Method, apparatus, and software product for detecting rogue access points in a wireless network

US 7,916,705 B2
Filed: 08/22/2007
Issued: 03/29/2011
Est. Priority Date: 07/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

managing managed access points (APs) of a wireless network, the managing using a central management entity and including carrying out one or both of power control and frequency selection to configure one or more configuration parameters of the managed access point;

maintaining an AP database that includes information about managed APs and friendly APs of the wireless network, including for each managed AP in the AP database, the service set identifier of the managed AP and one or more of the configuration parameters;

receiving information from at least one of the managed APs including information on any beacon or probe response received by the managed AP that was sent by any potential rogue AP, including the MAC address of the potential rogue AP and one or more configuration parameters; and

for each potential rogue AP that sent a beacon or probe response on which information is received, ascertaining if the potential rogue AP is a managed AP, including, ascertaining if there is a match for the service set identifier of the potential rogue AP in the AP database, and further ascertaining if there is a match for one or more configuration parameters of the potential rogue AP in the AP database,such that at least a plurality of parameters are matched in the AP database to ascertain whether a potential rogue AP is a managed AP.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus, and a software program to implement a method to detect a rogue access point of a wireless network. The method includes maintaining an AP database that includes information about managed access point (APs) and friendly APs, including the MAC address of each managed AP. The method further includes sending a scan request to one or more managed APs, including one or more of a request for the receiving managed AP to scan for beacons and probe responses and a request for the receiving managed AP to request its clients to scan for beacons and probe responses. The method further includes receiving reports from at least one of the receiving managed APs, a report including information on any beacon or probe response received that was sent by an AP. For each beacon or probe response on which information is received, the method analyzes the information received in the report about the AP that sent the beacon or probe response, the analyzing including ascertaining if the MAC address of the AP that sent the beacon or probe response matches a MAC address of an AP in the AP database to ascertain whether or not the AP is a potential rogue AP or a managed or friendly AP.

99 Citations

View as Search Results

20 Claims

1. A method comprising:
- managing managed access points (APs) of a wireless network, the managing using a central management entity and including carrying out one or both of power control and frequency selection to configure one or more configuration parameters of the managed access point;
  
  maintaining an AP database that includes information about managed APs and friendly APs of the wireless network, including for each managed AP in the AP database, the service set identifier of the managed AP and one or more of the configuration parameters;
  
  receiving information from at least one of the managed APs including information on any beacon or probe response received by the managed AP that was sent by any potential rogue AP, including the MAC address of the potential rogue AP and one or more configuration parameters; and
  
  for each potential rogue AP that sent a beacon or probe response on which information is received, ascertaining if the potential rogue AP is a managed AP, including, ascertaining if there is a match for the service set identifier of the potential rogue AP in the AP database, and further ascertaining if there is a match for one or more configuration parameters of the potential rogue AP in the AP database,such that at least a plurality of parameters are matched in the AP database to ascertain whether a potential rogue AP is a managed AP.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, wherein the maintaining the AP database includes updating the AP database from time to time.
  - 3. A method as recited in claim 1, further comprising for each potential rogue AP that sent a beacon or probe response on which information is received, determining the approximate location of the potential rogue AP in order to further ascertain whether the potential rogue AP is likely to be a rogue AP.
  - 4. A method as recited in claim 1, further comprising for each potential rogue AP that sent a beacon or probe response on which information is received, determining the approximate location of the potential rogue AP in order to further ascertain whether the potential rogue AP is likely to be a rogue AP, wherein the location determining method uses information determined from signals received from the potential rogue AP at a plurality of managed APs whose locations are known or at stations whose respective locations are known or determined, and calculating a likely location using the determined information.
  - 5. A method as recited in claim 4, wherein the information determined from signals received from the potential rogue AP at a plurality of managed APs includes absolute RSSI information, and wherein the location determining method uses the absolute RSSI together with a calibrated path loss model of an area of interest that provides path losses at various locations to or from managed stations at known locations.
  - 6. A method as recited in claim 1, further comprising sending a request to one or more wireless stations of the wireless network to listen for beacons and probe responses and to report the results of the listening.
  - 7. A method as recited in claim 1, further comprising for each potential rogue AP that sent a beacon or probe response on which information is received, using timing information determined from the beacon or probe response to further ascertain whether the potential rogue AP is likely to be a rogue AP.
  - 8. A method as recited in claim 7, further comprising for each potential rogue AP that sent a beacon or probe response on which information is received, using known location information of managed APs together with the timing information to determine the approximate location of the potential rogue AP.
  - 9. A method as recited in claim 1, further comprising for each potential rogue AP that sent a beacon or probe response on which information is received, using one or more complementary rogue AP detection techniques.

