Full metadata record

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | 조인휘 | - |
| dc.contributor.author | 김성덕 | - |
| dc.date.accessioned | 2020-03-17T17:15:36Z | - |
| dc.date.available | 2020-03-17T17:15:36Z | - |
| dc.date.issued | 2012-02 | - |
| dc.identifier.uri | https://repository.hanyang.ac.kr/handle/20.500.11754/138030 | - |
| dc.identifier.uri | http://hanyang.dcollection.net/common/orgView/200000418370 | en_US |
| dc.description.abstract | The use of smartphones, tablets and wireless LANs has recently grown rapidly, and the use of mobile devices is expanding from individuals to enterprises. In step with this market trend, enterprises are increasingly building mobile office environments that let employees carry out company work from outside, anytime and anywhere, using mobile terminals. However, the convenience brought by the mobile world and the growth of network infrastructure have increased vulnerabilities and threats from a security standpoint. As a solution, enterprises are expanding their use of the IEEE 802.1X framework, centered on wireless network environments, to strengthen authentication and security. 802.1X is a physical port-based authentication and network access control technology that provides stronger security than existing IP-based authentication methods. However, network equipment that does not support 802.1X still exists, so strong authentication and security cannot be applied to it, security vulnerabilities remain, and a solution is needed. To solve this problem, this thesis designs and implements an authentication proxy server that enables authentication even in environments without 802.1X support. The authentication proxy server provides 802.1X authentication for PC environments and supports MAC authentication for printers and VoIP phones, on which a client agent cannot be installed. For authentication and data packet processing, the packet forwarding function is implemented in kernel memory, enabling fast processing of packet traffic. Finally, in the conclusion, experiments on authentication time and data throughput were carried out to verify the performance of the proposed authentication proxy server. Compared with the authentication time of existing 802.1X-capable equipment, the experiments confirmed that the proposed method causes no degradation in authentication time and no delay in data packet throughput. The significance of the proposed approach is that it not only provides strengthened authentication and security by supporting 802.1X authentication and MAC authentication, but also allows a single server to be physically connected to, and authenticate, multiple devices that lack 802.1X support, which is more economical than replacing those devices with new equipment. | - |
| dc.description.abstract | Recently, mobile network infrastructure, in which mobile devices such as smartphones and tablet PCs access wireless LANs, has been penetrating enterprise network environments in the form of the mobile office. The mobile office enables employees to continue their work outside the company, regardless of time and place, using their mobile devices. However, while mobile network infrastructure has brought a convenient working environment, it has also increased exposure to security vulnerabilities and threats. One way to solve this problem is to reinforce authentication by expanding the use of the IEEE 802.1X framework. Although the IEEE 802.1X authentication framework, which provides a more secure way of authentication than the existing IP-based one because of its port-based access control, has been widely adopted as an authentication method for enterprise network systems, there still exists much office network equipment, such as printers, IP telephones and some network switches, that can hardly be authenticated via the IEEE 802.1X framework. In this thesis we design an authentication proxy server to deal with those network devices not covered by the IEEE 802.1X framework. In particular, our authentication proxy server is implemented so that: 1) it authenticates personal devices such as PCs and notebooks by means of user credentials (ID and password), and 2) network devices on which an IEEE 802.1X supplicant agent application cannot be easily installed are authenticated via their MAC addresses. To handle authentication packet data quickly, we also implement the packet forwarding function at the kernel level. Finally, tests were performed to validate the effectiveness and performance of the authentication proxy server. According to the experimental results, there is no degradation or delay in data packet throughput and response time compared with existing devices that support IEEE 802.1X. The authentication proxy server provides enhanced authentication and security with IEEE 802.1X authentication and MAC authentication. It is more cost-effective than replacing equipment with new devices, because it can cover multiple devices that do not support IEEE 802.1X. | - |
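| dc.publisher | Hanyang University | - |
| dc.title | Design and Implementation of an Authentication Function for Devices without IEEE 802.1X Support | - |
| dc.title.alternative | The design and implementation for authentication function in IEEE 802.1X unsupported device | - |
| dc.type | Theses | - |
| dc.contributor.googleauthor | 김성덕 | - |
| dc.contributor.alternativeauthor | Kim, Sung Duck | - |
| dc.sector.campus | S | - |
| dc.sector.daehak | Graduate School of Engineering | - |
| dc.sector.department | Department of Electrical and Electronic Engineering | - |
| dc.description.degree | Master | - |
| dc.contributor.affiliation | Computer Engineering major | - |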


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
