Organizations incorporate wireless local area networks (WLANs) to provide wireless access to a wired local area network (LAN) for desktop and laptop personal computers, personal digital assistants (PDAs), and other fixed or mobile computing devices. WLANs typically include wireless access points that provide wireless coverage over a defined area, according to the radio characteristics of the access point. They also provide connectivity to a wired LAN. Computing devices such as laptops, desktop computers, personal digital assistants, transactional terminals and similar devices gain access to the WLAN via a network interface, typically a network interface card (NIC). Access points usually provide security features and recognition between the wireless infrastructure and computing devices, and recognize authorized users by association, authorization and authentication. The access points often work in cooperation with a server application on the wired LAN to manage the network login process using a login/password mechanism. Commonly used WLAN technologies include IEEE 802.11b (Wi-Fi), IEEE 802.11a (Wi-Fi5), and IEEE 802.11 g. Other WLAN technologies known to those skilled in the art can also be used.
WLANs provide many advantages to network users and administrators. Users of wireless devices may move about within the effective radio range of the associated access point without loss of service. If the WLAN supports seamless roaming, the users may move from one access point radio area to an adjacent access point radio area without loss of service. For example, a laptop user may be able to move from an office to a conference room without loss of service and without reconfiguring the network. Depending on the WLAN design, users may also be able to move from inside to outside the building without loss of service. This may be by design or by an unwanted radio feature of the access points.
WLANs provide many conveniences for network users, but they also present some security risks and issues. For example, unauthorized or “rogue” access points may be installed by either a friendly or a malicious person. The installation of such device is a security risk because it is unknown to and unmanaged by the network's Information Technology (IT) staff. For example, the risks include unauthorized persons having access to the wired LAN with little or no wireless security, even if the organization normally uses WLANs associated with their wired LANs. This may result in exposure, modification, or destruction of organizational data, including private, proprietary, and personal information. Exposing this data can be the friendly or malicious intent of the person introducing the rogue access points, but may also expose the data to some other, unintended person. An example of “friendly” intent is an employee who desires the conveniences of a WLAN but is frustrated with the company's slowness in adopting WLAN technology and therefore installs his own inexpensive access point.
Another problem confronting information technology professionals operating LAN systems is the appearance of an unauthorized or “impersonating” access point, whose purpose is to impersonate the managed WLAN infrastructure to capture security information from unsuspecting, authorized users. This impersonating AP may reside, for example, in an organization's building, attached to the wired LAN, or outside the building. An unsuspecting user's wireless device may find and attempt to associate with the unauthorized access point, which logs into the organization's wireless LAN, thereby revealing security codes, security procedures, and similar information to the owner of the unauthorized access point. The owner can use this information, for example, to gain unauthorized access to the managed wireless LAN (“hacking”) and thereby to the wired LAN, resulting in the exposure, modification, or destruction of organizational data, including private, proprietary, and personal information.
Another problem confronting the IT professional is the unauthorized use of wireless LAN clients to defeat the security measures of a wired network (“hacking” or “war driving”). Such use of wireless clients is becoming more common and has been included as standard software in some personal computers, including laptops and other portable computers. Yet another problem is that many wireless LAN devices are configured to operate in a peer-to-peer mode and create an unauthorized point-to-point wireless connection between two devices, for example, between two computers or between a networked computer and a wireless personal digital assistant (PDA).
These examples show the type of risks confronted by IT professionals and those working in the wireless LAN and network security area. These unauthorized access points and wireless devices present security risk for the administrators and owners of associated wired LANs, and in some cases, even non-networked computers unauthorized access points or wireless devices are part of wireless peer-to-peer networks.
One prior art proposal currently used to limit these security risks is manual tracking. In this method, network administrators survey the known, authorized wireless devices in the network and make periodic, manual searches for unauthorized devices using portable wireless clients or access points. This method is ineffective, however, for large organizations because it is limited by the capabilities of the wireless clients or access points used in the search, including range, frequency coverage, and reporting capabilities.
Another currently used proposal used to limit network security risks is the use of access points or other monitoring devices as permanent monitoring stations positioned throughout the coverage area, or the use of such devices in conjunction with a wireless LAN management system. These devices have many limitations, including a limited ability to detect equipment from other vendors, a limited detection range, a limited ability to detect unauthorized devices that are fire-walled or have their “beacons” turned off, and a requirement to support additional management systems for the sole purpose of monitoring the wireless LAN.
Similar proposals are disclosed in published PCT patent applications WO 03/085544; WO 03/075021; WO 03/079708; WO 03/084255; WO 03/088687; WO 03/088547; and WO 03/100559.
In WO 03/085544, an unauthorized station is detected by transmitting over the WLAN from a station a network probe request frame. The probe request frame is received at a detector and analyzed to determine if the station that transmitted the probe request frame is an unauthorized station. This frame is received at an access point and a probe response frame is sent from this access point. The probe request frame typically has a service set identification address (“SSID”), and is analyzed by examining the probe request frame to determine if the length of the SSID is zero. The probe request frame is also analyzed to determine if the probe request frame only has an SSID information element field. A determination can be made if the station that transmitted the probe request frame fails to proceed with authentication or authorization in response to the probe response frame.
A wireless local area network (WLAN) is monitored using the system disclosed in WO 03/088547, by receiving transmissions exchanged between one or more stations and an access point using a detector. A database is compiled based on the received transmissions, which are analyzed to determine the state of the station. The compiled database and the determined state of the station are used to diagnose connectivity problems of the station. A Medium Access Control (MAC) adjusts so the station can be obtained and the transmission received using the detector. The transmission includes a source access and a destination address. These are determined if they are MAC addresses of the station. Other details of monitoring and measuring transmissions from a station to an access point for detecting a hidden node are set forth in the other published PCT patent applications.
Even with the many existing proposals, there is still a need for improved systems, devices and methods to detect the presence of unauthorized access points and wireless devices in the LAN systems as described above.