
Every network needs a secure login method so that users can feel comfortable that any confidential information available in the network is kept secure. To maintain security in the network, network administrators need to consider what level of security can be provided. To achieve a high level of security, network administrators need to know the cost of deployment, including whether any additional equipment is required in the existing security setup.

Port-based access control (802.1X) can be used to authenticate users; it requires one or more authentication methods to establish a high level of security. It is necessary to evaluate the performance of widely used EAP methods for wired and wireless networks and to compare the results for both networks, to check whether any additional delay occurs, whether one particular protocol can be implemented for both wired and wireless networks, and whether the EAP methods are capable of handling heavy loads.

For RQ1, the results in Table 4.1 and Table 4.2 show that the authentication time and total processing time of EAP-MD5 are lower than those of the other protocols, but it is vulnerable to many attacks and is not secure, as shown in Table 2.2. The better protocol is one that provides both good security and good performance on the network. EAP-PEAP, EAP-TTLS and EAP-TLS are secure protocols, but EAP-TLS is more secure than EAP-TTLS and EAP-PEAP. The reason is that EAP-TLS provides client-server certificate exchange in the authentication process, whereas EAP-TTLS and EAP-PEAP require only server-side certificate exchange.

The experiment performed in the wired scenario is similar to the work done by [8]. A switch is used as the authenticator in [8], and in this paper a router is used. The experiment in [8] was performed on personal computers, whereas we performed the experiment using laptops. Figure 7.1 and Figure 7.2 show the comparison of our wired network results and the experimental results of [8]. The comparison of authentication time and total processing time shows little variation; the variation might be due to the change in authenticator device or to the change in supplicant and authentication server devices, as PCs were used in [8] but laptops were used in our work.

[Bar chart: MD5, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAPv2 and PEAP-MSCHAPv2; series "This work" and "Previous work"; axis from 0 to 0.3]

[Bar chart: MD5, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAPv2 and PEAP-MSCHAPv2; series "This work" and "Previous work"; axis from 0 to 0.3]

Figure 7.2: Total Processing Time in comparison to work done by [8]

For RQ2, the results in Table 4.3 and Table 4.4 show that the processing time and authentication time of EAP-MD5 are smaller. EAP-TLS takes higher authentication time and processing time; the reason may be its two-way certificate exchange. EAP-TTLS and EAP-PEAP provide moderate authentication time and processing time, as they have only one-way certificate exchange.

From Table 4.1 and Table 4.3, the authentication time for the different EAP methods in the wired network is seen to be comparatively less than in the wireless network. As 30 samples were collected for each EAP method to check the variation obtained, the standard deviation was calculated over the 30 samples. The standard deviation results show little variation.

From Table 4.2 and Table 4.4, it is seen that the total processing time for the wired network gives better performance than for the wireless network. The reason for the delay might be the flow of packets wirelessly. As mentioned above, the standard deviation of the total processing time for each EAP method was seen to have little variation.

To check whether the different EAP methods scale with the number of users in the wireless network, a scalability experiment was conducted in which 10 users were asked to log in to the network simultaneously. From Table 5.1, the results of the scalability experiment indicate that even if a number of users try to log in simultaneously, the variation in the results seems to be negligible for both authentication time and total processing time.

From the information given by the companies, PEAP-MSCHAPv2 is the protocol they use. In the authentication time results, PEAP-MSCHAPv2 takes 0.2532 seconds to authenticate in the wired network, whereas in the wireless network it takes 0.3278 seconds. PEAP-MSCHAPv2 is not a considerably secure protocol in comparison to EAP-TLS, but due to implementation complexities, deployment charges and low maintenance cost it has become highly popular among network administrators. We think that EAP-TLS is the more secure protocol compared to the other protocols in this study, if a high level of security needs to be achieved.

the network security provided by BTH network administrator. Approximately 22% of the questioned students regard the network security provided by BTH as not secure. The responses also indicate that the majority of the students are willing to wait longer to get higher security when connecting to the network.

7.1 Assessment

• There may be some impact of Wireshark on the measurement; a packet may not reach Wireshark at the same time as it reaches the supplicant. A few packets may get lost and might not reach Wireshark at all. Hence the packets of every successful login must be counted, and the number of packets received must be the same for all.

• The results are calculated manually, so there may be a little variation in each sample time as compared to an automated system. We feel that the variation between samples obtained manually and with an automated system is small enough to be negligible.
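
The packet-count check from the first assessment point, together with the per-method standard deviation used in the discussion above, can be automated; the following is an added example, not code from the thesis. Assumptions: frames are EAPOL payloads without the Ethernet header, a login's duration is taken from the first EAP-Request/Identity to EAP-Success (the thesis's own definitions of authentication time and total processing time are not on this page), the most common packet count is treated as the expected one, and the capture is constructed.

```python
import statistics
from collections import Counter

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
IDENTITY, MD5_CHALLENGE = 1, 4                     # EAP method types (RFC 3748)

def frame(code, eap_type=None):
    """Constructed EAPOL frame: 802.1X header (version 1, type 0 = EAP-Packet) + EAP."""
    body = b"" if eap_type is None else bytes([eap_type])
    eap = bytes([code, 1, 0, 4 + len(body)]) + body     # code, id, 16-bit length
    return bytes([1, 0, 0, len(eap)]) + eap

def parse_eapol(raw):
    """Return (eap_code, eap_type or None), or None if not an EAPOL EAP-Packet."""
    if len(raw) < 8 or raw[1] != 0:
        return None
    return raw[4], (raw[8] if raw[4] in (REQUEST, RESPONSE) and len(raw) > 8 else None)

def split_logins(capture):
    """Group (timestamp, raw) pairs into attempts: Request/Identity to Success/Failure."""
    logins, current = [], None
    for ts, raw in capture:
        parsed = parse_eapol(raw)
        if parsed == (REQUEST, IDENTITY):
            current = []                  # new attempt; an unfinished one is dropped
        if parsed is None or current is None:
            continue
        current.append((ts, parsed[0]))
        if parsed[0] in (SUCCESS, FAILURE):
            logins.append(current)
            current = None
    return logins

def summarize(capture):
    """Duration statistics over successful logins that have the modal packet count."""
    ok = [run for run in split_logins(capture) if run[-1][1] == SUCCESS]
    if not ok:
        raise ValueError("no successful login in capture")
    expected = Counter(len(run) for run in ok).most_common(1)[0][0]
    times = [run[-1][0] - run[0][0] for run in ok if len(run) == expected]
    return {"expected_packets": expected, "used": len(times),
            "discarded": len(ok) - len(times), "mean": statistics.mean(times),
            "stdev": statistics.stdev(times) if len(times) > 1 else 0.0}

def sample_capture():
    """Constructed capture: two complete EAP-MD5 logins, then one with a lost packet."""
    md5 = [(REQUEST, IDENTITY), (RESPONSE, IDENTITY), (REQUEST, MD5_CHALLENGE),
           (RESPONSE, MD5_CHALLENGE), (SUCCESS, None)]
    runs = [(0.0, 0.025, md5), (1.0, 0.03, md5), (2.0, 0.1, md5[:2] + md5[3:])]
    return [(t0 + i * dt, frame(*m)) for t0, dt, msgs in runs for i, m in enumerate(msgs)]
```

Calling `summarize(sample_capture())` keeps the two five-packet logins and discards the login whose capture is missing the MD5 challenge, so its inflated duration does not enter the mean or standard deviation.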
