This document summarizes a thesis on designing a secure wireless enterprise network architecture for the Department of Defense. The thesis analyzed requirements for confidentiality, integrity and availability from DoD security directives. It also examined the built-in security mechanisms of the IEEE 802.11 wireless networking standard, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and 802.11i. To meet DoD requirements, the thesis proposed a defense-in-depth architecture with: 1) a segregated and secured wired network, 2) wireless infrastructure outside the wired network perimeter, and 3) end-to-end security extending from the wired to wireless networks. It also explored additional security techniques like virtual private
Complexity Versus Comprehendability: Simplifying Wireless SecurityOlivia Moran
This paper will follow the use of unsecured wireless networks in the city of Derry. Derry established a city wide open access network in 2008, thereby providing ideal conditions for the study of security issues pertaining to unsecured open access networks.
The paper will attempt to uncover the
reasoning behind the failure of individuals to take suitable security measures in light of threats that exist.
Wireless Networks Security in Jordan: A Field StudyIJNSA Journal
- The document summarizes a study that evaluated the security of wireless networks in Jordan through a process called "wardriving" where the researchers drove around with wireless network detection tools.
- The results found that the majority (79.52%) of wireless networks tested were unsecured and vulnerable. Most networks used either low levels of encryption (68.67%) or no encryption at all (11.45%).
- Nearly all networks broadcast the default SSID (92.17%), leaving them exposed to potential hackers since changing the SSID is a basic security precaution.
This document provides an overview of internet challenges in Iraq and potential solutions. It discusses Iraq's current internet infrastructure problems like outdated laws, poor backbone infrastructure, high bandwidth costs and few provider options. This results in low internet speeds and subscription rates. Technical solutions proposed include using licensed frequencies for fixed wireless access to increase speeds and ranges, and expanding wired fiber optic networks. The document also examines Iraq's autonomous system number which controls internet traffic flows and major providers. It recommends Iraq take steps to better control bandwidth, protect against cyberattacks, offer secure infrastructure and build internet exchange points to optimize local traffic.
Low-cost wireless mesh communications based on openWRT and voice over interne...IJECEIAES
Technology makes it easier for us to communicate over a distance. However, there are still many remote areas that find it difficult to communicate. This is due to the fact that communication infrastructure in some areas is expensive to build while the profit will be low. This paper proposes to combine voice over internet protocol (VoIP) over mesh network implemented on openWRT router. The routers are performing mesh functions. We set up a VoIP server on a router and enabled session initiation protocol (SIP) clients on other routers. Therefore, we only need routers as a means of communication. The experiment showed very good results, in the line-of-sight (LOS) condition, they are limited to reception distances up to 145 meters while in the non-lineof-sight (NLOS) condition, they are limited to reception distances up to 55 meters.
This document certifies that four students - Sumon Paul, MD. Arifur Rahman, MD. Jakir Hossain, and MD. Ariful Huq - from Stamford University successfully completed their honors project on "Implementation of WLAN Project" under the supervision of Tanbir Ibne Anower. The project focused on analyzing the technology within wireless networking and its characteristics.
Two industry trends are converging - 802.11ac and the need for personalizing user’s mobile experiences to deliver anytime, anywhere access without wreaking havoc on network operations and cost controls. This paper discuss two approaches for efficient WLAN design. Both let you integrate 802.11ac into your WLAN and help lay the foundation for future, high-speed technologies.
A WIRELESS NETWORK INFRASTRUCTURE ARCHITECTURE FOR RURAL COMMUNITIESijcsit
Wireless network implementation is a viable option for building network infrastructure in rural communities. Rural people lack network infrastructures for information services and socio-economic development. The aim of this study was to develop a wireless network infrastructure architecture for network services to rural dwellers. A user-centered approach was applied in the study and a wireless network infrastructure was designed and deployed to cover five rural locations. Data was collected and
analyzed to assess the performance of the network facilities. The results shows that the system had been performing adequately without any downtime with an average of 200 users per month and the quality of service has remained high. The transmit/receive rate of 300Mbps was thrice as fast as the normal Ethernet transmit/receive specification with an average throughput of 1 Mbps. The multiple output/multiple input
(MIMO) point-to-multipoint network design increased the network throughput and the quality of service experienced by the users.
The document summarizes a presentation on research challenges in networked systems. It discusses recommendations from an evaluation of ICT research in Norway, including better aligning research with industry needs. It also looks at past research topics from 2000 and potential future areas like cloud computing, cyber-physical systems, smart grids, and security. The presentation concludes that security issues will remain important and that energy efficiency is a grand challenge, requiring interdisciplinary collaboration to address complexity.
Complexity Versus Comprehendability: Simplifying Wireless SecurityOlivia Moran
This paper will follow the use of unsecured wireless networks in the city of Derry. Derry established a city wide open access network in 2008, thereby providing ideal conditions for the study of security issues pertaining to unsecured open access networks.
The paper will attempt to uncover the
reasoning behind the failure of individuals to take suitable security measures in light of threats that exist.
Wireless Networks Security in Jordan: A Field StudyIJNSA Journal
- The document summarizes a study that evaluated the security of wireless networks in Jordan through a process called "wardriving" where the researchers drove around with wireless network detection tools.
- The results found that the majority (79.52%) of wireless networks tested were unsecured and vulnerable. Most networks used either low levels of encryption (68.67%) or no encryption at all (11.45%).
- Nearly all networks broadcast the default SSID (92.17%), leaving them exposed to potential hackers since changing the SSID is a basic security precaution.
This document provides an overview of internet challenges in Iraq and potential solutions. It discusses Iraq's current internet infrastructure problems like outdated laws, poor backbone infrastructure, high bandwidth costs and few provider options. This results in low internet speeds and subscription rates. Technical solutions proposed include using licensed frequencies for fixed wireless access to increase speeds and ranges, and expanding wired fiber optic networks. The document also examines Iraq's autonomous system number which controls internet traffic flows and major providers. It recommends Iraq take steps to better control bandwidth, protect against cyberattacks, offer secure infrastructure and build internet exchange points to optimize local traffic.
Low-cost wireless mesh communications based on openWRT and voice over interne...IJECEIAES
Technology makes it easier for us to communicate over a distance. However, there are still many remote areas that find it difficult to communicate. This is due to the fact that communication infrastructure in some areas is expensive to build while the profit will be low. This paper proposes to combine voice over internet protocol (VoIP) over mesh network implemented on openWRT router. The routers are performing mesh functions. We set up a VoIP server on a router and enabled session initiation protocol (SIP) clients on other routers. Therefore, we only need routers as a means of communication. The experiment showed very good results, in the line-of-sight (LOS) condition, they are limited to reception distances up to 145 meters while in the non-lineof-sight (NLOS) condition, they are limited to reception distances up to 55 meters.
This document certifies that four students - Sumon Paul, MD. Arifur Rahman, MD. Jakir Hossain, and MD. Ariful Huq - from Stamford University successfully completed their honors project on "Implementation of WLAN Project" under the supervision of Tanbir Ibne Anower. The project focused on analyzing the technology within wireless networking and its characteristics.
Two industry trends are converging - 802.11ac and the need for personalizing user’s mobile experiences to deliver anytime, anywhere access without wreaking havoc on network operations and cost controls. This paper discuss two approaches for efficient WLAN design. Both let you integrate 802.11ac into your WLAN and help lay the foundation for future, high-speed technologies.
A WIRELESS NETWORK INFRASTRUCTURE ARCHITECTURE FOR RURAL COMMUNITIESijcsit
Wireless network implementation is a viable option for building network infrastructure in rural communities. Rural people lack network infrastructures for information services and socio-economic development. The aim of this study was to develop a wireless network infrastructure architecture for network services to rural dwellers. A user-centered approach was applied in the study and a wireless network infrastructure was designed and deployed to cover five rural locations. Data was collected and
analyzed to assess the performance of the network facilities. The results shows that the system had been performing adequately without any downtime with an average of 200 users per month and the quality of service has remained high. The transmit/receive rate of 300Mbps was thrice as fast as the normal Ethernet transmit/receive specification with an average throughput of 1 Mbps. The multiple output/multiple input
(MIMO) point-to-multipoint network design increased the network throughput and the quality of service experienced by the users.
The document summarizes a presentation on research challenges in networked systems. It discusses recommendations from an evaluation of ICT research in Norway, including better aligning research with industry needs. It also looks at past research topics from 2000 and potential future areas like cloud computing, cyber-physical systems, smart grids, and security. The presentation concludes that security issues will remain important and that energy efficiency is a grand challenge, requiring interdisciplinary collaboration to address complexity.
ANALYSIS AND MODELLING OF POWER CONSUMPTION IN IOT WITH VIDEO QUALITY COMMUNI...ijma
Internet of Things applications such as environmental monitoring and healthcare may involve multimedia
communications from IoT devices to humans for decision-making. Therefore, the quality of delivered
multimedia should be in good perceived quality. Higher video quality results into higher energy consumptions due to encoding and decoding processes and as a result, will affect the performance of IoT devices due to their inherent energy constraints. This paper presents the impact of video encoding
parameters as non-network parameters on the energy consumption of IoT devices. The experimental results from Cooja simulator show that the videos with high bitrates and low frame rates consume more power than videos with low bitrates and high frame rates. It was also found that video content type affects energy consumption. Finally, this paper proposes a power model that takes into account video parameters such as
bit rate, frame rate and content types. The proposed model can play a vital role in video quality adaptation in multimedia communication over IoT devices.
An analysis of a large scale wireless image distribution system deploymentConference Papers
This document describes two setups of a wireless image distribution system:
1. A setup using commercial network equipment like access points and an access controller, which supported over 125 connected devices and provided sufficient bandwidth for the system load during a conference.
2. A setup using a wireless mesh network of NICT NerveNet nodes, which provided a quick and easy setup but had room for improved performance based on analysis of the wireless backhaul links and connected devices. Both setups were tested and analyzed to evaluate network technologies for smart community applications.
PSIM: A TOOL FOR ANALYSIS OF DEVICE PAIRING METHODSIJNSA Journal
Wireless networks are a common place nowadays and almost all of the modern devices support wireless communication in some form. These networks differ from more traditional computing systems due to the ad-hoc and spontaneous nature of interactions among devices. These systems are prone to security risks, such as eavesdropping and require different techniques as compared to traditional security mechanisms. Recently, secure device pairing in wireless environments has got substantial attention from many researchers. As a result, a significant set of techniques and protocols have been proposed to deal with this issue. Some of these techniques consider devices equipped with infrared, laser, ultrasound transceivers or 802.11 network interface cards; while others require embedded accelerometers, cameras and/or LEDs, displays, microphones and/or speakers. However, many of the proposed techniques or protocols have not been implemented at all; while others are implemented and evaluated in a stand-alone manner without being compared with other related work [1]. We believe that it is because of the lack of specialized tools that provide a common platform to test the pairing methods. As a consequence, we designed such a tool. In this paper, we are presenting design and development of the Pairing Simulator (PSim) that can be used to perform the analysis of device pairing methods.
The Abstracted Network for Industrial InternetMeshDynamics
Widespread adoption of TCI/IP protocols over the last two decades appears on the surface to have created a lingua franca for computer networking. And with the emergence of IPv6 removing the addressing restrictions of earlier versions, it would appear that now every device in the world may easily be connected with a common protocol.
But three emerging factors are requiring a fresh look at this worldview. The first is the coming wave of sensors, actuators, and devices making up the Internet of Things (IOT). Although not yet widely recognized, it is beginning to be understood that a majority of these devices will be too small, too cheap, too dumb, and too copious to run the hegemonic IPv6 protocol. Instead, much simpler protocols will predominate (see below), which must somehow be incorporated into the IP networks of Enterprises and the Internet.
At the other end of the scale from these tiny devices are huge Enterprise networks, increasing movingly to the cloud for computing and communication resources. An important requirement of these Enterprises is the capacity to manage, control, and tune their networks using a variety of Software Defined Networking (SDN) technologies and protocols. These depend on computing resource at the edges of the network to manage the interactions.
The third element is a conundrum presented by the first two: Enterprises will be struggling with the need to bring vast numbers of simple IOT devices into their networks. Though many of these devices will lack computing and protocol smarts, the requirement will still remain to manage everything via SDN. Along with this, many legacy Machine-to-Machine (M2M) networks (such as those on the factory floor) present the same challenges as the IOT: simple and/or proprietary protocols operating in operational silos today that Enterprises desire to manage and tune with SDN techniques.
This document provides a brief review of recent works on various wireless networks and their integration. It first discusses different types of wireless networks including WLAN, WiMAX, satellites, and ad hoc networks. It then reviews recent studies on improving aspects of these individual networks such as MAC layer protocols, security, and frequency synthesizers. Finally, it summarizes research on integrating combinations of wireless networks like WLAN and WiMAX to improve quality of service, as well as integrating satellite networks to provide emergency communication or solve line of sight problems.
Internet of Things (IoT) plays a vital role in our
day to day life and normally used in our houses, in industry,
schools and in hospitals which implemented outside to manage
and control for taking report the changes in location prevent
from dangers and many more favorable things. Moreover all
other advantages can approach of big risks of privacy loss and
security issues. To protect the IoT devices, so many research
works have been measure to find those problems and locate a
best way to eradicate those risks or at least to reduce their effect
on the security and privacy requirement. Formation the concept
of device to device (D2D) communication technology, IoT plays
the information transfer from one end to another end as node of
interconnection. This paper examines the constraints and
security challenges posed by IoT connected devices and the
ability to connect, communicate with, and remotely manage an
incalculable number of networked, automated devices via the
Internet is becoming pervasive.
Wireless information management, a reviewAndrew Olsen
This document summarizes a review article about wireless information management. It begins by discussing the growing use of wireless systems in businesses and the challenges that arise in managing information from different wireless devices. It then examines popular wireless systems like BlackBerry and Bluetooth devices. Next, it outlines trends in wireless devices and networks such as the rise of 3G, WiFi, and Bluetooth. It also discusses challenges in securing wireless information and dealing with different standards. Finally, it stresses the importance of information managers preparing strategies to ensure the security, integrity and reliability of corporate information managed through wireless technologies.
Fragmentation of Data in Large-Scale System For Ideal Performance and SecurityEditor IJCATR
Cloud computing is becoming prominent trend which offers the number of significant advantages. One of the ground laying
advantage of the cloud computing is the pay-as-per-use, where according to the use of the services, the customer has to pay. At present,
user’s storage availability improves the data generation. There is requiring farming out such large amount of data. There is indefinite
large number of Cloud Service Providers (CSP). The Cloud Service Providers is increasing trend for many number of organizations and
as well as for the customers that decreases the burden of the maintenance and local data storage. In cloud computing transferring data to
the third party administrator control will give rise to security concerns. Within the cloud, compromisation of data may occur due to
attacks by the unauthorized users and nodes. So, in order to protect the data in cloud the higher security measures are required and also
to provide security for the optimization of the data retrieval time. The proposed system will approach the issues of security and
performance. Initially in the DROPS methodology, the division of the files into fragments is done and replication of those fragmented
data over the cloud node is performed. Single fragment of particular file can be stored on each of the nodes which ensure that no
meaningful information is shown to an attacker on a successful attack. The separation of the nodes is done by T-Coloring in order to
prohibit an attacker to guess the fragment’s location. The complete data security is ensured by DROPS methodology
Comparative Study of Optic Fibre and Wireless Technologies in Internet Connec...Editor IJCATR
Most of the activities going on in the world today demand information and data sharing in one form or the other.
Consequently, the Internet and its connectivity has gradually become a household concern. The connection to the Internet requires
physical transfer of signal (data/information) from one point to another. This can either be through physical medium (wire) or through
the air (wireless). This paper a comparative study of Fiber Optics and Wireless Technologies in Internet connectivity seeks to identify
which of the two technologies is better for signal transmission in terms of bandwidth utilization, performance, reliability, cost
effectiveness, resilience, and security. The study adopted the use of secondary sources for the sourcing of materials. A lot of journal
articles, research publications, testbooks, white papers and many more were critically studies and comparatively analysed. It was clear
that both media have hitches and challenges. The study showed that although initial cost of acquisition is an inhibitive factor for fibre
optic connection, unlimited bandwidth delivery and high Quality of Service (QoS) placed Fiber optics above wireless connectivity in
their overall performance.
