
    Design of Hotspot Login Authentication Network Security Using a RADIUS Server and the EAP-TTLS Protocol on MikroTik at Idoop Hotel

    Idoop Hotel is a hotel located in the city of Mataram, at Jalan Swaramahardika No. 883, 83121. Idoop Hotel began operating in June 2014. It has a total of 9 departments that belong to the back-office and operational network. All departments are on a single local network managed by the hotel's network administrator. From an implementation standpoint, the Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) protocol is designed to make authentication easier to implement than certificate-based EAP protocols. An EAP-TTLS implementation requires a digital certificate only on the authentication server side, while the client-side digital certificate is replaced by a username and password combination. The conclusion drawn from the tests carried out is that using a username and password combination in place of the client digital certificate in EAP-TTLS also increases user mobility, because users do not need to install a digital certificate to log in to the hotspot. EAP-TTLS authentication, combined with MD5 encryption on the MikroTik hotspot, gives users a convenient hotspot login and makes it easier for Idoop Hotel's IT staff to manage a large number of users.

    Securing a Wireless LAN with the EAP-TTLS Protocol and MSCHAPv2 Authentication at the Faculty of Computer Science, UPN Veteran Jakarta

    Using the WPA protocol involves two processes: authentication and encryption. In large network infrastructures with heavy traffic, such as universities, company offices or other public places that use a wireless LAN, authentication is the first process a wireless LAN user goes through before being able to access the Internet. The authentication process must therefore be not only secure but also fast. The solution proposed in this research is to apply the IEEE 802.1X EAP protocol with Extensible Authentication Protocol - Tunneled Transport Layer Security (EAP-TTLS) to create a secure tunnel for the key exchange on the wireless network, with Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) as the inner authentication. The output of this research is a centralized wireless network security system for the Faculty of Computer Science, UPN Veteran Jakarta.

    Access control and network resource administration using an AAA server at the GAD Municipal de Urcuquí with free software

    The objective of this document is to define the minimum technical requirements needed for access control and administration of network resources using an AAA server on the GADMU data network. The proposed project consists of designing and implementing a network scheme that provides the Authentication, Authorization and Auditing (AAA) service at the GAD Municipal San Miguel de Urcuquí, for access control and network resource administration, using solutions based on free software. The theoretical foundation required to develop the AAA system begins with a study of the main EAP authentication methods (TLS, TTLS and PEAP) supported by the IEEE 802.1X standard, and of the LDAP and RADIUS protocols. The second chapter identifies the user access profiles for each of the applications and network services of the GAD Municipal San Miguel de Urcuquí, and also establishes the security policy for the AAA system. The third chapter contains the design of the network infrastructure with AAA service (Authentication, Authorization and Accounting), taking into account each of the requirements established on the basis of the study and the security policy developed. The fourth chapter proceeds with the configuration of the network equipment, the implementation of the AAA server in the PROXMOX virtual environment, and the application tests run against scenarios that could arise when accessing the system. Finally, the fifth chapter contains the cost-benefit analysis that determines the economic feasibility of the project.

    Authenticated wireless roaming via tunnels: making mobile guests feel at home

    In wireless roaming a mobile device obtains a service from some foreign network while being registered for the same service at its own home network. However, recent proposals try to keep the service provider role with the home network and let the foreign network create a tunnel connection through which all service requests of the mobile device are sent to, and answered directly by, the home network. Such Wireless Roaming via Tunnels (WRT) offers several (security) benefits but also raises new security challenges for authentication and key establishment, as the goal is not only to protect the end-to-end communication between the tunnel peers but also the tunnel itself. In this paper we formally specify mutual authentication and key establishment goals for WRT and propose an efficient and provably secure protocol that can be used to secure such roaming sessions. Additionally, we describe some modular protocol extensions to address resistance against DoS attacks, anonymity of the mobile device and unlinkability of its roaming sessions, as well as the accounting claims of the foreign network in commercial scenarios.

    Validation of the Security of Participant Control Exchanges in Secure Multicast Content Delivery

    In Content Delivery Networks (CDN), as the customer base increases, a point is reached where the capacity of the network and the content server become inadequate. In extreme cases (e.g., world class sporting events), it is impossible to adequately serve the clientele, resulting in extreme customer frustration. In these circumstances, multicast content delivery is an attractive alternative. However, the issue of maintaining control over the customers is difficult. In addition to controlling the access to the network itself, in order to control the access of users to the multicast session, an Authentication, Authorization and Accounting Framework was added to the multicast architecture. A successful authentication of the end user is a prerequisite for authorization and accounting. The Extensible Authentication Protocol (EAP) provides an authentication framework to implement authentication properly, for which more than thirty different available EAP methods exist. While distinguishing the multicast content delivery requirements in terms of functionality and security, we will be able to choose a smaller set of relevant EAP methods accordingly. Given the importance of the role of the ultimate chosen EAP method, we will precisely compare the most likely to be useful methods and eventually pick the Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST) framework as the most suitable one. Based on the work on receiver participant controls, we present a validation of the security of the exchanges that are required to ensure adequate control and revenue recovery

