A policy-based approach to wireless LAN security management

Wireless Ethernet (or Wi-Fi) security management is a challenging area of increased interest due to the widespread deployment of Wireless LANs (WLANs) and their well-known vulnerabilities to various types of attacks, as well as stringent scalability requirements in the dynamic wireless domain. Until the adoption of the latest security standards is complete, users and network assets on deployed WLANs, such as 802.11a/b/g networks, need to be protected from existing security threats without depending on the latest features. In addition, while new standards can protect the unauthorized use of network resource for outsiders, they do not deal with the misuse or misbehaviors by insiders. In this paper we present a hierarchically distributed policy-based system architecture and prototype implementation for WLAN security management. The architecture includes a central policy engine that validates policies and computes new configuration settings for network elements when access policies are violated, distributed wireless domain policy managers with consistent local policy autonomy that coordinate dedicated local monitors so as to monitor and control multi-vendor WLAN access points (APs). The local monitors include wireless intrusion detection modules and wireless AP interface adaptors. Although in this paper we focus on wireless security aspects, the overall architecture can be applied to end-to-end security management of wireline and wireless networks.