White Paper

Wireless LAN Security – What Hackers Know That You Don’t

As the next generation of IT networking, 802.11 wireless LANs are also the new playgrounds for hackers. Effective encryption and authentication security measures for wireless LANs are still developing, but hackers already possess easy-to-use tools that can launch increasingly sophisticated attacks that put your information assets at risk.

Like personal computers in the 1980s and the Internet in the 1990s, wireless LANs are the new frontier of technology in the enterprise. Thus, this white paper is not designed to scare enterprises away from deploying wireless LANs. Wireless LANs can be secured with a layered approach to security that goes beyond new encryption and authentication standards to include 24x7 monitoring and intrusion protection.

This white paper outlines how hackers are exploiting vulnerabilities in 802.11 wireless LANs and the widely available hacking tools. The information presented is a collection of already published risks to wireless LANs. This white paper is written to inform IT security managers of what they are up against. In order to effectively secure their wireless LANs, enterprises must first know the potential dangers.

Wireless LANs are a breeding ground for new attacks because the technology is young and organic growth creates the potential for a huge payoff for hackers.
– Pete Lindstrom, Spire Security, Sept. 2002

What’s at Risk?

Wireless LANs face all of the security challenges of any wired networks in addition to the new risks introduced by the wireless medium that connects stations and access points. This white paper focuses on the wireless-specific attacks, threats, and risks.

Any wireless access point attached to a wired network essentially broadcasts an Ethernet connection and an onramp to the entire enterprise network. Layer 1 and Layer 2 of a network are typically protected by the CAT5 wire within a building in a traditional wired network but are exposed in a wireless LAN.

The satellite photograph on this page graphically displays how radio signals from a single access point can travel several city blocks outside of the building. Without proper security measures for authentication and encryption, any laptop with a wireless card can connect with the network or stealthily eavesdrop on all network traffic across that access point from any area within the colored areas on the map.

Some enterprises make the mistake of believing that they do not have to worry about wireless security if they are running non-mission critical systems with non-sensitive information across their wireless LANs. However, few networks operate as islands of automation. Most connect with the enterprise backbone at some point, and hackers can use the wireless LAN as a launch pad to the entire network. Thus, every entry point to that network should be secured.

Figure 1: This image represents the signal emitted from a single wireless access point located in downtown Lawrence, KS.

In the summer of 2002, a retail chain was reported to be running its wireless LAN without any form of encryption. The retailer responded by saying that its wireless LAN only handled its inventory application, so encryption was not needed. However, the open connection invites hackers to snoop around on the network to possibly get into confidential customer records or sensitive corporate information.

Internal Vulnerabilities

Because security risks for wireless LANs can come from the most malicious hackers as well as employees with the best intentions, threats to wireless LAN security can be broken into internal vulnerabilities and external threats.

Internal vulnerabilities are comprised of rogue deployments, insecure configurations, and accidental associations to neighboring wireless LANs.

Rogue WLANs

Rogue access points are a well-documented problem. In 2001 Gartner estimated that “at least 20 percent of enterprises already have rogue WLANs attached to their corporate networks.” Employees can easily hide their rogue access points from wired-side sniffers by simply setting the access point to duplicate the MAC address of the laptop – an easy and often mandatory configuration for a consumer-grade access point when installed to a home cable or DSL modem.

Other rogue deployments or unauthorized uses of wireless LANs can include ad hoc networks. These peer-to-peer connections between devices with WLAN cards do not require an access point or any form of authentication from other stations with which they connect. While ad hoc networks can be a convenient feature for users to transfer files between stations or connect to shared network printers, they present an inherent security risk where a station in ad hoc mode opens itself to a direct attack from a hacker who can download files from the victim’s station or use the authorized station as a conduit to the entire network.

Insecure Network Configurations

Many organizations secure their wireless LANs with virtual private networks and then mistakenly believe the network is bulletproof. While it takes a highly sophisticated hacker to break a VPN, a VPN can be like an iron door on a grass hut if the network is not properly configured. Why would a thief try to pick the lock of the iron door if he could easily break through the thin walls of the hut? All security holes – big and small – can be exploited.

By year-end 2002, 30 percent of enterprises will suffer serious security exposures from deploying WLANs without implementing the proper security.
– Gartner Group, August 2001

Insecure configurations represent a significant concern. Default settings that include default passwords, open broadcasts of SSIDs, weak or no encryption, and lack of authentication can open an access point to be a gateway to the greater network. Properly configured access points can be reconfigured by employees seeking greater operability or often reset to default settings upon a power surge or system failure.

Accidental Associations

Accidental associations between a station and a neighboring wireless LAN are just now being recognized as a security concern as enterprises confront the issue of overlapping networks. Accidental associations are created when a neighboring company across the street or on adjacent floors of the building operates a wireless LAN that emanates a strong RF signal that bleeds over into your building space. The wireless LAN-friendly Windows XP operating system enables your wireless users to automatically associate and connect to the neighbor’s network without their knowledge.

A station connecting to a neighboring wireless LAN can divulge passwords or sensitive documents to anyone on the neighboring network. Accidental associations can even link the two companies’ networks together through this end user station as it bypasses all internal security and controls.

External Threats

The internal vulnerabilities previously described open the door for intruders and hackers to pose more serious threats. However, the most secure wireless LANs are not 100 percent safe from the continuously evolving external threats that include espionage, identity theft, and other attacks such as Denial-of-Service and Man-in-the-Middle attacks.

Eavesdropping & Espionage

Because wireless communication is broadcast over radio waves, eavesdroppers who merely listen to the airwaves can easily pick up unencrypted messages. Additionally, messages encrypted with the Wired Equivalent Privacy (WEP) security protocol can be decrypted with a little time and easily available hacking tools. These intruders put businesses at risk of exposing sensitive information to corporate espionage.

Identity Theft

The theft of an authorized user’s identity poses one of the greatest threats. Service Set Identifiers (SSIDs) that act as crude passwords and Media Access Control (MAC) addresses that act as personal identification numbers are often used to verify that clients are authorized to connect with an access point. Because existing encryption standards are not foolproof, knowledgeable intruders can pick off authorized SSIDs and MAC addresses to connect to a wireless LAN as an authorized user with the ability to steal bandwidth, corrupt or download files, and wreak havoc on the entire network.

Evolving Attacks

More sophisticated attacks, such as Denial-of-Service and Man-in-the-Middle attacks, can shut down networks and compromise security of virtual private networks. This paper goes into greater detail describing how these attacks occur in the section Emerging Attacks on WLANs.

The Hacker’s Wireless LAN Toolbox

Hackers – as well as white hat researchers – are notorious for quickly breaking the new security standards soon after the standards are released. Such is the case with the security standards for wireless LANs. This section provides a few examples of the hardware and freeware tools available on the Internet.

Available Freeware Tools

As mentioned in the introduction, new wireless LAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. Rather than wait for a hacker to attack your network, security managers should familiarize themselves with tools to know what they have to defend themselves against. The table below gives a few examples of widely available freeware tools. Network security managers should become familiar with these hacking tools in order to know the dangers of each.

Tool | Web site | Description
NetStumbler | www.netstumbler.com | Freeware wireless access point identifier – listens for SSIDs & sends beacons as probes searching for access points
Kismet | www.kismetwireless.net | Freeware wireless sniffer and monitor – passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds
Wellenreiter | http://packetstormsecurity.nl | Freeware WLAN discovery tool – uses brute force to identify low traffic access points; hides your real MAC; integrates with GPS
THC-RUT | www.thehackerschoice.com | Freeware WLAN discovery tool – uses brute force to identify low traffic access points; “your first knife on a foreign network”
Ethereal | www.ethereal.com | Freeware WLAN analyzer – interactively browse the capture data, viewing summary and detail information for all observed wireless traffic
WEPCrack | http://sourceforge.net/projects/wepcrack/ | Freeware encryption breaker – cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling
AirSnort | http://airsnort.shmoo.com | Freeware encryption breaker – passively monitoring transmissions, computing the encryption key when enough packets have been gathered
HostAP | http://hostap.epitest.fi | Converts a WLAN station to function as an access point (available for WLAN cards that are based on Intersil's Prism2/2.5/3 chipset)

Antennas

To connect with wireless LANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or built easily with cans or cylinders found in a kitchen cupboard and can pick up 802.11 signals from up to 2,000 feet away. The intruders can be in the parking lot or completely out of sight.

Breaking Encryption

The industry’s initial encryption technology, WEP, was quickly broken by published tools WEPCrack and AirSnort, which exploit vulnerabilities in the WEP encryption algorithm. WEPCrack and AirSnort passively observe WLAN traffic until they collect enough data to recognize repetitions and break the encryption key.

Breaking 802.1x Authentication

The next step in the evolution of wireless LAN security was the introduction of 802.1x for port-based authentication. However, University of Maryland professor William Arbaugh published a research paper in February 2002 that demonstrated how the newly proposed security standard can be defeated. The IEEE is now working on a new standard, 802.1i, which is expected to be ratified within the next two years.

War Driving

To locate the physical presence of wireless LANs, hackers developed scanning and probing tools that introduced the concept of “war driving” – driving around a city in a car to discover unprotected wireless LANs. User-friendly Windows-based freeware tools, such as Netstumbler, probe the airwaves in search of access points that broadcast their SSIDs and offer easy ways to find open networks. More advanced tools, such as Kismet, were then introduced on Linux platforms to passively monitor wireless traffic.

Both Netstumbler and Kismet work in tandem with a global positioning system (GPS) to map exact locations of the identified wireless LANs. These maps and data are posted on web sites such as www.wigle.net and www.wifinder.com where wireless freeloaders and other hackers can locate these open networks.

Emerging Attacks on WLANs

The development of effective wireless LAN security standards has been preceded by the evolution of wireless-focused attacks that are becoming more sophisticated.

Attacks at DefCon

The growing number of attacks on wireless LANs is best seen in a study of wireless LAN activity at the DefCon X hacker convention in August 2002. AirDefense surveyed the wireless LAN at the Las Vegas convention for two hours and identified more than 10 previously undocumented wireless attacks from new creative ways in which hackers are learning to manipulate 802.11 protocols to launch new forms of Denial-of-Service attacks, identity thefts, and Man-in-the-Middle attacks. During the two hours of monitoring the conference’s wireless LAN, AirDefense identified 8 sanctioned access points, 35 rogue access points, and more than 800 different station addresses.

AirDefense’s 802.11 security experts estimate that 200 to 300 of the station addresses were fakes because roughly 350 people were in the wireless LAN network room at a single time. AirDefense discovered 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours.

Among the 807 attacks:
• 490 were wireless probes from tools such as Netstumbler and Kismet, which were used to scan the network and determine who was most vulnerable to greater attacks;
• 190 were identity thefts, such as when MAC addresses and SSIDs were spoofed to assume the identity of another user;
• 100 were varying forms of Denial-of-Service attacks that either (1) jammed the airwaves with noise to shut down an access point, (2) targeted specific stations by continually disconnecting them from an access point, or (3) forced stations to route their traffic through other stations that ultimately did not connect back to the network; and
• 27 attacks came from out-of-specification management frames where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network.

The wireless LAN at DefCon was probably the best place to learn about these new attacks and threats to wireless LANs because DefCon is one of few places where the focus is on breaking things. Enterprises should be aware of these threats and learn what they can do to combat them.
– Pete Lindstrom, Spire Security, September 2002

Of the more than 10 new types of attacks identified by AirDefense, the company’s 802.11 security experts determined that many were new forms of Denial-of-Service attacks but an apparent danger came from the growing number of ways in which hackers have learned to abuse 802.11 protocols.

The following section outlines four major attacks, which represent significant dangers to wireless LANs because they are published attacks that unsophisticated hackers can easily perform after downloading tools off the Internet.

Malicious Association

Using widely available tools, hackers can force unsuspecting stations to connect to an undesired 802.11 network or alter the configuration of the station to operate in ad-hoc networking mode. A hacker begins this attack by using freeware HostAP to convert the attacking station to operate as a functioning access point.

As the victim’s station broadcasts a probe to associate with an access point, the hacker’s new malicious access point responds to the victim’s request for association and begins a connection between the two. After providing an IP address to the victim’s workstation (if needed), the malicious access point can begin its attacks. The hacker – acting as an access point – can use a wealth of available hacking tools that have been tested and proven in a wired environment. At this time, the hacker can exploit all vulnerabilities on the victim’s laptop, which can include installing the HostAP firmware or any other laptop configuration or programmatic changes.

The malicious association attack shows that wireless LANs are subject to diversion and stations do not always know which network or access point they connect to. Stations can be tricked or forced to connect to a malicious access point. Even wireless LANs that have deployed VPNs are vulnerable to malicious associations. This attack does not try to break the VPN. Rather, it takes over the security-poor client.

Enterprises must monitor the airwaves of their wireless LAN to make sure their stations only connect to authorized access points and networks. Monitoring the network is the only way to know whom your stations connect to and which stations connect to your access points.

MAC Spoofing – Identity Theft

Many enterprises secure their wireless LAN with authentication based on an authorized list of MAC addresses. While this provides a low level of security for smaller deployments, MAC addresses were never intended to be used in this manner. Any user can easily change the MAC address of a station or access point to change its “identity” and defeat MAC address-based authentication.

Figure 3: MAC Spoofing of an Authorized Station

Software tools, such as Kismet or Ethereal, are available for hackers to easily pick off the MAC addresses of an authorized user. The hacker can then assume the identity of that user by asserting the stolen MAC address as his own. The hacker then connects to the wireless LAN as an authorized user.

By monitoring the airwaves of their wireless LAN, enterprises are able to detect MAC spoofing by identifying when one MAC address is in use by more than one station on the network at the same time. Wireless LAN intrusion detection systems can also identify when a MAC address is spoofed by analyzing the vendor “fingerprints” of the wireless LAN card, whereby the IDS can see when, as an example, an Orinoco wireless LAN card connects to the network using the MAC address of a Cisco WLAN card.

Man-in-the-Middle Attacks

As one of the more sophisticated attacks, a Man-in-the-Middle attack can break a secure VPN connection between an authorized station and an access point. By inserting a malicious station between the victim station and the access point, the hacker becomes the “man in the middle” as he tricks the station into believing he is the access point and tricks the access point into believing he is the authorized station.

This attack preys upon a CHAP implementation to randomly force a connected station to re-authenticate with the access point. The station must respond to a random challenge from the access point, and the access point must respond to a successful challenge response with a success packet.

To begin this attack, the hacker passively observes the station as it connects to the access point, and the hacker collects the authentication information, including the username, server name, client and server IP address, the ID used to compute the response, and the challenge and associated response. (See Figure 4)

Figure 4: VPN Attack – Link Establishment, Challenge, Response

The hacker then tries to associate with the access point by sending a request that appears to be coming from the authenticated station. The access point sends the VPN challenge to the authenticated station, which computes the required authentic response, and sends the response to the access point. The hacker observes the valid response. (See Figure 5)

Figure 5: VPN Attack – Mounting the assault

The hacker then acts as the access point in presenting a challenge to the authorized station. The station computes the appropriate response, which is sent to the access point. The access point then sends the station a success packet with an embedded sequence number. Both are captured by the hacker. After capturing all this data, the hacker then has what he needs to complete the attack and defeat the VPN. (See Figure 6)

Figure 6: VPN Attack – Getting in the Middle

The hacker sends a spoofed reply with a large sequence number, which bumps the victim’s station off the network and keeps it from re-associating. The hacker then enters the network as the authorized station. (See Figure 7)

Figure 7: VPN Attack – Entering the Network

Only 24x7 monitoring and a highly capable wireless IDS can detect this type of attack on a wireless LAN. An effective security solution must first keep a constant watch over the wireless LAN while it analyzes the activity it observes. A wireless IDS should be able to detect this type of attack based on its signature as well as the simultaneous use of a single MAC address and user name by both the authorized station and the hacker.

Denial-of-Service Attacks

Every network and security manager fears the downtime and loss of productivity from a crippling Denial-of-Service attack. In the wireless world, this damaging attack can come from any direction, and the most basic variations of DoS attacks can be just as worrisome as the most sophisticated.

Because 802.11b wireless LANs operate on the unregulated 2.4 GHz radio frequency that is also used by microwave ovens, baby monitors, and cordless telephones, commonly available consumer products can give hackers the tools for a simple and extremely damaging Denial-of-Service attack. Unleashing large amounts of noise from these other devices can jam the airwaves and shut down a wireless LAN.

Hackers can launch more sophisticated Denial-of-Service attacks by configuring a station to operate as an access point. As an access point, the hacker can flood the airwaves with persistent “disassociate” commands that force all stations within range to disconnect from the wireless LAN. In another variation, the hacker’s malicious access point broadcasts periodic disassociate commands every few minutes that cause a situation where stations are continually kicked off the network, reconnected, and kicked off again.

In addition to malicious disassociation attacks, hackers are now abusing the Extensible Authentication Protocol (EAP) to launch Denial-of-Service attacks. “The Unofficial 802.11 Security Web Page” at http://www.drizzle.com/~aboba/IEEE/ lists six forms of Denial-of-Service attacks from various ways hackers can manipulate EAP protocols by targeting wireless stations and access points with log-off commands, start commands, premature successful connection messages, failure messages, and other modifications of the EAP protocol.

Newly developing Denial-of-Service attacks exploit improperly configured wireless LANs or rogue access points to target the entire enterprise network. When an access point is attached to an unfiltered segment of the enterprise network, the access point broadcasts “Spanning Tree” (802.1D) packets. This opens the door to attacks that take down all wireless equipment as well as spur a meltdown of the entire internal networking infrastructure – hubs, routers, switches, etc. – that are connected behind the WLAN access point.

In normal operation, the Spanning Tree algorithm ensures the existence of a loop-free Ethernet topology in networks that contain parallel bridges and multiple Ethernet segments. A loop occurs when there are alternate routes between hosts. If a loop exists in an extended network, bridges may forward traffic indefinitely to false or wrong Ethernet hosts, which can result in increased traffic and degradation in network performance to a point where they no longer will respond or operate.

A hacker can launch a Denial-of-Service attack by intentionally inserting this loop on the network. The hacker goes through the wireless LAN to maliciously replay an altered Spanning Tree session back to the enterprise. A rogue sniffer can initiate this attack by echoing a manipulated replay Spanning Tree session back to the wireless LAN access point, which in turn echoes the manipulated Spanning Tree packets to other internal hosts with a devastating domino effect.

Spanning Tree attacks will typically render the intelligent hubs, bridges, routers, and switches completely inoperative and usually require rebooting or reconfiguration of these devices to make them operative again.

Any rogue access point plugged into a port on a hub or into a switch or router that is not filtered by a firewall can open a network to this most damaging Denial-of-Service attack. AirDefense has found that nearly 1 out of 20 wireless LANs surveyed are vulnerable to this form of Denial-of-Service attack from rogue access points and improperly configured wireless LANs.

The AirDefense Solution

AirDefense provides the industry’s only security appliance for WLANs to discover WLAN vulnerabilities, enforce security policies, and detect and respond to intruders. AirDefense’s patent-pending technology integrates multi-dimensional intrusion detection with stateful monitoring to ensure security across enterprise 802.11 WLANs.

More simply put, AirDefense is a wireless LAN intrusion protection and management system that discovers network vulnerabilities, detects and protects a WLAN from intruders and attacks, and assists in the management of a WLAN.

AirDefense: (i) Discovers vulnerabilities and threats – such as rogue APs and ad hoc networks – as they happen; (ii) Secures a WLAN by detecting intruders and attacks and eliminating those threats; and (iii) Provides a robust WLAN management functionality that allows users to understand their network, monitor network performance, and enforce network policies.

Remote Sensors & Server Appliances

The AirDefense solution consists of distributed sensors and server appliances. The remote sensors sit near 802.11 Access Points to monitor all WLAN activities and report back to the server appliance, which analyzes the traffic in real time.

The remote sensors:
• Are deployed near Access Points;
• Cover 40,000 square feet of typical office space;
• Provide 24x7 monitoring of all WLAN activities;
• Capture wireless traffic from Access Points and stations;
• Report to a back-end server; and
• Are centrally managed.

The server appliances:
• Analyze traffic in real time;
• Discover WLANs and rogue deployments;
• Detect intrusions and impending threats;
• Include ActiveDefense technologies to respond to attacks, network misconfigurations, and policy violations;
• Enforce WLAN policies;
• Monitor WLAN performance and troubleshoot network issues;
• Offer a secure web-based interface; and
• Provide comprehensive reporting.

AirDefense’s Differentiating Technology

AirDefense was developed based on sophisticated, patent-pending data capture and analysis technology. With its State-Analysis Engine™, AirDefense provides 24x7, real-time monitoring of all WLAN traffic and correlates the data among its Multi-Dimensional Detection Engine™ to identify security risks.

AirDefense is the only WLAN security solution to provide stateful monitoring of the airwaves. Stateful means that AirDefense provides continuous monitoring of the “state” of communication between all Access Points and stations transmitting on the airwaves. With a minute-by-minute account of all WLAN traffic, intruders are immediately recognized, attacks are quickly detected, and appropriate measures can be taken to secure the network. The State-Analysis Engine enables AirDefense to track and control the flow of communication on an enterprise WLAN.

AirDefense built its patent-pending Multi-Dimensional Detection Engine as a WLAN intrusion detection system based upon multiple detection technologies exclusively designed for Layer 1 and Layer 2 of 802.11 protocols.

Traditional intrusion detection systems are plagued by false positives because they rely on a single detection technology – mostly attack signatures. AirDefense has developed its Multi-Dimensional Detection Engine as a comprehensive WLAN intrusion detection system that integrates multiple detection technologies that correlate data to recognize real threats and reduce false positives. The patent-pending State-Analysis Engine coordinates inputs and the multi-dimensional detection engine analyzes threats to identify security breaches based on:
• Signature analysis
• Policy compliance
• Protocol assessment
• Statistically anomalous behavior.

ActiveDefense technology allows AirDefense to integrate with enterprise WLANs and respond to attacks, network misconfigurations, and policy violations. Once an intruder or attack is identified, AirDefense communicates with the Access Point to terminate the malicious connection. If an access point is identified as violating a configuration policy, such as mandated encryption, AirDefense reconfigures the Access Point to only allow encrypted traffic to flow through WLAN.

By monitoring wireless device traffic, AirDefense can isolate, prevent, or mitigate network intrusions and subsequent downtime.
– InfoWorld, March 2003

Combating Wireless Threats & Attacks

AirDefense secures wireless LANs with 24x7 stateful monitoring of all wireless traffic and advanced intrusion detection. The State Analysis Engine and Multi-Dimensional Detection Engine power AirDefense to secure wireless LANs against the threats and attacks mentioned in this paper.

Combating Rogue WLANs & Insecure Network Configurations

By monitoring the airwaves for all wireless LAN traffic, AirDefense identifies rogue access points and network vulnerabilities as soon as they arise. Freeware, such as Netstumbler and Kismet, and other commercial scanners can survey the airwaves for rogue access points and some network vulnerabilities. However, this process requires a network administrator to physically walk through the wireless LAN coverage area for the scanner to pick up data that the network administrator interprets to identify all access points and wireless LAN traffic. While this process requires the physical presence and valuable time of a network manager, the effectiveness is limited because it only samples the airwaves for threats. New rogue access points and other vulnerabilities can arise after a scan and will not be detected until the next time a network administrator surveys the network.

Only AirDefense provides 24x7 monitoring of the airwaves to provide and identify:
• Site Surveys
• Rogue Deployments
• Unauthorized Use
• Security Vulnerabilities.

Combating Malicious & Accidental Associations

By monitoring all wireless LAN traffic, AirDefense identifies all wireless LAN stations and access points in the area. AirDefense then analyzes the traffic to ensure that the stations and laptops are only associating with authorized users. Network security managers are alerted to the intruders or accidental associations, and AirDefense has the ability to disconnect stations from unauthorized access points and disconnect unauthorized stations from network access points.

Combating MAC Spoofing & Identity Theft

AirDefense monitors the airwaves of wireless LANs and detects MAC spoofing by identifying when one MAC address is in use by more than one station on the network at the same time. AirDefense also identifies when a MAC address is spoofed by analyzing the vendor “fingerprints” of the wireless LAN cards connecting to the network. Once an intruder is identified, AirDefense can disconnect the unauthorized station.

Combating Man-in-the-Middle Attacks

A VPN with strong mutual authentication can guard against many Man-in-the-Middle attacks. AirDefense protects a wireless LAN against all Man-in-the-Middle attacks by first identifying the attack as it occurs, then alerting security managers of the attack, and finally disconnecting the attacker from the network.

AirDefense identifies the attack based on known attack signatures and protocol abuses whereby the hacker forces an access point and station to alter the established protocols for association and authentication.

Combating Denial-of-Service Attacks

In monitoring the health of a wireless LAN, AirDefense alerts network security managers to Denial-of-Service attacks and can combat many forms of DoS attacks by launching a reverse attack on the hacker.

About AirDefense, Inc.

AirDefense is a thought leader and innovator of wireless LAN security and operational support solutions. Founded in 2001, AirDefense pioneered the concept of 24x7 monitoring of the airwaves and now provides the most advanced solutions for rogue WLAN detection, policy enforcement, intrusion protection and monitoring the health of wireless LANs.

As a key element of wireless LAN security, AirDefense complements wireless VPNs, encryption and authentication. Based on a secure appliance and remote sensors, AirDefense solutions scale to support single offices, corporate campuses or hundreds of locations. Blue chip companies and government agencies rely upon AirDefense solutions to secure and manage wireless LANs around the globe.

For more information or feedback on this white paper, please contact:

AirDefense, Inc.
11475 Great Oaks Way
Suite 200
Alpharetta, GA 30022
www.AirDefense.net
phone: 770.663.8115
email: info@airdefense.NET

Copyright © 2003, AirDefense, Inc. www.airdefense.net
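The monitoring checks this paper calls for (stations associating with unauthorized access points, vendor "fingerprint" mismatches and one MAC address in simultaneous use, and floods of disassociate commands) can be written as rules over sensor observations. The following Python code is an added example, not AirDefense code and not part of the original paper. The record format, thresholds, MAC addresses and prefix table are constructed, and it assumes the sensor already reports a card-vendor fingerprint for each frame.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Policy inputs. Every address and table entry here is constructed for the example.
AUTHORIZED_APS = {"00:40:96:aa:00:01", "00:40:96:aa:00:02"}    # sanctioned BSSIDs
MANAGED_STATIONS = {"00:40:96:11:22:33", "00:02:2d:44:55:66"}  # enterprise laptops
OUI_VENDOR = {"00:40:96": "cisco", "00:02:2d": "orinoco"}      # sample prefix table

FLOOD_WINDOW_S = 10     # sliding window for counting disassociate frames
FLOOD_THRESHOLD = 5     # disassociates per window treated as a flood
OVERLAP_WINDOW_S = 30   # two card types on one MAC inside this span = simultaneous use


@dataclass(frozen=True)
class Frame:
    ts: float    # seconds since the start of the capture
    kind: str    # "assoc", "disassoc" or "data"
    src: str     # transmitter MAC address
    bssid: str   # BSSID the frame was sent within
    card: str    # card vendor inferred by the sensor (assumed input)


def analyze(frames):
    """Return [(timestamp, alert_name, subject_mac), ...] in capture order."""
    alerts, raised = [], set()
    disassoc_times = defaultdict(deque)   # bssid -> timestamps of recent disassociates
    cards_seen = defaultdict(dict)        # src MAC -> {card vendor: last timestamp}

    def raise_once(ts, name, subject):
        # Report each (alert, subject) pair only the first time it fires.
        if (name, subject) not in raised:
            raised.add((name, subject))
            alerts.append((ts, name, subject))

    for f in sorted(frames, key=lambda fr: fr.ts):
        src, bssid = f.src.lower(), f.bssid.lower()

        # 1. Malicious or accidental association: a managed station joins a
        #    BSSID that is not on the sanctioned list.
        if f.kind == "assoc" and src in MANAGED_STATIONS and bssid not in AUTHORIZED_APS:
            raise_once(f.ts, "unauthorized-association", src)

        # 2. Vendor fingerprint check: the card type observed on the air does
        #    not match the vendor the MAC prefix belongs to.
        expected = OUI_VENDOR.get(src[:8])
        if expected is not None and f.card != expected:
            raise_once(f.ts, "vendor-mismatch", src)

        # 3. Simultaneous use: two different card types transmit with the
        #    same MAC address within the overlap window.
        seen = cards_seen[src]
        seen[f.card] = f.ts
        active = [c for c, t in seen.items() if f.ts - t <= OVERLAP_WINDOW_S]
        if len(active) > 1:
            raise_once(f.ts, "mac-in-simultaneous-use", src)

        # 4. Disassociate flood: too many disassociate frames for one BSSID
        #    inside the sliding window.
        if f.kind == "disassoc":
            recent = disassoc_times[bssid]
            recent.append(f.ts)
            while recent and f.ts - recent[0] > FLOOD_WINDOW_S:
                recent.popleft()
            if len(recent) >= FLOOD_THRESHOLD:
                raise_once(f.ts, "disassociate-flood", bssid)
    return alerts


# Constructed observations, as a sensor near two access points might report them.
SAMPLE = [
    Frame(0.0, "assoc", "00:40:96:11:22:33", "00:40:96:aa:00:01", "cisco"),
    Frame(1.0, "data", "00:40:96:11:22:33", "00:40:96:aa:00:01", "cisco"),
    # A managed laptop associates with a BSSID that is not sanctioned.
    Frame(2.0, "assoc", "00:02:2d:44:55:66", "02:00:00:00:be:ef", "orinoco"),
    # The first laptop's MAC appears again, but from an Orinoco-type card.
    Frame(5.0, "assoc", "00:40:96:11:22:33", "00:40:96:aa:00:01", "orinoco"),
    Frame(6.0, "data", "00:40:96:11:22:33", "00:40:96:aa:00:01", "cisco"),
] + [
    # Six disassociate frames in 2.5 seconds carrying the second AP's address.
    Frame(20.0 + i * 0.5, "disassoc", "00:40:96:aa:00:02", "00:40:96:aa:00:02", "cisco")
    for i in range(6)
]

if __name__ == "__main__":
    for ts, name, subject in analyze(SAMPLE):
        print(f"{ts:6.1f}s  {name:26s} {subject}")
```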