Patent Grant
7516174
This application makes reference to the following commonly owned U.S. patent applications and/or patents, which are incorporated herein by reference in their entirety for all purposes:
U.S. patent application Ser. No. 10/155,938 in the name of Patrice R. Calhoun, Robert B. O'Hara, Jr. and Robert J. Friday, entitled “Method and System for Hierarchical Processing of Protocol Information in a Wireless LAN;”
U.S. application Ser. No. 10/183,704 in the name of Robert J. Friday, Patrice R. Calhoun, Robert B. O'Hara, Jr., Alexander H. Hills and Paul F. Dietrich, and entitled “Method and System for Dynamically Assigning Channels Across Multiple Radios in a Wireless LAN;”
U.S. application Ser. No. 10/302,508 in the name of Scott G. Kelly and Robert Tashjian, entitled “Network with Virtual ‘Virtual Private Network’ Server;”
U.S. patent application Ser. No. 10/407,584 in the name of Patrice R. Calhoun, Robert B. O'Hara, Jr. and Robert J. Friday, entitled “Method and System for Hierarchical Processing of Protocol Information in a Wireless LAN;”
U.S. patent application Ser. No. 10/407,370 in the name of Patrice R. Calhoun, Robert B. O'Hara, Jr. and David A. Frascone, entitled “Wireless Network System Including Integrated Rogue Access Point Detection;” and
U.S. application Ser. No. 10/447,735 in the name of Robert B. O'Hara, Jr., Robert J. Friday, Patrice R. Calhoun, and Paul F. Dietrich and entitled “Wireless Network Infrastructure including Wireless Discovery and Communication Mechanism.”
The present invention relates to wireless computer networks and, more particularly, to a wireless network security system that protects against access to internal network addresses.
Market adoption of wireless LAN (WLAN) technology has exploded, as users from a wide range of backgrounds and vertical industries have brought this technology into their homes, offices, and increasingly into the public air space. This inflection point has highlighted not only the limitations of earlier-generation systems, but the changing role WLAN technology now plays in people's work and lifestyles, across the globe. Indeed, WLANs are rapidly changing from convenience networks to business-critical networks. Increasingly users are depending on WLANs to improve the timeliness and productivity of their communications and applications, and in doing so, require greater visibility, security, management, and performance from their network.
As enterprises and other entities increasingly rely on wireless networks, security of wireless network environments becomes a critical component to ensure the integrity of the enterprise's network environment against unauthorized access. Indeed, wireless networks pose security risks not typically encountered in wired computer networks, since any wireless client in the radio frequency (RF) coverage area of an access point can, without a physical connection, potentially gain access to the network, or at the very least capture data transmitted in wireless frames. In an 802.11 wireless network, prior art security mechanisms are implemented in a variety of manners. For example, the 802.11 protocol provides for shared-key authentication according to which a wireless client must possess a shared secret key in order to establish a wireless connection with an access point. In addition, as with wired networks, the wireless network infrastructure can operate in connection with application level security mechanisms, such as a RADIUS or other authentication server, to control access to network resources.
Various measures have been developed to protect against eavesdropping. For example, the Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communications from eavesdropping by encrypting wireless traffic based on a shared private key. WEP seeks to establish similar protection to that offered by the wired network's physical security measures by encrypting data transmitted over the WLAN. Data encryption protects the vulnerable wireless link between clients and access points. Wi-Fi Protected Access (WPA) has also been developed to address the known security flaws associated with WEP.
In addition, VPN functionality offers another or additional method of securing wireless connections. A Virtual Private Network (VPN) is a known communication application that typically operates at Layer 3 and of the OSI Reference model. This mechanism is used to provide secure communication among clients that have established a connection to a VPN server, typically a physical element in such a network. Specifically, a VPN server provides both authentication of, and privacy for, communications between the VPN server and a user device, such as a wireless client device. A traditional application of a VPN server is to secure the communications between user devices that are outside an enterprise's facilities and the enterprise's network over the public internet or dial-up connections. A typical VPN server, after authenticating the communications from the user devices and removing any encryption applied to protect the privacy of those communications, forwards the communications onto the company's internal network, providing reasonable assurance of secure communications. When used to secure wireless networks, Virtual Private Networking (VPN) client software creates a secure connection between a mobile station and a VPN server. The VPN client residing on a mobile station encrypts all data passed between it and a VPN server, making it very difficult for data contained in intercepted wireless frames to be read.
Many VPN solutions, such as Layer 2 Tunneling Protocol (L2TP) and IPSec in tunnel mode, require the use of two client IP addresses, one for the “outer” encapsulating IP packet header and another for the encapsulated IP packet. In a typical deployment, a VPN client obtains an IP address from an ISP which is used for the “outer” IP address and a second IP address from the VPN Server (the “inner” IP address) which is the VPN client's IP address on the VPN protected network. When used to secure wireless communications between a mobile station and an access point that bridges wireless traffic, a mobile station is typically assigned an IP address using DHCP functionality. Conventionally, the inner and outer IP addresses for the client or mobile station are often identical in VPN deployments used to protect wireless networks. This has the undesirable effect of decreasing network security by exposing the inner IP addresses assigned to the mobile stations, as well as any network topology information that can be gleaned from the inner IP address or collection of IP addresses from other mobile stations.
In light of the foregoing, a need in the art exists for methods, apparatuses and systems that prevent eavesdroppers from obtaining access to internal network addresses assigned to mobile stations. Embodiments of the present invention substantially fulfill this need.
The present invention provides methods, apparatuses and systems directed to preventing unauthorized access to internal network addresses transmitted across wireless networks. According to the invention, mobile stations are assigned virtual client network addresses that are used as the outer network addresses in a Virtual Private Network (VPN) infrastructure, as well as unique internal network addresses used as the inner network addresses. In one implementation, the virtual client network addresses have little to no relation to the internal network addressing scheme implemented on the network domain. In one implementation, all clients or mobile stations are assigned the same virtual client network address. A translation layer, in one implementation, intermediates the VPN session between the mobile stations and a VPN server to translate the virtual client network addresses to the internal network addresses based on the medium access control (MAC) address corresponding to the mobile stations. In this manner, the encryption inherent in the VPN infrastructure prevents access to the internal network addresses assigned to the mobile stations.
7B are flow chart diagrams providing methods, according to one implementation of the present invention, directed to intermediating VPN sessions between VPN clients and VPN servers.
A. Operating Environment
For didactic purposes an embodiment of the present invention is described as operating in a WLAN environment as disclosed in U.S. application Ser. Nos. 10/155,938 and 10/407,357 incorporated by reference herein. As discussed below, however, the present invention can be implemented according to a vast array of embodiments, and can be applied to a variety of WLAN architectures.
The access elements 11-15 are coupled via communication means using a wireless local area network (WLAN) protocol (e.g., IEEE 802.11a, 802.11b, 802.11g, etc.) to the client remote elements 16, 18, 20, 22. The communications means 28, between the access elements 12, 14 and the central control element 24 is typically an Ethernet network, but it could be anything else which is appropriate to the environment. As described in U.S. application Ser. No. 10/155,938, the access elements 12, 14 and the central control element 24 tunnel network traffic associated with corresponding remote client elements 16, 18; 20, 22 via direct access lines 28 and 30, respectively. Central control element 24 is also operative to bridge the network traffic between the remote client elements 16, 18; 20, 22 transmitted through the tunnel with corresponding access elements 12, 14.
As described in the above-identified patent applications, central control element 24 operates to perform data link layer management functions, such as authentication and association on behalf of access elements 12, 14. For example, the central control element 24 provides processing to dynamically configure a wireless Local Area Network of a system according to the invention while the access elements 12, 14 provide the acknowledgment of communications with the client remote elements 16, 18, 20, 22. The central control element 24 may for example process the wireless LAN management messages passed on from the client remote elements 16, 18; 20, 22 via the access elements 12, 14, such as authentication requests and authorization requests, whereas the access elements 12, 14 provide immediate acknowledgment of the communication of those messages without conventional processing thereof. Similarly, the central control element 24 may for example process physical layer information. Still further, the central control element 24 may for example process information collected at the access elements 12, 14 on channel characteristic, propagation, signal strength, and interference or noise. Central control element 26 and associated access elements 11, 13, 15 operate in a similar or identical manner. Other system architectures are possible. For example, U.S. application Ser. No. 10/407,357 discloses a system architecture where the access elements, such as access elements 12-15, are directly connected to segment of network 50. In addition, the present invention can operate in connection with conventional access points that do not include this hierarchical configuration.
