WO2006074853A1 - Method and arrangement for rejecting incoming messages containing non-matching identification information after port-based access control - Google Patents

Method and arrangement for rejecting incoming messages containing non-matching identification information after port-based access control

Info

Publication number
WO2006074853A1
Authority
WO
WIPO (PCT)
Prior art keywords
port
identification information
network element
access
network
Application number
PCT/EP2005/056963
Other languages
German (de)
English (en)
Inventor
Oliver Veits
Original Assignee
Siemens Aktiengesellschaft
Application filed by Siemens Aktiengesellschaft
Publication of WO2006074853A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • The invention relates to a method and an arrangement for port-related access control of a network element at an access element having multiple connection ports, preferably a switch.
  • A network element, or client, receives access to a data network by transmitting identification and authentication information to an authentication server via an access element.
  • The authentication server checks the information of the network element and decides on the access of the network element.
  • The access element is usually designed as a so-called "switch" or, more generally, as an access point.
  • A common access control method is known from the IEEE 802.1X standard.
  • The 802.1X standard provides a general method for authentication and authorization in data networks.
  • A network access is defined which corresponds to a physical connection or port on a local area network (LAN), or to a logical port according to the specifications for a wireless LAN (WLAN).
  • WLAN complies with the well-known IEEE 802.11 standard.
  • Authentication is performed at this network access by a so-called authenticator which, in cooperation with the authentication server, checks the authentication information transmitted by the network element ("supplicant") and, if appropriate, allows or denies access to the network access offered by the authenticator.
  • The authentication server is designed, for example, according to the known RADIUS (Remote Authentication Dial-In User Service) server protocol.
  • RADIUS is a client-server protocol used to authenticate users on dial-in connections to a computer network. This protocol is used, among other things, for central authentication of dial-up connections via modem, ISDN, VPN or wireless LAN.
  • The associated server service, the RADIUS server, is used to authenticate network elements using databases in which the identification information of the respective network element, e.g. a MAC (Media Access Control) address of the network element, and authentication information, e.g. a password, are stored.
  • In the following, port-related access control of a
  • - the network element, also called client or supplicant, that is to authenticate in the network
  • - the authenticator in the access element, which performs the authentication process with the network element
  • - the authentication server, which provides the authenticator with the information required for authentication.
  • The IEEE 802.1X standard stipulates that two logical ports are assigned to a physical port.
  • The physical connection always routes received packets to the so-called free port (uncontrolled port).
  • Furthermore, the controlled port can only be reached after an authentication, which takes place via the free port.
  • A major drawback is the fact that access is based on a port. This means that a successfully authenticated network element is assigned a controlled port which, after the authentication of a first network element, is also open for further, third network elements, without these third network elements having to log in according to the methods described above.
  • In a so-called "session hijacking", an attacking network element sends a message (disassociate message) to the successfully authenticated network element, requesting it to terminate the connection.
  • The access element still keeps the controlled port open, so that the attacker can gain access to the network without valid credentials.
  • Another possible attack is based on the attacker giving incorrect identification information, e.g. assigning itself a MAC address that has not been officially assigned to it, in order to gain access maliciously.
  • This attack is also referred to in the art as "MAC address spoofing". If a multiplicity of access requests with different MAC addresses identifying the source are sent to an access element, the MAC addresses can no longer be stored, as intended, in the MAC address table of the access element, since its capacity is exceeded after a certain number of stored entries. In the case of an access element configured as a switch, this usually means that response messages which the switch logic sends to the respective MAC address are now directed to all ports of the switch because of the capacity overrun. This circumstance can be exploited by the attacker to record communication with other network elements; the recorded communication provides a basis for adopting authorized MAC addresses and for disrupting the communication of other network elements or taking over their communication sessions.
  • A method known in the art under the term "LAN Management Policy Server", which provides a network-wide assignment of MAC addresses to individual network segments, has the disadvantage that authentication is based solely on the MAC address of the operator and not on an authentication server as in the IEEE 802.1X protocol. As a result, any operator using a registered MAC address has access to the network. For a malicious operator or attacker, however, it is not difficult to find out the MAC address of a network element assigned to him and then carry out the attack.
  • The object of the invention is to provide a method and an arrangement with which safer access control with fewer restrictions is achieved compared with the prior art.
  • The object is achieved, with regard to its method aspect, by a method having the features of patent claim 1 and, with regard to its device aspect, by a device having the features of patent claim 3.
  • An access element stores identification information of a network element which has already gained access.
  • A network element has received access when a connection port on the access element has been released for it.
  • The stored identification information is then compared with the identification information of each message arriving at the released connection port, in particular in the header of a data packet.
  • The MAC address of the network element can be used as identification information. If the identification information contained in a message does not match the stored information, the incoming message is discarded.
  • An essential advantage of the method according to the invention and of the associated device is that only the network element previously registered with its identification information receives access to a shared connection port.
  • A change of the identification in the sense of MAC address spoofing has the consequence that further messages of this network element are rejected and, advantageously, no load is placed on the message traffic "behind" the access element, i.e. within the network or in the data exchange with the authentication server.
  • The flooding of the MAC address table described above is advantageously prevented from the outset by discarding the message.
  • Another advantage of the method and the associated device according to the invention is that only a relatively simple modification of the control logic of the access element is required. In particular, no modification of the authentication server is required.
  • Mobility of network elements, e.g. those exchanging data wirelessly, is supported, since no restrictions with regard to a limited number of communication partners and their MAC addresses are required.
  • FIG. 1 shows a structure diagram for the schematic representation of a message exchange associated with the authentication of a network element CL to an authentication server SRV via an access element AP.
  • The process steps associated with the exchange of messages are shown in the drawing with arrows and an associated numerical reference. With reference to these reference numerals, the method proceeds as follows:
  • The access element AP requests identification information from the network element CL.
  • The network element CL transmits its identification information to the access element AP in the form of a special IEEE 802.1X message in which the MAC address of the network element CL is entered as the source MAC address.
  • The access element AP forwards the information received on the open port to the authentication server SRV.
  • The authentication server SRV requires authentication of the network element CL. This request, or "challenge", is first sent by the authentication server SRV to the access element AP.
  • The network element CL forwards a response to the request to the access element AP.
  • This response contains the required authentication, for example a specific password or a correct encryption of a string contained in the request.
  • The access element AP forwards the response to the authentication server SRV.
  • The authentication server SRV checks the response. In the case of success, it sends a corresponding message to the access element AP. (9) The controlled port is released by the access element AP. In addition, the access element forwards the message to the network element CL.
  • The access element AP stores the identification information, e.g. the MAC address and/or the VLAN ID (Virtual LAN identification number), of the network element CL.
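The following is an added example, not code from the patent or from Siemens: a small simulation of the access element's control logic described above. It runs the challenge/response exchange of FIG. 1 against a stand-in authentication server, releases the controlled port on success, stores the client's MAC address and VLAN ID for that port, and then discards every later frame on the port whose source MAC or VLAN does not match. The HMAC-based challenge check, the credential table standing in for the RADIUS database, the port and address names and all sample frames are constructed assumptions for illustration; the patent does not specify how the challenge is verified. The per-port drop counter is an addition that gives an operator a simple indicator of a changed MAC on a released port.

```python
"""Added example (not from the patent): simulated access element that binds the
authenticated MAC/VLAN to the released port and discards mismatching frames."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed stand-in for the RADIUS database: MAC address -> shared secret.
AUTH_DB: Dict[str, bytes] = {"00:11:22:33:44:55": b"client-secret"}


class AuthenticationServer:
    """Stand-in for SRV: issues a random challenge and verifies the response."""

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, mac: str, challenge: bytes, response: bytes) -> bool:
        secret = AUTH_DB.get(mac)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


@dataclass
class Port:
    released: bool = False            # is the controlled port open?
    bound_mac: Optional[str] = None   # identification stored at release time
    bound_vlan: Optional[int] = None
    dropped: int = 0                  # mismatched frames; a spoofing indicator


@dataclass
class AccessElement:
    server: AuthenticationServer
    ports: Dict[str, Port] = field(default_factory=dict)
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port id

    def authenticate(self, port_id: str, mac: str, vlan: int,
                     respond: Callable[[bytes], bytes]) -> bool:
        """Steps of FIG. 1: identity received on the free port, challenge relayed
        to the client, response relayed to SRV; on success the controlled port is
        released and the identification information is stored for that port."""
        port = self.ports.setdefault(port_id, Port())
        challenge = self.server.challenge()   # SRV -> AP
        response = respond(challenge)         # AP -> CL -> AP
        if not self.server.verify(mac, challenge, response):
            return False
        port.released = True
        port.bound_mac, port.bound_vlan = mac, vlan
        return True

    def ingress(self, port_id: str, src_mac: str, vlan: int) -> bool:
        """Accept a frame on a released port only if its identification matches."""
        port = self.ports.get(port_id)
        if port is None or not port.released:
            return False  # before authentication only the uncontrolled port exists
        if src_mac != port.bound_mac or vlan != port.bound_vlan:
            port.dropped += 1
            return False  # discarded: neither the MAC table nor the network sees it
        self.mac_table[src_mac] = port_id
        return True


def client_responder(secret: bytes) -> Callable[[bytes], bytes]:
    """Constructed supplicant: proves knowledge of the secret for a given challenge."""
    return lambda ch: hmac.new(secret, ch, hashlib.sha256).digest()


def demo() -> dict:
    """Authenticate one client, then replay the two cases the text describes
    (a changed source MAC, and a flood of distinct MACs) against the released port."""
    ap = AccessElement(AuthenticationServer())
    ok = ap.authenticate("port1", "00:11:22:33:44:55", 10,
                         client_responder(b"client-secret"))
    genuine = ap.ingress("port1", "00:11:22:33:44:55", 10)
    spoofed = ap.ingress("port1", "02:00:00:00:00:ff", 10)
    flood = [ap.ingress("port1", f"02:00:00:00:01:{i:02x}", 10) for i in range(200)]
    return {
        "authenticated": ok,
        "genuine_accepted": genuine,
        "spoofed_accepted": spoofed,
        "flood_accepted": any(flood),
        "mac_table_size": len(ap.mac_table),   # stays at 1: the table is not flooded
        "dropped": ap.ports["port1"].dropped,  # 201 mismatching frames discarded
    }


if __name__ == "__main__":
    print(demo())
```

Because the comparison happens at the port before any switch-logic lookup, the MAC address table only ever learns the bound address, which is the property the text relies on to prevent table flooding; a failed authentication leaves the port unreleased, so nothing is accepted on it at all.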

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for port-based access control of a network element (CL) at an access element (AP) having several connection ports, in which identification information and authentication information of the network element are requested (1, 5) and, if this identification and authentication information is valid, a connection port is released (9). According to the invention, the identification information of the network element is stored in the access element (2), and messages arriving after the release of the connection port are rejected if the identification information contained in these messages, in particular a MAC address, does not match the stored identification information.
PCT/EP2005/056963 2005-01-14 2005-12-20 Method and arrangement for rejecting incoming messages containing non-matching identification information after port-based access control WO2006074853A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102005001896 2005-01-14
DE102005001896.3 2005-01-14

Publications (1)

Publication Number Publication Date
WO2006074853A1 true WO2006074853A1 (fr) 2006-07-20

Family

ID=35997516

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2005/056963 WO2006074853A1 (fr) 2005-01-14 2005-12-20 Method and arrangement for rejecting incoming messages containing non-matching identification information after port-based access control

Country Status (1)

Country Link
WO (1) WO2006074853A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020032855A1 (en) * 2000-09-08 2002-03-14 Neves Richard Kent Providing secure network access for short-range wireless computing devices
US20030037163A1 (en) * 2001-08-15 2003-02-20 Atsushi Kitada Method and system for enabling layer 2 transmission of IP data frame between user terminal and service provider
US20030152035A1 (en) * 2002-02-08 2003-08-14 Pettit Steven A. Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules
EP1424807A1 (fr) * 2002-11-26 2004-06-02 Huawei Technologies Co., Ltd. Method for controlling membership of a multicast group

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"IEEE Standard for Local and metropolitan area networks - Port-based Network Access Control", IEEE STD 802.1X-2001, 14 June 2001 (2001-06-14), pages I - VIII,1, XP002270244 *

Similar Documents

Publication Publication Date Title
DE69833605T2 (de) Secure virtual LANs
DE602004003518T2 (de) Method and system for lawful interception of packet-switched network services
DE602004010519T2 (de) Remote-access VPN negotiation method and negotiation device
DE102014224694B4 (de) Network device and network system
DE60223951T2 (de) System, apparatus and method for SIM-based authentication and encryption when accessing a wireless local area network
DE60309652T2 (de) Method for managing membership of a multicast group
DE69825801T2 (de) Apparatus and method for enabling peer access control in a network
DE60209858T2 (de) Method and device for access control of a mobile terminal in a communication network
DE69923942T2 (de) Method and system for wireless mobile server and peer services with dynamic DNS update
DE602004011783T2 (de) Restricted WLAN access for an unknown mobile station
DE602004003568T2 (de) Network access control for a terminal connected via a VPN tunnel
DE60206634T2 (de) Method and system for authenticating users in a telecommunication system
EP1365620A1 (fr) Method for attaching a communication terminal to a service network (IMS)
DE102006060040B4 (de) Method and server for providing a protected data connection
EP1743462A1 (fr) Device for session-based packet transmission
WO2010049138A1 (fr) Method for establishing security mechanisms in wireless mesh networks
WO2019224001A1 (fr) Device, system and method for operating a software-defined network
EP1673921B1 (fr) Method for securing data traffic between a mobile telephone network and an IMS network
EP1721235B1 (fr) Communication system and method for providing a mobile communication service
CN1527557A (zh) Method for a bridging device to transparently forward 802.1x authentication packets
DE102023203519A1 (de) Session-based remote direct memory access
WO2006074853A1 (fr) Method and arrangement for rejecting incoming messages containing non-matching identification information after port-based access control
DE102006040313B3 (de) Method and arrangement for automatic configuration of a local radio network
EP1776821B1 (fr) System and method for reliable communication requests in a communication system comprising network communication computers and communication control computers
EP1929741B1 (fr) Access element and method for controlling the access of a network element

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05825326

Country of ref document: EP

Kind code of ref document: A1

WWW Wipo information: withdrawn in national office

Ref document number: 5825326

Country of ref document: EP