Bachelor Degree Project: Comparison of systems to detect rogue access points

Author: Alexander Lennartsson, Hilda Melander
Supervisor: Ola Flygt
Semester: VT 2019
Subject: Computer Science

Abstract

A hacker might use a rogue access point to gain access to a network, which poses a threat to the individuals connected to it. The hacker might have the potential to leak corporate data or steal private information. The detection of rogue access points is therefore important to prevent damage to both businesses and individuals. Comparing different software that detects rogue access points increases the chance of someone finding a solution that suits their network. The types of software that are compared are intrusion detection systems, wireless scanners and a Cisco wireless LAN controller. The parameters that are compared are cost, compatibility, detection capability and implementation difficulty. In order to obtain results, some of the parameters require testing. As there are three types of software, three experiment environments should be conducted. Our research indicates that already existing network equipment or the size of the network affects the results from the experiments.
Keywords: Network Intrusion Detection, Rogue Access Points, Wireless Scanner, Wireless Lan Controller, Software Comparisons

Contents

List of Figures ... I
List of Tables ... II
1 Introduction ... 1
  1.1 Background ... 1
  1.2 Related work ... 1
  1.3 Problem formulation ... 2
  1.4 Motivation ... 2
  1.5 Objectives ... 3
  1.6 Scope/Limitation ... 3
  1.7 Target group ... 4
  1.8 Outline ... 4
2 Method ... 5
  2.1 Scientific Approach ... 5
  2.2 Reliability and Validity ... 5
  2.3 Ethical considerations ... 5
3 Detection methods for rogue access points ... 6
  3.1 Intrusion Detection ... 6
    3.1.1 Signature-based detection ... 6
    3.1.2 Anomaly-based detection ... 6
  3.2 Intrusion Prevention ... 7
  3.3 Wireless Scanner ... 7
  3.4 Detection Approaches of Rogue access points ... 7
  3.5 The Software Packages ... 7
4 The Parameters ... 9
  4.1 Parameter Motivation ... 9
5 Implementation ... 10
  5.1 IDS Experiment environment ... 10
    5.1.1 Snort ... 11
    5.1.2 Zeek (Bro) ... 11
    5.1.3 Suricata ... 11
  5.2 Wireless Scanner Experiment environment ... 11
    5.2.1 Wireless Scanners software ... 12
  5.3 WLC Experiment environment ... 12
    5.3.1 Cisco WLC ... 13
6 Results ... 14
  6.1 Implementation difficulty ... 14
  6.2 Compatibility ... 15
  6.3 Cost ... 15
  6.4 Detection Capability ... 16
7 Analysis and Discussion ... 18
  7.1 The Analyzed Concerns ... 18
  7.2 Ways to detect rogue access points ... 18
  7.3 Parameters used to compare ... 18
    7.3.1 Implementation difficulty ... 18
    7.3.2 Compatibility ... 19
    7.3.3 Cost ... 19
    7.3.4 Detection Capability ... 20
  7.4 Solutions for Networks ... 20
    7.4.1 Scenario one: Small sized network ... 20
    7.4.2 Scenario two: Large sized network ... 20
8 Conclusion and Future work ... 22
  8.1 Conclusion ... 22
  8.2 Future work ... 22
References ... 24
A Appendix ... A
  A.1 Device summary ... A
  A.2 Software versions ... B
  A.3 Acronyms ... C

List of Figures

5.1 IDS Topology ... 10
5.2 RSSI Topology ... 12
5.3 WLC Topology ... 13
1.4 Devices ... A

List of Tables

1.1 Research questions ... 2
1.2 Objectives ... 3
6.3 Difficulty table ... 14
6.4 Compatibility table ... 15
6.5 Cost table ... 16
6.6 Detection table ... 17
1.7 Software versions ... B
1.8 Acronyms ... C

1 Introduction

The process and the mechanism of detecting rogue access points (RAPs) differ between software packages [1]. By comparing different software and their ability to find RAPs, there is a chance of decreasing the harm that they pose. The harm of a RAP depends on what type of RAP it is. Some examples of the harm that a RAP can cause are theft of company data or eavesdropping on private conversations [2].
Knowing in which situations certain software is more effective can increase the security of the network. The requirements on a network can change based on different variables. Examples of requirements are level of security, management, cost and existing network equipment or hardware specifications. As most networks have unique features, it is necessary to find a suitable protection solution for each network. A comparison between software is essential, as RAPs can bring harm to both the enterprise and the people associated with it [2].

1.1 Background

Nowadays, many places offer Wi-Fi access, anything from the local coffee shop to workplaces. One of the security concerns with Wi-Fi access being available almost everywhere is RAPs. There are three types of RAP: (1) an unauthorized AP, (2) a phishing AP and (3) a compromised AP [3]. Many APs are not configured securely, and these are threats to the connecting network as they lower the security of the overall network. A RAP of category (1) is set up on a network's infrastructure without the approval of the network administrator [4]. Category (2) can be a device configured to mimic an already existing AP to try to lure individuals into using the mimicked device. The hacker could monitor the data sent or received via the phishing AP, which might result in stolen information and credentials. An AP is considered to be a RAP of category (3) if there are unusual events that are caused by a hacker, a virus, or another type of mechanism [5].

To prevent the attack which could cause an AP to become compromised, additional software might be required. One type of system that can detect compromised APs is called an intrusion detection system (IDS). An IDS is a system that monitors the network and can detect attacks and other malicious activities. An IDS is not able to do any management control work; this means that when an IDS finds a problem it will forward a message to an administrator [3].
Another type of software that can be used to detect RAPs is wireless scanners. Wireless scanners measure the radio signals that an AP broadcasts. The power of the signal is measured using the device's received signal strength indicator (RSSI). The higher the RSSI value is, the closer the wireless scanner device is to the AP [6].

1.2 Related work

There is a significant number of related studies that are relevant to the research. As our research investigates multiple types of software, some studies are relevant to certain software packages, such as [7] and [8]. Both of these studies describe Snort and its functions as an IDS. They give suggestions for how to make Snort able to act as an intrusion detection prevention system (IPS) to prevent attacks. In [8] the focus is on creating a framework that uses RSSI to prevent RAPs more efficiently. This means that the study mentions the security concerns of RAPs. The framework is said to be able to detect both phishing APs and unauthorized APs, while in [7] the main focus is on Snort combined with firewall commands. Neither of the proposed suggestions is relevant to the thesis research, as the thesis focuses on Snort as an IDS. However, the thesis comparison includes wireless scanners, which use RSSI to detect RAPs. Other studies that are relevant to the research are [9] and [1]. In these studies the detection of RAPs is mentioned. However, [9] focuses more on how an IDS should be designed for the detection of RAPs, while in [1] the focus is on the different methods that can be used in the detection of RAPs.

1.3 Problem formulation

A RAP can pose a threat to the networks in the area, depending on what type of RAP it is. If the RAP is set up by a hacker, it could cause harm by leakage of data from an enterprise or by intercepting private conversations [5]. The harm that can be caused by a RAP is the reason why it is important to investigate how different software detects RAPs.
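The three RAP categories from section 1.1 and the RSSI-means-proximity rule from the wireless-scanner paragraph above, turned into detection logic as an added example (this is not code from the thesis or from any of the compared software packages): a scan is checked against an inventory of authorized APs, a known BSSID whose settings have drifted is reported as compromised (3), an unknown BSSID advertising one of the network's own SSIDs as phishing (2), and findings are ordered by RSSI so the nearest rogue is investigated first. The inventory, BSSIDs and RSSI values are constructed; the scan format is an assumed simplification of what a wireless scanner reports.

```python
"""Added example (not from the thesis): classify a wireless scan against an
authorized-AP inventory, using the three RAP categories from section 1.1 and
the RSSI-means-proximity rule from the wireless-scanner paragraph.

Every AP, BSSID and RSSI value below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as a scanner would summarise it (assumed format)."""
    ssid: str
    bssid: str
    channel: int
    security: str
    rssi: int  # dBm; a higher (less negative) value means the AP is closer


# Constructed inventory of the network's own APs, keyed by BSSID.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"ssid": "CorpNet", "channel": 6, "security": "WPA2"},
    "aa:bb:cc:00:00:02": {"ssid": "CorpNet", "channel": 11, "security": "WPA2"},
}


def classify(beacon, authorized=AUTHORIZED):
    """Map one beacon to 'authorized', 'compromised' (3), 'phishing' (2)
    or 'unknown' (a candidate for category 1)."""
    expected = authorized.get(beacon.bssid.lower())
    if expected is not None:
        # A known radio whose settings drifted from the inventory (for
        # example security downgraded to OPEN) is treated as category (3).
        drift = [field for field in ("ssid", "channel", "security")
                 if getattr(beacon, field) != expected[field]]
        return "compromised" if drift else "authorized"
    if beacon.ssid in {entry["ssid"] for entry in authorized.values()}:
        # Category (2): an unknown radio mimicking one of our SSIDs.
        return "phishing"
    # The scan alone cannot tell whether this AP is plugged into the wired
    # infrastructure (category 1); that needs a wired-side check, so it is
    # only reported as unknown here.
    return "unknown"


def triage(beacons, authorized=AUTHORIZED):
    """Group beacons by category, strongest RSSI first, so the rogue that is
    physically nearest the scanner is listed first in each group."""
    findings = {}
    for beacon in sorted(beacons, key=lambda b: b.rssi, reverse=True):
        findings.setdefault(classify(beacon, authorized), []).append(beacon)
    return findings


def nearest_rogue(beacons, authorized=AUTHORIZED):
    """Return the non-authorized beacon with the highest RSSI, or None."""
    rogues = [b for b in beacons if classify(b, authorized) != "authorized"]
    return max(rogues, key=lambda b: b.rssi) if rogues else None


# Constructed scan: one legitimate AP, an evil twin of CorpNet, a corporate
# AP whose security has been downgraded, and an unrelated open AP.
SCAN = [
    Beacon("CorpNet", "aa:bb:cc:00:00:01", 6, "WPA2", -48),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN", -35),
    Beacon("CorpNet", "aa:bb:cc:00:00:02", 11, "OPEN", -60),
    Beacon("FreeWifi", "de:ad:be:ef:00:02", 1, "OPEN", -70),
]

if __name__ == "__main__":
    for category, hits in triage(SCAN).items():
        for hit in hits:
            print(f"{category:11} {hit.bssid} {hit.ssid:9} "
                  f"ch{hit.channel:<2} {hit.security:5} {hit.rssi} dBm")
    print("nearest rogue:", nearest_rogue(SCAN).bssid)
```

The inventory lookup is what a WLC does with its list of managed radios; a standalone scanner without such a list can only rank APs by RSSI, which is why the thesis treats the two as different classes of software.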
As most networks have unique features, not every software might be suitable for each network [cite?]. By comparing software solutions, the chance that someone finds the correct software for their network increases, hence protecting them against RAPs. In order to find software solutions to suit a wide range of networks, various parameters needed to be compared. The chosen parameters had to take into consideration that the requirements on a home and a corporate network are different. There are many things that