10. One or more non-transitory computer-readable media with computer program instructions encoded thereon that when executed on one or more processors of a processing system are operable to implement a method comprising:
- managing managed access points (APs) of a wireless network, the managing using a central management entity and including carrying out one or both of power control and frequency selection to configure one or more configuration parameters of the managed access point;
  
  maintaining an AP database that includes information about managed APs and friendly APs of the wireless network, including for each managed AP in the AP database, the service set identifier of the managed AP and one or more of the configuration parameters;
  
  receiving information from at least one of the managed APs including information on any beacon or probe response received by the managed AP that was sent by any potential rogue AP, including the MAC address of the potential rogue AP and one or more configuration parameters; and
  
  for each potential rogue AP that sent a beacon or probe response on which information is received, ascertaining if the potential rogue AP is a managed AP, including, ascertaining if there is a match for the service set identifier of the potential rogue AP in the AP database, and further ascertaining if there is a match for one or more configuration parameters of the potential rogue AP in the AP database, such that at least a plurality of parameters are matched in the AP database to ascertain whether a potential rogue AP is a managed AP.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. One or more non-transitory computer-readable media as recited in claim 10, wherein the maintaining the AP database includes updating the AP database from time to time.
  - 12. One or more non-transitory computer-readable media as recited in claim 10, wherein the method further comprises for each potential rogue AP that sent a beacon or probe response on which information is received, determining the approximate location of the potential rogue AP in order to further ascertain whether the potential rogue AP is likely to be a rogue AP.
  - 13. One or more non-transitory computer-readable media as recited in claim 10, wherein the method further comprises for each potential rogue AP that sent a beacon or probe response on which information is received, determining the approximate location of the potential rogue AP in order to further ascertain whether the potential rogue AP is likely to be a rogue AP, wherein the location determining method uses information determined from signals received from the potential rogue AP at a plurality of managed APs whose locations are known or at stations whose respective locations are known or determined, and calculating a likely location using the determined information.
  - 14. One or more non-transitory computer-readable media as recited in claim 13, wherein the information determined from signals received from the potential rogue AP at a plurality of managed APs includes absolute RSSI information, and wherein the location determining method uses the absolute RSSI together with a calibrated path loss model of an area of interest that provides path losses at various locations to or from managed stations at known locations.
  - 15. One or more non-transitory computer-readable media as recited in claim 10, wherein the method further comprises sending a request to one or more wireless stations of the wireless network to listen for beacons and probe responses and to report the results of the listening.
  - 16. One or more non-transitory computer-readable media as recited in claim 10, wherein the method further comprises for each potential rogue AP that sent a beacon or probe response on which information is received, using timing information determined from the beacon or probe response to further ascertain whether the potential rogue AP is likely to be a rogue AP.
  - 17. One or more non-transitory computer-readable media as recited in claim 16, wherein the method further comprises for each potential rogue AP that sent a beacon or probe response on which information is received, using known location information of managed APs together with the timing information to determine the approximate location of the potential rogue AP.
  - 18. One or more non-transitory computer-readable media as recited in claim 10, wherein the method further comprises for each potential rogue AP that sent a beacon or probe response on which information is received, using one or more complementary rogue AP detection techniques.

19. A system comprising:
- a central management entity of a wireless network, the central management entity coupled to one or more managed access points (APs) of the wireless network and operative to manage the managed APs, including carrying out one or both of power control and frequency selection to configure one or more configuration parameters of the managed access point;
  
  a storage subsystem maintaining an AP database that includes information about managed APs and friendly APs of the wireless network, including for each managed AP in the AP database, the service set identifier of the managed AP and one or more of the configuration parameters; and
  
  a processing system coupled to the central management and the storage subsystem operative toreceive information from at least one of the managed APs including information on any beacon or probe response received by the managed AP that was sent by any potential rogue AP, including the MAC address of the potential rogue AP and one or more configuration parameters; and
  
  for each potential rogue AP that sent a beacon or probe response on which information is received, ascertain if the potential rogue AP is a managed AP, including, ascertaining if there is a match for the service set identifier of the potential rogue AP in the AP database, and further ascertain if there is a match for one or more configuration parameters of the potential rogue AP in the AP database,such that at least a plurality of parameters are matched in the AP database to ascertain whether a potential rogue AP is a managed AP.
- View Dependent Claims (20)
- - 20. A system as recited in claim 19, wherein the processing system is further operative, for each potential rogue AP that sent a beacon or probe response on which information is received, to determine the approximate location of the potential rogue AP in order to further ascertain whether the potential rogue AP is likely to be a rogue AP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Roshan, Pejman D., Olson, Timothy S., Kaiser, Daryl A.
Primary Examiner(s)
Eng; George
Assistant Examiner(s)
Brandt; Christopher M

Application Number

US11/843,088
Publication Number

US 20070286143A1
Time in Patent Office

1,315 Days
Field of Search

370/338, 370/328, 713/155, 713/201, 455/411, 455/410
US Class Current

370/338
CPC Class Codes

H04L 63/1433   Vulnerability analysis

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

Method, apparatus, and software product for detecting rogue access points in a wireless network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, and software product for detecting rogue access points in a wireless network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links