Intrusion Detection on WLANs

By David F. Carr  |  Posted 2005-12-13

Lockheed Martin couldn't allow hackers to see critical data on its wireless network. The answer: an intrusion detection system to pinpoint and repel attacks.

But even a security-obsessed organization like Lockheed Martin can realize cost benefits from wireless networking. As the company looked at its options for expanding the use of factory computers—for example, to make engineering documents available on screen rather than on paper—as well as the need to reconfigure the plant floor to support new products such as the Joint Strike Fighter, it estimated the cost of digging up and rebuilding the concrete floors to lay new wiring at $20 million to $30 million, according to Voshell.

Deploying a wireless network thus made a lot of sense, and Lockheed Martin proceeded to do so with help from Symbol Technologies. Voshell's challenge was to figure out how to do it securely. Because wireless networking offers increased convenience and mobility, employees are likely to create their own setups—most of which are not properly secured—if they are not given an officially sanctioned option. So at the same time he was helping plan the new wireless network, Voshell found himself shutting down unofficial hot spots.

The solution was the AirDefense wireless intrusion detection system. The entire access point and sensor network took months to plan but only a few weeks to install at each location, starting in 2002 in Fort Worth and continuing to early 2003 at the other locations, he says.

Because Lockheed Martin's defenses have to be thorough, AirDefense sensors are hidden in the rafters above the ceiling tiles or sealed inside protective casings, even where no wireless network access points have been deployed. "That's how we know that there is no wireless here," Voshell explains while striding down a corridor in the Fort Worth plant.

In all, more than 200 access points and 200 AirDefense sensors were deployed as part of the project. Since a sensor can cover several access points, there were plenty to deploy outside the official wireless coverage area.

The AirDefense sensors collect radio transmission data and feed it to a monitoring server, which searches for inappropriate signals. When the system finds something suspicious, Voshell or one of his colleagues gets an alert by e-mail or pager, and can call up more details from any Web browser.

The system provides an approximate location for the rogue signal, based on the locations of the sensors that picked it up, as well as relative signal strength if it is within range of more than one sensor. So if an employee gets a wireless router for his birthday and decides to plug it into the office network, a member of the network security staff can locate that person's work space within minutes and confiscate the device.

Rogue access points are dangerous because wireless routers sold in an office superstore typically come configured for zero security. Unprotected wireless networks may be fine for checking personal e-mail at a local Starbucks, but they're not so great for protecting fighter-jet engineering plans. In fact, an unsecured wireless access point potentially provides an attacker with the kind of behind-the-firewall reach into the corporate network that would otherwise require physical access to the wired network.

If an approved access point is installed on the plant floor in an incorrect configuration—or resets to the default settings following a power surge—the intrusion detection system will report those errors, too, so that they can be corrected.

To create a protected connection, wireless networks use encryption to compensate for sending signals over the airwaves rather than through insulated wires. But the Wired Equivalent Privacy encryption standard that shipped with early 802.11 devices turned out to be notoriously weak. And while better standards are emerging, Voshell doesn't trust them yet.

So, Lockheed Martin's approved configuration for wireless networking uses virtual private network technology as an additional layer of defense. Instead of logging on directly to the corporate network, computers connecting via wireless access points must first pass through a firewall, using VPN software and a hardware security token attached to the computer for proof of identity and additional encryption.

Gartner analyst John Pescatore says the use of VPN software is a common workaround, but a clumsy one that organizations with less stringent security requirements might want to skip. "Users hate having to login twice—once to the VPN, and then again to the application," he says.

Since Voshell's business is scanning for wireless network vulnerabilities, he doesn't appreciate anyone else doing so. Once, when he found a contractor in a Lockheed Martin conference room probing the network with sniffer software, he was not amused. The AirMagnet laptop software that the contractor was using is a legitimate tool—in fact, Voshell's team used AirMagnet's software for handheld computers to pin down the origin of unauthorized wireless network activity.

Problem was, no one at Lockheed Martin had authorized the contractor to go poking around the wireless network, and he got a tap on the shoulder within minutes.

"That made me very happy, and my boss very happy, and the contractor not very happy—because we had to wipe his laptop," Voshell says. He had the authority to erase the contractor's hard drive because of an agreement that visitors sign before they are allowed to bring computers into a Lockheed Martin facility.

Other companies might have just closed the connection, Voshell explains, "but I don't know what that guy had gotten a hold of."

LOCKHEED MARTIN AERONAUTICS
Headquarters: Lockheed Blvd., Fort Worth, TX 76108
Phone: (817) 777-2000
Business: Makes military aircraft including the F-16 warplane and the F-35 Joint Strike Fighter
Wireless Network Security Manager (June 1999 to November 2005): Jasyn Voshell
Financials in 2004: Sales of $11.8 billion.
Challenge: Achieve the highest possible level of wireless network security, in more than 100 buildings at military aircraft factories in Texas, Georgia and California.

Baseline Goals:
• Use wireless network to avoid the cost of rewiring to support new factory floor layout (estimated at $20 million to $30 million).
• Prevent wireless equipment from being deployed without permission or in insecure configurations.
• Detect and prevent attacks on the wireless network infrastructure.

Scanning radio waves for wireless intruders

Wireless intrusion detection systems use different technology from their wired counterparts. Because wireless networks extend outside the walls of a company, an insecure access point, even behind a firewall, offers an attacker the same kind of access as breaking into the building and tapping into the network wiring.

So, the focus of wireless intrusion detection is at the connectivity level—the radio signals used to make a wireless connection—as opposed to monitoring patterns of user behavior, as traditional detection products do.

A wireless intrusion detection system monitors radio signals within the 802.11 family of standards from the Institute of Electrical and Electronics Engineers (IEEE). The system looks for activity that might be part of an attempt to break into the corporate network, or to flood wireless access points with so much false traffic that legitimate users cannot log on. It also detects "rogue" access points set up without corporate approval, as well as legitimate access points or company laptops that are improperly configured and thus open to attack.

Network managers can configure the system to alert them when a problem is detected. The system can provide an approximate location for the source of the intrusion, based on which sensors detected the errant signal. Wireless scanning software on a laptop or handheld computer can then pinpoint the offender.
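The checks described in the last two paragraphs, as an added example (not AirDefense's code or anything from the original article): sensor observations are compared against an inventory of approved access points to flag rogue and misconfigured devices, and each flagged device gets an approximate position. The inventory, sensor coordinates, observations and the signal-strength-weighted centroid used for location are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory of sanctioned access points: BSSID -> required settings.
APPROVED = {
    "00:11:22:aa:00:01": {"ssid": "plant-floor", "encryption": "encrypted"},
    "00:11:22:aa:00:02": {"ssid": "plant-floor", "encryption": "encrypted"},
}
# Constructed sensor positions, in metres on a floor plan.
SENSORS = {"s1": (0.0, 0.0), "s2": (40.0, 0.0), "s3": (0.0, 30.0)}
# Constructed observations: (sensor, bssid, ssid, encryption, rssi_dbm).
OBSERVATIONS = [
    ("s1", "00:11:22:aa:00:01", "plant-floor", "encrypted", -48),
    ("s2", "00:11:22:aa:00:02", "default", "open", -55),  # reset to defaults
    ("s2", "de:ad:be:ef:00:99", "linksys", "open", -50),  # not in inventory
    ("s3", "de:ad:be:ef:00:99", "linksys", "open", -70),
]

def classify(bssid, ssid, encryption):
    """Return 'rogue', 'misconfigured' or 'ok' for one observed access point."""
    profile = APPROVED.get(bssid)
    if profile is None:
        return "rogue"
    if (ssid, encryption) != (profile["ssid"], profile["encryption"]):
        return "misconfigured"
    return "ok"

def estimate_location(readings):
    """Weighted centroid of the sensors that heard the signal.
    readings: list of (sensor_id, rssi_dbm); dBm is converted to linear power
    so that a stronger reading pulls the estimate toward that sensor."""
    weighted = [(SENSORS[s], 10 ** (rssi / 10)) for s, rssi in readings]
    total = sum(w for _, w in weighted)
    x = sum(pos[0] * w for pos, w in weighted) / total
    y = sum(pos[1] * w for pos, w in weighted) / total
    return round(x, 1), round(y, 1)

def analyze(observations):
    """Return {bssid: alert} for every access point that is not 'ok'."""
    heard, status = defaultdict(list), {}
    for sensor, bssid, ssid, enc, rssi in observations:
        heard[bssid].append((sensor, rssi))
        verdict = classify(bssid, ssid, enc)
        if verdict != "ok":
            status[bssid] = verdict
    return {b: {"status": v,
                "sensors": sorted(s for s, _ in heard[b]),
                "location": estimate_location(heard[b])}
            for b, v in status.items()}

if __name__ == "__main__":
    for bssid, alert in analyze(OBSERVATIONS).items():
        print(bssid, alert)
```

A device heard by a single sensor resolves to that sensor's own position, which is why a handheld scanner is still needed for the last few metres.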

For setups where security is critical, such as the AirDefense system deployed by Lockheed Martin, network managers should consider radio sensors specifically for intrusion detection. Other vendors make detection a part-time role for a company's wireless access points; existing hardware does double duty.

Jay Chaudhry, chairman and founder of AirDefense, says it's important to have dedicated sensors listening for rogue signals full-time. But many cost-sensitive firms are looking for a compromise that can use existing wireless networking hardware, according to John Pescatore, a Gartner security analyst. One tactic, Pescatore points out, is to supplement the use of access points with dedicated intrusion sensors in areas where no officially sanctioned wireless equipment has been deployed.—D.C.

David F. Carr is the Technology Editor for Baseline Magazine, a Ziff Davis publication focused on information technology and its management, with an emphasis on measurable, bottom-line results. He wrote two of Baseline's cover stories focused on the role of technology in disaster recovery, one focused on the response to the tsunami in Indonesia and another on the City of New Orleans after Hurricane Katrina. David has been the author or co-author of many Baseline Case Dissections on corporate technology successes and failures (such as the role of Kmart's inept supply chain implementation in its decline versus Wal-Mart or the successful use of technology to create new market opportunities for office furniture maker Herman Miller). He has also written about the FAA's halting attempts to modernize air traffic control, and in 2003 he traveled to Sierra Leone and Liberia to report on the role of technology in United Nations peacekeeping. David joined Baseline prior to the launch of the magazine in 2001 and helped define popular elements of the magazine such as Gotcha!, which offers cautionary tales about technology pitfalls and how to avoid them.
