Distributed Wireless Security Auditor
Motivation
Security is one of the major challenges for 802.11b wireless networking. That is why we developed the Wireless Security Auditor (WSA), a mobile tool used for performing wireless security assessments. WSA determines the current security configuration of an access point and helps administrators locate access points. The latter is very useful for finding rogue or incorrectly configured access points. WSA is one of the primary tools used by IBM Global Services for their wireless security service offering and is shipped by Tivoli as part of their Risk Manager product.
By design, WSA requires administrators to physically move around the building to locate access points and/or determine their security configuration. This is, to say the least, inconvenient in organizations that have a large wireless deployment, and it is error-prone since not every access point may be covered. Furthermore, WSA can only provide a snapshot of an enterprise's wireless network security stance. Continuous monitoring is something we consider crucial for today's wireless installations, where the security of an enterprise's Intranet may be easily compromised by a single incorrectly configured or rogue access point.
Distributed Wireless Security Auditor
Continuous monitoring is exactly the problem that our Distributed Wireless Security Auditor (DWSA) addresses: it provides an ongoing autonomic assessment of the security configuration of access points in an enterprise and reports the physical location of these wireless access points.
Instead of an administrator with a single copy of WSA examining the wireless system, we harness the power of all the wireless clients in the organization. Each client runs a stripped-down version of WSA that periodically reports its view of the wireless network to a back-end server in an anonymous fashion. This view consists of all the access points that the client detected along with their security configuration. The back-end server verifies this observation against a list of known and valid access points.
If the server detects an unknown access point, or one with a security configuration violation, it computes the physical location of the offending access point through a process of trilateration, using the signal strength observed by the client and the locations of some known valid access points. The physical location of the access point, together with the violation, is then reported to the administrator.
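The server-side check and location step described above can be sketched as follows. This is an added example, not DWSA code: it assumes a log-distance path-loss model with made-up constants, 2-D coordinates in metres, constructed access point names and reports, and a two-stage approach in which each client is first positioned from the known access points it hears.

```python
import math

# Assumptions for this sketch (not from the page): log-distance path-loss constants,
# 2-D coordinates in metres, constructed AP identifiers and client reports.
P0_DBM, N_EXP = -40.0, 3.0
KNOWN_APS = {"ap-1": (0.0, 0.0), "ap-2": (30.0, 0.0), "ap-3": (0.0, 20.0), "ap-4": (30.0, 20.0)}

def rssi_to_distance(rssi_dbm):
    """Invert RSSI = P0 - 10*n*log10(d) to get a distance estimate in metres."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * N_EXP))

def trilaterate(refs):
    """Least-squares (x, y) from [((x, y), distance), ...] with >= 3 references."""
    if len(refs) < 3:
        raise ValueError("need at least three reference points")
    (x0, y0), d0 = refs[0]
    # Subtracting the first circle equation from the others gives a linear system.
    rows = [(2 * (x - x0), 2 * (y - y0),
             d0**2 - d**2 + x**2 - x0**2 + y**2 - y0**2) for (x, y), d in refs[1:]]
    s11 = sum(a * a for a, _, _ in rows)
    s12 = sum(a * b for a, b, _ in rows)
    s22 = sum(b * b for _, b, _ in rows)
    t1 = sum(a * c for a, _, c in rows)
    t2 = sum(b * c for _, b, c in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("reference points are collinear")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)

def locate_unknown_aps(reports):
    """reports: one {bssid: rssi_dbm} dict per client. Returns {unknown_bssid: (x, y)}."""
    sightings = {}
    for report in reports:
        known = [(KNOWN_APS[b], rssi_to_distance(r)) for b, r in report.items() if b in KNOWN_APS]
        if len(known) < 3:
            continue  # client cannot be positioned, so its sightings have no anchor
        client_xy = trilaterate(known)
        for bssid, rssi in report.items():
            if bssid not in KNOWN_APS:  # not on the list of known, valid access points
                sightings.setdefault(bssid, []).append((client_xy, rssi_to_distance(rssi)))
    return {b: trilaterate(refs) for b, refs in sightings.items() if len(refs) >= 3}

def synth_report(client_xy, aps):
    """Build a constructed, noise-free client report for the demo below."""
    return {b: P0_DBM - 10 * N_EXP * math.log10(math.dist(client_xy, xy)) for b, xy in aps.items()}

if __name__ == "__main__":
    everything = {**KNOWN_APS, "rogue-x": (22.0, 13.0)}  # constructed unlisted AP
    clients = [(5.0, 5.0), (25.0, 4.0), (12.0, 17.0), (27.0, 16.0)]
    print(locate_unknown_aps([synth_report(c, everything) for c in clients]))
```

With real measurements the signal strength is noisy, so the least-squares step returns an estimate whose error depends on how well the path-loss constants fit the building.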
To summarize, among DWSA key features are:
DWSA in Action
is an example of DWSA in action. In this test we have 4 known access points
and 6 clients that report their findings back to a central server.
centralized reporting is nice it is not particularly useful. It simply reports
to the operator that somewhere on the premises something is wrong. This is
why we have focussed on physically locating access points.
Of course, you can zoom around the building to get a better view of the wireless clients and access points.
Current Status
We have built a prototype DWSA system. It uses a specialized version of WSA that runs on the client and periodically, every minute, examines the wireless network for a couple of seconds and anonymously reports its view to the back-end server. This version of WSA is transparent to the user of the client and does not interfere with normal operation.
In case of a violation, the back-end server generates a report consisting of a map of the building with the location of the offending access point and the reason. We currently achieve a location accuracy of approximately 6 feet.
DWSA runs on Linux, Windows 2000 and Windows XP. We are working with various IBM product groups but no final product plans have been made yet.
DWSA was developed jointly by IBM Research and the IBM PC Division.