    Securing Remote Access Inside Wireless Mesh Networks

    Wireless mesh networks (WMNs), which are being increasingly deployed in communities and public places, provide a relatively stable routing infrastructure and can be used for diverse carrier-managed services. As a particular example we consider the scenario where a mobile device initially registered for use with one wireless network (its home network) moves to the area covered by another network inside the same mesh. The goal is to establish secure access to the home network using the infrastructure of the mesh. Classical mechanisms such as VPNs can protect end-to-end communication between the mobile device and its home network while remaining transparent to the routing infrastructure. In WMNs this transparency can be misused for packet injection, leading to unnecessary consumption of communication bandwidth. This may have a negative impact on the cooperation of mesh routers, which is essential for connection establishment. In this paper we describe how to establish remote connections inside WMNs while guaranteeing secure end-to-end communication between the mobile device and its home network and secure transmission of the corresponding packets along the underlying multi-hop path. Our solution is a provably secure, yet lightweight and round-optimal remote network access protocol in which intermediate mesh routers are considered to be part of the security architecture. We also sketch some ideas on the practical realization of the protocol using known standards and mention extensions with regard to forward secrecy, anonymity and accounting.

    Integration of the captive portal paradigm with the 802.1X architecture

    Master's in Computer and Telematics Engineering. In a scenario where hotspot networks are increasingly used and present and are gaining more subscribers, given the amount of sensitive information exchanged on this type of network and the variety of its users, who may not be trustworthy, security mechanisms are needed that guarantee data confidentiality and integrity, as well as guaranteeing that announced networks are genuine, avoiding rogue networks. Captive portals are portals provided by networks of this type where a user logs in; they are a greater risk because they imply the transmission of sensitive data in a non-standardized way. This work explores the weaknesses of this paradigm and describes a solution, based on the 802.1X architecture, that intends to remove them. The solution consists of creating an EAP-compliant protocol in order to integrate HTTP-based authentication within the 802.1X authentication framework.

    Migration of unsecured Wi-Fi connections to secure connections after captive portal authentication

    Nowadays the popularity of Wi-Fi communications has grown, as users access networks from multiple devices such as mobile phones, tablets and laptops, used by anyone in the most varied places. With this massive use, public Wi-Fi hotspots (in airports, train stations, etc.) appeared that allow clients to connect through unsecured (or open) wireless connections. After a client connects, these hotspots use a captive portal that captures the client's IP traffic and redirects it to a particular Web page. The web page allows customers to buy Internet access time or, if they already have credentials from that company, to log in and access the Internet. The need for an open connection stems from the hotspot operator's wish to sell Internet access to unknown users (otherwise it would have to provide them with a password beforehand). However, providing wireless Internet access without any kind of security at the physical level allows any other user to obtain information about the web browsing of connected users (e.g., by listening to DNS requests). This thesis intends to present a solution that extends one of the current Wi-Fi authentication mechanisms (WPA, WPA2) so that, after authentication in a captive portal, an open connection can be migrated to a secure connection.

    Unified security frameworks for integrated WiMAX and optical broadband access networks

    This dissertation proposes the integration of optical and Mobile Worldwide Interoperability for Microwave Access (WiMAX) broadband access networks in order to combine the strengths of optical and wireless technologies and converge them seamlessly. To protect access network security, this dissertation develops the design of unified security frameworks for the proposed integrated optical and WiMAX broadband access networks. Ethernet Passive Optical Networks (EPONs) offer a popular broadband access solution, providing high bandwidth and long transmission range to meet users' fast-evolving needs. WiMAX provides a wireless broadband solution and supports mobility. This dissertation proposes a WiMAX over EPON network architecture to provide optical bandwidth for the WiMAX base station (BS). The dissertation also presents a unified security framework for the proposed WiMAX over EPON architecture using public key infrastructure (PKI) and the Extensible Authentication Protocol (EAP). The security framework can achieve efficient system management, enhance system security, and realize unified key management. Furthermore, the dissertation introduces three handover scenarios in the WiMAX over EPON network and describes the corresponding handover schemes based on a pre-authentication method and the communication framework of the ranging step. The proposed handover mechanisms can simplify and accelerate the handover process, compared to the standard WiMAX handover scheme, while keeping the handover procedure secure. Free Space Optics (FSO) provides a relatively flexible optical wireless solution for delivering gigabit bandwidth to areas where fiber is costly or hard to deploy. This dissertation also proposes an integrated Mobile WiMAX and FSO broadband access network and presents a unified EAP-based security framework. 
The dissertation then evaluates and compares the performance of EAP-Transport Layer Security (EAP-TLS) and EAP-Tunneled Transport Layer Security (EAP-TTLS) for the FSO-WiMAX network, and also evaluates the impact of the point-to-point FSO link. Measurements show that, compared to EAP-TLS, EAP-TTLS provides a more flexible, efficient, and secure way to protect the integrated FSO-WiMAX access network. Experiments conducted as part of the investigation demonstrate that the point-to-point FSO link does not degrade the performance of EAP authentication in the integrated network.