Wireless Network Security Virtual Laboratory
Anthony LoBono, Mike Steffen, and Shishir Gupta
Advisor: Doug Jacobson
Client: George Amariucai
Introduction
• Problem: Iowa State University's CPRE 537 (Wireless Network Security) course does not provide a laboratory environment in which students, both distance-education and on-campus, can conduct wireless security experiments.
• Solution: Create an environment that is accessible from anywhere in the world, built on real wireless hardware and a virtual machine server, and provide the software tools necessary for conducting wireless security experiments.
Functional Requirements
• Remote access for both on campus and off campus students
• Support for at least four concurrent users
• Support for WiFi and Bluetooth experiments
• A web interface to manage hardware access
• Non-interference between users
• Comprehensive documentation for both administrators and students
Non-Functional Requirements
• User-friendly access interface
• Adequate network bandwidth
• Adequate system resources
• Real world network simulation
• Extension to support other wireless technology
– GSM
– RFID
Schedule
1st Semester
• Preliminary hardware setup
• Preliminary laboratory design
• Wi-Fi demo laboratory setup
2nd Semester
• Final implementation
– Hardware interface
– Web interface
• GSM / RFID experimentation
• Final setup and final testing
Task Responsibility
As a small team of three members, each member is equally involved in all aspects of the project. However, here is a very basic work breakdown:
• Michael Steffen – Hardware Specialist: Michael leads the design and setup of the hardware architecture and the virtual machine server.
• Anthony LoBono – System Specialist: Anthony leads the design and setup of the software architecture and the web interface.
• Shishir Gupta – Security Specialist: Shishir leads the design and setup of the wireless security hardware and software.
Implementation: Hardware Architecture
• Commodity x86 server hardware
• USB wireless dongles (Ralink)
• Consumer-grade routers
• USB Bluetooth, RFID and other tools
Implementation: Software Architecture
• Multilevel
– Hypervisor
– OS
– Software tools
– Scripts
• Mostly invisible to the end user
Implementation: Software Architecture
• Hypervisor: VMware vSphere Hypervisor 4.1
– Free license
– Robust platform
– Team familiarity
– Ease of configuration
– Custom scripted via the console over SSH
• Virtual machines
– Four transmit client nodes
– Four attack nodes
– One host config node
– One administration node
Implementation: Software Architecture
• Dilemma: How to ensure the environment is equally available to all users?
• Solution: Each user has their own VMs
– They remain off until requested
– Radio config is patched in before boot and stripped after logoff
– Result: greater uptime for all users
Implementation: Software Architecture
• Scripts
– Backend: hypervisor scripted to allow statistics gathering, power state changes and file operations
– Frontend: configuration upon creation of machines
– Scripts for environment user management and administration
• User interface
– Web portal
– Access to system status, user file operations and documentation
– Terminal or X server access to the user's attack and transmit nodes
• X access via NoMachine NX
Implementation: Network Architecture
• Intent: user environments are separate from each other
– Users are MAC-locked to their router
• This can be bypassed: MAC filtering only checks a client-chosen address, so a user who spoofs another user's adapter address gets through, and it cannot by itself enforce non-interference between users
• Transmit nodes are blocked from communicating with each other by the firewall
• Routing of HTTP versus SSH traffic is achieved via the firewall and routing tables
• Radio separation is achieved by manual channel configuration
Cost Estimate
VM Host Server       $1250 (approx)
Wireless Adapters    $80   ($10 x 8)
Bluetooth Adapters   $160  ($40 x 4)
Routers / Switches   $130
Total                $1620 (approx)
Start Environment
1. User asks the web portal to attach radios and power on the user's machines.
2. Web portal checks the PHP session to confirm the user is logged in and gets the user's username.
3. Web portal tells the hypervisor communication class to power on the user's machines.
4. Hypervisor class invokes the provision and boot script on the host machine through an SSH connection.
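The four steps above, as an added example that is not the project's code: the portal is PHP and the hypervisor side is shell, but the control flow is shown here in Python. The host name, key path, script path and VM naming scheme are assumptions. The check a practitioner would want sits between steps 2 and 3: the username taken from the session ends up in a command run by the web user's key on the host machine, so it is validated against a strict pattern and the remote command is quoted before it is handed to SSH. BatchMode and StrictHostKeyChecking reflect the notes later on this page that the web user's key is unencrypted and that the web user must accept the servers' host keys beforehand.

```python
"""Portal-side 'Start Environment' step: confirm the caller's session,
validate the username that will be spliced into a remote command, and
build the SSH invocation that powers on that user's attack and transmit
nodes on the hypervisor.  Added example; names and paths are assumptions."""
import re
import shlex
import subprocess

# Hypothetical deployment constants (not from the original page).
HYPERVISOR_HOST = "esxi.wseclab.example"
WEB_USER_KEY = "/var/lib/wseclab/id_rsa"      # the unencrypted key the page mentions
PROVISION_SCRIPT = "/vmfs/volumes/datastore1/scripts/provision_and_boot.sh"

# Usernames come from the PHP session, but anything that ends up in a
# remote shell must still be treated as untrusted input.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(name):
    """Return the username if it is a plain account name; raise otherwise."""
    if not isinstance(name, str) or not USERNAME_RE.match(name):
        raise ValueError("rejected username: %r" % (name,))
    return name


def current_user(session):
    """Stand-in for the PHP session check (step 2): a logged-in session carries 'username'."""
    if not session.get("logged_in") or "username" not in session:
        raise PermissionError("not logged in")
    return validate_username(session["username"])


def vm_names(username):
    """Each user owns exactly two VMs: an attack node and a transmit node (naming assumed)."""
    return ["%s-attack" % username, "%s-transmit" % username]


def build_power_on_command(username):
    """Build the argv for the SSH call that runs the provision-and-boot script (steps 3-4).

    Passing a list to subprocess avoids a local shell; shlex.quote protects the
    remote shell that sshd hands the command string to.  BatchMode fails rather
    than prompting, and StrictHostKeyChecking requires the host key to have been
    accepted already, as the page's notes require of the web user.
    """
    remote = " ".join(shlex.quote(a)
                      for a in [PROVISION_SCRIPT, "power-on", *vm_names(username)])
    return ["ssh", "-i", WEB_USER_KEY,
            "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes",
            "root@%s" % HYPERVISOR_HOST, remote]


def start_environment(session, run=False):
    """Steps 1-4 of 'Start Environment'.  With run=False only the argv is returned."""
    argv = build_power_on_command(current_user(session))
    if run:
        subprocess.run(argv, check=True, timeout=120)
    return argv


if __name__ == "__main__":
    print(" ".join(start_environment({"logged_in": True, "username": "alice"})))
```

Running the module prints the SSH command that would be issued for the constructed session of user alice; nothing is executed unless run=True is passed, so the flow can be inspected on a machine without a hypervisor.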
Adding A User
1. User requests to add a user.
2. Web portal checks that the requesting user is an administrator.
3. Web portal checks whether the user already exists.
4. Web portal tells the hypervisor communication class to verify that the datastore has enough disk space.
5. Hypervisor class tells the host machine to verify and create the user's machines.
6. Web portal saves the username and password temporarily.
7. Web portal tells the control machine to add the configuration script to crontab.
8. Every five minutes the configuration script checks whether the host machine has finished creating the user's machines.
9. When ready, the script reads the username and password from the control machine.
10. The script tells the hypervisor class to power on the user's machines.
11. The script runs commands over SSH to configure the virtual machines.
12. User gets added to the database.
Creating Users
• Results – Both creating an individual user's virtual machines and batch-creating users' virtual machines were successful.
• Known Issues
– Better functionality should be implemented for alerting an administrator when this process is complete.
– If the portdef table in the MySQL database becomes corrupt, new virtual machines will not be configured correctly, nor will they be accessible from outside the firewall.
Removing Users
• Results – Tests for removing virtual machines were successful.
• Known Issues – When individual users are removed from the portdef table in the MySQL database, their assigned ports cannot be used again until all users are removed.
Change Account Passwords
• Results – The system was able to catch all combinations of characters we tested without error.
• Known Issues– None
Powering Down Machines
• Results – The system was able to power down a user’s machines. The web interface was also successful in powering down machines from both the user session and the admin session.
• Known Issues – Powering down a user’s machine while it is being backed up fails.
Backing Up And Restoring Machines
• Results – The system was mostly successful in this process. A few tests failed, but the failures were not reproducible.
• Known Issues – If a user restores his or her working image from a backup after being assigned new ports on the firewall, the machine will no longer function properly. However, the current implementation should not allow a user's ports to be redefined.
Attaching Radios And Booting
• Results – All tests for the system resulted in success.
• Known Issues – With the current implementation only non-cascading USB hubs can be used with the server. Cascading hubs cause the ‘getavailibleusbdevices.sh’ script to fail.
Wireless Experimentation Environment
Each user -> Remote access to two virtual machines
Attack Machine
– BackTrack 5 R1
– NX Server
– SSH Server
– Attack tools
Client Machine
– Ubuntu 10.04 (LTS)
– NX Server
– SSH Server
– Traffic generators
Wi-Fi + Bluetooth
The laboratory currently supports experimentation for Wi-Fi and Bluetooth.
Wi-Fi
– Hardware: USB Wi-Fi adapter (Rosewill RTL-8187); wireless router (D-Link XXXXX)
– Software: BackTrack tools; Lorcon (packet injection); Airpwn (Wi-Fi spoofing); Scapy (packet injection); coWPAtty (WPA cracking)
Bluetooth
– Hardware: USB Bluetooth adapter (Linksys BT100)
– Software: BackTrack tools
Laboratory Extension
The coursework for the class is not limited to a specific wireless technology and instead touches on several:
• Wi-Fi
• Bluetooth
• GSM
• RFID
As part of this senior design project, the client's requirements called for initial integration of at least Wi-Fi and Bluetooth, with optional extension or preparatory work toward other technologies. The team researched and performed experiments with a software-defined radio (SDR) platform to potentially integrate GSM, RFID and possibly other technologies in the future.
Hardware
Universal Software Radio Peripheral (USRP)
• USRP version 1
• Daughterboards
– LF RX (DC-30 MHz RX)
– TV RX (50-870 MHz RX)
– DBSRX (800 MHz-2.4 GHz RX)
– RFX2400 (2.3-2.9 GHz RX+TX)
• Antennas
• USB connector
Software
GNU Radio + Universal Hardware Driver (UHD)
• Core framework
• AirProbe (GSM decoder)
• RIDAC (RFID toolkit)
• DSP Buttler (signal processing)
Experiments Performed
Wireless jamming               GNU Radio Signal Generator
GSM receiving/decoding         AirProbe GSM RX/sniffer
RFID capture                   RIDAC RFID audit toolkit
Wireless RF spectrum analysis  DSP Buttler; Baudline RF spectrum analyzer
*Note – All experiments were conducted using open source software available on the internet.
Additional Problems / Notes
• The RSA private key for the web user must remain unencrypted. Because that key is accepted as root on both stock images and is what the portal uses to reach the host machine, it should be readable only by the web user, and the matching authorized_keys entries can be restricted with from= and command= options to the hosts and scripts the portal actually needs.
• Before the configure machines script can work, the web user must accept the RSA host key of the SSH server on the stock images.
• Before the configure machines script can work, the RSA public key for the web user must be added to the root user's authorized_keys file on both stock images.
• When restoring user images from the stock image, the restored image was no longer functional. The solution was to have the configuration script check whether the user already exists; if so, the script looks the user up in the portdef table in the MySQL database and configures the machine with those ports.
• Currently, for a new user to be created there must be at least 70 gigabytes of free space on the requested datastore, to account for user backups. A more space-efficient method should be investigated.
• Currently the firewall is only configured to allow 100 users on the system. Given the disk space constraint above this is not really an issue, but the firewall should be reconfigured and the machine configuration script modified to allow more than 100 users.
• Currently, when a user's allotted session time ends, the user's machines are powered down. Since the switch from PCI cards to USB devices it is possible to hot-plug the radios, so when a session ends the attached devices should instead be detached and the machines left powered on. This change would prevent data loss.
• To allow the PHP scripts to write log files to /var/log/wseclab.d/FILENAME, the user the Apache server runs as had to be added to the log group.
• To allow the user the Apache server runs as to schedule cron jobs, that user had to be added to the user group.
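The known issues under Removing Users (freed ports are never reused until all users are removed), under Backing Up And Restoring Machines (a restored image that no longer matches newly assigned ports) and the 100-user firewall limit above all come down to how the portdef table hands out ports. This added example, which is not the project's code, shows one allocator that avoids all three. It uses sqlite3 in place of the project's MySQL table and assumes four forwarded ports per user starting at 20000 and a pool of 100 slots matching the firewall configuration; the table name portdef is the page's, the column names are assumptions. New users take the lowest free slot, so ports released by removed users are reused, and an existing user gets the recorded ports back rather than a new assignment, so reconfiguring a restored image keeps the ports the firewall already forwards.

```python
"""Port bookkeeping for the portdef table: a fixed pool of forwarded ports
that is reused when a user is removed and looked up, not re-assigned, when
an existing user's machines are reconfigured after a restore.
Added example; sqlite3 stands in for the project's MySQL database."""
import sqlite3

# Hypothetical pool (not from the original page): the firewall forwards
# PORT_BASE .. PORT_BASE + MAX_USERS*PORTS_PER_USER - 1, so MAX_USERS is
# the hard ceiling the page describes (100 users).
PORT_BASE = 20000
PORTS_PER_USER = 4          # attack SSH/NX, transmit SSH/NX (assumed layout)
MAX_USERS = 100


def open_portdef(path=":memory:"):
    """Open (or create) the portdef table.  One row per user, one unique slot per row."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS portdef (
                    username TEXT PRIMARY KEY,
                    slot     INTEGER UNIQUE NOT NULL)""")
    return db


def ports_for_slot(slot):
    """Translate a slot index into the four external ports forwarded to the user's VMs."""
    base = PORT_BASE + slot * PORTS_PER_USER
    return {"attack_ssh": base, "attack_nx": base + 1,
            "transmit_ssh": base + 2, "transmit_nx": base + 3}


def lookup_ports(db, username):
    """Return the user's recorded ports, or None if the user has no portdef row."""
    row = db.execute("SELECT slot FROM portdef WHERE username = ?", (username,)).fetchone()
    return ports_for_slot(row[0]) if row else None


def assign_ports(db, username):
    """Idempotent assignment.

    An existing user gets the ports already on record, which is what the
    configuration script needs when it reconfigures a restored image.  A new
    user gets the lowest free slot, so slots freed by remove_user() are reused
    instead of the pool growing until every user is deleted.
    """
    existing = lookup_ports(db, username)
    if existing is not None:
        return existing
    used = {r[0] for r in db.execute("SELECT slot FROM portdef")}
    for slot in range(MAX_USERS):
        if slot not in used:
            db.execute("INSERT INTO portdef (username, slot) VALUES (?, ?)", (username, slot))
            db.commit()
            return ports_for_slot(slot)
    raise RuntimeError("portdef pool exhausted: firewall only forwards %d user slots" % MAX_USERS)


def remove_user(db, username):
    """Release the user's slot.  Returns True if a row was removed."""
    cur = db.execute("DELETE FROM portdef WHERE username = ?", (username,))
    db.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_portdef()
    print("alice", assign_ports(db, "alice"))
    print("bob  ", assign_ports(db, "bob"))
    remove_user(db, "alice")
    print("carol", assign_ports(db, "carol"), "(reuses alice's slot)")
```

With a real MySQL backend the same two properties matter: the UNIQUE constraint on the slot column makes a double assignment fail loudly instead of silently producing two users behind the same forwarded ports, and the lowest-free-slot search is what keeps the pool bounded by the firewall's 100 slots rather than by the number of users ever created.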
Testing
• Our original plan was to hold a closed beta test with this semester's Computer Engineering 537 class. However, Computer Engineering 537 was not offered this semester, so we acted as the test subjects. We tested all the use cases in Appendix A, largely with success.