Advantages in terms of ease of installation and use of wireless connections, low cost of hardware equipment, good performances in terms of maximum bit-rate comparable to that of wired data communications networks have favored, over the last years, a wide spread of Wireless Local Area Networks (WLANs).
Most WLAN deployments comply with the IEEE 802.11 standard, commonly called “Wi-Fi”, a short term for “Wireless Fidelity”. The IEEE 802.11 standard, available on the Internet for download via the URL: http://standards.ieee.org/getieee802/802.11.html (at the filing date of the present patent application), specifies the Medium Access Control (MAC) and physical (PHY) layers for devices capable of operation in the unlicensed Industrial, Scientific, and Medical (ISM) radio bands (2.4 GHz and 5 GHz).
In the present description, the terms Wi-Fi network, WLAN and wireless LAN are used as synonyms.
WLANs are however less secure than conventional wired LANs because they rely on radio as the communication medium. In a wireless network it is therefore hard to control the exact extension range of the network; in the case of a company's WLAN, for example, the radio signal can easily reach beyond the boundary of the company site, and an attacker with a suitable antenna can passively monitor (“sniff”, in jargon) Wi-Fi traffic without needing either physical or logical access to the network.
For this reason, within the IEEE 802.11 standard, the Wired Equivalent Privacy (WEP) protocol has been defined, to implement authentication and confidentiality.
Nevertheless, the WEP protocol suffers from some weaknesses: in particular, it does not provide a mutual authentication mechanism, it relies on static encryption keys shared between the Access Points (APs) and the mobile STAtions (STAs) of the wireless network, and it does not implement any mechanism for key distribution and dynamic key update over time. Moreover, the WEP protocol suffers from a serious flaw, described in S. Fluhrer, I. Mantin and A. Shamir, “Weaknesses in the Key Scheduling Algorithm of RC4”, Lecture Notes in Computer Science, vol. 2259, 2001, which makes it possible for an attacker to recover the WEP key just by sniffing a certain amount of Wi-Fi data traffic (typically, of the order of millions of data packets). More recently, even more effective attacks against the WEP protocol, based on statistical cryptanalysis, have been documented (e.g., as reported at http://weplab.sourceforge.net/ at the filing date of the present patent application), able to recover the WEP key by sniffing hundreds of thousands, rather than millions, of data packets.
These WEP protocol weaknesses, together with the absence of any authentication of the management and control messages and the absence of a cryptographic Message Integrity Check (MIC) on Wi-Fi data packets, contribute to making Wi-Fi networks insecure. Exploiting these vulnerabilities, an attacker can carry out different kinds of attack specific to Wi-Fi networks, such as jamming, war-driving, management and control message forgery, WEP cracking, layer 2 man-in-the-middle, etc.
In addition to such Wi-Fi-specific attacks, Wi-Fi networks are also subject to conventional (wired) LAN attacks that exploit vulnerabilities of layers 3 and above of the OSI (Open Systems Interconnection) seven-layer model: in fact, above those layers wireless LANs operate according to the same protocols used in IEEE 802 wired LANs. Some examples of threats that affect both conventional, wired LANs and wireless LANs are IP spoofing, ARP cache poisoning, SYN flood DoS (Denial of Service) attacks, Teardrop attacks, Trojan horses, application-specific attacks, etc.
To mitigate the above-discussed security threats, the IEEE 802.11 group has defined an amendment to the IEEE 802.11 standard, called IEEE 802.11i and commercially known as Wi-Fi Protected Access (WPA), which constitutes a new security standard for Wi-Fi networks.
Several solutions have been proposed for defining systems adapted to detect intrusions in Wi-Fi networks.
For example, in US 2003/0135762 a system and a method are described for monitoring IEEE 802.11 (a/b/g) wireless networks and detecting, neutralizing and locating unauthorized, eavesdropping or threatening IEEE 802.11 devices. The security system comprises a network appliance subsystem (the WIT server, a wireless intrusion detection system that specifically focuses on the MAC and data-link layer of IEEE 802.11 networks, based on information gathered by sniffing the wireless traffic) and a portable computing subsystem, with data means to interface between the two subsystems. The WIT server comprises an analysis module that looks for IEEE 802.11-specific attack patterns using real-time analysis and contains configurations related to alert levels and security policy. Employing the WIT software in combination with a specially developed antenna system, the physical location of the intruding device can be established. The neutralization capabilities of the system allow for automatic, remote counter-measures against the intruding device.
As another example, WO 03/088547 relates to the monitoring of a WLAN by receiving transmissions exchanged between one or more stations and an AP in the WLAN. A database is compiled based on the sniffed wireless transmissions. The received transmissions are analyzed to determine the state of the stations. The compiled database and the determined state of the stations are used to diagnose connectivity problems of the stations. The database is updated based on the concepts of “node element”, “session element” and “channel element”, and thanks to this information the “detector” (a particular station in the WLAN environment) can detect a list of security events and performance events (referred to the IEEE 802.11 protocol) such as an AP with WEP disabled, an unauthorized AP, a spoofed MAC address, an AP with weak signal strength, and so on.
As a still further example, WO 03/100559 describes a network security system and method for enhancing network security in the IEEE 802.11 variants. The system comprises a System Data Store (SDS) capable of storing different kinds of information; a first Communication Interface (CI) comprising a wireless receiver that receives inbound communications and a wireless transmitter that transmits outbound communications over a communication channel associated with the CI; and a System Processor (SP) comprising one or more processing elements, wherein the SP is in communication with the SDS and is programmed or adapted to perform different steps. The Intrusion Detection System (IDS) step listens to wireless network traffic and analyses all packets passing through four detection subsystems, performing different tests, serially or in parallel: signature-based testing, protocol-based testing, anomaly-based testing and policy-deviation-based testing. The system can react to intercepted attacks passively (alert generation and notification) and actively (AP configuration changes, use of honeypots). The system also supports localization of the attack source based on triangulation.
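As an added illustration of the detector logic that the two prior-art systems above (WO 03/088547 and WO 03/100559) describe in prose, the following is example code written for this page, not code from either patent: it compiles a per-BSSID "node element" database from constructed beacon summaries and flags the events the text lists (unauthorized AP, AP with WEP disabled, spoofed MAC address, AP with weak signal strength). The beacon records, the authorized-AP allowlist and the -75 dBm weak-signal threshold are all assumed sample values.

```python
from collections import defaultdict

# Constructed sample of sniffed beacon/probe-response summaries (not real
# captures): one record per frame seen by the detector station. "privacy" is
# the capability bit that advertises WEP/encryption being enabled.
SNIFFED_BEACONS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wlan", "privacy": True, "channel": 6, "rssi": -48},
    {"bssid": "00:11:22:33:44:02", "ssid": "corp-wlan", "privacy": True, "channel": 11, "rssi": -55},
    {"bssid": "00:11:22:33:44:03", "ssid": "guest", "privacy": False, "channel": 1, "rssi": -60},
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "corp-wlan", "privacy": True, "channel": 6, "rssi": -70},
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wlan", "privacy": True, "channel": 11, "rssi": -82},
]

# Authorized APs as an operator would provision them (constructed values).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "channel": 6},
    "00:11:22:33:44:02": {"ssid": "corp-wlan", "channel": 11},
    "00:11:22:33:44:03": {"ssid": "guest", "channel": 1},
}


def build_node_elements(beacons):
    """Compile the per-BSSID 'node element' database from sniffed beacons."""
    nodes = defaultdict(lambda: {"ssids": set(), "channels": set(), "privacy": set(), "rssi": []})
    for b in beacons:
        node = nodes[b["bssid"]]
        node["ssids"].add(b["ssid"])
        node["channels"].add(b["channel"])
        node["privacy"].add(b["privacy"])
        node["rssi"].append(b["rssi"])
    return nodes


def detect_events(beacons, authorized, weak_rssi=-75):
    """Return sorted (event, bssid) pairs for the security/performance events."""
    events = []
    for bssid, node in build_node_elements(beacons).items():
        if bssid not in authorized:
            events.append(("unauthorized AP", bssid))
        elif node["channels"] != {authorized[bssid]["channel"]}:
            # An authorized BSSID also beaconing on a channel it was never
            # provisioned on suggests a second radio spoofing its MAC address.
            events.append(("spoofed MAC address", bssid))
        if False in node["privacy"]:
            events.append(("AP with WEP disabled", bssid))
        if min(node["rssi"]) < weak_rssi:
            events.append(("AP with weak signal strength", bssid))
    return sorted(events)


if __name__ == "__main__":
    for event, bssid in detect_events(SNIFFED_BEACONS, AUTHORIZED_APS):
        print(f"{event}: {bssid}")
```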