Experimental Based Learning and Modeling of Computer Networksijtsrd
Computer network experts are in great demand these days. This study aims to examine the effectiveness of using Cisco Packet Tracer as a simulation tool. This development reflected significant importance for higher education institutions. It ensures that all students have ample networking assistances. The computer network needs consideration of theory and practice. Hence, Cisco packet tracer software is recommended to solve this difficulty. In this paper, design and simulation of a computer network with Cisco network packet tracer simulation software is illustrated. This software would normally not work deprived of a variety of configurations. So, essential steps and configurations of software are explained in this paper which is useful in network design. Extensive simulation results validate this model. Prof. Jayesh Rane | Prof. Sarang Kulkarni "Experimental Based Learning and Modeling of Computer Networks" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-3 , April 2020, URL: https://www.ijtsrd.com/papers/ijtsrd30595.pdf Paper Url :https://www.ijtsrd.com/engineering/electronics-and-communication-engineering/30595/experimental-based-learning-and-modeling-of-computer-networks/prof-jayesh-rane
This study focuses on designing and implementing a local area network (LAN) using wireless bridges at Caragsacan Elementary School. A LAN connects computers within a limited area like a school, while bridges connect separate network segments wirelessly. The network will use a star topology with a wireless access point to seamlessly connect wired and wireless devices. The purpose is to effectively transfer data between school agencies using an existing wireless connection and database. The objectives are to create a wireless network between school offices using bridge devices, utilize an existing database to store and transmit documents, and access data across school offices and classrooms. The scope is limited to implementing the new network architecture in school offices during the 2021-2022 school year.
CHALLENGES IN SIGNIFICANT ADOPTION OF ACTIVE QUEUE MANAGEMENT IN THE PHILIPPI...ijmpict
In an increasingly digital world, a strong and robust internet infrastructure is paramount; this is
more so considering the context in which this paper was made: during the Severe Acute
Respiratory Syndrome — CoronaVirus 2 pandemic, colloquially known as COVID-19. With
major events around the world being moved to a virtual medium in light of the virus spreading
through respiratory droplets, the internet is increasingly utilized to compensate for productivity in
many fields, including but not limited to the academe and commercial — events that generally
can be held from the comfort of an individual’s home. Hence, the aforementioned need for a
robust internet is essential since any further disruptions will increase the losses of productivity
that have been incurred due to the global pandemic. This premise is given weight thanks to the
medium of these events: video conferencing applications such as Zoom have risen to prominence
thanks to the need for virtually distant conferences. In light of this, video conferencing is a
latency-sensitive application which requires that the latency of the internet is kept at a minimum
to avoid video and audio degradation. Additionally, latency-sensitive activities such as Voice
over IP (VoIP), Video Streaming, and Online Gaming are some of the other examples where
sudden increases in latency prove significantly detrimental. This phenomenon in internet
networks is known as bufferbloat; according to DSLReports, this is characterized as “the
undesirable latency caused by routers and cable/DSL modems buffering more data than
necessary.” One of the mitigations that is present thanks to the Institute of Electrical and
Electronics Engineers (IEEE) is Active Queue Management (AQM), characterized as the
management of data packets via proactively dropping packets before it exceeds the buffer,
preventing excessive latency thanks to heavy load. Therefore, this study seeks to examine the
reasons as to why AQM is noticeably absent in the Internet of Things: consumer electronics
space.
American Research Journal of Humanities & Social Science (ARJHSS) is a double blind peer reviewed, open access journal published by (ARJHSS).
The main objective of ARJHSS is to provide an intellectual platform for the international scholars. ARJHSS aims to promote interdisciplinary studies in Humanities & Social Science and become the leading journal in Humanities & Social Science in the world.
The document discusses local area networks (LANs) and their basic components. It describes that a LAN connects computers in a small area like a school or office building. The basic components of a LAN include hardware like computers, servers, switches and network interface controllers. Communication media can be wired cables or wireless. Network security policies aim to prevent unauthorized access and information misuse. An acceptable use policy outlines ethical user practices and responsibilities when using the network.
Protecting the movable Endeavor with Network-Based validation and Virtual Com...IOSR Journals
Abstract: A new security architecture for the mobile enterprise which uses network-based security and cloud
computing has been proposed in these paper. This newly proposed architecture is mainly for both simplifying
and enhancing the security of enterprises, and reinstates the currently disappearing security perimeter.
Keywords-cloud computing; cloud-based security; enterprise security architecture; mobile enterprise; networkbased
security; security.
The document is a project report submitted by four students at MIT College of Engineering in Pune for their Bachelor of Engineering degree. The project is called WiPAt, which stands for WiFi Positioning System for Attendance. The report describes developing a system that will automate the process of marking student attendance in a college by using the WiFi positioning capabilities of mobile devices and routers located throughout the campus. The system aims to reduce the time and effort required for manual attendance marking by faculty. The report includes sections on related work done in the area of WiFi positioning systems, the goals and technologies used in developing the WiPAt system, design documents for the system, and code snippets from the implementation.
The Assessments and Challenges of LED Generated Data Traffic using Li-Fi Tech...AM Publications
Internet today will be highly integrated with many aspects of our daily needs making it a corner stone in modern life. This dependency increased the demand on having internet services with higher Bandwidth, higher Bit Rates and lower Congestion problems. As a result, more and more applications will be widely realized for Internet based in the future, either in custom or dedicated fashion. As a result, the Light Fidelity (Li-Fi) technology - that is considered in this paper - refers to the technology that can transfer data in a faster reliable way; utilizing Light Emitted Diode (LED) bulb which is the source of illumination. The method of communication is through transfer data pulses instead of radio frequencies signals, thus providing an economic advantage by eliminating the need for complex wireless networks.
The document discusses how to set up a WiFi network for mobile devices in an office. Some key points include:
1. A WiFi network allows employees to easily share internet access and files from any device without wires.
2. Setting up the network requires installing a wireless router and ensuring all devices have a wireless adapter. Access points should be placed strategically to provide full coverage.
3. Network security is important, so the router should use a strong encryption standard like WEP or VPN to authenticate devices and protect data on the network.
Management information system chapter 7 telecommuniications the internet and ...Leng Kimlieng
1. The document discusses telecommunications, internet, and wireless technology. It covers the principal components of telecommunications networks, key networking technologies, types of networks, and principal wireless technologies and standards.
2. Specific topics covered include local area networks, wide area networks, internet protocols, internet architecture, internet services like email and web browsing, wireless standards like Bluetooth and Wi-Fi, and mobile technologies like 3G and 4G networks.
3. The document provides information on key digital networking technologies like client/server computing and packet switching as well as transmission media, internet protocols, wireless standards, and mobile cellular systems.
The Internet of Things IoT infuses our everyday life, e.g., in the area of health monitoring, wearables, industry, and home automation. It comprises devices that provide only limited resources, operate in stimulating network conditions, and are often battery powered. To embed these devices into the Internet, they are intended to operate standard events. Yet, these procedures occupy the majority of limited program memory resources. Thus, devices can neither add application logic nor apply safety updates or adopt optimizations for efficiency. This problem will further exacerbate in the future as the further ongoing infusion of smart devices in our environment demands for more and more functionality. To overcome limited functionality due to resource limitations, we show that not all functionality is required in parallel, and thus can be SPLIT in a feasible manner. This enables on demand loading of functionality outsourced as multiple modules to the significantly lesser controlled flash storage of devices. J. Gokul | S. Venkateshkumar "Smart Protocol Loading for the IoT" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-6 , October 2019, URL: https://www.ijtsrd.com/papers/ijtsrd29354.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/29354/smart-protocol-loading-for-the-iot/j-gokul
Peter Wood and his team analysed the results from a series of network penetration tests over the past two years, in a variety of sectors including banking, insurance and retail. They identified the most common vulnerabilities, how they can be exploited and the consequences for each business. This presentation demonstrates in detail how criminals can take advantages of these weaknesses and how you can secure your networks using straightforward techniques.
Innovative Marriage of Security and Performance in SOA Based Dynamic EnterprisesDr. Mehmet Yildiz
This presentation is about performance and security aspect of SOA (Service Oriented Architecture) in developing an end to end EA (Enterprise Architecture) for large organisations.
ANALYSIS AND MODELLING OF POWER CONSUMPTION IN IOT WITH VIDEO QUALITY COMMUNI...ijma
Internet of Things applications such as environmental monitoring and healthcare may involve multimedia
communications from IoT devices to humans for decision-making. Therefore, the quality of delivered
multimedia should be in good perceived quality. Higher video quality results into higher energy consumptions due to encoding and decoding processes and as a result, will affect the performance of IoT devices due to their inherent energy constraints. This paper presents the impact of video encoding
parameters as non-network parameters on the energy consumption of IoT devices. The experimental results from Cooja simulator show that the videos with high bitrates and low frame rates consume more power than videos with low bitrates and high frame rates. It was also found that video content type affects energy consumption. Finally, this paper proposes a power model that takes into account video parameters such as
bit rate, frame rate and content types. The proposed model can play a vital role in video quality adaptation in multimedia communication over IoT devices.
An analysis of a large scale wireless image distribution system deploymentConference Papers
This document describes two setups of a wireless image distribution system:
1. A setup using commercial network equipment like access points and an access controller, which supported over 125 connected devices and provided sufficient bandwidth for the system load during a conference.
2. A setup using a wireless mesh network of NICT NerveNet nodes, which provided a quick and easy setup but had room for improved performance based on analysis of the wireless backhaul links and connected devices. Both setups were tested and analyzed to evaluate network technologies for smart community applications.
PSIM: A TOOL FOR ANALYSIS OF DEVICE PAIRING METHODSIJNSA Journal
Wireless networks are a common place nowadays and almost all of the modern devices support wireless communication in some form. These networks differ from more traditional computing systems due to the ad-hoc and spontaneous nature of interactions among devices. These systems are prone to security risks, such as eavesdropping and require different techniques as compared to traditional security mechanisms. Recently, secure device pairing in wireless environments has got substantial attention from many researchers. As a result, a significant set of techniques and protocols have been proposed to deal with this issue. Some of these techniques consider devices equipped with infrared, laser, ultrasound transceivers or 802.11 network interface cards; while others require embedded accelerometers, cameras and/or LEDs, displays, microphones and/or speakers. However, many of the proposed techniques or protocols have not been implemented at all; while others are implemented and evaluated in a stand-alone manner without being compared with other related work [1]. We believe that it is because of the lack of specialized tools that provide a common platform to test the pairing methods. As a consequence, we designed such a tool. In this paper, we are presenting design and development of the Pairing Simulator (PSim) that can be used to perform the analysis of device pairing methods.
The Abstracted Network for Industrial InternetMeshDynamics
Widespread adoption of TCI/IP protocols over the last two decades appears on the surface to have created a lingua franca for computer networking. And with the emergence of IPv6 removing the addressing restrictions of earlier versions, it would appear that now every device in the world may easily be connected with a common protocol.
But three emerging factors are requiring a fresh look at this worldview. The first is the coming wave of sensors, actuators, and devices making up the Internet of Things (IOT). Although not yet widely recognized, it is beginning to be understood that a majority of these devices will be too small, too cheap, too dumb, and too copious to run the hegemonic IPv6 protocol. Instead, much simpler protocols will predominate (see below), which must somehow be incorporated into the IP networks of Enterprises and the Internet.
At the other end of the scale from these tiny devices are huge Enterprise networks, increasing movingly to the cloud for computing and communication resources. An important requirement of these Enterprises is the capacity to manage, control, and tune their networks using a variety of Software Defined Networking (SDN) technologies and protocols. These depend on computing resource at the edges of the network to manage the interactions.
The third element is a conundrum presented by the first two: Enterprises will be struggling with the need to bring vast numbers of simple IOT devices into their networks. Though many of these devices will lack computing and protocol smarts, the requirement will still remain to manage everything via SDN. Along with this, many legacy Machine-to-Machine (M2M) networks (such as those on the factory floor) present the same challenges as the IOT: simple and/or proprietary protocols operating in operational silos today that Enterprises desire to manage and tune with SDN techniques.
This document provides a brief review of recent works on various wireless networks and their integration. It first discusses different types of wireless networks including WLAN, WiMAX, satellites, and ad hoc networks. It then reviews recent studies on improving aspects of these individual networks such as MAC layer protocols, security, and frequency synthesizers. Finally, it summarizes research on integrating combinations of wireless networks like WLAN and WiMAX to improve quality of service, as well as integrating satellite networks to provide emergency communication or solve line of sight problems.
Internet of Things (IoT) plays a vital role in our
day to day life and normally used in our houses, in industry,
schools and in hospitals which implemented outside to manage
and control for taking report the changes in location prevent
from dangers and many more favorable things. Moreover all
other advantages can approach of big risks of privacy loss and
security issues. To protect the IoT devices, so many research
works have been measure to find those problems and locate a
best way to eradicate those risks or at least to reduce their effect
on the security and privacy requirement. Formation the concept
of device to device (D2D) communication technology, IoT plays
the information transfer from one end to another end as node of
interconnection. This paper examines the constraints and
security challenges posed by IoT connected devices and the
ability to connect, communicate with, and remotely manage an
incalculable number of networked, automated devices via the
Internet is becoming pervasive.
Wireless information management, a reviewAndrew Olsen
This document summarizes a review article about wireless information management. It begins by discussing the growing use of wireless systems in businesses and the challenges that arise in managing information from different wireless devices. It then examines popular wireless systems like BlackBerry and Bluetooth devices. Next, it outlines trends in wireless devices and networks such as the rise of 3G, WiFi, and Bluetooth. It also discusses challenges in securing wireless information and dealing with different standards. Finally, it stresses the importance of information managers preparing strategies to ensure the security, integrity and reliability of corporate information managed through wireless technologies.
Fragmentation of Data in Large-Scale System For Ideal Performance and SecurityEditor IJCATR
Cloud computing is becoming prominent trend which offers the number of significant advantages. One of the ground laying
advantage of the cloud computing is the pay-as-per-use, where according to the use of the services, the customer has to pay. At present,
user’s storage availability improves the data generation. There is requiring farming out such large amount of data. There is indefinite
large number of Cloud Service Providers (CSP). The Cloud Service Providers is increasing trend for many number of organizations and
as well as for the customers that decreases the burden of the maintenance and local data storage. In cloud computing transferring data to
the third party administrator control will give rise to security concerns. Within the cloud, compromisation of data may occur due to
attacks by the unauthorized users and nodes. So, in order to protect the data in cloud the higher security measures are required and also
to provide security for the optimization of the data retrieval time. The proposed system will approach the issues of security and
performance. Initially in the DROPS methodology, the division of the files into fragments is done and replication of those fragmented
data over the cloud node is performed. Single fragment of particular file can be stored on each of the nodes which ensure that no
meaningful information is shown to an attacker on a successful attack. The separation of the nodes is done by T-Coloring in order to
prohibit an attacker to guess the fragment’s location. The complete data security is ensured by DROPS methodology
Comparative Study of Optic Fibre and Wireless Technologies in Internet Connec...Editor IJCATR
Most of the activities going on in the world today demand information and data sharing in one form or the other.
Consequently, the Internet and its connectivity has gradually become a household concern. The connection to the Internet requires
physical transfer of signal (data/information) from one point to another. This can either be through physical medium (wire) or through
the air (wireless). This paper a comparative study of Fiber Optics and Wireless Technologies in Internet connectivity seeks to identify
which of the two technologies is better for signal transmission in terms of bandwidth utilization, performance, reliability, cost
effectiveness, resilience, and security. The study adopted the use of secondary sources for the sourcing of materials. A lot of journal
articles, research publications, testbooks, white papers and many more were critically studies and comparatively analysed. It was clear
that both media have hitches and challenges. The study showed that although initial cost of acquisition is an inhibitive factor for fibre
optic connection, unlimited bandwidth delivery and high Quality of Service (QoS) placed Fiber optics above wireless connectivity in
their overall performance.
Experimental Based Learning and Modeling of Computer Networksijtsrd
Computer network experts are in great demand these days. This study aims to examine the effectiveness of using Cisco Packet Tracer as a simulation tool. This development reflected significant importance for higher education institutions. It ensures that all students have ample networking assistances. The computer network needs consideration of theory and practice. Hence, Cisco packet tracer software is recommended to solve this difficulty. In this paper, design and simulation of a computer network with Cisco network packet tracer simulation software is illustrated. This software would normally not work deprived of a variety of configurations. So, essential steps and configurations of software are explained in this paper which is useful in network design. Extensive simulation results validate this model. Prof. Jayesh Rane | Prof. Sarang Kulkarni "Experimental Based Learning and Modeling of Computer Networks" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-3 , April 2020, URL: https://www.ijtsrd.com/papers/ijtsrd30595.pdf Paper Url :https://www.ijtsrd.com/engineering/electronics-and-communication-engineering/30595/experimental-based-learning-and-modeling-of-computer-networks/prof-jayesh-rane
This study focuses on designing and implementing a local area network (LAN) using wireless bridges at Caragsacan Elementary School. A LAN connects computers within a limited area like a school, while bridges connect separate network segments wirelessly. The network will use a star topology with a wireless access point to seamlessly connect wired and wireless devices. The purpose is to effectively transfer data between school agencies using an existing wireless connection and database. The objectives are to create a wireless network between school offices using bridge devices, utilize an existing database to store and transmit documents, and access data across school offices and classrooms. The scope is limited to implementing the new network architecture in school offices during the 2021-2022 school year.
