Bachelor Degree Project: Comparison of systems to detect rogue access points



Author: Alexander Lennartsson, Hilda Melander
Supervisor: Ola Flygt
Semester: VT 2019
Subject: Computer Science

Abstract

A hacker might use a rogue access point to gain access to a network, which poses a threat to the individuals connected to it. The hacker might have the potential to leak corporate data or steal private information. The detection of rogue access points is therefore important in order to prevent damage to both businesses and individuals. Comparing different software that detects rogue access points increases the chance of someone finding a solution that suits their network. The types of software that are compared are intrusion detection systems, wireless scanners and a Cisco wireless LAN controller. The parameters that are compared are cost, compatibility, detection capability and implementation difficulty. Some of the parameters require testing in order to obtain results. As there are three types of software, three experiment environments are conducted. Our research indicates that already existing network equipment or the size of the network affects the results from the experiments.
Keywords: Network Intrusion Detection, Rogue Access Points, Wireless Scanner, Wireless LAN Controller, Software Comparisons

Contents

List of Figures
List of Tables
1 Introduction
  1.1 Background
  1.2 Related work
  1.3 Problem formulation
  1.4 Motivation
  1.5 Objectives
  1.6 Scope/Limitation
  1.7 Target group
  1.8 Outline
2 Method
  2.1 Scientific Approach
  2.2 Reliability and Validity
  2.3 Ethical considerations
3 Detection methods for rogue access points
  3.1 Intrusion Detection
    3.1.1 Signature-based detection
    3.1.2 Anomaly-based detection
  3.2 Intrusion Prevention
  3.3 Wireless Scanner
  3.4 Detection Approaches of Rogue access points
  3.5 The Software Packages
4 The Parameters
  4.1 Parameter Motivation
5 Implementation
  5.1 IDS Experiment environment
    5.1.1 Snort
    5.1.2 Zeek (Bro)
    5.1.3 Suricata
  5.2 Wireless Scanner Experiment environment
    5.2.1 Wireless Scanners software
  5.3 WLC Experiment environment
    5.3.1 Cisco WLC
6 Results
  6.1 Implementation difficulty
  6.2 Compatibility
  6.3 Cost
  6.4 Detection Capability
7 Analysis and Discussion
  7.1 The Analyzed Concerns
  7.2 Ways to detect rogue access points
  7.3 Parameters used to compare
    7.3.1 Implementation difficulty
    7.3.2 Compatibility
    7.3.3 Cost
    7.3.4 Detection Capability
  7.4 Solutions for Networks
    7.4.1 Scenario one: Small sized network
    7.4.2 Scenario two: Large sized network
8 Conclusion and Future work
  8.1 Conclusion
  8.2 Future work
References
A Appendix
  A.1 Device summary
  A.2 Software versions
  A.3 Acronyms

List of Figures
  5.1 IDS Topology
  5.2 RSSI Topology
  5.3 WLC Topology
  1.4 Devices

List of Tables
  1.1 Research questions
  1.2 Objectives
  6.3 Difficulty table
  6.4 Compatibility table
  6.5 Cost table
  6.6 Detection table
  1.7 Software versions
  1.8 Acronyms

1 Introduction

The process and the mechanism of detecting rogue access points (RAP) differ between software packages [1]. By comparing different software and their ability to find RAPs, there is a chance of decreasing the harm that they pose. The harm of a RAP depends on what type of RAP it is. Some examples of the harm that a RAP can cause are theft of company data or eavesdropping on private conversations [2].
Knowing in which situations certain software is more effective can increase the security of the network. The requirements on a network can change based on different variables; examples of requirements are level of security, management, cost and existing network equipment or hardware specifications. As most networks have unique features, it is necessary to find a suitable protection solution for each network. A comparison between software is essential, as RAPs can bring harm to both the enterprise and the people associated with it [2].

1.1 Background

Nowadays, many places offer Wi-Fi access, anything from the local coffee shop to workplaces. One of the security concerns with Wi-Fi access being available almost everywhere is RAPs. There are three types of RAP: (1) an unauthorized AP, (2) a phishing AP and (3) a compromised AP [3]. Many APs are not configured securely, and these are threats to the network they connect to, as they lower the security of the overall network. A RAP of category (1) is set up on a network's infrastructure without the approval of the network administrator [4]. Category (2) is when a device is configured to mimic an already existing AP to try to lure individuals into using the mimicked device. The hacker could monitor the data sent or received via the phishing AP, which might result in stolen information and credentials. An AP is considered to be a RAP of category (3) if there are unusual events that are caused by a hacker, a virus, or another type of mechanism [5]. Preventing the attack that could cause an AP to become compromised might require additional software. One type of system that can detect compromised APs is called an intrusion detection system (IDS). An IDS is a system that monitors the network and can detect attacks and other malicious activities. An IDS is not able to do any management control work; this means that when an IDS finds a problem it forwards a message to an administrator [3].
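The three RAP categories above can be turned into concrete checks that a scanner-fed detector runs against an inventory of approved APs and then, like the IDS just described, forwards as a message to the administrator. The Python below is an added example written for this page; it is not code from the thesis or from any of the products the thesis compares. It assumes a constructed comma-separated scan format, a constructed inventory of approved APs, a -60 dBm received-signal-strength (RSSI) threshold as a proximity heuristic, and the heuristic that an approved AP whose advertised settings no longer match the inventory is reported as possibly compromised; none of these assumptions come from the thesis.

```python
"""Rogue access point triage over wireless scan results.

Added example: constructed scan format, inventory and thresholds
(not from the thesis or any product it compares).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str       # AP radio MAC, lower-cased
    channel: int
    security: str    # "WPA2", "OPEN", ... (upper-cased)
    rssi: int        # received signal strength in dBm; nearer 0 means closer


@dataclass(frozen=True)
class Alert:
    category: str    # "phishing", "unauthorized" or "compromised"
    bssid: str
    ssid: str
    rssi: int
    detail: str


# Constructed inventory of the APs the administrator has approved (assumption).
AUTHORIZED_APS: Dict[str, Dict[str, object]] = {
    "aa:bb:cc:00:00:01": {"ssid": "CorpWiFi", "channel": 6, "security": "WPA2"},
    "aa:bb:cc:00:00:02": {"ssid": "CorpWiFi", "channel": 11, "security": "WPA2"},
}
CORPORATE_SSIDS = {"CorpWiFi"}
NEAR_DBM = -60  # assumed threshold: a signal at least this strong is treated as on-premises


def parse_scan_lines(lines: Iterable[str]) -> List[ScanRecord]:
    """Parse constructed 'ssid,bssid,channel,security,rssi' lines; '#' starts a comment."""
    records: List[ScanRecord] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, security, rssi = (f.strip() for f in line.split(","))
        records.append(ScanRecord(ssid, bssid.lower(), int(channel), security.upper(), int(rssi)))
    return records


def classify_scan(records: Iterable[ScanRecord],
                  authorized: Dict[str, Dict[str, object]] = AUTHORIZED_APS,
                  corp_ssids=CORPORATE_SSIDS,
                  near_dbm: int = NEAR_DBM) -> List[Alert]:
    """Map each scanned AP to one of the three RAP categories, or to no alert."""
    alerts: List[Alert] = []
    for r in records:
        expected = authorized.get(r.bssid)
        if expected is None:
            if r.ssid in corp_ssids:
                # Type (2), phishing AP: an unapproved radio imitating the corporate SSID.
                alerts.append(Alert("phishing", r.bssid, r.ssid, r.rssi,
                                    "unknown BSSID advertises a corporate SSID"))
            elif r.rssi >= near_dbm:
                # Type (1), unauthorized AP: a scanner only sees beacons, so a strong
                # signal is used as the hint that the AP is on the premises.
                alerts.append(Alert("unauthorized", r.bssid, r.ssid, r.rssi,
                                    "unknown AP with strong signal; verify whether it is cabled into the network"))
            # Weak unknown signals are treated as neighbouring networks and ignored.
            continue
        # Type (3), compromised AP (heuristic): an approved AP whose advertised
        # settings drifted from the inventory, e.g. encryption switched off.
        mismatches = [f"{field} expected {expected[field]} but saw {got}"
                      for field, got in (("ssid", r.ssid), ("channel", r.channel), ("security", r.security))
                      if expected[field] != got]
        if mismatches:
            alerts.append(Alert("compromised", r.bssid, r.ssid, r.rssi, "; ".join(mismatches)))
    return alerts


def format_alert(alert: Alert) -> str:
    """Render the message an IDS-style component would forward to the administrator."""
    return f"[{alert.category.upper()}] {alert.ssid} ({alert.bssid}) rssi={alert.rssi} dBm: {alert.detail}"


# Constructed scan output (not real measurements).
SAMPLE_SCAN = """\
# ssid,bssid,channel,security,rssi
CorpWiFi,AA:BB:CC:00:00:01,6,WPA2,-48
CorpWiFi,DE:AD:BE:EF:00:01,6,WPA2,-52
CorpWiFi,AA:BB:CC:00:00:02,11,OPEN,-70
FreeCoffee,00:11:22:33:44:55,1,OPEN,-45
Neighbour_Net,66:77:88:99:AA:BB,3,WPA2,-85
"""


if __name__ == "__main__":
    for alert in classify_scan(parse_scan_lines(SAMPLE_SCAN.splitlines())):
        print(format_alert(alert))
```

On the constructed scan, the first record matches the inventory and produces nothing, the second is reported as phishing (an unknown BSSID carrying the corporate SSID), the third as possibly compromised (an approved BSSID now advertising an open network) and the fourth as unauthorized; the weak fifth signal is left alone as a neighbouring network. Because a scanner only observes beacons, the unauthorized verdict is a lead to confirm by other means rather than proof that the device is attached to the monitored LAN.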
Another type of software that can be used to detect RAPs is the wireless scanner. Wireless scanners measure the radio signals that an AP broadcasts. The power of the signal is measured using the device's received signal strength indicator (RSSI). The higher the RSSI value is, the closer the wireless scanner device is to the AP [6].

1.2 Related work

There is a significant number of related studies that are relevant to the research. As our research investigates multiple types of software, some studies are relevant to certain software packages, such as [7] and [8]. Both of these studies describe Snort and its functions as an IDS. They give suggestions for how to make Snort able to act as an intrusion prevention system (IPS) to prevent attacks. In [8] the focus is on creating a framework that uses RSSI to prevent RAPs more efficiently. This means that the study mentions the security concerns of RAPs. The framework is said to be able to detect both phishing APs and unauthorized APs. In [7] the main focus is on Snort combined with firewall commands. Neither of the proposed suggestions is relevant to the thesis research, as the thesis focuses on Snort as an IDS. However, the thesis comparison includes wireless scanners, which use RSSI to detect RAPs. Other studies that are relevant to the research are [9] and [1]. In these studies the detection of the RAP is mentioned. However, [9] focuses more on how an IDS should be designed for the detection of the RAP, while [1] focuses on the different methods that can be used in the detection of the RAP.

1.3 Problem formulation

A RAP can pose a threat to the networks in the area, depending on what type of RAP it is. If the RAP is set up by a hacker, it could cause harm by leakage of data from an enterprise or by intercepting private conversations [5]. The harm that can be caused by a RAP is the reason why it is important to investigate how different software detects RAPs.
As most networks have unique features, not every software might be suitable for each network [cite?]. By comparing software solutions, the chance that someone finds the correct software for their network increases, and hence protects them against RAPs. In order to find software solutions to suit a wide range of networks, various parameters needed to be compared. The chosen parameters had to take into consideration that the requirements on a home and a corporate network are different. There are many things that