
Analysis And Design Of Trusted Network Connect Scheme Based On Tunneled EAP Method

Posted on: 2011-12-29 | Degree: Master | Type: Thesis
Country: China | Candidate: J H Yuan
GTID: 2178360308961614 | Subject: Computer Science and Technology
Abstract/Summary:
With the development of computer and network technology, network security issues have become more and more serious; they include computer viruses, Trojans, denial-of-service attacks, malicious software, hackers and other security problems. These threats have led to increasing investment in, and concern about, network and information security. To deal with so many external threats, corporate networks are generally deployed with traditional security measures, including firewall systems, intrusion detection systems and others, which protect the enterprise network to some extent. In fact, however, relying only on security devices at the network edge cannot ensure the complete security of the enterprise network, as most security incidents were caused by malicious internal terminals of the corporate network. The main solution to the security problems brought by harmful internal endpoints is to deploy a network access control mechanism. There are three major industry standards for network access control frameworks. This thesis focuses on Trusted Network Connect (TNC), specified by the Trusted Computing Group (TCG).

First, the security threats faced by current networks, the existing network security technology, and the deficiencies of the current network protection system were analyzed. Current network access control technologies, such as NAP, NAC and TNC, were summarized. The TNC architecture, including its entities, layers and interfaces, was analyzed. Related technical details of the TNC scheme, such as the IEEE 802.1x protocol, the Extensible Authentication Protocol (EAP), tunnel-based EAP authentication methods and the RADIUS protocol, were introduced.

Three TNC schemes based on tunneled EAP authentication methods, namely PEAP, EAP-TTLS and EAP-FAST, were designed, and the security of these three schemes was analyzed from different aspects. A TNC scheme selection mechanism was designed after analyzing the differences and similarities among PEAP, EAP-TTLS and EAP-FAST. Finally, the implementation of a Trusted Network Connect prototype system that complies with the TNC Specification was discussed.

To sum up, the work of this thesis can be summarized as follows:

1. A TNC scheme based on PEAP was designed, after discussing the principle of PEAP. The correctness, security, efficiency and practicality of the scheme were then analyzed.
2. A TNC scheme based on EAP-TTLS was designed, after discussing the principle of EAP-TTLS. The correctness, security, efficiency and practicality of the scheme were then analyzed.
3. A TNC scheme based on EAP-FAST was designed, after discussing the principle of EAP-FAST. The correctness, security, efficiency and practicality of the scheme were then analyzed.
4. A TNC scheme selection mechanism was designed after analyzing the differences and similarities among PEAP, EAP-TTLS and EAP-FAST.
5. The implementation of a Trusted Network Connect prototype system that complies with the TNC Specification was discussed.

At present, network access devices increasingly support the 802.1x protocol and tunnel-based EAP authentication methods, which means that TNC schemes based on tunneled EAP methods can be widely applied when enterprises deploy TNC authentication systems.
Keywords/Search Tags:Network security, Network access control, Trusted network connect, 802.1x, Tunneled EAP method