Intrusion Detection on WLANsBy David F. Carr | Posted 2005-12-13 Email Print
Lockheed Martin couldn't allow hackers to see critical data on its wireless network. The answer: an intrusion detection system to pinpoint and repel attacks.
But even a security-obsessed organization like Lockheed Martin can realize cost benefits from wireless networking. As the company looked at its options for expanding the use of factory computersfor example, to make engineering documents available on screen rather than on paperas well as the need to reconfigure the plant floor to support new products such as the Joint Strike Fighter, it estimated the cost of digging up and rebuilding the concrete floors to lay new wiring at $20 million to $30 million, according to Voshell.
Deploying a wireless network thus made a lot of sense, and Lockheed Martin proceeded to do so with help from Symbol Technologies. Voshell's challenge was to figure out how to do it securely. Because wireless networking offers increased convenience and mobility, employees are likely to create their own setupsmost of which are not properly securedif they are not given an officially sanctioned option. So at the same time he was helping plan the new wireless network, Voshell found himself shutting down unofficial hot spots.
The solution was the AirDefense wireless intrusion detection system. The entire access point and sensor network took months to plan but only a few weeks to install at each location, starting in 2002 in Fort Worth and continuing to early 2003 at the other locations, he says.
Because Lockheed Martin's defenses have to be thorough, AirDefense sensors are hidden in the rafters above the ceiling tiles or sealed inside protective casings, even where no wireless network access points have been deployed. "That's how we know that there is no wireless here," Voshell explains while striding down a corridor in the Fort Worth plant.
In all, more than 200 access points and 200 AirDefense sensors were deployed as part of the project. Since a sensor can cover several access points, there were plenty to deploy outside the official wireless coverage area.
The Air Defense sensors collect radio transmission data and feed it to a monitoring server, which searches for inappropriate signals. When the system finds something suspicious, Voshell or one of his colleagues gets an alert by e-mail or pager, and can call up more details from any Web browser.
The system provides an approximate location for the rogue signal, based on the locations of the sensors that picked it up, as well as relative signal strength if it is within range of more than one sensor. So if an employee gets a wireless router for his birthday and decides to plug it into the office network, a member of the network security staff can locate that person's work space within minutes and confiscate the device.
Rogue access points are dangerous because wireless routers sold in an office superstore typically come configured for zero security. Unprotected wireless networks may be fine for checking personal e-mail at a local Starbucks, but they're not so great for protecting fighter-jet engineering plans. In fact, an unsecured wireless access point potentially provides an attacker with the kind of behind-the-firewall reach into the corporate network that would otherwise require physical access to the wired network.
If an approved access point is installed on the plant floor in an incorrect configurationor resets to the default settings following a power surgethe intrusion detection system will report those errors, too, so that they can be corrected.
To create a protected connection, wireless networks use encryption to compensate for sending signals over the airwaves rather than through insulated wires. But the Wireless Equivalent Privacy encryption standard that shipped with early 802.11 devices turned out to be notoriously weak. And while better standards are emerging, Voshell doesn't trust them yet.
So, Lockheed Martin's approved configuration for wireless networking uses virtual private network technology as an additional layer of defense. Instead of logging on directly to the corporate network, computers connecting via wireless access points must first pass through a firewall, using VPN software and a hardware security token attached to the computer for proof of identity and additional encryption.
Gartner analyst John Pescatore says the use of VPN software is a common workaround, but a clumsy one that organizations with less stringent security requirements might want to skip. "Users hate having to login twiceonce to the VPN, and then again to the application," he says.
since voshell's business is scanning for wireless network vulnerabilities, he doesn't appreciate anyone else doing so. Once, when he found a contractor in a Lockheed Martin conference room probing the network with sniffer software, he was not amused. The AirMagnet laptop software that the contractor was using is a legitimate toolin fact, Voshell's team used AirMagnet's software for handheld computers to pin down the origin of unauthorized wireless network activity.
Problem was, no one at Lockheed Martin had authorized the contractor to go poking around the wireless network, and he got a tap on the shoulder within minutes.
"That made me very happy, and my boss very happy, and the contractor not very happybecause we had to wipe his laptop," Voshell says. He had the authority to erase the contractor's hard drive because of an agreement that visitors sign before they are allowed to bring computers into a Lockheed Martin facility.
Other companies might have just closed the connection, Voshell explains, "but I don't know what that guy had gotten a hold of."
LOCKHEED MARTIN AERONAUTICS
Headquarters: Lockheed Blvd., Fort Worth, TX 76108
Phone: (817) 777-2000
Business: Makes military aircraft including the F-16 warplane and the F-35 Joint Strike Fighter Wireless Network Security Manager (June 1999 to November 2005): Jasyn Voshell Financials in 2004: Sales of $11.8 billion.
Challenge: Achieve the highest possible level of wireless network security, in more than 100 buildings at military aircraft factories in Texas, Georgia and California.
Use wireless network to avoid the cost of
rewiring to support new factory floor layout (estimated at $20 million to $30 million).
Prevent wireless equipment from being deployed without permission or in insecure configurations.
Detect and prevent attacks on the wireless network infrastructure.