
Wireless Intrusion Detection System

The document discusses the importance of Wireless Intrusion Detection Systems (WIDS) in securing wireless networks, which are particularly vulnerable to various types of attacks due to their open nature and lack of centralized management. It outlines the components, architectures, and functionalities of WIDS, emphasizing the need for effective monitoring and policy enforcement to protect against unauthorized access and ensure network security. The paper also highlights the limitations of traditional wired IDS in addressing the unique challenges posed by wireless environments.


International Journal of Computer Applications (0975 – 8887)

Volume 5– No.8, August 2010

Wireless Intrusion Detection System


Snehal Boob, TE (COMP), C.C.O.E.W, Karvenagar, Pune
Priyanka Jadhav, TE (COMP), C.C.O.E.W, Karvenagar, Pune

ABSTRACT
The rapid proliferation of wireless networks and mobile computing applications has changed the landscape of network security. The recent denial of service attacks on major Internet sites have shown us that no open computer network is immune from intrusions. The wireless ad-hoc network is particularly vulnerable due to its features of open medium, dynamic changing topology, cooperative algorithms, lack of centralized monitoring and management point, and lack of a clear line of defense. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective.

The IDS engine is the control unit of the intrusion detection system. Its main purpose is to manage the system, i.e., supervise all operations of the intrusion detection system. Its duty depends on the intrusion detection method used.

Wireless has opened a new and exciting world for many of us. Its technology is advancing and changing every day and its popularity is increasing. The biggest concern with wireless, however, has been security.

The traditional wired IDS is a great system, but unfortunately it does little for the wireless world. Implementing WIDS systems is definitely a step in the right direction. If you have wireless and are concerned about attacks and intruders, a WIDS may be a great idea.

Keywords
Intrusion Detection System, Sensors, Policy Enforcement, Stations & Access Points

1. INTRODUCTION
The networking revolution has finally come of age. The possibilities and opportunities of the changing internet computing are limitless; so too are the risks and chances of malicious intrusions.

It is very important that the security mechanisms of a system are designed so as to prevent unauthorized access to system resources and data. However, completely preventing breaches of security appears, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection.

Wireless has opened a new and exciting world for many of us. Its technology is advancing and changing every day and its popularity is increasing. The biggest concern with wireless, however, has been security. Along with improved encryption schemes, a new solution to help combat this problem is the Wireless Intrusion Detection System (WIDS). In the security and wireless world this has fast become a major part of securing a network.

1.1 Computer Security and Its Role
One broad definition of a secure computer system is given by Garfinkel and Spafford as one that can be depended upon to behave as it is expected to. It is always a point of benefit to integrate security with dependability and how to obtain a dependable computing system.

Dependability is the trustworthiness of a system and can be seen as the quality of the service a system offers. Integrating security and dependability can be done in various ways. One approach is to treat security as one characteristic of dependability on the same level as availability, reliability and safety as shown in the figure.

[Figure: Dependability, with Availability, Reliability, Safety and Security as its characteristics]

A narrower definition of security is the possibility for a system to protect objects with respect to confidentiality, authentication, integrity and non-repudiation.

Confidentiality: Transforming data such that only authorized parties can decode it.
Authentication: Proving or disproving someone’s or something’s claimed identity.
Integrity checking: Ensuring that data cannot be modified without such modification being detectable.
Non-repudiation: Proving that a source of some data did in fact send data that he might later deny sending.

1.2 What is an Intrusion Detection System?
An Intrusion Detection System (IDS) is a software or hardware tool used to detect unauthorized access of a computer system or network. A wireless IDS performs this task exclusively for the wireless network. These systems monitor traffic on your network, looking for and logging threats and alerting personnel to respond.


1.3 Why use a Wireless Intrusion Detection System?
The traditional wired IDS system does very little for the wireless world. The problem with wireless is that in addition to attacks that may be performed on a wired network, the medium itself has to be protected. To do this there are many measures which can be taken; however, there are even more tools designed to break them. Due to the nature of wireless LANs (WLAN), it can be difficult to control the areas of access. Often the range of a wireless network reaches outside the physical boundaries of an organization. With such a problem with wireless security, developing and implementing WIDS systems is definitely a step in the right direction. If you have wireless and are concerned about attacks and intruders, a WIDS may be a great idea.

A large number of possible attacks can be detected by a WIDS. The major attacks and events that can be detected with the help of a WIDS are: rogue devices (such as an employee plugging in an unauthorized wireless router), incorrect configurations, connectivity problems, jamming, man-in-the-middle attacks, wardrivers, scanning with programs like Netstumbler or Kismet, RF interference, MAC spoofing, DoS attacks, brute-force attempts to get past 802.1x, strong RFI, or use of traffic injection tools. Different WIDS devices and software have different capabilities in what can be detected. Make sure the WIDS you choose fits your company’s profile.

There are currently only a handful of vendors who offer a wireless IDS solution - but the products are effective and have an extensive feature set. Popular wireless IDS solutions include Airdefense, RogueWatch and Airdefense Guard, and Internet Security Systems Realsecure Server sensor and wireless scanner products. A homegrown wireless IDS can be developed with the use of the Linux operating system, for example, and some freely available software. Open source solutions include Snort-Wireless and WIDZ, among others.

2. WLAN STANDARDS
Most WLANs use the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of WLAN standards. The most commonly used WLAN radio transmission standards are IEEE 802.11b and IEEE 802.11g, which use the 2.4 gigahertz (GHz) band, and IEEE 802.11a, which uses the 5 GHz band. IEEE 802.11a, b, and g include security features known collectively as Wired Equivalent Privacy (WEP). Unfortunately, WEP has several well-documented security problems. To overcome these, IEEE 802.11i was created; it specifies security components that work in conjunction with IEEE 802.11a, b, and g.

Another set of WLAN standards has been created by a non-profit industry consortium of WLAN equipment and software vendors called the Wi-Fi Alliance. While IEEE was working on finalizing the 802.11i standard, the Alliance created an interim solution called Wi-Fi Protected Access (WPA). Published in October 2002, WPA is essentially a subset of the draft IEEE 802.11i requirements available at that time. WPA provides stronger security for WLAN communications than WEP. In conjunction with the ratification of the IEEE 802.11i amendment, the Wi-Fi Alliance introduced WPA2, its term for interoperable equipment that is capable of supporting IEEE 802.11i requirements. WPA2 offers stronger security controls than either WPA or WEP.

3. COMPONENTS AND ARCHITECTURE
This section describes the major components of a typical wireless IDS and illustrates the most common network architectures for these components. It also provides recommendations for the placement of certain components. (Refer to Figure 1.)

IEEE 802.11 WLANs have two fundamental architectural components:

Station (STA). A STA is a wireless endpoint device. Typical examples of STAs are laptop computers, personal digital assistants (PDA), mobile phones, and other consumer electronic devices with IEEE 802.11 capabilities.

Access Point (AP). An AP logically connects STAs with a distribution system (DS), which is typically an organization’s wired infrastructure. The DS is the means by which STAs can communicate with the organization’s wired LANs and external networks such as the Internet. Figure 1 shows an example of how APs, STAs, and DSs are related.

FIGURE 1: WIRELESS LAN ARCHITECTURE EXAMPLE

Some WLANs also use wireless switches. A wireless switch is a device that acts as an intermediary between APs and the DS.

The IEEE 802.11 standard also defines the following two WLAN architectures:

Ad Hoc Mode: The ad hoc mode does not use APs. Ad hoc mode, also known as peer-to-peer mode, involves two or more STAs communicating directly with one another.

Infrastructure Mode: In infrastructure mode, an AP connects wireless STAs to a DS, typically a wired network.

3.1 Typical Components
The typical components in a wireless IDS are consoles, database servers (optional), management servers, and sensors.


A wireless IDS works by sampling traffic. There are two frequency bands to monitor (2.4 GHz and 5 GHz), and each band is separated into channels. It is not currently possible for a sensor to monitor all traffic on a band simultaneously; a sensor has to monitor a single channel at a time. When the sensor is ready to monitor a different channel, the sensor must shut its radio off, change the channel, then turn its radio on. The longer a single channel is monitored, the more likely it is that the sensor will miss malicious activity occurring on other channels. To avoid this, sensors typically change channels frequently, which is known as channel scanning, so that they can monitor each channel a few times per second. To reduce or eliminate channel scanning, specialized sensors are available that use several radios and high-power antennas, with each radio/antenna pair monitoring a different channel. Because of their higher sensitivities, the high-power antennas also have a larger monitoring range than regular antennas. Some implementations coordinate scanning patterns among sensors with overlapping ranges so that each sensor needs to monitor fewer channels.

Wireless sensors are available in multiple forms:

3.1.1 Dedicated:
A dedicated sensor is a device that performs wireless IDS functions but does not pass network traffic from source to destination. Dedicated sensors are often completely passive, functioning in a radio frequency (RF) monitoring mode to sniff wireless network traffic. Some dedicated sensors perform analysis of the traffic they monitor, while other sensors forward the network traffic to a management server for analysis. The sensor is typically connected to the wired network (e.g., Ethernet cable between the sensor and a switch). Dedicated sensors are usually designed for one of two deployment types:

Fixed—the sensor is deployed to a particular location. Such sensors are typically dependent on the organization’s infrastructure (e.g., power, wired network). Fixed sensors are usually appliance-based.

Mobile—the sensor is designed to be used while in motion. For example, a security administrator could use a mobile sensor while walking through an organization’s buildings and campus to find rogue APs. Mobile sensors are either appliance-based or software-based (e.g., software installed onto a laptop with a wireless NIC capable of doing RF monitoring).

3.1.2 Bundled with an AP:
Several vendors have added IDS capabilities to APs. A bundled AP typically provides a less rigorous detection capability than a dedicated sensor because the AP needs to divide its time between providing network access and monitoring multiple channels or bands for malicious activity. If the IDS only needs to monitor a single band and channel, a bundled solution might provide reasonable security and network availability. If the IDS has to monitor multiple bands or channels, then the sensor needs to perform channel scanning, which will disrupt the AP functions of the sensor by making it temporarily unavailable on its primary band and channel.

3.1.3 Bundled with a Wireless Switch:
Wireless switches are intended to assist administrators with managing and monitoring wireless devices; some of these switches also offer some wireless IDS capabilities as a secondary function. Wireless switches typically do not offer detection capabilities as strong as bundled APs or dedicated sensors.

Because dedicated sensors can focus on detection and do not need to carry wireless traffic, they typically offer stronger detection capabilities than wireless sensors bundled with APs or wireless switches. However, dedicated sensors are often more expensive to acquire, install, and maintain than bundled sensors because bundled sensors can be installed on existing hardware, whereas dedicated sensors involve additional hardware and software. Organizations should consider both security and cost when selecting wireless IDS sensors.

Some vendors also have host-based wireless IDS sensor software that can be installed on STAs, such as laptops. The sensor software detects attacks within range of the STAs, as well as misconfigurations of the STAs, and reports this information to management servers. The sensor software may also be able to enforce security policies on the STAs, such as limiting access to wireless interfaces.

3.2 Network Architectures
Wireless IDS components are typically connected to each other through a wired network. A separate management network or the organization’s standard networks can be used for wireless IDS component communications. Because there should already be a strictly controlled separation between the wireless and wired networks, using either a management network or a standard network should be acceptable for wireless IDS components. Also, some wireless IDS sensors (particularly mobile ones) are used standalone and do not need wired network connectivity. (Refer to Figure 2.)

FIGURE 2: WIRELESS IDS ARCHITECTURE
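The channel-scanning trade-off described in section 3.1 can be put into numbers. The model below is an added example, not code from the paper: it compares a single scanning sensor, three sensors that coordinate their scan patterns, and a multi-radio sensor with one radio per channel. The dwell time, retune time, burst length and the 11-channel list are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanPlan:
    """One radio's scan schedule. Timing defaults are assumptions, not paper values."""
    channels: tuple          # channels this radio visits, in order
    dwell_ms: float = 20.0   # listening time per visit (assumed)
    retune_ms: float = 5.0   # radio off, change channel, radio on (assumed)

    @property
    def cycle_ms(self):
        # A radio parked on a single channel never retunes.
        overhead = self.retune_ms if len(self.channels) > 1 else 0.0
        return len(self.channels) * (self.dwell_ms + overhead)

    def visits_per_second(self):
        """How often each channel in the plan is revisited."""
        return 1000.0 / self.cycle_ms

    def duty_cycle(self):
        """Fraction of time spent listening on any one channel of the plan."""
        return self.dwell_ms / self.cycle_ms

    def p_observe(self, burst_ms):
        """Probability that a burst of burst_ms, starting at a uniformly random
        time, overlaps a dwell window on its channel. Any overlap counts as
        observed, which is an optimistic assumption."""
        return min(1.0, (self.dwell_ms + burst_ms) / self.cycle_ms)


def coordinate(channels, n_sensors, **timing):
    """Split a channel list round-robin among sensors with overlapping range,
    so that each sensor scans fewer channels."""
    return [ScanPlan(tuple(channels[i::n_sensors]), **timing)
            for i in range(n_sensors)]


def worst_case(plans, burst_ms):
    """Lowest observation probability over all channels covered by the plans."""
    return min(p.p_observe(burst_ms) for p in plans)


BAND_2_4GHZ = tuple(range(1, 12))  # channels 1-11, an assumed channel plan


def compare(burst_ms=30.0):
    """Worst-case chance of seeing one short burst under three deployments."""
    solo = [ScanPlan(BAND_2_4GHZ)]
    trio = coordinate(BAND_2_4GHZ, 3)
    per_channel = [ScanPlan((ch,)) for ch in BAND_2_4GHZ]  # multi-radio sensor
    return {
        "single sensor": worst_case(solo, burst_ms),
        "three coordinated sensors": worst_case(trio, burst_ms),
        "one radio per channel": worst_case(per_channel, burst_ms),
    }


if __name__ == "__main__":
    print(f"single sensor revisits each channel "
          f"{ScanPlan(BAND_2_4GHZ).visits_per_second():.1f} times per second")
    for name, p in compare().items():
        print(f"{name:28s} worst-case P(observe 30 ms burst) = {p:.2f}")
```

With these assumed timings the single sensor revisits each channel a few times per second yet still misses most short bursts, which is the gap that coordinated scanning and multi-radio sensors narrow.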


3.3 Sensor Locations
Choosing sensor locations for a wireless IDS deployment is a fundamentally different problem than choosing locations for any other type of IDS sensor. If the organization uses WLANs, wireless sensors should be deployed so that they monitor the RF range of the organization’s WLANs (both APs and STAs), which often includes mobile components such as laptops. Many organizations also want to deploy sensors to monitor physical regions of their facilities where there should be no WLAN activity, as well as channels and bands that the organization’s WLANs should not use, as a way of detecting rogue APs and ad hoc WLANs.

3.3.1 Physical Security:
Sensors are often deployed into open locations (e.g., hallway ceilings, conference rooms) because their range is much greater there than in closed locations (e.g., wiring closets). Sensors are sometimes deployed outdoors as well. Generally, sensors in open interior locations and external locations are more susceptible to physical threats than other sensors. If the physical threats are significant, organizations might need to select sensors with anti-tamper features or deploy sensors where they are less likely to be physically accessed (e.g., within view of a security camera).

3.3.2 Sensors Location
The actual range of a sensor varies based on the surrounding facilities (e.g., walls, doors). Some wireless IDS vendors offer modeling software that can analyze building floor plans and the attenuation characteristics of walls, doors, and other facility components to determine effective locations for sensors. Sensor range can also vary based on the location of people within the facility and other changing characteristics, so sensors should be deployed so that their ranges have some overlap (e.g., at least 20%).

4. MANAGEMENT
Most wireless IDS products offer similar management capabilities. This section discusses major aspects of management—implementation, operation, and maintenance—and provides recommendations for performing them effectively and efficiently.

4.1 Implementation
Once a wireless IDS product has been selected, the administrators need to design the architecture, perform IDS component testing, secure the IDS components, and then deploy them. Implementing a wireless IDS can necessitate brief wireless network outages if existing APs or wireless switches need to be upgraded or have IDS software installed. Generally, the deployment of sensors causes no network outages.

4.2 Operation and Maintenance
Wireless IDS consoles offer similar management, monitoring, analysis, and reporting capabilities. One significant difference is that wireless IDPS consoles can display the physical location of threats. A minor difference is that because wireless IDS sensors detect a relatively small variety of events, compared to other types of IDSs, they tend to have signature updates less frequently.

5. POLICY ENFORCEMENT
A wireless IDS not only detects attackers, it can also help to enforce policy. WLANs have a number of security-related issues, but many of the security weaknesses are fixable. With a strong wireless policy and proper enforcement, a wireless network can be as secure as the wired equivalent - and a wireless IDS can help with the enforcement of such a policy.

Suppose policy states that all wireless communications must be encrypted. A wireless IDS can continually monitor the 802.11 communications and if a WAP or other 802.11 device is detected communicating without encryption, the IDS will detect and notify on the activity. If the wireless IDS is pre-configured with all the authorized WAPs and an unknown (rogue) WAP is introduced to the area, the IDS will promptly identify it. Features such as rogue WAP detection, and policy enforcement in general, go a long way to increase the security of the WLAN. The additional assistance a wireless IDS provides with respect to policy enforcement can also maximize human resource allocation. This is because the IDS can automate some of the functions that humans would ordinarily be required to manually accomplish, such as monitoring for rogue WAPs.

6. THREATS AGAINST WLANS
Wireless attacks typically require the attacker or a device placed by the attacker to be within close physical proximity to the wireless network. However, many WLANs are configured so that they do not require any authentication or require only weak forms of authentication; this makes it much easier for local attackers to perform several types of attacks, such as a man-in-the-middle attack.

Most WLAN threats involve an attacker with access to the radio link between a STA and an AP (or between two STAs, in ad hoc mode). Many attacks rely on an attacker’s ability to intercept network communications or inject additional messages into them.

Hackers can also attack a WLAN and gather sensitive data by introducing a rogue WAP into the WLAN coverage area. The rogue WAP can be configured to look like a legitimate WAP and, since many wireless clients simply connect to the WAP with the best signal strength, users can be "tricked" into inadvertently associating with the rogue WAP. Once a user is associated, all communications can be monitored by the hacker through the rogue WAP.

7. SUMMARY
Wireless has opened and is opening many new possibilities for expanding networks. Its potential is amazing.

A wireless IDS monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity. The typical components in a wireless IDS are consoles, database servers (optional), management servers, and sensors. Wireless sensors are available in multiple forms. Wireless IDS components are typically connected to each other through a wired network. Because there should already be a strictly controlled separation between the wireless and wired networks, using either a management network or a standard network should be acceptable for wireless IDS components. Choosing sensor locations for a wireless IDS deployment is a fundamentally different problem than choosing locations for any other type of IDS sensor. Compared to other forms of IDS, wireless IDS is generally more accurate; this is largely due to its limited scope.

8. CONCLUSION
As with most new technologies, wireless has several vulnerabilities. It is important to note that absolute security is an abstract concept – it does not exist anywhere. All networks are vulnerable to insider or outsider attacks, and eavesdropping. No one wants to risk having the data exposed to the casual observer or opened to malicious mischief.

Wireless IDS solutions are available from both the open-source and commercial markets and both have their own advantages. Wireless intrusion detection systems are an important addition to the security of wireless local area networks. With the capability to detect probes, DoSs, and a variety of 802.11 attacks, in addition to assistance with policy enforcement, the benefits of a wireless IDS can be substantial. Of course, just as with a wired network, an IDS is only one part of a greater security solution. WLANs require a number of other security measures to be employed before an adequate level of security can be reached, but the addition of a wireless IDS can greatly improve the security posture of the entire network. With the immense rate of wireless adoption, the ever-increasing number of threats to WLANs, and the growing complexity of attacks, a system to identify and report on threat information can greatly enhance the security of a wireless network.

9. REFERENCES
[1] Wireless Intrusion Detection Systems Including Incident Response & Wireless Policy, by Jeff Dixon. http://www.infosecwriters.com/text_resources/pdf/Wireless_IDS_JDixon.pdf
[2] An Overview of the Wireless Intrusion Detection System, by Oliver Poblete. http://www.sans.org/reading_room/whitepapers/wireless/overview-wireless-intrusion-detection-system_1599
[3] Guide to Intrusion Detection and Prevention Systems (IDPS), NIST special publication 800-94, by Karen Scarfone, Peter Mell. http://www.sans.org/reading_room/whitepapers/wireless/overview-wireless-intrusion-detection-system_1599
[4] Wireless Intrusion Detection Systems, Security Articles, by Jamil Farshchi.
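The policy checks described in section 5 (encryption required, pre-configured list of authorized WAPs) and the monitoring goals of section 3.3 (ad hoc WLANs, areas with no expected WLAN activity) can be expressed as rules over beacon observations. The following is an added example, not code from the paper or from any WIDS product; the log format, BSSIDs, SSIDs, sensor names and finding names are constructed for illustration.

```python
from dataclasses import dataclass

# Capability Information bits carried in IEEE 802.11 beacon frames.
CAP_ESS = 0x0001      # sender is an AP (infrastructure mode)
CAP_IBSS = 0x0002     # sender is a station in ad hoc mode
CAP_PRIVACY = 0x0010  # encryption required; set for WEP as well as WPA/WPA2

# Constructed policy data: authorized WAP inventory (BSSID -> SSID, channel)
# and sensors covering areas where no WLAN activity is expected.
AUTHORIZED = {
    "02:00:00:aa:00:01": ("CORP", 1),
    "02:00:00:aa:00:02": ("CORP", 6),
}
QUIET_ZONE_SENSORS = {"s-warehouse"}

# Constructed sensor observations, one beacon per line (SSIDs without spaces).
SAMPLE_LOG = """\
sensor=s-lobby bssid=02:00:00:aa:00:01 ssid=CORP ch=1 cap=0x0411
sensor=s-lobby bssid=02:00:00:bb:00:09 ssid=CORP ch=6 cap=0x0401
sensor=s-floor2 bssid=02:00:00:AA:00:02 ssid=CORP ch=11 cap=0x0411
sensor=s-warehouse bssid=02:00:00:cc:00:03 ssid=setup ch=3 cap=0x0002
"""


@dataclass(frozen=True)
class Beacon:
    sensor: str
    bssid: str
    ssid: str
    channel: int
    cap: int


def parse(line):
    """Parse one 'key=value ...' observation line into a Beacon."""
    f = dict(item.split("=", 1) for item in line.split())
    return Beacon(f["sensor"], f["bssid"].lower(), f["ssid"],
                  int(f["ch"]), int(f["cap"], 16))


def evaluate(b):
    """Return the policy findings for one beacon, in a fixed order."""
    findings = []
    inventory = AUTHORIZED.get(b.bssid)
    known_ssids = {ssid for ssid, _ in AUTHORIZED.values()}
    if b.cap & CAP_IBSS:
        findings.append("ADHOC_NETWORK")
    if not b.cap & CAP_PRIVACY:
        findings.append("UNENCRYPTED")
    if inventory is None and b.cap & CAP_ESS:
        findings.append("ROGUE_WAP")
        if b.ssid in known_ssids:
            # Unknown radio advertising one of the organization's network names.
            findings.append("SSID_LOOKALIKE")
    if inventory is not None and inventory != (b.ssid, b.channel):
        # A BSSID can be spoofed, so an allow-list match is not proof of
        # legitimacy; a mismatch with the inventory is worth an alert.
        findings.append("INVENTORY_MISMATCH")
    if b.sensor in QUIET_ZONE_SENSORS:
        findings.append("QUIET_ZONE_ACTIVITY")
    return findings


def audit(log_text):
    """Map each offending BSSID to its findings; compliant beacons are omitted."""
    report = {}
    for line in log_text.splitlines():
        if line.strip():
            b = parse(line)
            result = evaluate(b)
            if result:
                report[b.bssid] = result
    return report


if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_LOG).items():
        print(bssid, ", ".join(findings))
```

The Privacy bit only shows that some encryption is required; telling WEP from WPA or WPA2 needs the security information elements of the beacon, which this example does not parse.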
