The present invention relates generally to wireless computer networking techniques. More particularly, the invention provides a method and a system for providing wireless vulnerability management for local area computer networks according to a specific embodiment. Merely by way of example, the invention has been applied to a computer networking environment based upon the IEEE 802.11 family of standards, commonly called “WiFi.” But it would be recognized that the invention has a much broader range of applicability. For example, the invention can be applied to Ultra Wide Band (“UWB”), IEEE 802.16 commonly known as “WiMAX”, Bluetooth, and others.
Computer systems proliferated from academic and specialized science applications to day to day business, commerce, information distribution, and home applications. Such systems include personal computers, which are often called “PCs” for short, to large mainframe and server class computers. Powerful mainframe and server class computers run specialized applications for banks, small and large companies, e-commerce vendors, and governments. Smaller personal computers can be found in many if not all offices, homes, and even local coffee shops. These computers interconnect with each other through computer communication networks based on packet switching technology such as the Internet protocol (IP). The computer systems located within a specific local geographic region such as office, home, retail outlet, or other indoor and outdoor premises interconnect using a Local Area Network, commonly called, LAN. Ethernet is by far the most popular networking technology for LANs. The LANs interconnect with each other using a Wide Area Network called “WAN” such as the famous Internet. The LANs are typically coupled to the Internet through firewalls. The LANs are typically considered as private networks, while the Internet is considered as a public network. Although much progress occurred with computers and networking, we now face a variety of security threats on many computing environments from the hackers connecting to the computer network in an unauthorized fashion. The application of wireless communication to computer networking further accentuates these threats.
As merely an example, the conventional LAN is usually deployed using an Ethernet based infrastructure comprising cables, hubs switches, and other elements. A number of connection ports (e.g., Ethernet ports) are used to couple various computer systems to the LAN. A user can connect to the LAN by physically attaching a computing device such as laptop, desktop or handheld computer to one of the connection ports using physical wires or cables. Other computer systems such as database computers, server computers, routers and Internet gateways also connect to the LAN to provide specific functionalities and services. Once physically connected to the LAN, the user often accesses a variety of services such as file transfer, remote login, email, word wide web, database access, and voice over IP. Security of the LAN often occurs by controlling access to the physical space where the LAN connection ports are located.
Although conventional wired networks using Ethernet technology proliferated, wireless communication technologies are increasing in popularity. That is, wireless communication technologies wirelessly connect users to the computer communication networks. A typical application of these technologies provides wireless access to the local area network in the office, home, public hot-spots, and other geographical locations. As merely an example, the IEEE 802.11 family of standards, commonly called WiFi, is the common standard for such wireless application. Among WiFi, the 802.11b standard-based WiFi often operates at 2.4 GHz unlicensed radio frequency spectrum and can offer wireless connectivity at speeds up to 11 Mbps. The 802.11g compliant WiFi can offer even faster connectivity up to 54 Mbps and can operate at 2.4 GHz unlicensed radio frequency spectrum. The 802.11a can provide speeds up to 54 Mbps operating in the 5 GHz unlicensed radio frequency spectrum. The 802.11n can provide speeds up to 600 Mbps using techniques such as channel bonding and MIMO (multiple input multiple output). The WiFi enables a quick and effective way of providing wireless extension to the conventional wired LAN.
In order to provide wireless extension of the LAN using WiFi, one or more WiFi access points (APs) connect to the LAN connection ports either directly or through intermediate equipment such as WiFi switch. A user now wirelessly connects to the LAN using a device equipped with WiFi radio, commonly called wireless station, wireless client, or simply station or client, which communicates with the AP. The connection is free from cable and other physical encumbrances and allows the user to “Surf the Web”, check e-mail or use enterprise computer applications in an easy and efficient manner. Unfortunately, certain limitations still exist with WiFi. That is, the radio waves often cannot be contained in the physical space bounded by physical structures such as the walls of a building. Hence, wireless signals often spill outside the area of interest. Unauthorized users can wirelessly connect to the AP and hence gain access to the LAN from the spillage areas such as the street, parking lot, and neighbor's premises. Consequently, the conventional security measure of controlling access to the physical space where the LAN connection ports are located is now inadequate.
In order to prevent unauthorized access to the LAN over WiFi, the AP can employ certain techniques. For example, the user is required to carry out authentication handshake with the AP (or a WiFi switch that resides between the AP and the LAN) before being able to connect to the LAN. Examples of such handshake are Wireless Equivalent Privacy (WEP) based shared key authentication, 802.1x based port access control, 802.11i based authentication etc. The AP can provide additional security measures such as encryption, firewall, and station MAC address based access control. Other techniques also exist to enhance security of the LAN over WiFi.
Despite these measures, many limitations still exist with WiFi. Hackers are increasingly exploiting these limitations as a way to attack the LANs of the organizations. As merely an example, as recently reported in the Wall Street Journal (see “Breaking The Code: How Credit-Card Data Went Out Wireless Door”, The Wall Street Journal, May 4, 2007), wireless communications were used to steal 45.7 million credit and debit card numbers from the LAN of the TJX Cos. of Framingham, Mass. It is also reported that the TJX's breach-related bill could surpass $1 billion over five years. As another example, the organizations often fail security audits on grounds of wireless vulnerabilities. Many of these organizations are also required to be compliant with regulatory standards such as PCI-DSS (Payment Card Industry Data Security Standard), HIPAA (Healthcare Insurance Portability and Accountability Act) etc. Failure of security audits can attract monetary and statutory penalties.
Appropriate security mechanisms are thus needed to protect the LAN resources from wireless intruders. Accordingly, techniques for improving security for local area network environments are highly desirable.