1 DAIR: Dense Array of Inexpensive Radios Managing Enterprise Wireless Networks Using Desktop Infrastructure Victor Bahl † , Jitendra Padhye † , Lenin Ravnindranath † , Manpreet Singh ‡ , Alec Wolman † , Brian Zill † † Microsoft Research ‡ Cornell University
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
DAIR: Dense Array of Inexpensive Radios
Managing Enterprise Wireless Networks Using Desktop Infrastructure
Victor Bahl†, Jitendra Padhye†, Lenin Ravnindranath†, Manpreet Singh‡,
Alec Wolman†, Brian Zill†
† Microsoft Research ‡ Cornell University
2
Observations
• Outfitting a desktop PC with 802.11 wireless is becoming very inexpensive– Wireless USB dongles are cheap
– PC motherboards are starting toappear with 802.11 radios built-in
• Desktop PC’s with good wired connectivity are ubiquitous in enterprises
$6.99!
3
Key Insight
• Combine to provide a dense deployment of wireless “sensors”
• We can use this platform to realize the full potential of wireless networks– Enterprise wireless management tools– Enable new services where wireless is a key
component
4
The DAIR Platform
Wireless management tools
– Improve security
– Reduce IT ops costs
– Increase “quality of service”
New applications and services
– Location services
– Seamless roaming
– Alternative data distribution channel
5
Outline
• Motivation
• DAIR architecture
• Management apps (& Rogue networks)
• Related work
6
Enterprise WLAN Management
• Corporations spend a lot on WLAN infrastructure– Worldwide enterprise WLAN business expected to
grow from $1.1 billion this year to $3.5 billion in 2009– MS IT dept. – 72% of costs are people
• Security and reliability are major concerns– Wireless networks are becoming a target for hackers
– Reliability: • MS IT receives ~500 WLAN helpdesk requests per month• No easy way to measure cost of reliability problems
7
Advantages of the DAIR Approach
– High density• Wireless propagation is highly variable in enterprise
environments (many obstructions)• Lots of channels to cover: 11 for 802.11b/g, 13 for 802.11a • Improves fidelity of many management tasks• Enables accurate location (useful as a diagnosis tool)
– Stationary sensing• Provides predictable coverage• Also helps enable location services• Allows meaningful historical analysis
– Desktop resources • Spare CPU, disk, and memory• Good connectivity to wired network• Wall power
8
Outline
• Motivation
• DAIR architecture
• Management apps (& Rogue networks)
• Related work
9
DAIR Architecture
Air Monitor
Inference Engine
Land Monitors
Database
USB Dongle
Air Monitors
Commands and Database Queries
Air Monitor
USB Dongle
CommandsSummarized
Data
Summarized Data From Monitors
Data to Inference Engine
Data from database
Wired Network
10
Command Processor
Filter Processor
Driver Interface
Filter
WiFi Parser
SQL Client
Remote Object
Command (Enable/Disable Filter/
Send Packets)Heart Beat
CommandIssuer
Custom Wireless Driver SQL Server
Deliver Packets to all the Registered Filters
Enable/Disable Filters
Enable/Disable Promiscuous/Logging
Summarized Packet Information
Dump summarized data into the SQL Tables
Get Packets/Info from the Device
Send Packets/Query Driver
Monitor Architecture
DHCP Parser
Other Parser
Wired NIC Driver
FilterFilter
Sender
Packet
Packet Constructor
Send Packet
11
Outline
• Motivation
• DAIR architecture
• Management apps (& Rogue networks)
• Related work
12
Wireless Management Apps
Performance and Reliability• Performance monitoring
– Site planning: AP placement, frequency selection
– AP Load balancing– Isolating performance problems
• Helping disconnected clients– RF Holes– Misconfiguration, certificates, etc…
• Reliability– Recovery from malfunctioning APs– Recovery from poor association policies
13
Wireless Management: Security Apps
• Detecting DoS attacks:– Spoofing Disassociation– Large NAV values– Jamming
• Detecting Rogue Wireless Networks
14
Rogue Wireless Networks
• Detecting rogue APs and rogue ad-hoc networks
• An uninformed or careless employee who doesn’t understand (or chooses not to think about) the security implications
– An employee brings in an AP from home, and attaches it to the corporate network, creating a rogue AP
– It is trivial to configure a desktop PC with a wireless interface to create a rogue ad-hoc network
15
Risks
• Attaching unauthorized AP to a corporate network– May allow unauthorized wireless clients to gain
access
• A wireless client unknowingly connects to unauthorized AP on unauthorized network– May expose corporate information on that network
• Once rogue network is installed, physical proximity is no longer needed (esp. with directional antennas)…
16
A Simple Solution?
