Wireless Intrusion Detection Solutions
Last updated Jul 8, 2005.
This section takes a closer look at some of the wireless intrusion detection programs available for free and a couple of proprietary solutions that you have to pay for. Most of the free solutions require some flavor of Linux (Red Hat 9.0 in our case), which means you will need a little Linux know-how to get these programs up and running. For Windows users, we will look at a free Windows program and a couple of solutions from Network Chemistry that not only detect wireless attacks but also go so far as to keep attackers off a network with the click of a button.
Network Chemistry
We try to be vendor neutral here when we review technologies and products, but you will probably note a little appreciation for RFprotect. I first noticed this product as a result of several reviews, one from SC Magazine and the other from Network Computing, both of which gave it a Best Buy award. I point this out so you can read what others have written and know that this biased impression isn't mine alone.
The reason I initially selected Network Chemistry is that it seemed to offer a distributed wireless IDS for a price that most small and medium businesses can afford. While there are several $30,000+ solutions out there with the horsepower to meet enterprise-level needs, the low entry cost and scalability of Network Chemistry mean it can work for the small guy just as easily as for the big guy. For about $2000, you can purchase and install an RFprotect solution that does everything you will want it to.
RFprotect Products
RFprotect comes in two flavors: a distributed server/client model, and a Mobile RFprotect product that lets you take an IDS with you wherever you travel. The following outlines the features and parts of each.
RFprotect Distributed: This option includes one or more RFprotect Sensors that can be placed throughout the site. The sensors monitor the airwaves for 802.11 a/b/g traffic (figure 1), which is parsed for interesting information that is uploaded to a database on a dedicated server. A remote client program is then used to connect to the server, view the logs/alerts, and manage the Sensors as required. This setup is great for a campus or business environment that hosts a spread-out wireless network. While one Sensor can cover a fairly wide area, it is easy to install additional sensors as required.
RFprotect Mobile: This option turns your laptop into a wireless IDS, using an installed wireless network card to perform the collection. The program basically gives you real-time access to the threats and RF information collected. Additionally, the collected data can be uploaded to an existing RFprotect Distributed server. As a result, this program can be used in combination with other RFprotect sensors to help locate detected threats via triangulation algorithms.
Which product you need is based on your particular setup. If you only have one access point, then the mobile solution might be all you need. If you have a large building, then you might want an RFprotect Distributed 5-pack. The nice thing about either choice is that both use the same interface and provide the same level of detail about your wireless network. Therefore, the rest of this review applies to both products unless otherwise stated.
RFprotect Application
The RFprotect application connects to a database that holds the information parsed from the RF sensor. Upon viewing the main screen, you are given eight main tabs (figure 1) to choose from. These eight options provide an excellent segue into describing the main features and functions RFprotect has to offer.
Figure 1 Main functions of RFprotect
Dashboard (Figure 2): The dashboard provides a good overview of the information being collected by the sensors. Alerts, RF spectrum analyzer, top talkers, etc. are all displayed for a quick review of what is happening in the airwaves. While not strictly security related, this information is very nice to see when trying to figure out why a network has unexplainable drops, or low throughput. You can quickly spot interference or other related problems that can be corrected by simply changing a channel.
Figure 2 RFprotect Dashboard
Network (figure 3): This screen shows a list of current and previous contacts and their highest signal strength. If the item is grayed out, then it is no longer in use or within range of the detector. To learn more about the object, you can double click it to access the Station Details window that is covered later in this review.
Figure 3 Network Overview
Alerts (Figure 4): The alerts window is where you can find the list of threats, alerts, and other informational logs. Figure 4 highlights just some of the hundreds of possible alerts RFprotect can detect and identify. You can double click on the alert to learn a little more about what it means to your wireless network security. There are also numerous options available by right clicking on an alert. For example, you can add the selected station to an authorized or unauthorized list, acknowledge the alert, access detailed station information, or even kick the station off a network.
Note: Network Chemistry also makes a Packet Analyzer (Packetyzer) program based on Ethereal’s analyzer engine. You can use the sensor as a packet collector and funnel it all to your computer for review as required. While this product is an extra expense, if you want to see what is in the air without using Linux, you might want to consider this option.
Note 2: Of interest, it is also possible to inject your own custom packets into the air using Packetyzer, which can be used to speed up WEP cracking or just kick people offline. While there are programs that allow you to do this in Linux, Packetyzer makes it relatively simple for the low-level network geek.
Figure 4 Alerts window
RF Environment: This screen simply shows you the current scanning status and the detected networks. Much of the same information is viewable from the Dashboard screen, so no additional screen shot is needed. Just note that RFprotect is more than just an IDS; it is also an RF analyzer.
Reports: RFprotect really shines when it comes to producing valuable reports. Whether you want a complete listing of alerts, a list of all the WLAN devices on your network, or just an audit of system activities, the reporting function has it covered. Figure 5 represents the top part of the WLAN Device Inventory Report.
Figure 5 WLAN Device Inventory Report
RFlocate: As previously hinted at, RFprotect can actually be used to detect and locate wireless devices. This option does take some work as you have to upload an image of the layout of the coverage area. You will also have to have several sensors onsite or have RFprotect Mobile in order to find the target. If used in conjunction with a mobile sensor, you will be able to quickly locate and find the offending device. In fact, it is reported that RFlocate has achieved unprecedented accuracy when it comes to locating wireless devices thanks to their ability to turn a laptop into a sensor.
RFshield: Intrusion detection systems are generally log-only solutions. This means they only detect and alert an admin that something is wrong. RFprotect takes this one step further and provides a method of fighting back, or in other words, removing the threat. This option has several benefits. First, if a sensor is installed at a remote site and the administrator is on the other side of the world, they can easily restrict the offending device from getting onto the network. This is accomplished by taking advantage of a little-known part of the wireless protocol known as Deauthentication packets. Once a device has been labeled as a threat, an administrator can right click on it and select RFshield, which basically causes the sensor to send out deauthentication packets repeatedly in an attempt to kick the target off the network. While this can cause serious problems if used by the wrong person, in this case the power to deauthenticate unwanted stations is a great tool.
Figure 6 RFshield Window
Station Details (Figure 7): As previously discussed, most parts of RFprotect allow you to view more information about a selected station/AP. In this window you can get more detailed and live information about the signal strength, see alerts that are specific to the device, view packet rate information, and perform a rogue AP check. The rogue check is of interest because it lets you see whether the device is actually connected to your network via both a wireless check, which attempts to route packets through the AP, and a wired check, which attempts to route packets to the AP.
Figure 7 RFshield Window
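To make the alerting logic described above concrete (the authorized/unauthorized station lists from the Alerts tab, the rogue AP check from Station Details, and the deauthentication frames RFshield relies on), here is a small added example of a wireless IDS rule engine; it is not RFprotect's code, and the sensor observations, MAC addresses, allow-list, and thresholds are all constructed for illustration.

```python
# Added example, not Network Chemistry's code: a minimal wireless IDS rule
# engine over parsed 802.11 management-frame metadata, modelled on the
# rogue-AP and deauthentication alerts a WIDS sensor such as RFprotect raises.
from collections import defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"
KNOWN_AP = "00:11:22:33:44:55"   # constructed: the site's own access point
UNKNOWN_AP = "66:77:88:99:aa:bb" # constructed: an AP not on the allow-list
AUTHORIZED_APS = {KNOWN_AP}      # constructed allow-list (the "authorized list")

# Constructed sensor observations: (timestamp_s, frame_subtype, bssid, dst).
# One isolated deauth from the real AP is normal; a burst spoofing the AP's
# BSSID at t=5.0s is the pattern a deauthentication attack leaves on the air.
SAMPLE_FRAMES = [
    (0.0, "beacon", KNOWN_AP, BCAST),
    (0.1, "beacon", UNKNOWN_AP, BCAST),
    (1.0, "deauth", KNOWN_AP, "aa:bb:cc:dd:ee:01"),
] + [(5.0 + i * 0.1, "deauth", KNOWN_AP, BCAST) for i in range(5)]

DEAUTH_THRESHOLD = 5  # deauth frames from one BSSID ...
DEAUTH_WINDOW = 2.0   # ... within this many seconds raises an alert

def rogue_ap_alerts(frames, authorized):
    """Flag every beaconing BSSID that is not on the authorized list (once each)."""
    seen, alerts = set(), []
    for _, subtype, bssid, _ in frames:
        if subtype == "beacon" and bssid not in authorized and bssid not in seen:
            seen.add(bssid)
            alerts.append(("ROGUE_AP", bssid))
    return alerts

def deauth_flood_alerts(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW):
    """Sliding window per BSSID: alert once when >= threshold deauths fall inside window."""
    recent, alerted, alerts = defaultdict(list), set(), []
    for ts, subtype, bssid, _ in sorted(frames):
        if subtype != "deauth":
            continue
        times = recent[bssid]
        times.append(ts)
        while times and ts - times[0] > window:  # expire old timestamps
            times.pop(0)
        if len(times) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append(("DEAUTH_FLOOD", bssid))
    return alerts

def run_ids(frames, authorized):
    """Run all rules and return the ordered alert list for the sensor feed."""
    return rogue_ap_alerts(frames, authorized) + deauth_flood_alerts(frames)

if __name__ == "__main__":
    for alert in run_ids(SAMPLE_FRAMES, AUTHORIZED_APS):
        print(*alert)
```

A real sensor would also see its own containment traffic when RFshield is active, so a production rule would whitelist the sensor's transmissions before counting deauthentication frames.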
From this short overview of RFprotect, you should be able to see that it is a full-featured program that is easy for the new user and detailed enough for the geek. With hundreds of detection features, location algorithms, strike-back features, and even wireless analyzers, you really can't beat it. In all honesty, there is no free product out there that even comes close to what RFprotect can do, and as far as I know, RFprotect offers the most bang for the buck when compared to other proprietary solutions. So, if you want to spend about $1000 on a single product or $2000 on a five-sensor pack (prices are based on the website as of 7/1/2005), you definitely want to give RFprotect a test!