CHALLENGES IN SIGNIFICANT ADOPTION OF ACTIVE QUEUE MANAGEMENT IN THE PHILIPPI...ijmpict
In an increasingly digital world, a strong and robust internet infrastructure is paramount; this is
more so considering the context in which this paper was made: during the Severe Acute
Respiratory Syndrome — CoronaVirus 2 pandemic, colloquially known as COVID-19. With
major events around the world being moved to a virtual medium in light of the virus spreading
through respiratory droplets, the internet is increasingly utilized to compensate for productivity in
many fields, including but not limited to the academe and commercial — events that generally
can be held from the comfort of an individual’s home. Hence, the aforementioned need for a
robust internet is essential since any further disruptions will increase the losses of productivity
that have been incurred due to the global pandemic. This premise is given weight thanks to the
medium of these events: video conferencing applications such as Zoom have risen to prominence
thanks to the need for virtually distant conferences. In light of this, video conferencing is a
latency-sensitive application which requires that the latency of the internet is kept at a minimum
to avoid video and audio degradation. Additionally, latency-sensitive activities such as Voice
over IP (VoIP), Video Streaming, and Online Gaming are some of the other examples where
sudden increases in latency prove significantly detrimental. This phenomenon in internet
networks is known as bufferbloat; according to DSLReports, this is characterized as “the
undesirable latency caused by routers and cable/DSL modems buffering more data than
necessary.” One of the mitigations that is present thanks to the Institute of Electrical and
Electronics Engineers (IEEE) is Active Queue Management (AQM), characterized as the
management of data packets via proactively dropping packets before it exceeds the buffer,
preventing excessive latency thanks to heavy load. Therefore, this study seeks to examine the
reasons as to why AQM is noticeably absent in the Internet of Things: consumer electronics
space.
American Research Journal of Humanities & Social Science (ARJHSS) is a double blind peer reviewed, open access journal published by (ARJHSS).
The main objective of ARJHSS is to provide an intellectual platform for the international scholars. ARJHSS aims to promote interdisciplinary studies in Humanities & Social Science and become the leading journal in Humanities & Social Science in the world.
The document discusses local area networks (LANs) and their basic components. It describes that a LAN connects computers in a small area like a school or office building. The basic components of a LAN include hardware like computers, servers, switches and network interface controllers. Communication media can be wired cables or wireless. Network security policies aim to prevent unauthorized access and information misuse. An acceptable use policy outlines ethical user practices and responsibilities when using the network.
Protecting the movable Endeavor with Network-Based validation and Virtual Com...IOSR Journals
Abstract: A new security architecture for the mobile enterprise which uses network-based security and cloud
computing has been proposed in these paper. This newly proposed architecture is mainly for both simplifying
and enhancing the security of enterprises, and reinstates the currently disappearing security perimeter.
Keywords-cloud computing; cloud-based security; enterprise security architecture; mobile enterprise; networkbased
security; security.
The document is a project report submitted by four students at MIT College of Engineering in Pune for their Bachelor of Engineering degree. The project is called WiPAt, which stands for WiFi Positioning System for Attendance. The report describes developing a system that will automate the process of marking student attendance in a college by using the WiFi positioning capabilities of mobile devices and routers located throughout the campus. The system aims to reduce the time and effort required for manual attendance marking by faculty. The report includes sections on related work done in the area of WiFi positioning systems, the goals and technologies used in developing the WiPAt system, design documents for the system, and code snippets from the implementation.
The Assessments and Challenges of LED Generated Data Traffic using Li-Fi Tech...AM Publications
Internet today will be highly integrated with many aspects of our daily needs making it a corner stone in modern life. This dependency increased the demand on having internet services with higher Bandwidth, higher Bit Rates and lower Congestion problems. As a result, more and more applications will be widely realized for Internet based in the future, either in custom or dedicated fashion. As a result, the Light Fidelity (Li-Fi) technology - that is considered in this paper - refers to the technology that can transfer data in a faster reliable way; utilizing Light Emitted Diode (LED) bulb which is the source of illumination. The method of communication is through transfer data pulses instead of radio frequencies signals, thus providing an economic advantage by eliminating the need for complex wireless networks.
The document discusses how to set up a WiFi network for mobile devices in an office. Some key points include:
1. A WiFi network allows employees to easily share internet access and files from any device without wires.
2. Setting up the network requires installing a wireless router and ensuring all devices have a wireless adapter. Access points should be placed strategically to provide full coverage.
3. Network security is important, so the router should use a strong encryption standard like WEP or VPN to authenticate devices and protect data on the network.
Management information system chapter 7 telecommuniications the internet and ...Leng Kimlieng
1. The document discusses telecommunications, internet, and wireless technology. It covers the principal components of telecommunications networks, key networking technologies, types of networks, and principal wireless technologies and standards.
2. Specific topics covered include local area networks, wide area networks, internet protocols, internet architecture, internet services like email and web browsing, wireless standards like Bluetooth and Wi-Fi, and mobile technologies like 3G and 4G networks.
3. The document provides information on key digital networking technologies like client/server computing and packet switching as well as transmission media, internet protocols, wireless standards, and mobile cellular systems.
The Internet of Things IoT infuses our everyday life, e.g., in the area of health monitoring, wearables, industry, and home automation. It comprises devices that provide only limited resources, operate in stimulating network conditions, and are often battery powered. To embed these devices into the Internet, they are intended to operate standard events. Yet, these procedures occupy the majority of limited program memory resources. Thus, devices can neither add application logic nor apply safety updates or adopt optimizations for efficiency. This problem will further exacerbate in the future as the further ongoing infusion of smart devices in our environment demands for more and more functionality. To overcome limited functionality due to resource limitations, we show that not all functionality is required in parallel, and thus can be SPLIT in a feasible manner. This enables on demand loading of functionality outsourced as multiple modules to the significantly lesser controlled flash storage of devices. J. Gokul | S. Venkateshkumar "Smart Protocol Loading for the IoT" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-6 , October 2019, URL: https://www.ijtsrd.com/papers/ijtsrd29354.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/29354/smart-protocol-loading-for-the-iot/j-gokul
Peter Wood and his team analysed the results from a series of network penetration tests over the past two years, in a variety of sectors including banking, insurance and retail. They identified the most common vulnerabilities, how they can be exploited and the consequences for each business. This presentation demonstrates in detail how criminals can take advantages of these weaknesses and how you can secure your networks using straightforward techniques.
Innovative Marriage of Security and Performance in SOA Based Dynamic EnterprisesDr. Mehmet Yildiz
This presentation is about performance and security aspect of SOA (Service Oriented Architecture) in developing an end to end EA (Enterprise Architecture) for large organisations.
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkataamiyadutta
This document summarizes security holes and vulnerabilities in corporate networks. It identifies two critical properties of systems: integrity and availability. It discusses how reducing the attack surface and protecting user computers are important for protecting corporate networks. The document then outlines several possible attack vectors that do not require administrator rights, including local attacks that get full access to user processes and domain attacks that allow access to network resources. Finally, it describes the typical stages an attack may progress through - gaining a foothold, analyzing the environment, and propagating malware - and identifies some common network vulnerabilities.
Analysis of network_security_threats_and_vulnerabilities_by_development__impl...Tương Hoàng
This document is the master's thesis of Nadeem Ahmad and M. Kashif Habib submitted to Blekinge Institute of Technology. The thesis analyzes network security threats and vulnerabilities and develops a network security monitoring solution. It contains chapters on networks and protocols, security threats and attacks, countermeasures techniques and tools, security solutions, and simulation/testing results. The abstract indicates it will address questions about network security implementation and management and give an idea of the current state of network security.
This is a presentation for the paper "Governance of Information Security Elements inService-Oriented Enterprise Architecture" published in the proceedings of 10th International Symposium on Pervasive Systems, Algorithms, and Networks
This document provides an overview of key concepts in network communication, including:
- The three basic elements of communication are a message source, destination, and channel. Data is segmented for transmission and multiplexed across the network.
- Network devices include end devices like hosts/PCs and intermediary devices like switches and routers that direct data flow. Media like wires and wireless carry signals between devices.
- Models like OSI and TCP/IP organize the functions involved in network communication into logical layers to standardize protocols.
The document proposes a framework called the Information Systems Risk Assessment Framework (ISRAF) that takes a hierarchical, context-centric approach to comprehensive risk management. The framework addresses key aspects of risk assessment including preparation, conducting assessment, analyzing risks both qualitatively and quantitatively, communicating results, and maintaining an organization's risk posture over time. It provides guidance on the risk assessment process and applying the results across the risk management life cycle to support various organizational decisions.
accounting information systems romney 12th edition chapter 1 manual solutionIqbalFebriyanto
The document discusses key topics in accounting information systems, including:
- Organizations produce information only if its value exceeds costs, though sometimes information is mandated even if costly.
- Some criteria for useful information can be met simultaneously, while achieving one may require sacrificing others.
- An organization's business processes, lines of business, and culture all affect the design of its accounting information system.
- While innovative systems can transfer between companies, organizational culture differences make perfect transfers unrealistic.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
This document provides solutions to discussion questions and problems from chapters 1-5 of the textbook "Accounting Information Systems (13th Edition)" by Romney and Steinbart. It addresses topics such as the value of information, systems development techniques, relational databases, and computer fraud. The solutions describe key concepts, provide examples, and involve applying the material to hypothetical business scenarios and accounting systems. The document is intended to help students learn by reviewing answers to questions about AIS topics covered in the early chapters of the textbook.
The document presents two solutions for secure internet banking authentication - one based on short-time passwords using hardware security modules, and the other based on certificate-based authentication using smart cards. It discusses current authentication threats like offline credential stealing and online channel breaking attacks. Both proposed solutions offer strong security against these common attacks, with the certificate-based solution being highly attractive for the future due to changing legislation and potential widespread use of electronic IDs.
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
1. Formulate a testing plan with the client to identify systems to evaluate and the scope of testing allowed.
2. Remotely or locally access the target systems to find vulnerabilities by simulating common attacks.
3. Report any found vulnerabilities to the client along with recommendations on how to remedy security issues.
More and more IoT vulnerabilities are found and showcased at security events. From connected thermostats to power plants!
Insecurity became the favorite subject for creating catchy IoT headlines: "Connected killer toaster", "Fridges changed into spamming machines","Privacy concerns around connected home".
We will explore the five challenges one has to face when building a secure IoT solution:
- hardware security: how to avoid rogue firmwares and keep your security keys safe?
- upgrade strategy: you can't secure what you can't update!
- secure transport: no security without secure transports.
- security credentials distribution: how to distribute security keys to a fleet with millions of devices?
- cloud vulnerability mitigation, how to keep your fleet of devices safe from the next Heartbleed?
Current enterprise infrastructure provides solutions for handling application security but are they really matching the IoT challenge? Could running a PKI client on a low power wireless sensor node be an option?
Despite those difficulties, we will show how a modern IoT device management standard like Lightweight M2M with DTLS is the way for building a secur-first IoT solutions. It provides a solution for upgrading your device, distributing your security keys and comes with a full range of cryptography cipher suites, from PSK algorithm for very constrained devices to high level of security using X.509 certificates.
Furthermore for adding security to your solution we will present you ready to use opensource libraries for implementing secure IoT servers and devices. The way for quickly releasing your next catchy connected product.!
Ultimately we will showcase Wakaama and Leshan, the Eclipse IoT Lightweight M2M implementation maybe your next best friend in the troubled water of Internet-Of-Things security!
Network security threats are increasing as more people and devices connect to networks. The document identifies ten major network security threats: viruses and worms, Trojan horses, spam, phishing, packet sniffers, maliciously coded websites, password attacks, hardware loss and data fragments, shared computers, and zombie computers/botnets. Each threat is described and potential solutions are provided, such as using security software to block viruses, encryption to prevent packet sniffing, and intrusion prevention systems to counter botnets. Network security managers face ongoing challenges due to the variety of threats and lack of solutions for some issues like password attacks.
802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A)Sunghun Kim
This document provides an overview and assessment of vulnerabilities in 802.11 wireless LAN (WLAN) technology. It describes the WLAN standards and security mechanisms such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA/WPA2). While WPA2 provides strong security, vulnerabilities still exist if security features are not properly enabled. The document recommends mandatory use of WPA2 with 802.1X authentication for all government WLANs and additional security measures like encryption for especially sensitive networks.
4 - Keeping your website comfy and secure.pdfAdmin621695
This document provides an overview of firewalls and how they can be used to improve security for systems connected to the Internet. It describes common Internet security problems and explains how firewalls address these issues by controlling network access and filtering traffic. The document then provides examples of different types of firewall configurations and considerations for developing firewall policies and administering firewall systems.
Latest Developments in WirelessNetworking and Wireless SecurityIOSR Journals
This document discusses recent developments in wireless networking and wireless security. It describes enhancements to wireless standards including 802.11ac which provides speeds up to 1 Gbps, 802.11n which provides speeds up to 600 Mbps, and research achieving speeds of 40 Gbps over 1 km. It also discusses DARPA's efforts to develop more resilient military wireless networks and Google's plans to expand wireless networks in developing areas. The document outlines various methods for securing wireless networks including using WPA2 encryption, changing default passwords, hiding the SSID, limiting DHCP assignments, and disabling remote administration.
Assessment to Delegate the Task to Cloud for Increasing Energy Efficiency of ...IRJET Journal
This document discusses assessing whether tasks on mobile phones should be offloaded to the cloud to improve energy efficiency. It presents a model where mobile devices can offload computationally intensive tasks to the cloud via wireless networks. An experiment is described that compares the energy consumption and time taken of a video conversion task performed locally on a mobile phone versus offloading the task or different parts of the task to a cloud. The results show that offloading the entire task to the cloud reduces energy consumption and processing time compared to performing the task locally on the mobile phone. The document concludes offloading tasks to the cloud can increase a mobile phone's energy efficiency and discusses areas for future work.
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSISIJNSA Journal
Like most advances, wireless LAN poses both opportunities and risks. The evolution of wireless networking in recent years has raised many serious security issues. These security issues are of great concern for this technology as it is being subjected to numerous attacks. Because of the free-space radio transmission in wireless networks, eavesdropping becomes easy and consequently a security breach may result in unauthorized access, information theft, interference and service degradation. Virtual Private Networks (VPNs) have emerged as an important solution to security threats surrounding the use of public networks for private communications. While VPNs for wired line networks have matured in both research and commercial environments, the design and deployment of VPNs for WLAN is still an evolving field. This paper presents an approach to secure IEEE 802.11g WLAN using OpenVPN, a transport layer VPN solution and its impact on performance of IEEE 802.11g WLAN.
Experimental analysis of channel interference in ad hoc networkijcsa
In recent times, the use of ad hoc networks is a common research area among a researcher. Designing an
efficient and reliable network is not easy task. Network engineer faces many problems at the time of
deploying a network such as interference; Signal coverage, proper location of access point etc. channel
interference in one of them which must be considered at the time of deploying WLAN indoor environments
because channel interference impacts the network throughput and degrade the network performance.
In this experiment, we design a two WLAN BSS1 and BSS2 and investigate the impact of interference on
nodes. BSS1 contains three FTP clients and BSS2 contains two FTP client and their jobs is to upload data
to FTP Server Initially, they are far from each other. BSS1 moves toward BSS2 and after some time at
particular position both BSSs overlaps to each other. When BSSs overlaps to each other interference is
high and decrease network performance and increase upload time.
This document provides an introduction to building a small wireless local area network (WLAN). It discusses different wireless technologies including wireless personal area networks (WPAN), WLANs, wireless metropolitan area networks (WMAN), and wireless wide area networks (WWAN). It focuses on WLAN standards including IEEE 802.11 protocols, network architectures, security aspects, advantages and disadvantages of wireless networks, and applications. The goal is to help readers understand architectural differences between wireless networks and how to build a small WLAN.
This document summarizes a student project on wireless network security. It provides an overview of IEEE 802.11 wireless networking standards including 802.11a, b, g, and n. It describes early security methods like WEP and its vulnerabilities. It then explains improved security standards like 802.11i and WPA/WPA2 that aimed to address weaknesses in WEP. The document also briefly discusses the Bluetooth standard and security methods like device pairing.
The document discusses wireless body area networks and wireless sensor networks. It describes the goals of the project which are to implement the Tate pairing and Weil pairing protocols, analyze their performance with respect to time and memory consumption, and implement the better performing one for security purposes. The document provides background on sensor network technology, including how sensors have evolved from large specialized systems to smaller low-power devices. It outlines some of the applications of wireless sensor networks.
The document evaluates data drop performance in wireless LANs using Time-to-Live (TTL) and packet fragmentation. It simulates wireless network traffic with and without TTL/fragmentation using OPNET. The results show that using TTL and fragmenting large packets into smaller chunks significantly reduces data dropped compared to not using these techniques. Specifically, data drop is reduced when packets are fragmented into 1024 byte chunks and a TTL is applied, leading to higher throughput and less buffer overflow.
Improving the Wi-Fi in the Carrier Dome Feasibility ReportKunal Sharma
This feasibility report analyzes options to improve the slow Wi-Fi network performance in the Carrier Dome during large events. The current network is unable to handle the large load from crowds of attendees using Wi-Fi devices. Three options are considered: restructuring the current network, limiting video content data, or installing a new network system. Research methods included interviews, online research on stadium Wi-Fi, and testing at Manley Field House. Based on the criteria of cost, time, and providing a long-term solution, the report recommends involving a WLAN vendor to install a new network setup to improve performance for modern stadium needs.
Security Assessment Report and Business Continuity PlanChanaka Lasantha
The document summarizes a security investigation and analysis of a Wi-Fi hotspot infrastructure. It identifies key assets like outdoor access points and billing/database servers and outlines organizational vulnerabilities. Threat profiles are presented, including SQL injection and denial of service attacks targeting the billing system's web interface and database. The analysis aims to assess security practices and identify requirements to protect critical assets and sensitive user/network data from internal and external threats.
802.11 Wireless Networks The Definitive GuideAlicia Edwards
This document provides a summary of the book "802.11 Wireless Networks: The Definitive Guide" by Matthew Gast. The book is a practical guide for network administrators, architects, and security professionals to analyze and deploy wireless networks with confidence. It provides a full spectrum view of 802.11, from technical details of the specification to deployment, monitoring, and troubleshooting. The book has 18 chapters that cover topics such as an overview of 802.11 networks, the 802.11 MAC layer, security protocols, management operations, physical layers, installation on Windows and Linux, access points, network deployment, and performance tuning.
This document provides a summary of the book "802.11 Wireless Networks: The Definitive Guide" by Matthew Gast. The book is a practical guide for network administrators, architects, and security professionals to analyze and deploy wireless networks with confidence. It provides a full spectrum view of 802.11, from technical details of the specification to deployment, monitoring, and troubleshooting. The book has 18 chapters that cover topics such as an overview of 802.11 networks, the 802.11 MAC layer, security protocols, management operations, physical layers, installation on Windows and Linux, access points, network deployment, and performance tuning.
This document outlines a project to improve security and efficiency in mobile computing networks. It discusses issues like limited physical security of wireless networks and constrained bandwidth. The project will use mobile agents to distribute tasks across nodes, reducing unnecessary data transmission loads. Mobile agents can migrate between nodes as needed to complete tasks, without requiring constant client connection. This helps prevent increased workloads from network expansion. The document also lists benefits like increased productivity and flexibility from mobile computing. It proposes a key management and access control method for mobile agents to enhance security and performance efficiency.
This document provides a summary of Ian Johnston's qualifications and experience as a senior network engineer. It summarizes over 20 years of experience delivering network solutions, with a focus on next generation firewalls in recent years. It also lists relevant technical skills and experience managing teams and projects.
This document provides instructions and guidance for students completing an assignment for IT 241, an introductory course on wireless LAN technologies. It outlines several exercises for the student to complete over the course of multiple weeks, including identifying wireless technologies in different scenarios, comparing wireless networking standards, conducting a site survey of floor plans, designing a wireless network, and planning the implementation of a wireless network. The student is asked to research topics, analyze case studies, and develop presentations and written responses demonstrating their understanding of key concepts relating to wireless networking.
Due to an explosion of demand for high speed wireless
services such as wireless internet,email,stock quotes and cellular
video conferencing wireless communication has become one of the
important field in modern engineering.Wireless networks are broadly
classified into four different kinds such as wireless lans,satellite
networks,cellular networks and personal networks. In most of the
scenarios WLAN’s systems are based on single hop operation but in
now a day’s significant study has been done on WLAN’s with multihop
operation.In this research article we have studied the various
security issues of wlan especially with respect to bluetooth.wireless
local area networks are different from Wired networks in terms of
cost,security,high reliability,resource
sharing,scalability,communication media etc. One of the important
problem for wireless network is limited frequency spectrum. In now
a day’s wireless local area network consists of multiple stations that
coexist with in a limited geographic jurisdiction and share a common
wireless channel to communicate with each other.This research work
proposes a mathematical model based security issues of wlan by
investigating,design,implementation and performance analysis using
Digital Signal Processing(DSP) Space Time Processing.Space time
processing technology which uses more than one antennas
with an appropriate signaling and receiver methodology
provides a powerful tool for improving the performance of
WLAN’s.
Enterprise networking course work under NCC EducationMd. Mahbub Alam
The document outlines submission requirements for students, including attaching a statement confirming the work as their own and acknowledging assessment standards. Students must provide identification details and ensure assignments are submitted before the due date. Plagiarism is prohibited under the program's academic dishonesty policy.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A429868
1. NAVAL
POSTGRADUATE
SCHOOL
MONTEREY, CALIFORNIA
THESIS
Approved for public release: distribution is unlimited
WIRELESS NETWORK SECURITY: DESIGN
CONSIDERATIONS FOR AN ENTERPRISE NETWORK
by
Oh Khoon Wee
December 2004
Thesis Advisor: Karen Burke
Thesis Co-Advisor: Gurminder Singh
3. i
REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-
0188
Public reporting burden for this collection of information is estimated to average 1 hour per response,
including the time for reviewing instruction, searching existing data sources, gathering and maintaining
the data needed, and completing and reviewing the collection of information. Send comments regarding
this burden estimate or any other aspect of this collection of information, including suggestions for
reducing this burden, to Washington headquarters Services, Directorate for Information Operations and
Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of
Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503.
1. AGENCY USE ONLY (Leave
blank)
2. REPORT DATE
December 2004
3. REPORT TYPE AND DATES COVERED
Master’s Thesis
4. TITLE AND SUBTITLE: Wireless Network Security: Design
Considerations for an Enterprise Network
6. AUTHOR(S) Oh Khoon Wee
5. FUNDING NUMBERS
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
Naval Postgraduate School
Monterey, CA 93943-5000
8. PERFORMING
ORGANIZATION REPORT
NUMBER
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES)
N/A
10. SPONSORING / MONITORING
AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES The views expressed in this thesis are those of the author and do not reflect the
official policy or position of the Department of Defense or the U.S. Government.
12a. DISTRIBUTION / AVAILABILITY STATEMENT
Approved for public release: distribution is unlimited
12b. DISTRIBUTION CODE
13. ABSTRACT (maximum 200 words)
Since its introduction in 1999, the Institute of Electrical and Electronics Engineers (IEEE) 802.11
Wireless Local Area Network (WLAN) has become the de-facto standard for wireless networking,
providing convenient and low cost connectivity. Increasingly, enterprises are extending their networks
with 802.11-based WLANs to provide mobility and information-on-the-move for its employees.
However, the introduction of WLANs into enterprise networks has raised major concerns about security.
A poorly implemented WLAN introduces weaknesses in the enterprise network which can be exploited
by attackers, resulting in severe consequences for the enterprise.
This thesis was sponsored by the DoD to study the problem of designing a secure wireless architecture
for an enterprise network. The specific requirements for the enterprise network were based extensively
on DoD and the intelligence community’s security guidelines and policies. This thesis provides an in-
depth analysis into the 802.11 standard and measures how far the standard goes in meeting the
specific requirements of the enterprise network. This thesis presents a layered-defense architecture to
provide a scalable design for secure wireless networks. A prototype system utilizing XML to control the
flow of classified information in wireless networks is also presented.
15. NUMBER OF
PAGES
79
14. SUBJECT TERMS
802.11, WLAN, 802.11i, WEP, WPA, WIRELESS
16. PRICE CODE
17. SECURITY
CLASSIFICATION OF
REPORT
Unclassified
18. SECURITY
CLASSIFICATION OF THIS
PAGE
Unclassified
19. SECURITY
CLASSIFICATION OF
ABSTRACT
Unclassified
20. LIMITATION
OF ABSTRACT
UL
NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89)
Prescribed by ANSI Std. 239-18
5. iii
Approved for public distribution: distribution is unlimited
WIRELESS NETWORK SECURITY: DESIGN CONSIDERATIONS FOR AN
ENTERPRISE NETWORK
Oh Khoon Wee
Defense Science and Technology Agency, Singapore
B.Eng., Nanyang Technological University, 1998
Submitted in partial fulfillment of the
requirements for the degree of
MASTER OF SCIENCE IN COMPUTER SCIENCE
from the
NAVAL POSTGRADUATE SCHOOL
December 2004
Author: Oh Khoon Wee
Approved by: Karen Burke
Thesis Advisor
Gurminder Singh
Co-Advisor
Peter Denning
Chairman, Department of Computer Science
7. v
ABSTRACT
Since its introduction in 1999, the Institute of Electrical and Electronics
Engineers (IEEE) 802.11 Wireless Local Area Network (WLAN) has become the
de-facto standard for wireless networking, providing convenient and low cost
connectivity. Increasingly, enterprises are extending their networks with 802.11-
based WLANs to provide mobility and information-on-the-move for its employees.
However, the introduction of WLANs into enterprise networks has raised major
concerns about security. A poorly implemented WLAN introduces weaknesses in
the enterprise network which can be exploited by attackers, resulting in severe
consequences for the enterprise.
This thesis was sponsored by the DoD to study the problem of designing a
secure wireless architecture for an enterprise network. The specific requirements
for the enterprise network were based extensively on DoD and the intelligence
community’s security guidelines and policies. This thesis provides an in-depth
analysis into the 802.11 standard and measures how far the standard goes in
meeting the specific requirements of the enterprise network. This thesis presents
a layered-defense architecture to provide a scalable design for secure wireless
networks. A prototype system utilizing XML to control the flow of classified
information in wireless networks is also presented.
9. vii
TABLE OF CONTENTS
I. INTRODUCTION............................................................................................. 1
A. BACKGROUND ................................................................................... 1
B. SCOPE................................................................................................. 1
C. REQUIREMENTS OVERVIEW ............................................................ 2
D. DESIGN STRATEGY ........................................................................... 3
E. THESIS ORGANIZATION.................................................................... 5
II. REQUIREMENTS ........................................................................................... 7
A. DCID 6/9 “PHYSICAL SECURITY STANDARDS FOR
COMPARTMENTED INFORMATION FACILITIES”............................ 7
B. DCID 6/3 “PROTECTING SENSITIVE COMPARTMENTED
INFORMATION WITHIN INFORMATION SYSTEMS” ........................ 8
1. Level-of-Concern ..................................................................... 8
2. Protection Level..................................................................... 10
C. SPECIFIC REQUIREMENTS ............................................................. 11
D. REQUIREMENTS FOR AVAILABILITY ............................................ 12
III. IEEE 802.11: LINK SECURITY MECHANISMS........................................... 13
A. WIRED EQUIVALENT PRIVACY (WEP)........................................... 13
B. WEAKNESSES OF WEP................................................................... 15
1. Integrity .................................................................................. 16
2. Authentication........................................................................ 16
3. Confidentiality........................................................................ 16
C. IEEE 802.1X....................................................................................... 17
1. Principle of Operation ........................................................... 17
2. Extensible Authentication Protocol (EAP)........................... 19
D. WI-FI PROTECTED ACCESS............................................................ 20
1. Temporal Key Integrity Protocol (TKIP)............................... 20
2. Michael Message Integrity Check......................................... 21
E. IEEE 802.11I ...................................................................................... 22
1. Counter Mode with CBC-MAC Protocol (CCMP)................. 23
2. WRAP...................................................................................... 25
F. REQUIREMENTS MATRIX................................................................ 26
G. COMPARISON AND RECOMMENDATIONS.................................... 27
IV. ENTERPRISE ARCHITECTURE DESIGN ................................................... 29
A. OVERVIEW ........................................................................................ 29
B. VIRTUAL PRIVATE NETWORKS...................................................... 29
C. APPLICATION ENCRYPTION........................................................... 30
D. MULTI-FACTOR AUTHENTICATION................................................ 32
E. MONITORING .................................................................................... 32
F. DEVICE SECURITY........................................................................... 33
G. MEDIUM-BASED ACCESS CONTROL............................................. 34
1. Concept of Operation ............................................................ 35
2. Implementation and Design.................................................. 36
10. viii
3. Demonstration Program........................................................ 37
4. Limitations.............................................................................. 39
H. SUMMARY......................................................................................... 39
V. CONCLUSION.............................................................................................. 41
A. CONCLUSION ................................................................................... 41
B. RECOMMENDATIONS AND FURTHER WORK............................... 41
1. WLAN Security Test Bed....................................................... 41
2. Medium-based Access Control Prototype........................... 42
APPENDIX A. OVERVIEW OF IEEE 802.11 STANDARD ............................. 43
A. OVERVIEW ........................................................................................ 43
B. MODES OF OPERATION.................................................................. 44
C. COLLISION DETECTION AND AVOIDANCE ................................... 45
APPENDIX B. SOURCE CODES.................................................................... 47
A. CLIENT APPLICATION MODULE..................................................... 47
1. ContentGui.java ..................................................................... 47
2. GetMACAddress.java ............................................................ 50
3. HTTPFunctions.java .............................................................. 52
B. SERVER SIDE APPLICATIONS........................................................ 53
1. NetServer.java........................................................................ 53
2. Sample Content Page (Page.html) ....................................... 57
3. Output Page Generated for Client on Wireless Network.... 58
4. Output Page Generated for Client on Wired Network......... 59
LIST OF REFERENCES.......................................................................................... 61
INITIAL DISTRIBUTION LIST ................................................................................. 63
11. ix
LIST OF FIGURES
Figure 1. Design Strategy.................................................................................... 4
Figure 2. WEP Encryption Process ................................................................... 14
Figure 3. Overview of 802.1x Authentication Protocol
(from [Edney & Arbaugh 2004]).......................................................... 18
Figure 4. General EAP Message Flow in Authentication Process
(from [Edney & Arbaugh 2004]).......................................................... 19
Figure 5. AES Counter (CTR) Mode Encryption Process
(from [Kaufman 2002])........................................................................ 23
Figure 6. Message Integrity Check using CBC-MAC Computation.................... 24
Figure 7. Integration of VPN with Wireless Network Architecture...................... 30
Figure 8. PKI-based Infrastructure..................................................................... 31
Figure 9. Biometric Protected Device: HP IPAQ Pocket PC 5450 PDA
(from[PCWorld 2004])......................................................................... 33
Figure 10. Concept of Operations for Medium-Based Access Control ................ 35
Figure 11. Design Implementation....................................................................... 36
Figure 12, User Graphical Interface..................................................................... 38
Figure 13. View for User Connected Via the Wired Network ............................... 38
Figure 14. View for User Connected Via the Wireless Network........................... 39
Figure 15. WLAN Operating in Infrastructure Mode............................................. 44
Figure 16. WLAN Operating in Ad-Hoc Mode...................................................... 45
13. xi
LIST OF TABLES
Table 1. Summary of Key Indicators for Confidentiality, Integrity and
Availability for Various Levels-of-Concern [DCID 6/3 1999] ................. 9
Table 2. Selection Criteria for Protection Levels [DCID 6/3 1999].................... 10
Table 3. Specific Requirements for the Wireless Enterprise............................. 11
Table 4. Specifications of Key Parameters used in WEP................................. 15
Table 5. Comparison of WEP, WPA and IEEE 802.11i Security Protocols ...... 25
Table 6. Comparison of WEP, WPA and 802.11i Security Functions Versus
DCID requirements............................................................................. 27
Table 7. Comparison of existing 802.11 Protocols ........................................... 43
15. xiii
ACKNOWLEDGMENTS
I wish to express my gratitude to my thesis advisors Prof Karen Burke and
Prof Gurminder Singh for making this thesis possible. Thank you for your patient
guidance and invaluable advice. Special thanks also to my wife Mui Hua and my
daughter Hwee Shian for their love and support.
17. 1
I. INTRODUCTION
A. BACKGROUND
Since its introduction in 1999, the Institute of Electrical and Electronics
Engineers (IEEE) 802.11 Wireless Local Area Network (WLAN) has become the
de-facto standard for wireless networking, providing mobility and connectivity at
relatively low cost.
However, the key concern with the 802.11 WLANs has been security.
Wireless signals can travel long distances and are not bounded by physical
boundaries such as walls and perimeters. Since the Radio Frequency (RF)
spectrum is a shared medium, wireless signals can also be picked up by
unintended recipients such as potential attackers (with the right equipment). As
noted by [Borisov 2002], when wireless signals are sent across radio waves,
“interception and masquerading becomes trivial to anyone with a radio”. This
can compromise the confidentiality, availability and integrity of information in a
network.
This thesis studies the problem of designing a secure 802.11-based
wireless network architecture for an enterprise. The Department of Defense
(DoD) was the main sponsor for this study, and the design of the architecture is
based on requirements provided by the DoD and related intelligence agencies.
B. SCOPE
The thesis will answer the following questions, leading to the development
of a wireless enterprise architecture for the DoD network:
1. What are the requirements for the DoD enterprise system?
2. How do current wireless technologies, in particular the IEEE 802.11
standard, perform with respect to the specified requirements? Are
there areas of non-compliance that have to be addressed?
18. 2
3. What are other supporting technologies that can be applied to
better secure the network?
The specific security requirements for the DoD enterprise system were
studied and analyzed. Extensive research was conducted on the IEEE 802.11
standard, focusing on the security protocols that are built-in with the 802.11
security standard, namely the Wired Equivalent Privacy (WEP), Wireless
Protected Access (WPA) and the IEEE 802.11i protocols. These security
protocols were analyzed in detail, and examined for compliance to the
requirements for the enterprise network.
A key consideration in the design of the wireless enterprise architecture is
to be able to provide defense-in-depth for the network. [NIST 2002] recommends
that “the built-in security features of 802.11 (data link level encryption and
authentication protocols) be used as part of an overall defense-in-depth
strategy”. This thesis will look further into other security mechanisms and best
practices that can be built into a multi-layered defense mechanism for the
wireless network.
C. REQUIREMENTS OVERVIEW
The primary aim of this thesis is to design an enterprise architecture for
specific security requirements for Confidentiality, Integrity and Availability.
Since the DoD’s goal was to use this enterprise architecture in Sensitive
Compartmented Information Facilities (SCIF) or by organizations processing
intelligence information, the enterprise architecture must comply with the Director
of Central Intelligence Directives (DCID). The specific requirements that are used
in this thesis are found in the following documents:
• DCID 6/3 Manual, “Protecting Sensitive Compartmented
Information within Information Systems”
• DCID 6/9 Manual, “Physical Security Standards for Compartmented
Information Facilities”
19. 3
For this study, we assume that Level of Concern for Confidentiality to be
HIGH with Protection Level 1 required. The Levels of Concern for Integrity
and Availability are assumed to be MEDIUM. The highest level of data that will
be processed within the enterprise network is restricted to “UNCLASSIFIED For
Official Use Only”.
D. DESIGN STRATEGY
The strategy for the design of the enterprise architecture takes into
consideration the following factors. In the current state of the art in wireless
technology, wireless networks are less secure compared to wired networks and
the data throughput supported in wireless networks is also often significantly
lower. Based on the security and performance considerations, it is not practical to
design a pure wireless network system for the enterprise. Furthermore, most
enterprises already deploy extensive wired networks, and considerable effort has
been spent to secure these networks. This strategy proposes a hybrid solution in
which the wireless network is designed to extend the services of an existing
wired network. The key points of the strategy is illustrated in Figure 1 and
discussed below.
20. 4
Wired Network
Servers
Wireless Network
Provide End-to-End Protection
Access Point
Segregate and secure the Wired Network
Protect Wireless Link Layer
Communications
Figure 1. Design Strategy
1. Segregate and secure the wired network. This involves building a
strong defensive perimeter around the boundary of the wired network, and
hosting the mission critical computers and servers within the wired
network. Standard techniques such as using firewalls and intrusion
detection tools can be applied. Since the techniques to secure wired
networks are well known, they will not be further discussed in this report.
2. Deploy the wireless infrastructure outside the perimeter of the wired
network. This will prevent inherent weaknesses in WLAN security from
creating vulnerabilities in the defensive perimeter of the wired network.
3. Protect the RF links used to carry information from between access
points and the mobile device. The link has to be secured to protect
information and data that is transmitted over the airwaves. In this study,
we will focus on the link layer WEP, WPA and the 802.11i protocols.
4. Provide end to end security between hosts in the wired and
wireless networks. Note that link layer only protects data packets in transit
21. 5
over the RF medium. By providing end-to-end security, data in transit will
be protected over the wired and wireless networks.
E. THESIS ORGANIZATION
Chapter II provides an overview of the DCID specifications and an
analysis of the specific requirements that are applicable to the wireless network
architecture
Chapter III will focus on the protection of the wireless links between the
mobile nodes and the wireless infrastructure. This chapter provides a detailed
description of the key protocols used in 802.11 to provide link protection, namely
the WEP, WPA and the IEEE 802.11i protocols.
Chapter IV studies the security mechanisms that can be built over the
IEEE 802.11 standard to provide end-to-end protection, and provide a strong
layered-defense architecture for the network. This chapter also provides a
description of an access control prototype that can be used to control the flow of
sensitive information in the enterprise network.
Finally, Chapter V concludes the findings of this thesis, and provides
recommendations for subsequent research work in the area of wireless security.
23. 7
II. REQUIREMENTS
This chapter provides an overview of the requirements that were specified
for the enterprise architecture. The requirements were based extensively on the
Director Of Central Intelligence Agency Directives (DCID) 6/3 and 6/9
documents. This chapter focuses on the relevant requirements that are
applicable to the wireless network, and is not intended to provide a
comprehensive study of the abovementioned DCID documents. For additional
details, refer to [DCID 6/3 1999] and [DCID 6/9 2002].
A. DCID 6/9 “PHYSICAL SECURITY STANDARDS FOR
COMPARTMENTED INFORMATION FACILITIES”
The DCID 6/9 manual establishes the physical security standards to
govern the construction and protection of facilities for storing, processing and
discussing Sensitive Compartmented Information (SCI) which requires
extraordinary safeguards. The focus of DCID 6/9 is to provide physical
protection requirements for SCIFs, with the intention to prevent as well as detect
visual, acoustical, technical, and physical access by unauthorized persons.
Detailed specifications on the physical controls and the construction criteria
required for a SCIF are provided.
For the most part, the DCID 6/9 manual is concerned with the
construction and physical security of facilities that are used to house SCI. The
sections that are related to the use of wireless technologies are Annex D Part I
which provides guidelines on the use of electronic equipment in SCIFs, and
Annex G which covers the approval process required for the deployment of
wireless technologies in SCIFs.
24. 8
B. DCID 6/3 “PROTECTING SENSITIVE COMPARTMENTED
INFORMATION WITHIN INFORMATION SYSTEMS”
The DCID 6/3 manual provides policy guidance and requirements for the
protection of SCI stored or processed on an Information System (IS). An IS is
defined as any telecommunications and/or computer related equipment or
interconnected system or subsystems of equipment that is used in the
acquisition, storage, manipulation, management, movement, control, display,
switching, interchange, transmission, or reception of voice and/or data. DCID 6/3
applies to all United States Government departments and agencies, their
contractors and allied governments processing intelligence information.
The DCID 6/3 manual defines the concepts of Level of Concern and
Protection Level, and provides guidance on how to use these concepts to
determine the appropriate technical security requirements for confidentiality,
integrity and availability that each IS must meet.
1. Level-of-Concern
The DCID 6/3 manual defines Level-of-Concern as a rating assigned to an
IS. A separate Level-of-Concern is assigned for confidentiality, integrity and
availability, and this can be BASIC, MEDIUM, or HIGH.
The Level-of-Concern assigned to an IS for confidentiality is based on the
sensitivity of the information it maintains, processes, and transmits. By definition,
any system that processes intelligence information requires a HIGH Level-of-
Concern rating. MEDIUM and BASIC levels of concern are not applicable to
confidentiality, since any system that is accredited by the DCID 6/3 by definition
processes intelligence information. Since the architecture discussed in this paper
is accredited under the DCID 6/3 manual, it is assigned a HIGH confidentiality
Level-of-Concern.
The Level-of-Concern assigned to an IS for integrity is based on the
degree of resistance to unauthorized modifications. The Level-of-Concern
assigned to an IS for availability is based on the needed availability of the
25. 9
information maintained, processed and transmitted by the system for mission
accomplishment, and how much tolerance for delay is allowed.
Table 1 provides a summary of the indicators for Confidentiality, Integrity
and Availability for the various Levels-of-Concern.
Level of
Concern
Confidentiality
Indicators
Integrity Indicators Availability
Indicators
BASIC
Not applicable to DCID
6/3
Reasonable degree of
resistance required
against unauthorized
modification, or loss of
integrity will have an
adverse effect
Information must
be available with
flexible tolerance
for delay, or loss
of availability will
have an adverse
effect
MEDIUM
Not applicable to DCID
6/3
High degree of
resistance required
against unauthorized
modification, or bodily
injury might result from
loss of integrity, or loss
of integrity will have an
adverse effect on
organizational-level
interests.
Information must
be readily
available with
minimum
tolerance for
delay, or bodily
injury might result
from loss of
availability, or loss
of availability will
have an adverse
effect on
organizational-
level interests.
HIGH
All Information
protecting intelligence
sources, methods and
analytical procedures.
All Sensitive
Compartmented
Information
Very high degree of
resistance required
against unauthorized
modification, or loss of
life might result from loss
of integrity, or loss of
integrity will have an
adverse effect on
national-level interests,
or loss of integrity will
have an adverse effect
on confidentiality.
Information must
always be
available upon
request, with no
tolerance for
delay, or loss of
life might result
from loss of
availability, or loss
of availability will
have an adverse
effect on national
level interests, or
loss of availability
will have an
adverse effect on
confidentiality.
Table 1. Summary of Key Indicators for Confidentiality, Integrity and
Availability for Various Levels-of-Concern [DCID 6/3 1999]
26. 10
2. Protection Level
The DCID 6/3 manual defines Protection Level as an “indication of the
implicit level of trust that is placed in a system’s technical capabilities”. The
concept of Protection Level is applicable only to confidentiality. A Protection
Level is determined based on the classification and sensitivity of information
processed on the system, relative to the clearance(s), formal access approval(s)
and need-to-know of all direct and indirect users that receive information from the
IS without manual intervention and reliable human review.
The DCID 6/3 manual specifies 5 different Protection Levels, ranging from
PL1 to PL5, and the criteria for selecting the suitable Protection Levels for an IS
is shown in Table 2.
Protection Level Criteria
PL 1 An IS operates at Protection Level 1 when all users have all
required approvals for access to all information on the IS.
This means that all users have all required clearances,
formal access approvals, and the need to know for all
information on the IS.
PL 2 An IS operates at Protection Level 2 when all users have all
required formal approvals for access to all information on
the IS, but at least one user lacks administrative approval
for some of the information on the IS, This means that all
users have all required clearances and all required formal
access approvals, but at least one user lacks the need to
know for some of the information on the IS.
PL 3 An IS operates at Protection Level 3 when at least one user
lacks at least one required formal approval for access to all
information on the IS. This means that all users have all
required clearances, but at least one user lacks formal
access approval for some of the information on the IS.
PL 4 An IS operates at Protection Level 4 when at least one user
lacks sufficient clearance for access to some of the
information on the IS, but all users have at least a SECRET
clearance.
PL 5 An IS operates at Protection Level 5 when at least one user
lacks any clearance for access to some of the information
on the IS.
Table 2. Selection Criteria for Protection Levels [DCID 6/3 1999]
27. 11
C. SPECIFIC REQUIREMENTS
The broad requirements for specified by the DoD for the areas of
Confidentiality, Integrity and Availability are as follows:
Confidentiality: Level-of-Concern HIGH, Protection Level 1 (PL1)
Integrity: Level-of-Concern MEDIUM
Availability: Level-of-Concern MEDIUM
Based on the Level-of-Concern and Protection Level required, the policies
that are applicable to the design of the wireless enterprise architecture are
extracted. These are tabulated and shown in Table 3.
POLICY REFERENCE
CONFIDENTIALITY (Level of Concern: HIGH, PL1)
Data Storage
Information encrypted using NSA-approved encryption
mechanisms appropriate for the classification of stored
data
DCID 6/3 4.B.1.a(7)(d)
Data Transmission
Information distributed using NSA-approved encryption
mechanisms appropriate for the classification of the
information
DCID 6/3 4.B.1.a(8)(a)(3)
Identification and Authentication
An identification and authentication (I&A) management
mechanism that ensures a unique identifier for each
user and that associates that identifier with auditable
actions taken by the user
DCID 6/3 4.B.1.b(3)
Identification and Authentication
Access to the IS by privileged users who either reside
outside of the IS’s perimeter or whose communications
traverse data links(extranets, INTERNET, phone links)
that are outside of the IS’s perimeter shall require the
use of strong authentication (i.e., an I&A technique that
is resistant to replay attacks)
DCID 6/3 4.B.1.b(4)
INTEGRITY (Level of Concern: MEDIUM)
Protect against unauthorized modification/tampering of
data in transit over the wireless medium
Table 3. Specific Requirements for the Wireless Enterprise
28. 12
D. REQUIREMENTS FOR AVAILABILITY
The policies and requirements shown in Table 3 are focused on the areas
of confidentiality and integrity. For the area of Availability with MEDIUM level of
concern, the DCID 6/3 manual specifies that adequate processes and
procedures to allow for the restoration of a system in the event of a failure. DCID
6/3 also requires the implementation of “communications capability that provides
adequate communications to accomplish the mission when the primary
operations communications capabilities are unavailable” [DCID 6/3 1999, Section
6.B.2.a(4)].
The requirements for availability are addressed by providing sufficient
redundancy and back-ups in the wired and wireless networks. In fact, the
redundancy design should be focused on the wired domain, since this is where
the mission critical servers and computers will be located. On the wireless
domain, provide sufficient spare network capacity which can be activated in the
event of a network failure. Mission critical functionalities provided in the wireless
network should also be replicated in the wired network. These measures will
provide continued mission capability in the event of a failure in the wireless
domain.
29. 13
III. IEEE 802.11: LINK SECURITY MECHANISMS
This chapter examines the different link layer security protocols that are
provided in the IEEE 802.11 WLAN standard. (A simple overview of the 802.11
standard is provided in Appendix A). The purpose of these protocols is to protect
communications traveling over airwaves between mobile nodes and access
points, and prevent unauthorized access to information on the network.
In this chapter, we will first study the WEP protocol and look into its well-
publicized weaknesses. This will be followed by an analysis of the protocols that
were developed to replace WEP, specifically the IEEE 802.1x Port-Based
authentication, WPA and the IEEE 802.11i protocols. An evaluation and
comparison of these protocols will be made with respect to the requirements of
the enterprise network.
A. WIRED EQUIVALENT PRIVACY (WEP)
The IEEE 802.11 standard specifies a security standard known as WEP to
provide security for the wireless network. A detailed discussion on the WEP is
provided to give a better understanding of its limitations, and how these
limitations will eventually be remedied by the WPA and IEEE 802.11i protocols.
WEP was designed to provide security on the wireless network at a level
equivalent to wired networks. The 3 main security goals for WEP are: [Borisov
2002]:
• Confidentiality: Prevent eavesdropping by using an encryption
scheme based on the RC4 stream cipher.
• Access Control: Protect access to a wireless network
infrastructure by requiring users to demonstrate knowledge of a
shared secret key k (more commonly known as the WEP key). This
key is shared among all legitimate users of the WLAN network.
30. 14
• Data Integrity: To prevent tampering of the transmitted messages,
through a CRC-32 checksum.
Message, M CRC
Keystream = RC4(IV, k)
IV Ciphertext
XOR
Plaintext, P
Figure 2. WEP Encryption Process
A description of the encryption process used in WEP is shown in Figure 2.
We assume that the user has the correct secret key k to access the network. The
process to encrypt a user generated message M is as follows:
Step 1: A 32 bit Cyclic Redundancy Checksum (CRC) is computed for the
message M. The CRC is appended with message M to form the plaintext
message P.
Step 2: A RC4 keystream is generated using the secret key k and an
Initialization Vector (IV) as inputs. The IV is used to ensure that subsequent data
packets are encrypted with different keystreams, even though the same secret
key is used.
Step 3: The RC4 keystream is EXCLUSIVE-ORed (XOR) with the
plaintext message P, to generate the ciphertext C.
Step 4: The IV is concatenated with the ciphertext, and the entire frame is
transmitted. The IV is not encrypted and is transmitted in the clear.
Step 5: When the message frame arrives at the recipient (another host on
the wireless network also possessing the secret key k), the IV is extracted from
31. 15
the frame. The IV is used together with the shared secret key k to generate the
original RC4 keystream. The original plaintext P is then recovered by performing
an XOR of the ciphertext and keystream.
Step 6: The recipient host performs an integrity check by computing the
checksum for the received message, and comparing it with the received CRC
checksum. The message passes the integrity check if the 2 checksums are
identical. If the checksums are different, the message is considered to be
compromised and will be discarded.
Table 4 provides a summary of the various parameters used in the WEP
mechanism
PARAMETER PROPERTIES
Secret key, k (aka WEP key) 40 bits (used in early versions of WEP)
104 bits (current standard)
Initialization Vector, IV 24 bits
Integrity Checksum 32 bit CRC
Encryption Algorithm RC4 Stream Cipher
Table 4. Specifications of Key Parameters used in WEP
B. WEAKNESSES OF WEP
The WEP mechanism came under intense scrutiny over the past few
years due to its inherent security flaws. [Borisov 2002] demonstrated that WEP
falls short of achieving its security goals for confidentiality, integrity and access
control. Based on their research, WEP was found to be insecure due to improper
implementation of the RC4 algorithm and the use of the CRC 32 checksum for
data integrity. The key issues with WEP are summarized as follows:
32. 16
1. Integrity
The CRC 32 checksum does not provide strong message integrity. It was
shown that an attacker can modify the contents of a message packet as well as
the corresponding CRC-32 checksum even without knowing the secret
encryption key.
2. Authentication
The authentication mechanism used in WEP is a simple “challenge and
response” scheme based on whether a user has knowledge of a shared secret.
In the case of WEP, this shared secret is the WEP key that is shared among all
users of the wireless network. The problem with using WEP authentication is that
users cannot be individually identified and authenticated, since anyone with the
WEP key will be granted access.
Another issue with WEP is that it does not support mutual authentication.
Hence a user cannot challenge and authenticate a network access point, and
cannot be assured that it is connecting to a legitimate network.
3. Confidentiality
WEP does not protect confidentiality due to improper implementation of
the RC4 algorithm in the WEP protocol. Poor key management, as well as the
reuse of IV can allow attackers to break the WEP key if sufficient packets are
sniffed and collected off the airwaves. Once the WEP key is broken, decrypting
information carried on the wireless network becomes a trivial affair. Tools have
been developed that exploit the weaknesses in WEP and these can be freely
downloaded via the Internet. Examples of such tools are AirSnort (available at
http://airsnort.shmoo.com) and WEPCrack (available at
http://wepcrack.sourceforge.net).
33. 17
C. IEEE 802.1X
The IEEE 802.1x is a port based protocol that provides authentication and
authorization for both wired and wireless networks. It was included in the 802.11
standard to remedy the weaknesses in the authentication processes used in
WEP. IEEE 802.1x was ratified in Jun 2001, and is currently supported in many
802.11 cards and access points. (The full specification is available at
http://www.ieee802.org/1/pages/802.1x.html).
1. Principle of Operation
802.1x defines three entities in the authentication process [Edney and
Arbaugh 2004]:
• Supplicant - entity that wants to join a network i.e. a wireless client.
• Authenticator - entity that controls access to the network. In the
case of WLANs, this refers to an access point.
• Authentication server - entity that makes the authorization
decisions.
A general overview of the authentication process used in 802.1x is
illustrated in Figure 3.
34. 18
RADIO MAC
Network
Access
Authenticator
Authenticator
WIRELESS DEVICES
(SUPPLICANT) ACCESS POINT
AUTHENTICATION SERVER SECURITY DATABASE
Enterprise Network
Figure 3. Overview of 802.1x Authentication Protocol
(from [Edney & Arbaugh 2004])
In Figure 3, an authenticator is created together with a logical port for each
supplicant requesting access to the network. The authenticator controls access
to network resources by using manipulating logical switches within the access
point. By default, the logical switches are in the open position. A wireless device
has to submit credentials (such as user ID and a password) to the authenticator,
which in turn relays these messages to the authentication server. The
authentication server uses the credentials provided by the wireless device and
determines if access is to be granted. If access is granted, the logical switch
controlling the connection for that wireless device will be closed thereby enabling
access to the network.
35. 19
2. Extensible Authentication Protocol (EAP)
802.1x is intended to provide strong authentication, access control and
key management control, which is not provided in WEP. 802.1x is based on EAP
or more specifically EAP over Local Area Networks (EAPOL). EAP is general
messaging protocol that provides communications and message exchanges
between different parties in the authentication process. Note that EAP does not
specify the type of authentication method used. However, different authentication
methods have been implemented to work with EAP, including Kerberos,
public/private keys, as well as biometrics. For a full listing of EAP authentication
methods, refer to [Bersani 2004].
Start
Request Identity
Response Identity
Response Identity
Request 1
Request 1
Response 1
Response 1
Request n
Request n
Response n
Response n
SUPPLICANT
AUTHENTICATOR
AUTHENTICATIONSERVER
Success
Success
Figure 4. General EAP Message Flow in Authentication Process
(from [Edney & Arbaugh 2004])
The general authentication sequence using EAP is shown in Figure 4. A
supplicant starts the authentication process by sending an EAP-Start message to
the authenticator. On receiving the EAP-Start message, the authenticator
36. 20
responds with an EAP Request Identity message to determine the identity of the
supplicant. The supplicant follows up by sending its identify information using the
EAP Response Identity message which is forwarded by the authenticator to the
authentication server. The authentication server initiates a series of challenges to
the supplicant, which provides responses to each challenge. The authentication
server checks the responses received from the supplicant, and returns a
Success message to the authenticator if the responses are correct. On receiving
the Success message from the authentication server, the authenticator grants
access to the supplicant.
Most current applications use the EAP-TLS method (one of the EAP
methods) for authentication with an authentication server. EAP-TLS (EAP-
Tunneled Layer Security) uses a certificate-based mechanism to perform mutual
authentication and key exchange, and is generally considered to be the strongest
EAP method. Since EAP-TLS uses certificates, PKI must be supported in the
enterprise network. The authentication server is usually a RADIUS-based
server. However, 802.1x does not specify RADIUS as the default authentication
server, and other authentication servers can be used as long as the servers
support EAP.
D. WI-FI PROTECTED ACCESS
The Wi-Fi Protected Access (WPA) is a standards based, interoperable
security specification developed by the Wi-Fi Alliance. The goal of WPA is to
provide intermediary fixes to the vulnerabilities of WEP. Existing 802.11 network
equipment can be upgraded to WPA through software or firmware upgrades.
The key features of WPA are as follows:
1. Temporal Key Integrity Protocol (TKIP)
TKIP is designed to address WEP’s weaknesses in data encryption. As
discussed in the earlier sections, the current WEP implementation uses a static
shared secret key together with a short (24 bit) initialization vector to generate
the encryption keystream using the RC4 algorithm.
37. 21
TKIP continues to use the RC4 algorithm for data packet
encryption. However, unlike WEP which uses a static shared secret key, TKIP
uses a temporal key that is changed every 10000 packets. A longer 48 bit
initialization vector is also adopted to prevent the reuse of initialization vectors
over the life-time of a temporal key. These measures make it much more difficult
for potential attackers to break the TKIP key using existing WEP-breaking
techniques.
2. Michael Message Integrity Check
The Michael Message Integrity Check (MIC) is intended to provide
protection data in transit against unauthorized modifications or tampering. The
Michael algorithm uses a cryptographic digest of the original message as an
integrity checksum. This protects the integrity of data packets on the wireless
networks, since any attempt to modify packets will be detected.
However, one important consideration in the design of WPA was to be
able to operate on existing 802.11 devices with low CPU capacity. With the
constraints of CPU power, it is not feasible to design the Michael MIC to provide
the same level of security as other integrity checksums such as MD5. In view of
this weakness, TKIP implements additional countermeasures to work with the
Michael MIC. Specifically, when an access point detects two packets that have
failed the Michael algorithm on a particular temporal key, it will drop the
association, generate new keys and wait for a minute before creating a new
association to the host.
A concern with the TKIP countermeasures is that attackers can launch a
denial of service attack by flooding access points with messages that have
corrupted integrity checksums. This can result in repeated time-outs at the
access points (for up to one minute each time), and thereby deny legitimate
users from access to the network.
38. 22
However, this risk of a possible denial of service attack should be weighed
against the alternatives of WEP (which is fundamentally broken) or having no
security mechanism at all. In the latter cases, an attacker can gain unrestricted
access to the network and inflict damage while remaining undetected. In the case
of WPA, network monitoring tools can be programmed to look out for frequent
time-outs at access points which would indicate an active attack. This could
provide responsive detection and execution of contingency plans to contain an
attack.
E. IEEE 802.11I
The IEEE 802.11i standard was developed by the IEEE as a replacement
for the flawed WEP protocol. The protocol was recently ratified by IEEE in May
04, and first products supporting 802.11i are expected to be on the market in the
early part of 2005.
IEEE 802.11i is designed to be compatible with the WPA protocol. 802.11i
supports TKIP encryption and the Michael Message Integrity Check used in
WPA, as well as the 802.1x protocol for authentication. However, it should be
noted that TKIP is built around the flawed implementation of the RC4 encryption
algorithm in WEP, and is therefore considered to be an interim solution for
encryption security.
To counter the weaknesses in the RC4-based encryption, 802.11i
introduces 2 additional encryption protocols based on the FIPS-approved
Advanced Encryption Standard (AES) algorithm.
39. 23
1. Counter Mode with CBC-MAC Protocol (CCMP)
CCMP is the mandated encryption technique in the 802.11i standard. It
employs the AES algorithm using the CCM mode of operation. CCM utilizes the
Counter Mode (CTR) for data encryption and Cipher Block Chaining Message
Authentication Code (CBC-MAC) to ensure message authenticity and integrity.
CCMP uses the CTR mode in AES to encrypt data for transmission. The
basic mechanism for AES CTR mode encryption is shown in Figure 5 below.
IV IV+1 IV+2
K E K E K E
C1 C2 C3
M1 M2 M3
LEGEND
IV Initialization Vector
M Message Plaintext
C CipherText
One-time Pad
Logical OR Operator
Figure 5. AES Counter (CTR) Mode Encryption Process
(from [Kaufman 2002])
A 128 bit temporal key (K) together with a 48 bit IV is used to generate a
one-time pad using the AES algorithm (E). The IV is incremented after
generating each one-time pad. A logical OR operation is then performed with the
message plaintext and the corresponding one-time pad.
The advantage of using CTR mode is that it provides equivalent
encryption security compared with other AES modes but is computationally less
intensive. In CTR mode, the one-time pads can be pre-computed for a given
temporal key, and the encryption is a simple logical OR operation. Since chaining
is not employed in CTR mode, message packets can be decrypted independently
40. 24
of previous message packets. However, the encryption process will be weakened
if the same key and IV is used to encrypt different messages (this is the problem
faced in WEP). To tackle this, the temporal key has to be refreshed periodically
via the 802.1x protocol, and a longer 48 bit IV is used to prevent the IV collisions
over the active life time of each temporal key.
Header Payload
CBC-MAC
MIC
Encrypted
Figure 6. Message Integrity Check using CBC-MAC Computation
To provide data integrity, a message integrity check (MIC) is generated for
each message packet using CBC-MAC. This is illustrated in Figure 6. The MIC is
computed over the payload and the header, and the resulting MIC is appended.
Encryption is then applied over the payload and the MIC, while the header is sent
in the clear. Since the header is included in the computation of the MIC, any
unauthorized modification or corruption of the header will also be detected. This
prevents attackers from spoofing data packets on the network.
41. 25
2. WRAP
WRAP was the original AES-based proposal for 802.11i encryption. This
protocol is based on AES in the OCB (Output Feedback) mode. WRAP was
replaced by CCMP due to intellectual property rights issues, but it was kept in the
802.11i draft as some vendors had already implemented WRAP modules in their
hardware.
A summary of the key features of WEP, WPA and 802.11i is provided in
Table 5. (For details on the AES algorithm, refer to [FIPS197 2001])
Key Features WEP WPA 802.11i
Encryption
Algorithm
RC4 RC4 CCMP (using AES
CCM)
Key Size 40 or 104 bits 2 keys used
128 bits key for
encryption
64 bit key for
authenticity and
integrity checking
128 bits
Initialization
Vector
24 bit 48 bit 48 bit
Integrity Check 32 bit CRC Michael MIC CBC-MAC
Authentication and
Key Management
None EAP-based using
802.1x
EAP-based using
802.1x
Table 5. Comparison of WEP, WPA and IEEE 802.11i Security
Protocols
42. 26
F. REQUIREMENTS MATRIX
Table 6 provides a summary of WEP, WPA and 802.11i versus the
requirements specified in the DCID documents.
REQUIREMENTS WEP
(Compliant/Not
compliant)
WPA
(Compliant/Not
compliant)
IEEE 802.11i
(Compliant/Not
compliant)
CONFIDENTIALITY (Level of Concern: HIGH, PL1)
Data Storage
Information encrypted
using NSA-approved
encryption
mechanisms
appropriate for the
classification of stored
data
DCID 6/3
4.B.1.a(7)(d)
Not compliant Not compliant Compliant (a
minimal 128 bit key
length is required )
AES-encryption is
approved by the
Committee On
National Security
Systems, for
systems handling
information up to
SECRET
classification.
Data Transmission
Information distributed
using NSA-approved
encryption
mechanisms
appropriate for the
classification of the
information
DCID 6/3
4.B.1.a(8)(a)(3)
Not compliant Not compliant Compliant
Identification and
Authentication
An identification and
authentication (I&A)
management
mechanism that
ensures a unique
identifier for each user
and that associates
that identifier with
auditable actions
taken by the user
DCID 6/3
4.B.1.b(3)
Not compliant.
Does not provide
means to uniquely
identify a user
Compliant
802.1x mechanism
to provide unique
user identification
and authentication.
Compliant
802.1x mechanism
to provide unique
user identification
and authentication.
43. 27
Identification and
Authentication
Access to the IS by
privileged users who
either reside outside
of the IS’s perimeter
or whose
communications
traverse data
links(extranets,
INTERNET, phone
links) that are outside
of the IS’s perimeter
shall require the use
of strong
authentication (i.e., an
I&A technique that is
resistant to replay
attacks)
DCID 6/3
4.B.1.b(4)
Not compliant
Does not provide
strong
authentication
measures
Compliant
Strong
authentication can
be implemented
with 802.1x
Compliant
Strong
authentication can
be implemented
with 802.1x
INTEGRITY (Level Of Concern: MEDIUM)
Protect against
unauthorized
modification/tampering
of data in transit over
the wireless medium
Not compliant.
WEP integrity
checksum can be
tampered without
detection
Not Compliant
Concern over
denial of service
attack with Michael
MIC
Compliant
CBC-MAC integrity
check
Table 6. Comparison of WEP, WPA and 802.11i Security Functions
Versus DCID requirements
G. COMPARISON AND RECOMMENDATIONS
Comparing the performances of WPA, 802.11i and the WEP protocols in
Table 6, we observe that 802.11i is the only protocol that satisfies all the listed
requirements in the table. 802.11i adopts AES encryption which is approved by
the National Institute of Standards and Technology (NIST) for use in government
applications. More importantly, AES is approved by the National Security Agency
for use in protecting classified information up to the SECRET level [CNSS 2003],
provided that encryption keys of at least 128 bits are used. Furthermore, the
CBC-MAC integrity protection is not susceptible to denial-of-service attacks as
compared to the Michael implementation in WPA.
There are some issues that need to be considered when deciding to adopt
the 802.11i standard in the enterprise architecture. 802.11i requires additional
44. 28
hardware co-processors in order to support AES encryption, and these co-
processors are not available in current 802.11 NICs and access points. Hence,
extensive hardware upgrades/replacement is required to upgrade current
networks to 802.11i standard. However, 802.11i-compliant products are only
expected to emerge in the market in early 2005. In the meantime, it is
recommended that current 802.11 networks are upgraded to WPA standard
The recommendations with regards to 802.11i and WPA are as follows:
1. Evaluate and adopt 802.11i when it becomes available. 802.11i
currently provides the best security among the 802.11 security
protocols.
2. In the mean time, all wireless network equipment should be
updated to WPA standard. Current 802.11 network equipment can
be upgraded to WPA standard via a software or firmware upgrade.
3. When evaluating 802.11i products, verify that these support at least
128-bit encryption keys, which is the minimum key length required
for AES to be used in a network with SECRET classification.
802.11i products that support longer encryption keys (192-bits, 256-
bits etc) can be used in networks with classification of up to TOP
SECRET. It is useful also to verify that the different key lengths
can be selected to match the corresponding security classification
of the network.
4. Regardless of WPA or 802.11i, additional layers of defense should
be built over the link layer defense mechanism to provide enhanced
security. The next chapter will discuss some these additional
defense mechanisms that can be included in the wireless
architecture.
45. 29
IV. ENTERPRISE ARCHITECTURE DESIGN
A. OVERVIEW
In the preceding chapter, we studied the WEP, WPA and 802.11i link layer
protocols provided in the IEEE 802.11 standard. In this chapter, we will look at
other security mechanisms and implementations that can be built on top of
802.11 link security to provide a strong, multi-layered defense architecture. The
objective of a multi-layered defense architecture is to provide defense in depth,
such that the failure of a particular defense mechanism will not compromise the
defenses of the entire network. It will also provide flexibility and scalability in the
design, whereby layers can be added or removed to suit the specific needs of a
particular network.
B. VIRTUAL PRIVATE NETWORKS
Virtual Private Networks (VPN) are commonly used by enterprises to allow
users to access enterprise network resources securely over a public network
infrastructure. In general, VPNs employ encryption and encapsulation techniques
to create a virtual tunnel that supports secure data communications over a non-
secure network. However the specific encryption and encapsulation methods
employed vary from vendor to vendor.
Most existing VPN implementations are based on the IPSec security
protocol. IPSec provides data encryption using the 3-DES encryption algorithm.
There are also VPN implementations that adopt AES and other encryption
algorithms. In the context of this thesis, a VPN implementation using AES
encryption (with at least 128 bit key) is recommended to satisfy the confidentiality
requirements of the enterprise system.
46. 30
Access Point
Wireless
DeviceVPN
Gateway
Enterprise Network
802.11 Link Security
VPN Tunnel
Figure 7. Integration of VPN with Wireless Network Architecture
Figure 7 illustrates the integration of VPNs for the typical wireless network.
A VPN gateway is deployed at the edge of the enterprise network, and all
wireless clients will have to connect via the VPN gateway in order to access the
enterprise network resources. A VPN tunnel is created from the VPN gateway,
through the wireless access point and terminating at the wireless client. Data
packets transmitted along this path will be protected by the VPN tunnel.
Implementing 802.11i link security will add additional protection along the tunnel
between the access point and the wireless device. Hence any attacker
attempting to infiltrate via the wireless network will have to break 2 strong layers
of defenses, the 802.11i link protection and the VPN tunnel.
C. APPLICATION ENCRYPTION
In applications that require higher levels of protection, the use of
encryption should be considered to protect the confidentiality and integrity of data
traveling from sender to receiver. While VPNs and 802.11 link security
mechanisms also apply encryption to data, they do not provide end-to-end
protection. As seen from Figure 1, data is encrypted by VPN and 802.11i when it
47. 31
travels between the VPN gateway and the wireless client terminal. However, data
traveling between the enterprise network and the VPN gateway is transmitted in
the clear.
To provide end-to-end protection, applications can encrypt data packets
before they are sent out into the network. At the receiving end, the encrypted
data will have to be successfully decrypted before the data can be processed.
While the encryption and decryption processes are relatively straightforward, the
complexity of encryption schemes is in the generation, distribution and
management of keys used in the encryption process. Currently, Public Key
Infrastructure (PKI) is commonly used in INTERNET and enterprise applications
for data encryption and key management. PKI provides strong encryption, as well
as strong authentication through digital signing. However, the drawback of PKI is
complexity, and it requires the installation of Certificate Authorities (CAs) and
other PKI infrastructure in the network.
Access Point
Wireless
DeviceVPN
Gateway
Enterprise Network
802.11 Link Security
VPN TunnelEncrypted Data
PKI Certificate
Authority
Application
Server
Figure 8. PKI-based Infrastructure
Figure 8 shows the integration of a PKI-based encryption scheme into the
wireless architecture. A PKI Certificate Authority is installed within the enterprise
network to support the generation of PKI certificates to users in the network.
Using this infrastructure, the application server and the wireless device can
48. 32
encrypt their data and communicate securely end-to-end. The concept of
defense in depth is again demonstrated since the encrypted data packets will be
further protected by the VPN tunnel and 802.11i mechanisms as they travel
between the VPN gateway and the wireless client.
D. MULTI-FACTOR AUTHENTICATION
To provide strong authentication protection, consider the use of multi-
factor authentication. Multi-factor authentication adds strength to current
authentication mechanisms by adding the attributes of “something you have” to
the traditional “something you know” (i.e. passwords) schemes. Examples
include smart cards and biometric authentication (e.g. fingerprints or cornea
scans).
E. MONITORING
A network monitoring tool should be deployed in the enterprise
architecture to monitor and analyze traffic that flows through the wireless
network. Deploying a monitoring system is critical for timely detection of probes
and attacks, as well as to look out for rogue access points.
Rogue access points are unauthorized access points that are installed in a
network. Rogue access points present a risk to the network because they can
open up back-door channels for attackers to infiltrate and attack the network.
Attackers can also set up access points to masquerade as a legitimate network.
When a user attempts to connect to these spoofed networks, the attacker could
collect valuable information such as passwords and authenticating materials
which is sent by the unsuspecting client.
There are a number of companies that provide monitoring and intrusion
detection tools for wireless networks, such as AirDefense, NetworkChemistry and
Red-M.
49. 33
F. DEVICE SECURITY
As computing devices become smaller and more portable, the probability
that such devices will be stolen or lost increases substantially. The loss of a
device can compromise the security of the enterprise network, since encryption
keys and classified information may have been stored on the device.
One potential solution is to apply biometric security, such as fingerprint
scanning and recognition onto the mobile devices. An example of a mobile
device employing biometric security is the HP IPAQ Pocket PC 5450 shown in
Figure 9.
Figure 9. Biometric Protected Device: HP IPAQ Pocket PC 5450 PDA
(from[PCWorld 2004])
Biometric protection provides significant improvements to mobile device
security. When incorporated with security applications, different levels of
protection can be provided to suit the needs of different operating environments.
This is an area that should be further investigated. For example, the PDA can be
programmed to block access to files stored on the PDA if proper credentials are
not supplied, and an administrator is then required to unlock those files. In
environments where the loss of the PDA could result in severe operational
consequences (such as in a tactical environment), the PDA could even be
50. 34
programmed to erase all its memory and disks contents via a hard reset in the
event of multiple unsuccessful logins.
G. MEDIUM-BASED ACCESS CONTROL
In most traditional systems, the decision to grant or deny access to
classified information is typically based on user access rights. However, user
access rights do not provide the fine grained controls that may be required by the
enterprise’s security policy, such as restricting access to classified information
from the wireless network.
This section describes an access control mechanism that controls
access to information, based on the access medium (i.e. wired or wireless
network). This prototype system extends the proof-of concept demonstrator
developed in [Nandram 2004]. [Nandram 2004] proposes the use of Extensible
Markup Language (XML) tags to differentiate the contents in a particular
document based on their security classifications. Based on the user’s access
rights and the type of access medium, only the relevant sections within the
document will be extracted and served to the users.
The concept demonstrator developed in [Nandram 2004] uses the source
IP address to determine if the medium of access was a wired or wireless
network. However, an IP based scheme requires a segregation of the wireless
and wired subnets. An alternative method of determining the medium of access
is to use the Medium Access Control (MAC) address. The MAC address is
unique to individual networks cards and can be used to identify if it is a wired or
wireless network card.
51. 35
1. Concept of Operation
The concept of operation for the prototype access control mechanism is
shown in Figure 10.
Security Database
Authorised Addresses Lookup Table
MAC_ADDR Domain
MAC_1 Wired
MAC_2 Wireless
Rules
Wired UNCLASS FOUO
Wireless UNCLASS
Wireless Client
Address: MAC_2
Information
Server
Submit Request + MAC_1
Submit Request + MAC_2
Figure 10. Concept of Operations for Medium-Based Access Control
In Figure 10, the security database look-up table contains the MAC
addresses of all authorized network interface cards, as well as the type of the
card, i.e. a wired or wireless network card. It also contains the highest security
classification of information that the different domains are authorized to carry. In
this example, the wired network can carry information up to “UNCLASSIFIED
FOR OFFICIAL USE ONLY”, and the wireless network can carry up to
“UNCLASSIFIED” information.
When a client requests information from the information server, it has to
provide its MAC address to the information server along with the request. On
receiving the MAC address, the information server will query the look-up table in
the security database to derive information on the medium of access and the
classification of information that can be sent. In this illustration, the wireless client
will get information content that is rated “UNCLASSIFIED”, and if the same client
were to request for the same information on the wired network, the client will
receive information content that is rated “UNCLASSIFIED FOR OFFICIAL USE
ONLY”. In the event that a submitted MAC address is not found in the security
database, the client will be denied information from the server.
52. 36
2. Implementation and Design
The classes that were implemented for the demonstrator are shown in
Figure 11. All software modules implemented were developed using Java.
HTTPFunctions NetServerContentGUI
BrowserStarter
GetMACAddress
POST Request “http:… + MAC Address
RESPONSE: HTTP Link
MACList.dat
MAC Address
Access Medium Type
Page.html
CLIENT APPLICATION SERVER APPLICATION
Figure 11. Design Implementation
The design involved software applications on the client end and at the
server. For the client application, the key classes are:
• ContentGUI : Provides the graphical user interface for users to
invoke requests
• GetMACAddress: Provides functionality to extract the MAC address
of the client terminal
• HTTPFunctions: Provide methods to post and receive HTTP
requests from the server. A request for a resource is concatenated
with the client terminal’s MAC address when it is sent to the server.
The response that is expected from the server is a HTML link to the
requested resource
• BrowserStarter: Used to invoke a browser window to display the
returned contents from the server
53. 37
On the server application, the key classes and files are:
• MACList.dat: This is a simple file that contains a list of registered
MAC addresses, and the type of card (i.e. wired or wireless) that is
associated with each MAC address
• NetServer: This is a servlet application that listens for requests from
users. NetServer extracts out the MAC address of the requesting
user and checks it against MACList.dat to determine if the user is
on the wired or wireless network. The NetServer class accesses a
pre-stored webpage (page.html), and extracts out the relevant
contents for the user.
• XMLParser: This class was not implemented due to time and
resource constraints. In the current prototype, the parsing was
performed by the NetServer servlet.
The source codes for the various classes are listed in Appendix B.
3. Demonstration Program
The Graphical User Interface (GUI) implemented in the ContentGUI class
is shown in Figure 12 . The ContentGUI class provides the interface to allow a
user to connect to the server and request for pages stored on the server. In this
case, the program connects to the NetServer servlet using HTTP function calls,
and appends the user terminal’s MAC address to the HTTP POST request when
the SUBMIT button is pressed.
54. 38
Figure 12, User Graphical Interface
Upon receiving a request, the server will generate the requested
information on a web page and return a HTTP link. Invoking the OPEN button will
open the web page for viewing on the default web browser the link for browsing
by invoking the OPEN button.
Figure 13 shows the view of a web page generated for a user accessing
the server via the wired network. In this example, he will be able to see
information that is classified up to “UNCLASSIFIED FOR OFFICIAL USE ONLY”.
Figure 13. View for User Connected Via the Wired Network
55. 39
Figure 14 shows the view of the web page generated for a user accessing
via the wireless network. In this case, the user is only able to access information
up to “UNCLASSIFIED” level.
Figure 14. View for User Connected Via the Wireless Network
4. Limitations
In the current prototype, the MAC address is sent to the information server
without encryption. This raises a concern that the MAC address can be spoofed
and used to gain unauthorized access to the information server. A potential
attacker could easily capture the data packets traveling between the client and
the server using a simple packet analyzer. Since the MAC address is not
encrypted, the attacker could easily extract the MAC address from the captured
packets, and modify or replace it with another MAC address. Encryption should
therefore be considered to protect the MAC address and prevent spoofing or
unauthorized modification.
H. SUMMARY
This chapter outlined a layered-defense strategy that can be adopted to
secure the enterprise wireless network. This includes adopting the 802.11i link
security protocol, and building additional layers of defense such as including
VPNs, encryption and strong authentication. This chapter also recommended the
56. 40
installation of monitoring tools to monitor the wireless network for suspicious
activities and for rogue access points, as well as physical security for mobile
devices. Lastly a prototype medium-based access control mechanism was
implemented to provide fine grained control of the information that can be
accessed from the wireless network.
57. 41
V. CONCLUSION
A. CONCLUSION
Wireless networks offer the benefits of mobility to the enterprise, but could
become a security concern if not properly secured. While wireless networks are
inherently less secure then wired networks, a proper security implementation can
protect the wireless network sufficiently for it to be used in the enterprise
environment.
In this thesis, we studied the problem of implementing a wireless
enterprise architecture that meets the specific needs of a DoD enterprise
network. A thorough review of the technologies and security implementations
pertaining to wireless networks was conducted. The research culminated in the
proposal of a layered defense architecture that integrates the various technical
solutions into a cohesive defensive mechanism for the enterprise network. The
architecture builds on the link layer security mechanisms provided by the IEEE
802.11 standard, and adds additional layers of protection such as VPN and
encryption to protect data in transit over the enterprise network. A policy control
mechanism was developed that allows a network administrator to control the flow
of sensitive information to and from the wireless network.
B. RECOMMENDATIONS AND FURTHER WORK
This thesis provides a basic architecture for implementing a secure WLAN
network for DoD specified applications. There is significant room for
improvements and additional research. Future work in the following areas is
recommended
1. WLAN Security Test Bed
With the conceptual design of the wireless architecture in place, the next
step will be to implement the architecture on a test bed system. This system will
be useful for testing and evaluating the effectiveness of the various mechanisms
proposed in the architecture.
58. 42
2. Medium-based Access Control Prototype
There are limitations in the current prototype of the medium-based access
control system. The current prototype does not provide encryption to protect the
MAC address information submitted by the client terminals. Furthermore, the
XML framework proposed in [Nandram 2004] was not implemented due to
resource and time constraints. Further work is required to develop this tool into a
useful access control mechanism. These include
• Integrate application encryption features described in Chapter 4
into the prototype system. This will add security to the
communications between the client terminal and the information
server.
• Integrate the XML framework into the current prototype. Instead of
implementing the file conversion at the servlet application, an XML
parser can be used to extract the relevant information from a
document and serve it to the client.
• Additional decision rules can be included to further improve on the
usefulness of the current prototype. A possible area is to integrate
RF-ID tags which track the location of the client terminal in the
premises of the enterprise. Based on the location of the client
terminal, information with the appropriate security clearance will be
sent to that client. This will be useful in enforcing policies which
restrict the flow of classified information only in certain rooms or
areas in the enterprise.
59. 43
APPENDIX A. OVERVIEW OF IEEE 802.11 STANDARD
A. OVERVIEW
The IEEE 802.11 standard was first introduced in 1997 to provide wireless
networking over limited ranges. The original 802.11 standard operated in the 900
MHz range and provided data rates of up to 2 Mbps. IEEE has since introduced a
number of extensions to the 802.11 standard, notably 802.11a, 802.11b,
802.11g. A comparison of the different 802.11 protocols is shown below in Table
7.
802.11a 802.11b 802.11g
Frequency Band 5GHz UNII 2.4GHz ISM 2.4 GHz ISM
Modulation
Scheme
OFDM DSSS DSSS or OFDM
Number of Data
Channels
12 3 3
Data Rate (Max) 54 Mbps 10 Mbps 54 Mbps
Range 50 m 100 m 100 m
Interoperability 802.11a only Compatible with
802.11g
Compatible with
802.11b (however,
performance will
degrade to
802.11b level)
Table 7. Comparison of existing 802.11 Protocols
802.11b is currently the most widely accepted standard among the three
standards. The 802.11g was recently ratified in 2003 and is expected to gain a
foothold in the market when products supporting 802.11g are released on the
market.
60. 44
B. MODES OF OPERATION
The IEEE 802.11 standard defines 2 basic modes of operations for
wireless networking: infrastructure and ad-hoc mode.
In the infrastructure mode, wireless computer terminals communicate with
each other via a wireless access point (AP). The AP coordinates the WLAN and
controls the data communications between the wireless terminals. It also
provides a bridge between the wired and the wireless network. A typical WLAN
system operating in the infrastructure mode is shown in Figure 15 .
PDA with Wireless
Network Card
WLAN enabled
Laptop
PDA with Wireless
Network Card
Access Point
Server
Workstations
Workstations
Figure 15. WLAN Operating in Infrastructure Mode
In the ad-hoc mode, the wireless computer terminals communicate directly
with each other without the use of an access point. This mode is also commonly
known as peer-to-peer mode. The ad-hoc mode provides a simple and easy way
for wireless terminals to exchange information without requiring an infrastructure
network. A typical ad-hoc network setup is shown in Figure 16.
61. 45
PDA with Wireless
Network Card
PDA with Wireless
Network Card
WLAN enabled
Laptop
WLAN enabled
Laptop
Figure 16. WLAN Operating in Ad-Hoc Mode
C. COLLISION DETECTION AND AVOIDANCE
The 802.11 standard uses the Carrier Sense Multiple Access with
Collision Avoidance (CSMA/CA) protocol to resolve collisions during
transmissions. Collisions occur when 2 or more terminals transmit simultaneously
while operating in the same channel.
In the CSMA/CA protocol, any terminal that wishes to transmit information
is required to sense the medium for any activity. If the medium is busy, the
terminal will wait for a period of time before attempting to transmit again. If the
medium is free, the source terminal transmits a Request-to-Send (RTS) packet to
the destination terminal. On receiving the RTS packet, the receiver terminal will
sense the medium and respond with a Clear-to-Send (CTS) packet if the medium
is free. The source terminal will start data transmission only when the CTS is
received successfully. All other terminals that receive the RTS and CTS
messages will defer any transmissions on the medium.
63. 47
APPENDIX B. SOURCE CODES
A. CLIENT APPLICATION MODULE
1. ContentGui.java
//******************************************************
// Name: ContentGui.java
// Purpose: This class implements the GUI portion of the
// Client Application Module
// Arguments: None
// Output: None
//******************************************************
import java.lang.*; // Fundamental class for Java programs
import java.net.*; // For socket
import java.io.*; // For IOException and Input/OutputStream
import java.util.*;
import java.awt.*; // Containing classes for user interfaces
import java.awt.event.*;
import javax.swing.*; // For GUI programming
public class ContentGUI extends JFrame implements ActionListener{
//Text Fields for Server URL, Port Number, Local MAC Address, returned
URL
static private JTextField jtfServerURL, jtfPortNum, jtfMAC, jtfURL;
// Buttons "Submit" - to submit request to server
// Buttin "Open" - to open returned URL link in a new web browser
private JButton jbtSubmit, jbtOpen;
static final int LEFT = 0;
static final int CENTER = 1;
static final int RIGHT = 2;
// default string values for the test fields
static final String strServerURL =
"http://131.120.10.153:8080/servlet/NetServer";
static final String strPortNum = "8080";
static final String DELIMITER = "%";
64. 48
public ContentGUI () {
setTitle("Content Management Panel");
//**************************************************************
// Create the panels
//**************************************************************
JPanel p1 = new JPanel();
p1.setLayout(new FlowLayout(LEFT));
p1.add(new JLabel("Server URL"));
p1.add(jtfServerURL = new JTextField(strServerURL));
JPanel p2 = new JPanel();
p2.setLayout(new FlowLayout(LEFT));
p2.add(new JLabel("Server Port"));
p2.add(jtfPortNum = new JTextField(strPortNum));
p2.add(new JLabel("MAC Address"));
p2.add(jtfMAC = new JTextField(12));
JPanel p3 = new JPanel();
p3.setLayout(new FlowLayout(LEFT));
p3.add(jbtSubmit = new JButton("Submit"));
JPanel p4 = new JPanel(new BorderLayout());
p4.add(p1, BorderLayout.NORTH);
p4.add(p2, BorderLayout.CENTER);
p4.add(p3, BorderLayout.SOUTH);
JPanel p5 = new JPanel();
p5.setLayout(new FlowLayout(LEFT));
p5.add(new JLabel("Status"));
p5.add(jtfURL = new JTextField(20));
JPanel p6 = new JPanel();
p6.setLayout(new FlowLayout(LEFT));
p6.add(jbtOpen = new JButton("Open"));
jbtOpen.setEnabled(false);
//Register listeners
jbtSubmit.addActionListener(this);
jbtOpen.addActionListener(this);
65. 49
//**************************************************************
// Add panels to the frame
//**************************************************************
getContentPane().setLayout(new BorderLayout());
getContentPane().add (p4, BorderLayout.NORTH);
getContentPane().add (p5, BorderLayout.CENTER);
getContentPane().add (p6, BorderLayout.SOUTH);
}
public static void main(String[] args) throws IOException {
ContentGUI frame = new ContentGUI();
frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
frame.pack();
frame.setVisible(true);
String strMAC;
GetMacAddress gMac = new GetMacAddress();
strMAC = gMac.getMac();
jtfMAC.setText(strMAC);
}
public void actionPerformed(ActionEvent e){
String strSubmitURL, strData, strReply;
String actionCommand = e.getActionCommand();
HTTPFunctions hConn = new HTTPFunctions();
//Handle button events
if(e.getSource() instanceof JButton){
if ("Submit".equals(actionCommand)){
strSubmitURL = jtfServerURL.getText();
strData = jtfMAC.getText();
try{
strReply = hConn.PostRequest(strSubmitURL, strData);
if (strReply.compareToIgnoreCase("Invalid MAC Address")== 0)
jtfURL.setText(strReply);
else{
jtfURL.setText(strReply);
jbtOpen.setEnabled(true);
}
}catch(Exception err){}
}
if ("Open".equals(actionCommand)){
66. 50
String str = jtfURL.getText();
try{
BrowserStarter bb = new BrowserStarter();
bb.openURL("http://131.120.10.153/out.html");
jbtOpen.setEnabled(false);
}catch(Exception err){}
}
}
}
} // end class
2. GetMACAddress.java
//******************************************************
// Name: GetMacAddress.java
// Purpose: Class that retrieves the MAC address of the
// local host terminal
// Arguments: None
// Output: Returns MAC address as a string
//******************************************************
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.*;
import java.util.*;
public class GetMacAddress {
public GetMacAddress(){} //constructor
public String getMac(){
String []cmd = {"cmd.exe","/c","ipconfig /all"};
String output = "";
String MAC_Address = "";
try {
Process ps = Runtime.getRuntime().exec(cmd);
int ptr = 0;
InputStream in;
in = new BufferedInputStream(ps.getInputStream());
StringBuffer buffer = new StringBuffer();
while( (ptr = in.read()) != -1 ) {
buffer.append((char)ptr);
}
output = buffer.toString();
StringTokenizer st = new StringTokenizer(output,"n");
int i=1;
String line="";
//String MAC_Address = "";
68. 52
3. HTTPFunctions.java
//*********************************************************************
//Name: HTTPFunctions.java
//Purpose: Provide methods for applications to invoke HTTP Post
and Get functions
//*********************************************************************
import java.net.*;
import java.io.*;
import java.util.*;
public class HTTPFunctions {
public HTTPFunctions(){} //constructor
public String PostRequest( String strURL, String data) throws
MalformedURLException, IOException, IllegalStateException
{
// generic function to send a post request to the server.
String strOut = "";
URL url = new URL(strURL);
HttpURLConnection connection = (HttpURLConnection)url.openConnection();
connection.setRequestMethod("POST");
connection.setDoOutput(true);
PrintWriter out = new PrintWriter(connection.getOutputStream());
out.print(data);
out.close();
BufferedReader in = new BufferedReader(new
InputStreamReader(connection.getInputStream()));
//Read the return text only if the response is OK
if (connection.getResponseCode() == HttpURLConnection.HTTP_OK)
{
String line;
while ((line = in.readLine()) != null)
{
strOut = line;
}
}
in.close();
return(strOut);
}
}
69. 53
B. SERVER SIDE APPLICATIONS
1. NetServer.java
// ***************************************************************
// Name: NetServer.java
// Purpose: Implements a servlet application that accepts HTTP
// Post requests from clients
// This servlet extracts out the MAC address that is
// appended with the HTTP post request
// Based on the MAC address, the servlet extracts out
// the relevant information from the template information
// file page.html and stores the relevant content in
// new HTML file out.html
// The client is returned the URL link to out.html
//****************************************************************
import java.lang.*;
import java.util.*;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class NetServer extends HttpServlet {
//GetMacType gType = new GetMacType();
private String processData(char[] inData) {
String s = new String(inData);
StringBuffer sb = (new StringBuffer(s)).reverse();
return sb.toString();
}
public String Extract(String CLASSIFICATION , String File_Name){
BufferedReader infile = null;
FileReader frs = null;
FileWriter fws = null;
PrintWriter out = null;
String strTemp;
try {
frs = new FileReader( File.separator + "var" + File.separator +
"www" + File.separator + "html" +
File.separator + File_Name);
infile = new BufferedReader(frs);
fws = new FileWriter( File.separator + "var" + File.separator +
"www" + File.separator+ "html" +
File.separator + "out.html");
out = new PrintWriter(fws);
boolean blnWriteCurrentLine = true;
70. 54
while ((strTemp = infile.readLine()) != null)
{
// gets rid of the <low> and </low> tags
if
((strTemp.trim().startsWith("<low>"))||(strTemp.trim().startsWith("</lo
w>")))
strTemp = infile.readLine();
// Removes high classification content if Access right is
low
if (strTemp.trim().startsWith("<high>")){
if(CLASSIFICATION.compareToIgnoreCase("low")==0)
blnWriteCurrentLine = false;
if(CLASSIFICATION.compareToIgnoreCase("high")==0)
blnWriteCurrentLine = true;
String str = "";
strTemp = infile.readLine();
do{
str = str + strTemp;
strTemp = infile.readLine();
}while(!(strTemp.trim().startsWith("</high>")));
strTemp = str;
//while (!(strTemp.trim().startsWith("</high>"))){
//strTemp = infile.readLine();
//}
}
if (blnWriteCurrentLine)
out.println(strTemp);
blnWriteCurrentLine = true;
}
}
catch(FileNotFoundException ex){}
catch(IOException ex){}
finally{
try {
if (frs !=null) frs.close();
if (fws !=null) fws.close();
}catch(IOException ex){}
}
return("");
}
71. 55
public String getMACType(String MAC_ADDR , String File_Name){
BufferedReader infile = null;
FileReader frs = null;
StringTokenizer st;
String strTemp;
String strType = "UNK";
String strMac;
int intType = 0;
int IntCount = 0;
try {
frs = new FileReader(File.separator + File_Name);
infile = new BufferedReader(frs);
while ((strTemp = infile.readLine()) != null)
{
st = new StringTokenizer(strTemp, "t");
strMac = st.nextToken();
System.out.println(strMac);
if (strMac.compareToIgnoreCase(MAC_ADDR)==0)
{
strType = st.nextToken();
break;
}
}
}
catch(FileNotFoundException ex){}
catch(IOException ex){}
finally{
try {
if (frs !=null) frs.close();
}catch(IOException ex){}
}
return (strType);
}
// used to test this servlet.
public void doGet(HttpServletRequest request,
HttpServletResponse response) throws IOException, ServletException {
PrintWriter out = response.getWriter();
response.setContentType("text/plain");
out.write("The NetServer Servlet is working");
out.flush();
}
72. 56
//**
// * Respond to a POST request for the content produced by
// * this servlet.
// *
// * @param request The servlet request we are processing
// * @param response The servlet response we are producing
// *
// * @exception IOException if an input/output error occurs
// * @exception ServletException if a servlet error occurs
// *//
public void doPost(HttpServletRequest request,HttpServletResponse
response) throws IOException, ServletException {
Date date = new Date();
BufferedReader reader = request.getReader();
char inData[] = new char[request.getIntHeader("Content-Length")];
reader.read(inData, 0, inData.length);
StringBuffer sb = new StringBuffer();
sb.append("NetServer Servletr");
sb.append(date.toString() + "r");
sb.append(new String(inData) + "r");
String strMAC = new String(inData);
String strVal = getMACType(strMAC, "MACList.dat");
if (strVal.compareToIgnoreCase("WIRELESS")==0)
{strVal = Extract("low", "page.html");
sb.append("http://131.120.10.153/out.html" + "r");
}else if (strVal.compareToIgnoreCase("WIRED")==0)
{strVal = Extract("high", "page.html");
sb.append("http://131.120.10.153/out.html" + "r");
}else
sb.append("Invalid MAC Address" + "r");
response.setContentType("text/plain");
response.setContentLength(sb.length());
PrintWriter out = response.getWriter();
out.write(sb.toString());
out.flush();
}
}
73. 57
2. Sample Content Page (Page.html)
<html>
<head>
<title> Demonstration of Content Re-direction</title>
</head>
<body bgcolor=white>
<center><b>Information Classification</b></center>
<high>
UnClassified For Official Use Only
<ol type=A>
<li> Section A
<li> This section contains UNCLASSFIED FOUO Information
<li> You should not be able to access this section if accessing
via WLAN
</ol>
</high>
<low>
UnClassified
<ul type=square>
<li> Section B
<li> This section contains UNCLASSIFIED Information
<li> You should be able to access this section from wired and
WLAN
</ul>
</low>
<high>
UnClassified For Official Use Only
<ol type=A>
<li> Section C
<li> This section contains UNCLASSIFIED FOUO Information
<li> You should not be able to access this section if accessing
via WLAN
</ol>
</high>
<low>
UnClassified
<ul type=square>
<li> Section D
<li> This section contains UNCLASSIFIED Information
<li> You should be able to access this section from wired and
WLAN
</ul>
</low>
</body>
</html>
74. 58
3. Output Page Generated for Client on Wireless Network
<html>
<head>
<title> Demonstration of Content Re-direction</title>
</head>
<body bgcolor=white>
<center><b>Information Classification</b></center>
UnClassified
<ul type=square>
<li> Section B
<li> This section contains UNCLASSIFIED Information
<li> You should be able to access this section from wired and
WLAN
</ul>
UnClassified
<ul type=square>
<li> Section D
<li> This section contains UNCLASSIFIED Information
<li> You should be able to access this section from wired and
WLAN
</ul>
</body>
</html>
75. 59
4. Output Page Generated for Client on Wired Network
<html>
<head>
<title> Demonstration of Content Re-direction</title>
</head>
<body bgcolor=white>
<center><b>Information Classification</b></center>
UnClassified For Official Use Only
<ol type=A>
<li> Section A
<li> This section contains UNCLASSFIED FOUO Information
<li> You should not be able to access this section if accessing
via WLAN
</ol>
UnClassified
<ul type=square>
<li> Section B
<li> This section contains UNCLASSIFIED Information
<li> You should be able to access this section from wired and
WLAN
</ul>
UnClassified For Official Use Only
<ol type=A>
<li> Section C
<li> This section contains UNCLASSIFIED FOUO Information
<li> You should not be able to access this section if accessing
via WLAN
</ol>
UnClassified
<ul type=square>
<li> Section D
<li> This section contains UNCLASSIFIED Information
<li> You should be able to access this section from wired and
WLAN
</ul>
</body>
</html>
77. 61
LIST OF REFERENCES
[NIST 2002] Tom Karygiannis and Les Owens. “Wireless Network Security-
802.11, Bluetooth and Handheld Devices”. Special Publication 800-48, National
Institute of Standards and Technology, sections 1 – 3, Nov 2002.
[DCID 6/3 1999] Director of Central Intelligence Agency Directive No 6/3.
“Protecting Sensitive Compartmented Information within Information Systems.”,
Central Intelligence Agency, Jun 1999.
[DCID 6/9 2002] Director of Central Intelligence Agency Directive No 6/9.
“Physical Security Standards for Sensitive Compartmented Information
Facilities”, Central Intelligence Agency, 18 Nov 2002.
[Bersani 2004] Bersani, “EAP Shared Key Methods: A Tentative Synthesis of
Those Proposed So Far” http://ietfreport.isoc.org/idref/draft-bersani-eap-
synthesis-sharedkeymethods/ date accessed 26 Nov 2004, Internet Engineering
Task Force, April 2004.
[Borisov 2002] Nikita Borisov, Ian Goldberg, David Wagner, “ Intercepting
Mobile Communications: The Insecurity of 802.11-Draft”.
http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf] date accessed 23 Sep
2004.
[Edney & Arbaugh 2004] Jon Edney and William A. Arbaugh. “Real 802.11
Security, WiFi Protected Access and 802.11i”. Addison Wesley 2004.
[FIPS 197 2001] Federal Information Processing Standards Publication 197,
“Announcing the Advanced Encryption Standard (AES)”,
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, date accessed 26 Nov
2004.
[CNSS 2003] “CNSS Policy No. 15, Fact Sheet No. 1 National Policy on the
Use of the Advanced Encryption Standard (AES) to Protect National Security
Systems and National Security Information”,
http://www.nstissc.gov/Assets/pdf/fact%20sheet.pdf date accessed 26 Nov 2004,
CNSS, Jun 2003.
[Kaufman 2002] Charlie Kaufman, Radia Perlman and Mike Speciner. “Network
Security, Private Communications in a Public World”, 2nd
Edition, p 104, Prentice
Hall, 2002.
79. 63
INITIAL DISTRIBUTION LIST
1. Defense Technical Information Center
Ft. Belvoir, Virginia
2. Dudley Knox Library
Naval Postgraduate School
Monterey, California
3. Professor Karen Burke
Naval Postgraduate School
Monterey, California
4. Professor Gurminder Singh
Naval Postgraduate School
Monterey, California
5. Oh Khoon Wee
Defense Science & Technology Agency (DSTA)
Singapore