Wireless LAN Intrusion Prevention and Response System
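Abstract
Wireless local area networks (Wireless LAN, WLAN) using the IEEE 802.11 protocol are now widely deployed in the market. However, because of the open nature of wireless networks and flaws in the 802.11 protocol itself, WLAN security has always been threatened by a variety of intrusion methods, which has had a considerable impact on its development. The threats WLANs first faced were only basic ones: unauthorized users accessing network resources, network misconfiguration (installation of unauthorized access points), and illegal eavesdropping with sniffers. More advanced active attacks are now more common, such as MAC address spoofing, man-in-the-middle attacks and denial-of-service attacks. Because most WLANs extend their connectivity to the wired network, in many cases the WLAN also becomes the starting point for intruding into the wired network.
     To address the security problems currently present in WLANs, a design for a WLAN intrusion prevention and response system is proposed. The whole system consists of a single control center and several agent nodes that form an access network, deployed between the WLAN and the existing network. An agent node not only serves as the entry point through which access points (Access Point, AP) connect to the access network, but can also detect intrusion behavior within the WLAN and promptly notify the control center. The control center is responsible for monitoring the security of the entire wireless network in real time, determining the nature of suspicious behavior detected by agent nodes after further analysis, and directing agent nodes to respond appropriately to intrusions.
     The system judges whether a wireless station's behavior is normal from the relationship between the wireless node's access state and the MAC frames it sends, analyzes captured wireless traffic for intrusion behavior, and can detect whether certain wireless intrusion tools are running in the network based on characteristics of their communication. Test results show that the system can effectively detect intrusion behavior in WLANs and improves WLAN security to a certain extent.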
Wireless LANs (WLANs) using the IEEE 802.11 protocols are widely deployed in the market. However, because of the open nature of WLANs and the deficiencies of the IEEE 802.11 protocols themselves, WLAN security is constantly under threat, which has significantly affected their development.
     Initially, WLAN security was threatened only by basic attacks, including unauthorized access to network resources, network misconfigurations such as the installation of rogue access points, and illegal sniffing or eavesdropping via promiscuous mode. Now active and more advanced attacks, such as MAC spoofing, man-in-the-middle attacks and denial-of-service (DoS) attacks, are more prevalent. Because most WLANs are connected to a LAN, the WLAN in some instances becomes the entry point for intruding into the LAN.
     To address the security problems of WLANs, a WLAN intrusion detection and response system has been designed. The system, which consists of a single control center and several agents, is deployed between the WLAN and the LAN. An agent is not only the entry through which an AP accesses the LAN, but is also able to detect intrusion activity in the WLAN and notify the control center of suspected activity immediately. The control center is responsible for monitoring WLAN security in real time; it identifies the threats detected by the agents and directs the agents to respond properly to them.
     Based on the relationship between a station's state and the MAC frames it sends, the system can discover unauthenticated stations. In addition, the system can detect some WLAN discovery tools by analyzing their communication. Testing shows that the system is capable of detecting WLAN intrusion activity effectively and protects the network from some attacks to some extent.
