SEINIT Security for Heterogenous Mobile Network Services John Ronan, Miguel Ponce de Leon, Jimmy McGibney TSSG, Waterford Institute of Technology Ireland

Threats in Mobile/Wireless Networks Eavesdropping by a third party The medium is shared, public Hard to precisely control transmission range Often weak encryption Sometimes no encryption Bogus user Masquerading as genuine customer to gain illegitimate access or perpetrate fraud (e.g. free calls on telecoms networks) WiFi often has no authentication Cloning of Subscriber Identity Module (SIM) Stolen phones Bogus network Base station presenting itself as network to the user, for example to collect user data (not a major problem for GSM/UMTS at the moment) Denial of service e.g. by signal jamming

Eavesdropping by a third party

The medium is shared, public

Hard to precisely control transmission range

Often weak encryption

Sometimes no encryption

Bogus user

Masquerading as genuine customer to gain illegitimate access or perpetrate fraud (e.g. free calls on telecoms networks)

WiFi often has no authentication

Cloning of Subscriber Identity Module (SIM)

Stolen phones

Bogus network

Base station presenting itself as network to the user, for example to collect user data (not a major problem for GSM/UMTS at the moment)

Denial of service

e.g. by signal jamming

The Need for a smart access point WLAN: An open medium far more vulnerable than its “wired cousin” It needs powerful security functions: Authentication,Firewall, IDS, Honeypot, …

WLAN: An open medium far more vulnerable than its “wired cousin”

It needs powerful security functions:

Authentication,Firewall, IDS, Honeypot, …

What is an intrusion? “ Any attempt to compromise the confidentiality, integrity, or availability of a computer or network” “ Any attempt to bypass the security mechanisms of a computer or network”

“ Any attempt to compromise the confidentiality, integrity, or availability of a computer or network”

“ Any attempt to bypass the security mechanisms of a computer or network”

Intrusion Detection Systems “ Burglar alarm” within the network (or host) Protected Network Firewall Internet IDS Network-based Intrusion Detection System

“ Burglar alarm” within the network (or host)

Network-based Intrusion Detection System

Honeypots Definition: “ A resource whose value lies in being probed, attacked or compromised” System or component with no real-world value, set up to lure attackers By definition, all activity on a honeypot is highly suspect Advantages Collect small data sets of high value Reduce false positives Catch new attacks, false negatives Work in encrypted or IPv6 environments Simple concept requiring minimal resources Disadvantages Limited field of view Fingerprinting allows attackers to spot honeypots May introduce risk

Definition:

“ A resource whose value lies in being probed, attacked or compromised”

System or component with no real-world value, set up to lure attackers

By definition, all activity on a honeypot is highly suspect

Advantages

Collect small data sets of high value

Reduce false positives

Catch new attacks, false negatives

Work in encrypted or IPv6 environments

Simple concept requiring minimal resources

Disadvantages

Limited field of view

Fingerprinting allows attackers to spot honeypots

May introduce risk

Outline Major ideas The need for a smart access point Combining IDS and Honeypot Collaboration and “Reputation” Architecture Generic architecture 5 main components Sensor, Alert analysis, Action engine, Data control, Collaboration IDMEF Implementation Prototype architecture Hardware CqureAP Prelude-IDS Snort Honeyd

Major ideas

The need for a smart access point

Combining IDS and Honeypot

Collaboration and “Reputation”

Architecture

Generic architecture

5 main components

Sensor, Alert analysis, Action engine, Data control, Collaboration

IDMEF

Implementation

Prototype architecture

Hardware

CqureAP

Prelude-IDS

Snort

Honeyd

Combining IDS and Honeypots Common components Data collection Analysis and decision algorithm Action module Main differences Honeypot must be used to be effective IDS operate continuously on the data flow Both are necessary: IDS can provide information even if the honeypot is not the target of attacks . When used the honeypot provides more accurate and valuable information .

Common components

Data collection

Analysis and decision algorithm

Action module

Main differences

Honeypot must be used to be effective

IDS operate continuously on the data flow

Both are necessary:

IDS can provide information even if the honeypot is not the target of attacks .

When used the honeypot provides more accurate and valuable information .

Major O utcomes /Results A network of collaborative access points Exchange security information through a common vehicle Compute a “level of trust” for each host 5 Main components Sensors Alert Analysis Action engine Collaboration Data control

A network of collaborative access points

Exchange security information through a common vehicle

Compute a “level of trust” for each host

5 Main components

Sensors

Alert Analysis

Action engine

Collaboration

Data control

Implementation - Use available components CqureAP Linux based a 802.11 wireless AP Prelude-IDS Our core framework: an hybrid IDS Snort Used as a nids and a wireless sensor Honeyd Used to provide various honeypot services

CqureAP

Linux based a 802.11 wireless AP

Prelude-IDS

Our core framework: an hybrid IDS

Snort

Used as a nids and a wireless sensor

Honeyd

Used to provide various honeypot services

Implementation - Prelude IDS An hybrid, modular intrusion detection system, under GPL Reason for choice: Hybrid IDS, means multilayered intrusion detection Modularity: convenient plugin framework to add and remove module Extensibility: easy integration of existing or new application in the framework thanks to the libprelude library IDMEF compliant Main components : Libprelude, prelude-manager, sensors

An hybrid, modular intrusion detection system, under GPL

Reason for choice:

Hybrid IDS, means multilayered intrusion detection

Modularity: convenient plugin framework to add and remove module

Extensibility: easy integration of existing or new application in the framework thanks to the libprelude library

IDMEF compliant

Main components :

Libprelude, prelude-manager, sensors

Conclusion and outlook Ideal is a system that: Does not entirely rely on predetermined definitions such as signatures (so it can catch new attacks) Can keep running in the event of an attack Can learn to adapt to changing attack scenarios Generates few false alerts

Ideal is a system that:

Does not entirely rely on predetermined definitions such as signatures (so it can catch new attacks)

Can keep running in the event of an attack

Can learn to adapt to changing attack scenarios

Generates few false alerts