The present invention relates generally to wireless networking. More particularly, the present invention provides systems and methods for remote troubleshooting of Wireless Local Area Networks (WLANs) using one or more distributed WLAN sensors and one or more servers.
Wireless networking technology is growing in popularity. Businesses are not only migrating to wireless networking, they are steadily integrating wireless technology and associated components into their wired infrastructure. The demand for Wireless Local Area Networks (WLANs) is fueled by the growth of mobile computing devices, such as laptops and personal digital assistants (PDAs), and a desire by users for continual connections to the network without having to “plug in.”
Managing distributed WLANs poses unique challenges. The operational expenses in managing a large WLAN can be significant because wireless network outages are a common and frequent occurrence. Unlike wired networks, WLANs operate in a shared wireless medium that is constantly changing. In addition, wireless devices are mobile and frequently roam between different WLANs. WLAN performance and coverage can also be significantly impacted by noise and transient interference in the local air space. Similarly, misconfigurations, such as improper security keys, can prevent a device from successfully communicating.
The cost of testing and troubleshooting a wireless network is significant. Typically, when a WLAN goes down or a user reports connectivity problems, an on-site technician armed with a wireless laptop-based network analyzer is sent on site to capture wireless traffic and analyze the root cause of the issue. These techniques are costly and time consuming. Thus, the ability to “look into” a wireless network remotely from a central facility, perform connection tests, and analyze data would be indispensable for efficient WLAN troubleshooting.
In various exemplary embodiments, the present invention describes systems and methods for remote testing and troubleshooting of a WLAN using one or more distributed WLAN sensors and one or more servers. Specifically, the invention describes a method to test WLAN access points (APs) for connectivity and performance in the field. In an exemplary embodiment, the one or more distributed WLAN sensors and one or more servers can include a wireless monitoring system, such as a wireless intrusion prevention or detection system. The present invention utilizes a distributed network of WLAN sensors that typically operate to monitor the WLAN, and as needed, the present invention converts the monitoring sensors to WLAN clients capable of connecting to and remotely testing one or more WLAN APs.
In an exemplary embodiment of the present invention, a method for remote testing of a wireless local area network access point includes selecting an access point to test; selecting a sensor in range of the access point; configuring the sensor as a wireless local area network client; and testing the access point with the sensor. The sensor includes a monitoring sensor configured to provide wireless network monitoring for wireless network intrusions in conjunction with a server that is in communication with the sensor. Configuring the sensor as a wireless local area network client includes assigning the sensor a media access control address to operate as a wireless client device, and can further include configuring the sensor to lock on and operate on a wireless channel that the access point is operating on. Testing the access point includes performing layer two connectivity tests and layer three connectivity tests. The layer two connectivity tests can include any of performing an association between the sensor and the AP, performing a four-way handshake and installing temporal and group keys, and performing physical layer rate testing including measuring a packet error rate based on acknowledgments received at the sensor from the AP. The layer three connectivity tests can include any of assigning an Internet Protocol address to the sensor operating as a wireless client, performing a ping to a known machine on a wired network connected to the wireless network, performing a traceroute test to the known machine, performing network performance testing including performing Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) throughput tests, scanning for open/blocked ports and services, and performing a Domain Name System test. The layer two connectivity tests and the layer three connectivity tests are each selected based upon user requirements and network configuration.
In another exemplary embodiment of the present invention, a wireless monitoring system configured for remote testing of an access point includes one or more wireless sensors configured to monitor traffic on a wireless network; one or more servers communicatively coupled to the one or more wireless sensors; and a remote access point testing procedure executed on one of the one or more wireless sensors and one of the one or more servers, wherein the remote access point testing procedure is configured to convert the one of the one or more wireless sensors to a wireless client in order to remotely test the access point. The one or more wireless sensors and the one or more servers include one of a wireless monitoring system, a wireless intrusion detection system, and a wireless intrusion prevention system. The one or more wireless sensors are configured to operate in a promiscuous mode while monitoring and converted to client mode to remotely test the access point. Converting the one of the one or more wireless sensors to a wireless client includes assigning the one of the one or more wireless sensors a media access control address to operate as a wireless client device. To remotely test the access point, the system performs layer two connectivity tests and layer three connectivity tests. The layer two connectivity tests can include any of performing an association between the sensor and the AP, performing a four-way handshake and installing temporal and group keys, and performing physical layer rate testing including measuring a packet error rate based on acknowledgments received at the sensor from the AP. 
The layer three connectivity tests can include any of assigning an Internet Protocol address to the sensor operating as a wireless client, performing a ping to a known machine on a wired network connected to the wireless network, performing a traceroute test to the known machine, performing network performance testing including performing Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) throughput tests, scanning for open/blocked ports and services, and performing a Domain Name System test. The wireless monitoring system can further include a graphical user interface for configuring, executing the test of the access point, and providing a test report.
In yet another exemplary embodiment of the present invention, a wireless monitoring method includes providing the wireless monitoring system including a server communicatively coupled to one or more distributed wireless sensors; monitoring the wireless network for intrusions with the wireless monitoring system; configuring access point test parameters in the wireless monitoring system; and responsive to access point test parameters, testing one or more access points in the wireless network with the wireless monitoring system. The testing includes converting a sensor of the one or more distributed wireless sensors into a wireless client configured to communicate on the wireless network and performing wireless connectivity tests between the sensor and the access point. The layer two connectivity tests can include performing an association between the sensor and the AP, performing a four-way handshake and installing temporal and group keys, and performing physical layer rate testing including measuring a packet error rate based on acknowledgments received at the sensor from the AP. The layer three connectivity tests can include assigning an Internet Protocol address to the sensor operating as a wireless client, performing a ping to a known machine on a wired network connected to the wireless network, performing a traceroute test to the known machine, performing network performance testing including performing Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) throughput tests, scanning for open/blocked ports and services, and performing a Domain Name System test.
The present invention is illustrated and described herein with reference to the various drawings, in which like reference numbers denote like method steps and/or system components, respectively, and in which:
In various exemplary embodiments, the present invention describes systems and methods for remote testing and troubleshooting of a WLAN using one or more distributed WLAN sensors and one or more servers. Specifically, the invention describes a method to test WLAN access points (APs) for connectivity and performance in the field. In an exemplary embodiment, the one or more distributed WLAN sensors and one or more servers can include a wireless monitoring system, such as a wireless intrusion prevention or detection system. The present invention utilizes a distributed network of WLAN sensors that typically operate to monitor the WLAN, and as needed, the present invention converts the monitoring sensors to WLAN clients capable of connecting to and remotely testing one or more WLAN APs.
Referring to
By installing wireless access points (APs) 130a, 130b on the wired network (e.g., Ethernet 108 and router 110), personal computers and laptops equipped with wireless local area network (WLAN) cards and other wireless-enabled devices form wireless networks 140a, 140b which can connect to the wired network at broadband speeds (e.g., 11 Mb/s up to 600 Mb/s) using IEEE 802.11a/b/g/n protocols, for example.
Wireless networks 140a, 140b operate over the airspace which is an uncontrolled and shared medium lacking the equivalent physical control and accessibility of its wired counterpart. As such, wireless hackers 145a, 145b can enter the local network 100 through the access points 130a, 130b even if the access points 130a, 130b are located behind the firewall 122. Therefore, wireless networks 140a, 140b (in conjunction with access points 130a, 130b) can provide opportunities for unauthorized users to attack the network 100, which can include in various examples: a local area network, a wide area network, a metropolitan area network, a corporate intranet, among many others.
A wireless AP 130c can be installed unbeknownst to an enterprise (e.g., rogue AP) or it can be installed and misconfigured (e.g. misconfigured AP). As such, the AP 130c can also provide opportunities for unauthorized users to access the network 100. Due to the low cost of APs 130c, anyone with access to an enterprise can install a rogue AP 130c and connect it to the Ethernet 108 network providing complete wireless access to the enterprise. A misconfigured AP 130c can have the wrong encryption settings allowing any user to gain access to the enterprise.
Also, municipal wireless networks 150 are proliferating such as local governments providing free or reduced cost IEEE 802.11 access. These networks 150 can be used by the wireless hacker 145a to gain access to a device on the enterprise's wireless network 140a which is set to allow inbound connections effectively bypassing the enterprise firewall and content filtering. Additionally, mobile users 160 face threats from evil twin APs 130e which gain access to the user's 160 login credentials by posing as a legitimate AP 130d. Such a threat can allow the evil twin AP 130e to relay the credentials to a hacker for access to the enterprise's wireless network 140a, 140b.
In addition to IEEE 802.11 access, other wireless protocols 170 such as Bluetooth, WiMax, and cellular data are emerging and proliferating. Bluetooth is deployed within the enterprise with PDAs, cellular phones, and the like. WiMax is a wireless standard for the delivery of last mile wireless broadband access as an alternative to cable and DSL.
The network 100 can be configured with wireless sensors 180a, 180b and a server 190 for monitoring, detecting, and preventing wireless intrusions on the wireless networks 140a, 140b. The sensors 180a, 180b connect to the Ethernet 108 network, and each sensor 180a, 180b is located to monitor, detect, and prevent intrusions over a pre-defined area for wireless activity. The sensors 180a, 180b are configured to monitor data transmitted on the wireless networks 140a, 140b and to communicate relevant data, events, and statistics to the server 190. The sensors 180a, 180b can be configured to monitor one or more wireless channels such as IEEE 802.11 standard channels and non-standard user-defined channels. The sensors 180a, 180b can monitor more than one channel simultaneously if the sensors 180a, 180b are configured with multiple wireless radios. The sensors 180a, 180b can include a local processor to perform data analysis on wireless events to minimize communications to the server 190.
The server 190 connects to the Ethernet 108 or optionally through the network 120 (not shown) and the server 190 is configured to receive and correlate data, events, and statistics from the sensors 180a, 180b. Further, multiple servers 190 can operate to provide redundancy and load-balancing. Additionally in some examples, access points 130 and/or local clients 106 can occasionally operate as sensors 180a, 180b to communicate data, events, and statistics to the server 190. Also, local clients 106 equipped with WLAN cards can be configured with software agents, allowing the local clients 106 to periodically monitor the wireless networks 140a, 140b and to communicate data, events, and statistics from monitoring the wireless networks 140a, 140b to the server 190.
The server 190 can be configured to detect attacks and events, network performance degradation, and network policy compliance on the wireless networks 140a, 140b. Further, the server 190 can be configured to direct the sensors 180a, 180b to terminate a rogue wireless client (e.g. an unauthorized user) such as wireless hackers 145a, 145b. Also, the server 190 can include a data store to log history and trends relating to monitoring of the wireless network 140a, 140b. The combination of the server 190 and sensors 180a, 180b is known as a wireless intrusion prevention system (WIPS) or a wireless intrusion detection system (WIDS).
The present invention provides systems and methods for remote testing and troubleshooting of the wireless networks 140a, 140b using the sensors 180a, 180b and the server 190. Specifically, the sensors 180a, 180b and the server 190 can be configured to test WLAN access points 130 for connectivity and performance in the field. Additionally, the server 190 can direct the sensors 180a, 180b to act as WLAN clients capable of connecting to and testing the one or more access points 130.
Referring to
The server 202 includes a core 210 and a data store 212. The core 210 generally includes a processing element and interfaces to the network 206. The core 210 is configured to receive data from the sensors 204a, 204b, to analyze the data, and to store the data in the data store 212. In an exemplary embodiment, the core 210 can apply multiple intrusion detection tests to received data to detect possible intrusions or violations. These intrusion detection tests can relate to wireless policy deviation, statistical anomalies, signature-based attacks, wireless protocol usage, and the like.
The server 202 can be accessed through a user interface 220 locally or remotely through a remote browser interface 230. Specifically, the server 202 can include a Graphical User Interface (GUI) to display network topology, alarms and warnings, network performance, and the like. The GUI can also be utilized to configure the server 202 and the sensors 204a, 204b.
The present invention utilizes the distributed nature of the sensors 204a, 204b and the proximity of the sensors 204a, 204b to APs to enable remote testing and troubleshooting of APs. The sensors 204a, 204b typically operate in a monitoring mode thereby receiving and processing wireless traffic. Occasionally, the sensors 204a, 204b can transmit for various active defense mechanisms to terminate a rogue device. The present invention utilizes the sensors 204a, 204b as WLAN client devices for purposes of testing and troubleshooting APs remotely.
Referring to
The AP testing procedure 300 selects a WLAN AP to test (step 306) for a periodic test or receives an input for which WLAN AP to test (step 308) for a manual test. For example, the server can periodically test one or more APs based on a predetermined order or schedule, based on the server's determination in regard to a particular AP (e.g., performance degradation), and the like. For the manual test, the server can prompt a user to select an AP, such as through a list.
Once the AP is chosen for testing, a sensor is chosen to test the AP (step 310). The sensor can be chosen by the server based on proximity or the like. For example, the sensor closest to the AP, i.e., the one with the best received signal strength, can be selected automatically or offered as the default choice. Other sensors in range can also be used.
Next, the AP testing procedure 300 obtains configuration data regarding the AP from the server or from user input (step 312). The configuration data can include security keys, service set identifier (SSID), Internet Protocol (IP) address, AP password, and the like. This data can be stored on the server, such as in a pre-configured profile, or input from the user. The server can include a user-modifiable profile for each AP.
The selected sensor is then locked on the AP's operating channel (step 314). WLAN APs operating according to the various IEEE 802.11 specifications can use different channels in the 2.4 GHz and 5 GHz bands, so the sensor must be placed on the channel the AP is actually using. While solely monitoring the WLAN, the sensor typically operates in promiscuous (receive-only) mode, e.g., to avoid detection by a rogue device. In AP testing mode, the sensor acts as a client and also transmits.
Once the sensor is locked on the appropriate channel and configured, the sensor is utilized to perform various layer two (step 400) and layer three (step 500) connectivity tests. For example, the layer two 400 tests can include various IEEE 802.11 connectivity tests, such as Authentication, Association, and Wi-Fi Protected Access (WPA) Handshake. The layer three 500 tests can include Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), Traceroute, Domain Name System (DNS), Ping, and Portscan related tests.
Accordingly, the sensor operates as a wireless client to perform these tests, and not in a promiscuous receive-only mode as a sensor. Additionally, the AP testing procedure 300 can produce a layer two test report (step 316), and exit if the layer two test is unsuccessful (step 318). Also, the AP testing procedure 300 can produce a layer three test report (step 320), and perform the AP testing procedure 300 again for a different AP.
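The procedure of steps 306 through 320, written out as an added example (not code from the patent or from any product it describes): pick the sensor that hears the AP best, look up the AP's profile, lock the sensor to the profile's channel, run the layer two tests and stop before layer three if any of them fails. The sensor and profile data, the MAC addresses, the -75 dBm range cut-off and the stand-in test callables are all constructed for illustration; in a deployment the callables would be the over-the-air tests.

```python
"""Orchestration of the remote AP test: sensor selection by RSSI, profile
lookup, channel lock, and fail-fast gating of layer three behind layer two.
All data below is constructed; the test callables stand in for real tests."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Sensor:
    sensor_id: str
    client_mac: str          # MAC assigned to the sensor for client mode (constructed)
    rssi: Dict[str, int]     # BSSID -> dBm last observed while monitoring (constructed)


@dataclass
class ApProfile:
    bssid: str
    ssid: str
    channel: int
    passphrase: str          # held in the server's per-AP profile


@dataclass
class TestReport:
    bssid: str
    sensor_id: Optional[str] = None
    channel: Optional[int] = None
    layer2: Dict[str, bool] = field(default_factory=dict)
    layer3: Dict[str, bool] = field(default_factory=dict)
    error: Optional[str] = None

    @property
    def passed(self) -> bool:
        return self.error is None and all(self.layer2.values()) and all(self.layer3.values())


TestFn = Callable[[Sensor, ApProfile], bool]


def select_sensor(sensors: List[Sensor], bssid: str, min_rssi: int = -75) -> Optional[Sensor]:
    """Step 310: the in-range sensor with the strongest signal from the AP, or None."""
    in_range = [s for s in sensors if s.rssi.get(bssid, -200) >= min_rssi]
    if not in_range:
        return None
    return max(in_range, key=lambda s: s.rssi[bssid])


def run_ap_test(bssid: str, sensors: List[Sensor], profiles: Dict[str, ApProfile],
                layer2_tests: Dict[str, TestFn], layer3_tests: Dict[str, TestFn]) -> TestReport:
    report = TestReport(bssid=bssid)
    profile = profiles.get(bssid)                   # step 312: configuration data
    if profile is None:
        report.error = "no profile configured for AP"
        return report
    sensor = select_sensor(sensors, bssid)
    if sensor is None:
        report.error = "no sensor in range of AP"
        return report
    report.sensor_id = sensor.sensor_id
    report.channel = profile.channel                # step 314: lock to the AP's channel
    for name, test in layer2_tests.items():         # step 400
        report.layer2[name] = test(sensor, profile)
        if not report.layer2[name]:
            report.error = f"layer two failed at {name}"
            return report                           # step 318: do not attempt layer three
    for name, test in layer3_tests.items():         # step 500
        report.layer3[name] = test(sensor, profile)
    return report


# Constructed sample deployment: two sensors, two profiled APs.
SENSORS = [
    Sensor("sensor-180a", "02:00:00:00:01:0a", {"ap-130a": -58, "ap-130b": -82}),
    Sensor("sensor-180b", "02:00:00:00:01:0b", {"ap-130a": -71, "ap-130b": -63}),
]
PROFILES = {
    "ap-130a": ApProfile("ap-130a", "corp", channel=6, passphrase="correct horse"),
    "ap-130b": ApProfile("ap-130b", "corp", channel=36, passphrase="stale key"),
}
# What each AP is really configured with; the stand-in handshake succeeds only on a match.
AP_REAL_PASSPHRASE = {"ap-130a": "correct horse", "ap-130b": "rotated key"}

LAYER2: Dict[str, TestFn] = {
    "association": lambda s, p: s.rssi[p.bssid] > -80,
    "four_way_handshake": lambda s, p: AP_REAL_PASSPHRASE[p.bssid] == p.passphrase,
}
LAYER3: Dict[str, TestFn] = {
    "dhcp": lambda s, p: True,
    "ping_wired_host": lambda s, p: True,
}


def run_all() -> Dict[str, TestReport]:
    """Periodic mode (step 306): test every AP that has a profile."""
    return {b: run_ap_test(b, SENSORS, PROFILES, LAYER2, LAYER3) for b in PROFILES}


if __name__ == "__main__":
    for bssid, rep in run_all().items():
        print(bssid, "PASS" if rep.passed else f"FAIL ({rep.error})", rep.layer2, rep.layer3)
```

With the constructed data, ap-130b has a stale passphrase in its profile, so its handshake test fails and the report shows an empty layer three section rather than misleading layer three failures caused by a key problem.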
Referring to
The association request frame is sent from the sensor to enable the AP to allocate resources and synchronize to the sensor (acting as a client). The frame carries information about the sensor including supported data rates and the SSID of the network the sensor wishes to associate with. If the request is accepted, the AP reserves memory and establishes an association ID for the sensor. The association response frame is sent from the AP to the sensor with an acceptance or rejection of the association request. If it is an acceptance, the frame contains information such as an association ID and supported data rates.
If the AP uses 802.11i-based security (step 404), a four-way handshake is performed and temporal as well as group keys are installed (step 406). Based on the success of the layer two connection an appropriate report is generated (step 408). Further, if physical layer rate testing is enabled (step 410), the sensor sends several data packets at the supported physical layer rates (based on the association) and measures the packet error rate (PER) based on acknowledgements received from the AP (step 412).
The PER measurement can use any technique for conducting error tests on an 802.11 device. For example, the system can obtain the raw data bits received by the sensor and compare them with the bits sent by the AP to determine a bit error rate (BER). Alternatively, the sensor can read out an internal cyclic redundancy check (CRC) mismatch counter. With the 32-bit CRC used by the 802.11 standard, the probability of an erroneous packet going undetected is very small, so the CRC mismatch method is commonly used, as its practical implementation cost is low.
Once the PER is complete, the layer two connectivity test 400 can provide a wireless connectivity report (step 414). Upon completion (step 416), the layer two connectivity test 400 returns to the AP testing procedure 300 in
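The four-way handshake of step 406 is the layer two test that actually exercises the stored security key: if the profile's passphrase does not match the AP's, the MIC on the EAPOL-Key messages fails on one side or the other. The following is an added example (not from the patent or any product) that simulates both ends for WPA2-PSK with CCMP: PMK from PBKDF2, PTK from the two nonces and MAC addresses via the 802.11 PRF, and the HMAC-SHA1-128 MIC used by key descriptor version 2. The EAPOL-Key frame layout is simplified to message number, nonce and MIC, and the nonces and addresses in the usage are constructed; no frames are transmitted.

```python
"""WPA2-PSK four-way handshake key derivation and MIC check, both sides
simulated.  Frame layout is simplified; the key schedule is the standard one."""

import hashlib
import hmac
from typing import Dict, Optional

MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes): KCK(16) || KEK(16) || TK(16).
    Inputs are ordered min/max so both sides compute the same value."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: HMAC-SHA1 over the frame with its MIC field
    (last 16 bytes in this simplified layout) zeroed, truncated to 16 bytes."""
    zeroed = frame[:-MIC_LEN] + b"\x00" * MIC_LEN
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_key_frame(msg_no: int, nonce: bytes, kck: bytes) -> bytes:
    """Simplified EAPOL-Key body: message number || nonce || MIC (constructed layout)."""
    frame = bytes([msg_no]) + nonce + b"\x00" * MIC_LEN
    return frame[:-MIC_LEN] + eapol_mic(kck, frame)


def verify_key_frame(frame: bytes, kck: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame), frame[-MIC_LEN:])


def run_four_way_handshake(ssid: str, ap_passphrase: str, sensor_passphrase: str,
                           aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, object]:
    """The AP holds ap_passphrase; the sensor (client) uses the passphrase from its
    AP profile.  Returns what each side could verify and the TK the sensor would install."""
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), aa, spa, anonce, snonce)
    st_ptk = derive_ptk(derive_pmk(sensor_passphrase, ssid), aa, spa, anonce, snonce)
    ap_kck, st_kck = ap_ptk[:16], st_ptk[:16]
    # Message 1 (AP -> sensor) carries ANonce without a MIC.
    # Message 2 (sensor -> AP): SNonce protected by the sensor's KCK.
    msg2 = build_key_frame(2, snonce, st_kck)
    if not verify_key_frame(msg2, ap_kck):
        # Wrong key on the client side: a real AP deauthenticates, message 3 never arrives.
        return {"ap_verified_sensor": False, "sensor_verified_ap": False, "tk": None}
    # Message 3 (AP -> sensor): ANonce again, MIC under the AP's KCK (GTK would be wrapped under KEK).
    msg3 = build_key_frame(3, anonce, ap_kck)
    sensor_ok = verify_key_frame(msg3, st_kck)
    tk: Optional[bytes] = st_ptk[32:48] if sensor_ok else None
    return {"ap_verified_sensor": True, "sensor_verified_ap": sensor_ok, "tk": tk}


# Constructed addresses and nonces for a stand-alone run.
AA = bytes.fromhex("a0a1a1a3a4a5")        # AP (authenticator) MAC
SPA = bytes.fromhex("b0b1b2b3b4b5")       # sensor (supplicant) MAC
ANONCE = bytes(range(0xE0, 0x100))        # 32 bytes
SNONCE = bytes(range(0xC0, 0xE0))         # 32 bytes

if __name__ == "__main__":
    print(run_four_way_handshake("IEEE", "password", "password", AA, SPA, ANONCE, SNONCE))
    print(run_four_way_handshake("IEEE", "password", "passw0rd", AA, SPA, ANONCE, SNONCE))
```

The PMK derivation can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE"); a sensor whose profile holds the wrong passphrase fails at message 2 and reports the key misconfiguration instead of proceeding to layer three.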
Referring to
Once an IP address is obtained, the sensor performs a ping and traceroute test to see if a client can successfully ping a known machine on the wired network (step 508). The ping performs a test to see whether the sensor can reach a particular host through the AP over an IP network, and traceroute is a tool used to determine the route taken by packets across an IP network. These tests can be performed to an arbitrary device to determine if a wireless client can reach a wired device via the AP.
Next, the layer three connectivity test 500 performs a DNS test (step 510). This test can determine if the sensor can communicate using DNS to another device over the IP network. After completion of these tests, the layer three connectivity test 500 can provide a layer three connectivity test report (step 512). Additionally, the layer three connectivity test 500 can include other types of layer three tests as are known in the art, such as tests for open or blocked ports.
The layer three connectivity test 500 can include network performance testing (step 514). If network performance testing is enabled, the sensor generates a traffic load to test the throughput obtained from the wireless network performing Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) throughput tests (step 516). The layer three connectivity test 500 can provide a layer three performance test report (step 518), and return to the AP testing procedure 300 in
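Two of the layer three checks above, the open/blocked port scan and the TCP throughput test (step 516), as an added example that is not part of the patent: a TCP connect scan that distinguishes a refused connection (closed) from one that gets no reply at all (filtered), and a throughput measurement over a single TCP connection. To run without a WLAN, the example stands up a throwaway loopback listener that discards what it receives; the host, ports and byte counts are constructed, and the listener and helper names are this example's own.

```python
"""Layer three checks a sensor can run once it holds an IP address: TCP
connect scan and TCP throughput.  Exercised here against a loopback sink."""

import socket
import threading
import time
from typing import Dict, List


def tcp_connect_scan(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Classify each port as open, closed (RST received) or filtered (no reply)."""
    result: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                result[port] = "open"
            except ConnectionRefusedError:
                result[port] = "closed"      # something answered with a reset
            except OSError:
                result[port] = "filtered"    # timeout or unreachable: dropped on the way
    return result


class SinkServer:
    """Throwaway loopback listener that counts and discards whatever it receives."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, 0))           # port 0: the OS picks a free port
        self._sock.listen(5)
        self.host, self.port = self._sock.getsockname()
        self.received = 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self._sock.accept()
            except OSError:
                return                       # listener was closed
            with conn:
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:
                        break                # peer finished sending
                    self.received += len(chunk)

    def close(self) -> None:
        self._sock.close()


def free_loopback_port() -> int:
    """A port nobody is listening on right now, for the 'closed' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_throughput(host: str, port: int, nbytes: int = 4 * 1024 * 1024, chunk: int = 65536) -> float:
    """Push nbytes over one TCP connection and return the achieved rate in bit/s."""
    payload = b"\xaa" * chunk
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, port))
        start = time.perf_counter()
        while sent < nbytes:
            n = min(chunk, nbytes - sent)
            s.sendall(payload[:n])
            sent += n
        s.shutdown(socket.SHUT_WR)           # tell the peer we are done
        s.recv(1)                            # returns b"" once the peer has drained and closed
        elapsed = max(time.perf_counter() - start, 1e-9)
    return sent * 8 / elapsed


def run_layer3_checks(host: str, open_port: int, probe_ports: List[int],
                      nbytes: int = 1 << 20) -> Dict[str, object]:
    """Bundle the two checks the way a sensor would report them to the server."""
    ports = tcp_connect_scan(host, probe_ports)
    bps = tcp_throughput(host, open_port, nbytes)
    return {"ports": ports, "throughput_mbps": bps / 1e6}


if __name__ == "__main__":
    srv = SinkServer()
    print(run_layer3_checks(srv.host, srv.port, [srv.port, free_loopback_port()]))
    srv.close()
```

The loopback number is only a sanity check of the measurement path; a real run points the scan and the throughput sink at the known wired machine of step 508 so that the result reflects the AP and the path behind it.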
Referring to
The antennas on the radios 610, 620 are configured to receive and transmit wireless signals according to a predetermined protocol such as one of the IEEE 802.11 protocols. The radios 610, 620 can be configured as transceivers or as receiving devices. When configured as transceivers, the radios 610, 620 operate to transmit and receive wireless traffic similar to a wireless AP or a wireless client, and other wireless devices can connect to the radios 610, 620 and communicate through a network interface 630. When configured as a receiving device, the radios 610, 620 monitor the wireless network only.
In an exemplary embodiment, the wireless radio 602 includes one transceiver radio and one sensing radio to allow monitoring of the wireless network with the sensing radio and active transmission with the transceiver radio. The radios 610, 620 can be operated as transceivers in “promiscuous mode” in order to be undetectable from the airwaves and still read all IEEE 802.11 network traffic. The sensor software embedded on the device captures IEEE 802.11 frames from the wireless network, analyzes management, control and data frames, collects events and statistics and sends them to a server. The sensor 600, 602 can further include a local processor 640 that serves as the system processor. Optionally, the local processor 640 can be configured to perform data processing on collected data prior to sending it to the server to minimize network communications by performing distributed data analysis.
The network interface 630 is configured to connect to an external network such as a local Ethernet or a direct connection such as an RS232. The network interface 630 is utilized to communicate to external devices such as the server. The sensor 600, 602 can further include local data storage 645 that serves as a system data store (SDS). This local storage 645 contains any necessary operating code and/or data such as accumulated security data, network configuration data, sensor identification information and/or network communication related data. The local storage 645 typically includes DRAM, FLASH memory or combinations thereof.
The local processor 640 supports communication management, security collection, and security analysis functionality. The local processor 640 can be any microprocessor, ASIC, FPGA or combination thereof that has the computing power to manage the radios 610, 620 and the auxiliary components of the device (e.g., local storage 645, network interface 630, etc.). The sensors 600, 602 also include a connection to a power source 650 such as an alternating current (AC) interface, direct current (DC) interface, power over Ethernet (PoE) compatible interface, or a repository for one or more disposable and/or rechargeable batteries.
As described herein, the sensors 600, 602 can be used to collect and forward security related data, events, and statistics to the server 202 for further processing and analysis. In some particular embodiments using an IEEE 802.11 network, the sensors 600, 602 read IEEE 802.11 management and control frames, aggregate statistics and send collected data to a server. A wireless sensor can have several embodiments including the sensors 600, 602 depicted in
Additionally, APs and wireless clients can provide a similar functionality to wireless sensors. APs can be configured to monitor the wireless network while idle and to report data, statistics, and events back to the server. Wireless clients with WLAN cards can be configured with a software agent that utilizes the idle time on the client to monitor the wireless network and to report data, statistics, and events back to the server.
A wireless sensor will typically include at least one IEEE 802.11 radio capable of reading IEEE 802.11 frames. To provide functionality for securing a wireless network, the wireless sensor analyzes IEEE 802.11 management, control and data frames, and sends real-time or batched data back to a centralized server for analysis and processing to determine intrusions or other network activity such as health or performance monitoring or performing such analysis and processing locally in peer-to-peer configurations.
The present invention extends the functionality of the sensors 600, 602 from being passive monitoring devices and/or active defense devices to also operate as testing and troubleshooting devices. Specifically, the sensors 600, 602 can be used as wireless clients managed by a centralized server for the purposes of remotely testing connectivity at layers two and three with an AP or group of APs. Here, the sensors 600, 602 are configured as wireless clients seeking to associate with an AP. Once associated, the sensors 600, 602 can perform the connectivity tests described herein under the direction of the centralized server, and report results to the centralized server.
Referring to
The processor 710 is a hardware device for executing software instructions. The processor 710 can be any custom made or commercially available processor, a central processing unit (CPU), an auxiliary processor among several processors associated with the server 700, a semiconductor-based microprocessor (in the form of a microchip or chip set), or generally any device for executing software instructions. When the server 700 is in operation, the processor 710 is configured to execute software stored within the memory 740, to communicate data to and from the memory 740, and to generally control operations of the server 700 pursuant to the software instructions.
The I/O interfaces 720 can be used to receive user input from and/or for providing system output to one or more devices or components. User input can be provided via, for example, a keyboard and/or a mouse. System output can be provided via a display device and a printer (not shown). I/O interfaces 720 can include, for example, a serial port, a parallel port, a small computer system interface (SCSI), an infrared (IR) interface, a radio frequency (RF) interface, and/or a universal serial bus (USB) interface.
The network interface 730 can be used to enable the server 700 to communicate on a network. The network interfaces 730 can include, for example, an Ethernet card (e.g., 10BaseT, Fast Ethernet, Gigabit Ethernet) or a WLAN card (e.g., 802.11a/b/g/n). The network interfaces 730 can include address, control, and/or data connections to enable appropriate communications on the network. For example, the network interface 730 can be utilized to communicate with one or more WLAN sensor, such as the sensors 600, 602 in
The data store 750 can be used to store alarms, events, data, state, AP profiles, and statistics that the server 700 receives or analyzes from devices monitoring a wireless network. The data store can include any of volatile memory elements (e.g., random access memory (RAM, such as DRAM, SRAM, SDRAM, etc.)), nonvolatile memory elements (e.g., ROM, hard drive, tape, CDROM, etc.), and combinations thereof. Moreover, the data store may incorporate electronic, magnetic, optical, and/or other types of storage media.
In one example, the data store 750 can be located internal to the server 700 such as, for example, an internal hard drive connected to the local interface 760 in the server 700. Additionally in another embodiment, a data store 770 can be located external to the server 700 such as, for example, an external hard drive connected to the I/O interfaces 720 (e.g., SCSI or USB connection). Finally in a third embodiment, a data store 780 can be connected to the server 700 through a network, such as, for example, a network attached file server.
The memory 740 can include any of volatile memory elements (e.g., random access memory (RAM, such as DRAM, SRAM, SDRAM, etc.)), nonvolatile memory elements (e.g., ROM, hard drive, tape, CDROM, etc.), and combinations thereof. Moreover, the memory 740 may incorporate electronic, magnetic, optical, and/or other types of storage media. Note that the memory 740 can have a distributed architecture, where various components are situated remotely from one another, but can be accessed by the processor 710.
The software in memory 740 can include one or more software programs, each of which includes an ordered listing of executable instructions for implementing logical functions. In the example of
The AP testing 702 program is a software program loaded in the memory 740 of the server 700 configured to interface with one or more remote WLAN sensors (e.g., sensors 600, 602 in
In another exemplary embodiment, the server 700 can include configuration settings in the data store 750 for various APs. The AP testing 702 program can be configured to automatically adjust these configuration settings responsive to results from remote testing and troubleshooting.
Referring to
Generally, the server 700 can display a map or list of various WLAN APs. In an exemplary embodiment, a user can click on a specific AP, such as AP 800, and select Test AP Connectivity 802. An AP test screen 804 allows the user to input various settings associated for remote testing of the AP 800.
Although the present invention has been illustrated and described herein with reference to preferred embodiments and specific examples thereof, it will be readily apparent to those of ordinary skill in the art that other embodiments and examples may perform similar functions and/or achieve like results. All such equivalent embodiments and examples are within the spirit and scope of the present invention and are intended to be covered by the following claims.