• Build a database of known:– SSIDs (network names) – BSSIDs (access point MAC addresses)
• Use DAIR infrastructure to scan– Whenever an unknown entity appears (either
SSID or BSSID), raise an alarm
• This is the level at which most previous work solves this problem
17
False Alarms
• In many enterprise environments, one can hear other legitimate APs– E.g. shared office buildings
• Is the unknown wireless network connected to your corporate wired network?
18
Testing for Wired Connectivity
• Association test– Associate with suspect AP, contact wired node
• Mac address tests:– First-hop router test
• Wireless “DEST” = known router on wired network
– ARP test• Wireless “DEST” = known entity on local subnet
• DHCP signature test– For wireless routers: Identify device type through DHCP options
• Packet correlation test– Use timing and packet lengths to see traffic on both wired/wireless
• Replay test
19
First-Hop Router Test
Land Monitor Air Monitor
Subnet RouterDatabase
Land Monitor discovers MAC addresses of all subnet routers, submits results to the database
Client
AirMonitor overhears a client communicating with an unknown access point
Access Point
?
20
First-Hop Router Test
Unencrypted Header Encrypted Payload
Receiver Transmitter Destination
Access Point Client Subnet Router
802.11 Frame (with encryption):
MAC Addresses:
21
Outline
• Motivation
• DAIR architecture
• Management apps (& Rogue networks)
• Related work
22
Current Approaches & Related Research
• Many commercial offerings in this space
• Leverage existing access points (APs)– AirWave, ManageEngine, …– AP’s primary goal is to provide service to clients,
limited time listening on other channels
• Specialized sensors– Aruba (MS IT choice), AirDefense, AirTight …– Expensive limited density
• [Adya et al. Mobicom 04] – use assistance of mobile clients– Difficult to provide predictable coverage– Less proactive due to energy constraints
• Other wireless monitoring
23
Wrapping Up…– Status
• Built much of the “plumbing”: AirMonitors, Inferencing Service, Management Console (GUI)
• Built set of wireless security apps, ongoing evaluation• Deployed ~22 AirMonitors on one floor of our building
– Next 6 months:• Performance & reliability apps• Provide location services• Larger scale deployment
– Longer Term: going beyond management tools• Seamless roaming• Self-configuring complete replacement for existing
wireless infrastructure
24
Backup Slides
25
Doesn’t IPsec/VPN just solve the rogue AP problem?
• It certainly helps, but…– Doesn’t address the bootstrapping problem– Doesn’t address the AP impersonation scenario– Not all corps use IPsec and/or VPNs to secure
wireless– IPsec difficult to deploy in multi-vendor installations
– Multiple levels of security
26
Association Test
• One Air Monitor attempts to associate with suspect AP– If this step succeeds, the Air Monitor makes a
TCP connection to a well known entity on CorpNet (e.g. http://hrweb at Microsoft)
– Test fails if AP is not “open”• Mac Address filtering, WEP, WPA, 802.1x, etc…
27
Details of 1st Hop Router Test
• With encryption and/or MAC filtering, the 802.11 MAC addresses may still tell us something – MAC addresses are not encrypted– AP acts as an Ethernet bridge
• Suppose we can see an associated client using the suspect AP– If the client is communicating off the local subnet,
then the destinaiton MAC on the air = the MAC address of the 1st Hop router
– ARP test handles the case where the wired communication endpoint is on the local subnet
28
Details of DHCP Signature Test
• Wireless router != Wireless AP– MAC addresses seen on the air will not match those on the wire
• A router needs to get a wired IP address• DHCP requests are easy to observe
– Sent to the IP broadcast address
• DHCP protocol has many options• Can create device type signatures:
– Typical DHCP request from Windows looks very different from a wireless router
– Initial results look good: tested these techniques on 3 major brands of wireless routers: NetGear, D-Link, and ZyWall
– At IETF, observed many types of end hosts (Windows, Apple, Linux)
Related Documents