As discussed in U.S. application Ser. No. 10/183,704, in one implementation, there is both a logical data path 66 and a control path 68 between a central control element 24 or 26 and an access element (e.g., access element 11). The control path 68 allows the central control element 24 or 26 to communicate with the radio access elements 11-15, as well as intercept and process various messages (e.g., DHCP requests and responses) sourced from or destined for the remote client elements. By monitoring the data path 66, the central control element 24 can, for example, intercept DHCP messages and transmit them to DHCP proxy 78 for processing. More specifically, a flag detector 62 identifies various packet or message types routing them through logical switch 64 to a high-speed data path 66 in communication with the wired network 50 or to control path 68 within the central control element 24 or 26. Identification of DHCP messages is based on analysis of one or more packet attributes against a signature that incorporates one or more elements of known DHCP message elements. One of ordinary skill in the art is able to configure flag detector 62 to recognize DHCP messages based on the DHCP specification described for example at RFC 2131, R. Droms, “Dynamic Host Configuration Protocol” (March 1997), which is incorporated by reference herein. As discussed in the above-identified applications, the data path 66 is optionally monitored by a wireless node data collector 70 to collect various information, such as signal strength data and the like. As
In the network of
B. Reverse Address Translation and DHCP Intermediation
A variety of implementations are possible. For example, DHCP proxy 78 can be configured to transmit a DHCPREQUEST in response to a DHCPOFFER, and simply discard the DHCPREQUEST transmitted by the mobile station. Additionally, DHCP proxy 78 can be configured to broadcast the DHCP messages over network 50, instead of relaying the messages to an identified DHCP server. In such an implementation, DHCP proxy intercepts the DHCPOFFER packet(s), selects one of them (if necessary), replaces the dynamic IP address in the selected DHCPOFFER packet with the virtual outer IP address assigned to all clients and forwards the modified DHCPOFFER packet to the mobile station. Still further, central control elements 24, 26 may include DHCP server functionality obviating the need for the DHCP messages to be relayed or broadcast over network 50. Nevertheless, DHCP proxy 78 intermediates the DHCP transaction in such an implementation. Still further, the present invention can be used in connection with permanent leases of DHCP addresses. In addition, the DHCP server functionality may be modified to reserve IP addresses based on the MAC address of the mobile station.
After a remote client element receives a virtual client network address, in one implementation, it then initiates a VPN session with VPN server 74. RAT layer 72, in one implementation, intermediates the VPN session (including the Internet Key Exchange (IKE) protocol session) between the remote client elements and VPN server 74, using the information in RAT table 79 to replace the virtual client network address with the internal client network address as necessary.
Of course other configurations are possible. For example, in another implementation, each mobile station may be statically configured with a virtual client network address. Initiation of a WLAN connection, causes the central control element to spoof the mobile station and obtain an internal network address from a DHCP server, for example, and insert it in RAT table 79 in association with the MAC address and virtual client network address of the mobile station. RAT layer 72 operates as discussed above to intermediate the VPN session between the mobile station and the VPN server 74.
C. Virtual Network Addresses
The virtual client network address and the virtual VPN server network address can be configured in a variety of ways. For example and in a preferred embodiment, the virtual client network address is 1.1.1.2, while the virtual VPN server network address is 1.1.1.1 with a /31 subnet mask. One skilled in the art will recognize that this network addressing scheme achieves the smallest possible subnet with two host addresses, a network address and a broadcast address. As discussed above, one host address is assigned, in one implementation, to all mobile stations as the virtual client network address, while the other host address is assigned to the VPN servers 74 associated with the central control elements 24, 26. In a preferred form, the virtual network addresses are within the smallest subnet possible to reduce the potential for address space collisions for legitimate network traffic. One skilled in the art will also recognize that the above addresses are non-routable (at present) network addresses. Other IP addresses can also be used, such as other addresses reserved by the Internet Address Number Authority (IANA) (e.g., 000/8, 002/8 and 010/8 networks, etc.). Of course, larger subnets for the virtual network addresses may also be used. For example, in one implementation, virtual network addresses may be configured on a per-domain basis, a per-WLAN basis. In addition, virtual network addresses may be assigned based on the time of association to a WLAN, or any other suitable criterion.
In one implementation, a network administrator may configure a virtual network address for VPN server 74 or for the mobile stations. In one implementation, central control element 24 includes functionality that computes the narrowest possible subnet and another unique IP address, given the IP address configured by the network administrator. For didactic purposes, assume that a 32-bit IP address consists of two pieces, a network address and a host address. Further, assume that each address consists of adjacent bits in the IP Address, and that the host address occupies the least significant (right most) bits of the IP address. For IP networks, a host address of all ‘1’s is reserved for a broadcast address, and a host address of all ‘0’s is reserved for a ‘network’ address. Accordingly, a host address must be at least two bits wide. A subnet mask consists of a 32 bit quantity with a ‘1’ in every network address bit position and a ‘0’ in every host address position.
In light of the foregoing, given an arbitrary IP address, <IP>, central control element 24 finds the largest subnet mask for the IP address containing <IP>, a second, discrete IP address, a broadcast address and network address. Because a host address that includes all 1's or 0's is not a valid host address, central control element 24 starts with the least significant bit (bit(0), by convention) and examine each bit sequentially for bit(n+1)≠bit(n), for n=0 to 30. The subnet mask consists of bits(31):bit(n+2), or (2exp(32)−1)−(2exp(n+2)−1). In other words, central control element 24 examines the binary representation of a given IP address and identifies the bit position of the first sequential bit pair that is neither all 1's or 0's. Once identified, the subnet mask is computed based on the identified bit position n. For example, if the last octet of a given IP address is <00001000>, n (the bit position) equals 2. Therefore, the subnet mask equals 0xffffffff−0x0000000f{2exp(n+2)−1}=0xfffffff0. In addition, to determine a unique second network address, central control element 24 XORs the given network address with the inverse of the computed subnet mask. Since XOR does not involve a carry operation it can be used on an arbitrary bit width value and does not need additional operations when the carry extends outside the host address.
The invention has been explained with reference to specific embodiments. For example, although the embodiments described above operate in connection with IEEE 802.11 networks, the present invention can be used in connection with any suitable wireless network protocol. Still further, although the embodiments described above operate in connection with a WLAN system including hierarchical processing of protocol information, the present invention can also be used in connection with a WLAN system comprising one or more substantially conventional access points that do not include this split or hierarchical configuration. Other embodiments will be evident to those of ordinary skill in the art. It is therefore not intended that the invention be limited except as indicated by the appended claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5335246 | Yokev et al. | Aug 1994 | A |
| 5491692 | Gunner et al. | Feb 1996 | A |
| 5564079 | Olsson | Oct 1996 | A |
| 5621727 | Vaudreuil | Apr 1997 | A |
| 5684860 | Milani et al. | Nov 1997 | A |
| 5749044 | Natarajan et al. | May 1998 | A |
| 5809059 | Souissi et al. | Sep 1998 | A |
| 5920699 | Bare | Jul 1999 | A |
| 6112095 | Wax et al. | Aug 2000 | A |
| 6115605 | Siccardo et al. | Sep 2000 | A |
| 6134448 | Shoji et al. | Oct 2000 | A |
