Intrusion Detection
Last Post: May 31, 2005:
-
I know a lot of vendors (even Symbol) are now offering Intrusion Detection capabilities in Access Points. My understanding is that the Access Point radio is incapable of monitoring and transmitting/receiving data at the same time. Therefore, when it is scanning as part of Intrusion Detection, an Access Point would have to be down.
My question is, how is this implemented without affecting network performance? Are the scans fast enough that client stations don't notice? Do Access Points perform active scans so that they can stay up? Do clients roam to nearby Access Points when scanning occurs?
Thanks in advance for any help you all can offer on this.
Cheers,
Ben -
Most vendors who have Wireless IDS also have scanning-only mode or probe APs that are an overlay to the wireless network. This enables the AP vendor to allow higher gain antennas that provide a larger coverage area and don't have to comply with FCC restrictions since they are passive devices only, basically wireless sniffers that report all information back to a centralized management engine.
Joel -
Thanks, Joel. A few questions still come to mind.
1) I know some vendors advertise that you can use existing APs to do IDS functions while acting as APs. To me, this seems like a poor fit. Would you agree?
2) How do IDS sensors with high gain antennas handle traffic that comes across simultaneously? CSMA/CA requires that each frame is transmitted in a unique time space. An IDS sensor that can reach multiple APs might be able to monitor traffic from APs that have no CSMA/CA with each other. Therefore, you could get frames transmitting at the same time. I think this would affect protocol analysis and therefore IDS.
3) Does the higher gain antenna design not include IDS sensors with Deauth capabilities? I would assume that since these sensors are capable of transmitting, that they would have to conform to FCC rules. Or is there something in the code that reduces the transmission power to account for the higher gain antenna when Deauth frames are sent?
Thanks in advance for your help on this, Joel. I really appreciate the insight.
Cheers,
Ben -
If the AP is scanning while associating clients, then clients will be momentarily disassociated when the AP performs its scan on different channels. This will not be noticeable to end users, unless they are running protocols that are sensitive to delay/latency such as voice applications or multicast. If you don't have that type of environment then you could implement this solution without major issues. I don't recommend it because I like to design wireless networks that accommodate advanced capabilities.
Wireless probes are typically passive devices that listen to wireless traffic across multiple channels sequentially (not simultaneously, unless they have multiple radios). They leave the CSMA/CA traffic management up to the Wi-Fi devices. This is the overlay version of WIDS. They analyze devices that are communicating simultaneously as RF interference and report that to the management engine so the network admin can do something to resolve it. Usually WIDS are incorporated into an overall network analysis package as well, so you can not only tell that you are being hacked or interfered with, but also when it occurred and from where with a graphic "heat map" indication on a floorplan. Not all WIDS packages have this capability but the more robust ones I've seen do.
In addition, SOME (but not all) WIDS include active measures to contain undesirable clients and rogue APs. To do this they implement either wireless deauth processes or wired switch port disabling (some do both). Rarely will you see a device like that also act as a "normal" AP which associates regular wireless clients. If it doesn't do that then it does not have to comply with IEEE restrictions however it does have to comply with FCC restrictions (at least that's the way I understand it -- I could be wrong). There is still some controversy associated with active disassociations as to whether they are within the rights of a business owner's capability or not. Check your state laws for clarification (or more likely more confusion) on that issue.
Joel -
Thanks, Joel. There is just one other scenario that confuses me.
IDS sensor 1 (IDS1) has a high gain antenna so that it can monitor a larger area. AP1 and AP2 are both within range of IDS1, both on the same channel, but not within range of each other. Therefore, AP1 and AP2 can transmit at the same time with no interference and no CSMA/CA.
How does IDS1 accurately read the traffic from both AP1 and AP2 if they are transmitting simultaneously?
Cheers,
Ben -
If packets arrived at exactly the same microsecond then I would assume it would either ignore them or count them as a CRC error. As a passive device, it doesn't have to ACK or anything, it just has to "see" them.
I'll check further into this and see how we handle that situation.
Joel -
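The two effects discussed in this thread, a single-radio probe that can only listen to one channel at a time, and two APs that are hidden from each other landing on the air at the same instant so the probe sees a CRC error rather than two frames, can be put in a small deterministic model. The following is an added example, not code from any of the posters or from a WIDS vendor. Every parameter is constructed: a probe hopping channels 6, 1 and 11 with a 100 ms dwell, beacons assumed to take about 1 ms of airtime, AP1 and AP3 beaconing at the 802.11 default of 102.4 ms, and AP2 given a slightly different 100 ms interval so that its beacons drift relative to AP1's and eventually overlap. The sensor only classifies a frame it was tuned to for the frame's whole airtime; everything else is counted as missed.

```python
from collections import Counter
from dataclasses import dataclass

# All times are integer microseconds. Every parameter below is constructed for this example.
HORIZON_US = 3_000_000            # simulate 3 seconds of air time
BEACON_AIRTIME_US = 1_000         # assumed ~1 ms on the air for a beacon sent at a low basic rate
SENSOR_CHANNELS = [6, 1, 11]      # single-radio probe hops these channels in order
SENSOR_DWELL_US = 100_000         # assumed 100 ms dwell per channel before hopping


@dataclass(frozen=True)
class Frame:
    source: str
    channel: int
    start: int
    duration: int

    @property
    def end(self) -> int:
        return self.start + self.duration


def beacon_schedule(source, channel, offset_us, interval_us, horizon_us=HORIZON_US):
    """Periodic beacons from one AP. CSMA/CA only coordinates APs that can hear
    each other, so two hidden APs are free to transmit at the same instant."""
    frames = []
    t = offset_us
    while t + BEACON_AIRTIME_US <= horizon_us:
        frames.append(Frame(source, channel, t, BEACON_AIRTIME_US))
        t += interval_us
    return frames


def sensor_channel_at(t):
    """Channel the probe's radio is tuned to at time t (sequential scan, one channel at a time)."""
    return SENSOR_CHANNELS[(t // SENSOR_DWELL_US) % len(SENSOR_CHANNELS)]


def sensor_hears_whole_frame(frame):
    """The probe must be on the frame's channel for the whole frame, with no hop mid-frame."""
    last = frame.end - 1
    return (sensor_channel_at(frame.start) == frame.channel
            and frame.start // SENSOR_DWELL_US == last // SENSOR_DWELL_US)


def overlaps(a, b):
    """Two frames on the same channel whose airtimes intersect at the probe."""
    return a.channel == b.channel and a.start < b.end and b.start < a.end


def classify(frames):
    """Return (outcome counts, per-AP cleanly captured counts).

    missed   - probe was tuned to another channel during the frame
    corrupt  - probe was tuned in, but another frame was on the air at the same
               time, so it decodes as a CRC error rather than as either frame
    captured - frame decoded cleanly
    """
    outcome = Counter()
    per_source = Counter()
    for f in frames:
        if not sensor_hears_whole_frame(f):
            outcome["missed"] += 1
        elif any(overlaps(f, g) for g in frames if g is not f):
            outcome["corrupt"] += 1
        else:
            outcome["captured"] += 1
            per_source[f.source] += 1
    return dict(outcome), dict(per_source)


def build_scenario():
    """AP1 and AP2 share channel 6 but cannot hear each other; AP3 is alone on channel 1."""
    return (
        beacon_schedule("AP1", 6, 0, 102_400)
        + beacon_schedule("AP2", 6, 28_800, 100_000)
        + beacon_schedule("AP3", 1, 60_000, 102_400)
    )


if __name__ == "__main__":
    frames = build_scenario()
    outcome, per_source = classify(frames)
    print(f"{len(frames)} frames on the air; probe outcome: {outcome}")
    for src in ("AP1", "AP2", "AP3"):
        total = sum(1 for f in frames if f.source == src)
        print(f"{src}: {per_source.get(src, 0)}/{total} beacons captured cleanly")
```

With three channels and a single radio the probe is tuned to any given channel roughly a third of the time, so each AP's beacons are captured at about that rate, and the one instant where AP1 and AP2 beacon together is recorded as two corrupt frames rather than as traffic from either AP. Adding radios to the probe, or reducing the channel list, raises the captured fraction; nothing on the probe side can separate two frames that genuinely overlap on the same channel.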
Thanks, Joel. I appreciate it.