Transcript ppt

DAIR: Dense Array of Inexpensive Radios
Managing Enterprise Wireless Networks Using Desktop Infrastructure
Victor Bahl†, Jitendra Padhye†, Lenin Ravindranath†, Manpreet Singh‡, Alec Wolman†, Brian Zill†
† Microsoft Research
‡ Cornell University
1
Observations
• Outfitting a desktop PC with 802.11 wireless is becoming very inexpensive
– Wireless USB dongles are cheap ($6.99!)
– PC motherboards are starting to appear with 802.11 radios built-in
• Desktop PCs with good wired connectivity are ubiquitous in enterprises
2
Key Insight
• Combine the two to provide a dense deployment of wireless “sensors”
• We can use this platform to realize the full potential of wireless networks
– Enterprise wireless management tools
– Enable new services where wireless is a key component
3
The DAIR Platform
Wireless management tools / New applications and services:
– Improve security
– Location services
– Reduce IT ops costs
– Seamless roaming
– Increase “quality of service”
– Alternative data distribution channel
4
Outline
• Motivation
• DAIR architecture
• Management apps (& Rogue networks)
• Related work
5
Enterprise WLAN Management
• Corporations spend a lot on WLAN infrastructure
– Worldwide enterprise WLAN business expected to grow from $1.1 billion this year to $3.5 billion in 2009
– MS IT dept.: 72% of costs are people
• Security and reliability are major concerns
– Wireless networks are becoming a target for hackers
– Reliability:
• MS IT receives ~500 WLAN helpdesk requests per month
• No easy way to measure the cost of reliability problems
6
Advantages of the DAIR Approach
– High density
• Wireless propagation is highly variable in enterprise environments (many obstructions)
• Lots of channels to cover: 11 for 802.11b/g, 13 for 802.11a
• Improves fidelity of many management tasks
• Enables accurate location (useful as a diagnosis tool)
– Stationary sensing
• Provides predictable coverage
• Also helps enable location services
• Allows meaningful historical analysis
– Desktop resources
• Spare CPU, disk, and memory
• Good connectivity to the wired network
• Wall power
7
DAIR Architecture
[Diagram: desktop PCs with USB dongles act as Air Monitors; Land Monitors watch the wired network. Both send summarized data over the wired network to a Database. An Inference Engine issues commands and database queries to the monitors and receives data from the database.]
9
Monitor Architecture
[Diagram of a single monitor: a Command Issuer (remote object, with heartbeat) sends commands (enable/disable filter, send packets) to the Command Processor, which holds a Sender and a Packet Constructor. The Filter Processor delivers packets to all registered filters (WiFi parser, DHCP parser, other parsers) and can enable/disable promiscuous mode and logging. The Driver Interface sends packets to and queries the custom wireless driver, and gets packets and info from the device. Summarized packet information is dumped by the SQL Client, via the wired NIC driver, into tables on the SQL Server.]
10
Wireless Management Apps
Performance and Reliability
• Performance monitoring
– Site planning: AP placement, frequency selection
– AP Load balancing
– Isolating performance problems
• Helping disconnected clients
– RF Holes
– Misconfiguration, certificates, etc…
• Reliability
– Recovery from malfunctioning APs
– Recovery from poor association policies
12
Wireless Management: Security Apps
• Detecting DoS attacks:
– Spoofing Disassociation
– Large NAV values
– Jamming
• Detecting Rogue Wireless Networks
13
Rogue Wireless Networks
• Detecting rogue APs and rogue ad-hoc networks
• An uninformed or careless employee who doesn’t understand (or chooses not to think about) the security implications
– An employee brings in an AP from home and attaches it to the corporate network, creating a rogue AP
– It is trivial to configure a desktop PC with a wireless interface to create a rogue ad-hoc network
14
Risks
• Attaching an unauthorized AP to a corporate network
– May allow unauthorized wireless clients to gain access
• A wireless client unknowingly connects to an unauthorized AP on an unauthorized network
– May expose corporate information on that network
• Once a rogue network is installed, physical proximity is no longer needed (esp. with directional antennas)…
15
A Simple Solution?
• Build a database of known:
– SSIDs (network names)
– BSSIDs (access point MAC addresses)
• Use the DAIR infrastructure to scan
– Whenever an unknown entity appears (either SSID or BSSID), raise an alarm
• This is the level at which most previous work solves this problem
16
False Alarms
• In many enterprise environments, one can hear other legitimate APs
– E.g. shared office buildings
• Is the unknown wireless network connected to your corporate wired network?
17
Testing for Wired Connectivity
• Association test
– Associate with suspect AP, contact wired node
• Mac address tests:
– First-hop router test
• Wireless “DEST” = known router on wired network
– ARP test
• Wireless “DEST” = known entity on local subnet
• DHCP signature test
– For wireless routers: Identify device type through DHCP options
• Packet correlation test
– Use timing and packet lengths to see traffic on both wired/wireless
• Replay test
18
First-Hop Router Test
[Diagram: Access Point, Client, Air Monitor, Land Monitor, Subnet Router, Database. The Land Monitor discovers the MAC addresses of all subnet routers and submits the results to the database; the Air Monitor overhears a client communicating with an unknown access point.]
19
First-Hop Router Test
802.11 Frame (with encryption): Unencrypted Header | Encrypted Payload
MAC addresses in the unencrypted header:
– Receiver: Access Point
– Transmitter: Client
– Destination: Subnet Router
20
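The following is an added example, not code from the DAIR paper or its system, showing how the “simple solution” (known-BSSID database) and the MAC-address tests above combine on captured 802.11 data frames. Only the unencrypted MAC header is decoded, so the test works even when the payload is WEP/WPA-encrypted. The inventory sets (known BSSIDs, subnet router MACs, local subnet MACs), the NAV threshold, and the sample frames are all constructed for illustration; a real Land Monitor would populate the router and subnet tables itself. The Duration/ID check for the “large NAV values” item on the security slide is included because the same header decode yields it.

```python
"""Added example: rogue-AP wired-connectivity tests on 802.11 data frame headers."""
import struct
from dataclasses import dataclass

# Constructed inventory for this example (hypothetical values, not from the DAIR deployment).
KNOWN_BSSIDS = {"00:11:22:33:44:55"}          # corporate access points
SUBNET_ROUTER_MACS = {"00:aa:bb:cc:dd:01"}    # learned by a Land Monitor (e.g. ARP for the default gateway)
LOCAL_SUBNET_MACS = {"00:aa:bb:cc:dd:42"}     # other wired hosts seen on the local subnet
NAV_ALARM_US = 10_000                         # hypothetical threshold for the "large NAV" check


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class DataFrame:
    to_ds: bool
    from_ds: bool
    protected: bool
    duration: int        # Duration/ID field (NAV reservation in microseconds when bit 15 is clear)
    bssid: str           # the AP the frame passed through
    source: str          # station that originated the frame
    destination: str     # final destination address (DA)


def parse_data_frame(raw: bytes) -> DataFrame:
    """Decode the 24-byte MAC header of a non-WDS 802.11 data frame."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1, duration = struct.unpack("<BBH", raw[:4])
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    a1, a2, a3 = (mac_str(raw[i:i + 6]) for i in (4, 10, 16))
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled in this example")
    if to_ds:        # station -> AP:  Addr1 = BSSID (receiver), Addr2 = SA (transmitter), Addr3 = DA
        bssid, source, dest = a1, a2, a3
    elif from_ds:    # AP -> station:  Addr1 = DA, Addr2 = BSSID, Addr3 = SA
        bssid, source, dest = a2, a3, a1
    else:            # ad hoc (IBSS):  Addr1 = DA, Addr2 = SA, Addr3 = BSSID
        bssid, source, dest = a3, a2, a1
    return DataFrame(to_ds, from_ds, protected, duration, bssid, source, dest)


def first_hop_router_test(f: DataFrame) -> bool:
    """Wireless DA is one of the wired subnet routers: the AP forwards onto our wire."""
    return f.destination in SUBNET_ROUTER_MACS


def arp_test(f: DataFrame) -> bool:
    """Wireless DA is a known host on the local wired subnet."""
    return f.destination in LOCAL_SUBNET_MACS


def large_nav(f: DataFrame) -> bool:
    """Flag NAV reservations above the threshold (bit 15 set means AID/CFP, not a NAV)."""
    return f.duration < 0x8000 and f.duration > NAV_ALARM_US


def classify(f: DataFrame) -> str:
    if f.bssid in KNOWN_BSSIDS:
        return "authorized"
    if first_hop_router_test(f) or arp_test(f):
        return "rogue-wired"       # unknown AP whose traffic reaches our wired network
    return "unknown-unwired"       # unknown AP, no evidence it is on our wire (e.g. a neighbour's)


def build_data_frame(to_ds, from_ds, protected, duration, a1, a2, a3, payload=b"\x00" * 8) -> bytes:
    """Construct a minimal data frame for the samples below (constructed test input)."""
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    header = struct.pack("<BBH", 0x08, fc1, duration)   # 0x08: type = data, subtype = 0
    return header + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00" + payload


SAMPLES = {
    # encrypted client -> unknown AP frame whose DA is the wired subnet router
    "rogue": build_data_frame(True, False, True, 44, "00:99:88:77:66:55", "00:de:ad:be:ef:01", "00:aa:bb:cc:dd:01"),
    # corporate AP -> client
    "authorized": build_data_frame(False, True, True, 44, "00:de:ad:be:ef:02", "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"),
    # client -> unknown AP, DA not on our subnet (a neighbouring company's network)
    "neighbour": build_data_frame(True, False, True, 44, "00:99:88:77:66:56", "00:de:ad:be:ef:03", "00:55:44:33:22:11"),
    # client -> unknown AP, DA on the local subnet, abnormally large NAV reservation
    "big_nav": build_data_frame(True, False, False, 30_000, "00:99:88:77:66:55", "00:de:ad:be:ef:01", "00:aa:bb:cc:dd:42"),
}


def run_samples() -> dict:
    """Return {sample name: (verdict, large_nav flag)} for every constructed frame."""
    out = {}
    for name, raw in SAMPLES.items():
        f = parse_data_frame(raw)
        out[name] = (classify(f), large_nav(f))
    return out


if __name__ == "__main__":
    for name, (verdict, nav) in run_samples().items():
        print(f"{name:10s} {verdict:16s} large_nav={nav}")
```

The verdict “unknown-unwired” is exactly the false-alarm case from the previous slides: an unknown BSSID on its own is not enough, and the alarm is only raised once a wired-side address shows up as the wireless destination.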
Current Approaches & Related Research
• Many commercial offerings in this space
• Leverage existing access points (APs)
– AirWave, ManageEngine, …
– An AP’s primary goal is to provide service to clients, so it spends limited time listening on other channels
• Specialized sensors
– Aruba (MS IT choice), AirDefense, AirTight …
– Expensive → limited density
• [Adya et al. Mobicom 04] – use assistance of mobile clients
– Difficult to provide predictable coverage
– Less proactive due to energy constraints
• Other wireless monitoring
22
Wrapping Up…
– Status
• Built much of the “plumbing”: AirMonitors, Inferencing Service, Management Console (GUI)
• Built a set of wireless security apps, ongoing evaluation
• Deployed ~22 AirMonitors on one floor of our building
– Next 6 months:
• Performance & reliability apps
• Provide location services
• Larger scale deployment
– Longer term: going beyond management tools
• Seamless roaming
• Self-configuring complete replacement for existing wireless infrastructure
23