| 6140964 | Sugiura et al. | Oct 2000 | A |
| 6175379 | Ishii et al. | Jan 2001 | B1 |
| 6198935 | Saha et al. | Mar 2001 | B1 |
| 6208629 | Jaszewski et al. | Mar 2001 | B1 |
| 6212391 | Saleh et al. | Apr 2001 | B1 |
| 6249252 | Dupray | Jun 2001 | B1 |
| 6259406 | Sugiura et al. | Jul 2001 | B1 |
| 6269246 | Rao et al. | Jul 2001 | B1 |
| 6275190 | Sugiura et al. | Aug 2001 | B1 |
| 6282427 | Larsson et al. | Aug 2001 | B1 |
| 6286038 | Reichmeyer et al. | Sep 2001 | B1 |
| 6304218 | Sugiura et al. | Oct 2001 | B1 |
| 6304912 | Oguchi et al. | Oct 2001 | B1 |
| 6414634 | Tekinay | Jul 2002 | B1 |
| 6415155 | Koshima et al. | Jul 2002 | B1 |
| 6441777 | McDonald | Aug 2002 | B1 |
| 6456892 | Dara-Abrams et al. | Sep 2002 | B1 |
| 6526283 | Jang | Feb 2003 | B1 |
| 6556942 | Smith | Apr 2003 | B1 |
| 6643278 | Panasik et al. | Nov 2003 | B1 |
| 6754220 | Lamberton et al. | Jun 2004 | B1 |
| 6760318 | Bims | Jul 2004 | B1 |
| 6772226 | Bommareddy et al. | Aug 2004 | B1 |
| 6788658 | Bims | Sep 2004 | B1 |
| 6823462 | Cheng et al. | Nov 2004 | B1 |
| 6917819 | Collins | Jul 2005 | B2 |
| 6925070 | Proctor, Jr. | Aug 2005 | B2 |
| 6934292 | Ammitzoboell | Aug 2005 | B1 |
| 6944785 | Gadir et al. | Sep 2005 | B2 |
| 6957067 | Iyer et al. | Oct 2005 | B1 |
| 6993026 | Baum et al. | Jan 2006 | B1 |
| 7002943 | Bhagwat et al. | Feb 2006 | B2 |
| 7016948 | Yildiz | Mar 2006 | B1 |
| 7036143 | Leung et al. | Apr 2006 | B1 |
| 7088689 | Lee et al. | Aug 2006 | B2 |
| 7107614 | Boden et al. | Sep 2006 | B1 |
| 7110375 | Khalil et al. | Sep 2006 | B2 |
| RE39317 | Sakagawa | Oct 2006 | E |
| 7152117 | Stapp et al. | Dec 2006 | B1 |
| 7154889 | Rekhter et al. | Dec 2006 | B1 |
| 7164663 | Frank et al. | Jan 2007 | B2 |
| 7212837 | Calhoun et al. | May 2007 | B1 |
| 20020174335 | Zhang et al. | Nov 2002 | A1 |
| 20020188723 | Choi | Dec 2002 | A1 |
| 20020194384 | Habetha | Dec 2002 | A1 |
| 20030023746 | Loguinov | Jan 2003 | A1 |
| 20030054794 | Zhang | Mar 2003 | A1 |
| 20030117985 | Fujii et al. | Jun 2003 | A1 |
| 20030134648 | Reed et al. | Jul 2003 | A1 |
| 20030135762 | Macaulay | Jul 2003 | A1 |
| 20030172149 | Edsall et al. | Sep 2003 | A1 |
| 20030181215 | Cromer et al. | Sep 2003 | A1 |
| 20030186679 | Challener et al. | Oct 2003 | A1 |
| 20030188006 | Bard | Oct 2003 | A1 |
| 20030198208 | Koos, Jr. et al. | Oct 2003 | A1 |
| 20030219008 | Hrastar | Nov 2003 | A1 |
| 20030224787 | Gandolfo | Dec 2003 | A1 |
| 20040003285 | Whelan et al. | Jan 2004 | A1 |
| 20040008652 | Tanzella et al. | Jan 2004 | A1 |
| 20040023639 | Noel | Feb 2004 | A1 |
| 20040023640 | Ballai | Feb 2004 | A1 |
| 20040047324 | Diener | Mar 2004 | A1 |
| 20040049699 | Griffith et al. | Mar 2004 | A1 |
| 20040076134 | Barber et al. | Apr 2004 | A1 |
| 20040111607 | Yellepeddy | Jun 2004 | A1 |
| 20040121827 | Murakami et al. | Jun 2004 | A1 |
| 20040176108 | Misikangas | Sep 2004 | A1 |
| 20040185777 | Bryson | Sep 2004 | A1 |
| 20040198392 | Harvey et al. | Oct 2004 | A1 |
| 20050030929 | Swier et al. | Feb 2005 | A1 |
| 20050073979 | Barber et al. | Apr 2005 | A1 |
| 20050114649 | Challener et al. | May 2005 | A1 |
| 20050207381 | Aljadeff et al. | Sep 2005 | A1 |
| 20050210150 | Bahl | Sep 2005 | A1 |
| Number | Date | Country |
|---|---|---|
| 0 930 514 | Jul 1999 | EP |
| 0 967 816 | Dec 1999 | EP |
| 1 018 457 | Jul 2000 | EP |
| 1 296 531 | Mar 2003 | EP |
| 1 301 055 | Apr 2003 | EP |
| 02044929 | Feb 1990 | JP |
| WO 9841048 | Dec 1999 | WO |
| WO 9908909 | Jul 2000 | WO |
| WO 9733386 | Oct 2000 | WO |
| WO 0243425 | May 2002 | WO |
| WO 02054813 | Jul 2002 | WO |
| WO 03023443 | Mar 2003 | WO |
