COMMUNICATION SYSTEMS, NETWORKS AND DIGITAL SIGNAL PROCESSING
Fifth International Symposium, 19-21 July, 2006, Patras, Greece

Security in Wireless Networks: The FlexiNET Approach

G. Kostopoulos (1), C. Kavadias (2), C. Chrysoulas (3), S. Denazis (4), O. Koufopavlou (5)

(1, 3, 4, 5) Electrical and Computer Engineering Department, University of Patras, GREECE
{gkostop, cchrys, sdena, odysseas}@ee.upatras.gr

(2) TELETEL S.A, 124, Kifisias Avenue, Athens, GREECE
E-mail: [email protected]

21/07/2006, Patras, Greece CSNDSP 2006

Outline

– FlexiNET Architecture
– Security Overview
– Use Case Scenario
– AAA Proxy Module
– Authentication Scenarios


FlexiNET Architecture

The FlexiNET network architecture consists mainly of node instances, communication buses and data repositories.

The FlexiNET UMTS Access Node (FUAN) provides, over the FlexiNET interfaces, functions such as switching/routing control and access to application data and service logic. The FUAN complements the existing access nodes (RNC, BSC) of UMTS networks.

The FlexiNET WLAN Access Node (FWAN) acts both as a services access gateway (user authentication, service authorization, service discovery, etc.) and as the connection gateway between WLAN infrastructures and the FlexiNET WAN.

The FlexiNET Data Gateway Node (DGWN) acts as the gateway between generic SAN infrastructures and the FlexiNET network architecture, allowing the realisation of the data-centric FlexiNET services approach.

The Generic Applications Interface Bus is the central and most important mechanism for the interconnection of the FlexiNET instances.

The FlexiNET Applications Server (FLAS) is the physical entity which hosts the logic of the applications that the FlexiNET network architecture provides.


Security Overview

FWAN Architecture (figure not reproduced)

The entities responsible for security in FlexiNET's Wireless LAN node are the FWAN module and the FLAS server.

A user accesses the FWAN through an access point, using either a laptop or a mobile phone.

The FWAN is responsible for authenticating native and roaming users through the FLAS, using the AAA proxy module.

The Dynamic Service Deployment module must be deployed on the FWAN before boot-up.

The bootstrap process is responsible for booting up the FWAN with the AAA proxy module.

FLAS is the physical entity which hosts the logic of the services that the FlexiNET network architecture provides. These services are called remotely from other entities and executed locally.

FLAS provides services either to the other FlexiNET node instances or to third-party application servers. These services are exposed as Web Services via the Generic Applications Interface Bus.


Use Case Scenario

The FlexiNET Wireless Access Node supports two different authentication scenarios: the Login/Password scenario and the SIM-based authentication scenario. Both scenarios are built on the EAP and RADIUS protocols.

The entities involved in the authentication scenarios are the following:

– Client
– Authenticator
– AAA Proxy
– FLAS


AAA Proxy Architecture (figure not reproduced)

AAA Proxy Module

The AAA Proxy comprises the following components:

– the Web Services Server,
– the Translator,
– the Parser and
– the User Manager.

The data holders included in the AAA module are the EAP Packet Formats holder, the EAP Packet holder and the User State holder.

The AAA proxy module:
– forwards the authentication packets to the FLAS server,
– encapsulates the EAP packets into XML messages that are passed over Web Services, and vice versa, in order to authenticate and authorize the user.
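The Parser/Translator work described above, as an added example written by the editor (not code from the FlexiNET project): the authenticator side wraps an EAP packet into RADIUS EAP-Message attributes and signs the Access-Request with Message-Authenticator; the proxy side validates the framing, verifies the HMAC, reassembles the EAP packet and wraps it into an XML document for the Web-Service call, and unwraps it again. Attribute numbers 79/80, the 253-byte fragmentation and the rule that an Access-Request carrying EAP-Message without Message-Authenticator is discarded come from RFC 2865 and RFC 3579; the `AuthRequest`/`EAP` XML schema, the shared secret and the NAI are assumptions constructed for the example. The practitioner's check it adds is the tamper test: a flipped bit or a wrong shared secret is rejected before any EAP content reaches the FLAS.

```python
import base64
import hashlib
import hmac
import os
import struct
import xml.etree.ElementTree as ET

RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79             # RFC 3579: EAP packet in <=253-byte chunks
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579: HMAC-MD5 over the whole packet
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def build_eap_identity_response(eap_id, nai):
    """EAP Response/Identity: Code(1) Id(1) Length(2) Type(1) Identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + nai.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def parse_eap(pkt):
    """Header check; returns code, id, type and type-data of one EAP packet."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, eap_id, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return {"code": code, "id": eap_id,
            "type": pkt[4] if length > 4 else None, "data": pkt[5:]}


def _attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(radius_id, eap, secret, request_auth=None):
    """Authenticator side: EAP -> RADIUS Access-Request with Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = b"".join(_attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
                     for i in range(0, len(eap), 253))
    ma_offset = 20 + len(attrs) + 2          # where the 16 MAC bytes will sit
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while signing
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id,
                      20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_offset] + mac + pkt[ma_offset + 16:]


def parse_access_request(pkt, secret):
    """AAA proxy side: validate framing, verify Message-Authenticator, then
    reassemble the EAP packet. Raises ValueError on anything suspicious."""
    if len(pkt) < 20 or len(pkt) > 4096:
        raise ValueError("RADIUS packet length out of range")
    code, _radius_id, length = struct.unpack("!BBH", pkt[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    eap_parts, mac, ma_offset, pos = [], None, None, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + attr_len]
        if attr_type == ATTR_EAP_MESSAGE:
            eap_parts.append(value)
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16 or mac is not None:
                raise ValueError("bad or duplicate Message-Authenticator")
            mac, ma_offset = value, pos + 2
        pos += attr_len
    if not eap_parts:
        raise ValueError("no EAP-Message attribute")
    if mac is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579)")
    zeroed = pkt[:ma_offset] + bytes(16) + pkt[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator check failed")
    return b"".join(eap_parts)


def eap_to_xml(eap, session_id):
    """Translator: wrap the raw EAP packet for the Web-Service call (assumed schema)."""
    root = ET.Element("AuthRequest", session=session_id)
    ET.SubElement(root, "EAP", encoding="base64").text = base64.b64encode(eap).decode()
    return ET.tostring(root, encoding="unicode")


def xml_to_eap(doc):
    """Translator, reverse direction: XML back to EAP bytes."""
    root = ET.fromstring(doc)
    node = root.find("EAP")
    if root.tag != "AuthRequest" or node is None or node.get("encoding") != "base64":
        raise ValueError("unexpected document")
    return base64.b64decode(node.text, validate=True)


def is_rejected(pkt, secret):
    """True if the proxy refuses the packet (shows tamper/secret detection)."""
    try:
        parse_access_request(pkt, secret)
    except ValueError:
        return True
    return False


def demo():
    """End to end on constructed input: identity -> RADIUS -> proxy -> XML -> EAP."""
    secret = b"shared-secret-assumed"                                   # constructed
    eap = build_eap_identity_response(1, "1262011234567890@wlan.example")  # constructed NAI
    req = build_access_request(7, eap, secret)
    doc = eap_to_xml(parse_access_request(req, secret), "session-1")
    tampered = bytearray(req)
    tampered[30] ^= 0x01                     # flip one bit inside the identity
    return {"identity": parse_eap(xml_to_eap(doc))["data"].decode(),
            "tampered_rejected": is_rejected(bytes(tampered), secret),
            "wrong_secret_rejected": is_rejected(req, b"other-secret")}
```

Running `demo()` returns the recovered identity and two `True` flags for the tampered and wrong-secret packets. The Message-Authenticator is the only integrity protection an Access-Request carrying EAP has, so a proxy that skips this check will happily forward attacker-modified EAP payloads to the FLAS.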


Login/Password Authentication Scenario (sequence diagram not reproduced)

SIM based Authentication Scenario

Entities in the sequence diagram: WLAN UE, AP (EAP Authenticator), AAA Proxy, FLAS.

1. WLAN connection establishment between the UE and the AP.
2. AP -> UE: EAP Request/Identity.
3. UE -> AP: EAP Response/Identity (NAI based on a temporary identifier or the IMSI); the AP forwards it to the AAA Proxy in a RADIUS Access-Request.
4. AAA Proxy -> UE: RADIUS Access-Challenge carrying EAP Request/SIM Start.
5. UE -> AAA Proxy: EAP Response/SIM Start, carried in a RADIUS Access-Request.
6. AAA Proxy -> FLAS: the IMSI is forwarded to the FLAS through a generic Web Service; the FLAS computes the GSM triplets and returns a forwarding function that contains RAND.
7. AAA Proxy -> UE: RADIUS Access-Challenge carrying EAP Request/SIM Challenge (RAND).
8. UE: computation of Kc and SRES from RAND; UE -> AAA Proxy: EAP Response/SIM Challenge [Kc, SRES], carried in a RADIUS Access-Request.
9. AAA Proxy -> FLAS: sends the concatenated parameters Kc, SRES; the FLAS performs the authentication triplets check and the WLAN user profile check and returns a Boolean response (authentication = yes or no).
10. AAA Proxy -> UE: RADIUS Access-Accept carrying EAP Success (when the FLAS answers yes).

Procedures taking place in the AAA Proxy: encapsulation/decapsulation of EAP in RADIUS, and forwarding to the FLAS over Web Services.
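The exchange above, as an added example by the editor (not code from the slides or from the FlexiNET project): a Python model of the four roles, with the AP reduced to pass-through, the AAA Proxy holding only per-session User State and forwarding to the FLAS (the Web-Service call is modelled as a direct method call), and the FLAS generating the GSM triplet, checking the response against it and then checking the WLAN user profile before answering yes or no. Assumptions: `a3a8_stand_in` is an HMAC stand-in for the operator's A3/A8 (real SIMs run COMP128 or Milenage), and the IMSIs, Ki values and realm are constructed test data; the "1" prefix on the NAI is the EAP-SIM permanent-identity convention from RFC 4186. One deliberate departure from the slide: the UE's challenge response carries SRES plus a Kc-keyed MAC instead of [Kc, SRES], so the cipher key never crosses the air; that substitution is the editor's, in the spirit of RFC 4186's AT_MAC, not the FlexiNET design. The proxy also rejects out-of-order messages and the FLAS consumes each triplet once, so a replayed or premature response fails.

```python
import hashlib
import hmac
import os


def a3a8_stand_in(ki, rand):
    """Stand-in for the operator's A3/A8: returns (SRES 4 bytes, Kc 8 bytes)."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


def challenge_mac(kc, rand):
    """Editor's substitution for the slide's [Kc, SRES]: prove Kc without sending it."""
    return hmac.new(kc, b"EAP-SIM-challenge" + rand, hashlib.sha256).digest()


class FLAS:
    """Applications server: subscriber data, GSM triplets, WLAN profile check."""
    def __init__(self, subscribers):
        self.subscribers = subscribers   # imsi -> {"ki": bytes, "wlan": bool}
        self.pending = {}                # session -> (imsi, rand, sres, kc)

    def get_rand(self, session, imsi):
        """Web-Service call 1: IMSI in, RAND out; the triplet stays at the FLAS."""
        sub = self.subscribers.get(imsi)
        if sub is None:
            return None                  # unknown subscriber -> proxy must fail
        rand = os.urandom(16)
        sres, kc = a3a8_stand_in(sub["ki"], rand)
        self.pending[session] = (imsi, rand, sres, kc)
        return rand

    def check(self, session, sres, mac):
        """Web-Service call 2: triplet check, then WLAN user profile check -> bool."""
        entry = self.pending.pop(session, None)      # one-shot, so no replay
        if entry is None:
            return False
        imsi, rand, exp_sres, kc = entry
        triplet_ok = (hmac.compare_digest(sres, exp_sres)
                      and hmac.compare_digest(mac, challenge_mac(kc, rand)))
        return triplet_ok and self.subscribers[imsi]["wlan"]


class Client:
    """WLAN UE holding a SIM (IMSI, Ki)."""
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki

    def identity(self):
        return "1" + self.imsi + "@wlan.example"   # "1" prefix: EAP-SIM permanent id

    def respond(self, rand):
        sres, kc = a3a8_stand_in(self.ki, rand)    # computation of Kc, SRES on the UE
        return sres, challenge_mac(kc, rand)


class AAAProxy:
    """User State holder plus forwarding to the FLAS; never sees Ki or the triplet."""
    def __init__(self, flas):
        self.flas, self.state = flas, {}

    def _fail(self, session):
        self.state.pop(session, None)
        return ("Access-Reject", {"eap": "EAP-Failure"})

    def handle(self, session, eap):
        st = self.state.get(session, {"step": "IDENTITY"})
        if st["step"] == "IDENTITY" and eap["type"] == "Response/Identity":
            nai = eap["nai"]
            if not (nai.startswith("1") and "@" in nai):
                return self._fail(session)
            self.state[session] = {"step": "START", "imsi": nai[1:].split("@", 1)[0]}
            return ("Access-Challenge", {"eap": "Request/SIM/Start"})
        if st["step"] == "START" and eap["type"] == "Response/SIM/Start":
            rand = self.flas.get_rand(session, st["imsi"])    # IMSI to FLAS
            if rand is None:
                return self._fail(session)
            st["step"] = "CHALLENGE"
            return ("Access-Challenge", {"eap": "Request/SIM/Challenge", "rand": rand})
        if st["step"] == "CHALLENGE" and eap["type"] == "Response/SIM/Challenge":
            ok = self.flas.check(session, eap.get("sres", b""), eap.get("mac", b""))
            self.state.pop(session, None)
            return ("Access-Accept", {"eap": "EAP-Success"}) if ok else self._fail(session)
        return self._fail(session)       # out-of-order or unknown message


def run_scenario(client, proxy, session):
    """Drive the exchange end to end; returns the final RADIUS code."""
    code, reply = proxy.handle(session, {"type": "Response/Identity", "nai": client.identity()})
    if reply["eap"] != "Request/SIM/Start":
        return code
    code, reply = proxy.handle(session, {"type": "Response/SIM/Start"})
    if reply["eap"] != "Request/SIM/Challenge":
        return code
    sres, mac = client.respond(reply["rand"])
    code, _ = proxy.handle(session, {"type": "Response/SIM/Challenge", "sres": sres, "mac": mac})
    return code


# Constructed test subscribers (not real IMSIs or keys).
KI_A = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SUBSCRIBERS = {"262011234567890": {"ki": KI_A, "wlan": True},
               "262019876543210": {"ki": b"\x11" * 16, "wlan": False}}
```

`run_scenario(Client("262011234567890", KI_A), AAAProxy(FLAS(SUBSCRIBERS)), "s1")` returns `"Access-Accept"`; a wrong Ki, an unknown IMSI, a subscriber whose profile has no WLAN entitlement, or a SIM/Start sent before the identity all end in `"Access-Reject"`. This is the property the slide's Boolean answer encodes: authentication and authorization are decided together at the FLAS, and the proxy only relays the verdict.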


Conclusions

In this paper we present an alternative architecture that provides authentication using Web Services for the exchange of authentication material.

Using the proposed method we are able to authenticate the user independently of the user's type.

The user does not have to choose the authentication method. The system itself, through the AAA Proxy, selects the security mechanism to be used for each user, using the same infrastructure in every case.


Thank You for Your Attention!