Download Enterprise Wireless LAN (WLAN) Management

Enterprise Wireless LAN (WLAN)
Management and Services
Jitu Padhye
(Joint work with Ranveer Chandra, Alec Wolman, Brian
Zill & Victor Bahl)
Wireless Network Woes
• Corporations spend lots of $$ on WLAN infrastructure
– Worldwide enterprise WLAN business expected to grow from $1.1 billion
this year to $3.5 billion in 2009
• Wireless networks perceived to be “flaky”, less secure
– Microsoft’s IT Dept. logs several hundred complaints / month
– Users complain about:
 Lack of coverage, performance, reliability
 Authentication problems (802.1x protocol issues)
– Network administrators worry about
 Providing adequate coverage, performance
 Security and unauthorized access
– DefCon 2005 : WiFi Pistol, WiFi Sniper Rifle, WiFi Bouncing, AirSnarf box
Better WLAN management system needed!
Requirements for a WLAN Management System
Mobile Clients
Integrated location
service
Problems may be
location-specific
Complex signal
propagation in indoor
environment
Many orthogonal
channels
Asymmetric links
Multiple monitors
Dense deployment
Scalable
Self-configuring
Cope with incomplete
data
State of the Art
AP-based monitoring (Aruba, AirDefense, ManageEngine …)
– Pros: Easy to deploy (APs are under central control)
– Cons:
 Can not detect coverage problems using AP-based monitoring
 Single radio APs can not be effective monitors
 Limited coverage even with dual-radio APs
– MS IT currently uses dual-radio APs from Aruba
Specialized sensor boxes (Aruba, AirTight, …)
– Pros: Can provide detailed signal-level analysis
– Cons: Expensive, so can not deploy densely
Monitoring by mobile clients
– Research prototype @ MSR [Adya et. al., MobiCom’04]
– Pros: Inexpensive, suitable for un-managed environments (Ranveer’s talk).
– Cons:
 Coverage not predictable (clients are mobile)
 Lack of density
 Battery power may become an issue
 Only monitor the channel they are connected on
Observations
• Desktop PC’s with good wired connectivity are ubiquitous in
enterprises
+
• Outfitting a desktop PC with 802.11 wireless is inexpensive
– Wireless USB dongles are cheap
 As low as $6.99 at online retailers
– PC motherboards are starting to appear with 802.11 radios built-in
Combine to create a dense deployment of wireless sensors
DAIR: Dense Array of Inexpensive Radios
Details: HotNets’05, MobiSys’06
Key Characteristics of DAIR
• High sensor density at low cost
– Effective monitoring of multiple channels in indoor environments
– Tolerates failure of a few sensors
– Leverages existing desktop resources
• Sensors are stationary
– Provides predictable coverage
– Permits meaningful historical analysis
– Makes it easier to build an integrated location service
 Accuracy improves with sensor density
• Completely self-configuring
– Ease of deployment
DAIR Architecture
AirMonitor
AirMonitor
Commands
Land Monitor
Summarized
Data
Wired Network
Commands
and Database
Queries
Data from
database
Inference
Engine
Data to
inference engine
Summarized data
from Monitors
Database
Other data:
SNMP,
Configuration
Monitor Architecture
Command
Issuer
Command
(Enable/Disable Filter/
Send Packets)
Remote
Object
Heart
Beat
Command Processor
Sender
Packet
Constructor
WiFi Parser
Enable/Disable
Filters
Send Packet
Filter Processor
Filter
Filter
DHCP Parser
Filter
Other Parser
Packet
Enable/Disable
Promiscuous/Logging
Deliver Packets to all the
Registered Filters
Driver Interface
Send Packets/
Query Driver
SQL Client
Dump summarized data
into the SQL Tables
Get Packets/Info
from the Device
Custom Wireless Driver
Summarized
Packet Information
Wired NIC Driver
SQL Server
Managing Existing WiFi Networks using DAIR
Security Applications
– Detect Rogue APs, DoS attacks
 Response:
– Locate AP, Inform netops
– Launch DoS attacks against Rogue APs
Performance management
– Monitor RF coverage: Detect poor coverage, RF holes
 Response:
– Locate region of poor coverage
– Provide temporary coverage until an AP can be installed
– Load balancing: Detect overload, congestion, flash crowd, rate anomaly
 Response:
– DAIR nodes temporarily serve as APs or repeaters
– Reconfigure AP power levels (cell breathing)
Location service to support above applications
Overview of location service
• Distinguishing features:
–
–
–
Self-configuring
Can locate un-cooperative transmitters (e.g. unauthorized APs)
Office-level accuracy
• How it works:
1.
2.
3.
AirMonitors locate themselves
AirMonitors regularly profile the environment to determine radio
propagation characteristics
Inference engine uses profiles and observations from multiple
AirMonitors to locate clients, sources of interference (DoS attack?),
determine regions of poor performance
Example Application: Detecting Rogue AP
Problem:
– Careless employee brings AP from home, attaches it to the corporate network
– Bypasses security measures like 802.1x, allows unauthorized clients to gain access
– Once rogue network is installed, physical proximity is no longer needed
Simple solution: (state of the art)
– Build database of authorized SSIDs (Network Names) and BSSIDs (AP MAC
Addresses)
– Whenever an unknown entity appears (either SSID or BSSID), raise alarm
False positives:
– Reason: Shared office building
– Solution: determine whether suspect AP is connected to corporate wired network
 Array of tests: association test, src/dst address test, replay test
False negatives:
– Reason: Malicious user configures rogue AP with valid SSID/BSSID
– Solution: use location and breaks in packet sequence numbers to disambiguate
Current deployment
• Testbed: 40 nodes on one floor
– Operational since Nov’05
• NetGear USB Wireless Adapter
– Custom driver
• Database server: MS SQL 2005 on 1.7GHz P4 with 1GB RAM
• Inference engine server: 2GHz P4 with 512MB RAM
• Nodes submit summary data every 2 minutes (randomized)
• Inference engines query data every 1-3 minutes
System Scalability
• Load on database server < 75%
• Additional load on desktops < 2-3%
• Wired network traffic per node < 5Kbps
One database server per building should be sufficient.
Backup slides
Demo …..
1. Rogue AP detection and location
2. DoS attack (Disassociation attack) detection and location
3. Location-aware client performance monitoring
See 2 & 3 during break after the talk
How do AirMonitors locate themselves?
• Monitor machine activity to determine primary user
• Look up ActiveDirectory to determine office number
• Parse office map to determine coordinates of the office
• Verify and adjust coordinates by observing which
AirMonitors are nearby
Profiling the Environment to build a Radio Map
Each AirMonitor periodically transmits beacons
–
•
•
•
Repeat for various channels, power levels, various times of day
Other AirMonitors record signal strength
Inference engine fits curve(s) to collected observations
The curve is a compact and approximate representation of the radio
propagation characteristics of the environment
60
y = -1.4 x + 35.7
Normalized Signal Strength
•
50
y = 60*e-0.11x
40
802.11a (5GHz)
Normal office hours
3rd floor of building 112
30
20
33 AirMonitors
10
0
0
10
20
Distance
30
40
Determining location of clients (any “transmitter”)
• AirMonitors capture packets from the client, report
observed signal strength of database
• Inference engine:
1.
2.
Selects appropriate profile (frequency, time of day)
Locates client using the observations from AirMonitors and the
profile
–
Spring-and-ball algorithm for fast convergence