Wireless Security Auditor (WSA)
What is it?
WSA is an IBM research prototype of an 802.11 wireless LAN security auditor,
running on Linux on an iPAQ PDA. WSA automatically audits a wireless
network for proper security configuration, to help network administrators
close any vulnerabilities before the hackers try to break in. While
there are other 802.11 network analyzers out there,
these tools are aimed at protocol experts who want to capture wireless
packets for detailed analysis. WSA is intended for the more general
audience of network installers and administrators, who want a way to easily
and quickly verify the security configuration of their networks, without
having to understand any of the details of the 802.11 protocols.
802.11 Security Issues
The current 802.11 standard defines two security protocols: Shared Key
authentication was designed to provide secure access control, and WEP encryption
was designed to provide confidentiality. (Some vendors also try to claim
that the SSID and station MAC addresses provide secure access control.
As the SSID and MAC addresses are transmitted in the clear, they really
don't provide any meaningful security, and are trivially bypassed.)
There are several security issues with these protocols. Most importantly,
WEP and Shared Key are optional, and turned off by default in access points.
If these protocols are not turned on in even one access point, it is trivial
for hackers to connect to the network, using standard wireless cards and
drivers. The 802.11 signal can travel surprisingly large distances
from the access point, often a thousand feet or more, allowing the hackers
to connect from outside the building, such as from a parking lot, or from
the street (leading to the term "drive-by hacking"). If, as is often
the case, the wireless network is connected directly to a corporate intranet,
this gives the hackers direct access to the intranet, bypassing any internet
boundary firewalls.
The problem of "open" access points is made more difficult due to the
low cost and easy availability of access points, and the difficulty of
detecting them. It is not uncommon to find individuals or groups
within a company who have installed "rogue" access points without the knowledge
of the normal networking group, and without properly configuring the access
point. These rogue access points are often difficult to detect with
normal network monitoring tools, as access points are normally configured
as invisible bridges.
In addition, the WEP and Shared Key protocols have been shown to have
significant cryptographic errors that
allow cryptographic attacks on both the confidentiality and access control
functions. (For details, see the Wagner/Goldberg paper
and the Arbaugh paper.)
Note that while WEP and Shared Key are flawed, they should still be turned
on, as attacks are much easier with them off.
Vendors are responding to the flawed protocols with fixes in several
stages. In the short term, vendors are adding new authentication/key management
protocols that provide secure authentication, and that provide new WEP
keys for each card, for each session. In addition, in the near term, vendors
are working on a tweak to WEP to make attacks more difficult, and they
are also working on a long term complete fix.
From a management perspective, network administrators need a tool to
verify that all access points are at the desired firmware revision, so
that they have the most current version of these 802.11 fixes.
802.11 Management Issues
A network administrator needs a convenient way to answer these questions:
   What access points are actually installed?
   Where are they?
   Are they properly configured?
   Do they have the latest firmware?
The wireless network needs to be checked periodically, as access points
are easily added and modified, and
as updates are going to be rolled out frequently. The wireless auditing
tool needs to look at the actual wireless signals, as the needed information
may not be available from the wired side. To monitor the wireless data,
the auditor needs to be small and lightweight, so that it can be easily
carried around a site to ensure thorough checking.
What does WSA Do?:
Most importantly, we wanted WSA to be easy to use, and to require absolutely
no knowledge of the 802.11 protocols. WSA is not a packet dump/
it does all the necessary packet monitoring and analysis, and provides
the user with just the answers to the important management questions.
The results are color coded (green is good, red is bad) for rapid and easy
understanding.
   Tracks beacon packets to find all access points.
   Determines SSID and AP name.
   Tracks probe packets, and the probe responses.
   Tracks data packets.
   Determines link encryption method.
   Tracks authentication packets.
   Determines authentication method.
   Tracks clients.
   Determines firmware versions by fingerprinting the access point's detailed behavior.
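The passive beacon and data-packet checks in the list above, as an added Python example (not WSA's own code, which the page does not show): it reads raw 802.11 frames without a radiotap header, takes the SSID and Privacy capability bit from beacons, and colors each access point by whether its data frames carry the Protected Frame (WEP) bit. The frame builders, MAC addresses and the "lab" and "guest" SSIDs are constructed for the example.

```python
import struct

GREEN, YELLOW, RED = "green", "yellow", "red"   # colors as in the screenshots

def ssid_of(tags):
    """Walk tagged parameters (id, len, value); element id 0 is the SSID."""
    i = 0
    while i + 2 <= len(tags) and i + 2 + tags[i + 1] <= len(tags):
        if tags[i] == 0:
            return tags[i + 2:i + 2 + tags[i + 1]].decode("utf-8", "replace")
        i += 2 + tags[i + 1]
    return None

def audit(frames):
    """Map BSSID -> {ssid, privacy, color} from raw 802.11 frames (no radiotap)."""
    aps = {}
    def entry(mac):
        return aps.setdefault(mac.hex(":"), {"ssid": None, "privacy": None, "color": YELLOW})
    for f in frames:
        if len(f) < 24:                        # shorter than a 3-address header
            continue
        ftype, subtype, flags = (f[0] >> 2) & 3, f[0] >> 4, f[1]
        if ftype == 0 and subtype == 8 and len(f) >= 36:        # beacon
            ap = entry(f[16:22])               # address 3 is the BSSID
            cap = struct.unpack_from("<H", f, 34)[0]   # after timestamp + interval
            ap["privacy"], ap["ssid"] = bool(cap & 0x0010), ssid_of(f[36:])
        elif ftype == 2 and not (subtype & 4) and (flags & 3) != 3:
            # Data frame with a payload; ToDS/FromDS say which address is the BSSID.
            ap = entry((f[16:22], f[4:10], f[10:16])[flags & 3])
            if not (flags & 0x40):             # Protected Frame (WEP) bit clear
                ap["color"] = RED              # AP carried cleartext data
            elif ap["color"] == YELLOW:
                ap["color"] = GREEN
    return aps

def frame(fc0, flags, a1, a2, a3, body=b""):
    return bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body
def beacon(ap, ssid, cap):
    fixed = bytes(10) + struct.pack("<H", cap)  # timestamp, interval, capability
    return frame(0x80, 0, b"\xff" * 6, ap, ap, fixed + bytes([0, len(ssid)]) + ssid)

# Constructed sample capture; MAC addresses and the first two SSIDs are made up.
STA, AP1, AP2, AP3 = (bytes.fromhex("0200000000%02d" % n) for n in (99, 1, 2, 3))
SAMPLE = [
    beacon(AP1, b"lab", 0x0011), beacon(AP2, b"guest", 0x0011),
    beacon(AP3, b"tsunami", 0x0001),
    frame(0x08, 0x41, AP1, STA, b"\xff" * 6, bytes(8)),  # ToDS, protected
    frame(0x08, 0x01, AP3, STA, b"\xff" * 6, bytes(8)),  # ToDS, cleartext
]
```

Null-function data frames carry no payload and are never encrypted, so the example skips them rather than marking the access point red.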
Components:
WSA currently runs on Linux, on either a notebook, or iPAQ PDA. We
currently support the Cisco/Aironet PCMCIA 802.11 cards, either the old
Prism I based cards, or the current Prism II based cards. On the iPAQ,
we are using the Familiar Linux distribution, with the fltk library, and
on ThinkPads, we are using RedHat 7.1.
research prototype, and no definite decision has been made whether or not
to make it into a full product, or to release it as open source.
(The necessary "airo" driver module modifications have already been open
WSA screenshots:
Here's the root window background:
Here's the main application window, showing basic information on two
visible access points. The green color indicates that the first access
point is configured to use WEP. The yellow color indicates that the second
access point has been seen, but that we have not yet seen data to tell
whether or not the access point is correctly configured.
In this screenshot, another access point has been seen, and the "tsunami"
access point has been determined to be misconfigured (allowing unauthenticated,
unencrypted connections).
Clicking on any Access Point line gives a more detailed screen. This
access point has been correctly configured for WEP data.
WSA has seen this access point accept unencrypted data:
Options include attempting an active association to a given access point,
and the recording of GPS location information, which is useful in tracking
signal propagation and in locating access points.
This screen shows some configuration items, including packet source
(specified file, or specified interface), and an optional GPS device
specification.
This screen shows options for saving the current data to a file, setting
an audit policy, resetting the current data, or quitting.
The help menu can call up a statistics screen for the current run, and
a program information screen.
Here's a statistics screen: