   1
Rogue Type 2     00304f51c609    RDS*      1
Rogue Type 3     0019e8d90ba0*   Rogue-2   1
Rogue Type 4     0019e8d90ba0*   RDS*      1
(* = spoofed value)

Table 2: Rogue Access Point Testing

Figure 6: Rogue Access Point Detection

5. The Recommended Secure Wireless System

In order to mitigate rogue access points effectively, a secured wireless system is required. Our recommendations for a secured wireless system are summarized as follows:

1) Wireless Security Policy: The wireless security policy plays a key role in guiding the company in the right direction toward secured wireless. The policy presents the commitment on security issues. It should clearly state the importance of security, that unauthorized access points are not allowed, and the consequences of policy violation. Furthermore, there should be regular announcements or reminders about the security policy to employees.

2) Wireless Risk Assessment: An annual wireless risk assessment is also essential. The wireless risk assessment analyzes the threats, vulnerabilities and impact, and it provides the priority of how much protection each part of the system needs.

3) Wired and Wireless Network Separation: The wired network and the wireless network should be separated (shown in Figure 7). This common practice provides good security because wired and wireless LANs have different security requirements, so different security measures are applied to each network. In the enterprise wireless network, the information about the access points installed in the company is registered. The information includes the MAC address of the access point, the SSID (ID of the wireless network), the channel, the installed location, etc.

4) User Separation: Different groups of users should have different security policies applied. For example, guest users are only allowed to access the Internet with limited services, while staff users are allowed to access the Intranet. User separation can be done with different SSIDs and different VLANs.

5) Authentication: The wireless system should implement some form of authentication in order to control users before they are allowed to access the network. Mutual authentication (i.e., the user authenticates the wireless system and the wireless system authenticates the user) is necessary for the wireless network. Mutual authentication can mitigate the rogue access point, since users will only associate with a trusted access point. EAP-TLS, EAP-TTLS and PEAP are the most common authentication protocols.

6) Confidentiality: Encryption provides secure communication over the wireless LAN. WPA or IEEE 802.11i is the common solution.

7) Physical Security: Securing physical access is important. All network equipment (such as servers, access points and switches) should be protected from unauthorized access. LAN outlets should also be secured.

8) Awareness Training and Education: Employees are required to have awareness training regularly.

Figure 7: Wired and Wireless Networks

6. Conclusion

In this paper we proposed an integrated solution for detecting and counterattacking rogue access points. We classified rogue access points and analyzed the associated risks, and we proposed a rogue detection algorithm. The proposed solution is effective and low cost: it is designed to use the existing wireless LAN infrastructure, so there is no need to acquire new RF devices or dedicated wireless detection sensors. Experiments on a real system were demonstrated.

References

[1] Raheem Beyah, Shantanu Kangude, George Yu, Brian Strickland and John Copeland. "Rogue Access Point Detection using Temporal Traffic Characteristics", Proceedings of IEEE GLOBECOM'04.
[2] Austin Godber and Partha Dasgupta. "Countering Rogues in Wireless Networks", Parallel Processing Workshops, 2003.
[3] Wei Wei, Kyoungwon Suh, Bing Wang, Yu Gu and Jim Kurose. "Passive Online Rogue Access Point Detection Using Sequential Hypothesis Testing with TCP ACK-Pairs", Proceedings of IMC'07.
[4] Atul Adya, Paramvir Bahl, Ranveer Chandra and Lili Qiu. "Architecture and Techniques for Diagnosing Faults in IEEE 802.11 Infrastructure Networks", Proceedings of MobiCom, 2004.
[5] Cisco Wireless LAN Solution Engine (WLSE). http://www.cisco.com/en/US/products/sw/ciscowork/ps3915
[6] AirMagnet. http://www.airmagnet.com
[7] NetStumbler. http://www.netstumbler.com
[8] Tcpdump. http://www.tcpdump.org
[9] Aircrack-ng. http://www.aircrack-ng.org
[10] Wireshark. http://www.wireshark.org/
[11] White Paper, "Rogue Access Point Detection: Automatically Detect and Manage Wireless Threats to your Network". http://www.proxim.com
[12] "What is a rogue wireless access point". http://www.tech-faq.com/rogue-access-point.shtml
[13] AirWave. http://www.airwave.com
[14] AirDefense. http://www.airdefense.net
[15] SpectraMon/SpectraGuard. http://www.wibhu.com
[16] "Rogue Detection and Blocking", white paper. http://manageengine.adventnet.com/products/wifi-manager/rogue-detection-and-blocking-whitepaper.html
[17] The National Telecommunications Commission. http://www.ratchakitcha.soc.go.th/DATA/PDF/2550/E/009/34.PDF
[18] Steven M. Bellovin. "A Technique for Counting NATed Hosts", Proceedings of the ACM SIGCOMM Workshop, 2002.
[19] Wei Wei, Bing Wang, Chun Zhang, Jim Kurose and Don Towsley. "Classification of Access Network Types: Ethernet, Wireless LAN, ADSL, Cable Modem or Dialup?", Proceedings of IEEE Infocom 2005.
[20] Mohan K. Chirumamilla and Byrav Ramamurthy. "Agent Based Intrusion Detection and Response System for Wireless LANs", Proceedings of ICC'03, 2003.
