无线安全网关访问控制系统的研究
|
摘要
近年来,无线局域网得到了迅速的发展,并且已应用到社会生活的各个方面。但是,无线局域网的开放性使其没有明确的边界,攻击者无需物理连接就能获取网络的相关信息并对其进行攻击,无线局域网的安全问题已经成为业界关心的重大问题。
本文首先介绍了无线局域网的发展历史,以及它的优缺点,并且还介绍了无线局域网所面临的安全威胁以及安全要求,同时分析了无线局域网标准IEEE802.11在安全方面存在的隐患,并且介绍了802.11i任务组提出的解决方案。
接下来,本文研究了IEEE802.1X协议,该协议作为一种基于端口的认证技术非常适用于无线局域网环境,可以很好地解决无线局域网在认证方面存在的问题。同时,本文还对Linux操作系统提供的Netfilter框架技术进行了研究,理解其工作原理,掌握其提供的强大的数据包过滤功能。
最后,结合实际应用中的需求,设计和实现了一套集成在无线安全网关中的访问控制系统。该访问控制系统提供了本地认证与远程认证两种认证方式,并采用了逻辑端口而非物理端口来实现对用户的接入控制。
In recent years, wireless local area networks (WLAN) have rapidly developed, and have been applied to many aspects of society and daily life. But, the opening transmission channel makes that there is no clear border in WLAN, and the intruder can get the information of WLAN and intrude it without physical connection. The security of WLAN has become a major issue in the industry.
Firstly, this thesis introduces the history of WLAN, its advantage and disadvantage, and analyzes threat and demand to it in security aspect. At the same time, this paper also analyzes IEEE802.11 protocol's weakness from security aspect, and introduces security scheme put forward by 802.11i task group.
Secondly, this article studies IEEE802.1X protocol, which is a kind of port-based authentication technique. This technique is so applicable to WLAN because it can solve the authentication problem in WLAN. In the meantime, this article also studies Netfilter technique provided by Linux operation system to understand its work principle and master its strong data packet filter function.
In the end, considering the actual application demands, we design and develop a set of access control system integrated into wireless security gateway. This system provides two authentication ways of local authentication and remote authentication, and uses a logical rather than physical port to achieve connection control to users.
本文首先介绍了无线局域网的发展历史,以及它的优缺点,并且还介绍了无线局域网所面临的安全威胁以及安全要求,同时分析了无线局域网标准IEEE802.11在安全方面存在的隐患,并且介绍了802.11i任务组提出的解决方案。
接下来,本文研究了IEEE802.1X协议,该协议作为一种基于端口的认证技术非常适用于无线局域网环境,可以很好地解决无线局域网在认证方面存在的问题。同时,本文还对Linux操作系统提供的Netfilter框架技术进行了研究,理解其工作原理,掌握其提供的强大的数据包过滤功能。
最后,结合实际应用中的需求,设计和实现了一套集成在无线安全网关中的访问控制系统。该访问控制系统提供了本地认证与远程认证两种认证方式,并采用了逻辑端口而非物理端口来实现对用户的接入控制。
In recent years, wireless local area networks (WLAN) have rapidly developed, and have been applied to many aspects of society and daily life. But, the opening transmission channel makes that there is no clear border in WLAN, and the intruder can get the information of WLAN and intrude it without physical connection. The security of WLAN has become a major issue in the industry.
Firstly, this thesis introduces the history of WLAN, its advantage and disadvantage, and analyzes threat and demand to it in security aspect. At the same time, this paper also analyzes IEEE802.11 protocol's weakness from security aspect, and introduces security scheme put forward by 802.11i task group.
Secondly, this article studies IEEE802.1X protocol, which is a kind of port-based authentication technique. This technique is so applicable to WLAN because it can solve the authentication problem in WLAN. In the meantime, this article also studies Netfilter technique provided by Linux operation system to understand its work principle and master its strong data packet filter function.
In the end, considering the actual application demands, we design and develop a set of access control system integrated into wireless security gateway. This system provides two authentication ways of local authentication and remote authentication, and uses a logical rather than physical port to achieve connection control to users.
