Enterprise Wireless LAN (WLAN) Management and Services Jitu Padhye (Joint work with Ranveer Chandra, Alec Wolman, Brian Zill & Victor Bahl)


Mar 26, 2015



Dominic Parker
Slide 1
Enterprise Wireless LAN (WLAN) Management and Services
Jitu Padhye (Joint work with Ranveer Chandra, Alec Wolman, Brian Zill & Victor Bahl)

Slide 2: Wireless Network Woes
  • Corporations spend lots of $$ on WLAN infrastructure
      • Worldwide enterprise WLAN business expected to grow from $1.1 billion this year to $3.5 billion in 2009
  • Wireless networks perceived to be flaky, less secure
      • Microsoft's IT Dept. logs several hundred complaints / month
  • Users complain about:
      • Lack of coverage, performance, reliability
      • Authentication problems (802.1x protocol issues)
  • Network administrators worry about:
      • Providing adequate coverage, performance
      • Security and unauthorized access
      • DefCon 2005: WiFi Pistol, WiFi Sniper Rifle, WiFi Bouncing, AirSnarf box
  • Better WLAN management system needed!

Slide 3: Requirements for a WLAN Management System
  • Integrated location service
  • Complex signal propagation in indoor environment
  • Many orthogonal channels
  • Asymmetric links
  • Multiple monitors
  • Dense deployment
  • Mobile clients
  • Problems may be location-specific
  • Cope with incomplete data
  • Scalable
  • Self-configuring

Slide 4: State of the Art
  • AP-based monitoring (Aruba, AirDefense, ManageEngine, ...)
      • Pros: Easy to deploy (APs are under central control)
      • Cons: Cannot detect coverage problems using AP-based monitoring
      • Single-radio APs cannot be effective monitors
      • Limited coverage even with dual-radio APs
      • MS IT currently uses dual-radio APs from Aruba
  • Specialized sensor boxes (Aruba, AirTight, ...)
      • Pros: Can provide detailed signal-level analysis
      • Cons: Expensive, so cannot deploy densely
  • Monitoring by mobile clients
      • Research prototype @ MSR [Adya et al., MobiCom '04]
      • Pros: Inexpensive, suitable for un-managed environments (Ranveer's talk)
      • Cons: Coverage not predictable (clients are mobile)
      • Lack of density
      • Battery power may become an issue
      • Only monitor the channel they are connected on

Slide 5: Observations
  • Desktop PCs with good wired connectivity are ubiquitous in enterprises
  • Outfitting a desktop PC with 802.11 wireless is inexpensive
      • Wireless USB dongles are cheap: as low as $6.99 at online retailers
      • PC motherboards are starting to appear with 802.11 radios built in
  • Combine to create a dense deployment of wireless sensors
  • DAIR: Dense Array of Inexpensive Radios
  • Details: HotNets '05, MobiSys '06

Slide 6: Key Characteristics of DAIR
  • High sensor density at low cost
      • Effective monitoring of multiple channels in indoor environments
      • Tolerates failure of a few sensors
      • Leverages existing desktop resources
  • Sensors are stationary
      • Provides predictable coverage
      • Permits meaningful historical analysis
      • Makes it easier to build an integrated location service
      • Accuracy improves with sensor density
  • Completely self-configuring
      • Ease of deployment

Slide 7: DAIR Architecture
[Architecture diagram. Components: AirMonitors, Land Monitor, Database, Inference Engine, wired network. Labelled flows: commands; summarized data from monitors; commands and database queries; data from database; data to inference engine; other data (SNMP, configuration).]

Slide 8: Monitor Architecture

Slide 9: Managing Existing WiFi Networks using DAIR
  • Security applications
      • Detect rogue APs, DoS attacks
      • Response: Locate AP, inform netops
      • Launch DoS attacks against rogue APs
  • Performance management
      • Monitor RF coverage: Detect poor coverage, RF holes
      • Response: Locate region of poor coverage
      • Provide temporary coverage until an AP can be installed
      • Load balancing: Detect overload, congestion, flash crowd, rate anomaly
      • Response: DAIR nodes temporarily serve as APs or repeaters
      • Reconfigure AP power levels (cell breathing)
  • Location service to support above applications

Slide 10: Overview of location service
  • Distinguishing features:
      • Self-configuring
      • Can locate un-cooperative transmitters (e.g. unauthorized APs)
      • Office-level accuracy
  • How it works:
      1. AirMonitors locate themselves
      2. AirMonitors regularly profile the environment to determine radio propagation characteristics
      3. Inference engine uses profiles and observations from multiple AirMonitors to locate clients, sources of interference (DoS attack?), determine regions of poor performance

Slide 11: Example Application: Detecting Rogue AP
  • Problem:
      • Careless employee brings AP from home, attaches it to the corporate network
      • Bypasses security measures like 802.1x, allows unauthorized clients to gain access
      • Once rogue network is installed, physical proximity is no longer needed
  • Simple solution (state of the art):
      • Build database of authorized SSIDs (network names) and BSSIDs (AP MAC addresses)
      • Whenever an unknown entity appears (either SSID or BSSID), raise alarm
  • False positives:
      • Reason: Shared office building
      • Solution: Determine whether suspect AP is connected to corporate wired network
      • Array of tests: association test, src/dst address test, replay test
  • False negatives:
      • Reason: Malicious user configures rogue AP with valid SSID/BSSID
      • Solution: Use location and breaks in packet sequence numbers to disambiguate

Slide 12: Current deployment
  • Testbed: 40 nodes on one floor
      • Operational since Nov '05
      • NetGear USB wireless adapter
      • Custom driver
  • Database server: MS SQL 2005 on 1.7 GHz P4 with 1 GB RAM
  • Inference engine server: 2 GHz P4 with 512 MB RAM
  • Nodes submit summary data every 2 minutes (randomized)
  • Inference engines query data every 1-3 minutes

Slide 13: System Scalability
  • Load on database server < 75%
  • Additional load on desktops < 2-3%
  • Wired network traffic per node < 5 Kbps
  • One database server per building should be sufficient.

Slide 14

Slide 15: Backup slides

Slide 16: Demo ...
  1. Rogue AP detection and location
  2. DoS attack (disassociation attack) detection and location
  3. Location-aware client performance monitoring
  • See 2 & 3 during break after the talk

Slide 17: How do AirMonitors locate themselves?
  • Monitor machine activity to determine primary user
  • Look up Active Directory to determine office number
  • Parse office map to determine coordinates of the office
  • Verify and adjust coordinates by observing which AirMonitors are nearby

Slide 18: Profiling the Environment to build a Radio Map
  • Each AirMonitor periodically transmits beacons
      • Repeat for various channels, power levels, various times of day
  • Other AirMonitors record signal strength
  • Inference engine fits curve(s) to collected observations
      • The curve is a compact and approximate representation of the radio propagation characteristics of the environment
  • [Figure: 802.11a (5 GHz), normal office hours, 3rd floor of building 112, 33 AirMonitors]

Slide 19: Determining location of clients (any transmitter)
  • AirMonitors capture packets from the client, report observed signal strength to database
  • Inference engine:
      1. Selects appropriate profile (frequency, time of day)
      2. Locates client using the observations from AirMonitors and the profile
  • Spring-and-ball algorithm for fast convergence
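
Added example (not from the original slides or the DAIR code): the rogue AP checks of Slide 11 in Python, combining the SSID/BSSID allowlist with detection of breaks in 802.11 sequence numbers, which appear when a second transmitter reuses a valid SSID/BSSID. The frames, addresses, thresholds, verdict labels and the name classify are constructed assumptions.

```python
SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits and wrap to 0
MAX_GAP = 64     # assumed tolerance for frames the monitors did not hear
MIN_BREAKS = 2   # assumed: a single break may just be an AP restart

AUTHORIZED = {("CORP-WLAN", "00:11:22:33:44:55")}  # (SSID, BSSID) allowlist

# Constructed AirMonitor reports in arrival order: (monitor, ssid, bssid, seq)
FRAMES = [
    ("am1", "CORP-WLAN", "00:11:22:33:44:55", 4090),
    ("am1", "CORP-WLAN", "00:11:22:33:44:55", 4093),
    ("am2", "CORP-WLAN", "00:11:22:33:44:55", 2),     # wrap past 4095: normal
    ("am7", "CORP-WLAN", "00:11:22:33:44:55", 1500),  # second counter appears
    ("am1", "CORP-WLAN", "00:11:22:33:44:55", 5),
    ("am7", "CORP-WLAN", "00:11:22:33:44:55", 1502),
    ("am3", "linksys", "66:77:88:99:aa:bb", 10),      # not in the allowlist
]

def classify(frames, authorized):
    """Return {bssid: "ok" | "unknown" | "suspect"} for frames in arrival order."""
    last_seq, breaks, verdict = {}, {}, {}
    for _monitor, ssid, bssid, seq in frames:
        if (ssid, bssid) not in authorized:
            # May be a neighbour's AP in a shared building: the wired-side
            # tests from the slide decide whether it is on the corporate LAN.
            verdict[bssid] = "unknown"
            continue
        verdict.setdefault(bssid, "ok")
        if bssid in last_seq:
            # Forward distance modulo 4096; one transmitter only moves ahead
            # in small steps, two interleaved transmitters jump back and forth.
            gap = (seq - last_seq[bssid]) % SEQ_MOD
            if gap > MAX_GAP:
                breaks[bssid] = breaks.get(bssid, 0) + 1
        last_seq[bssid] = seq
        if breaks.get(bssid, 0) >= MIN_BREAKS:
            # Valid SSID/BSSID but two sequence streams: compare the
            # locations of the reporting monitors to find the impostor.
            verdict[bssid] = "suspect"
    return verdict

if __name__ == "__main__":
    for bssid, result in classify(FRAMES, AUTHORIZED).items():
        print(bssid, result)
```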
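
Added example (not from the original slides or the DAIR code): the profile-then-locate procedure of Slides 18 and 19 in Python. It assumes the fitted curve is a log-distance model, rssi = a + b*log10(distance), and uses a plain grid search in place of the spring-and-ball algorithm the slides name; monitor positions, samples and readings are constructed.

```python
import math

# Constructed AirMonitor positions in metres (hypothetical floor plan).
MONITORS = {"am1": (0.0, 0.0), "am2": (20.0, 0.0),
            "am3": (0.0, 15.0), "am4": (20.0, 15.0)}
# Constructed profiling data: (distance in m, RSSI in dBm) between AirMonitors.
PROFILE_SAMPLES = [(5, -61.0), (10, -70.0), (15, -75.3), (20, -79.0), (25, -81.9)]
# Constructed RSSI reports for one unknown transmitter, keyed by AirMonitor.
OBSERVED = {"am1": -73.8, "am2": -70.0, "am3": -75.3, "am4": -72.4}

def fit_profile(samples):
    """Least-squares fit of rssi = a + b*log10(distance); returns (a, b)."""
    xs = [math.log10(d) for d, _ in samples]
    ys = [rssi for _, rssi in samples]
    mean_x, mean_y = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sxx = sum((x - mean_x) ** 2 for x in xs)
    b = sxy / sxx
    return mean_y - b * mean_x, b

def locate(observed, profile, monitors=MONITORS, step=0.5, size=(20.0, 15.0)):
    """Grid search for the point whose predicted RSSI best fits the reports."""
    a, b = profile
    best, best_err = None, float("inf")
    for i in range(int(size[0] / step) + 1):
        for j in range(int(size[1] / step) + 1):
            x, y = i * step, j * step
            err = 0.0
            for name, rssi in observed.items():
                mx, my = monitors[name]
                dist = max(math.hypot(x - mx, y - my), 0.1)  # avoid log10(0)
                err += (rssi - (a + b * math.log10(dist))) ** 2
            if err < best_err:
                best, best_err = (x, y), err
    return best

if __name__ == "__main__":
    profile = fit_profile(PROFILE_SAMPLES)
    print("profile (a, b):", profile)
    print("estimated position:", locate(OBSERVED, profile))
```

The transmitter does not need to cooperate: only the signal strength each stationary monitor hears is used, which is why the same procedure applies to an unauthorized AP.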