Newbury Networks’ WiFi Watchdog

An invisible fence to keep attack dogs away from your WLAN.

One of the biggest Wi-Fi security fears for network professionals is the “van in the parking lot” scenario, in which an intruder breaks into the network from outside the company’s walls.

Newbury Networks tackles this problem with WiFi Watchdog, which uses location-based technology to let administrators set up physical borders for the wireless LAN (WLAN). If a user is inside the “border,” connections are allowed. Anywhere outside the network, connections are denied, even if the wireless signal is present. The system also detects rogue access points and has other security features to help protect the WLAN.

We recently tested the WiFi Watchdog system and found that while it has an arduous installation process, it eventually pays off with very good results. WiFi Watchdog won’t replace wireline security or other network defenses, but it can be a good component as part of a secure wireless network. WiFi Watchdog overlays existing and compatible (meaning access points must be on its long approved list) WLAN infrastructure. It doesn’t optimize infrastructure in the way that homogeneous switched or other types of WLAN equipment does. Rather, it’s an authenticator/de-authenticator with strong location-based smarts.

How the system works

WiFi Watchdog is a system of passive sensors that use patented methods to locate wireless 802.11b/g users inside an administrator-defined physical geography. Watchdog is used as an overlay to an existing Wi-Fi network that has access points that can authenticate through the RADIUS protocol.

Users within the physical Watchdog boundaries are authenticated through a Newbury-provided RADIUS server and RADIUS-compatible access points. An administrative system (a dedicated Windows 2000/XP PC is suggested) tracks user location and allows authentication via RADIUS following a procedure that the Watchdog application manages.

Watchdog sensors (called LocalePoints) are passive 802.11 access points that add to the intelligence that physical training gains – you need to “walk the dog” around the perimeters of an installation so the sensors become familiar with the geometry of the wireless layout. The LocalePoints then triangulate clients and access points, establish a relative location, and match the location against a database to continue authentication or remove it. In practical use, physical location tracking will prevent a number of common attacks, but it cannot protect against wireline attacks. Additionally, the Watchdog system currently only supports 802.11b/g systems, although 802.11a monitoring might be added soon, Newbury says.

Dancing through installation

The location-training process requires walking around with a working Wi-Fi device and pirouetting (making a 360-degree rotation) so the LocalePoints can learn specific location characteristics. A large sampling is not necessary; just enough to establish boundaries, including ingress/egress points and other boundaries where Watchdog can draw “authentication lines.” This information is used to plot user movements and rogue detection points on a user-defined layout map.

Before you do this, though, there is software installation to overcome. We found that Watchdog needs to be installed on an otherwise pristine platform, because it required very specific versions of MySQL and Sun’s Java software developers kit. The wide compatibility of these two products lets these devices be installed on a number of platforms, including Windows 2000 and above (we used XP), Linux 2.4 and above (we used 2.4.7), and Sun Solaris (we didn’t try Solaris or Mac OS/X 10.3).

The LocalePoints are highly modified Cisco/Linksys access points, initially configured on the same logical IP subnet as the WiFi Watchdog Management AP – and the MySQL-Java SDK combination.

We had difficulty configuring the LocalePoints with the Watchdog-bundled Windows-based SensorManager. Part of the application should update the LocalePoint with its IP information and WLAN scanning information, and we found that at times it didn’t. (See How we did it.)

After the LocalePoints are discovered and configured, the Watchdog Web-based application manages wireless devices, users and the like. The application runs as a service on Windows and has an “.initrc-launched” application on Linux, both with MySQL.

Watchdog defines physical geography as Zones that contain Locales and areas are either inside or outside a Locale. The sequence of events required to get good location data mandates that Locales are defined, installed as Zones within an on-screen, two-dimensional layout.

Signatures or measurements between two locales are taken, and physical walkabout is required with a Watchdog feature called the Predictor. Signatures then are bound to the locales. Measurements also are taken at transition points between locales, so the inside/outside signatures can be determined.

Once the setup is complete, there’s the matter of taking discovered devices and putting them into groups for administrative purposes. Watchdog does not integrate with directory services, so users and group information must either be imported or entered manually.

The bite of Watchdog

We tried to attack the Watchdog system in two common ways: testing its location-based authentication system and trying common spoofing/cracking attempts.

Location-based authentication in both testing layouts was strong. When we went out the door, it took from a few to 20 seconds before Watchdog would cut us off. We took 20 measurements to train Watchdog where inside and outside were, and paid special attention to common demarcation points – doorways -and we were rewarded with consistent service.

We also made signatures at various points outside the layout perimeter and thwarted the “van in the parking lot” spoof. Indeed, we found that if we went upstairs and downstairs from our two layouts and made signatures there, we could prevent unauthorized logons. This means that high-density Wi-Fi environments can be protected in a 3-D air space.

We also tried man-in-the-middle attacks (attempts to hijack an existing association to an access point by using a client) using spoofed media access control addresses and “stolen” Wired Equivalent Privacy keys. Again, location-based and signature information was used to authorize the correct device. Ad hoc mode devices also could be readily identified, and once again alarms were sent correctly.

It was possible to forge access-point credentials, shut off an access point and substitute it with a like-model access point, an event that properly generated an alarm no matter how fast we switched in the substitute access point. This disappearance from the radar could let an intruder substitute equipment that might enable a wireline connection (such as an Ethernet port on a wireless router). Wireless connection attempts through the forged access point still would be detected and not authenticated through RADIUS, however. Because WiFi Watchdog doesn’t cover wireline access (although it certainly can be controlled in other ways), such breaches could open uncontrolled, albeit wireline, access.

Downsides

The test LocalePoints that Newbury sent us weren’t quite finished, but were usable. The default system configuration permits the LocalePoints to probe the network that it’s on by sending port probes to the wireline broadcast addresses. This will set off intruder alarms as the probes look to intrusion-detection systems and firewall applications as various kinds of Trojan attacks. This feature fortunately can be turned off.

The SNMP traps Watchdog sends also must use the SNMP community name public, despite user SNMP community name entry options. As the use of the SNMP community name “public” has known security problems, this is a moderate security flaw for a product otherwise strongly focused on security.

Finally, Watchdog takes a good deal of threading into an installation to become useful. The target user will be someone familiar with several facets of system administration, and you’ll need a mid-level technical staffer to sew together everything.

But when sewn correctly, Watchdog should prove difficult to defeat. The correct infrastructure is required to make it work, and the Watchdog must be trained and set up correctly. The payoff comes when you walk out a door and watch your FTP session cut off in midstream as you become de-authenticated. Our unscientific location-based accuracy testing found that Watchdog is accurate to about 5 feet.