Method and apparatus for monitoring multiple network segments in local area networks for compliance with wireless security policy

US 20060193300A1
Filed: 08/29/2005
Published: 08/31/2006
Est. Priority Date: 09/16/2004
Status: Abandoned Application

First Claim

Patent Images

1. Method for monitoring a plurality of network segments in a local area network within a selected geographic region for compliance with one or more wireless security policies, the method comprising:

providing a selected geographic region comprising a local area network, the local area network comprising multiple network segments, one or more selected network segments of the multiple network segments to be monitored for compliance with one or more wireless security policies, each of the selected network segments comprising at least one wired portion;

providing a network monitoring device, the network monitoring device being coupled to a connection port of the local are network, the connection port being coupled to the wired portions of the selected network segments;

providing one or more sniffers, the sniffers being adapted to interact with a wireless medium and spatially disposed within and/or in a vicinity of the selected geographic region;

determining a connectivity status of at least one wireless access device to the local area network, the connectivity status being determined by correlating information associated with signals provided on the wired portions of the selected network segments by the network monitoring device and information associated with signals provided on the wireless medium by one or more of the sniffers;

processing at least information associated with the connectivity status of at least the one wireless access device; and

determining if the at least one wireless access device is in compliance with one or more of the wireless security policies for one or more of the selected network segments in the local area network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and system for monitoring a plurality of network segments in a local area network within a selected geographic region is provided. The monitoring is performed to check compliance with one or more wireless security policies. The method comprises providing a network monitoring device and coupling the network monitoring device to a connection port of the local are network. Moreover, the method includes providing one or more sniffers that are adapted to interact with a wireless medium. The sniffers are spatially disposed within and/or in a vicinity of the selected geographic region. The method includes determining a connectivity status of at least one wireless access device to the local area network.

78 Citations

View as Search Results

41 Claims

1. Method for monitoring a plurality of network segments in a local area network within a selected geographic region for compliance with one or more wireless security policies, the method comprising:
- providing a selected geographic region comprising a local area network, the local area network comprising multiple network segments, one or more selected network segments of the multiple network segments to be monitored for compliance with one or more wireless security policies, each of the selected network segments comprising at least one wired portion;
  
  providing a network monitoring device, the network monitoring device being coupled to a connection port of the local are network, the connection port being coupled to the wired portions of the selected network segments;
  
  providing one or more sniffers, the sniffers being adapted to interact with a wireless medium and spatially disposed within and/or in a vicinity of the selected geographic region;
  
  determining a connectivity status of at least one wireless access device to the local area network, the connectivity status being determined by correlating information associated with signals provided on the wired portions of the selected network segments by the network monitoring device and information associated with signals provided on the wireless medium by one or more of the sniffers;
  
  processing at least information associated with the connectivity status of at least the one wireless access device; and
  
  determining if the at least one wireless access device is in compliance with one or more of the wireless security policies for one or more of the selected network segments in the local area network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein the connectivity status identifies which one or more of the selected network segments the wireless access device is connected to.
  - 3. The method of claim 1 wherein the connectivity status identifies which one or more of the selected network segments the wireless access device is unconnected to.
  - 4. The method of claim 1 wherein the one or more wireless security policies is selected from:
    - a. no wireless access devices connected to a network segment; and
      
      b. only wireless access devices relating to a predetermined characteristic allowed on a network segment.
  - 5. The method of claim 4 wherein the predetermined characteristic corresponds to one or more parameters selected from a group consisting of one or more vendor names, one or more encryption techniques, one or more device identities, one or more radio channels of operation, one or more protocols and one or more SSIDs.
  - 6. The method of claim 5 wherein the one or more parameters comprise one or more device identities.
  - 7. The method of claim 5 wherein the one or more parameters comprise one or more SSIDs and one or more encryption techniques.
  - 8. The method of claim 1 wherein the one or more sniffers are spatially distributed to monitor substantial portion of the selected geographic region.
  - 9. The method of claim 1 wherein the network monitoring device is provided in a server room or a network operations center.
  - 10. The method of claim 1 wherein the network monitoring device is connected into a connection port of a switch, a router or a gateway, the connection port being configured to couple to the wired portions of the selected network segments.
  - 11. The method of claim 1 wherein the network monitoring device is provided within a switch, a router or a gateway device as one or more software process modules.
  - 12. The method of claim 1 wherein the multiple network segments are provided using VLANs.
  - 13. The method of claim 1 wherein the network monitoring device further comprises wireless interface device, the wireless interface device being adapted to interact with a wireless medium.
  - 14. The method of claim 1 wherein the determining the connectivity status comprises transferring one or more marker packets to the wired portions of the selected network segments using the network monitoring device.
  - 15. The method of claim 1 wherein the determining the connectivity status comprises receiving and processing one or more packets from the wired portions of the selected network segments using the network monitoring device.
  - 16. The method of claim 1 wherein the determining the connectivity status comprises transferring one or more marker packets to the at least one wireless device over the wireless medium using one or more of the sniffer devices.
  - 17. The method of claim 1 wherein the determining the connectivity status comprises comparing a first identity information with a second identity information, the first identity information being associated with one or more packet transmissions on the wireless medium detected using one or more of the sniffers, the second identity information being associated with at least a subset of computer systems connected to the selected network segments, the second identity information being collected using the network monitoring device.
  - 18. The method of claim 1 wherein one or more of the sniffers interact with one or more wired portions of one or more of the multiple network segments.

