
Viruses, and peer-to-peer are the killers of WiFi LANs - Cheeseman

by Guy Kewney | posted on 01 July 2004


If I tell you that a software developer showed up in Amsterdam this year with 83 viruses on a laptop, you might understand why last year's TechEd had a wireless network that fell over. This year, it's working. What changed? "We are trapping the viruses," is the easy answer.


It's never been done before, according to Andy Cheeseman, Events Systems Manager for Microsoft EMEA.

"We're looking for virus traffic signatures. We have written a little application which interfaces with Microsoft Internet Security and Acceleration Server, ISA. It shows us which packets are typical of the sort of data that virus infections generate."

Yes, one virus can bring down a WiFi access point. "It generates enough traffic that as the user moves past the AP, it brings it down. The only solution is to kick that client off."

Cheeseman logged traffic from last year's Barcelona wireless network. At that time, it was the biggest public WLAN ever deployed and from it, he says, he was able to detect signatures of viruses in a way that couldn't be done, or hadn't been done before. "With the system we have this year, I capture all a user's ID data in one logon. You log onto the TechEd network, and it authenticates your machine for the WLAN at the same time. It captures the MAC address; after that, I know who you are."

[Photo: Andy Cheeseman]

And this year, he found - and isolated - fifteen machines with virus infections. Incredibly, one of those machines had 83 viruses on it. "Frankly, I have no idea how it was working at all," admitted Cheeseman. "But this year, we are two and a half times bigger than any WLAN network Microsoft has ever deployed in Europe before."

Virus traffic is not the only problem. The other hazard is background wireless noise - the so-called "noisy pub" syndrome. There is just too much wireless transmission, and it swamps the ether. But that can be easily cured, by "good wireless neighbours" habits, said Cheeseman.

"What we're telling all wireless users to do, is set their machines to work in 'infrastructure mode' only. If we don't have them trying to set up peer-to-peer connections, the system works; if they do, it causes real problems. There are 4,500 wireless client machines here. We're seeing peak traffic of 38 megabits of data per second; anything else just swamps it."

And of course, the result is that in the exhibitor area, the network becomes a notwork. "It's just pants," admitted Cheeseman, "and there's nothing I can do about it, except ask the exhibitors to restrict their on-stand wireless to channel six. They don't, of course."

Proxim, which provides the wireless hardware for the giant exhibition - 6,500 software developers - has deployed 100 tri-standard access points, each doing 802.11a, 11b and 11g protocols. Cheeseman has turned off the 11g functions, to reduce the traffic at 2.4 GHz. The result is a successful wireless network.

To make it work, the feature that tracks rogue clients is surprisingly simple. "The traffic we're concerned with is the worm traffic; Sasser, Bagle, and the like. We analysed last year's logs, and identified what traffic signatures they generate."

This year, the program Cheeseman wrote gets the packets from ISA Server. It dumps the packets - 2,000 a second - to a text file, and then searches through that database, sampling about a third of the total packets, and plotting the signatures.
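The article gives the shape of the method but not the code: dump packets to a text file, look at roughly a third of them, spot the fan-out pattern that worm scanning produces, and tie a noisy source back to a person through the MAC address captured at logon. The script below is an added illustration of that pipeline, not Cheeseman's application and not anything from ISA Server; the log format, the MAC-to-user table, the burst of scan traffic and the threshold of 15 distinct destinations per second are all constructed for the example.

```python
"""Toy worm-traffic triage over a text packet dump, in the spirit of the
TechEd approach: parse a dump, sample about a third of it, flag sources
that talk to many distinct hosts on one port within a second, and resolve
the offending MAC to the user who logged on with it.

Everything here (log lines, MAC->user table, thresholds) is constructed
for illustration; it is not Microsoft's data or code.
"""
from collections import defaultdict

# Constructed logon table: MAC address captured at logon -> user identity.
LOGON_TABLE = {
    "00:11:22:33:44:55": "alice",
    "aa:bb:cc:dd:ee:01": "bob",
}


def build_sample_log():
    """Constructed packet dump, one packet per line:
    '<second> <src_mac> <dst_ip> <dst_port> <proto>'."""
    lines = []
    # alice: ordinary browsing, a few packets to two web hosts.
    for sec in range(3):
        for host in ("10.0.5.12", "10.0.5.13"):
            lines.append(f"{sec} 00:11:22:33:44:55 {host} 80 tcp")
    # bob: a scan-like burst, 60 distinct destinations on TCP 445 in one
    # second, the kind of fan-out a scanning worm generates.
    for i in range(1, 61):
        lines.append(f"1 aa:bb:cc:dd:ee:01 10.0.1.{i} 445 tcp")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse the constructed dump format into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sec, mac, dst, port, proto = line.split()
        packets.append({"sec": int(sec), "mac": mac, "dst": dst,
                        "port": int(port), "proto": proto})
    return packets


def sample_every(packets, n=3):
    """Keep every n-th packet (the article mentions sampling about a third)."""
    return packets[::n]


def find_scanners(packets, min_distinct=15):
    """Return {(mac, port): max distinct destinations in any one second}
    for sources that reach at least min_distinct hosts on one port within
    a single second. Thresholds must be set with the sampling rate in mind:
    sampling a third of the packets cuts the observed fan-out by about a third."""
    dsts = defaultdict(set)
    for p in packets:
        dsts[(p["sec"], p["mac"], p["port"])].add(p["dst"])
    worst = {}
    for (sec, mac, port), targets in dsts.items():
        if len(targets) >= min_distinct:
            key = (mac, port)
            worst[key] = max(worst.get(key, 0), len(targets))
    return worst


def triage(log_text, logon_table=LOGON_TABLE):
    """Full pipeline: parse, sample, detect, resolve MAC to user.
    Returns a sorted list of (user, mac, port, distinct_destinations)."""
    packets = sample_every(parse_log(log_text))
    flagged = find_scanners(packets)
    return sorted(
        (logon_table.get(mac, "unknown"), mac, port, count)
        for (mac, port), count in flagged.items()
    )


if __name__ == "__main__":
    for user, mac, port, count in triage(build_sample_log()):
        print(f"kick candidate: user={user} mac={mac} port={port} "
              f"distinct_dsts_in_1s={count}")
```

On the constructed dump, only bob's source is flagged: after sampling every third packet, 20 of his 60 scan packets remain, still well above the threshold, while alice's two web hosts never approach it. The check is deliberately behavioural (fan-out per second on one port) rather than tied to any particular worm, which is what lets it work on a network where, as Cheeseman notes, the operator cannot inspect the client machines themselves; the price is that a legitimate network-discovery tool will trip it too, so a flag is a reason to contact the user, not proof of infection.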

"We don't have access to the machines, is the problem. They aren't our machines. If this was a corporate network, we'd have policies that allowed us to scan their machines and remove the viruses. But here, we can't do that; so we have to work around the problem," said Cheeseman.

Finally, the lesson is a sobering one. If that high a proportion of professional software developers can be wandering around with infected PCs, it's going to be a long time before the typical PC user is properly protected.

