Wi-Fi is a Passion


WIDS and WIPS analysis and monitoring

In the overview WIDS/WIPS blog, I wrote of four analysis methods from the server used to collect data:
- Signature analysis looks for patterns.
- Behaviour analysis looks for anomalies.
- Protocol analysis analyses the MAC layer information or upper layer non-encrypted frames.
- Spectrum analysis analyses the RF spectrum.

The WIPS/WIDS has a database with patterns from different types of threats, like man-in-the middle. Analysing the frame patterns and comparing this with the database filled with layer 1 and layer 2 patterns, it is possible to recognise the attack before it does any damage. When there is a new attack, the database can be updated. The problem is that it is possible that an attack is not in the database.

Behaviour analysis looks into unusual patterns compared to normal WLAN activity. This is based on historical normal behaviour baseline. This method helps the signature analysis method that we described before. When the attack is not in the database, a behaviour analysis can recognize the new, unknown attacks (zero day attack). The behaviours are based on management, control and data frames, and thresholds like fragmentation thresholds.

Protocol analysis is able to analyse frame exchange when the upper-layers are not encrypted. As you can read in other blogs, a data frame is called a MAC Protocol Data Unit (MPDU) and can be divided in three blocks: MAC header, frame body (MSDU), and frame check sequence. There are three types of frames:
- Management
Used to join or leave the BSS. Management MPDU (MMPDU) has no upper-layer information and no MSDU encapsulated. There are informational elements that are needed to join or leave the BSS.
- Control
Control frames assist the delivery of the data frames. They are used for clearing the channel and acknowledging data frames. Control frames only have header information, no MSDU or upper-layer information.
- Data
Carries upper-layer information. The MSDU is encrypted and encapsulated within the MPDU.
WIDS/WIPS is able to do remote packet captures and mirror those packets to a remote IP address for analysing.

Spectrum analysis can analyse Layer 1. Layer 1 DOS attacks like RF jamming can be seen by a spectrum analyser. There are devices, like microwaves, that interfere with the spectrum, but those are known devices. Unintentional devices to interfere with the spectrum are DoS attacks and result into retransmit frames and bad performance issues on your wireless network. The modern WIDS/WIPS spectrum analysis tools focus on DSSS (direct sequencing spread spectrum) and OFDM (orthogonal frequency division multiplexing), but not any more on the FHSS (frequency hopping spread spectrum). An advantage of distributed spectrum analysis systems (DSASs) is that they are operating 24/7. Most of the time when you are on location with a spectrum analysis, the interference is not active. With monitoring the spectrum 24/7 you can find unintentional interferences or devices like microwaves. RF signature analysis can recognize those patterns and identify them.

Forensic analysis allows you to trace actions to a time track. Since all the methods that collect data are 24/7 you can rewind to a specific moment and see what happened and analyse this. This historic data can be used for attacks in the past and compare that with new attacks that will happen in the future.

Performance analysis is not the main focus of a WIDS/WIPS server, but with all the historic data you can analyse this for this purpose as well. Hidden notes, retransmissions, or excessive monitoring are able to be detected with those data by the server. You need to set a baseline to capture for a longer period on both peak and non-peak moments. This gives you a good view of your network. When the baseline is set, you can configure alerts on specific thresholds to alert you when the performance is less than expected.

With policy enforcements, it is possible to define a policy in the areas of security, usages, and vendors. This will help in customizing alarms based on your policies. Misconfigured devices will raise an alarm, and you can fix those devices or find out that there are devices that don’t belong to your network. Based on the alarms it is possible that the WIDS/WIPS already have a suggested mitigation action ready. Alarm levels are the known levels like safe, minor, major, critical, and severe and can be sent by mail, SMS, or to a syslog server. Since RF is pretty unpredictable it is possible that some interferences lead to corrupted data. This can lead into a false positive. This is a false alarm because the situation is a normal behaviour.

802.11w amendment is to protect management frames and prevent Layer 2 DoS attacks. Dissasociation and deauthentication frames are noticeable frames and cannot be denied. With 802.11w support it is possible to refuse those frames with management frame protection (MFP). The frames that are protected are the disassociation frames, deauthentication frames, and action frames like QoS action frames and radio measurement action frames.