Wireless Network Forensics

Wireless events tend to be transient, seemingly happening here and there without rhyme or reason. This can make analyzing security and performance issues difficult, given that interference or a security event might not be visible at the time an RF administrator or monitoring device checks the environment. So for trend analysis, granular historical records of what took place over the airwaves are imperative. How can having the ability to "rewind" and see what happened historically benefit Wi-Fi performance, connectivity and security in an enterprise? That's the question that this Thought Leadership Discussion with Nathan Rowe, senior product manager at Motorola in the company's AirDefense group, will answer.



I’m assuming wireless forensics is a management capability that lets you closely track the behavior of a mobile device. Is this accurate and, if so, why do I need to track my company’s mobile devices?

Forensics capabilities are more of a universal tool for wireless network administrators than limited to management capability. They are needed for two primary reasons. First, the IT staff is stretched very thin, so it may take hours or days to investigate an issue or security incident. If administrators don’t have the right tools to troubleshoot, they are left guessing what the problem was. Second, wireless technologies are fundamentally dynamic and the environment is constantly changing. Being able to rewind time and look back at the state of the environment historically is an important asset to tackle the tricky wireless problems.

Why is forensics important to an enterprise? Is the capability mostly about spotting usage trends and capacity planning? Troubleshooting? Security?

The forensic toolset is equally useful for troubleshooting and security purposes but is used in very different ways depending on the role of the administrator. For troubleshooting, as you mentioned, capacity planning is a very common use. But we also see administrators using it frequently to identify intermittent interference issues. From a security perspective, it is often used to help understand the exposure that results from a security incident.

When I identify intermittent interference issues, do I also identify the cause or do I need a separate tool for that? Also, do I need a separate tool for eliminating the reason for the repeated interference?

Forensics can provide the details on the specific interference sources that were classified. The type of interference will drive next steps; sometimes a simple configuration change will help avoid future occurrences. Other times the interference source may need to be physically removed to eliminate the interference.

How do forensics differ from or enhance wireless intrusion detection and prevention systems, such as your AirDefense system?

Forensics is an integral part of a wireless IPS system such as AirDefense. Without forensics, the IPS system simply tells you that a security incident occurred. The administrator cannot go back and understand the nature of the threat or exposure to the organization. Take, for example, a rogue device on the network. If it was introduced for non-malicious reasons, it will be key to understand who connected to the device while it was in the environment. If no mobile devices connected or only known employees connected, it presents a much different exposure than if an unknown device connected and downloaded gigabits' worth of data.

Can you provide an example of a situation involving an unknown device being able to connect (doesn’t it have to be authenticated?) and using history/forensics to somehow improve upon the situation? If the deed has been done, what’s to be done with the historical info?

Sure. Take a rogue AP plugged into a standard wall jack. Out of the box it advertises its SSID and doesn't run any encryption or authentication, so any user can connect. It's also located very near a window, and on the other side is a parking lot and hotel. Someone at the hotel looking for free Wi-Fi stumbles across the SSID and connects. At this point, it's just like they walked into the office and plugged the laptop in. As the network requires an authenticated proxy to access the Internet, the user quickly finds he is out of luck and disconnects.

Forensics would reveal that this user was connected for a very short time period and didn’t access any significant amount of data; likely less than a few kb of traffic. The administrator that looked at this can clearly tell they have no threat to the enterprise and wouldn’t have to worry about anything but getting the rogue removed from the network.

This forensic record is also used for compliance reasons like PCI. The organization can use this detail to prove that although they had a security violation, no cardholder data was compromised.

Now take a malicious user who found this open AP and connected. It’s likely they would start poking around the network for a few hours to see what they could get access to and perhaps even gain access to a key system. In this case the administrator would see an unknown user connected for hours and much more significant data transfer. This would drive an internal investigation to understand what systems and data were compromised.

To better understand differences between wireless forensics and wireless IDS, it might help to consider how these two differ in the wired world.

In the wired world, network forensics appliances passively capture and index all traffic so that this complete historical record can be easily consulted and searched in the future for many different reasons, including post-incident investigation, deeper situational awareness and compliance reporting. Currently, we're seeing growing integration between wired IDS and SIEM systems and wired network forensics systems, letting operators click on an IDS alert to drill right into relevant forensics data - for example, pivoting through traffic exchanged by affected systems right before/after an event, making it easy to eyeball not just raw packets but reconstructed sessions and documents.

It's easy to see how this extends to the wireless world - Nathan gave some great examples here of rogue post-incident investigation. But wired forensics data, once recorded, can support many different tasks, such as searching for insider acceptable use policy violations, looking back for leakage (extrusion) of sensitive documents and data, re-running old traffic against newly-installed IDS signatures to see if any intrusions slipped through, etc. I'd be interested in hearing whether these kinds of activities are also supported by wireless network forensics and if so, how.

Yes, wireless forensics can serve many of the same purposes. The anomalous threat detection engines implemented in the product use the forensic data to find users and activity which is well outside the standard behavior for the network. For example, on a network which is normally used during regular business hours for basic web and email, [the threat engines] would be able to find a user who was on the network well after hours downloading a significant amount of data. The forensic data provides the information required for the system to determine the baseline of what is normal for the network. The product provides a sophisticated visualization toolset so administrators can view forensic data for a device or a group of devices for manual inspection of usage activity. Although the toolset provides one way to check on acceptable usage and policy violations, the data is also exportable for customers to integrate it into other systems [to perform] automated processing and analysis if required.
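The two triage patterns in this thread, the brief hotel-guest association versus the multi-hour heavy download on a rogue AP described earlier, and the after-hours comparison against a business-hours baseline Nathan describes here, as an added worked example that is not part of the discussion or of the AirDefense product. The association records are constructed, and the thresholds (a 15-minute session, 1 MB of transfer, three standard deviations above the business-hours mean download) are assumptions chosen for illustration, not product defaults.

```python
"""Constructed example: triage of per-client association records.

Each record is one client association to an AP, in the shape a forensic
store might reconstruct from 802.11 traffic: which client, which BSSID,
when, and how much data moved in each direction. All values are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Association:
    client: str       # client MAC address
    bssid: str        # AP MAC address
    start: datetime
    end: datetime
    rx_bytes: int     # bytes downloaded by the client
    tx_bytes: int     # bytes uploaded by the client

    @property
    def duration(self) -> timedelta:
        return self.end - self.start

    @property
    def total_bytes(self) -> int:
        return self.rx_bytes + self.tx_bytes


ROGUE_BSSID = "00:11:22:33:44:55"   # constructed rogue AP address
CORP_BSSID = "aa:bb:cc:00:00:01"    # constructed corporate AP address


def t(hour, minute=0, day=1):
    return datetime(2024, 3, day, hour, minute)


RECORDS = [
    # Known corporate clients during business hours: web/email-sized sessions.
    Association("c0:ff:ee:00:00:01", CORP_BSSID, t(9), t(12), 40_000_000, 5_000_000),
    Association("c0:ff:ee:00:00:02", CORP_BSSID, t(9, 30), t(17), 95_000_000, 12_000_000),
    Association("c0:ff:ee:00:00:03", CORP_BSSID, t(13), t(16), 60_000_000, 8_000_000),
    Association("c0:ff:ee:00:00:01", CORP_BSSID, t(13), t(17, 30), 70_000_000, 9_000_000),
    # Hotel guest: two minutes on the rogue AP, a few kilobytes of traffic.
    Association("de:ad:be:ef:00:01", ROGUE_BSSID, t(19, 2), t(19, 4), 3_000, 1_500),
    # Unknown device: four hours on the rogue AP overnight, gigabytes downloaded.
    Association("de:ad:be:ef:00:02", ROGUE_BSSID, t(22), t(2, 0, day=2), 4_200_000_000, 30_000_000),
]


def sessions_on(bssid, records):
    """Per-client summary for one AP: connected seconds and bytes moved."""
    summary = {}
    for r in records:
        if r.bssid != bssid:
            continue
        s = summary.setdefault(r.client, {"seconds": 0, "bytes": 0})
        s["seconds"] += int(r.duration.total_seconds())
        s["bytes"] += r.total_bytes
    return summary


# Assumed triage thresholds for a rogue AP (illustrative values).
SHORT_SESSION_S = 15 * 60
SMALL_TRANSFER_B = 1_000_000


def exposure(summary):
    """'low' if every client was brief and moved little data, else 'investigate'."""
    for s in summary.values():
        if s["seconds"] > SHORT_SESSION_S or s["bytes"] > SMALL_TRANSFER_B:
            return "investigate"
    return "low"


BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59


def in_business_hours(r):
    same_day = r.start.date() == r.end.date()
    return same_day and r.start.hour in BUSINESS_HOURS and r.end.hour in BUSINESS_HOURS


def after_hours_outliers(records, k=3.0):
    """Baseline download volume from business-hours sessions, then flag
    after-hours sessions whose download exceeds mean + k * stdev."""
    baseline = [r.rx_bytes for r in records if in_business_hours(r)]
    threshold = mean(baseline) + k * pstdev(baseline)
    return [r for r in records if not in_business_hours(r) and r.rx_bytes > threshold]


if __name__ == "__main__":
    print("rogue AP exposure:", exposure(sessions_on(ROGUE_BSSID, RECORDS)))
    for r in after_hours_outliers(RECORDS):
        print("after-hours outlier:", r.client, r.rx_bytes, "bytes downloaded")
```

With the constructed records, the hotel guest alone yields a "low" exposure, the overnight device turns it into "investigate", and the baseline check flags only that overnight download, while the guest's after-hours but tiny session stays below the threshold. The same per-client summary is what an operator would hand to an internal investigation or keep as the compliance record for the incident.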

Could we “talk” through an example of how forensics might allow me to find and resolve a source of attack rather than repeatedly reacting to problems coming over and over from the same source?

This is a great question. Performing trend analysis is a key aspect of how forensics is used. By using forensics to understand the baseline behavior for an environment, it becomes much easier to see what is abnormal. Looking at the traffic patterns for the device over time can help identify if the same attack is being launched repeatedly against the infrastructure. We also see forensics being helpful in understanding the sequence of attack and day zero attack analysis. The building blocks for many of the 802.11 attacks are very similar so it’s always interesting to look at exactly what happened over time and how the attack escalated.

Once I identify a repeated attack, how do I resolve it? Is that part of forensics or do I need another system for that?

The forensic record of events can be used to build the IPS policies that would mitigate the threat the next time it was seen. [At Motorola] the IPS policies are part of the AirDefense Services Platform's WIPS capability.

Your collateral says that your system collects 325 data points per minute about each wireless device.

1) Could you give me a sampling of 5 or 6 of these key data points?

1.  Wireless client association data, including what AP it connected to, roaming history and how much data was uploaded and downloaded from each AP
2.  Client and AP signal strength
3.  Authentication and encryption methods the device has used
4.  Traffic details, including traffic flow information about the transmit and receive volumes of unicast, multicast and broadcast data; 802.11 frame subtype and utilized data rates
5.  Retry and CRC percentage information

2) What can one do with 325 data points per minute? Does the system interpret what those data points collectively mean and automate anything as a result?

With such a wealth of data, the options are endless. We see customers continuing to find new purposes and innovative uses for it. The data is presented to the user in an interactive graphical format. This provides the administrator a simple way to work through the volume of data and get to meaningful, actionable information.

What do wireless infrastructure “polls” bring to the forensics table? How is this different from other wireless data monitoring and collection?

Some details about the wireless infrastructure such as CPU or memory utilization can only be captured via network polls. This information is not available in the airspace as is much of the other data captured. Infrastructure polls bring a very complementary set of data to what is captured from the airspace. By bringing it together, we are able to offer a more comprehensive picture of the network to aid in troubleshooting and management tasks.