引文
[1] 牛伟,郭世泽。无线局域网。北京:人民邮电出版社,2003:1-2
[2] 刘乃安。无线局域网(WLAN)—原理、技术与应用。西安:西安电子科技大学出版社,2004:1-2,386-388,420-421,433-434
[3] 钟章队。无线局域网。北京:科学出版社,2004:1-3
[4] 汪海洋,杨龙祥。谈无线局域网。现代通信,2001年第8期:9-10
[5] [美]Jim Geier著。王群,李馥娟译。无线局域网。北京:人民邮电出版社,2001:5-7,24-26
[6] [英]乔恩.爱德尼,[美]威廉·阿尔保著。周正等译。无线局域网安全务实-WPA与802.11i,人民邮电出版社,2006:47-49,51-60,87-91
[7] 刘小花,张凤。无线局域网安全技术分析。广西通信技术。2004年第2期:24-25
[8] 黄敏,鲜明,肖顺平。对WLAN安全机制的攻击研究。网络安全技术与应用。2003年第12期:25-28
[9] 马建峰,朱建明。无线局域网安全—方法与技术。北京:机械工业出版社,2005:25-28
[10] Sean Whalen. Analysis of WEP and RC4 Algorithms. http://www.chocobospore.org.March,2002
[11] Nikita Borisov, IanGoldberg, David Wagner. Intercepting Mobile Communications The Insecurity of 802.11
[12] 曹秀英 耿嘉 沈平。无线局域网安全系统。北京:电子工出版社,2004:31-32,40-41,71-72,85-86
[13] 聂武超,张彦兴。802.1X认证技术分析。华为技术报,2002年第2期:26-28
[14] 王璐,曹秀英。EAP协议及其应用。通信技术。2002年第七期:30-34
[15] 802.1X Authentication. http://msdn.microsoft.com/library/default.asp
[16] C.Rigney. Willens, A.Rubens, W.Simpson. “Remote Authentication Dial In User Service (RADIUS)”, RFC2865, June2000:23-26
[17] B.Aboba, D.Simon, Microsoft. PPP EAP TLS Authentication Protocol, IETF RFC2716, OCT1999:8-10
[18] 刘少兵,麦永浩,周德新。802.1X协议在无线局域网接入点中的实现。计算机与现代化,2004年第11期:57-60
[19] Wireless LAN Security Interoperability Lab. What are Your EAP Authentication Options. Whitpapers, 2002:1-4
[20] 王曼珠,周亮。基于RADIUS/EAP的WLAN认证机器安全性分析。西安:电子科技大学学报。2005,34(2):169-171
[21] C, Rigney et al.,“RADIUS Extensions”, Network Working Group RFC2869, Jun2000:32-36
[22] Dierks, Tim, Christopher Allen. The TLS Protocol Version 1.0.IETF RFC2246.1999.1
[23] 胡安磊,周大水,李大兴。Linux中Netfilter/iptables的应用研究。计算机应用软件,2004,10:30-32
[24] 聂钢。基于Netfilter的IP包过滤技术。信息技术,2004,10:16-18
[25] 岳新。Linux2.4内核下基于Netfilter框架可扩展性研究与实现。哈尔滨理工大学,2005:23
[2] 刘乃安。无线局域网(WLAN)—原理、技术与应用。西安:西安电子科技大学出版社,2004:1-2,386-388,420-421,433-434
[3] 钟章队。无线局域网。北京:科学出版社,2004:1-3
[4] 汪海洋,杨龙祥。谈无线局域网。现代通信,2001年第8期:9-10
[5] [美]Jim Geier著。王群,李馥娟译。无线局域网。北京:人民邮电出版社,2001:5-7,24-26
[6] [英]乔恩.爱德尼,[美]威廉·阿尔保著。周正等译。无线局域网安全务实-WPA与802.11i,人民邮电出版社,2006:47-49,51-60,87-91
[7] 刘小花,张凤。无线局域网安全技术分析。广西通信技术。2004年第2期:24-25
[8] 黄敏,鲜明,肖顺平。对WLAN安全机制的攻击研究。网络安全技术与应用。2003年第12期:25-28
[9] 马建峰,朱建明。无线局域网安全—方法与技术。北京:机械工业出版社,2005:25-28
[10] Sean Whalen. Analysis of WEP and RC4 Algorithms. http://www.chocobospore.org.March,2002
[11] Nikita Borisov, IanGoldberg, David Wagner. Intercepting Mobile Communications The Insecurity of 802.11
[12] 曹秀英 耿嘉 沈平。无线局域网安全系统。北京:电子工出版社,2004:31-32,40-41,71-72,85-86
[13] 聂武超,张彦兴。802.1X认证技术分析。华为技术报,2002年第2期:26-28
[14] 王璐,曹秀英。EAP协议及其应用。通信技术。2002年第七期:30-34
[15] 802.1X Authentication. http://msdn.microsoft.com/library/default.asp
[16] C.Rigney. Willens, A.Rubens, W.Simpson. “Remote Authentication Dial In User Service (RADIUS)”, RFC2865, June2000:23-26
[17] B.Aboba, D.Simon, Microsoft. PPP EAP TLS Authentication Protocol, IETF RFC2716, OCT1999:8-10
[18] 刘少兵,麦永浩,周德新。802.1X协议在无线局域网接入点中的实现。计算机与现代化,2004年第11期:57-60
[19] Wireless LAN Security Interoperability Lab. What are Your EAP Authentication Options. Whitpapers, 2002:1-4
[20] 王曼珠,周亮。基于RADIUS/EAP的WLAN认证机器安全性分析。西安:电子科技大学学报。2005,34(2):169-171
[21] C, Rigney et al.,“RADIUS Extensions”, Network Working Group RFC2869, Jun2000:32-36
[22] Dierks, Tim, Christopher Allen. The TLS Protocol Version 1.0.IETF RFC2246.1999.1
[23] 胡安磊,周大水,李大兴。Linux中Netfilter/iptables的应用研究。计算机应用软件,2004,10:30-32
[24] 聂钢。基于Netfilter的IP包过滤技术。信息技术,2004,10:16-18
[25] 岳新。Linux2.4内核下基于Netfilter框架可扩展性研究与实现。哈尔滨理工大学,2005:23