Aruba and Darpa build super wireless defence software

Aruba and Darpa build super wireless defence software
Aruba and Darpa build super wireless defence software 

By John Cox
Network World
08 December 2006

Aruba and the US government's Defense Advanced Research Projects Agency 
(Darpa) are working on a new project to protect companies from wireless 
network attacks.

Researchers are developing a battery of algorithms and a software 
architecture running over radio frequency sensors to measure and analyse 
traffic and then react to wireless LAN (WLAN) attacks, especially to the 
spoofing and evasion that are ever more common today.

There are commercial wireless intrusion-detection systems (IDS) today 
from AirDefense, AirTight Networks, Network Chemistry, and Aruba itself. 
But Project MAP - the acronym stands for measure, analyze and protect - 
has two ambitious, distinguishing goals.

First, it is an IDS that's far more intelligent in what and how it 
measures and analyses wireless traffic. Second, it is an IDS that can 
handle not only the traffic from thousands of access points and clients, 
but also the flood of measurement data that its own RF sensors, or 
sniffers, will create.

Smarter software is needed because attacks are becoming smarter and 
sneakier. "The IDS [today] may not see certain frames, or the attacker 
may be doing radio frequency jamming, causing the attack to be 
invisible," says Josh Wright, senior security researcher with Aruba. 
"Attackers are using evasion techniques, and these are not being 
addressed by today's [IDS] products."

Scalability is essential to the project's design because the RF sensors 
will continuously track, collect, and combine a lot of real-time data 
about a site's entire radio environment.

Launched in summer of 2005, Project MAP is funded by the Department of 
Homeland Security through Darpa. The researchers are starting to analyse 
the results of a test MAP deployment. Those results will guide changes, 
tweaks, and refinements to the software through the first half of 2007. 
By the end of 2006, researcher plan to have deployed a full-production 
MAP system.

The pilot consists of off-the-shelf Aruba RF sniffers, which basically 
are 802.11a/b/g access points that listen only for radio signals. The 
MAP software listens to the traffic on all channels, measuring a range 
of statistics, aggregates that information to create an accurate picture 
of what's happening in the air, and then scans for evidence of attacks, 
says David Kotz, a Dartmouth professor of computer science and one of 
the lead MAP researchers.

Instead of trying to minimize the number of sniffers, MAP will do the 
opposite, deploying lots of them to provide effective coverage of all 
the access points, authorized clients, and attacking clients. "All three 
devices are involved in an attack," Kotz says. "An attacker may present 
itself as an access point and tell an authorized client to disassociate 
[from a legitimate access point]. You may need more than one sniffer to 
collect the needed data from all three of these parties, which may be 
separated by some considerable distance."

MAP will also monitor aggressively all 802.11 channels for activity. 
"Most other products configure their sniffers to listen to only one 
channel all the time, or to rotate through all the channels, spending 
the same amount of time listening to each one," Kotz says. MAP adds 
intelligence; it cycles through all the channels, but spends more time 
on the busiest ones. In addition, the MAP sensors can be refocused 
quickly on a channel with suspicious activity. "The software says 'this 
client appears to be under attack' and it tells the MAP measurement 
system to get more information," Kotz says. "The measurement system 
[software] refocuses and spends more time listening to that client."

MAP is intended to be effective against denial-of-service attacks, as 
well as against a new category of attacks called "reduction of quality 
(RoQ)." An RoQ attack doesn't deny service completely. Instead, it 
degrades the quality of the connection or the available bandwidth, 
either to disrupt communications for others or to get better service for 
the attacker. A wireless VoIP call, for example, might stay connected 
but be so plagued with dropped packets or other problems as to be 

"It's hard to detect who's doing it, or even whether it's being done at 
all," Henderson says. "You need much more sophisticated techniques to 
detect these attacks."

If successful, MAP could create the foundation of a dynamic WLAN 
security system that can monitor continuously for, and adapt to, 
constantly changing attacks.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods