Distributed wireless network security system

US 7,342,906 B1
Filed: 04/04/2003
Issued: 03/11/2008
Est. Priority Date: 04/04/2003
Status: Active Grant

First Claim

Patent Images

1. In a wireless network environment comprising a plurality of access elements for wireless communication with at least one remote client element, a method enabling an enhanced wireless network security system, comprisingmaintaining security states for remote client elements detected by the access elements,applying a security mechanism to control access to wireless connections to remote client elements, wherein operation of the security mechanism is based on the security states of the remote client elements,adjusting the security state associated with a remote client element based on its interaction with the security mechanism, andexchanging with other access elements security states associated with remote client elements.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems enabling a distributed wireless network security system. In one embodiment, the present invention provides a wireless network system where security policies are automatically distributed and uniformly implemented across wireless network access points. Embodiments of the present invention address the situation where a malicious user moves to a different access point within a wireless network environment after failing to properly authenticate and/or associate at a first access point. Embodiments of the present invention enable an integrated, multi-layer network security system, wherein a security mechanism at one layer (e.g., link layer security mechanisms) can set policies based on information gleaned from operation of a security mechanism at another layer (e.g., application layer authentication servers).

146 Citations

View as Search Results

39 Claims

1. In a wireless network environment comprising a plurality of access elements for wireless communication with at least one remote client element, a method enabling an enhanced wireless network security system, comprisingmaintaining security states for remote client elements detected by the access elements,applying a security mechanism to control access to wireless connections to remote client elements, wherein operation of the security mechanism is based on the security states of the remote client elements,adjusting the security state associated with a remote client element based on its interaction with the security mechanism, andexchanging with other access elements security states associated with remote client elements.

2. A central control element for supervising a plurality of access elements, comprisinga processor operative tomanage wireless connections between access elements and corresponding remote client elements,maintain security states for remote client elements detected by access elements,apply, at access elements, a first security mechanism to control access to the wireless connections to remote client elements, wherein operation of the security mechanism is based on the security states of the remote client elements, wherein a remote client element for which there is no security state information is initially allowed access to interact with a second security mechanism;
- andadjust the security state associated with the remote client element based on its interaction with the second security mechanism.

3. A wireless network security system, comprisinga plurality of access elements for wireless communication with at least one remote client element and for communication with a central control element;
- a central control element for supervising said access elements, wherein the central control element is operative to manage wireless connections between the access elements and corresponding remote client elements,wherein the central, control element is operative tomaintain security states for remote client elements detected by the access elements,apply, at the access elements, a first security mechanism to control access to the wireless connections to remote client elements, wherein operation of the security mechanism is based on the security states of the remote client elements, wherein a remote client element for which there is no security state information is initially allowed access to interact with a second security mechanism; and
  
  adjust the security state associated with the remote client element based on its interaction with the second security mechanism.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 4. The system of claim 3 wherein the first security mechanism is a link layer security mechanism;
    - and wherein the second security mechanism is an application layer security mechanism.
  - 5. The system of claim 4 wherein the application-level security mechanism is an authentication server.
  - 6. The system of claim 5 wherein the authentication server is a RADIUS server.
  - 7. The system of claim 3 wherein security states are stored in mobile station data structures, each comprising a wireless client identifier and a black list flag.
  - 8. The system of claim 7 wherein each mobile station data structure further comprises a time stamp.
  - 9. The system of claim 8 wherein the central control element comprises a mobile station table, and wherein the mobile station data structures are entries in the mobile station table.
  - 10. The system of claim 8 wherein the mobile station data structure is a software object.
  - 11. The system of claim 7 wherein the wireless client identifier is a MAC address.
  - 12. The system of claim 7 wherein the wireless client identifier is an application-layer credential.
  - 13. The system of claim 12 wherein the application-layer credential is a user name.
  - 14. The system of claim 7 wherein the central control element is operative to:
    - set the black list flag associated with a remote client element if the remote client element fails the first security mechanism beyond a threshold number of times.
  - 15. The system of claim 14 wherein the central control element is operative to deny access to wireless connections with a corresponding access element to remote client elements associated with a set black list flag.
  - 16. The system of claim 3 further comprisinga second plurality of access elements for wireless communication with at least one remote client element and for communication with a central control element;
    - a second central control element for supervising said second plurality of access elements, wherein the second central control element is operative to manage wireless connections between the access elements and corresponding remote client elements,wherein the second central control element is operative tomaintain security states for remote client elements detected by the access elements,apply, at the access elements, a first security mechanism to control access to the wireless connections to remote client elements, wherein operation of the security mechanism is based on the security states of the remote client elements, wherein a remote client element for which there is no security state information is initially allowed access to interact with a second security mechanism; and
      
      adjust the security state associated with the remote client element based on its interaction with the second security mechanism; and
      
      wherein the first and second central control elements are operative to exchange security states associated with remote client elements.
  - 17. The system of claim 16 wherein each central control element is operative to query other central control elements for the security state associated with a remote client element, in response to an access request transmitted by the remote client element.

