Wireless networks have experienced increasing development over the past several years. Two particular examples are the wireless local area network (LAN), and the wireless metropolitan area network (MAN). In a basic service set (BSS), such networks include one or more wireless stations (e.g., a laptop with a wireless network interface card (NIC)) that communicate with an a point or base station (e.g., a server) via radio frequency signals, for example. The base station performs numerous functions, such as synchronization and coordination, forwarding of broadcast packets, and providing a bridge between the wireless LAN/MAN and a wired network, such as telephone network, for example.
In an extended service set (ESS), multiple base stations are included in the network. On the other hand, in some wireless LANs/MANs there may be no base stations at all, only wireless stations engaging in peer-to-peer communications with one another. This topology is called an independent basic service set (IBSS), and in an IBSS one of the wireless stations is typically elected to act as a proxy for the missing base station.
Perhaps the most significant reason for the popularity of wireless LANs/MANs is that such networks are relatively inexpensive and easy to deploy in that a wired infrastructure is not required. Yet, wireless LANs/MANs also have several significant drawbacks not found in wired networks. For example, because wireless LAN/MAN devices are so prevalent, such devices are readily available to would-be hackers who may attempt to intrude upon the network and compromise network security using an unauthorized wireless station (i.e., a rogue station). Also, if wireless LANs/MANs are operated too closely to one another the networks may intrude upon one another and cause network disruption, particularly if they share common channels.
One of the more prominent standards which has been developed for regulating communications within wireless LANs/MANs is that of the Institute of Electrical and Electronic Engineers' 802 LAN/MAN Standards Committee, entitled “IEEE Standards for Information Technology—Telecommunications and Information Systems—Local and Metropolitan Area Network—Specific Requirements—Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications,” 1999, which is hereby incorporated herein in its entirety by reference. In addition to providing wireless communications protocols, the 802.11 standard also defines a wired equivalent privacy (WEP) algorithm which is used to protect wireless signals from eavesdropping. More particularly, WEP provides for the encryption of messages to be sent between stations as well as an integrity check to ensure that the integrity of the originally transmitted messages has not been compromised.
While the WEP algorithm does provide some measure of network security, it does not detect or report potential intrusions into the network. Only recently have such intrusion detection systems been made available. These systems typically include security monitoring software to be installed on stations where intrusion detection is desired. Such software may attempt to detect intruders by monitoring and recording media access control (MAC) addresses or Internet protocol (IP) addresses and comparing them to known addresses of authorized network stations. Furthermore, such systems may observe when WEP is not enabled.
One particular example of an intrusion detection system from WildPackets, Inc. is called AiroPeek. AiroPeek searches for unauthorized rogue stations based upon ESS and BSS identifications (ESSIDs, BSSIDs) in use in the network. That is, a list of all authorized BSSIDs and ESSIDs in use in the network is created. A filter is then used to exclude all unauthorized stations. This filter is created by capturing normal network traffic and determining the data offset in an 802.11 frame corresponding to the ESSID or BSSID. AiroPeek also includes an alarm that is triggered on the basis of frame count. That is, if the frame count exceeds zero, the alarm is triggered (i.e., if any frames are detected from a rogue station, then the alarm is triggered). Further, AiroPeek can provide notification of an alarm via email or by using a modem to dial out of the system (e.g., to a pager).
Despite the advancements made by the above systems, some intrusions into a wireless LAN/MAN may still go undetected by such systems. That is, if a rogue station has obtained access to an authorized address and/or ID, for example, the above approaches may not detect the intrusion of the rogue station into the network.