Containment of rogue systems in wireless network environments

US 7,453,840 B1
Filed: 06/30/2003
Issued: 11/18/2008
Est. Priority Date: 06/30/2003
Status: Active Grant

First Claim

Patent Images

1. In a wireless network environment comprising at least one authorized access point, a method for containing rogue access points, the rogue access points including a virtual carrier-sense mechanism operative to adjust a counter in response to wireless frames transmitted from wireless stations, wherein the data frames include a duration value, the counter controlling the transmission of frames by the rogue access point, comprisingdetecting a rogue access point,identifying at least one authorized access point that neighbors the rogue access point;

selecting at least one authorized access point in the identifying step;

configuring the at least one selected access point to periodically transmit wireless frames, the data frames including a predetermined duration value, and wherein the interval at which the data frames are periodically transmitted is less than the duration value.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems facilitating containment of the effects of rogue or unauthorized access points on wireless computer network environments. Embodiments of the present invention support one to a plurality of rogue containment methodologies. A first rogue containment type involves identification of the physical connection of the rogue access point to the wired network infrastructure and, thus, allows for disabling of that physical connection to contain the rogue access point. Other rogue containment methods involve wireless techniques for containing the effect of rogue access points. As discussed below, the rogue containment functionality described herein can be applied to a wide variety of wireless network system architectures.

Citations

15 Claims

1. In a wireless network environment comprising at least one authorized access point, a method for containing rogue access points, the rogue access points including a virtual carrier-sense mechanism operative to adjust a counter in response to wireless frames transmitted from wireless stations, wherein the data frames include a duration value, the counter controlling the transmission of frames by the rogue access point, comprisingdetecting a rogue access point,identifying at least one authorized access point that neighbors the rogue access point;
- selecting at least one authorized access point in the identifying step;
  
  configuring the at least one selected access point to periodically transmit wireless frames, the data frames including a predetermined duration value, and wherein the interval at which the data frames are periodically transmitted is less than the duration value.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the wireless frames are transmitted on all available frequency channels.
  - 3. The method of claim 1 further comprisingidentifying the channel on which the rogue access point is transmitting;
    - and wherein the wireless frames are transmitted on the identified channel.
  - 4. The method of claim 1 further comprisingidentifying the channel on which the rogue access point is transmitting;
    - and wherein the wireless frames are transmitted on a range of channels centered on the identified channel.

5. In a wireless network environment implementing a protocol according to which wireless stations terminate connections with access points upon receipt of de-authentication and/or disassociation frames, a method for containing rogue access points, comprisingdetecting a rogue access point, the rogue access point identified by a wireless network address;
- selecting at least one authorized access point;
  
  emulating the rogue access point and periodically broadcasting, at repetition interval, beacon frames, wherein the beacon frames announce a contention-free period, and wherein the contention-free period is greater than the repetition interval.

6. A wireless network system enabling a directed association mechanism, comprisinga plurality of access elements for wireless communication with at least one remote client element and for communication with a central control element;
- a central control element for supervising at least one of said access elements, wherein the central control element is operative to manage and control the wireless connections between the access elements and corresponding remote client elements; and
  
  wherein the access elements are each operative to;
  
  establish and maintain, in an access point mode, wireless connections with remote client elements;
  
  switch to a scanning mode for a scanning period at a scanning interval to detect wireless traffic,record scan data characterizing the detected wireless traffic, andtransmit the scan data to the central control element;
  
  wherein the central control element is operative toprocess the scan data against information relating to known access elements to identify rogue access points,to contain the detected rogue access point(s); and
  
  wherein the central control element is operative toestablish a tunnel with access elements for transmission of wireless traffic associated with corresponding remote client elements, andbridge network traffic between a computer network and a remote client element through a tunnel with a corresponding access element.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The system of claim 6 wherein the computer network comprises at least one network device operative to switch or route data units between devices connected thereto, the data units including a source address and a destination address, wherein the at least one network device comprises at least two ports to which other devices connect, and wherein the at least one network device is operative to store the source addresses of the data units encountered at the ports of the at least one network device, andwherein the central control element is operative todetermine the address of at least one rogue client associated with the rogue access point;
    - andidentify the port to which the rogue access point is connected by querying, using the addresses of the at least one rogue client, the at least one network device for the port at which data units sourced from the at least one rogue client were encountered.
  - 8. The system of claim 7 wherein the central control element is operative to report the identified port to a network administrator.
  - 9. The system of claim 7 wherein the central control element is operative to disable the identified port.
  - 10. The system of claim 6 wherein the central control element is operative to configure one or more access elements to contain the detected rogue access point(s).
  - 11. The system of claim 10 wherein the central control element is operative to configure one or more of the access elements to emulate the rogue access point and transmit connections terminating frames.
  - 12. The system of claim 11 wherein the connection terminating frames are de-authentication frames.
  - 13. The system of claim 11 wherein the connection terminating frames are disassociation frames.
  - 14. The system of claim 11 wherein the connection terminating frames are transmitted at a fixed repetition interval.
  - 15. The system of claim 11 wherein the connection-terminating frames are transmitted as a repetition interval, and wherein the repetition interval is adjusted in response to detection of wireless traffic transmitted between the rogue access point and a wireless client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Systems, Inc.
Inventors
Calhoun, Patrice R., Friday, Robert J., O'Hara, Robert B. Jr., Dietrich, Paul F., Frascone, David Anthony, Howard, Matthew Douglas
Primary Examiner(s)
Harper; Kevin C

Application Number

US10/611,660
Time in Patent Office

1,968 Days
Field of Search

370/328, 370/338, 370/401, 726 22- 23, 726/2
US Class Current

370/328
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04W 12/122   Counter-measures against at...

Containment of rogue systems in wireless network environments

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Containment of rogue systems in wireless network environments

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links