Abstract: Defence R&D Canada led a project in which a wireless virtual private networking (VPN) architecture was set up in a test bed in the Network Information Operation (NIO) lab for 802.11a/b/g communications. The goal of this initial work was to aid in developing a security policy for the use of wireless local area networks (WLAN) in government enterprise networks. This report presents the results of follow-on work that leverages the Government of Canada (GoC) Public Key Infrastructure (PKI) technology for strong authentication of wireless users as well as VPN users. The solution presented herein relies on the latest wireless security protocols to secure the wireless link and includes an Internet Protocol Security (IPsec) based VPN to achieve a greater level of assurance for more sensitive GoC network environments. The work focuses on the establishment and protection of digital identities, mutual authentication, authorization, data privacy and integrity, as well as wireless network policy management and dissemination. We conclude that Wi-Fi Protected Access 2 (WPA2), when operating in enterprise mode and combined with GoC PKI-issued certificates and wireless network policy managed through Windows group policies, is an acceptable solution for providing authenticated, secure WLAN access to GoC protected environments. We also conclude that layering IPsec security on top of WPA2 adds complexity without providing additional assurance against unauthorized WLAN access. While testing the proposed solution, we encountered difficulties integrating the IPsec VPN component of the wireless VPN within an enterprise Microsoft Windows environment.
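The report's conclusion is that WPA2 in enterprise mode (802.1X with PKI-issued certificates, pushed through Windows group policy) is the acceptable configuration, as opposed to a pre-shared-key profile. As an added example that is not part of the report, the checker below parses Windows WLAN profile XML (the format `netsh wlan export profile` produces; the two sample profiles are constructed here) and flags profiles that do not meet that bar.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows WLAN profile XML (assumed format, not taken from the report).
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample: WPA2 enterprise mode, AES, 802.1X enabled (certificate-based EAP
# settings would sit under MSM/security/OneX and are omitted for brevity).
ENTERPRISE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>GoC-Protected</name>
  <SSIDConfig><SSID><name>GoC-Protected</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication>
    <encryption>AES</encryption>
    <useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample: WPA2 personal mode (pre-shared key), no 802.1X, so no per-user PKI identity.
PSK_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Office-PSK</name>
  <SSIDConfig><SSID><name>Office-PSK</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>WPA2PSK</authentication>
    <encryption>AES</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


def assess_profile(xml_text: str) -> dict:
    """Return the profile's security settings plus findings against the WPA2-Enterprise baseline."""
    root = ET.fromstring(xml_text)
    name = root.findtext("p:name", default="", namespaces=NS)
    ae = root.find("p:MSM/p:security/p:authEncryption", NS)
    if ae is None:
        return {"name": name, "acceptable": False, "findings": ["no authEncryption block (open network?)"]}
    auth = ae.findtext("p:authentication", default="", namespaces=NS).strip()
    enc = ae.findtext("p:encryption", default="", namespaces=NS).strip()
    onex = ae.findtext("p:useOneX", default="false", namespaces=NS).strip().lower() == "true"
    findings = []
    if auth != "WPA2":
        findings.append(f"authentication is {auth or 'unset'}, expected WPA2 (enterprise mode)")
    if enc != "AES":
        findings.append(f"encryption is {enc or 'unset'}, expected AES")
    if not onex:
        findings.append("802.1X disabled: no certificate-based user/machine authentication")
    return {"name": name, "authentication": auth, "encryption": enc,
            "onex": onex, "acceptable": not findings, "findings": findings}
```

Run over profiles collected from managed workstations, a non-empty `findings` list marks a WLAN profile that group policy should not have allowed.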