Updated by Algis Kibirkstis
The IEEE 802.11 series of wireless LAN standards have progressed over recent years; after 802.11a, 802.11b and 802.11g, the recently-published 802.11n standard has become the current benchmark for high-performance wireless network communications. The continued availability of inexpensive equipment, coupled with comparable wire-speed network bandwidth and ease of use, has continued to drive increased adoption rates by business and home users. Unfortunately, as is often the case, implementations of such easy-to-use technologies come at a price, and introduce some unintended consequences, such as the ability of malicious users to attach wireless networks from ever-increasing distances.
Brought into the public eye in the early 1980s by the movie War Games, war dialling -- the act of systematically dialing ranges of phone numbers to discover computer systems -- had become a plague on corporate America. War dialling was used to discover modems attached to corporate servers and desktops, which are in turn connected to corporate LANs. These target systems are generally loaded with remote control software, such as PCAnywhere or Carbon Copy, allowing an individual to remotely connect to a corporate environment, just as if they were sitting at the console keyboard.
Business units, as well as motivated individuals, install wireless access points (AP) which act as bridges to corporate networks. These APs broadcast their availability to anyone within the signal range of the AP, which can be dramatically extended through the use of specialized antennas. If the wireless network extensions are not properly configured, any inexpensive wireless network card and a laptop (or smartphone) can connect to the AP with little or no detection. "War driving," like its "war dialling" cousin described above, allows those with the necessary tools and motivation to find, catalog, and access vulnerable wireless APs -- and possibly gain access to any physically connected network -- from the relative anonymity of a rental car at a nearby location.
The scenario described above is but one of the threats which an intrusion detection analyst must consider. First, however, we must ask a more fundamental question: what is intrusion detection when applied to wireless networks? Intrusion detection systems collect information about observable and/or auditable events, which are then analyzed and correlated to determine things like incidents, causes and motives. Therefore, in order to provide a basis for wireless intrusion detection, we must first determine what can be observed and collected for analysis. This paper will discuss several rudimentary events which could be captured by a wireless intrusion detection system and present a survey of tools which can accomplish such tasks.
Current intrusion detection solutions tend to rely on the relatively static and contained nature of wired networks. Potential 'wired' intruders would need to gain physical access somehow, either through an accessible network jack or logically enter the network through well-defined pathways. Locating intrusion detection sensors was a matter of defining and inserting listeners in locations where all or most network traffic transited. These assumptions are no longer valid for wireless networks if both approved and rogue APs can be located anywhere on a network.
The IEEE 802.11 standard  defines several types of wireless network topologies. The Independent Basic Service Set (IBSS, or "ad hoc") topology involves two or more wireless stations communicating peer-to-peer (Figure 1). The Basic Service Set (BSS, or "infrastructure") topology (Figure 2), adds an AP attached to a "distribution system" (usually a network, like Ethernet), through which all wireless communications pass before reaching their destination.
An ad-hoc network has some obvious disadvantages for intrusion detection. Yongguang Zhang and Wenke Lee have written an excellent paper  addressing this particular problem. They outline several fundamental issues with wireless ad-hoc networks:
- Wireless stations are all independent nodes. Each node must be responsible for it's own protection from attack and compromise. Compromising only one node or introducing a malicious node may affect the viability of the entire network, and an affected node could be used as a launching point for subsequent attacks.
- No central point exists from which to monitor all network traffic, as the network is distributed.
- Differences between normal and anomalous traffic patterns may be practically indistinguishable. The mobile nature of the wireless stations can make legitimate network traffic appear suspect.
Zhang and Lee propose an architecture in which all nodes act as independent IDS sensor, able to act independently and cooperatively. Events are generated from a local detection engine. If analysis of the events are inconclusive or require more information, other networked 'local sensors' can be utilized and consulted. Each independent sensor has six modules, three of which pertain to intrusion detection:
- Data collection: the types of raw data used includes system and user activities, local communication activities, and "observable" communications activities
- Local detection: since it is difficult to maintain and distribute an anomalous signature database, Zhang and Lee have proposed the definition of statistically "normal" activities specific to each node, which will therefore reside locally on each node.
- Cooperative detection: if the local detection engine does not have enough evidence to alert on a suspected problem, it can ask other nodes for assistance. Information describing the event gets propagated to neighboring nodes. Evidence returned from neighbouring nodes can then be used to create a new evaluation of the detected event.
