Distributed Wireless Security Auditor

Motivation

Security is one of the major challenges for 802.11b wireless networking. That is why we developed the Wireless Security Auditor (WSA), a mobile tool for performing wireless security assessments. WSA determines the current security configuration of an access point and helps administrators locate access points. The latter is very useful for finding rogue or incorrectly configured access points. WSA is one of the primary tools used by IBM Global Services for their wireless security service offering and is shipped by Tivoli as part of their Risk Manager product.

By design, WSA requires administrators to physically move around the building to locate access points and/or determine their security configuration. This is, to say the least, inconvenient in organizations with a large wireless deployment, and error-prone, since not every access point may be covered. Furthermore, WSA can only provide a snapshot of an enterprise's wireless network security stance. We consider continuous monitoring crucial for today's wireless installations, where the security of an enterprise's intranet may be easily compromised by a single incorrectly configured or rogue access point.

Distributed Wireless Security Auditor

Continuous monitoring is exactly the problem that our Distributed Wireless Security Auditor (DWSA) addresses: it provides an ongoing autonomic assessment of the security configuration of access points in an enterprise and reports the physical location of these wireless access points.

Instead of an administrator with a single copy of WSA examining the wireless system, we harness the power of all the wireless clients in the organization. Each client runs a stripped-down version of WSA that periodically and anonymously reports its view of the wireless network to a back-end server. This view consists of all the access points that the client detected, along with their security configuration. The back-end server verifies this observation against a list of known and valid access points.

If the server detects an unknown access point, or one whose security configuration violates policy, it computes the physical location of the offending access point by tri-lateration, using the signal strength observed by the client and the locations of some known valid access points. The physical location of the access point, together with the violation, is then reported to the administrator.

To summarize, DWSA's key features are:
  • Real-time (24 by 7) monitoring of the 802.11 wireless network.
  • Harnesses the availability of wireless clients: DWSA does not require special hardware to monitor the network; it takes advantage of the wireless clients that are already present in the infrastructure.
  • Clients report their view of the wireless network (access points, clients) to a central server for verification.
  • The central server detects violations (for example, rogue access points) and determines their location by means of tri-lateration.
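The server-side verification and tri-lateration described above, as an added Python example that is not part of DWSA's code. It assumes each report already carries the reporting client's (x, y) position, a constructed list of known access points, and a constructed log-distance path-loss model for turning signal strength into a range estimate; the page gives none of these details.

```python
from collections import defaultdict
# Constructed log-distance path-loss parameters (not DWSA's calibration): dBm at 1 m, exponent.
RSSI_AT_1M, PATH_LOSS_EXP = -40.0, 2.5
# Constructed list of known, valid access points: BSSID -> SSID.
KNOWN_APS = {"00:11:22:33:44:01": "Lab-AP1", "00:11:22:33:44:02": "Lab-AP2"}
RANK = {"insufficient": 0, "compliant": 1, "violation": 2}  # worst report wins

def rssi_to_distance(rssi):
    return 10 ** ((RSSI_AT_1M - rssi) / (10 * PATH_LOSS_EXP))  # invert the log-distance model

def check_policy(bssid, encrypted):
    """Three-state result matching the console colours (green/red/yellow)."""
    if bssid not in KNOWN_APS:
        return "violation"      # rogue: not on the list of valid access points
    if encrypted is None:
        return "insufficient"   # client could not read the security setting
    return "compliant" if encrypted else "violation"  # policy: encryption on

def trilaterate(points, dists):
    """Least-squares (x, y) from >= 3 observer points and range estimates."""
    (x1, y1), d1 = points[0], dists[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), di in zip(points[1:], dists[1:]):
        # Subtracting circle i from circle 1 gives a linear row ax*x + ay*y = rhs.
        ax, ay = 2 * (xi - x1), 2 * (yi - y1)
        rhs = d1**2 - di**2 + xi**2 - x1**2 + yi**2 - y1**2
        a11 += ax * ax; a12 += ax * ay; a22 += ay * ay
        b1 += ax * rhs; b2 += ay * rhs
    det = a11 * a22 - a12 * a12   # normal equations, solved in closed form
    if abs(det) < 1e-9:
        raise ValueError("observers are collinear; position is ambiguous")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def audit(reports):
    """reports: (client_xy, bssid, encrypted, rssi) tuples -> {BSSID: (status, location)}."""
    seen = defaultdict(lambda: {"obs": [], "status": "insufficient"})
    for client_xy, bssid, encrypted, rssi in reports:
        entry = seen[bssid]
        entry["obs"].append((client_xy, rssi_to_distance(rssi)))
        status = check_policy(bssid, encrypted)
        if RANK[status] > RANK[entry["status"]]:
            entry["status"] = status
    results = {}
    for bssid, entry in seen.items():
        loc = None   # only violations are located, and only with >= 3 observers
        if entry["status"] == "violation" and len(entry["obs"]) >= 3:
            pts, ds = zip(*entry["obs"])
            loc = trilaterate(list(pts), list(ds))
        results[bssid] = (entry["status"], loc)
    return results
```

With fewer than three observing clients the server can flag a violation but cannot place it on the map, which is the case the yellow "insufficient information" state covers on the console.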

DWSA in Action

Here is an example of DWSA in action. In this test we have 4 known access points and 6 clients that report their findings back to a central server.
The following image is a view of the main DWSA server console. It shows the aggregated reports from the wireless clients. The reports are checked against a user-defined security policy, and the background color shows compliance (green), violation (red), or insufficient information (yellow).

Main console display

While centralized reporting is nice, it is not particularly useful on its own. It simply tells the operator that somewhere on the premises something is wrong. This is why we have focused on physically locating access points.
The image below shows the location window of the DWSA server. The operator selects an access point and then uses the location window to determine its location. The green spheres are the known access points, the blue spheres are the reporting clients, and the red sphere is the selected access point. The popup window is a summary of the selected access point and shows which policy items triggered its report.

Location view

Of course, you can zoom around the building to get a better view of the wireless clients and access points.

Rotated location view

Current Status

We have built a prototype DWSA system. It uses a specialized version of WSA that runs on the client and periodically, every minute, examines the wireless network for a couple of seconds and anonymously reports its view to the back-end server.  This version of WSA is transparent to the user of the client and does not interfere with normal operation.

In case of a violation, the back-end server generates a report consisting of a map of the building with the location of the offending access point and the reason. We currently achieve a location accuracy of approximately 6 feet.

DWSA runs on Linux, Windows 2000 and Windows XP.  We are working with various IBM product groups but no final product plans have been made yet.

DWSA was developed jointly by IBM Research and the IBM PC Division.


