User Guide

Intrusion Detection
Chapter 13
• Sequence number analysis: During an impersonation attack, the attacker
will generally spoof the MAC address of a client or AP. If two devices are
active on the network with the same MAC address, their 802.11 sequence
numbers will not match – since the sequence number is usually generated
by the NIC firmware, even a custom driver will not generally be able to
modify these numbers. Sequence number analysis will detect possible
impersonation attacks by looking for anomalies between sequence numbers
seen in frames in the air.
• AP Impersonation: AP impersonation attacks can be done for several
purposes, including as a Man-In-the-Middle attack, as a rogue AP attempting
to bypass detection, and as a possible honeypot attack. In such an attack,
the attacker sets up an AP that assumes the BSSID and ESSID of a valid
AP.
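The following is an added illustration of the sequence number analysis described above, applied to the AP impersonation case; it is example code written for this section, not part of the Alcatel product or this guide. It assumes a capture has already been reduced to (transmitter MAC, 12-bit sequence number) pairs in the order the frames were seen on the air; the MAC addresses and sequence values below are constructed.

```python
from collections import defaultdict

SEQ_MODULO = 4096  # 802.11 sequence numbers are 12 bits wide and wrap to 0


def seq_gap(prev, cur):
    """Forward distance from prev to cur on the 12-bit sequence ring."""
    return (cur - prev) % SEQ_MODULO


def detect_impersonation(frames, max_jump=64, min_hits=2):
    """Flag transmitter addresses whose sequence numbers do not behave like
    a single NIC.

    frames:   iterable of (mac, seq) in capture order (constructed here)
    max_jump: largest forward gap still explained by frames we missed
    min_hits: anomalies required before a MAC is reported (one anomaly
              can be a NIC reset or capture loss, so require repetition)

    Returns {mac: anomaly_count} for every MAC at or above min_hits.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            # gap == 0 is a retransmission (Retry bit) and is legitimate.
            # A small forward gap is just frames the sensor did not hear.
            # Going backwards or leaping far ahead means a second transmitter
            # is using this address with its own counter.
            if gap > max_jump:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= min_hits}


# Constructed sample: the real AP (counter near 10) and an impostor using
# the same BSSID (counter near 2000) transmit alternately; a normal client
# shows one retry and one small gap, which must not be reported.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", 10), ("00:11:22:33:44:55", 2000),
    ("00:11:22:33:44:55", 11), ("00:11:22:33:44:55", 2001),
    ("00:11:22:33:44:55", 12),
    ("aa:bb:cc:dd:ee:ff", 500), ("aa:bb:cc:dd:ee:ff", 501),
    ("aa:bb:cc:dd:ee:ff", 501), ("aa:bb:cc:dd:ee:ff", 505),
]

if __name__ == "__main__":
    for mac, hits in detect_impersonation(SAMPLE_FRAMES).items():
        print(f"possible impersonation of {mac}: {hits} sequence anomalies")
```

The thresholds are the tuning knobs a sensor exposes: a lossy monitoring position needs a larger max_jump, and a higher min_hits trades detection speed for fewer false alarms from NIC resets.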
Signature Detection
Many Wireless LAN intrusion and attack tools generate characteristic
signatures that can be detected by the Alcatel network. The system comes
pre-configured with several known signatures, and also includes the ability for
network managers to create and edit new signatures. For more details on how
to configure and create new signatures, refer to the Configuring Signature
Detection section.
Wireless LAN Policies
• Ad-hoc network detection/containment: As far as network administrators
are concerned, ad-hoc wireless networks are uncontrolled. If they do not
use encryption, they may expose sensitive data to outside eavesdroppers.
If a device is connected to a wired network and has bridging enabled, an
ad-hoc network may also function like a rogue AP. Additionally, ad-hoc
networks can expose client devices to viruses and other security
vulnerabilities. For these reasons, many administrators choose to prohibit
ad-hoc networks. The Alcatel system can perform both ad-hoc network
detection and also disable ad-hoc networks when they are found.
• Wireless bridge detection: Wireless bridges are normally used to connect
multiple buildings together. However, an attacker could place (or have an
authorized person place) a wireless bridge inside the network that would
extend the corporate network somewhere outside the building. Wireless
bridges are somewhat different from rogue APs in that they do not use
beacons and have no concept of association. Most networks do not use
bridges – in these networks, the presence of a bridge is a signal that a
security problem exists.