DE102013206353B4 - Identify unauthorized or error-configured wireless network access using distributed end points - Google Patents

Info

Publication number: DE102013206353B4
Authority: DE (Germany)
Prior art keywords: wap, waps, localized, central entity, endpoints
Legal status: Active
Application number: DE102013206353.9A
Other languages: German (de)
Other versions: DE102013206353A1 (en)
Inventors: Terry Dwain Escamilla, Charles Steven Lingafelt, David Robert Safford
Current Assignee: International Business Machines Corp
Original Assignee: International Business Machines Corp
Priority: US13/455,419 (US20130291063A1); US13/459,383 (US20130291067A1)
Application filed by International Business Machines Corp
Publication of DE102013206353A1
Application granted
Publication of DE102013206353B4

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 24/00 Supervisory, monitoring or testing arrangements > H04W 24/04 Arrangements for maintaining operational condition
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 64/00 Locating users or terminals or network equipment for network management purposes, e.g. mobility management > H04W 64/003 Locating users or terminals or network equipment for network management purposes, e.g. mobility management; locating network equipment

Abstract

A system for identifying at least one of unauthorized and misconfigured wireless network access points (WAPs) in a communications network, the system comprising: a plurality of network endpoints; a plurality of agents executing on the plurality of endpoints, the agents being arranged to periodically locate WAPs and report localized WAPs to a central entity; and a central entity operable to receive information regarding localized WAPs from the plurality of agents, to determine whether at least one particular one of the localized WAPs needs to be tested, and to actively check localized WAPs when it is determined that the particular one of the localized WAPs needs to be tested, the central entity a) collecting and analyzing passive data on localization operations and active data on audit operations, and b) controlling the plurality of agents executing on the plurality of endpoints based on these results, the central entity comprising: a receiving module adapted to receive information from one or more of the WAPs; a reporting and alert-issuing module connected to the receiving module; a database connected to the receiving module and the reporting and alert-issuing module; and a control module connected to the database, wherein the control module is operable to apply prescribed rules stored in the database to a configuration status of an observed WAP to determine whether the observed WAP should be checked by at least one of the plurality of network endpoints.

Description

  • Field of the invention
  • The present invention relates generally to the fields of electrical engineering, electronics and computer engineering, and more particularly to secure wireless data transmission. US Pat. No. 7,808,958 B1 and US Pat. No. 7,336,670 B1 describe methods for detecting rogue (abusive) wireless network access points.
  • Background
  • Wireless networking has become a commonly used means of data transmission. Businesses of all sizes set up wireless networks (e.g., using an IEEE 802.11 protocol standard or the like) for a variety of reasons, for example to reduce cabling costs, to provide connectivity in large offices or warehouses, for the convenience of workers, to provide guests with access, to provide remote access to data, and so on, without limitation. However, as important business information is increasingly transmitted over wireless communication systems, the vulnerabilities of such systems are often exploited to gain access to critical business information and systems.
  • Security issues of Wireless Local Area Networks (WLANs), e.g., data transmission using an IEEE 802.11 wireless transmission protocol (WiFi), are well known. In particular, the problem of "open" wireless access points (WAPs) that have not been properly configured for access control (e.g., to exclude abusive network access) has received widespread attention, including wardriving, which involves a person in a moving vehicle searching for WiFi wireless networks, and warchalking, which involves drawing symbols in public places to indicate an open WiFi wireless network. In response, numerous wireless security systems have been developed to detect and identify open or misconfigured WAPs, including IBM Corporation's Wireless Security Auditor (WSA) and Distributed Wireless Security Auditor (DWSA), Kismet, AirMagnet products, and the Cisco Wireless Control System (WCS). Despite current efforts to control access through WAPs, traditional approaches continue to present significant challenges.
  • Summary
  • Advantageously, aspects of the present invention provide a mechanism for identifying unauthorized or misconfigured wireless network access points (WAPs) in a communications network (e.g., a corporate intranet) having multiple endpoints. To accomplish this, illustrative embodiments of the invention place an agent on multiple endpoints and then, based on the information received from the endpoints and the application of prescribed criteria (e.g., business rules), cause at least a subset of the endpoints to perform certain actions, e.g., active checking, to generate information sufficient to identify misconfigured and/or unauthorized WAPs in the network.
  • According to one embodiment of the invention, a system for identifying unauthorized and/or misconfigured wireless network access points (WAPs) in a communications network includes a plurality of network endpoints and a plurality of agents executing on the plurality of endpoints. The agents are designed to periodically locate WAPs and report localized WAPs to a central entity. The system also includes a central entity that is operable to receive information regarding localized WAPs from the agents, to determine whether at least one particular one of the localized WAPs needs to be audited, and to initiate active checking of localized WAPs when it determines that the particular one of the localized WAPs needs to be tested.
  • According to a further embodiment of the invention, a method for identifying unauthorized and/or misconfigured WAPs in a communications network includes the steps of: an agent running on an endpoint in the communications network locating one or more WAPs in the communications network; the agent reporting at least one localized WAP to a central entity; and the central entity applying prescribed business rules to determine whether the at least one localized WAP needs to be audited and initiating an active audit of the at least one localized WAP if it is determined that the at least one localized WAP must be checked, in order to determine whether the localized WAP is unauthorized and/or misconfigured.
  • According to yet another embodiment of the invention, an apparatus for identifying unauthorized and/or misconfigured WAPs in a communications network includes at least one processor. The processor is operable to: (i) activate an agent to run on at least one endpoint in the communications network, the agent being arranged to locate one or more WAPs in the communications network; (ii) receive information regarding at least one localized WAP from the agent; (iii) apply prescribed criteria to determine whether the localized WAP needs to be audited; and (iv) initiate active checking of the localized WAP if it is determined that the localized WAP needs to be tested, in order to determine whether the localized WAP is unauthorized and/or misconfigured.
  • As used herein, "facilitating" an action includes performing the action, making the action easier, helping to carry out the action, or causing the action to be performed. Thus, for example, instructions executing on one processor could facilitate an action carried out by instructions executing on a remote processor by sending appropriate data or commands to cause or help the action to be performed, but not limited thereto. For the avoidance of doubt, where an actor facilitates an action other than by performing it, the action is nevertheless performed by some entity or combination of entities.
  • One or more embodiments of the invention or elements thereof may be implemented in the form of a computer program product, for example in the form of a computer-readable storage medium having computer-usable program code for performing the specified method steps. Moreover, one or more embodiments of the invention or elements thereof may be implemented in the form of a system (or apparatus) that includes a memory and at least one processor coupled to the memory and operable to perform exemplary method steps. Additionally, one or more embodiments of the invention or elements thereof may be implemented in the form of means for performing one or more of the method steps described herein, wherein the means may include: (i) hardware module(s), (ii) software module(s) stored in a computer-readable storage medium (or a plurality of such media) and implemented on a hardware processor, or (iii) a combination of (i) and (ii), wherein any of (i) to (iii) implements the specific techniques set forth herein.
  • Techniques of the present invention can provide significant advantageous technical effects. For example, embodiments may provide, inter alia, one or more of the following advantages:
    • reducing the likelihood that unauthorized users will compromise a data communications network, thereby reducing the likelihood of data loss, bad data or corrupted data;
    • reducing the likelihood of infection of the client infrastructure by a virus and/or malware;
    • ensuring compliance with client-specific or regulatory security configuration standards for WAPs;
    • protecting employees on a corporate intranet from connecting to unauthorized or abusive WAPs that try to fake the identity of a valid client WAP.
  • Thus, unauthorized or misconfigured WAPs may advantageously be recognized using techniques in accordance with aspects of the invention without having to maintain a database of "allowed" network access points that requires live updating.
  • These and other features and advantages of the present invention will be apparent from the following detailed description of illustrative embodiments thereof, taken in conjunction with the accompanying drawings.
  • Brief description of the drawings
  • The following drawings are merely illustrative and not restrictive, wherein like reference numerals (when used) indicate corresponding elements throughout the several views, and wherein:
  • FIG. 1 is a block diagram depicting at least part of an exemplary system 100 according to an embodiment of the invention;
  • FIG. 2 is a flowchart depicting at least part of an example method for identifying unauthorized or misconfigured WAPs in a system (e.g., a communication network) in accordance with an embodiment of the invention; and
  • FIG. 3 is a block diagram showing at least a portion of an example system suitable for executing software according to embodiments of the invention.
  • It is to be understood that elements in the figures are illustrated for simplicity and clarity. Conventional but well-understood elements that may be useful or necessary in a commercially feasible embodiment may not be shown, in order to facilitate a less obstructed view of the illustrated embodiments.
  • Detailed description of preferred embodiments
  • Aspects of the present invention are described herein in the context of an illustrative apparatus and illustrative methods for identifying unauthorized or misconfigured wireless network access points (WAPs) in a data transmission network (e.g., a corporate intranet) having multiple endpoints. To accomplish this, illustrative embodiments of the invention place an agent on multiple endpoints and then, based on the information received from the endpoints and the application of prescribed criteria (e.g., business rules), cause at least a subset of the endpoints to perform certain actions, for example active checking, to generate information sufficient to identify misconfigured and/or unauthorized WAPs in the network. Thus, techniques in accordance with illustrative embodiments of the invention perform monitoring and testing of WAPs to identify unauthorized or misconfigured WAPs.
  • It is to be understood, however, that the invention is not limited to the specific apparatus and/or the specific methods shown and described herein for purposes of illustration. Instead, embodiments of the invention are generally directed to techniques for identifying unauthorized or misconfigured WAPs in a communications network in a manner that does not interfere with the client's normal wired or wireless network operations. Furthermore, it will be apparent to those skilled in the art that, in light of the teachings herein, numerous changes can be made to the embodiments shown that fall within the scope of the present invention. That is, no limitations with respect to the specific embodiments described herein are intended or should be inferred.
  • FIG. 1 is a block diagram depicting at least part of an exemplary system 100 according to an embodiment of the invention. The system 100 includes a plurality of endpoints, endpoint (A) 102 through endpoint (N) 104, a plurality of wireless network access points, WAP 1 106, WAP 2 108, WAP 3 110 and WAP 4 112, and a central entity 114. A transmission path between the central entity 114 and the respective endpoints 102 through 104 usually exists within an intranet 116 or an alternative means of data transmission. At least some of the WAPs (e.g., WAPs 108, 110 and 112) are inside the intranet 116, while one or more WAPs (e.g., WAP 106) may be outside the intranet. The intranet 116 is preferably, for example, a corporate intranet.
  • Each of at least a subset of the endpoints 102 through 104 contains a detection agent or detection module 103a through 103n and wireless components 105a through 105n. Each of the wireless components 105a through 105n may contain a wireless transceiver or an alternative wireless interface (e.g., a wireless network access card) for exchanging data with corresponding WAPs in the system 100. For example, wireless components 105a exchange data with WAPs 106, 108 and 110, and wireless components 105n exchange data with WAPs 110 and 112.
  • The central entity 114 includes a central receiving entity or central receiving module 118, a reporting or alert-issuing entity or reporting and alert-issuing module 120 connected to the central receiving entity 118, a database 122 or an alternative storage element connected to the central receiving entity 118 and the reporting and alert-issuing module 120, and a central control entity or central control module 124 connected to the database 122. The central entity 114 collects and analyzes the passive data (e.g., on "localization" operations) and the active data (e.g., on "audit" operations) and controls the endpoint agents based on the results. More specifically, the central entity 114 is essentially a server (or a collection of servers) which, by means of the central receiving entity 118, the reporting and alert-issuing module 120, the database 122 and/or the central control entity 124, is operable to control the endpoint detection agents 103a through 103n (e.g., via the central control entity 124), to store prescribed information (e.g., business rules, etc.) in the database 122, to receive messages that traverse a specific WAP under observation and the intranet 116 (e.g., via the central receiving entity 118), and to report (i.e., issue an alert about) a prescribed state depending on the one or more received messages (e.g., via the reporting and alert-issuing module 120). The data stored in the database 122 may include, for example, all reports received from endpoint agents (e.g., name and address of localized WAPs) and audit packets. This data is used to determine whether a particular WAP is misconfigured or unauthorized, but these results are not necessarily stored in the database itself.
  • It will be understood that the term "localized", as used in connection with WAPs (e.g., a localized WAP), is intended to refer generally to a WAP that is recognized, discovered or identified, rather than to a physical location of the WAP. Similarly, the term "locate", as used in connection with WAPs (e.g., localizing a WAP), is generally intended to refer to the act of detecting, tracking or identifying a WAP and not to the act of determining a physical position or physical location of the WAP. For example, in many cases a WAP is "located" virtually (i.e., as an abstraction) with respect to its network address or an alternative identifier. Thus, as used herein, the terms "located" or "locate" should generally encompass a virtual or physical location of the entity to which they refer.
  • The detection agent or detection module 103a through 103n running on the endpoints 102 through 104 may be configured to locate one or more corresponding WAPs in the communication network during prescribed time intervals, for example as part of performing a discovery operation. In some embodiments, the prescribed time intervals in which the agents locate one or more WAPs are periodic.
  • According to an illustrative embodiment, the endpoints 102 through 104, under the control of the central control entity 124, are operable to periodically locate the WAPs 106, 108, 110, 112 (i.e., to "listen in" on them). With regard to WAP 106, which in this illustration is located outside the intranet 116, the detection agent 103a running on endpoint 102 locates the WAP 106, and the central entity 114 can instruct this agent to actively check this WAP based on prescribed policies. Because the WAP 106 is not connected to the intranet 116, the check will not reach the central receiving entity 118, providing evidence that this WAP is not connected to the intranet.
  • A report on an observed WAP is sent to the central control entity 124, which can receive more than one report, with multiple reports (from different endpoints) identifying the same WAP. The central control entity 124 then applies prescribed rules (such as business rules), which may be stored in the database 122, to a configuration status of the observed WAP to determine whether the WAP should be checked by an endpoint. For example, such rules applied to the observed WAP may consider whether the WAP is misconfigured (i.e., "open"), whether the WAP transmits the company's Service Set Identifier (SSID), whether more than a prescribed threshold number of endpoints identify the same WAP, whether the location of the identifying endpoints is within a prescribed physical area, whether the strength of the WAP's radio signal exceeds a prescribed threshold, or a combination of one or more of these rules and/or other rules, but are not limited thereto.
  • If it is determined that a particular WAP should be tested by an endpoint, the central control entity 124 selects at least a subset (e.g., one or more) of the endpoints 102 through 104 to perform an active check of the WAP. The selection of one or more endpoints depends on one or more of the prescribed rules (stored in the database 122). For example, the central control entity 124 may select an endpoint based on the strength of the WAP's radio signal as received by the endpoints (e.g., the endpoint with the strongest radio signal from the WAP may be selected). Alternatively or additionally, an endpoint whose wireless network card is most active may be selected, or a combination of these or other rules may be used.
  • In one embodiment, as part of performing an active check of the WAP and the network corresponding to the WAP, the one or more selected endpoints may associate with the WAP (i.e., connect to the WAP) and then send one or more requests, e.g., a Dynamic Host Configuration Protocol (DHCP) ping, to network resources and monitor the response from the WAP (e.g., IP address, default route, etc.). When a wireless client connects to a WAP, the WAP responds with network information including, for example, a range of valid network addresses, an IP address assigned to the client within that range, and the default route (i.e., a default IP address to which the client sends all external packets). This is the minimum information that the client needs to transfer data over the network.
  • In another embodiment, the endpoint may check the WAP by attempting to send a message via the WAP to the central receiving entity 118 (which is located on the corporate intranet 116). This action confirms that the WAP is connected to the corporate intranet and, in addition, certain information may be obtained, e.g., the network path from the endpoint client to the central receiving entity 118, the IP address of the WAP, the routing between the endpoint and the central receiving entity, etc. At both the central control entity 124 and the central receiving entity 118 an alarm is generated (e.g., by the reporting and alert-issuing module 120) if it is detected that the WAP is misconfigured or should not be allowed on the intranet 116. Even though a connection between the central control entity 124 and the reporting and alert-issuing module 120 is not explicitly shown, it will be understood that interaction between the two functional modules is contemplated. For example, in some embodiments the reporting and alert-issuing module 120 may serve as the administrative interface, and, based on the observed data in the database, the reporting and alert-issuing module 120 may send instructions to the central control entity 124 so that it changes its control of the endpoints.
  • FIG. 2 is a flowchart depicting at least part of an example method 200 for identifying unauthorized or misconfigured WAPs in a system (e.g., a communication network) in accordance with an embodiment of the invention. As is apparent from FIG. 2, the method 200 is divided into three functional components: a client component 202, at least a portion of which may be performed in a client module or endpoint; a central control component 204, at least a portion of which may be performed in the central control module (e.g., the central control entity 124 in FIG. 1); and a central receiving component 206, at least a portion of which may be performed in the central receiving module (e.g., the central receiving entity 118 in FIG. 1). Each of the functional components may be implemented using one or more agents. These components/agents can carry out the entire method 200 for identifying unauthorized or misconfigured WAPs by interacting with each other (for example, passing data between them).
  • As used herein, the term "agent" is intended to be broadly defined as a software program acting on behalf of a user or of another program in an agency relationship. Thus, an agent refers to a software abstraction, idea or concept similar to object-oriented programming terms such as methods, functions and objects. The concept of an agent provides a convenient and powerful way to describe a complex software entity that can operate with a degree of autonomy to perform tasks on behalf of its host. Unlike objects, which are defined in terms of methods and attributes, an agent is generally defined in terms of its behavior (e.g., an agent's behavior may be to take no action, to localize WAPs, or to examine specific WAPs).
  • With reference to FIG. 2, a first client methodology, which may run in at least one endpoint (e.g., endpoints 102 through 104 in FIG. 1) or another client module, is activated in step 207, whereupon the endpoint/client is operable to monitor (i.e., listen for) WAPs in step 208. The endpoint/client periodically transmits information (e.g., reports) corresponding to observed WAPs to the central control entity in step 210. In step 212 the endpoint/client checks whether the first client methodology should end in step 214. If it is determined that the first client methodology should not end, the endpoint/client is operable to continue listening for WAPs in step 208.
  • A second client methodology is activated in step 216 and runs in at least one endpoint (e.g., endpoints 102 through 104 in FIG. 1) or other client module; in step 218 the endpoint/client is operable to wait for a command from a central control entity (e.g., central control entity 124 in FIG. 1) instructing the endpoint to begin actively checking an observed WAP. In step 220, when the command is received, the endpoint/client is operable to actively check the observed WAP and the corresponding network associated with the observed WAP and to generate a WAP check report that includes the active checking results. In step 222 the results of the active check generated in step 220 by the endpoint/client are sent to the central control entity for further processing. In step 224 the endpoint/client is operable to send a correlated message over the observed WAP to a central receiving entity (e.g., central receiving entity 118 in FIG. 1). The correlated message sent from the endpoint preferably includes the WAP test report generated in step 220. The endpoint/client then determines in step 226 whether the second client methodology should end in step 228. If it is determined that the second client methodology should not be terminated, the endpoint/client is operable to continue waiting for a command from a central control entity in step 218.
  • A first central control methodology is activated in step 230 and runs in a central control entity (e.g., central control entity 124 in FIG. 1) or other control unit; in step 232 the central control entity is operable to receive the information (such as reports) corresponding to observed WAPs that was sent by one or more endpoints/clients in step 210. In step 234 the central control entity is operable to select a particular one of the received WAP reports and, in step 236, to apply prescribed rules (e.g., business policies) to determine whether the particular observed WAP should be actively tested. If it is determined in step 236 that the observed WAP is to be actively tested, the central control entity selects one or more endpoints in step 238 to perform the active check of the WAP. In step 240 a command is sent to each of the selected endpoints to actively check the WAP. The first central control methodology then returns to step 232, where the methodology is repeated. If it is determined in step 236 that the observed WAP is not to be actively tested, the first central control methodology likewise returns to step 232, where the methodology is repeated.
  • A second central control methodology is activated in step 242 and runs in a central control entity (e.g., central control entity 124 in FIG. 1) or other control unit; in step 244 the central control entity is operable to receive the results of the active testing of the observed WAP sent by one or more endpoints in step 222. Based on the information in the WAP audit report, the central control entity is operable in step 246 to determine whether the tested WAP is unauthorized or improperly configured. If the audited WAP is neither unauthorized nor misconfigured, the second central control methodology returns to step 244 to receive additional results of active testing of observed WAPs. If, on the other hand, it is determined in step 246 that the audited WAP is unauthorized and/or misconfigured, the central control entity is operable to issue (e.g., send out) a warning or other indication in step 248 that informs about the unauthorized and/or misconfigured status of the WAP. The second central control methodology then returns to step 244 to receive additional results of active testing of observed WAPs.
  • A central receiving methodology is activated in step 250 and runs in a central receiving entity (e.g., central receiving entity 118 in FIG. 1) or other interface/control unit; in step 252 the central receiving entity is operable to monitor data transmissions from one or more endpoints that are transmitted over an intranet (e.g., intranet 116 in FIG. 1) or other network. The data transmissions monitored in step 252 preferably include, for example, the WAP audit report generated in step 220 by one or more endpoints. In step 254 the central receiving entity is operable to determine whether such a data transmission has been received from an endpoint. If no data transmission has been received from an endpoint, the central receiving methodology returns to step 252, where the central receiving entity continues to monitor data transmissions from one or more endpoints. Steps 252 and 254 essentially form a loop that is exited upon receipt of a data transmission from an endpoint.
  • If it is determined in step 254 that a data transmission has been received from an endpoint, the central receiving entity is operable in step 256 to correlate the received data transmission with the endpoint WAP report contained therein (e.g., the WAP audit report). In some embodiments there are at least two associated "check" messages: a first message, indicated by the dashed line from step 222 and referred to herein as the "test report", which includes some of the results of actively examining the WAP, including a Dynamic Host Configuration Protocol (DHCP) address and a default route; and a second message, indicated by the dashed line from step 224 and referred to herein as the "test packet". A difference between the two test messages is that the "test report" is sent over a known connection of an endpoint to the intranet, while the "test packet" has to travel over the connection of the WAP to the intranet (if any).
  • With further reference to FIG. 2, in step 258 the central receiving entity is operable to determine network attributes corresponding to the checked WAP depending on the information contained in the data transmission received from the endpoint. In step 260 the central receiving methodology determines whether the WAP is unauthorized or incorrectly configured. If the checked WAP is neither unauthorized nor incorrectly configured, the central receiving methodology returns to step 252 to continue monitoring data transmissions from the endpoints. If, on the other hand, it is determined in step 260 that the WAP is unauthorized and/or incorrectly configured, the central receiving methodology issues (e.g., sends out) a warning or other indication in step 262 that informs about the unauthorized and/or incorrectly configured status of the WAP. The central receiving methodology then returns to step 252 to continue monitoring data transmissions from the endpoints.
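  • As an added illustration (not the patent's own code), the following Python sketch walks two sample WAPs modelled on FIG. 1 through the rule check of step 236, the endpoint selection of step 238 and the correlation of "test report" and "test packet" in steps 256 to 260. The company SSID, the thresholds, the BSSIDs and addresses, and the verdict labels are constructed assumptions; the description names the rule types but fixes no values.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds: the description names these rule types but fixes no values.
COMPANY_SSID = "CORP-WIFI"      # the company's own Service Set Identifier
ENDPOINT_THRESHOLD = 1          # "more than a prescribed threshold number of endpoints"
SIGNAL_THRESHOLD_DBM = -70      # "strength of the WAP radio signal exceeding a threshold"

@dataclass(frozen=True)
class WapReport:
    """Passive observation of one WAP, sent by an endpoint agent in step 210."""
    endpoint: str
    bssid: str
    ssid: str
    open_network: bool          # True if the WAP has no access control configured
    signal_dbm: int

@dataclass(frozen=True)
class TestReport:
    """Active check results sent over the endpoint's known intranet link (step 222)."""
    endpoint: str
    bssid: str
    dhcp_address: Optional[str]  # address the WAP handed out; None if association failed
    default_route: Optional[str]

@dataclass(frozen=True)
class TestPacket:
    """The same check sent through the WAP towards the central receiving entity (step 224)."""
    bssid: str

def check_reasons(reports):
    """Central control entity, step 236: apply the prescribed rules to all reports
    about one observed WAP and return the rules that fired (empty = no active check)."""
    if len({r.bssid for r in reports}) != 1:
        raise ValueError("reports must describe a single WAP")
    reasons = []
    if any(r.open_network for r in reports):
        reasons.append("open")
    if any(r.ssid == COMPANY_SSID for r in reports):
        reasons.append("company-ssid")
    if len({r.endpoint for r in reports}) > ENDPOINT_THRESHOLD:
        reasons.append("many-endpoints")
    if max(r.signal_dbm for r in reports) > SIGNAL_THRESHOLD_DBM:
        reasons.append("strong-signal")
    return reasons

def select_endpoint(reports):
    """Central control entity, step 238: choose the endpoint hearing the WAP loudest."""
    return max(reports, key=lambda r: r.signal_dbm).endpoint

def classify(reports, test_report, test_packet):
    """Central receiving entity, steps 256-260: correlate the test report (known path)
    with the test packet (path through the WAP). Only the packet's arrival proves that
    the WAP is bridged into the intranet; the report alone does not."""
    if test_report.dhcp_address is None:
        return "no-association"          # the endpoint could not join the WAP at all
    company = any(r.ssid == COMPANY_SSID for r in reports)
    if test_packet is None:
        # Nothing traversed the WAP into the intranet, so it is not connected to it
        # (the WAP 106 case); an external WAP using the company SSID is still flagged.
        return "impersonating" if company else "external"
    if test_packet.bssid != test_report.bssid:
        raise ValueError("test packet does not belong to this test report")
    if any(r.open_network for r in reports):
        return "misconfigured"           # open WAP bridged into the intranet
    return "ok" if company else "unauthorized"   # assumed rule for non-company WAPs

# Constructed sample: WAP 110 is heard by two endpoints and is open but bridged into the
# intranet; WAP 106 sits outside the intranet yet advertises the company SSID.
REPORTS_110 = [
    WapReport("endpoint-A", "00:11:22:33:44:10", "CORP-WIFI", True, -55),
    WapReport("endpoint-N", "00:11:22:33:44:10", "CORP-WIFI", True, -68),
]
REPORTS_106 = [WapReport("endpoint-A", "00:11:22:33:44:06", "CORP-WIFI", False, -80)]

def run_demo():
    """Run both sample WAPs through the control and receiving methodologies."""
    cases = [
        ("110", REPORTS_110,
         TestReport("endpoint-A", "00:11:22:33:44:10", "10.0.5.23", "10.0.5.1"),
         TestPacket("00:11:22:33:44:10")),
        ("106", REPORTS_106,
         TestReport("endpoint-A", "00:11:22:33:44:06", "192.168.1.7", "192.168.1.1"),
         None),                          # the packet never reached the receiving entity
    ]
    results = {}
    for label, reports, report, packet in cases:
        reasons = check_reasons(reports)
        verdict = classify(reports, report, packet) if reasons else "not-checked"
        results[label] = (reasons, select_endpoint(reports), verdict)
    return results

if __name__ == "__main__":
    for label, (reasons, checker, verdict) in run_demo().items():
        print(f"WAP {label}: rules={reasons} checker={checker} verdict={verdict}")
```

The point the two cases make is the one in the description: the test report alone cannot distinguish an intranet-bridged WAP from an external one, because it always arrives over the endpoint's own link; only the test packet's arrival (or absence) at the central receiving entity settles that question.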
  • Techniques of the present invention can provide substantial beneficial technical effects. Embodiments of the invention may provide one or more of the following advantages, without being limited to them: reducing the likelihood that a data transmission network is compromised by unauthorized users, and thereby reducing the likelihood of data loss, erroneous data or corrupted data; reducing the likelihood of infection of the client infrastructure by a virus and/or malware; ensuring compliance with client-specific or regulatory security configuration standards in relation to WAPs; and protecting employees in a corporate intranet or other communications network from connecting to unauthorized or abusive WAPs that attempt to impersonate a valid client WAP.
  • Details of an exemplary system and article of manufacture
  • As those skilled in the art will appreciate, aspects of the present invention may be implemented in the form of a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an all-hardware embodiment, an all-software embodiment (firmware, resident software, microcode, etc.) or an embodiment combining software and hardware aspects, all of which may generally be referred to herein as a "circuit", "module" or "system". Further, aspects of the present invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code.
  • One or more embodiments of the invention or elements thereof may be implemented in the form of a device, for example in the form of a memory and at least one processor connected to the memory and functionally capable of performing exemplary method steps.
  • FIG. 3 is a block diagram of at least part of an exemplary system 300, in accordance with embodiments of the invention, that is capable of executing software. The system 300 may represent, for example, a general-purpose computer or other computing device, or a system of computing devices, which, when programmed in accordance with embodiments of the invention, may become a specialized entity operable to perform the techniques of the invention. With reference to FIG. 3, such an implementation could use, for example, a processor 302, a memory 304 and an input/output interface formed, for example, by a display 306 and a keyboard 308.
  • As used herein, the term "processor" is intended to include any processing unit, such as one containing a CPU (central processing unit) and/or other forms of processing circuitry. Further, the term "processor" may refer to more than a single processor. The term "memory" is intended to include any memory associated with a processor or CPU, such as random access memory (RAM), read-only memory (ROM), fixed memory (for example a hard disk drive), a removable storage device (e.g. a floppy disk), flash memory and the like. In addition, as used herein, the term "input/output interface" is intended to include, for example, one or more mechanisms for inputting data to the processing unit (e.g. a mouse) and one or more mechanisms for providing results from the processing unit (e.g. a printer). The processor 302, the memory 304 and an input/output interface, e.g. a display 306 and a keyboard 308, may be connected to each other, for example, via a bus 310 as part of a data processing unit 312. A suitable connection, for example via the bus 310, can also be provided to a network interface 314, e.g. a network card, which may be provided to interface with a computer network, or to a media interface 316, e.g. a floppy disk or CD-ROM drive, which may be provided to interface with media 318.
  • Accordingly, computer software including instructions or code for carrying out the methodologies of the invention as described herein may be stored in one or more of the associated storage devices (e.g. ROM, fixed or removable storage) and, when ready for use, partially or fully loaded (e.g. into RAM) and executed by a CPU. Such software could include, but is not limited to, firmware, resident software, microcode and the like.
  • A data processing system suitable for storing and/or executing program code includes at least one processor 302 that is connected directly or indirectly to memory elements 304 via a system bus 310. The memory elements may include local memory used during actual execution of the program code, mass storage, and cache memory that provides temporary storage of at least a portion of the program code in order to reduce the number of times the code must be retrieved from mass storage during execution.
  • Input/output or I/O units (for example keyboards 308, displays 306, pointing devices and the like, but without being limited to these) can be connected to the system either directly (e.g. via the bus 310) or via intervening I/O controllers (not shown for clarity).
  • Network adapters, e.g. the network interface 314, may also be connected to the system so that the data processing system can be connected via intervening private or public networks to other data processing systems or to remote printers or storage units. Modems, cable modems and Ethernet cards are just some of the currently available types of network adapters.
  • Furthermore, a telephone card 430, which is connected to the bus and interfaces with a telephone network, and a wireless interface 432, which is connected to the bus and interfaces with a local and/or mobile wireless network, may also be present.
  • The data processing unit 312 represents a unit such as an endpoint, a personal digital assistant, a smart phone or a tablet; the data processing unit 312 also represents a server in a data transmission network or the like. Some embodiments use multiple servers in a network. The multiple servers may be connected via network interfaces 314 over a local computer network (e.g. Ethernet). The tasks can be divided among the servers; for example, some servers may provide telephone access via cards 430, some servers perform the number crunching for speech recognition, and so on. When the techniques are run on a mobile device, all or part of the processing can be done externally. For example, signals may be sent wirelessly over the wireless interface 432 to a high-performance external server, possibly after a certain amount of local preprocessing.
  • As used herein, including in the claims, a "server" includes a physical data processing system (e.g. data processing unit 312 as shown in FIG. 3) running a server program. It will be appreciated that such a physical server may optionally include a display and a keyboard. In addition, not every server or unit necessarily has every feature shown in FIG. 3.
  • As noted, aspects of the present invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code. Any combination of one or more computer-readable media may be used. The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. A media block 318 is a non-limiting example. More specific examples (a non-exhaustive list) of the computer-readable storage medium include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, compact disc read-only memory (CD-ROM). In the context of this document, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
  • The program code contained in a computer-readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, fiber optic cable, RF, etc., or any combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java, Smalltalk, C++ or the like and conventional procedural programming languages such as the "C" programming language, FORTRAN or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, such as a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (e.g. through the Internet via an Internet service provider).
  • Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/actions specified in the one or more flowchart and/or block diagram blocks.
  • These computer program instructions may also be stored in a computer-readable medium that can direct a computer, other programmable data processing apparatus or other device to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the function/action specified in the one or more flowchart and/or block diagram blocks.
  • The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus or other device to cause a series of operational steps to be performed on the computer, the other programmable apparatus or the other devices to produce a computer-implemented process, such that the instructions which execute on the computer or the other programmable apparatus provide processes for implementing the functions/actions specified in the one or more flowchart and/or block diagram blocks.
  • The flowcharts and/or block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowcharts or block diagrams may represent a module, segment or portion of code that includes one or more executable instructions for implementing the one or more specified logical functions. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in a different order than shown in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special-purpose hardware-based systems that perform the specified functions or actions, or by combinations of special-purpose hardware and computer instructions.
  • It should be understood that any of the methods described herein may include an additional step of providing a system comprising distinct software modules embodied on a computer-readable storage medium; for example, the modules may include any or all of the elements shown and/or described in the block diagrams. The method steps may then be carried out using the distinct software modules and/or sub-modules of the system as described above, executing on one or more hardware processors 302. In addition, a computer program product may include a computer-readable storage medium with code adapted to be implemented to carry out one or more of the method steps described herein, including the provision of the system with the distinct software modules.
  • In any case, it should be understood that the components shown here may be implemented in various forms of hardware, software or combinations thereof; for example, with application-specific integrated circuits (ASICs), functional circuitry, one or more appropriately programmed general-purpose digital computers with associated memory, and the like. Given the teachings of the invention provided herein, one skilled in the art will be able to contemplate other implementations of the components of the invention.
  • The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used herein, the singular forms of articles such as "a" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the terms "comprising" and/or "having", when used herein, specify the presence of stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
  • The corresponding structures, materials, acts and all means or step-plus-function elements in the following claims are intended to include any structure, material or action for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or to limit the invention to the form disclosed. Many changes and variations will be apparent to those skilled in the art without departing from the scope and spirit of the invention. The embodiment has been chosen and described in order to best explain the principles of the invention and the practical application, and to enable others skilled in the art to understand the invention in various embodiments with various changes as appropriate to the particular use contemplated.

Claims (20)

  1. A system for identifying at least one of unauthorized and misconfigured wireless network access points (WAPs) in a communications network, the system comprising: a plurality of network endpoints; a plurality of agents executing on the plurality of endpoints, the agents being arranged to periodically locate WAPs and report localized WAPs to a central entity; and a central entity operable to receive information regarding localized WAPs from the plurality of agents, to determine whether at least one particular one of the localized WAPs needs to be audited, and to initiate active checking of the localized WAPs if it is determined that the particular one of the localized WAPs needs to be tested, wherein the central entity a) collects and analyzes passive data on localization operations and active data on test operations, and b) controls the plurality of agents executing on the plurality of endpoints based on these results, and wherein the central entity comprises: a receiving module adapted to receive information from one or more of the WAPs; a reporting and alert issuing module connected to the receiving module; a database connected to the receiving module and the reporting and alert issuing module; and a control module connected to the database, wherein the control module is operable to apply prescribed rules stored in the database to determine a configuration status of an observed WAP in order to determine whether the observed WAP should be tested by the at least one of the plurality of network endpoints.
  2. The system of claim 1, wherein the active checking of localized WAPs is performed by an agent running on a corresponding endpoint.
  3. The system of claim 1, wherein the central entity is operable to apply one or more prescribed business criteria to determine if the at least one of the located WAPs needs to be tested.
  4. The system of claim 1, wherein at least a subset of the agents is operable to locate one or more WAPs in the data transmission network during prescribed time intervals.
  5. The system of claim 4, wherein the prescribed time intervals in which the subset of agents is operable to locate one or more WAPs are periodic.
  6. The system of claim 1, wherein the central entity is operable to control at least one of the plurality of agents via the receiving module and/or the reporting and alert issuing module and/or the database and/or the control module, to determine from prescribed information in the database whether the at least one of the localized WAPs needs to be checked, to receive one or more messages that are monitored via a particular WAP and through the communications network, and to report a prescribed state of the particular WAP based on the received messages.
  7. The system of claim 1, wherein at least a subset of the plurality of network endpoints under the control of the control module is operable to periodically monitor one or more corresponding WAPs.
  8. The system of claim 1, wherein, as part of performing an active check of a particular WAP and of a network corresponding to the particular WAP, a selected endpoint is operable to establish a connection with the particular WAP, to issue at least one request to network resources, and to observe a response from the particular WAP to the at least one request.
  9. The system of claim 8, wherein the at least one request comprises a Dynamic Host Configuration Protocol ping signal.
  10. A computer program product for identifying at least one of unauthorized and misconfigured wireless network access points (WAPs) in a communications network, the computer program product comprising a computer-readable storage medium containing computer-readable program code, the computer-readable program code comprising: computer-readable program code configured to cause an agent running on an endpoint in the communications network to locate one or more WAPs in the communications network; computer-readable program code configured to cause the agent to report at least one localized WAP to a central entity; and computer-readable program code configured to cause the central entity to perform the steps of applying prescribed criteria to determine whether the at least one localized WAP needs to be tested and initiating an active check of the at least one localized WAP if it is determined that the at least one localized WAP needs to be examined, in order to determine whether the localized WAP is unauthorized and/or misconfigured, wherein the central entity a) collects and analyzes passive data on localization operations and active data on audit operations, and b) controls the plurality of agents executing on the plurality of endpoints based on these results, and wherein the central entity comprises: a receiving module adapted to receive information from one or more of the WAPs; a reporting and alert issuing module connected to the receiving module; a database connected to the receiving module and the reporting and alert issuing module; and a control module connected to the database, wherein the control module is operable to apply prescribed rules stored in the database to a configuration status of an observed WAP to determine whether the observed WAP should be checked by the at least one of the plurality of network endpoints.
  11. An apparatus for identifying at least one of unauthorized and misconfigured wireless network access points (WAPs) in a communications network, the apparatus comprising: at least one processor, wherein the at least one processor is operable to: (i) activate an agent to run on at least one endpoint in the communications network, the agent being adapted to locate one or more WAPs in the communications network; (ii) receive information regarding at least one localized WAP from the agent; (iii) apply prescribed criteria to determine whether the localized WAP needs to be audited; and (iv) initiate active checking of the localized WAP if it is determined that the at least one localized WAP needs to be tested, in order to determine whether the localized WAP is unauthorized and/or misconfigured; wherein the central entity a) collects and analyzes passive data on localization operations and active data on test operations, and b) controls the plurality of agents executing on the plurality of endpoints based on these results, and wherein the central entity comprises: a receiving module adapted to receive information from one or more of the WAPs; a reporting and alert issuing module connected to the receiving module; a database connected to the receiving module and the reporting and alert issuing module; and a control module connected to the database, wherein the control module is operable to apply prescribed rules stored in the database to determine a configuration status of an observed WAP in order to determine whether the observed WAP should be tested by the at least one of the plurality of network endpoints.
  12. A method for identifying at least one of unauthorized and misconfigured wireless network access points (WAPs) in a communications network, the method comprising the steps of: an agent running on an endpoint in the communications network locating one or more WAPs in the communications network; the agent reporting at least one localized WAP to a central entity; and the central entity performing the steps of applying prescribed criteria to determine whether the at least one localized WAP needs to be audited and initiating an active audit of the at least one localized WAP if it is determined that the at least one localized WAP needs to be audited, in order to determine whether the localized WAP is at least one of unauthorized and misconfigured, wherein the central entity a) collects and analyzes passive data on localization operations and active data on test operations, and b) controls the plurality of agents executing on the plurality of endpoints based on these results, and wherein the central entity comprises: a receiving module adapted to receive information from one or more of the WAPs; a reporting and alert issuing module connected to the receiving module; a database connected to the receiving module and the reporting and alert issuing module; and a control module connected to the database, wherein the control module is operable to apply prescribed rules stored in the database to determine a configuration status of an observed WAP in order to determine whether the observed WAP should be tested by the at least one of the plurality of network endpoints.
  13. The method of claim 12, wherein the at least one agent in the communications network is adapted to perform the active checking of the localized WAP.
  14. The method of claim 12, further comprising selecting at least one endpoint in the communications network to perform the active checking, and instructing the endpoint to actively check the localized WAP.
  15. The method of claim 14, wherein selecting an endpoint to perform the active checking is performed by the central entity in response to one or more prescribed business rules.
  16. The method of claim 12, further comprising generating a warning when it is determined that the located WAP is unauthorized and / or misconfigured.
  17. The method of claim 12, wherein the agent is adapted to locate one or more WAPs in the communications network during prescribed time intervals.
  18. The method of claim 17, wherein the prescribed time intervals are periodic.
  19. The method of claim 12, further comprising selecting a plurality of endpoints in the communications network to initiate active checking of a particular localized WAP.
  20. The method of claim 12, wherein the step of actively verifying the at least one located WAP comprises connecting to the WAP, sending at least one request to network resources, and monitoring a response from the WAP to the at least one request.

Priority Applications (4)

Application Number Priority Date Filing Date Title
US13/455,419 US20130291063A1 (en) 2012-04-25 2012-04-25 Identification of Unauthorized or Misconfigured Wireless Access Point Using Distributed Endpoints
US13/459,383 US20130291067A1 (en) 2012-04-25 2012-04-30 Identification of Unauthorized or Misconfigured Wireless Access Point Using Distributed Endpoints

Publications (2)

Publication Number Publication Date
DE102013206353A1 DE102013206353A1 (en) 2013-10-31
DE102013206353B4 true DE102013206353B4 (en) 2018-01-25

Family

ID=49323406

Family Applications (1)

Application Number Title Priority Date Filing Date
DE102013206353.9A Active DE102013206353B4 (en) 2012-04-25 2013-04-11 Identify unauthorized or error-configured wireless network access using distributed end points

Country Status (1)

Country Link
DE (1) DE102013206353B4 (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050060576A1 (en) * 2003-09-15 2005-03-17 Kime Gregory C. Method, apparatus and system for detection of and reaction to rogue access points
US20060068811A1 (en) * 2004-09-24 2006-03-30 Microsoft Corporation Collaboratively locating disconnected clients and rogue access points in a wireless network
US20070002762A1 (en) * 2005-06-29 2007-01-04 Fujitsu Limited Management policy evaluation system and recording medium storing management policy evaluation program
US20070058598A1 (en) * 2005-09-09 2007-03-15 Hon Hai Precision Industry Co., Ltd. Method and system for detecting rogue access points and device for identifying rogue access points
US7257107B2 (en) * 2003-07-15 2007-08-14 Highwall Technologies, Llc Device and method for detecting unauthorized, “rogue” wireless LAN access points
US7336670B1 (en) * 2003-06-30 2008-02-26 Airespace, Inc. Discovery of rogue access point location in wireless network environments
US7808958B1 (en) * 2006-09-28 2010-10-05 Symantec Corporation Rogue wireless access point detection
US20100333177A1 (en) * 2009-06-30 2010-12-30 Donley Daryl E System and method for identifying unauthorized endpoints
US20110083165A1 (en) * 2004-04-06 2011-04-07 Airtight Networks, Inc. (F/K/A Wibhu Technologies, Inc.) Method and system for regulating, disrupting and preventing access to the wireless medium
US20120023552A1 (en) * 2009-07-31 2012-01-26 Jeremy Brown Method for detection of a rogue wireless access point

Also Published As

Publication number Publication date
DE102013206353A1 (en) 2013-10-31

Legal Events

Date Code Title Description
R012 Request for examination validly filed
R016 Response to examination communication
R016 Response to examination communication
R018 Grant decision by examination section/examining division
R084 Declaration of willingness to licence
R020 Patent grant now final