1. Field of the Invention
The present invention relates generally to wireless computer networking techniques. More particularly, the invention provides methods and systems for intrusion detection for local area networks with wireless extensions. The present intrusion detection can be applied to many computer networking environments, e.g. environments based upon the IEEE 802.11 family of standards (WiFi), Ultra Wide Band (UWB), IEEE 802.16 (WiMAX), Bluetooth, and others.
2. Description of the Related Art
Computer systems have proliferated from academic and specialized science applications to day-to-day business, commerce, information distribution and home applications. Such systems range from personal computers (PCs) to large mainframe and server class computers. Powerful mainframe and server class computers run specialized applications for banks, small and large companies, e-commerce vendors, and governments. Personal computers can be found in many offices, homes, and even local coffee shops.
The computer systems located within a specific local geographic area (e.g. an office, building floor, building, home, or any other defined geographic region (indoor and/or outdoor)) are typically interconnected using a Local Area Network (LAN) (e.g. the Ethernet). The LANs, in turn, can be interconnected with each other using a Wide Area Network (WAN) (e.g. the Internet). A conventional LAN can be deployed using an Ethernet-based infrastructure comprising cables, hubs, switches, and other elements.
Connection ports (e.g. Ethernet ports) can be used to couple multiple computer systems to the LAN. For example, a user can connect to the LAN by physically attaching a computing device (e.g. a laptop, desktop, or handheld computer) to one of the connection ports using physical wires or cables. Other types of computer systems, such as database computers, server computers, routers, and Internet gateways, can be connected to the LAN in a similar manner. Once a system is physically connected to the LAN, a variety of services can be accessed (e.g. file transfer, remote login, email, WWW, database access, and voice over IP).
Using recent (and increasingly popular) wireless technologies, users can now be wirelessly connected to the computer network. Thus, wireless communication can provide wireless access to a LAN in the office, home, public hot-spot, and other geographical locations. The IEEE 802.11 family of standards (WiFi) is a common standard for such wireless communication. In WiFi, the 802.11b standard provides for wireless connectivity at speeds up to 11 Mbps in the 2.4 GHz radio frequency spectrum; the 802.11g standard provides for even faster connectivity at about 54 Mbps in the 2.4 GHz radio frequency spectrum; and the 802.11a standard provides for wireless connectivity at speeds up to 54 Mbps in the 5 GHz radio frequency spectrum.
Advantageously, WiFi can facilitate a quick and effective way of providing a wireless extension to an existing LAN. To provide this wireless extension, one or more WiFi access points (APs) can connect to the connection ports either directly or through intermediate equipment, such as a WiFi switch. After an AP is connected to a connection port, a user can access the LAN using a device (called a station) equipped with a WiFi radio. The station can wirelessly communicate with the AP.
In the past, security of the computer network has focused on controlling access to the physical space where the LAN connection ports are located. The application of wireless communication to computer networking can introduce additional security exposure. Specifically, the radio waves that are integral to wireless communication often cannot be contained in the physical space bounded by physical structures, such as the walls of a building.
Hence, wireless signals often “spill” outside the area of interest. Because of this spillage, unauthorized users, who could be using their stations in a nearby street, parking lot, or building, could wirelessly connect to the AP and thus gain access to the LAN. Consequently, providing conventional security by controlling physical access to the connection ports of the LAN would be inadequate.
To prevent unauthorized access to the LAN over WiFi, the AP can employ certain techniques. For example, in accordance with 802.11, a user is currently requested to carry out an authentication handshake with the AP (or a WiFi switch that resides between the AP and the existing LAN) before being able to connect to the LAN. Examples of such a handshake are Wireless Equivalent Privacy (WEP) based shared key authentication, 802.1x based port access control, and 802.11i based authentication. The AP can provide additional security measures such as encryption and firewalls.
Despite these measures, security risks still exist. For example, an unauthorized AP may connect to the LAN and then, in turn, allow unauthorized users to connect to the LAN. These unauthorized users can thereby access proprietary/trade secret information on computer systems connected to the LAN without the knowledge of the owner of the LAN. Notably, an unauthorized AP can easily masquerade as an authorized AP. That is, an unauthorized AP can advertise the same feature set (e.g. MAC address and other settings) as an authorized AP (a type of security attack generically called “MAC spoofing”), thereby making its detection difficult.
Moreover, even if an unauthorized AP is not LAN-connected, it may still pose a security threat. Specifically, authorized clients in communication with the unauthorized AP may be unwittingly providing proprietary/trade secret information to the unauthorized AP. Therefore, a need arises for a system and technique that improves security for LAN environments.
Prior solutions have attempted to provide mechanisms to detect unauthorized or counterfeit APs. One conventional technique is provided in the IEEE 802.11 wireless LAN standard. According to this technique, the APs are required to advertise an SSID (service set identifier) in their beacon packets. Preferably, the SSID is a string of characters and/or numerals that is not easy to guess and is known only to legitimate wireless devices in a selected communication group (e.g. wireless devices in the office or in the department in the office). The wireless stations receive these beacon packets and analyze them to check if the value contained in the SSID field is the legitimate one. If so, the corresponding AP is regarded as authorized; if not, it is regarded as unauthorized or counterfeit. In a similar manner, other parameters in the beacon packets can also be analyzed (e.g. compared with legitimate values) to detect unauthorized or counterfeit APs. These parameters can include, but are not limited to, source MAC address, BSSID, supported data rates, parameters for the contention and contention-free access to the wireless medium, QoS parameters, security parameters, information elements (IEs), and capability parameters. However, these techniques may not be able to detect MAC spoofing counterfeit APs, as these APs can advertise the exact same feature set as that of authorized APs in their beacon packets.
Another conventional technique to detect unauthorized APs performing MAC spoofing computes the rate of beacon packets (i.e., beacon packets per unit time) transmitted in the wireless medium from a specified MAC address (e.g. as found in the source address or BSSID field of the beacon packet). The computed rate is then compared with the beacon packet rate specified in the beacon packet itself (e.g. in the “beacon interval” field of the beacon packet). If the computed rate is different from the specified rate, MAC spoofing is inferred. There are several limitations of this technique. One limitation is that it requires a significant fraction of the total beacon packets transmitted in the wireless medium from a specified MAC address to be captured by a sensor device used to detect MAC spoofing. Otherwise, the computed beacon packet rate may not accurately reflect the true rate of beacon packets transmitted in the wireless medium. However, the sensor device often scans multiple radio channels, one at a time, and thus can often miss many of the beacon packets transmitted on a specific radio channel. Other limitations of this conventional technique are described in further detail throughout the present specification and more particularly below.
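The beacon-rate comparison described above, together with the channel-scanning limitation, worked through as an added example in Python. This is not the patent's own code: the Beacon record, the 25% tolerance, the constructed BSSID and the sensor dwell schedule (1 s on channel out of every 3 s) are all assumptions made here for illustration; the 1024 µs time unit is the 802.11 definition of the beacon interval field.

```python
"""Beacon-rate check for MAC spoofing, as outlined in the text above.

Constructed example (not the patent's own code): a capture is a list of
Beacon records; the "beacon interval" field is in 802.11 time units (TUs),
where one TU is 1024 microseconds.
"""
from collections import defaultdict
from dataclasses import dataclass

TU_SECONDS = 1024e-6          # one 802.11 time unit


@dataclass(frozen=True)
class Beacon:
    ts: float          # capture timestamp at the sensor, seconds
    bssid: str         # BSSID / source address the beacon claims
    interval_tu: int   # value of the beacon's own "beacon interval" field


def advertised_rate(interval_tu: int) -> float:
    """Beacons per second the AP claims, derived from its beacon interval field."""
    return 1.0 / (interval_tu * TU_SECONDS)


def observed_rate(beacons: list) -> float:
    """Beacons per second actually captured for one BSSID: intervals seen over the capture span."""
    if len(beacons) < 2:
        raise ValueError("need at least two beacons to estimate a rate")
    span = beacons[-1].ts - beacons[0].ts
    return (len(beacons) - 1) / span


def rate_check(beacons: list, tolerance: float = 0.25) -> dict:
    """Compare the observed beacon rate with the advertised one for a single BSSID.

    Returns both rates, their ratio, and a 'mismatch' flag set when the ratio
    strays more than `tolerance` from 1.0 (the tolerance is a constructed
    threshold, not a value from the text).
    """
    beacons = sorted(beacons, key=lambda b: b.ts)
    obs = observed_rate(beacons)
    adv = advertised_rate(beacons[0].interval_tu)
    ratio = obs / adv
    return {"observed": obs, "advertised": adv, "ratio": ratio,
            "mismatch": abs(ratio - 1.0) > tolerance}


def check_capture(capture: list, tolerance: float = 0.25) -> dict:
    """Run rate_check separately for every BSSID seen in a mixed capture."""
    by_bssid = defaultdict(list)
    for b in capture:
        by_bssid[b.bssid].append(b)
    return {bssid: rate_check(bs, tolerance) for bssid, bs in by_bssid.items()}


# --- constructed capture data ---------------------------------------------
def synth_beacons(bssid, interval_tu, count, offset=0.0):
    """Beacons from one radio beaconing exactly on schedule, starting at `offset` seconds."""
    step = interval_tu * TU_SECONDS
    return [Beacon(offset + i * step, bssid, interval_tu) for i in range(count)]


AP = "00:11:22:33:44:55"   # constructed BSSID

# Case 1: a single legitimate AP (100 TU interval), every beacon captured.
LEGIT = synth_beacons(AP, 100, 100)

# Case 2: a second radio advertising the same BSSID and interval, phase-shifted
# by 50 ms. The medium now carries twice the advertised beacon rate.
SPOOFED = sorted(LEGIT + synth_beacons(AP, 100, 100, offset=0.05), key=lambda b: b.ts)

# Case 3: the legitimate AP alone, but the sensor dwells on this channel only
# 1 s out of every 3 s while scanning, so about two thirds of beacons are missed
# and the observed rate drops far below the advertised one.
SCANNING_SENSOR = [b for b in LEGIT if (b.ts % 3.0) < 1.0]


if __name__ == "__main__":
    for name, cap in [("legit", LEGIT), ("spoofed", SPOOFED), ("scanning", SCANNING_SENSOR)]:
        r = check_capture(cap)[AP]
        print(f"{name:9s} observed={r['observed']:.2f}/s advertised={r['advertised']:.2f}/s "
              f"ratio={r['ratio']:.2f} mismatch={r['mismatch']}")
```

The third case is the limitation the text points out: with only 40 of 100 beacons captured, the ratio lands near 0.4 and the check reports a mismatch for a perfectly legitimate AP, so a sensor that hops channels needs either per-dwell rate estimation or a different method.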
Yet another conventional technique to detect MAC spoofing is based on the examination of sequence numbers in the beacon packets. This is much like the conventional technique described by Steven Bellovin of AT&T Labs Research in a paper titled “A Technique for Counting NATed Hosts” at Internet Measurement Workshop (IMW) in November 2002 for counting the number of independent devices contributing to the total observed packet stream. This technique compares the sequence number in the beacon packet captured by a sensor device to the sequence number of the previously captured beacon packet. If the current and the previous sequence numbers are not sequential, MAC spoofing (i.e., presence of multiple independent devices contributing to the total observed beacon packet stream) is inferred. There are several limitations of this technique. One limitation results from the fact that there are often gaps in the sequence numbers in the consecutive beacon packets transmitted by a given AP. This is due to the transmission of data packets (each of which causes the sequence number to be incremented by 1) from the AP between the transmission of successive beacon packets. These gaps in the sequence numbers make the above technique difficult to implement and unreliable. These and other limitations of conventional techniques are described in further detail throughout the present specification and more particularly below.
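The sequence-number comparison described above, worked through as an added example in Python on constructed beacon streams; this is not the patent's own code. The strict check implements the technique as the text describes it and shows the false alerts caused by data frames sent between beacons. The out-of-order variant is an added refinement of my own, not something the text proposes: it tolerates forward gaps and alerts only when the sequence number moves backwards or repeats, using the 12-bit wrap-around of the 802.11 Sequence Control field.

```python
"""Sequence-number checks for MAC spoofing, as outlined in the text above.

Constructed example (not the patent's own code). 802.11 carries a 12-bit
sequence number in the high 12 bits of the 16-bit Sequence Control field
(the low 4 bits are the fragment number), so the counter wraps at 4096.
"""
SEQ_MOD = 4096


def seq_from_seq_ctrl(seq_ctrl: int) -> int:
    """Extract the 12-bit sequence number from a 16-bit Sequence Control field."""
    return (seq_ctrl >> 4) & 0xFFF


def seq_delta(prev: int, cur: int) -> int:
    """Signed distance from prev to cur on the 12-bit ring, in (-2048, 2048]."""
    d = (cur - prev) % SEQ_MOD
    return d - SEQ_MOD if d > SEQ_MOD // 2 else d


def strict_sequential_alerts(seqs: list) -> list:
    """The technique as described in the text: alert at every beacon whose
    sequence number is not exactly the previous one plus one.
    Returns the indices of alerting beacons."""
    return [i for i in range(1, len(seqs)) if seq_delta(seqs[i - 1], seqs[i]) != 1]


def out_of_order_alerts(seqs: list) -> list:
    """Added refinement (an assumption of this example, not from the text):
    tolerate forward gaps caused by data frames sent between beacons and alert
    only when the sequence number moves backwards or repeats. A single
    counter only goes backwards at the 4096 wrap, which seq_delta folds away."""
    return [i for i in range(1, len(seqs)) if seq_delta(seqs[i - 1], seqs[i]) <= 0]


# --- constructed beacon sequence-number streams ---------------------------

# One legitimate AP that also sends data frames between beacons, so consecutive
# beacons show forward gaps (11 -> 15 means three data frames were sent between).
LEGIT_WITH_GAPS = [10, 11, 15, 16, 24, 26]

# The same AP as its counter wraps from 4095 to 0 (one data frame before seq 2).
LEGIT_WRAP = [4094, 4095, 0, 2]


def interleave(a: list, b: list) -> list:
    """Alternate the elements of two equal-length streams."""
    return [x for pair in zip(a, b) for x in pair]


# Two independent radios advertising the same BSSID, each with its own counter,
# as seen by a sensor that happens to capture their beacons alternately.
SPOOFED = interleave([10, 11, 15, 16], [500, 501, 502, 503])


if __name__ == "__main__":
    for name, seqs in [("legit+gaps", LEGIT_WITH_GAPS), ("wrap", LEGIT_WRAP), ("spoofed", SPOOFED)]:
        print(f"{name:11s} strict={strict_sequential_alerts(seqs)} "
              f"out_of_order={out_of_order_alerts(seqs)}")
```

On the legitimate stream the strict check raises three alerts purely from data-frame gaps, which is the unreliability the text describes, while the out-of-order variant stays silent there and still flags the interleaved two-counter stream at every backwards step.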
From the above, techniques for improving security in wireless networks, and in particular the ability to detect MAC spoofing, are highly desired.