1,199 research outputs found

    Security Mechanisms and Strategies in Wi-Fi Networks (Mecanismos y estrategias de seguridad en redes Wi-Fi)

    In recent years, the use of wireless networks has grown exponentially, mainly in places where this technology is chosen both for transmitting data between wireless devices and for giving those devices access to the rest of the network or to the Internet through protocols such as Bluetooth or Wi-Fi (Wireless Fidelity), to name a few. However, any kind of wireless network is exposed to risk because its transmission medium, radio waves, is so easily observed: information travels through the air in such a way that anyone equipped with the necessary devices and knowledge can intercept the signal and analyze it. Obtaining the signal does not mean that the information can be extracted, however, provided that the necessary measures are taken to guarantee the security of the transmitted information. In this document we are therefore interested in WLAN security, and we present a complete description of the security protocols for this type of network, their vulnerabilities, and strategies for reducing the effective percentage of attacks, from very basic strategies that are simple to implement to more robust mechanisms that are more complex to configure and implement. Finally, on this basis the end user should be able to determine the best option for providing the required degree of information security for this type of network.

    Token-based Fast Authentication for Wireless Network

    Wireless networks based on Wi-Fi or WiMAX have become popular and are used in many places as a complementary network to the wired LAN to support mobility. The support for client mobility and continuous access anywhere and anytime make WLAN the preferred network for many applications. However, there are some issues associated with the usage of WLAN that restrict the adoption of this technology everywhere. These issues are related to using the best routing algorithm to achieve good throughput and delay performance, and to securing the open access to avoid attacks at the physical and MAC layers. IEEE 802.1x suggested a solution to address the security issue at the MAC layer, but there are a variety of implementations of this solution and they differ in performance. IEEE 802.1af tried to address other security issues remaining at the MAC layer, but it is still at an early stage and needs verification for easy deployment. In this paper a new technique for securing wireless networks using fast token-based authentication has been invented to address the vulnerability inherited by the wireless network at the MAC layer using a fast authentication process. This technique is based on an authentication server distributing a security token, a public authentication key, and a network access key parameter to eligible mobile clients (MCs) during registration. All messages will be encrypted during registration using a temporary derived token key, but a derived valid token key will be used during authentication. Authenticated MCs will then use a derived group temporal key generated from the network access parameter key to encrypt all messages exchanged over the wireless network. The token, the authentication key and the access network parameter key will be distributed only during registration. This makes the security parameters known only to the authentication server, the authenticator and the MC. Hence, this technique will protect the wireless network against attack, since attackers are unable to know the token and other security keys. Moreover, it will avoid the exchange of public keys during authentication, such as the one used in other existing technologies, and consequently speed up the authentication phase, which is very critical to wireless technologies.

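    Design of a Data-Link-Layer Security System for Wired Networks Using the IEEE 802.1X Standard in the LAN of the Universidad Técnica del Norte (Diseño de sistema de seguridad a nivel de capa de enlace de datos en redes cableadas mediante el estándar IEEE 802.1X En La LAN de la Universidad Técnica del Norte)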

    To design a data-link-layer security system for wired networks using the IEEE 802.1X standard in the LAN of the Universidad Técnica del Norte. This project consists of the design of a data-link-layer security system for wired networks using the IEEE 802.1X standard in the LAN of the Universidad Técnica del Norte, developed with the aim of increasing the level of security in the institution. Using this protocol ensures that only previously validated users can access the services present on the network, providing port security. First, the operation of the IEEE 802.1X standard and its various EAP authentication methods is studied in order to determine which is the most suitable for the system design. In turn, all the elements of an AAA (Authentication, Authorization, Accounting) server are detailed. The current state of the network in the main university building (casona universitaria) is analyzed to identify the switches it has and to establish which of them support the IEEE 802.1X standard. Next, the system is designed taking into account the access-layer and distribution-layer switches present in all departments. Finally, an AAA server is set up and functional tests are carried out in a controlled environment within the network infrastructure of the Facultad de Ingeniería en Ciencias Aplicadas. This section demonstrates that the design is workable and can be replicated at any location in the University.

    Enhancing wireless network security IEEE 802.1x

    Wireless Local Area Networks (WLANs), widely prevalent in corporate environments, are a current giant leap in information technology. This new paradigm of communications has leverage over other ways of data transmission, because it enables businesses and corporate environments to operate in a faster, better and more profitable way. Through the use of always-on, always-connected and always-available content and applications, WLAN combines data connectivity with user mobility. The IEEE standard for wireless LAN is 802.11. The 802.11 standard is emerging as a significant aspect of internetworking. Growing rapidly in the wireless local area network environment, 802.11s are easy to find, because wireless technology allows the network to go where wire cannot. This fact, however, raises a number of security concerns. The current security solutions offered on a private 802.11 network in a public setting are not sufficient to protect sensitive material, so other measures are needed to provide adequate protection for data passed over the air. Although encryption, authentication and authorization are the pillars of security, there are other techniques that can be used and implemented for network defense. Security concerns have evolved, because there are limitations and weaknesses in controlling access and there are flaws and vulnerabilities in WEP data encryption. These things add to the insecure nature of radio broadcast transmission. This study discusses some security models offered over wireless networks and integrates the security enhancement by combining some of the wired techniques, such as adding Kerberos to the wireless security equation along with RADIUS for increased authentication and authorization, so that compromising the network is a non-trivial task. Those models are designed to prevent unauthorized access to the network from outside the wireless network environment. While we can make intrusion difficult, we cannot prevent hackers with portable devices and scanners from intercepting data and gaining access to the network. If we want flexibility and mobility, we can have this, but not with total security. The 802.11 technology protection is not failsafe as long as there is technology that allows portable computing devices with scanners to gain access to the LAN or intercept data.

    Enhancements to Secure Bootstrapping of Smart Appliances

    In recent times, there has been a proliferation of smart IoT devices that make our everyday life more convenient, both at home and in the work environment. Most of these smart devices are connected to cloud-based online services, and they typically reuse the existing Wi-Fi network infrastructure for Internet connectivity. Hence, it is of paramount importance to ensure that these devices establish a robust security association with the Wi-Fi networks and cloud-based servers. The initial process by which a device establishes a robust security association with the network and servers is known as secure bootstrapping. The bootstrapping process results in the derivation of security keys and other connection parameters required by the security associations. Since smart IoT devices often possess a minimal user interface, there is a need for bootstrapping methods with which users can effortlessly connect their smart IoT devices to the networks and services. Nimble out-of-band authentication for Extensible Authentication Protocol (EAP-NOOB) is one such secure bootstrapping method. It is a new EAP authentication method for the IEEE 802.1X/EAP authentication framework. The protocol does not assume or require any pre-configured authentication credentials such as symmetric keys or certificates. Instead, the authentication credentials, along with the user's ownership of the device, are established during the bootstrapping process. The primary goal of this thesis is to study and implement the draft specification of the EAP-NOOB protocol in order to evaluate the working of EAP-NOOB in real-world scenarios. During our implementation and testing of the initial prototype for EAP-NOOB, we discovered several issues in the protocol. In this thesis, we propose a suitable solution for each of the problems identified and also verify the solutions through implementation and testing. The main results of this thesis work are various enhancements and clarifications to the EAP-NOOB protocol specification. The results consequently aid the standardisation of the protocol at the IETF. We also design and implement several additional features for EAP-NOOB to enhance the user experience.