Maximum Wireless Security

URL: http://www.wildpackets.com

Supported Platforms

Windows 9x/ME/2000/XP

Description

AiroPeek NX is the most comprehensive and feature-packed wireless analyzer available. This program not only performs real-time monitoring and analysis of 802.11b traffic, but it also provides virtual mapping, traffic filtering, and intrusion detection. In short, this program is the only diagnostic software you need to keep a watchful eye on any WLAN.

Requirements

You will need to review the requirements for AiroPeek NX before using this program. Although it does support Windows operating systems, the program has some hardware guidelines that need to be considered. Table 9.3 shows a list of WNICs that AiroPeek supports. Note that Lucent's ORiNOCO WNICs require Windows 2000.

Table 9.3. WNICs Supported by AiroPeek

Vendor            Model
Cisco Systems     340 Series PC Card
Cisco Systems     350 Series PC Card
Symbol            Spectrum24 11 Mbps DS PC Card
Nortel Networks   e-mobility 802.11 WLAN PC Card
Intel             PRO/Wireless 2011 LAN PC Card*
3Com              AirConnect 11Mbps WLAN PC Card
Lucent            ORiNOCO PC Card (Silver/Gold)

Installation

Installation of AiroPeek NX is fairly straightforward, with the exception of getting your WNIC to work with the program. A demo is available for testing, or you can purchase the full version from the http://www.wildpackets.com Web site. Once you obtain the software, you will want to disable any virus protection software, remove previous versions of the software, and proceed through the installation process.

The demo and full versions of AiroPeek differ in features and limits on use. Figure 9.36 shows a list of functional restrictions placed on the demo version as prepared by AiroPeek NX.

Figure 9.36. Demo limits window.

The only additional installation process is that of the WildPackets driver needed to allow AiroPeek to interface with the WNIC. This driver is included with the software, and can often be found in the C:\Program Files\WildPackets\AiroPeek\drivers folder. To install the driver, you will need to perform the following steps. Note that depending on the OS and how you have it configured, these steps might be slightly different. (The following instructions are for ORiNOCO).

  1. Go to the Start Menu > Settings > Network and Dial-up Connections.

  2. Locate the WNIC that will be used with AiroPeek and select Properties from the right-click menu.

  3. Click the Configure button, select the Driver tab, and then click Update Driver.

  4. Click Next.

  5. Select Display a List of the Known Drivers for This Device and then click the Next button.

  6. Click the Have Disk button.

  7. Locate the C:\Program Files\WildPackets\AiroPeek\Driver directory and select the appropriate driver.

  8. Click Open and then OK.

  9. Choose the WNIC's manufacturer and network adapter and click Next.

  10. If the Digital Signature Was Not Found message appears, click OK.

  11. If asked for the file WLLUC48.SYS, select the same directory as in step 7.

  12. Click Finish to complete the installation and close the Properties window.

  13. Click OK and reboot.

Your network adapter should now be set up with the supplied AiroPeek NX driver. If not, review the documentation provided by AiroPeek NX, or call them for technical support. At the time of this writing, we have found WildPackets to be one of the most courteous and responsive vendors in the industry.

Using AiroPeek NX

Once you get past AiroPeek's requirements, you will quickly forget about any and all trouble (if you had any) getting the program operational. (In our tests, we had to either install Windows 2000 or purchase yet another WNIC to get it working). This program is a dream to use, has excellent features and informational tools, and is fairly easy to understand. From the complex analysis of packet traffic to the sexy speedometer bandwidth gauges (see Figure 9.37), this tool is an excellent choice for WLAN monitoring. The following will describe some of the features and useful options this program sports.

Figure 9.37. AiroPeek's bandwidth gauges.

Real-Time/Saved-Time Monitoring

AiroPeek can perform real-time monitoring and analysis of WLAN traffic. This is its main purpose, and as such there are many options to help you drill down on the data.

In addition to real-time analysis, AiroPeek allows you to save a capture file and replay the capture as if it were live. To do this, you simply open a capture file and sit back to watch the data flow. By doing this, AiroPeek allows you to search for patterns.

When operating AiroPeek, there are several different views you can use to analyze data. These are presented through different tabs at the bottom of the capture window. The following is a list of these options and their general purpose.

  • Packets This is the first screen you will see when initializing a capture. Its main purpose is to list the source/destination MAC address and various other bits of information that can help you determine how traffic is flowing (see Figure 9.38).

    Figure 9.38. Packet listing window.

    This information is useful in many ways. For example, if you were trying to track down an unauthorized access point, or interference problems, you would want to look at an overview of the data presented in this screen. In addition to this general information, by double-clicking on a packet, you can get a very detailed look at the data in the packet as well as a vast amount of supporting statistical data (see Figure 9.39).

    Figure 9.39. Packet data detail.

  • Nodes The Nodes screen presents a statistical overview of all the detected nodes that appear while capturing WLAN data. As you can see in Figure 9.40, the node screen can provide a snapshot of a WLAN's heaviest user. If you want to see more detail on a particular node, a simple double-click on that listing will provide the protocol data and packet statistics.

    Figure 9.40. Node statistics.

  • Protocols When viewing a WLAN's data, administrators often want to know what type of data is being transmitted over their networks. This can help network technicians track down abuse, dysfunctional hardware, and even hackers. As you can see in Figure 9.41, our sniffing session captured mostly beacon signals. This indicates that there are networks in the area that are transmitting their BSSID to any WNIC that happens to wander into their area.

    Figure 9.41. Protocol statistics.

  • Size Another quick snapshot option available to AiroPeek users is the packet size distribution. This is a very useful feature if you suspect a DoS attack against the WLAN. By seeing how big the packet sizes are, you can quickly spot abnormal traffic flow, which can help track down or eliminate WLAN problems. Figure 9.42 is the size analysis of our test scan.

    Figure 9.42. Packet size distribution.

  • Summary The summary tab shows a breakdown of all the collected data statistics. This is simply another view of the data illustrated in the Packets/Nodes/Protocols/Size tabs, but it presents the information in a format that allows you to spot problems, attacks, and more.

  • History The history tab provides you with a graphical illustration of data flux. This information can be useful if you are trying to determine peak WLAN traffic times, which can then be used to regulate bandwidth control settings, and more. This is yet another excellent management tool that AiroPeek NX provides you to monitor your WLAN's traffic.

  • Channels When setting up multiple access points or WLANs in a local area, it is important to be sure that you avoid interference. By viewing the channel statistics, you can see what channels are in use and how heavily they are loaded. This can help you determine where to place clients and access points and how to manage WLAN bandwidth issues.

  • Log If there are filters, alarms, or other flags that you want to monitor when using AiroPeek, refer to this screen. AiroPeek NX provides you with full logging capability.

  • Expert (Expert Analysis) Expert is one of the features that separate AiroPeek from other programs that attempt to imitate it. Using preset flags, this feature allows you to make AiroPeek NX a powerful anomaly detector. By selecting from a list of built-in problem filters and warning flags, you can create a rule set that monitors your WLAN traffic for particular signs of over use, misuse, and more. In Figure 9.43, you can see alert listings that can be used to create a warning system for your WLAN.

    Figure 9.43. Expert ProblemFinder settings window.

    NOTE

    This software package is continuously being updated. Recent additions to this program include rogue AP detection, support for 802.11a traffic and more.

  • Peer Map Our favorite feature in this program is the mapping capability. AiroPeek NX will monitor directional flow and create a virtual map of the data relationships. This tool is incredibly useful for getting the big picture of how people are using the WLAN. With the mapping tool, you can quickly spot intruders, bandwidth hogs, and unauthenticated traffic. Because it is visual, this tool can also be used to explain to non-technical types what a WLAN does and where your problems lie. It is much easier to point your manager to a bold line (representing traffic flow) than to explain that user X is using all the bandwidth. Figure 9.44 provides an illustration of how the maps can be used.

    Figure 9.44. Mapping small WLAN traffic.
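The Nodes, Protocols, Size and Channels tabs described above are all aggregations over the same decoded frames. The following Python is an added example (editor's code, not AiroPeek's or the book's) that computes those four views over a small constructed capture; the frame tuple layout, the size buckets and the "small frame share" indicator used to spot the flood pattern the Size tab hints at are assumptions made for the illustration.

```python
"""Statistics views over a constructed 802.11 capture.

Editor's example; the frame layout (source MAC, kind, channel, size in
bytes) and the size buckets are assumptions, not AiroPeek internals.
"""
from collections import Counter, defaultdict

# Constructed sample capture: (source MAC, frame kind, channel, size in bytes)
FRAMES = [
    ("00:02:2d:aa:aa:01", "beacon", 6, 102),
    ("00:02:2d:aa:aa:01", "beacon", 6, 102),
    ("00:02:2d:bb:bb:01", "beacon", 11, 98),
    ("00:40:96:11:11:11", "data", 6, 1500),
    ("00:40:96:11:11:11", "data", 6, 1500),
    ("00:60:1d:22:22:22", "data", 6, 64),
    ("00:60:1d:22:22:22", "probe_request", 6, 56),
    ("00:60:1d:22:22:22", "data", 11, 300),
]

# Upper bound (inclusive) and label for each size bucket; assumed layout.
SIZE_BUCKETS = [(64, "<=64"), (127, "65-127"), (255, "128-255"),
                (511, "256-511"), (1023, "512-1023"), (1518, "1024-1518")]


def node_stats(frames):
    """Nodes view: packet and byte totals per source MAC."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, _kind, _channel, size in frames:
        stats[src]["packets"] += 1
        stats[src]["bytes"] += size
    return dict(stats)


def heaviest_node(frames):
    """The single source that transmitted the most bytes."""
    stats = node_stats(frames)
    return max(stats, key=lambda mac: stats[mac]["bytes"])


def protocol_stats(frames):
    """Protocols view: how many frames of each kind were seen."""
    return Counter(kind for _src, kind, _channel, _size in frames)


def size_bucket(size):
    """Map a frame length onto its bucket label."""
    for upper, label in SIZE_BUCKETS:
        if size <= upper:
            return label
    return ">1518"


def size_distribution(frames):
    """Size view: frame count per size bucket."""
    return Counter(size_bucket(size) for _src, _kind, _channel, size in frames)


def small_frame_share(frames):
    """Fraction of frames in the smallest bucket; a sudden jump suggests a flood."""
    if not frames:
        return 0.0
    return size_distribution(frames)["<=64"] / len(frames)


def channel_load(frames):
    """Channels view: bytes carried on each channel."""
    load = Counter()
    for _src, _kind, channel, size in frames:
        load[channel] += size
    return dict(load)


if __name__ == "__main__":
    print("heaviest node:", heaviest_node(FRAMES))
    print("protocols:", dict(protocol_stats(FRAMES)))
    print("sizes:", dict(size_distribution(FRAMES)))
    print("channel load:", channel_load(FRAMES))
```

Each function mirrors one tab; feeding them the same frame list is what lets the Summary tab present all four breakdowns at once.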

Security Audit Templates

As previously mentioned, AiroPeek NX can serve as a wireless intrusion detection tool. This is a necessity for any company that wishes to safely deploy WLANs. The security template acts like a ruleset in a firewall or LAN-based IDS. By monitoring for various traffic patterns, AiroPeek can detect suspicious activity. The following is a list of the items detected and the reasons they are included. See Figure 9.45 for the filter screenshot.

Figure 9.45. Security audit filter.

  • Contention Free Indicates that an access point is polling stations for transmission versus the more secure method of a station attempting to connect to an access point.

  • Default ESSID Indicates a rogue access point that could have been set up by a disobedient employee or a hacker.

  • Unfamiliar Client Indicates an unauthorized client is attempting to connect to the network.

  • HSRP, IGRP, OSPF, Spanning Tree These are routing methods and protocols that should not be used on WLANs. Because these are redundancy and performance-enhancing methods, they could be used to bypass AP security.

  • Non-WEP If a WLAN is using WEP (and it should), non-WEP packets would indicate an unauthorized connection attempt.

  • RTS These are the requests to send packets, which are used on CSMA networks. This is a potential weakness of 802.11b networks.

  • SNMP (not necessarily via SNMP; often via Telnet or HTTP) Excessive SNMP traffic could indicate a hacker attempting to access the AP's settings.

  • Telnet Telnet is the long-time favorite tool for hackers. Although Telnet sessions are usually valid, if this traffic shows up unexpectedly, an administrator will want to investigate.

Alarms

AiroPeek comes with several important alarms. The following is a list of each alert and its purpose.

  • Wireless Distribution System In Use This indicates that there are relays set up that could indicate the WLAN's boundaries are beyond the "seen" horizon.

  • Excessive 1 Mbit/s Packet Transmission Low packet transmission means the WLAN is overloaded, or WLAN users are on the outer border of the radiation zone. Either is an issue that needs to be addressed to ensure maximum efficiency.

  • Excessive 802.11 Management Traffic As with the security template, excessive SNMP traffic indicates someone is altering or attempting to connect to a device using SNMP. This type of traffic should be expected only when administrators are adjusting settings.

  • WEP IV Errors Weak WEP keys should never occur. If this is happening, and WEP is the only form of protection, you will need more protection to ensure your wireless data is secure.
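The security audit template and the alarms above are both rule sets applied to decoded frames: per-frame matches (default ESSID, unfamiliar client, non-WEP data, Telnet and SNMP) and capture-wide thresholds (WDS in use, excessive management traffic, excessive 1 Mbit/s transmission). The Python below is an added example from the editor, not AiroPeek's rules or the book's code, showing both kinds over a constructed capture. The frame field names, the list of default ESSIDs, the authorized-client set and the alarm thresholds are all assumptions chosen for the illustration; WEP IV checking is left out because it needs the encrypted payload, which this record format does not carry.

```python
"""Rule-based audit of a constructed 802.11 frame capture.

Editor's example. Field names (src, dst, ftype, subtype, ssid, protected,
to_ds, from_ds, rate_mbps, dst_port), the default ESSID list, the
authorized client set and the thresholds are assumptions.
"""
from collections import Counter

# Constructed sample frames standing in for a decoded capture.
FRAMES = [
    {"src": "00:02:2d:aa:aa:01", "ftype": "mgmt", "subtype": "beacon", "ssid": "corp-wlan",
     "protected": False, "to_ds": 0, "from_ds": 0, "rate_mbps": 1},
    {"src": "00:02:2d:aa:aa:02", "ftype": "mgmt", "subtype": "beacon", "ssid": "tsunami",
     "protected": False, "to_ds": 0, "from_ds": 0, "rate_mbps": 1},
    {"src": "00:40:96:11:11:11", "ftype": "data", "subtype": "data",
     "protected": True, "to_ds": 1, "from_ds": 0, "rate_mbps": 11, "dst_port": 80},
    {"src": "00:60:1d:22:22:22", "ftype": "data", "subtype": "data",
     "protected": False, "to_ds": 1, "from_ds": 0, "rate_mbps": 1, "dst_port": 23},
    {"src": "00:40:96:11:11:11", "ftype": "data", "subtype": "data",
     "protected": True, "to_ds": 1, "from_ds": 0, "rate_mbps": 11, "dst_port": 161},
    {"src": "00:02:2d:aa:aa:03", "ftype": "data", "subtype": "data",
     "protected": True, "to_ds": 1, "from_ds": 1, "rate_mbps": 2},
]

# Illustrative list of factory ESSIDs; a real deployment would maintain its own.
DEFAULT_ESSIDS = {"tsunami", "linksys", "default", "wireless"}
# Assumed inventory of stations allowed on this WLAN.
AUTHORIZED_CLIENTS = {"00:40:96:11:11:11"}


def audit_frames(frames, authorized=AUTHORIZED_CLIENTS, wep_required=True):
    """Security audit template: per-frame rule matches as (frame index, rule, source)."""
    findings = []
    for i, f in enumerate(frames):
        if f["ftype"] == "mgmt" and f.get("subtype") == "beacon":
            if f.get("ssid", "").lower() in DEFAULT_ESSIDS:
                findings.append({"frame": i, "rule": "default_essid", "src": f["src"]})
        if f["ftype"] == "data":
            # ToDS=1/FromDS=0 is a station talking to its AP; ToDS=1/FromDS=1 is
            # AP-to-AP (WDS) traffic and is judged by the alarm below instead.
            station_frame = f["to_ds"] == 1 and f["from_ds"] == 0
            if station_frame and f["src"] not in authorized:
                findings.append({"frame": i, "rule": "unfamiliar_client", "src": f["src"]})
            if wep_required and not f["protected"]:
                findings.append({"frame": i, "rule": "non_wep", "src": f["src"]})
            port = f.get("dst_port")
            if port == 23:
                findings.append({"frame": i, "rule": "telnet", "src": f["src"]})
            elif port in (161, 162):
                findings.append({"frame": i, "rule": "snmp", "src": f["src"]})
    return findings


def raise_alarms(frames, mgmt_ratio=0.5, low_rate_ratio=0.2):
    """Capture-wide alarms evaluated over the whole frame list."""
    alarms = []
    if not frames:
        return alarms
    # Four-address frames (ToDS and FromDS both set) mean a WDS relay is in use.
    if any(f["to_ds"] == 1 and f["from_ds"] == 1 for f in frames):
        alarms.append("wds_in_use")
    mgmt = sum(1 for f in frames if f["ftype"] == "mgmt")
    if mgmt / len(frames) > mgmt_ratio:
        alarms.append("excessive_management_traffic")
    # Beacons are always sent at the base rate, so judge only data frames.
    data = [f for f in frames if f["ftype"] == "data"]
    if data and sum(1 for f in data if f["rate_mbps"] == 1) / len(data) > low_rate_ratio:
        alarms.append("excessive_1mbps_traffic")
    return alarms


def summarize(frames):
    """Count of findings per rule, the Log tab's one-line view."""
    return Counter(item["rule"] for item in audit_frames(frames))


if __name__ == "__main__":
    for item in audit_frames(FRAMES):
        print(f"frame {item['frame']}: {item['rule']} from {item['src']}")
    print("alarms:", raise_alarms(FRAMES))
    print("summary:", dict(summarize(FRAMES)))
```

Frame 3 in the sample trips three rules at once (an unlisted station, sending in the clear, to a Telnet port), which is the kind of clustering an administrator would investigate first; the thresholds are parameters so the same rules can be tuned per WLAN.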

As you can see, this program has a lot of potential. In fact, the only thing this program does not do is crack WEP protection, which is appropriate, as it is a commercial product meant to analyze WLAN traffic rather than serve as a hacker's tool. If you administer a large company with several WLANs, this is one program that might help you gain control over a seemingly impossible task. Prior to the release of this tool, management of WLAN traffic was a difficult thing to accomplish.

The most unique feature of AiroPeek, and possibly its biggest selling point, is its capability to act as an IDS. Although wired IDSs are quite common, and can help determine whether a WLAN is being used to access a network, the IDS will almost always finger the access point as the hacker. However, because the hacker is actually on the other side of the WLAN bridge (access point), a separate wireless IDS must be used to detect unauthorized or problematic traffic in the air. This feature alone helps justify the considerable cost of this program.