18. In a wireless network environment comprising a plurality of access elements for wireless communication with at least one remote client element, the wireless network environment maintaining security states for remote client elements detected by the access elements, a method enabling an enhanced wireless network security system, comprisingreceiving, at a wireless access element, a link layer authentication request from a remote client element;
- querying one or more elements of a wireless network environment for a security state associated with the remote client element;
  
  conditionally responding to the link layer authentication request with an authentication challenge, wherein the responding to the link layer authentication request is conditioned on the security state associated with the remote client element;
  
  adjusting the security state based on the interaction between the wireless access element and the remote client element.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The method of claim 18 wherein the adjusting step comprisesadjusting the security state of the remote client element, if the remote client element fails the authentication challenge a threshold number of times.
  - 20. The method of claim 19 wherein the security state includes a time stamp, and wherein the time stamp is set to the current time during the adjusting step.
  - 21. The method of claim 20 further comprising resetting the time stamp to the current time if the remote client attempts to authenticate after failing the authentication challenge a threshold number of times.
  - 22. The method of claim 20 further comprising resetting the security state of the remote client element upon expiration of the time stamp.
  - 23. The method of claim 18 wherein the security state includes a time stamp.

24. A wireless network security system, comprisinga wireless network infrastructure comprising a plurality of access elements for wireless communication with at least one remote client element,wherein each access element is operative tomaintain security states for remote client elements detected by the access elements,apply a security mechanism to control access to the wireless connections to remote client elements, wherein operation of the security mechanism is based on the security states of the remote client elements,adjust the security state associated with a remote client element based on its interaction with the security mechanism, andexchange with other access elements security states associated with remote client elements.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 25. The system of claim 24 wherein the security mechanism is a link layer security mechanism;
    - and wherein the system further comprisesa second security mechanism operating in connection with the access elements to control access to wireless connections with the access elements,wherein the access elements are operative to;
      
      adjust the security state associated with a remote client element based on its interaction with the second security mechanism.
  - 26. The system of claim 25 wherein the second security mechanism is an application-level security mechanism.
  - 27. The system of claim 26 wherein the application-level security mechanism is an authentication server.
  - 28. The system of claim 27 wherein the authentication server is a RADIUS server.
  - 29. The system of claim 24 wherein security states are stored in mobile station data structures, each comprising a wireless client identifier and a black list flag.
  - 30. The system of claim 29 wherein each mobile station data structure further comprises a time stamp.
  - 31. The system of claim 29 wherein the wireless client identifier is a MAC address.
  - 32. The system of claim 31 wherein each access element comprises a mobile station table, and wherein the mobile station data structures are entries in the mobile Station table.
  - 33. The system of claim 31 wherein the mobile station data structure is a software object.
  - 34. The system of claim 29 wherein the wireless client identifier is an application-layer credential.
  - 35. The system of claim 34 wherein the application-layer credential is a user name.
  - 36. The system of claim 24 wherein each access element is operative to query the other access elements for the security state associated with a remote client element.

37. In a network environment including a plurality of security mechanisms operating at different layers with the network environment, a method enhancing the security of network environments, comprisingdetecting an attempt by a network access device to access a computer network;
- applying a first security mechanism operative to control access to the computer network, wherein the first security mechanism operates at a first network layer to a network access device, and wherein the applying step comprises authenticating the user associated with the network access device, comprising;
  
  maintaining an authentication count, transmitting an authentication challenge to the network access device, receiving an authentication response from the network access device, validating the authentication response;
  
  if the authentication count is below a threshold count and the response is not valid, repeating the authentication step;
  
  if the authentication count exceeds the threshold count and the response is not valid, then configuring the second security mechanism to deny access to the network access device; and
  
  configuring a policy for a second security mechanism operating at a second network layer based on information obtained from the applying step;
  
  wherein the first security mechanism is an application-level security mechanism, and wherein the second security mechanism is a link layer security mechanism.
- View Dependent Claims (38, 39)
- - 38. The method of claim 37 wherein the application-level security mechanism is an authentication server.
  - 39. The method of claim 38 wherein the authentication server is a RADIUS server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Airespace, Inc. (Cisco Systems, Inc.)
Inventors
Calhoun, Patrice R.
Primary Examiner(s)
Milord; Marceau

Application Number

US10/407,346
Time in Patent Office

1,803 Days
Field of Search

370/310, 370/338, 370/315, 370/316, 709/229, 713/168, 713/156, 713/186, 455410-411
US Class Current

370/338
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04W 84/12   WLAN [Wireless Local Area N...

Distributed wireless network security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

146 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed wireless network security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

146 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links