System and method for monitoring and enforcing policy within a wireless network

US 6,957,067 B1
Filed: 09/24/2002
Issued: 10/18/2005
Est. Priority Date: 09/24/2002
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus adapted to a wireless network, comprising;

a transceiver to receive a wireless frame propagating over a prescribed signal coverage area between wireless devices of the wireless network, one of the wireless devices being an Access Point; and

at least one component to process information extracted from the wireless frame and to enforce a policy followed by the wireless network even though the apparatus has no involvement in an exchange of data between the wireless devices of the wireless network, the at least one component includes a processor and a memory adapted to store a table including a plurality or entries, at least one entry of the plurality of entries including (1) a media access control (MAC) address associated with an address of the wireless frame, and (2) information to indicate whether the MAC address is a wireless MAC address or a wired MAC, the processor to classify the MAC address of the wireless frame as either the wireless MAC address or the wired MAC address based on a value of a fromDS bit and a toDS hit in a header of the wireless frame, the fromDS bit is set and the toDS bit is not set if the MAC address is a wireless MAC address.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, one embodiment of the invention is a air monitor adapted to a wireless network. The air monitor enforces policies followed by the wireless network even though it is not involved in the exchange of data between wireless devices of the wireless network such as access points and wireless stations.

Citations

12 Claims

1. An apparatus adapted to a wireless network, comprising;
- a transceiver to receive a wireless frame propagating over a prescribed signal coverage area between wireless devices of the wireless network, one of the wireless devices being an Access Point; and
  
  at least one component to process information extracted from the wireless frame and to enforce a policy followed by the wireless network even though the apparatus has no involvement in an exchange of data between the wireless devices of the wireless network, the at least one component includes a processor and a memory adapted to store a table including a plurality or entries, at least one entry of the plurality of entries including (1) a media access control (MAC) address associated with an address of the wireless frame, and (2) information to indicate whether the MAC address is a wireless MAC address or a wired MAC, the processor to classify the MAC address of the wireless frame as either the wireless MAC address or the wired MAC address based on a value of a fromDS bit and a toDS hit in a header of the wireless frame, the fromDS bit is set and the toDS bit is not set if the MAC address is a wireless MAC address.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein the at least one entry of the table stored in the memory further comprises (3) an identifier of the Access Point.
  - 3. The apparatus of claim 2, wherein the identifier of the Access Point is a Basic Service Set Identifier (BSSID).
  - 4. The apparatus of claim 1, wherein the MAC address classified as the wireless MAC address is a destination MAC address.
  - 5. The apparatus of claim 4, wherein the at least one component classifies a source MAC address of the wireless frame a wired MAC address when the fromDS bit is set and the toDS bit is not set if the MAC address is a wireless MAC address.

6. A method comprising:
- detecting an Access Point (AP) previously undetected within a signal coverage area;
  
  extracting information from a wireless frame transmitted from the AP, the extracted information includes a Basic Service Set Identifier (BSSID) of the AP, a Service Set Identity (SSID) to identify a network that the AP is communicating, and a channel number to indicate a particular channel that the wireless frame is detected; and
  
  transmitting a first message including the information to a Management Server to begin classification of the AP the first message includes an AP class parameter to indicate a current classification of the AP, the AP class parameter is set to a “
  
  Rogue”
  
  state upon initially detecting the AP.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the first message transmitted to the Management Server further includes an AP type parameter to indicate either (i) a manufacturer, (ii) a make or (iii) a model of the AP.
  - 8. The method of claim 6 further comprising:
    - receiving a second message from the Management Server to classify the AP, the second message including at least the BSSID of the AP.
  - 9. The method of claim 8 further comprising:
    - transmitting a third message to the Management Server in response to the second message, the third message including the BSSID of the AP, identifiers for each AP detected within the signal coverage area, a number of wired nodes coupled to each AP, and Media Access Control (MAC) addresses for each of the wired nodes.

10. A method comprising:
- detecting an Access Point (AP) previously undetected within a signal coverage area;
  
  extracting information from a wireless frame transmitted from the AP;
  
  transmitting a first message including the information to a Management Server to begin classification of the AP;
  
  receiving a second message from the Management Server to classify the AP, the second message including at least the BSSID of the AP;
  
  transmitting a third message to the Management Server in response to the second message the third message including the BSSID of the AP, identifiers for each AP detected within the signal coverage area, a number of wired nodes coupled to each AP, and Media Access Control (MAC) addresses for each of the wired nodes; and
  
  classifying the MAC addresses into two groupings including a first grouping of wired MAC addresses for APs in a Valid state and a second grouping of wired MAC addresses for APs in a Rogue state.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10 further comprising:
    - signaling the detected AP to be classified as an Unsecured AP if a common MAC address is found in both the first grouping and the second grouping, otherwise, classified as an Interfering AP.
  - 12. The method of claim 11, further comprising sending a fourth message from the Management Server to all devices monitoring the newly detected AP to deauthenticate the newly detected AP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Aruba Networks Incorporated (Hewlett-Packard Enterprise Company)
Inventors
Iyer, Pradeep J., Narasimhan, Partha
Primary Examiner(s)
D AGOSTA, STEPHEN M

Application Number

US10/254,125
Time in Patent Office

1,120 Days
Field of Search

455/422.1, 455/426.1, 455/435.1, 707/1, 709/223, 709/225, 370/338, 435/432.1, 435/435.2
US Class Current

455/435.1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04W 12/122   Counter-measures against at...

H04W 24/00   Supervisory, monitoring or ...

H04W 24/02   Arrangements for optimising...

System and method for monitoring and enforcing policy within a wireless network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for monitoring and enforcing policy within a wireless network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links