
Can Tho University Journal of Science, Part A: Natural Sciences, Technology and Environment: 33 (2014): 58-68

Can Tho University Journal of Science website: sj.ctu.edu.vn

INTRUSION DETECTION SYSTEM FOR WIRELESS NETWORKS BASED ON OPEN SOURCE SOFTWARE

Ngô Bá Hùng and Ngô Trung Hiếu

College of Information and Communication Technology, Can Tho University

General information:

Received: 23/04/2014; Accepted: 28/08/2014

Title:

Using open source software to build an Intrusion Detection System for wireless networks

Keywords (Vietnamese):

Intrusion, IDS, wireless network, intrusion detection, wireless network attack

Keywords:

Intrusion, IDS, wireless network, intrusion detection system, wireless attack

ABSTRACT

WLANs (Wireless Local Area Networks) have become ubiquitous in today's world. With the capability of providing "over-the-air" connections, a WLAN may be the best choice for accessing the Internet anytime and anywhere without heavy investment in infrastructure. In recent times, insecure wireless networks have been exploited to break into companies, banks, and government organizations, and the frequency of these attacks has intensified.

Therefore, it is very necessary and important to deploy a Wireless Intrusion Detection System (WIDS). Unfortunately, a WIDS is usually very expensive and hard to customize and extend. This paper proposes an effective alternative solution for deploying a WIDS, based entirely on open source software and low-cost consumer-level network devices. This WIDS solution offers many advanced features that are otherwise found only in expensive devices, including detection of inside and outside wireless attacks, SMS alerting, and database support.

SUMMARY (translated from the Vietnamese abstract)

Today, wireless local area networks (WLAN - Wireless Local Area Network) have become extremely widespread all over the world. With their characteristic of providing "over-the-air" connectivity, WLANs can be regarded as the best choice for bringing the Internet to everyone, anytime and anywhere, without much investment in infrastructure in developing countries. Recently, security weaknesses in WLANs have been exploited repeatedly to break into banks, companies and other organizations, and the frequency of such attacks is rising. Therefore, alongside deploying a WLAN, deploying a wireless intrusion detection system (WIDS) is also extremely necessary. However, such WIDS systems are usually expensive and hard to customize and extend for the deployer's own purposes. This paper proposes an effective solution for deploying a low-cost WIDS, based on open source software products and ordinary wireless access point devices, capable of detecting and giving early warning of wireless attacks from both outside and inside the WLAN.


1 INTRODUCTION

Demand for Internet access over wireless networks keeps growing, especially in developing countries; for example, Viet Nam currently has a programme to provide wireless coverage for centrally governed cities and tourist cities such as Hoi An, Da Nang and Quang Ninh. Wireless networks bring great benefits to users by offering easy connectivity anywhere, any time. Alongside these advantages, wireless networks also carry many latent security risks for users: for instance, an attacker can sniff users' sensitive information if the wireless network does not use encryption, and users are easily lured into connecting to rogue access points that steal their information. At the same time, wireless service providers and businesses may suffer risks such as denial-of-service (de-authentication) attacks that completely disable an access point's ability to provide connectivity, or radio jamming attacks [10].

Today, well-known network equipment vendors such as Cisco, AirDefense and AirTight all offer their own wireless intrusion detection solutions (WIDS - Wireless Intrusion Detection System). For example, Cisco's Cisco Unified Wireless Network (CUWN) architecture supports an IDS feature that detects attacks from outside the WLAN at layers 1 and 2, as well as attacks from inside the WLAN (inside attacks, i.e. those originating from clients of the WLAN). However, these solutions are all hard to deploy in developing countries or in small and medium-sized businesses for many reasons, the foremost being their high deployment cost. For example, deploying a basic Cisco CUWN system costs over 8,000 USD, including one Cisco Wireless Controller supporting 12 Access Points at 4,000 USD [14][18] and 2 Access Points at 1,000 USD [6] for a system supporting only 5 Access Points; all equipment must be ordered and imported from developed countries, and trained administrators are also needed to install, configure and manage it [4].

For these reasons, this paper proposes an alternative solution that is economical yet still highly effective: an IDS for wireless networks built on a distributed architecture, using open source software products and ordinary, widely available, inexpensive wireless access point devices.

The IDS in this paper can monitor and detect attacks from both inside and outside the WLAN, alert the administrator immediately by SMS message (SNMP, SMTP and other channels can be added), store the information related to an attack in a centralized database, act as a central logging system for the wireless local area network (WLAN), and provide system administration through a Web application.

This paper has six sections. Following this introduction, the second section presents related work on the proposed IDS. The third section introduces the system's new approach. Details of the system are presented in the fourth section.

The fifth section presents and discusses the implementation, the test cases and the results. Finally, the conclusion and directions for further development of the proposed system are given.

2 RELATED WORK

Attacks on a wireless local area network (WLAN) can be divided into two categories: attacks from outside the wireless network and attacks from inside it. Attacks from outside the wireless network are attacks at layers 1 and 2 of the OSI model [7]. The two most common are the denial-of-service attack (De-authentication Attack) and the attack that anonymously impersonates an Access Point (Rogue Access Point Attack) [16]. The main idea of the De-authentication Attack is that the attacker sends De-authentication frames (a kind of Management frame in wireless networks) to force the client and the Access Point to repeat the authentication process; as a result the attacker can eavesdrop on the parameters of the authentication exchange between client and Access Point in order to crack and recover WEP or WPA keys, or can completely paralyse connectivity between clients and the Access Point by continuously broadcasting De-authentication frames.

The main idea of the Rogue Access Point Attack is that the attacker sets up a fake Access Point with the same SSID as the real one, lures users into connecting to it, and from there launches further advanced attacks such as Man-In-The-Middle or SSL Stripping [8].

Attacks from inside the WLAN are attacks at layer 3 of the OSI model and above. They originate from clients that have already joined the WLAN and are similar to ordinary attacks in a wired network.


The WIDS solutions of well-known security vendors such as Cisco, AirDefense and AirTight can generally monitor and detect the outside and inside attacks described above, store attack-related information in a database, and send alerts via SNMP, SMTP and similar channels. However, these solutions are hard to deploy in developing countries for the reasons given in the introduction, and most of them also lack the ability to alert the administrator immediately by SMS message when a bad event occurs.

Free IDS projects for wireless networks such as widz and Snort Wireless were started and developed in the past, but have all become "dead" projects or stopped being updated many years ago. Today the only free wireless IDS solution still maintained and developed is Kismet [12]. Kismet is developed by Mike Kershaw under the GPL and can operate as a WIDS; however, Kismet can only detect attacks from outside the WLAN, based on analysing unencrypted data at the MAC layer (a sublayer of the Data-Link layer). To do this, Kismet creates a virtual network interface operating in monitor mode on top of the Access Point's wireless interface and captures packets on that virtual interface for analysis. Encrypted data frames cannot be analysed by Kismet to detect attack signatures. In addition, Snort [11] is known as a powerful open source intrusion detection and prevention solution (IDS/IPS - Intrusion Detection and Prevention System) used widely around the world to detect attacks at layer 3 and above. However, because data transmitted in a wireless network is protected by the session key, Snort cannot "read and understand" the data and therefore cannot detect attacks taking place inside a wireless network.

Quadrant Information Security also offers a free IDS solution for wireless networks whose main idea is to configure a computer to act as an Access Point and then deploy Snort and Kismet on that computer, so that both outside and inside attacks can be detected [2]. However, this solution is only "experimental" and cannot be deployed in practice for many reasons: a computer is much larger than an Access Point, it cannot be placed in locations such as on a wall or outdoors, its power consumption is much higher than an Access Point's, and the computer hardware is costly.

Jason Murray has written about a wireless IDS solution whose main idea is to install Kismet on top of OpenWRT on the Access Point, so that the Access Point can detect attacks from outside the WLAN [9]. However, this solution cannot detect attacks from inside the WLAN, does not support storing attack information in a database, is prone to overload because packet processing is done on the Access Point, and does not send alerts automatically.

3 A NEW APPROACH

Figure 1 shows how a traditional IDS is deployed for a wireless network.

The switch is configured with port mirroring so that a copy of every packet entering or leaving Access Point A or B is forwarded to the IDS Server, which analyses the packet contents to detect intrusions and network attacks. In this kind of deployment the IDS can effectively control all traffic entering and leaving the wireless network and identify latent threats such as intrusion activity, viruses, worms and other dangerous actions. However, the IDS has no control whatsoever over activity within an individual WLAN, i.e. the internal traffic within the WLAN of Access Point A or B.

As a result, once an attacker has penetrated the WLAN, the attacker can attack any client in the WLAN (inside attack) without being detected by the traditional IDS [1].

Figure 1: Traditional IDS solution for a wireless network


To monitor and detect attacks from outside the wireless network, one or more wireless sensors are usually used; these devices capture all data frames within their radio range and forward all of them to the IDS Server for analysis and processing.

To overcome these obstacles, the approach proposed here is to use the Access Points themselves as wireless sensors that can receive and decrypt the packets exchanged between the devices connected to the WLAN that the Access Point manages, and send them to the IDS server, which analyses them to detect attacks occurring inside the WLAN. At the same time, the Access Point is also configured to collect all data frames from outside, in order to detect outside attacks of the De-authentication Attack or Rogue Access Point Attack kind as well.

Figure 2 shows the architecture of the proposed IDS. In this solution, each Access Point is configured to collect two kinds of data through two virtual sensors:

The Outside Attack sensor collects unencrypted frames for detecting outside attacks, and the Inside Attack sensor collects the data frames within the WLAN and decrypts them before sending them to the IDS Server. The IDS Server is where the frames received from both kinds of sensor are analysed; if an inside or outside attack is detected, the WIDS server sends this information to the Alert system. The Alert system then responds to the event, for example by sending an SMS message to a pre-configured phone number.

[Figure 2 (diagram): Access Point with Outside Attack sensor and Inside Attack sensor, data sent to the IDS Server]

Figure 2: New architecture of the IDS

Given the goal of providing an effective, low-cost WIDS solution, we chose open source software and inexpensive access points to implement our design. The design and implementation of the proposed IDS are detailed in the next section.

4 OVERVIEW OF THE PROPOSED IDS

This section gives an overview of the components of the IDS proposed in this paper, how they operate, and how they interact with one another.

4.1 Overview of the main components

Based on evaluations from open source communities, we chose the following open source software to implement our solution:

- OpenWRT [15] is a GNU/Linux distribution for embedded devices. Instead of producing a single, static, unchangeable firmware image, OpenWRT provides a fully writable filesystem together with a package management system.


By deploying OpenWRT on the Access Point, the Access Point becomes a device running on a Linux platform, which makes it easy to install the other software that performs the roles of the Outside Attack Sensor and the Inside Attack Sensor.

- Kismet Drone [12] is the software package installed on OpenWRT to act as the Outside Attack sensor, collecting the frames used to detect attacks from outside.

- Kismet Server [12]: the software package installed on the IDS server that receives and analyses the frames sent by the Kismet Drone in order to detect attacks from outside the WLAN.

- Daemonlogger [5] is the software package installed on OpenWRT to act as the Inside Attack sensor, collecting the frames exchanged between the devices connected to the Access Point's WLAN and forwarding these (already decrypted) frames to the IDS Server for detecting attacks inside the WLAN.

- Snort [11]: the software package installed on the IDS server that receives and analyses the frames sent by Daemonlogger in order to detect attacks inside the WLAN.

- Script Component: a set of scripts that receive the events output by Kismet Server and Snort, raise alerts, and store the related information in the database.

- ADB (Android Debug Bridge): the communication bridge between Linux and the Android phone. The Alert System uses this bridge to interact with the Android phone.

A number of other software tools are also used to speed up data processing and conversion and improve the efficiency of the whole solution.

Figure 3 shows where these software packages sit in the proposed IDS. The following subsections present the role and operating principle of each component of the system.

[Figure 3 (diagram): software packages on the Access Point with OpenWRT and on the IDS Server]

Figure 3: Location of the software packages in the IDS

4.2 OpenWRT on the Access Point

OpenWRT is a GNU/Linux distribution for embedded devices, customised to be flashed onto and run as the operating system of wireless Access Points, which provide simultaneous connectivity to wireless devices such as laptops, mobile phones and tablets. Physically, an Access Point is designed like a computer with a modest configuration, for example 32 MB of RAM, 4 MB of flash, a 400 MHz processor and network interface cards. An Access Point usually has two kinds of network interface card: one or more NICs for the wired network and one WNIC for the wireless network. OpenWRT treats these as network interfaces just like an ordinary Linux system does. For example, on the TP-Link TL-WR941ND, the wireless WNIC corresponds to the interface wlan0, and the wired NIC is connected to a switch that exposes four interfaces, lan1, lan2, lan3 and lan4, corresponding to the four ports on the back of the device (see Figure 4).


[Figure 4 (diagram): LAN1, LAN2, LAN3, LAN4 ports, switch, OpenWRT]

Figure 4: Architecture of the TP-Link TL-WR941ND used in the real system

The Access Point is the aggregation point of all WLAN traffic, so every packet flowing in the WLAN appears on the wlan interface. The task of daemonlogger (acting as the Inside Attack sensor) is therefore to listen on this wlan interface and send a copy of every packet on it to a lan interface from which the IDS Server can receive it. Because daemonlogger operates at the Application layer of the OSI model, its input (the data it receives from the wlan interface) has already been decrypted into plain text by the Access Point itself. The wlan interface could also collect data frames from outside the wireless network, but since it operates in master mode it cannot do so; the solution is for Kismet Drone to create a virtual interface in monitor mode on top of the wlan interface, collect the data frames from outside the wireless network, and forward them to the Kismet Server installed on the IDS Server for detecting attacks on the WLAN from outside.

4.3 IDS Server

The IDS server is in fact a computer running on a Linux platform, on which Kismet Server and Snort are installed to analyse the frames and packets sent by the Access Point's Kismet Drone and Daemonlogger.

If a frame or packet contains signatures matching the rules set in Kismet Server or Snort, the IDS Server raises an alert (prints the alert on screen and sends a request to the Android phone) and records the packet contents together with the related information in a log database.

4.3.1 Kismet data-processing flow

The Kismet data-processing flow is shown in Figure 5.

[Figure 5 (diagram): Kismet Server, Kismet Log, ADB, Android Phone, Database Server]

Figure 5: Kismet data-processing flow

First, Kismet Server receives the data sent by Kismet Drone (running on the Access Point), processes it, and writes an alert (if any) to the Kismet Log file. The Swatch utility monitors the Kismet Log file. When it detects a change, Swatch invokes a dedicated script, passing it parameters through a pipe. The script receives the parameter from Swatch (here, the alert string that Kismet produced and saved to the Kismet Log), parses the string, extracts the necessary information, creates a query to store it in the database, and at the same time, through the ADB (Android Debug Bridge) bridge, requests the Android phone to send a text message to the pre-configured phone number of the administrator.

4.3.2 Snort data-processing flow

The Snort data-processing flow is shown in Figure 6.


[Figure 6 (diagram): Unified2, Barnyard2, AlertFast, Swatch, Script, ADB]

First, Snort receives the data sent by the Access Point, processes it, and writes alerts (if any) to files in two different formats: Unified2 and AlertFast Log. A separate process called Barnyard2 reads the Unified2 file, parses it, extracts the information, and creates queries to insert the necessary information into the database. The rest is similar to the Kismet data-processing flow: Swatch monitors the AlertFast file and, when it changes, invokes a script, passing the parameter through a pipe.

This script parses the string passed in and, through the ADB bridge, requests the Android phone to send a text message to the pre-configured phone number of the administrator.
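As an added illustration of the Script Component in the Kismet flow (4.3.1) and the Snort flow (4.3.2), not the authors' own script, the following Python reads the alert line that Swatch pipes in, parses it, stores the event with a parameterised query, and builds the adb request that makes the phone send the SMS. Assumptions: the Kismet alert-line layout and both sample lines are constructed, sqlite3 stands in for the paper's MySQL database, the SENDTO intent is one way of sending the SMS through adb, and the phone number is a placeholder.

```python
"""Script Component for the Swatch-triggered alert path (Sections 4.3.1 / 4.3.2).

Swatch tails the Kismet alert log and Snort's alert_fast log and pipes each new
line to this script, which parses it, stores the event in the database and asks
the Android phone, via adb, to send an SMS to the administrator. Added
illustration, not the paper's script: the Kismet line layout is an assumption,
the Snort alert_fast layout is Snort's real one, sqlite3 stands in for MySQL, and
the SENDTO intent is one (assumed) way of having the phone send the SMS.
"""
import re
import shlex
import sqlite3
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

ADMIN_PHONE = "+84900000000"  # placeholder, replace with the administrator's number

# Constructed sample lines (not captured from the paper's system).
SAMPLE_SNORT_LINE = (
    "03/10-14:02:11.123456  [**] [1:1000001:1] CONSTRUCTED Samba exploit attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 192.168.1.50:40112 -> 192.168.1.10:445"
)
SAMPLE_KISMET_LINE = (
    "Sun Mar 10 14:02:05 2013 DEAUTHFLOOD 00:1A:2B:3C:4D:5E 00:1A:2B:3C:4D:5E "
    "FF:FF:FF:FF:FF:FF 6 Deauthenticate/Disassociate flood on 00:1A:2B:3C:4D:5E"
)

# Snort alert_fast line: "<ts>  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port"
SNORT_FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Assumed Kismet alert-log line: "<ctime stamp> <ALERT> <bssid> <source> <dest> <channel> <text>"
KISMET_ALERT = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<alert>[A-Z0-9]+)\s+"
    r"(?P<bssid>[0-9A-Fa-f:]{17})\s+(?P<src>[0-9A-Fa-f:]{17})\s+(?P<dst>[0-9A-Fa-f:]{17})\s+"
    r"(?P<chan>\d+)\s+(?P<text>.*)$"
)


@dataclass
class Event:
    sensor: str      # "kismet" = outside attack, "snort" = inside attack
    timestamp: str
    name: str        # Kismet alert type or Snort rule message
    source: str      # attacker MAC (Kismet) or IP (Snort)
    target: str
    detail: str


def parse_alert(line: str) -> Optional[Event]:
    """Turn one log line from either sensor into an Event; None if it is not an alert."""
    m = SNORT_FAST.match(line)
    if m:
        return Event("snort", m["ts"], m["msg"], m["src"], m["dst"],
                     f"{m['proto']} sid={m['sid']} prio={m['prio']} cls={m['cls'] or '-'}")
    m = KISMET_ALERT.match(line)
    if m:
        return Event("kismet", m["ts"], m["alert"], m["src"], m["dst"],
                     f"bssid={m['bssid']} chan={m['chan']} {m['text']}")
    return None


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS wids_event (id INTEGER PRIMARY KEY, sensor TEXT, "
                 "ts TEXT, name TEXT, source TEXT, target TEXT, detail TEXT)")
    return conn


def store_event(conn: sqlite3.Connection, ev: Event) -> int:
    """Insert with a parameterised query: alert text is attacker-influenced, never format it into SQL."""
    cur = conn.execute(
        "INSERT INTO wids_event (sensor, ts, name, source, target, detail) VALUES (?, ?, ?, ?, ?, ?)",
        (ev.sensor, ev.timestamp, ev.name, ev.source, ev.target, ev.detail))
    conn.commit()
    return cur.lastrowid


def count_events(conn: sqlite3.Connection, sensor: Optional[str] = None) -> int:
    if sensor is None:
        return conn.execute("SELECT COUNT(*) FROM wids_event").fetchone()[0]
    return conn.execute("SELECT COUNT(*) FROM wids_event WHERE sensor = ?", (sensor,)).fetchone()[0]


def sms_command(ev: Event, phone: str = ADMIN_PHONE) -> List[str]:
    """adb argv asking the phone to send the SMS; the body is quoted because it crosses the phone's shell."""
    body = f"WIDS {ev.sensor.upper()} alert: {ev.name} from {ev.source} to {ev.target} at {ev.timestamp}"
    return ["adb", "shell", "am", "start", "-a", "android.intent.action.SENDTO", "-d", f"sms:{phone}",
            "--es", "sms_body", shlex.quote(body), "--ez", "exit_on_sent", "true"]


def handle_line(conn: sqlite3.Connection, line: str, phone: str = ADMIN_PHONE) -> Optional[List[str]]:
    """One Swatch-delivered line: parse, store, return the adb command to run (None if not an alert)."""
    ev = parse_alert(line.rstrip("\n"))
    if ev is None:
        return None
    store_event(conn, ev)
    return sms_command(ev, phone)


if __name__ == "__main__":
    # Swatch pipes the new log line(s) on stdin; argv[1] is the database path.
    db = open_db(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
    for raw in sys.stdin:
        cmd = handle_line(db, raw)
        if cmd:
            subprocess.run(cmd, check=False)  # hand the SMS request to the phone through adb
```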

Figure 6: Snort data-processing flow

4.4 Intrusion event management system

Besides alerting by sending SMS to the system administrator's pre-configured phone number, a web application is also installed so that the administrator can view, in overview or in detail, the bad events that occurred in their wireless network and were stored in the database by Kismet Server and Snort.

5 IMPLEMENTATION, TESTING, RESULTS AND COMPARISON

5.1 Implementation, testing and results

To test the operation and responsiveness of the proposed IDS, the authors deployed it experimentally on real devices. The firmware of a TP-Link TL-WR941ND Access Point was replaced with OpenWRT version Attitude Adjustment 12.09.

Then the Kismet Drone package from the Kismet-2013-03-R1b release and daemonlogger from the OpenWRT repository were added to OpenWRT, turning the TP-Link TL-WR941ND Access Point into a WIDS Access Point of the proposed solution. The IDS Server runs on Ubuntu 13.04, with Kismet Server from the Kismet-2013-03-R1b release, Snort 2.9.4.5 and other packages such as Apache2, PHP5, MySQL and android-tools-adb installed from the Ubuntu repository. The Android phone is an ordinary Android phone; whether it runs as root or as a normal user, it works well with the system.

Figure 7: Test setup for attacks from outside the wireless network

The test setup for outside attacks is shown in Figure 7. The results of running the outside-attack tests are presented in Table 1, together with a comparison against Cisco's commercial CUWN solution.


Table 1: Testing of outside attacks and comparison

No.  Attack name          IDS of this paper   CUWN
1    AIRJACKSSID          Detected            Detected
2    APSPOOF              Detected            Detected
3    BSSTIMESTAMP         Detected            Detected
4    CRYPTODROP           Detected            Detected
5    DEAUTHFLOOD          Detected            Detected
6    BCASTDISCON          Detected            Detected
7    DHCPCLIENTID         Detected            Detected
8    DHCPCONFLICT         Detected            Detected
9    DISASSOCTRAFFIC      Detected            Detected
10   DISCONCODEINVALID    Detected            Detected
11   DEAUTHCODEINVALID    Detected            Detected
12   DHCPNAMECHANGE       Detected            Detected
13   DHCPOSCHANGE         Detected            Detected
14   LONGSSID             Detected            Detected
15   LUCENTTEST           Detected            Detected
16   MSFBCOMSSID          Detected            Detected
17   MSFDLINKRATE         Detected            Detected
18   MSFNETGEARBEACON     Detected            Detected
19   NETSTUMBLER          Detected            Detected
20   NULLPROBERESP        Detected            Detected
21   PROBENOJOIN          Detected            Detected

In all test cases, the IDS of this paper detected the attack, immediately raised an alert by SMS message, and stored the information in the database. In addition, the system can also detect other kinds of outside attack, listed specifically in the Kismet Documentation [11].

Accordingly, the free open source solution of this paper can detect all 21 different kinds of attack from outside the wireless network, on par with Cisco's commercial CUWN solution.

In practice, attacks from inside a wireless network are similar or identical to attacks on an ordinary Ethernet network. Such attacks are therefore extremely varied, and it is impossible to test them all. We present only one experimental result to demonstrate that, with the IDS of this paper, Snort and its rules can be applied to inspect packets (regardless of the encryption used) in order to detect attacks from inside the wireless network.

The test setup for attacks from inside the wireless network is shown in Figure 8. In it, the attacker has, for whatever reason, already gained access to the WLAN. First, the attacker scans the network to gather information about the active hosts and the services running on them. Then the attacker exploits the target machine, which runs the Samba service, to take control of it.

[Figure 8 (diagram): SSID: NgoTrungHieuWRT; Target, Hacker]

Figure 8: Test setup for attacks from inside the wireless network


Similarly, in both steps, the network scan and the exploit, the IDS of this paper detected the event and raised an alert by SMS immediately as the intrusion event occurred (i.e. as soon as the attacker scanned the network and as soon as the attacker ran the exploit), and stored the information in the database. Detection is based on the rules defined in Snort.

5.2 Comparison with other results and remarks

The IDS of this paper is compared, in terms of functionality, with other similar open source solutions and with Cisco's commercial CUWN solution in Table 2:

Table 2: Testing of outside attacks and comparison

Feature | Proposed IDS | CUWN | Quadrant Information Security | Jason Murray
Detection of outside attacks | Yes, based on Kismet | Yes, similar to Kismet | Yes, based on Kismet | Yes, based on Kismet
Detection of inside attacks | Yes, based on Snort | Yes | Yes, based on Snort | No
Rules to recognise further inside attacks | Yes, Snort rules | Yes | Yes, Snort rules | No
Immediate alerting by SMS message | Yes | No | No | No
Event management with a database | Yes, for both Snort and Kismet | Yes | Snort only; no built-in support for Kismet | No
Blocking of malicious packets (IPS) | No | Yes | No | No
Extensibility | Yes, not tied to hardware | No, tied to Cisco hardware | Yes, not tied to hardware | Yes, not tied to hardware
Deployment cost | Very low | Very high | Very low | Very low

Table 2 shows that the IDS of this paper has many advantages over the other open source solutions, specifically: it detects attacks from both outside and inside; it alerts one or more administrators immediately by SMS as soon as an attack is detected; and it manages bad events from both outside attacks (Kismet) and inside attacks (Snort) in a database through a Web application, whereas open source solutions such as Quadrant Information Security's manage only bad events from inside attacks, using Snort's existing Web application, with no support for Kismet (since Kismet neither stores to a database nor comes with a Web application).

The extensibility of solutions built on open source software is extremely high; for example, starting from immediate alerting by SMS message, alerting via SMTP, SNMP and other channels can easily be integrated as well.

Another important point is that these solutions do not depend on hardware at all and can combine devices from different hardware manufacturers. Closed-source commercial solutions such as CUWN, by contrast, do not appear to offer users these advantages.

CUWN's malicious-packet blocking (IPS) function still operates on rules, which means that the IPS cannot stop a new attack (one not yet defined in the rules). Although the solution of this paper does not yet implement malicious-packet blocking (IPS) as Cisco's CUWN does, given the features and effectiveness that this free open source IDS delivers, it is truly a promising solution for most developing countries.

6 CONCLUSION AND FUTURE WORK

Through the sections above, this paper has presented an effective and economical alternative for deploying an IDS for wireless networks. The solution overcomes the weaknesses of traditional WIDS mentioned in Section 3 and provides notable features, such as storing events in a database, event management and immediate alerting by SMS, that are otherwise found only in expensive WIDS products. The deployment cost of the solution is extremely low because it uses only ordinary network devices and open source software products. The system can be deployed widely in places such as agencies, organizations and companies of small, medium or even large scale that need to save on the cost of deploying a security system for their wireless network while still ensuring security and effectiveness.

However, the system still has certain shortcomings: detection of outside attacks depends entirely on the detection capabilities of Kismet Server, with no support for writing rules to recognise new attacks; detection of inside attacks requires these attacks to be defined in advance through Snort rules; and the data sent from the Access Point to the IDS Server is redundant, because Kismet Drone also sends encrypted frames to the IDS Server.

Since this is a solution for an intrusion detection system, it stops at raising alerts and providing information about the intrusion; it has no ability to prevent an intrusion or limit the damage it causes. Because the Access Point runs on Linux thanks to OpenWRT, using iptables on the Access Point to automatically block (drop or reject) malicious packets or block the addresses sending them, with iptables itself or MAC filtering, and thereby stop attacks from inside, is a promising direction for further research.

REFERENCES

1. ARUBA Networks, 2013. Integrating Wired IDS with Wi-Fi: Using Open-Source IDS to Complement a Wireless IDS/IPS Deployment.

2. Champ Clark III, 2014. Building Wireless IDS system using open source, http://sagan.quadrantsec.com/papers/wireless-ids/, accessed on 02/06/2014.

3. Cisco, 2014. Cisco Licensing and Ordering Guide, http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps6301/ps6305/product_data_sheet0900aecd804b4646.html, accessed on 02/06/2014.

4. Cisco, 2014. Cisco Unified Wireless Network, http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/ch4_2_SPMb.html, accessed on 02/06/2014.

5. Dice Holdings, 2014. SourceForge: Daemonlogger, http://sourceforge.net/projects/daemonlogger/, accessed on 19/5/2014.

6. Geminicomputersinc, 2014. CSC-AIRLAP1261NAK9, http://www.geminicomputersinc.com/csc-airlap1261nak9.html, accessed on 19/5/2014.

7. Grant Wilson, 2001. OSI Defense in Depth to Increase Application Security, http://www.giac.org/paper/gsec/2868/osi-defense-in-depth-increase-application-security/10484, accessed on 02/06/2014.

8. Hossein Bidgoli, 2006. The Handbook of Information Security. John Wiley & Sons, Inc.

9. Jason Murray, 2014. An Inexpensive Wireless IDS using Kismet and OpenWRT, http://www.sans.org/reading_room/whitepapers/detection/inexpensive-wireless-ids-kismet-openwrt_33103, accessed on 02/06/2014.

10. John Bellardo and Stefan Savage, 2003. 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions. Department of Computer Science and Engineering, University of California at San Diego.

11. Martin Roesch, Chris Green, 2014. SNORT Users Manual, http://manual.snort.org/, accessed on 02/06/2014.

12. Mike Kershaw, 2014. Kismet Documentation, http://www.kismetwireless.net/documentation.shtml, accessed on 02/06/2014.

13. Nathan Einwechter, 2010. An Introduction To Distributed Intrusion Detection Systems, http://www.symantec.com/connect/articles/introduction-distributed-intrusion-detection-systems, accessed on 02/06/2014.

14. Network Hardware Australia, 2014. Cisco Wireless Control System, http://www.networkhardware.net.au/cisco-wcsapbase50-p-15452.html?utm_term=CISCO+WCS+APBASE+50&utm_campaign=Network+Products&utm_medium=cpc&utm_source=myshopping, accessed on 19/5/2014.

15. OpenWrt, 2014. OpenWrt: Wireless Freedom, https://openwrt.org/, accessed on 19/5/2014.

16. Prabhaker Mateti, 2005. Hacking Techniques in Wireless Networks, http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm, accessed on 02/06/2014.

17. Rafeeq Ur Rehman, 2003. Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID.

18. Router-switch Ltd, 2014. AIR-WLC4402-12-K9, http://www.router-switch.com/air-wlc4402-12-k9-p-4378.html, accessed on 17/3/2014.
