Network security

On the secure delivery of regular information

Sending bills or medical diagnoses through cleartext email has obvious security problems, but forcing users to log into every service provider webpage to download updates has major usability problems and doesn't scale. I propose a third alternative.

Enabling per-device traffic analysis with separate VLANs, 802.1x MAC based authentication, and OpenWRT

Why: For analysing what devices do on a network - specifically the shared medium of a wireless LAN - packet tracing based on IP address alone is often not sufficient. There are multicasts, the initial DHCP requests, and potentially other types of traffic not captured by that. Even MAC address based packet tracing is problematic given recent defaults of MAC address randomization, e.g. on Android (default since Android 10, optional before).

Transparent Tor-ifying VLAN (separated WLAN SSID) with OpenWRT

Why: Tor allows anonymizing Internet traffic through onion routing, typically via 3 separate hops. At INS, we run one of the fastest Tor exit nodes in Austria, and provide statistical data on its usage. For more details, please check those project websites. On my personal home network, I use Tor - among other reasons - to test various devices such as mobile phones, tablets, etc. with apps I do not necessarily trust, “smart home” / IoT style devices, or wearables.

Context authentication

[Finished Jan. 2008] Research into context-based device-to-device authentication.


[Finished Sept. 2014] Open source Ubiquitous Authentication Toolkit


[Finished Jan. 2008] Relative spatial positioning

Gibraltar firewall

[Finished/closed] A Linux firewall/UTM distribution with read-only root file system.

Design, Implementation, and Evaluation of Secure Communication for Line Current Differential Protection Systems over Packet Switched Networks

In this work we propose a secure communication concept for the protection of critical power supply and distribution infrastructure. Especially, we consider the line current differential protection method for modern smart grid implementations. This …

JKU Tor exit node

[Running] High-bandwidth Tor exit node at JKU/INS for research on use of anonymization


[Finished/stopped] A personal Dropbox replacement based on Git

IPsec/L2TP gateway for Android and iPhone clients on OpenWRT

How to set up an OpenWRT router/gateway as an IPsec/L2TP gateway for Android and iPhone clients

The only “reasonable” (that is, not counting PPTP due to its known security issues) VPN protocol supported by default on non-rooted / non-jailbroken Android / iPhone phones as clients is the combination of IPsec and L2TP. Most probably, this was chosen due to its out-of-the-box support by newer Windows clients and MacOS/X as well.

Howto use Aladdin eToken under Linux

Introduction: After some work on getting the Austrian Bürgerkarte to work under Linux, I have now decided to acquire some know-how about using more general smart cards under Linux. After some quick research, the Aladdin smart cards seem to be supported fairly well, so I ordered a bunch of different types. This page details how to make them work (my principal systems are running Debian or Ubuntu, but most should be applicable to any Linux distribution).

Howto combine Chillispot with OpenSwan on one machine

Imagine the following setting: there is some (possibly 802.11a/b/g wireless) network, which can range from a single access point to a complete backbone network of access points working together via WDS, or even a wired network infrastructure. This (W)LAN should serve two purposes: (1) act as an open “hotspot” type network where users do not need any special client configuration to use it (other than maybe a username/password combination or some prepaid account), and (2) simultaneously allow registered/special users to use it for purposes that are not open to the first public group. These are usually seen as two different use cases, and both are already in extensive use.

Squid filter patches

[Finished] Filtering patches for Squid proxy