One of the biggest Wi-Fi security fears for network professionals is the "van in the parking lot" scenario, in which an intruder breaks into the network from outside the company's walls.
Newbury Networks tackles this problem with WiFi Watchdog, which uses location-based technology to let administrators set up invisible borders for the wireless LAN. If the location technology shows the user to be inside the "border", connections are allowed. Anywhere else, connections are denied, even if the wireless signal is present. The system also detects rogue access points and has other security features to help protect the WLAN (this method of controlling access to a WLAN is also promised by Cirond).
We recently tested the WiFi Watchdog system and found that while it has an arduous installation process, it eventually pays off with very good results. WiFi Watchdog won't replace wireline security or other network defenses, but it can be a good component as part of a secure wireless network. WiFi Watchdog overlays existing infrastructure, provided access points are on a (long) approved list. It doesn't optimise infrastructure in the way that homogeneous switched or other types of WLAN equipment does. Rather, it's an authenticator/de-authenticator with strong location-based smarts.
How the system works
WiFi Watchdog consists of a set of sensors - passive 802.11b/g access points called LocalePoints - and administration software, including a RADIUS server, which Newbury suggests should be run on a dedicated system.
The system sets up an overlay to an existing Wi-Fi network of access points that can authenticate through the RADIUS protocol. It uses patented methods to locate wireless 802.11b/g users and then authenticates those that fall within the prescribed physical region.
The system needs physical "training". You need to "walk the dog" around the perimeters of an installation so the sensors become familiar with the geometry of the wireless layout. The LocalePoints then triangulate clients and access points, establish a relative location, and match the location against a database to decide whether to continue authentication or remove it.
In practical use, physical location tracking will prevent a number of common attacks, but it cannot protect against wireline attacks. The Watchdog system currently only supports 802.11b/g systems, although 802.11a monitoring might be added soon, Newbury says.
Dancing through installation
The location-training process requires walking around with a working Wi-Fi device and pirouetting (making a 360-degree rotation) so the LocalePoints can learn specific location characteristics. A large sampling is not necessary; just enough to establish boundaries, including ingress/egress points and other boundaries where Watchdog can draw "authentication lines". This information is used to plot user movements and rogue detection points on a user-defined layout map.
Before you do this, though, there is software installation to overcome. We found that Watchdog needs to be installed on an otherwise pristine platform, because it required very specific versions of MySQL and Sun's Java software developers' kit. The wide compatibility of these two products means they can be installed on a number of platforms, including Windows 2000 and above (we used XP), Linux 2.4 and above (we used 2.4.7), Sun Solaris or Mac OS/X 10.3 (we didn't try these).
The LocalePoints are highly modified Cisco/Linksys access points, initially configured on the same logical IP subnet as the WiFi Watchdog Management AP - and the MySQL-Java SDK combination.
What we did
We installed WiFi Watchdog in its minimum configuration (four LocalePoints) in two locations (as used in our review of AirMagnet Distributed. The first location was a five-level office comprising 4,200 square feet and containing five access points. Two access points shared channels 6 and 11 and had nominal co-channel interference. The second installation location was a flat, 4,000 square-foot office in a business park containing six access points; this location had an adjacent business using one channel (1), while we used the other two non-interfering channels available (6 and 11). We used various access points from 3Com, DLink and Proxim and used four HP/Compaq notebooks with a variety of 802.11b and 802.11b/g cards; we also used two Apple Powerbook G4s using Apple internal ExtremeG cards.
We tested locale authentication and alarms using Windows XP and OS/X 10.2.3 clients (with the aforementioned notebooks) after 'training' Watchdog. Over a seven-day period, the MySQL database grew to only 35 Mbyte of data in size, and subsequently grew very slowly. The Watchdog application and MySQL database never took more than 20 percent CPU in the host machine (HP/Compaq ML330 Server with 1.3-GHz CPU and 1G-byte DRAM). We found the reports and logs WiFi Watchdog generated to brief and terse, but useful.
We had difficulty configuring the LocalePoints with the Watchdog-bundled Windows-based SensorManager. Part of the application should update the LocalePoint with its IP information and WLAN scanning information, and we found that at times it didn't.
After the LocalePoints are discovered and configured, the Watchdog Web-based application manages wireless devices, users and the like. On Windows, the application runs as a service and on Linux it is an ".initrc-launched" application, both with MySQL.
Watchdog defines physical geography as Zones that contain Locales and areas are either inside or outside a Locale. To get good location data, Locales must be defined and then installed as Zones within an on-screen, two-dimensional layout.
Signatures or measurements between two locales are taken: physical walkabout is required with a Watchdog feature called the Predictor. Signatures are then bound to the locales. Measurements are also taken at transition points between locales, so the inside/outside signatures can be determined.
Once the setup is complete, there's the matter of taking discovered devices and putting them into groups for administrative purposes. Watchdog does not integrate with directory services, so users and group information must either be imported, or entered, manually.
Strong against attacks
We tried to attack the Watchdog system in two common ways: testing its location-based authentication system and trying common spoofing/cracking attempts.
Location-based authentication in both testing layouts was strong. When we went out of the door, it took from a few to 20 seconds before Watchdog would cut us off. We took 20 measurements to train Watchdog where inside and outside were and paid special attention to common demarcation points - doorways -and we were rewarded with consistent service.
We also made signatures at various points outside the layout perimeter and thwarted the "van in the parking lot" spoof. Indeed, we found that if we went upstairs and downstairs from our two layouts and made signatures there, we could prevent unauthorised logons from different floors in the building. This means that high-density Wi-Fi environments can be protected in a 3-D air space.
We also tried man-in-the-middle attacks (attempts to hijack an existing association to an access point by using a client) using spoofed media access control addresses and "stolen" Wired Equivalent Privacy keys. Again, location-based and signature information was used to authorise the correct device. Ad hoc mode devices also could be readily identified and once again alarms were sent correctly.
It was possible to forge access-point credentials, shut off an access point and substitute it with a like-model access point, an event that properly generated an alarm no matter how fast we switched in the substitute access point. However, this disappearance from the radar could let an intruder substitute equipment that might enable a wireline connection (such as an Ethernet port on a wireless router). Wireless connection attempts, through the forged access point, would still be detected and not authenticated through RADIUS, however. Because WiFi Watchdog doesn't cover wireline access (although it certainly can be controlled in other ways) such breaches could open uncontrolled, albeit wireline, access.
The test LocalePoints that Newbury sent us weren't quite finished but were usable. The default system configuration lets the LocalePoints probe the network by sending port probes to the wireline broadcast addresses. This will set off intruder alarms, as the probes view intrusion-detection systems and firewall applications as various kinds of Trojan attacks. This feature fortunately can be turned off.
The SNMP traps Watchdog sends must use the SNMP community name "public", which has known security problems. This is a moderate security flaw for a product otherwise strongly focused on security.
Finally, Watchdog takes a good deal of threading into an installation to become useful. The target user will be someone familiar with several facets of system administration and you'll need a mid-level technical staffer to sew everything together.
But when sewn correctly, Watchdog should prove difficult to defeat. The correct infrastructure is required to make it work and the Watchdog must be trained and set up correctly. The payoff comes when you walk out of a door and watch your FTP session cut off in midstream as you become de-authenticated. Our unscientific location-based accuracy testing found that Watchdog is accurate to about 5 feet.
If you have serious concerns about intruders on your WiFi network - and a skilled tech staff to set this up - then WiFi Watchdog could help. If you already have other wireless management and switching systems, you should check whether its features are duplicated.