Wireless communications, such as IEEE 802.11 (WiFi), have proliferated due to the availability of wireless spectrum and wireless communications components. Traditional wired networks use cables to transfer information. Cables are a controlled medium, protected by the buildings that enclose them. External traffic that enters a wired network is policed by a firewall and established wired intrusion-protection technologies. To gain access to a wired network, an intruder or hacker must bypass the physical security of the building or breach the firewall.
Wireless networks, on the other hand, use the airspace to transfer information. The airspace is an uncontrolled and shared medium—it lacks the equivalent physical control of its wired counterpart. Once a user connects a wireless access point (AP) into the network, its signals can travel through the walls, ceilings, and windows of the building, exposing the traditionally secure physical and link layers. This renders the entire network accessible from another floor of the building, from an adjoining building, from the parking lot, or from across the street. Radio signals from a single wireless AP can travel up to thousands of feet outside of the building. Additionally, wireless devices share the airspace. Any wireless device in the network can sniff all the traffic of all other wireless devices within the same basic service set.
As wireless networks proliferate and costs decrease for wireless components, networks are becoming more insecure due to the inherent security weaknesses of wireless networks. Enterprises have deployed wireless monitoring systems such as wireless intrusion prevention systems (WIPS) and/or wireless intrusion detection systems (WIDS) to proactively monitor and prevent attacks on the wireless networks. Wireless monitoring systems are configured to monitor a wireless network continuously (i.e., 24×7) and provide the most advanced solution for rogue detection and prevention, intrusion detection, policy monitoring and compliance, automated protection, historical analysis, and remote troubleshooting.
FIG. 1 illustrates an exemplary embodiment of a local network 100 including both wired and wireless components. The wired components depicted in FIG. 1 include a variety of connected systems such as local servers 120, local clients 130 and network accessible data storage servers 110. The local servers 120, local clients 130, and data servers 110 are connected through an Ethernet 150 connection. A router 140 connects the Ethernet 150 and the components 110, 120, 130 to an external network 160 such as the Internet. A firewall 145 can be included to protect the wired local network and act as a security gate to prevent unauthorized traffic coming from the network 160 such as a potential hacker 135. A firewall 145 can effectively deter an attack from a wired hacker 135 via the network 160.
By installing wireless access points (AP) 180a, 180b to the wired network (e.g., Ethernet 150 and router 140), personal computers and laptops equipped with wireless local area network (WLAN) cards create a wireless network 170a, 170b which can connect to the wired network at broadband speeds (i.e., 11 Mb/s to 54 Mb/s) using IEEE 802.11a/b/g protocols for example.
Wireless networks 170a, 170b operate over the airspace which is an uncontrolled and shared medium lacking the equivalent physical control of its wired counterpart. As such, wireless hackers 185a, 185b can enter the local network 100 through the access points 180a, 180b even if the access points 180a, 180b are located behind the firewall 145. Therefore, wireless networks 170a, 170b (in conjunction with access points 180a, 180b) can provide opportunities for unauthorized users to attack a network, which can include in various examples: a local area network, a wide area network, a metropolitan area network, a corporate intranet, among many others.
A wireless AP 180c can be installed unbeknownst to the enterprise (e.g., rogue AP) or it can be installed and misconfigured (e.g. misconfigured AP). As such, the AP 180c can also provide opportunities for unauthorized users to access the network. Due to the low cost of APs 180c, anyone with access to an enterprise can install a rogue AP 180c and connect it to the Ethernet 150 network providing complete wireless access to the enterprise. A misconfigured AP 180c can have the wrong encryption settings allowing any user to gain access to the enterprise.
Also, municipal wireless networks 195 are proliferating, such as local governments providing free IEEE 802.11 access. These networks 195 can be used by a wireless hacker 185a to gain access to a device on the enterprise's wireless network 170a which is set to allow inbound connections, effectively bypassing the enterprise firewall and content filtering. Additionally, mobile users 170c face threats from evil twin APs 180e, which gain access to the login credentials of the user 170c by posing as a legitimate AP 180d. Such a threat can allow the evil twin AP 180e to relay the credentials to a hacker for access to the enterprise's wireless network 170a, 170b.
In addition to IEEE 802.11 access, other wireless protocols 190 such as Bluetooth and WiMax are proliferating. Bluetooth is deployed within the enterprise with PDAs, cellular phones, and the like. WiMax is a wireless standard for the delivery of last-mile wireless broadband access as an alternative to cable and DSL.
The local network 100 can be configured with wireless sensors 202a, 202b and a server 201 for monitoring and preventing wireless intrusions on the wireless networks 170a, 170b. The sensors 202a, 202b connect to the Ethernet 150 network, and each sensor 202a, 202b is located to monitor and prevent intrusions over a pre-defined area for wireless activity. The sensors 202a, 202b are configured to monitor data transmitted on the wireless networks 170a, 170b and to communicate relevant data, events, and statistics to the server 201. The sensors 202a, 202b can be configured to monitor one or more wireless channels such as IEEE 802.11 standard channels and non-standard user-defined channels, Bluetooth, and WiMax channels. The sensors 202a, 202b can monitor more than one channel simultaneously if the sensors 202a, 202b are configured with multiple radios. The sensors 202a, 202b can include a local processor to perform data analysis on wireless events to minimize communications to the server 201.
The server 201 connects to the Ethernet 150 or optionally through the network 160 (not shown) and the server 201 is configured to receive and correlate data, events, and statistics from the sensors 202a, 202b. Further, multiple servers 201 can operate to provide redundancy and load-balancing. Additionally in some examples, access points 180a, 180b and/or local clients 130 can occasionally operate as sensors 202a, 202b to communicate data, events, and statistics to the server 201. Also, local clients 130 equipped with WLAN cards can be configured with software agents, allowing the local clients 130 to periodically monitor the wireless networks 170a, 170b and to communicate data, events, and statistics from monitoring the wireless networks 170a, 170b to the server 201.
The server 201 can be configured to detect attacks and events, network performance degradation, and network policy compliance on the wireless networks 170a, 170b. Further, the server 201 can be configured to direct the sensors 202a, 202b to terminate a rogue wireless client (e.g. an unauthorized user) such as wireless hackers 185a, 185b. Also, the server 201 can include a data store to log history and trends relating to monitoring of the wireless network 170a, 170b. The combination of the server 201 and sensors 202a, 202b is known as a wireless intrusion prevention system (WIPS) or a wireless intrusion detection system (WIDS). An example of a WIPS system is the AirDefense Enterprise Release 7.0 (available from the assignee, AirDefense, Inc. of Alpharetta, Ga.).
Upon receiving and correlating data, events, and statistics, the server 201 is configured to generate alarms and performance data relating to the wireless network. Also, the server 201 can include a data store to log history and trends relating to the wireless network. The server 201 includes a display means such as a graphical user interface (GUI) operable to notify and organize alarms and performance data for a network operator.
As wireless network deployments proliferate, the server 201 receives significantly more data, events, and statistics from the distributed sensors. For example, a WIPS or WIDS can be configured to generate alarms every minute depending on specific events that occur in that minute. Disadvantageously, this is more error prone, results in false positives, and generates multiple instances of the same alarm for a single event. Further, alarm storage is an issue. Furthermore, large scale deployments of wireless networks require a single interface to monitor and manage alarms and other data related to wireless networks.
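The correlation step performed by the server 201 and the duplicate-alarm problem just described, as an added example that is not part of the original document: a minimal correlator that merges repeated per-minute sensor reports of one condition into a single alarm carrying a count and the set of observing sensors, and opens a fresh alarm only after the condition has been quiet for an idle window. The event field names, the idle window, and the sample reports are constructed assumptions, not the product's data model.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sensor report, modelled on the data, events, and statistics the
# sensors 202a, 202b send to server 201 (field names are assumptions).
@dataclass(frozen=True)
class SensorEvent:
    sensor: str   # reporting sensor, e.g. "202a"
    minute: int   # minute-granularity timestamp of the report
    kind: str     # event type, e.g. "rogue_ap"
    device: str   # wireless device the event concerns (BSSID / MAC)

@dataclass
class Alarm:
    kind: str
    device: str
    first_seen: int
    last_seen: int
    count: int = 0
    sensors: set = field(default_factory=set)

def correlate(events: List[SensorEvent], idle_minutes: int = 5) -> List[Alarm]:
    """Collapse repeated per-minute reports of one condition (same event type,
    same device) into a single alarm while the condition stays active; a report
    arriving more than idle_minutes after the last one opens a fresh alarm."""
    alarms: List[Alarm] = []
    for ev in sorted(events, key=lambda e: e.minute):
        match: Optional[Alarm] = None
        for a in alarms:
            if ((a.kind, a.device) == (ev.kind, ev.device)
                    and ev.minute - a.last_seen <= idle_minutes):
                match = a
        if match is None:
            match = Alarm(ev.kind, ev.device, ev.minute, ev.minute)
            alarms.append(match)
        match.count += 1                  # one alarm, N corroborating reports
        match.last_seen = ev.minute
        match.sensors.add(ev.sensor)      # which sensors observed the condition
    return alarms

# Constructed sample: sensors 202a and 202b report the same rogue AP across
# three minutes, 202b also sees one deauth flood, and the AP returns 10 min later.
SAMPLE = [
    SensorEvent("202a", 0, "rogue_ap", "02:00:00:00:00:01"),
    SensorEvent("202b", 0, "rogue_ap", "02:00:00:00:00:01"),
    SensorEvent("202a", 1, "rogue_ap", "02:00:00:00:00:01"),
    SensorEvent("202a", 2, "rogue_ap", "02:00:00:00:00:01"),
    SensorEvent("202b", 1, "deauth_flood", "02:00:00:00:00:02"),
    SensorEvent("202a", 12, "rogue_ap", "02:00:00:00:00:01"),
]
```

With the sample, six sensor reports collapse into three alarms instead of six; widening the idle window to cover the ten-minute gap collapses them into two.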
Thus, systems and methods are needed to efficiently generate, manage, and display alarms and other data associated with monitoring wireless networks.