22nd Internacionalna Naučno-Stručna Konferencija Informacione Tehnologije 2017

Improving the Security of Access to Network Resources Using the 802.1x Standard in Wired and Wireless Environments

S. Kovačić, E. Đulić, and A. Šehidić

Abstract – Unauthorized access to network resources in a typical TCP/IP network can be achieved in a simple way. Once a user (attacker) has access to the local area network, he may, knowingly or unknowingly, attack the servers, eavesdrop on the network, run various malicious programs or launch Denial of Service (DoS) attacks. 802.1x allows us to solve this problem in both the wireless and the wired environment. When 802.1x is used to control access at the network edge, the network administrator can easily detect unauthorized access, and authorization is performed by a central authentication server. In order to use the standard, both the 802.1x client and the switch must support it.

Key words — IEEE 802.1x, Security, Network.

I. INTRODUCTION

We are relying solely on the physical security of network access to limit the possibility of eavesdropping in a switched network environment. However, an unauthorized user can use Address Resolution Protocol (ARP) redirection to trick the switch and carry out an eavesdropping attack. In this way an unauthorized user can gain access to the computer network of an institution and attack the resources located in its corporate network, such as printers, internal web servers and other devices. Securing the DHCP servers can partially solve this problem, but it does not prevent an unauthorized user from manually assigning himself an unused IP address and executing the attack. Implementing 802.1x in the network environment allows us to solve the above problems: every user must authenticate himself to gain access to the network. IEEE 802.1x is a standard defined by the Institute of Electrical and Electronics Engineers (IEEE) that provides port-based network access control [1]. Port-based access control allows the system administrator to restrict unauthorized users' access to LAN services. The IEEE 802.1X standard defines the architecture, protocols and functional elements that are used for authentication between the client and the switch port to which it is physically connected [1], [2].

S. Kovačić, University Information Centre, "Džemal Bijedić" University of Mostar, University Campus bb, 88104 Mostar, Bosnia and Herzegovina (phone: 387-36-281040; e-mail: [email protected]).
E. Đulić, Faculty of Information Technologies, "Džemal Bijedić" University of Mostar, University Campus bb, 88104 Mostar, Bosnia and Herzegovina (phone: 387-62-006391; e-mail: [email protected]).
A. Šehidić, Faculty of Information Technologies, "Džemal Bijedić" University of Mostar, University Campus bb, 88104 Mostar, Bosnia and Herzegovina (phone: 387-36-281164; e-mail: [email protected]).

II. ELEMENTS OF THE 802.1X ENVIRONMENT

The 802.1x standard provides Layer 2 (L2) access control by validating the user or device that attempts to access a physical port, usually on a switch, access point or other network edge device. The basic 802.1x mechanism consists of three components: the supplicant, the authenticator, and the authentication server. The supplicant is the client device that is trying to access network resources; it may be a desktop computer, notebook, tablet, smartphone or any other device that needs access to network resources. The authenticator is the device that intercepts the supplicant's request for access to network resources; it is frequently a switch, access point or other network edge device. The authentication server compares the client (supplicant) identity with the credentials stored in its database. If the credentials and the supplicant's identity match, the client is granted access to network resources. The Port Access Entity (PAE) refers to the authentication algorithms and the associated physical port on the network device. The PAE is the 802.1x logical component of the supplicant and of the authenticator that exchanges EAP messages. The Extensible Authentication Protocol (EAP) is used between the client and the authenticator. Depending on the type of media used to transfer the EAP messages, different types of encapsulation are used:
▪ EAP over LAN (EAPOL): this encapsulation is used for transmission over LAN media such as Ethernet, FDDI or Token Ring.
▪ EAP over Wireless (EAPOW): this describes how the packets are encapsulated when they are sent over wireless networks [3]-[4].
802.1x supports three authentication modes: single, single-secure and multiple.
In single authentication mode only the first client that sends an authentication request is allowed on the port. In single-secure mode only one user can be authenticated and access network resources; other users cannot be authenticated until the first user ends its network session. Multiple mode is most often used when more than one client device must connect to a physical port, but each device authenticates individually. RADIUS is commonly used as the authentication server. It provides secure authentication and can easily be connected with other identity databases within the organization, such as LDAP and Active Directory, so that existing user credentials can be reused.

III. AUTHENTICATION PROCESS WITH 802.1X

The client and the switch or access point must support 802.1x, and the standard has to be enabled before the authentication process can start. Before any traffic, including DHCP traffic, is allowed on the network, the client must have successfully completed the authentication process. Before authentication, the only messages accepted from the client are EAP messages, which are forwarded to the authentication server. The authenticator's PAE is set to the uncontrolled state, as shown in Figure 1: Before 802.1x authentication; in this state all other network services are disabled.

[Figure 1: Before 802.1x authentication. Supplicant, Authenticator, Authentication Server; on the unauthenticated port only EAPoL is allowed, while DHCP and HTTP are not allowed.]

After the 802.1x client is turned on, it starts sending EAP messages to the switch or, in the wireless environment, to the access point. The network device (switch or access point) forwards the client's request to the authentication server. The authentication server verifies the received access data and sends its response to the switch, which decides whether the port from which the message came remains in the uncontrolled state (access denied) or changes to the controlled state (access granted). If the authentication server answers "access granted", the port to which the client is connected changes to the controlled state and only then are network services enabled, as shown in Figure 2: After 802.1x authentication; otherwise the port remains in the uncontrolled state and, depending on the network equipment, can be disabled.

However, if during boot-up the client does not receive an EAP-Request/Identity frame from the authenticator, the client can initiate the authentication process itself by sending an EAPOL-Start frame. This frame prompts the switch or access point to request the identity from the supplicant. When the supplicant supplies its identity, the authenticator exchanges EAPOL directly with the supplicant until authentication succeeds or fails. If authentication succeeds, the port becomes authorized; if it fails, the port becomes unauthorized. When the client no longer needs the network, it sends an EAPOL-Logoff packet to terminate its 802.1x session, and the port state becomes unauthorized again. Figure 3: 802.1x Authentication message flow shows the EAPOL exchange as a ping-pong chart.

[Figure 3: 802.1x Authentication message flow. Supplicant <-> Authenticator: EAPoL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request-Challenge (MD5), EAP-Response-Challenge (MD5). Authenticator <-> Authentication Server: Radius-Access-Request, Radius-Access-Challenge, Radius-Access-Request. Outcomes: Radius-Access-Accept, EAP-Success, Port authorized (Authentication success); Radius-Access-Reject, EAP-Fail, Port unauthorized (Authentication fail); EAPoL-Logoff, Port unauthorized (Authentication terminated).]
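The exchange of Figure 3, as an added example that is not part of the paper: a small Python simulation in which a supplicant, an authenticator and an authentication server object pass each other the EAP and RADIUS messages of the figure, while the authenticator gates DHCP and HTTP on its port state and handles EAPOL-Logoff. The challenge method is EAP-MD5, as drawn in the figure, computed as RFC 3748 specifies; the user database, names and password are constructed for the example, and the stronger methods the paper discusses later (PEAP, EAP-TLS) are not modelled.

```python
"""802.1x authentication message flow (Figure 3) as an in-process simulation.

Added example, not the paper's code.  Three objects play the supplicant, the
authenticator (a switch or AP port) and the RADIUS authentication server.
The challenge method is EAP-MD5, as drawn in the figure, computed as in
RFC 3748: MD5(identifier || password || challenge).  The user database and
all names are constructed for the example.
"""
import hashlib
import hmac
import os

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


def md5_response(eap_id, password, challenge):
    """EAP-MD5 response digest (CHAP style, RFC 3748 section 5.4)."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()


class Supplicant:
    """Client side: answers the EAP requests relayed by the authenticator."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, request):
        if request["type"] == "Request/Identity":
            return {"type": "Response/Identity", "id": request["id"],
                    "identity": self.identity}
        if request["type"] == "Request/MD5-Challenge":
            digest = md5_response(request["id"], self.password, request["challenge"])
            return {"type": "Response/MD5-Challenge", "id": request["id"],
                    "digest": digest}
        raise ValueError("unsupported EAP request " + request["type"])


class AuthenticationServer:
    """RADIUS side: owns the credential database and outstanding challenges."""

    def __init__(self, users):
        self.users = users        # identity -> password (constructed sample data)
        self.pending = {}         # identity -> (eap_id, challenge)

    def access_request(self, identity, eap):
        reject = {"radius": "Access-Reject", "eap": {"type": "Failure"}}
        if eap["type"] == "Response/Identity":
            if identity not in self.users:
                return reject
            challenge, eap_id = os.urandom(16), eap["id"] + 1
            self.pending[identity] = (eap_id, challenge)
            return {"radius": "Access-Challenge",
                    "eap": {"type": "Request/MD5-Challenge", "id": eap_id,
                            "challenge": challenge}}
        if eap["type"] == "Response/MD5-Challenge":
            eap_id, challenge = self.pending.pop(identity, (None, None))
            if challenge is not None and eap["id"] == eap_id:
                expected = md5_response(eap_id, self.users[identity], challenge)
                if hmac.compare_digest(expected, eap["digest"]):
                    return {"radius": "Access-Accept", "eap": {"type": "Success"}}
        return reject


class Authenticator:
    """Switch/AP port: relays EAP to the server, gates traffic on port state."""

    def __init__(self, server):
        self.server = server
        self.port_state = UNAUTHORIZED
        self.identity = None      # User-Name learned from EAP-Response/Identity

    def allows(self, protocol):
        """Before authentication only EAPoL passes; DHCP/HTTP are dropped."""
        return protocol == "EAPoL" or self.port_state == AUTHORIZED

    def relay(self, response):
        if response["type"] == "Response/Identity":
            self.identity = response["identity"]
        reply = self.server.access_request(self.identity, response)
        if reply["radius"] == "Access-Accept":
            self.port_state = AUTHORIZED
        elif reply["radius"] == "Access-Reject":
            self.port_state = UNAUTHORIZED
        return reply

    def logoff(self):
        """EAPoL-Logoff terminates the session: port back to unauthorized."""
        self.port_state = UNAUTHORIZED
        self.identity = None


def run_session(supplicant, authenticator):
    """Drive one exchange; return the message trace in Figure 3 order."""
    trace = ["EAPoL-Start", "EAP-Request/Identity"]
    eap = {"type": "Request/Identity", "id": 1}
    while True:
        response = supplicant.handle(eap)
        trace += ["EAP-" + response["type"], "Radius-Access-Request"]
        reply = authenticator.relay(response)
        eap = reply["eap"]
        trace += ["Radius-" + reply["radius"], "EAP-" + eap["type"]]
        if eap["type"] in ("Success", "Failure"):
            return trace


if __name__ == "__main__":
    port = Authenticator(AuthenticationServer({"alice": "correct horse"}))
    print(port.allows("DHCP"))                                  # unauthorized port: False
    print(run_session(Supplicant("alice", "correct horse"), port))
    print(port.port_state, port.allows("DHCP"))                 # authorized True
```

A wrong password or an unknown identity ends the loop with Radius-Access-Reject and EAP-Failure and leaves the port unauthorized, so `allows("DHCP")` stays False, which is exactly the uncontrolled state the paper describes before authentication.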

IV. EAP MESSAGE FORMAT

EAP over LAN (EAPoL) is an encapsulation technique used to protect the communication between the client and the authenticator (switch or access point). EAPoL protects only the communication that occurs before authentication. EAP methods define the message format used for communication between the supplicant and the authentication server. Some of them, such as LEAP, are not commonly used because of their weaknesses, but there are strong EAP methods such as EAP-TLS, PEAP and EAP-TTLS. Each of these methods protects the credentials sent from the supplicant to the authentication server in a different way. Protected Extensible Authentication Protocol (PEAP) and its variants are widely used; one of them, PEAP-MSCHAPv2, is popular with Windows clients. EAP-TLS uses both client and server certificates, which are presented and verified whenever communication is established. However, because of the cost of certificates for individuals and small organizations, EAP-TLS is not used frequently. EAP-TTLS creates a secure, encrypted tunnel through which the switch passes the EAP messages; in this case client-side certificates are optional, which has made this message format very popular.

[Figure 2: After 802.1x authentication. Supplicant, Authenticator, Authentication Server; on the authorized port EAPoL, DHCP and HTTP are all allowed.]

Figure 4: EAP message frame shows the layout of an EAPoL frame. Field lengths are given in bytes:

  MAC Header:   Destination Address (6) | Source Address (6) | Eth Type (2)
  EAPoL:        Version (1) | Packet type (1) | Packet Body Length (2) | Packet Body (variable)
  Trailer:      FCS (4)
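A parser for the frame layout of Figure 4, added here as an example and not taken from the paper: it splits the MAC header and the EAPoL header fields, decodes the EAP header carried in the Packet Body of an EAP-Packet, and rejects frames whose declared lengths do not match the bytes present, which is the check that protects an authenticator from the malformed Identity responses described in Section VII. The EtherType and the type codes are those defined by IEEE 802.1X and RFC 3748; the sample frames are constructed, and the FCS is absent because the NIC strips it before capture.

```python
"""Parser for the EAPoL frame layout in Figure 4 (Ethernet header, then
Version / Packet type / Packet Body Length / Packet Body) plus the EAP
header the body carries when the packet type is EAP-Packet.

Added example, not the paper's code.  EtherType 0x888E, the EAPOL packet
types and the EAP codes/types are the values defined by IEEE 802.1X and
RFC 3748; the sample frames are constructed.  The FCS is stripped by the
NIC before capture, so it is not part of the parsed bytes.
"""
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


class FrameError(ValueError):
    """Raised for frames that do not match the declared layout."""


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_eap(body):
    """EAP header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(body) < 4:
        raise FrameError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise FrameError("EAP length %d inconsistent with %d body bytes" % (length, len(body)))
    eap = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident, "length": length}
    if code in (1, 2):                       # Request/Response carry a Type byte
        if length < 5:
            raise FrameError("EAP Request/Response without Type field")
        eap["type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
        eap["data"] = body[5:length]
    return eap


def parse_eapol_frame(frame):
    """Split an Ethernet frame into the Figure 4 fields, validating lengths."""
    if len(frame) < 18:                      # 14-byte MAC header + 4-byte EAPoL header
        raise FrameError("frame too short for an EAPOL header")
    dst, src, eth_type = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if eth_type != EAPOL_ETHERTYPE:
        raise FrameError("EtherType 0x%04x is not EAPOL" % eth_type)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise FrameError("Packet Body Length %d but only %d bytes present" % (body_len, len(body)))
    parsed = {"dst": mac_str(dst), "src": mac_str(src), "version": version,
              "packet_type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype),
              "body_length": body_len}
    if ptype == 0:
        parsed["eap"] = parse_eap(body)
    return parsed


def frame_error(frame):
    """Return the FrameError message for a bad frame, or None if it parses."""
    try:
        parse_eapol_frame(frame)
        return None
    except FrameError as exc:
        return str(exc)


def build_eapol_frame(dst, src, ptype, body=b"", version=2):
    """Inverse of the parser; used here only to construct the sample frames."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, ptype, len(body)) + body


# Constructed sample frames: the 802.1X PAE group address and a made-up client MAC.
PAE_GROUP = bytes.fromhex("0180c2000003")
CLIENT = bytes.fromhex("020000aabbcc")
START_FRAME = build_eapol_frame(PAE_GROUP, CLIENT, 1)
IDENTITY_RESPONSE = build_eapol_frame(
    PAE_GROUP, CLIENT, 0,
    struct.pack("!BBHB", 2, 1, 4 + 1 + len(b"alice"), 1) + b"alice")
# Malformed: the EAPoL header declares 200 body bytes but only 5 follow.
TRUNCATED = PAE_GROUP + CLIENT + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, 0, 200) \
    + b"\x02\x01\x00\x05\x01"
# Malformed: EAPoL length is consistent, but the inner EAP length (200) is not.
BAD_EAP_LENGTH = build_eapol_frame(PAE_GROUP, CLIENT, 0, b"\x02\x01\x00\xc8\x01")
```

`parse_eapol_frame(IDENTITY_RESPONSE)` yields an EAP Response of type Identity with data `b"alice"`, while both malformed frames are reported through `frame_error` rather than being trusted; an authenticator that validates the two length fields independently, as the parser does, never reads past the bytes it actually received.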


V. BENEFITS OF 802.1X IMPLEMENTATION

802.1X is an IEEE standard originally published many years ago, and as a result it is supported by almost all of today's network infrastructure devices, such as managed switches, wireless access points and controllers. Implementing the 802.1x standard offers many advantages in combination with the supported network technology, but there are also some limitations or disadvantages. Some of the advantages are:

VLAN Assignment: This feature allows authorized users to join a pre-configured VLAN. The name-to-VLAN mapping is maintained on the authentication server, so ports authenticated with 802.1x are assigned to a VLAN based on the user's identity.

Port Security: This option restricts a port so that only a specific Media Access Control (MAC) address is enabled on it, while all other addresses have no access to the network. This eliminates the risk that additional users gain access to the switch without authentication.

Guest VLAN: This feature assigns the devices of users who try to connect to the network without 802.1x to a Guest VLAN.

ACL Assignment: An Access Control List (ACL) can be dynamically assigned to each interface based on the 802.1x user authentication. This allows certain users to be denied access to some network segments, such as servers, or to specific protocols or applications.

Encryption of Wireless Keys: The IEEE 802.1x standard enables encrypted communication over wireless networks using dynamic keying. The authentication server is responsible for providing keys to both sides, the authenticator and the supplicant, so that dynamic WPA/WPA2 security can be used [5].

Strong Authentication: The standard (802.1x) uses EAPoL for advanced user authentication mechanisms. EAPoL supports different authentication mechanisms, which gives the organization the flexibility to implement the best solution for its environment.

Secure Access Control: Network security is further enhanced with 802.1x because authentication is forced to happen before any access to the network is allowed. All ports on a switch, or access points on a wireless network, can be configured to remain in the unauthorized state until authentication is successfully completed. This helps to ensure that only authorized users and devices are allowed to access network resources.

VI. HOW 802.1X CAN HELP

The IEEE 802.1x standard for port-based authentication is typically used in large networks, both wired and wireless, and is commonly found in campus or enterprise networks.
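The VLAN Assignment feature of Section V is realised by attributes that the authentication server returns in the RADIUS Access-Accept. The following added example (not from the paper) builds such a reply as a server would and shows the check a switch performs before acting on it: the Response Authenticator binds the reply to the switch's own request, so a captured Access-Accept replayed against a later request (the 802.1x RADIUS Replay attack of Section VII) or a reply with an altered VLAN is discarded. Attribute numbers and the authenticator formula follow RFC 2865 and RFC 2868; the shared secret, identities and VLAN ids are constructed. Real EAP replies also carry the EAP-Message and Message-Authenticator attributes, which are omitted here.

```python
"""Dynamic VLAN assignment via RADIUS (Section V, "VLAN Assignment") and the
check an authenticator performs on the reply before trusting it.

Added example, not the paper's code.  Packet and attribute layouts follow
RFC 2865/2868: Tunnel-Type 64 = VLAN(13), Tunnel-Medium-Type 65 = IEEE-802(6),
Tunnel-Private-Group-ID 81.  The shared secret, identities and VLAN numbers
are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
VLAN, IEEE_802 = 13, 6


def attr(atype, value):
    """RADIUS attribute TLV: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id, tag=1):
    """The three attributes a switch needs to place the port in a VLAN."""
    return (attr(TUNNEL_TYPE, tagged_int(tag, VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, IEEE_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_packet(code, ident, authenticator, attributes):
    """RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16)."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_reply(request_auth, ident, identity, secret, user_vlans):
    """Authentication server: Access-Accept with the user's VLAN, or Reject."""
    if identity in user_vlans:
        code, attributes = ACCESS_ACCEPT, vlan_attributes(user_vlans[identity])
    else:
        code, attributes = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return build_packet(code, ident, auth, attributes)


def parse_attributes(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def authenticator_decide(reply, request_auth, ident, secret):
    """Switch side: verify the reply belongs to *our* request, then read the VLAN.

    Returns ("authorized", vlan), ("unauthorized", None) or ("discarded", None).
    Every request carries a fresh random Request Authenticator, so a captured
    Access-Accept replayed against a later request fails the digest check.
    """
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return ("discarded", None)
    attributes = reply[20:]
    expected = response_authenticator(code, rid, attributes, request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return ("discarded", None)
    if code != ACCESS_ACCEPT:
        return ("unauthorized", None)
    attrs = dict(parse_attributes(attributes))
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    vlan = None                       # no tunnel attributes: port keeps its default VLAN
    if (attrs.get(TUNNEL_TYPE, b"")[1:] == VLAN.to_bytes(3, "big")
            and attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == IEEE_802.to_bytes(3, "big")
            and group[1:].isdigit()):
        vlan = int(group[1:])
    return ("authorized", vlan)


def demo():
    """Accept for a known user, then the same reply replayed against a new request."""
    secret, user_vlans = b"constructed-shared-secret", {"alice": 20, "bob": 30}
    req_auth, ident = os.urandom(16), 7
    reply = server_reply(req_auth, ident, "alice", secret, user_vlans)
    return (authenticator_decide(reply, req_auth, ident, secret),
            authenticator_decide(reply, os.urandom(16), ident, secret))
```

`demo()` returns `(("authorized", 20), ("discarded", None))`: the first decision places the port in VLAN 20 as the VLAN Assignment feature describes, the second shows why a recorded Access-Accept is useless against a switch that checks the Response Authenticator.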

A. Simplified management

This protocol allows certificates and/or user access credentials to be used to authenticate access to network resources. This method is much easier to scale than other authentication methods such as pre-shared keys (PSK) on wireless networks. The IEEE 802.1x standard allows the use of certificates (EAP-TLS) or user access credentials (EAP-MSCHAPv2). This is good news for system administrators, since everything can be managed from one place. The standard can use existing infrastructure such as a Microsoft domain environment, with the users, passwords and groups located in Active Directory. It is also possible to use open source services such as OpenLDAP and FreeRADIUS to provide user authentication when network resources are accessed. Because 802.1x relies on these existing databases, deployment and administration of the system are simplified.

B. Easier to use

From the user's perspective this standard is easy to use: when accessing network resources the user is prompted to enter credentials. This usually happens only once, and the user is not bothered again until the password or certificate changes. The 802.1x authentication process is performed once on the user side, and after that the rest of the process occurs in the background, unlike captive portals that require logging in again every so often. When certificate authentication is used, the device that authenticates presents itself to the authentication server, and the client and server present their certificates to each other for verification. The entire process is invisible to the end user and allows devices to be used smoothly.

C. Supported devices

Almost all devices on the market that can connect to a wireless network support the 802.1x standard. Some printers and other devices may be excluded from this type of authentication, but most recent ones support 802.1x. Support for 802.1x can be found in all Windows OS versions, while MacOS supports the standard from its eighth generation. Most of the well-known Android and iOS mobile phones, tablets and other smart devices have native support for the IEEE 802.1x standard.

D. Scalability

Users, certificates, devices and other profiles can be managed from one place, and roles can be assigned to groups in a simplified and automated way.

E. Security

With 802.1x, authentication keys are exchanged between the device and the server for verification, and all keys are individual and not shared as PSKs are. Using 802.1x authentication in conjunction with AES encryption ensures that the keys are well protected from being hacked. If the wireless network supports CoA, it is possible to block access to the network when a user's credentials or certificate change after logging in; the user is then automatically disconnected from the network. The attributes that the authentication server returns during authentication can be used to attach certain rules to the user, such as Student, Staff, Guest and the like. This allows network access rules to be applied by a properly configured wireless solution, which is commonly known as Role Based Access Control (RBAC).

F. Federation

Wireless scalability is a challenge in decentralized environments where many groups and departments run their own networks or manage their own accounts. Centralizing services to solve the problem is not always possible, and is often undesirable. Even highly decentralized groups can build a scalable, secure wireless network infrastructure via 802.1x and RADIUS. The only additional components required beyond those needed for standard 802.1x are a trust relationship between the RADIUS servers, a core that manages that trust relationship, and routing of authorization requests. The resulting collection of loosely connected networks is often called a federation. A federated network consists of several networks of participating countries that share some level of trust, while each member network retains its administrative control.

VII. ATTACKS IN THE 802.1X ENVIRONMENT

Wireless networks are much more accessible to an attacker than wired networks. For this reason, wireless networks offer more possibilities for attack. The IEEE 802.1x standard provides a strong authentication protocol, but because of its practical disadvantages it is used much more in wireless than in wired networks [6], [7]. Some of the attacks in the wireless environment are:

802.1x RADIUS Cracking: This attack attempts to discover, by brute force, the secret key used for 802.1x access requests to the authentication server, in order to set up an evil twin access point. An Evil Twin Access Point is a method of presenting a rogue access point as an authorized one; this access point is a lure for the users.

802.1x EAP Replay: In this case the attacker records 802.1x Extensible Authentication Protocol messages (e.g. EAP identity, successful and unsuccessful access attempts) for later replay. This method uses wireless capture and injection tools between the client and the access point.

802.1x RADIUS Replay: In this case the attacker tries to capture the authentication server's Access-Accept or Access-Reject messages for later replay.

802.1X Password Guessing: This attack uses a captured identity and repeatedly attempts 802.1x authentication in order to guess the user's password.

802.1x EAP-Start Flood: This attack floods an access point with EAP-Start messages to consume its resources or crash the target.

802.1x EAP-of-Death: This attack sends a malformed 802.1x EAP Identity response that causes some access points to crash.

VIII. CONCLUSION

In today's enterprise networks, security is the biggest challenge for all companies, cloud operators and other institutions. One of the big problems in building computer systems is limiting unauthorized access to network resources and avoiding errors in the implementation of computer systems and network resources. The IEEE 802.1x standard is preferred as a uniform way to protect access to resources and can be used for both wired and wireless networks. As discussed, 802.1x can solve the problem of access at the network edge: the network administrator can easily detect unauthorized access, and authorization is performed by a central authentication server. In order to use the standard, both the 802.1x client and the switch must support it. The standard can use existing infrastructure such as a Microsoft domain environment, with users, passwords and groups located in Active Directory or in other directory services such as LDAP or RADIUS. Wireless networks offer more possibilities for attack. The IEEE 802.1x standard provides a strong authentication protocol, but because of its practical disadvantages it is used much more in wireless than in wired networks.
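Two of the Section VII attacks, the EAP-Start Flood and Password Guessing, leave a rate signature that the authenticator itself can observe: many EAPOL-Start frames from one station, or many EAP failures for one identity. The following added example (not the paper's code) runs a sliding-window detector over such events; the event stream is constructed to resemble what a switch or access point would log, and the thresholds are illustrative values an operator would tune to the size of the network.

```python
"""Sliding-window detection of two Section VII attacks as seen from the
authenticator: an EAP-Start flood (many EAPOL-Start frames from one station)
and password guessing (many failed authentications for one identity).

Added example, not the paper's code.  Events are (timestamp, kind, station
MAC, identity) tuples such as a switch or AP would log; the event stream
below is constructed and the thresholds are illustrative.
"""
from collections import defaultdict, deque


class WindowCounter:
    """Counts events per key within the last `window` seconds."""

    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)

    def add(self, key, ts):
        """Record one event; True exactly when the key reaches the threshold."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                      # expire events outside the window
        return len(q) == self.threshold


class Dot1xMonitor:
    """Raises one alert per station when EAPOL-Start frames exceed the rate,
    and one per identity when EAP failures pile up without a success."""

    def __init__(self, start_window=10, start_threshold=20,
                 fail_window=60, fail_threshold=5):
        self.starts = WindowCounter(start_window, start_threshold)
        self.failures = WindowCounter(fail_window, fail_threshold)
        self.alerts = []

    def observe(self, ts, kind, station, identity=None):
        if kind == "EAPOL-Start" and self.starts.add(station, ts):
            self.alerts.append(("eap-start-flood", station, ts))
        elif kind == "EAP-Failure" and self.failures.add(identity, ts):
            self.alerts.append(("password-guessing", identity, ts))
        elif kind == "EAP-Success" and identity in self.failures.events:
            self.failures.events[identity].clear()   # a real login resets the count

    def run(self, events):
        for event in events:
            self.observe(*event)
        return self.alerts


# Constructed event stream (timestamps in seconds).
SAMPLE_EVENTS = (
    # 25 EAPOL-Start frames in 12 seconds from one station: a flood
    [(0.5 * i, "EAPOL-Start", "02:00:00:00:00:01", None) for i in range(25)]
    # a normal client that starts once and authenticates
    + [(5.0, "EAPOL-Start", "02:00:00:00:00:02", None),
       (5.4, "EAP-Success", "02:00:00:00:00:02", "alice")]
    # six failures for the same identity within a minute: guessing
    + [(10.0 + 2 * i, "EAP-Failure", "02:00:00:00:00:03", "bob") for i in range(6)]
    # bob then logs in correctly; one later failure is not an alert
    + [(30.0, "EAP-Success", "02:00:00:00:00:03", "bob"),
       (40.0, "EAP-Failure", "02:00:00:00:00:03", "bob")]
)

if __name__ == "__main__":
    for alert in Dot1xMonitor().run(SAMPLE_EVENTS):
        print(alert)
```

Running the monitor over the sample stream produces one flood alert for the first station at the moment its 20th EAPOL-Start falls inside the window and one guessing alert for `bob` at the fifth failure; the legitimate client and the single failure after a successful login stay silent. Alerting on the crossing rather than on every event keeps a continuing flood from drowning the log in duplicate alerts.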

REFERENCES

[1] IEEE 802.1x Standard, Port-Based Network Access Control, http://standards.ieee.org/getieee802/download/802.1X-2010.pdf
[2] 802.1X and NAC: Best Practices for Effective Network Access Control.
[3] M. Younus, "Wired 802.1x security", SANS Institute, 2000-2005.
[4] P. Ding, J. Holliday, A. Celik, Improving the security of wireless LANs by managing 802.1x disassociation, 2004.
[5] N. Hermaduanti, I. Riadi, Automation framework for rogue access point mitigation in IEEE 802.1X-based WLAN, 2016.
[6] S. H. Ahmadpanah, A. J. Chashmi, A. Ameri, WLAN Security and Applied Research in 802.1x Protocol, 2016.
[7] S. Behal, K. Kumar, Characterization and Comparison of DDoS Attack Tools and Traffic Generators - A Review, 2016.