19. A network monitoring process module for monitoring a plurality of network segments in a local area network within a selected geographical region, the network monitoring process module being directed to at least determining connectivity status of wireless access devices to the network segments, the network monitoring process module comprising one or more computer readable memories, the one or more computer readable memories comprising:
- one or more codes directed to generating one or more marker packets for a selected plurality of network segments in a local area network; and
  
  one or more codes directed to transferring the one or more marker packets to wired portion of the selected network segments.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19 wherein the network monitoring process module is provided within a network monitoring device, the network monitoring device being connected into a port on a switch, a router or a gateway device in the local area network, the port being coupled to the wired portion of the selected network segments.
  - 21. The system of claim 19 wherein the network monitoring process module is provided within a switch, a router or a gateway device in the local area network.
  - 22. The system of claim 19 further comprising one or more codes directed to receiving configuration information comprising identity information associated with the selected plurality of network segments.
  - 23. The system of claim 22 wherein the identity information comprises VLAN identifiers of the network segments.
  - 24. The system of claim 22 wherein the identity information comprises IP addresses of the network segments.
  - 25. The system of claim 19 wherein marker packets associated with a network segment have a format, the format corresponds to identity of the network segment.
  - 26. The system of claim 19 further comprising one or more codes directed to receiving one or more packets from the selected plurality of network segments and processing information associated with the packets to determine identity information associated with the network segments.

27. A network monitoring process module for monitoring a plurality of network segments in a local area network within a selected geographic region, the network monitoring process module being directed to at least determining connectivity status of wireless access devices to the network segments, the network monitoring process module comprising one or more computer readable memories, the one or more computer readable memories comprising:
- one or more codes directed to receiving one or more packets from wired portion of a selected plurality of network segments in a local area network; and
  
  one or more codes directed to processing information associated with the one or more packets to identify one or more selected format in the one or more packets.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. The system of claim 27 wherein the network monitoring process module is provided within a network monitoring device, the network monitoring device being connected into a port on a switch, a router or a gateway device in the local area network, the port being coupled to the wired portion of the selected network segments.
  - 29. The system of claim 27 wherein the network monitoring process module is provided within a switch, a router or a gateway device in the local area network.
  - 30. The system of claim 27 wherein the selected format comprises a selected IP multicast destination address.
  - 31. The system of claim 27 wherein the selected format comprises identity information associated with a wireless access device, the wireless access device being coupled to at least one of the selected network segments.
  - 32. The system of claim 31 wherein the identity information associated with the wireless access device is provided in packets by originator of the packets.
  - 33. The system of claim 31 wherein the identity information comprises at least one of SSID (service set identifier) and a wireless side MAC address of the wireless access device.
  - 34. The system of claim 27 further comprising one or more codes directed to transferring information associated with the one or more packets to a server device over one or more computer networks.

35. A network monitoring process module for monitoring a plurality of network segments in a local area network within a selected geographical region, the network monitoring process module being directed to at least determining connectivity status of wireless access devices to the network segments, the network monitoring process module comprising one or more computer readable memories, the one or more computer readable memories comprising:
- one or more codes directed to receiving one or more packets from wired portion of a selected plurality of network segments in a local area network; and
  
  one or more codes directed to processing information associated with the one or more packets to derive identity information associated with at least a subset of computer systems coupled to the selected network segments.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. The system of claim 35 wherein the network monitoring process module is provided within a network monitoring device, the network monitoring device being connected into a port on a switch, a router or a gateway device in the local area network, the port being coupled to the wired portion of the selected network segments.
  - 37. The system of claim 35 wherein the network monitoring process module is provided within a switch, a router or a gateway device in the local area network.
  - 38. The system of claim 35 wherein an identity information associated with a computer system comprises a MAC address of the computer system.
  - 39. The system of claim 35 wherein the one or more packets comprise ARP (address resolution protocol) packets.
  - 40. The system of claim 35 further comprising one or more codes directed to transferring one or more ARP (address resolution protocol) request packets to the selected network segments.
  - 41. The system of claim 35 further comprising one or more codes directed to transferring the derived identity information to a server device over one or more computer networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Airtight Networks Incorporated (Arista Networks, Inc.)
Original Assignee
Airtight Networks Incorporated (Arista Networks, Inc.)
Inventors
Parekh, Jatin, Rawat, Jai

Application Number

US11/215,405
Publication Number

US 20060193300A1
Time in Patent Office

Days
Field of Search
US Class Current

370/338
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 16/18   Network planning tools

H04W 24/00   Supervisory, monitoring or ...

H04W 84/12   WLAN [Wireless Local Area N...

Method and apparatus for monitoring multiple network segments in local area networks for compliance with wireless security policy

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for monitoring multiple network segments in local area networks for compliance with wireless security policy

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others