The present invention relates to wireless networks, and in particular to a method to dynamically measure properties of, and re-classify, an access point in an infrastructure wireless local area network (WLAN).
WLANs have recently become popular, in particular WLANs that comply with the IEEE 802.11 standard. Such a standard provides for ad-hoc networks, wherein any wireless station can directly communicate with any other wireless station, and also for infrastructure networks, in which one station, called the access point (AP), acts as a base station for a set of client stations. Thus, an AP forms a cell in which any of its client stations (or a repeater) may communicate with the AP. A client station communicates only via its access point to another client station or to any other part of the network, e.g., a wired network that may be connected to one of the access points.
WLANs allow companies to extend the benefits of networks to mobile workforces, as well as to deliver new networking services and applications wirelessly. One of the challenges that a company faces in deploying wireless networks is security, including preventing a “foreign” wireless device from connecting to the company's networks as a rogue access point.
Some security problems specific to WLANs arise from wireless client stations requesting access to the various APs. Often, in a deployment of a WLAN environment, the coverage areas of AP cells are overlapped to achieve maximum RF coverage and to reduce non-service spots. Wireless client stations can move between APs, and thus change the RF environment of the WLAN depending on their location. Additionally, WLANs are often required to grow with increased demand as more and more client stations require service from the WLAN. Expanding the WLAN requires reconfiguring equipment, adding APs, and placing APs in locations that do not conflict with other APs or otherwise complicate managing the WLAN.
Because wireless is an open medium, anyone can contend for access and send information over a wireless channel.
A wireless network typically uses management frames at the MAC layer designed, sent, and received for management purposes. For example, in a WLAN that conforms to the IEEE 802.11 standard, an AP regularly transmits beacon frames that announce the AP's presence, i.e., advertises the AP's services to potential clients so that a client may associate with the AP. Similarly, a client can send a probe request frame requesting any AP in its radio range to respond with a probe response frame that, in a similar manner to a beacon frame, provides information for the requesting client (and any other radios in its radio range and able to receive its channel) sufficient for a client to decide whether or not to associate with the AP.
IEEE 802.11 management frames are typically sent without any protection, although some management frame protection methods have recently been proposed. With unprotected management frames, an attacker can therefore easily spoof a legitimate AP, sending directives to client stations as if it were the AP serving those client stations. For example, nearly all attacks begin with an attacker spoofing an AP by sending disassociation or de-authentication requests to a client station.
Thus, there has been a need for methods and equipment to efficiently protect a WLAN and to provide WLAN managers with the information needed to make management and access control decisions. In particular, because many customers of WLANs do not control which types of devices can connect to wired Ethernet networks and to wireless networks, such customers face the difficult challenge of controlling whether, when, and how access points are deployed in their environment. Oftentimes, users will plug in unapproved wireless access points to deliver wireless networks that are not corporate-sanctioned and/or not available from the corporate information technology department. Less often, but of more serious concern, are network attackers who, at one time, place access points inside a corporate network and, at a different time, perhaps from a different location, use that unapproved access point to gain illegitimate access to the corporate network.
Rogue Access Point Detection Systems (RAPDS), also called Wireless Intrusion Detection Systems (WIDS), are known and provide for managing some aspects of wireless RF security. Aspects of such systems include the ability to detect, locate, alert on, and ideally shut down rogue access points on their networks. These systems generally utilize a tiered classification model for access points. The first category is known and managed APs (called managed APs herein). The second category is known APs that are in the neighborhood of the managed network, or that are known to clients of managed APs (i.e., to managed clients), and that are known not to cause problems, e.g., interference, to the managed wireless network; such APs are called friendly APs. One example of a friendly AP is an AP at a coffee shop where an employee of the enterprise often works using a computer that is a managed client and that associates with this friendly AP. Finally, there are unknown and/or known-to-be “rogue” APs (collectively called rogue APs herein).
An overview of some rogue AP detection methods is provided in the DETAILED DESCRIPTION section herein below.
What these rogue AP detection systems lack is the dynamic capability to classify, and to re-classify, an AP into one of the categories of a categorization scheme should the AP's behavior change.
As an example, a particularly clever attacker could take advantage of known rogue AP detection systems to place an access point nearby a corporate network, with an expectation that over time, that access point would be labeled as a “friendly AP.” This attacker could then move this access point inside a corporate network and use this access point as a “Trojan horse” and avoid detection through typical rogue AP detection systems.
Thus there is a need in the art for a method to measure, cause a radio scan of, and cause a re-classification of access points that have already been classified in a managed wireless network.
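The tiered classification described above (managed, friendly, rogue) and the “Trojan horse” scenario of a friendly AP that is later moved inside the network are illustrated by the following added example. It is not code from the patent or from any product; the managed inventory, corporate SSID, RSSI thresholds and the “seen on the wired network” flag are constructed assumptions. Each scan cycle re-evaluates every observed BSSID against the current inventory and against the RF fingerprint recorded when an operator approved it as friendly, so a friendly AP that is suddenly heard strongly by a different managed radio is demoted to rogue rather than keeping its earlier label.

```python
"""Dynamic AP re-classification over successive radio-scan cycles.

Added example (not from the patent). All enterprise data, thresholds and
rules below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

MANAGED, FRIENDLY, ROGUE, UNKNOWN = "managed", "friendly", "rogue", "unknown"

# Constructed enterprise data (assumptions).
MANAGED_BSSIDS = frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"})
CORPORATE_SSIDS = frozenset({"corp-wlan"})
INSIDE_RSSI_DBM = -60   # assumed: heard this strongly by a managed radio => physically inside
RSSI_JUMP_DBM = 20      # assumed: this much louder than the friendly baseline is suspicious


@dataclass(frozen=True)
class Observation:
    """One scan report: a managed AP's radio heard a beacon or probe response."""
    bssid: str
    ssid: str
    sensor: str             # BSSID of the managed AP whose radio heard the frame
    rssi_dbm: int
    seen_on_wire: bool = False  # assumed: the BSSID's MAC also appeared on the wired side


@dataclass
class ApRecord:
    bssid: str
    classification: str = UNKNOWN
    baseline_sensors: FrozenSet[str] = frozenset()   # radios that heard it when approved
    baseline_max_rssi: Optional[int] = None          # strongest signal when approved
    history: List[str] = field(default_factory=list)

    def set(self, new_class: str, reason: str) -> None:
        """Record a transition only when the category actually changes."""
        if new_class != self.classification:
            self.history.append(f"{self.classification}->{new_class}: {reason}")
            self.classification = new_class


class ApClassifier:
    def __init__(self) -> None:
        self.records: Dict[str, ApRecord] = {}
        self.last_cycle: Dict[str, List[Observation]] = {}

    def approve_friendly(self, bssid: str) -> None:
        """Operator vetting: freeze the RF fingerprint from the last cycle as the baseline."""
        rec = self.records[bssid]
        obs = self.last_cycle.get(bssid, [])
        rec.baseline_sensors = frozenset(o.sensor for o in obs)
        rec.baseline_max_rssi = max(o.rssi_dbm for o in obs) if obs else None
        rec.set(FRIENDLY, "operator approved")

    def scan_cycle(self, observations: Iterable[Observation]) -> Dict[str, str]:
        """Ingest one scan cycle and re-classify every BSSID heard in it."""
        by_bssid: Dict[str, List[Observation]] = {}
        for o in observations:
            by_bssid.setdefault(o.bssid, []).append(o)
        self.last_cycle = by_bssid
        for bssid, obs in by_bssid.items():
            rec = self.records.setdefault(bssid, ApRecord(bssid))
            self._classify(rec, obs)
        return {b: r.classification for b, r in self.records.items()}

    def _classify(self, rec: ApRecord, obs: List[Observation]) -> None:
        sensors = frozenset(o.sensor for o in obs)
        max_rssi = max(o.rssi_dbm for o in obs)
        ssids = {o.ssid for o in obs}
        if rec.bssid in MANAGED_BSSIDS:
            rec.set(MANAGED, "in managed inventory")
            return
        if any(o.seen_on_wire for o in obs):
            rec.set(ROGUE, "BSSID seen on the wired network")
            return
        if ssids & CORPORATE_SSIDS:
            rec.set(ROGUE, "advertises a corporate SSID but is not managed")
            return
        if rec.classification == FRIENDLY:
            # A friendly AP heard by a radio that never heard it before, or far
            # louder than at approval time, has probably been moved inside.
            moved = not sensors <= rec.baseline_sensors
            louder = (rec.baseline_max_rssi is not None
                      and max_rssi - rec.baseline_max_rssi >= RSSI_JUMP_DBM)
            if max_rssi >= INSIDE_RSSI_DBM and (moved or louder):
                rec.set(ROGUE, f"friendly AP now heard at {max_rssi} dBm by {sorted(sensors)}")
        # Anything else stays UNKNOWN until an operator vets it.


def demo() -> Dict[str, str]:
    """Constructed scenario: a coffee-shop AP is approved friendly, then shows up inside."""
    c = ApClassifier()
    cafe = "aa:bb:cc:dd:ee:ff"
    c.scan_cycle([Observation(cafe, "cafe", "00:11:22:33:44:01", -85)])
    c.approve_friendly(cafe)
    return c.scan_cycle([
        Observation(cafe, "cafe", "00:11:22:33:44:02", -45),                 # moved inside
        Observation("de:ad:be:ef:00:01", "corp-wlan", "00:11:22:33:44:01", -70),  # SSID impersonation
        Observation("00:11:22:33:44:02", "corp-wlan", "00:11:22:33:44:01", -50),  # our own AP
    ])


if __name__ == "__main__":
    for bssid, cls in demo().items():
        print(bssid, cls)
```

The point of keeping a per-BSSID history is that the label an operator assigned earlier is never treated as final: every cycle compares fresh measurements against the inventory and the approval-time baseline, which is exactly the re-classification capability the passage says existing systems lack.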