Infrastructure mode is where current intrusion detection methodologies and collection techniques become useful. Since all traffic transits through the AP, close proximity to the AP becomes a logical choice to place a sensor. Since the 802.11a/b/g/n wireless networking suite is essentially just another implementation set of network communications, the AP acts as a bridge - translating wireless frames to 802.3 (or other network medium) frames, and vice versa. Data encapsulated at higher layers remain unchanged. To collect events of interest at Layer 3 and above, one can continue relying on popular tools such as tcpdump or windump. To look at frame information, however, each tool must be able to interpret the medium frame type; fortunately, tools such as Kismet and Wireshark support interpretation libraries for wireless frame analysis.
Beacon frames are regularly transmitted management frames sent by an AP, and contain information needed by a wireless station to begin the association/authentication process -- such as a wireless network name (SSID) and supported rates of transmission. Beacon frames are picked up and read by a potential client node before considering connection initiation with a wireless AP. An analyst may wish to capture and analyze these frame types to monitor for rogue access points or other potentially malicious traffic.
Capturing beacon frames is similar to sniffing network traffic on an Ethernet segment. To capture all traffic that it sees, the network card must be in promiscuous mode, but does not necessarily need to have a network address assigned to it. In this mode the network card can capture data, but is otherwise invisible to everyone else on the network. Unix/Linux based systems are natively capable of capturing wireless traffic passively, and can use a wide variety of wireless interface hardware that support various combinations of 802.11a/b/g/n traffic; Windows systems can use the AirPcap USB dongle (http://www.cacetech.com/products/airpcap.html), together with a versatile wireless packet analyser like Kismet to enable passive wireless packet capturing. Active packet captures through the use of tools like NetStumbler can provide some data for analysis, but running such tools introduce a risk of detection for the user.
Association and Authentication
Once a (friendly or malicious) client collects a SSID and other peripheral information from a beacon frame, the next step towards initializing a wireless network connection is to trigger the association and authentication process with the AP. It starts with an Association Request Management frame, sent by the wireless client station, to which the AP responds with an Association Response Management frame. After successful association between client and access point, a subsequent authentication phase is initiated; the details of the authentication, including and challenge/response exchanges, depend on the authentication methods supported by the AP (eg: WEP, WPA, WPA2). Analyzing association/authentication response codes and capturing MAC addresses is also a good place to look for events of interest, such as multiple access attempts and protocol-specific break-in techniques.
Various wireless 802.11 packet analysis tools are widely available to assist in the assessment of wireless traffic. Popular freeware tools include Wireshark (formerly known as Ethereal) for general packet and frame analysis, and Kismet (a best-of-breed wireless networking assessment and attack tool).
The Address Resolution Protocol (ARP) is used to map an IP address to a corresponding hardware address , and is used to establish communication routes on networks. Arpwatch (http://www-nrg.ee.lbl.gov/) is a tool which monitors changes to this information and can be used as a source of detection data. When applied to a wireless access point , arpwatch could be used to obtain information about wireless stations already authenticated and associated with the AP. Once a packet enters the wired side of the AP from the wireless side, interesting traffic may begin to appear, such as network discovery and network connections coming from the IP address of the AP.
Wireless IDS Systems
So what do we introduce as sensors? WIDS (Wireless IDS) systems have gained popularity in recent years, due to the ongoing threat of remote exploitation through wireless networks. Deployed in overlapping, parallel configurations with AP networks, WIDS networks can be designed to detect signals, listen for malicious traffic, and even break undesirable wireless connections. Commercial WIDS implementations through vendors like ISS and AirDefense are available, and generally consist of a hierarchy of sensors, regional collector systems and central management consoles; open source solutions such as Snort-Wireless are available for those with more restricted budgets.
The process, methodology, and tools described above scratch the surface of wireless intrusion detection. This paper has described several rudimentary forms of wireless intrusion detection for the most basic network architecture - detecting wireless stations associating with an access point attached to a wired network. Recent advancements have been made in the field, with many traditional 'wired' tools becoming adapted to assist with the wireless perspective, and new dedicated tools providing capabilities in the field of packet capturing, packet interpretation and intrusion detection.. With the increasing popularity of "war driving" and other means of rogue communications, such capabilities will certainly continue to be required to help protect our ever-growing wireless infrastructures.
ANSI/IEEE. "IEEE Standard for Information technology. Telecommunications and information exchange between systems. Local and metropolitan area networks. Specific requirements. Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications." 1999.
Zhang, Yongguang, Wenke, Lee. "Intrusion Detection in Wireless Ad-Hoc Networks." Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking. 2000.Arbaugh, William A., Shankar, Narendar, Wan, Y.C. Justin. "Your 802.11 Wireless Network has No Clothes." Department of Computer Science, University of Maryland. 31 March 2001.
Stevens, W. Richard. TCP/IP Illustrated, Volume 1. Massachusetts: Addison-Wesley. 1994.
Shipley, Peter. Interview. http://www.starkrealities.com/shipley.html. 31 July 2001.