Enterprise Wireless LAN (WLAN) Management and Services


Enterprise Wireless LAN (WLAN) Management and Services
Jitu Padhye (Joint work with Ranveer Chandra, Alec Wolman, Brian Zill & Victor Bahl)

Wireless Network Woes
- Corporations spend lots of $$ on WLAN infrastructure
  - Worldwide enterprise WLAN business expected to grow from $1.1 billion this year to $3.5 billion in 2009
- Wireless networks perceived to be “flaky”, less secure
  - Microsoft’s IT Dept. logs several hundred complaints / month
- Users complain about:
  - Lack of coverage, performance, reliability
  - Authentication problems (802.1x protocol issues)
- Network administrators worry about:
  - Providing adequate coverage, performance
  - Security and unauthorized access
  - DefCon 2005: WiFi Pistol, WiFi Sniper Rifle, WiFi Bouncing, AirSnarf box
- Better WLAN management system needed!

Requirements for a WLAN Management System
- Integrated location service
  - Mobile clients
  - Problems may be location-specific
- Multiple monitors
- Dense deployment
  - Complex signal propagation in indoor environment
  - Many orthogonal channels
  - Asymmetric links
- Scalable
- Self-configuring
- Cope with incomplete data

Management system consists of a monitoring subsystem that gathers data, inference engine that processes it and then takes action. Wireless presents challenges for gathering and processing data.

State of the Art
- AP-based monitoring (Aruba, AirDefense, ManageEngine …)
  - Pros: Easy to deploy (APs are under central control)
  - Cons:
    - Cannot detect coverage problems using AP-based monitoring
    - Single-radio APs cannot be effective monitors
    - Limited coverage even with dual-radio APs
  - MS IT currently uses dual-radio APs from Aruba
- Specialized sensor boxes (Aruba, AirTight, …)
  - Pros: Can provide detailed signal-level analysis
  - Cons: Expensive, so cannot deploy densely
- Monitoring by mobile clients
  - Research prototype @ MSR [Adya et al., MobiCom’04]
  - Pros: Inexpensive, suitable for un-managed environments (Ranveer’s talk)
  - Cons:
    - Coverage not predictable (clients are mobile)
    - Lack of density
    - Battery power may become an issue
    - Only monitor the channel they are connected on

Aruba system works, but not clear how effective it is. Supposed to detect rogue APs. They found one recently – it was deployed by another group on our floor, but they have never detected ours – we have been doing this for good six months! Mo

Observations
- Desktop PCs with good wired connectivity are ubiquitous in enterprises
- Outfitting a desktop PC with 802.11 wireless is inexpensive
  - Wireless USB dongles are cheap: as low as $6.99 at online retailers
  - PC motherboards are starting to appear with 802.11 radios built-in
- Leverage desktops to become wireless monitors
- Combine to create a dense deployment of wireless sensors

DAIR: Dense Array of Inexpensive Radios
Details: HotNets’05, MobiSys’06

Key Characteristics of DAIR
- High sensor density at low cost
  - Effective monitoring of multiple channels in indoor environments
  - Tolerates failure of a few sensors
  - Leverages existing desktop resources
- Sensors are stationary
  - Provides predictable coverage
  - Permits meaningful historical analysis
  - Makes it easier to build an integrated location service
  - Accuracy improves with sensor density
- Completely self-configuring
  - Ease of deployment

To reiterate, the key characteristics of DAIR are … Self configuration is not a direct consequence of the basic idea. Rather, it is a need (due to high sensor density), and we have explicitly designed our system to be so.

DAIR Architecture
[Figure: architecture diagram. Components: AirMonitors, LandMonitor, Database, Inference Engine, connected by the wired network. Labels: summarized data from monitors; data from database; data to inference engine; commands and database queries; other data: SNMP, configuration.]

Four main components: AirMon, LandMon (use wired services like DHCP, ex), Database, Inference.
- AirMonitors: wireless sensors. Primarily passive, in certain cases generate active traffic.
- LandMonitors: wired sensors. One per subnet.
- Inference engine: queries database, performs complex, CPU-intensive computations.
- Database: goal is to support a small # of 100’s of clients per database.

Monitor Architecture
- Extensibility: new task = new filter
- Filters summarize what they hear, periodically submit summaries to a db server.
- Filter for Rogue wireless detection summarizes SSID and BSSID information.
- All support modules make the filters simple to write.

Managing Existing WiFi Networks using DAIR
- Security Applications
  - Detect Rogue APs, DoS attacks
  - Response:
    - Locate AP, Inform netops
    - Launch DoS attacks against Rogue APs
- Performance management
  - Monitor RF coverage:
    - Detect poor coverage, RF holes
    - Locate region of poor coverage
    - Provide temporary coverage until an AP can be installed
  - Load balancing:
    - Detect overload, congestion, flash crowd, rate anomaly
    - DAIR nodes temporarily serve as APs or repeaters
    - Reconfigure AP power levels (cell breathing)
- Location service to support above applications

Told you about challenges, now let’s look at some specific applications. We have already built blue ones. And we have built a location service to support these apps.

Overview of location service
- Distinguishing features:
  - Self-configuring
  - Can locate un-cooperative transmitters (e.g. unauthorized APs)
  - Office-level accuracy
- How it works:
  - AirMonitors locate themselves
  - AirMonitors regularly profile the environment to determine radio propagation characteristics
  - Inference engine uses profiles and observations from multiple AirMonitors to locate clients, sources of interference (DoS attack?), determine regions of poor performance

Many wireless location systems have been proposed.

Example Application: Detecting Rogue AP
- Problem:
  - Careless employee brings AP from home, attaches it to the corporate network
  - Bypasses security measures like 802.1x, allows unauthorized clients to gain access
  - Once rogue network is installed, physical proximity is no longer needed
- Simple solution (state of the art):
  - Build database of authorized SSIDs (Network Names) and BSSIDs (AP MAC Addresses)
  - Whenever an unknown entity appears (either SSID or BSSID), raise alarm
- False positives:
  - Reason: Shared office building
  - Solution: determine whether suspect AP is connected to corporate wired network
  - Array of tests: association test, src/dst address test, replay test
- False negatives:
  - Reason: Malicious user configures rogue AP with valid SSID/BSSID
  - Solution: use location and breaks in packet sequence numbers to disambiguate

Trivial to create a rogue ad-hoc network with a desktop machine
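The allowlist check and the sequence-number test from this slide, as an added example (not code from the DAIR project). The SSID/BSSID pairs, frame tuples and thresholds are constructed assumptions, and the location-based disambiguation and wired-connectivity tests the slide also names are not modelled.

```python
from collections import defaultdict

# Constructed allowlist of authorized (SSID, BSSID) pairs; not from the talk.
AUTHORIZED = {("CORP", "00:11:22:33:44:01"), ("CORP", "00:11:22:33:44:02")}
SEQ_MODULUS = 4096     # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 64   # assumed tolerance for frames the monitor missed
MIN_BREAKS = 3         # assumed number of breaks before flagging

def sequence_breaks(seqs):
    """Count jumps that one transmitter counting upward would not produce."""
    breaks = 0
    for prev, cur in zip(seqs, seqs[1:]):
        delta = (cur - prev) % SEQ_MODULUS   # forward distance, wrap-aware
        if delta > MAX_FORWARD_GAP:          # delta == 0 is a retransmission
            breaks += 1
    return breaks

def classify(frames):
    """frames: (ssid, bssid, seq) tuples in capture order from one monitor."""
    seqs, ssids = defaultdict(list), defaultdict(set)
    for ssid, bssid, seq in frames:
        seqs[bssid].append(seq)
        ssids[bssid].add(ssid)
    verdicts = {}
    for bssid in seqs:
        if any((ssid, bssid) not in AUTHORIZED for ssid in ssids[bssid]):
            verdicts[bssid] = "unknown"        # alarm, then test wired connectivity
        elif sequence_breaks(seqs[bssid]) >= MIN_BREAKS:
            verdicts[bssid] = "suspect-spoof"  # two radios share one identity
        else:
            verdicts[bssid] = "ok"
    return verdicts

def constructed_capture():
    """Constructed frames: a wrapping legitimate AP, a cloned AP, a stranger."""
    frames = [("CORP", "00:11:22:33:44:01", s % SEQ_MODULUS) for s in range(4092, 4100)]
    for k in range(5):  # genuine AP near 500 interleaved with a clone near 3000
        frames.append(("CORP", "00:11:22:33:44:02", 500 + k))
        frames.append(("CORP", "00:11:22:33:44:02", 3000 + k))
    frames.append(("linksys", "aa:bb:cc:dd:ee:ff", 17))
    return frames

if __name__ == "__main__":
    for bssid, verdict in sorted(classify(constructed_capture()).items()):
        print(bssid, verdict)
```

A clone whose counter happens to sit within the tolerated gap of the genuine AP's counter passes this test, which is why the slide pairs sequence numbers with location.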

Current deployment
- Testbed: 40 nodes on one floor
  - Operational since Nov’05
  - NetGear USB Wireless Adapter
  - Custom driver
- Database server: MS SQL 2005 on 1.7GHz P4 with 1GB RAM
- Inference engine server: 2GHz P4 with 512MB RAM
- Nodes submit summary data every 2 minutes (randomized)
- Inference engines query data every 1-3 minutes

System Scalability
- Load on database server < 75%
- Additional load on desktops < 2-3%
- Wired network traffic per node < 5Kbps
- One database server per building should be sufficient.

Backup slides

Demo
1. Rogue AP detection and location
2. DoS attack (Disassociation attack) detection and location
3. Location-aware client performance monitoring

See 2 & 3 during break after the talk

How do AirMonitors locate themselves?
- Monitor machine activity to determine primary user
- Look up ActiveDirectory to determine office number
- Parse office map to determine coordinates of the office
- Verify and adjust coordinates by observing which AirMonitors are nearby

Profiling the Environment to build a Radio Map
- Each AirMonitor periodically transmits beacons
  - Repeat for various channels, power levels, various times of day
- Other AirMonitors record signal strength
- Inference engine fits curve(s) to collected observations
- The curve is a compact and approximate representation of the radio propagation characteristics of the environment

[Figure: 802.11a (5GHz), normal office hours, 3rd floor of building 112, 33 AirMonitors]

Determining location of clients (any “transmitter”)
- AirMonitors capture packets from the client, report observed signal strength to database
- Inference engine:
  - Selects appropriate profile (frequency, time of day)
  - Locates client using the observations from AirMonitors and the profile
  - Spring-and-ball algorithm for fast convergence
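The two steps from the last two slides, fitting a propagation curve and then locating a transmitter from several AirMonitors' signal-strength reports, as an added example (not the DAIR implementation). It assumes a log-distance curve, rssi = a + b*log10(d), and uses a plain grid search in place of the spring-and-ball algorithm the slide names; the floor size, monitor positions and readings are constructed.

```python
import math

def fit_profile(samples):
    """Least-squares fit of rssi = a + b*log10(d) to (distance_m, rssi_dbm) pairs."""
    xs = [math.log10(d) for d, _ in samples]
    ys = [r for _, r in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return my - b * mx, b

def predict(profile, d):
    a, b = profile
    return a + b * math.log10(max(d, 0.5))  # clamp: avoids log10(0) at a monitor

def locate(profile, observations, extent=(40.0, 20.0), step=0.5):
    """Grid point whose predicted RSSI at every AirMonitor best matches the reports."""
    best, best_err = None, float("inf")
    for i in range(int(extent[0] / step) + 1):
        for j in range(int(extent[1] / step) + 1):
            x, y = i * step, j * step
            err = sum((predict(profile, math.hypot(x - px, y - py)) - rssi) ** 2
                      for (px, py), rssi in observations)
            if err < best_err:
                best, best_err = (x, y), err
    return best

# Constructed ground truth, used only to synthesize the sample readings below.
TRUE_A, TRUE_B = -40.0, -30.0
MONITORS = [(0, 0), (40, 0), (0, 20), (40, 20), (20, 10)]
TRANSMITTER = (12.0, 7.5)

def constructed_profile_samples():
    """Monitor-to-monitor beacon readings at known distances, with fixed noise."""
    noise = [0.5, -0.5, 0.3, -0.4, 0.1]
    return [(d, TRUE_A + TRUE_B * math.log10(d) + e)
            for d, e in zip([1, 2, 5, 10, 20], noise)]

def constructed_observations():
    """What each AirMonitor reports for the unknown transmitter, with fixed noise."""
    noise = [0.4, -0.3, -0.4, 0.3, 0.2]
    tx, ty = TRANSMITTER
    return [((mx, my), TRUE_A + TRUE_B * math.log10(math.hypot(mx - tx, my - ty)) + e)
            for (mx, my), e in zip(MONITORS, noise)]

def demo():
    profile = fit_profile(constructed_profile_samples())
    return profile, locate(profile, constructed_observations())

if __name__ == "__main__":
    print(demo())
```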