20 research outputs found

    Novel architectures and strategies for security offloading

    Internet has become an indispensable and powerful tool in our modern society. Its ubiquitousness, pervasiveness and applicability have fostered paradigm changes around many aspects of our lives. This phenomenon has positioned the network and its services as fundamental assets over which we rely and trust. However, Internet is far from being perfect. It has considerable security issues and vulnerabilities that jeopardize its main core functionalities with negative impact over its players. Furthermore, these vulnerabilities' complexities have been amplified along with the evolution of Internet user mobility. In general, Internet security includes both security for the correct network operation and security for the network users and endpoint devices. The former involves the challenges around the Internet core control and management vulnerabilities, while the latter encompasses security vulnerabilities over end users and endpoint devices. Similarly, Internet mobility poses major security challenges ranging from routing complications, connectivity disruptions and lack of global authentication and authorization. The purpose of this thesis is to present the design of novel architectures and strategies for improving Internet security in a non-disruptive manner. Our novel security proposals follow a protection offloading approach. The motives behind this paradigm target the further enhancement of the security protection while minimizing the intrusiveness and disturbance over the Internet routing protocols, its players and users. To accomplish such level of transparency, the envisioned solutions leverage on well-known technologies, namely, Software Defined Networks, Network Function Virtualization and Fog Computing.
From the Internet core building blocks, we focus on the vulnerabilities of two key routing protocols that play a fundamental role in the present and the future of the Internet, i.e., the Border Gateway Protocol (BGP) and the Locator-Identifier Split Protocol (LISP). To this purpose, we first investigate current BGP vulnerabilities and countermeasures with emphasis on an unresolved security issue defined as Route Leaks. Therein, we discuss the reasons why different BGP security proposals have failed to be adopted, and the necessity to propose innovative solutions that minimize the impact over the already deployed routing solution. To this end, we propose pragmatic security methodologies to offload the protection with the following advantages: no changes to the BGP protocol, neither dependency on third party information nor on third party security infrastructure, and self-beneficial. Similarly, we research the current LISP vulnerabilities with emphasis on its control plane and mobility support. We leverage its by-design separation of control and data planes to propose an enhanced location-identifier registration process of end point identifiers. This proposal improves the mobility of end users with regard to securing a dynamic traffic steering over the Internet. On the other hand, from the end user and devices perspective we research new paradigms and architectures with the aim of enhancing their protection in a more controllable and consolidated manner. To this end, we propose a new paradigm which shifts the device-centric protection paradigm toward a user-centric protection. Our proposal focuses on the decoupling or extending of the security protection from the end devices toward the network edge. It seeks the homogenization of the enforced protection per user independently of the device utilized. We further investigate this paradigm in a mobility user scenario. Similarly, we extend this proposed paradigm to the IoT realm and its intrinsic security challenges.
Therein, we propose an alternative to protect both the things, and the services that leverage from them by consolidating the security at the network edge. We validate our proposal by providing experimental results from proof-of-concept implementations.
The Internet has become a powerful and indispensable tool for our modern society. Its ubiquity and applicability have driven major changes in different aspects of our lives. This phenomenon has positioned the network and its services as fundamental assets on which we rely and trust. However, the Internet is far from perfect. It has considerable security problems and vulnerabilities that endanger its main functionalities. Moreover, the complexities of these vulnerabilities have grown along with the evolution of Internet user mobility and its limited support. Internet security includes both security for the correct operation of the network and security for users and their devices. The former involves the challenges related to the control and management vulnerabilities of the core Internet infrastructure, while the latter covers security vulnerabilities affecting end users and their devices. Likewise, mobility on the Internet poses major security challenges, ranging from routing complications and connectivity disruptions to the lack of global authentication and authorization. The purpose of this thesis is to present the design of new architectures and strategies to improve Internet security in a non-disruptive way. Our security proposals follow a protection decoupling approach. The motives behind this paradigm aim at further improving security while minimizing intrusiveness and disturbance to Internet routing protocols, their players and users.
To achieve this level of transparency, the envisioned solutions take advantage of new technologies, such as software-defined networks (SDN), network function virtualization (VNF) and fog computing. From the Internet core perspective, we focus on the vulnerabilities of two key routing protocols that play a fundamental role in the present and future of the Internet, the Border Gateway Protocol (BGP) and the Locator/Identifier Separation Protocol (LISP). To this end, we first investigate the vulnerabilities of, and countermeasures for, an unresolved problem in BGP defined as Route Leaks. We propose pragmatic security methodologies to decouple the protection with the following advantages: no changes to the BGP protocol, zero dependency on third-party information or on third-party security infrastructure, and self-benefit. Likewise, we investigate the current vulnerabilities of LISP with emphasis on its control plane and mobility support. We leverage the separation of its control and data planes to propose an improved registration process for location and endpoint identifiers, securely validating their respective authorizations. This proposal improves end-user mobility with respect to securing dynamic traffic routing across the Internet. In parallel, from the point of view of end users and devices, we investigate new paradigms and architectures with the aim of improving their protection in a controllable and consolidated way. To this end, we propose a new paradigm towards user-centric protection. Our proposal focuses on decoupling or extending security protection from end devices toward the network edge. It seeks to homogenize user protection regardless of the device used.
In addition, we investigate this paradigm in a mobility scenario. We validate our proposal by providing experimental results obtained from different experiments and implemented proofs of concept. Postprint (published version)

    Offloading personal security applications to the Network Edge: a mobile user case scenario

    This paper discusses some challenges that user mobility imposes over the user-centric protection model against security threats. This model is based on the idea of offloading the security applications from the end user device, and placing them in a trusted network node at the network's edge. Our research perspective is particularly centered around three interrelated mobility challenges, i) the allocation of the security applications "close" to the user, i.e., on network nodes with enhanced processing capabilities, ii) seamless mobility with negligible disruption of ongoing network connections, and iii) dynamic orchestration and management with support of security applications migration. Based on our arguments, we expose the main requirements and trade-offs to be considered in the attempt to support mobility in such environment. We propose a flexible solution that leverages Software Defined Networking, Network Function Virtualization and Computing at the Network Edge to offer a seamless on-path security protection to mobile users. Our preliminary experiments' results considering a WiFi mobile user show that seamless security migration and mobility are feasible in a simple real scenario. Vertical mobility and more complex use cases scenarios are envisioned for future research. Peer Reviewed

    Self-reliant detection of route leaks in inter-domain routing

    Route leaks are among the several inter-domain routing anomalies that have the potential to cause large scale service disruptions on the Internet. The reason behind the occurrence of route leaks is the violation of routing policies among Autonomous Systems (ASes). There exist a few rudimentary solutions that can be used as a first line of defense, such as the utilization of route filters, but these palliatives become unfeasible in large domains due to the administrative overhead and the cost of maintaining the filters updated. As a result, a significant part of the Internet is defenseless against route leak attacks. In this paper, we examine the different types of route leaks and propose detection methodologies for improving the reliability of the routing system. Our main contributions can be summarized as follows. We develop a relatively basic theoretical framework, which, under realistic assumptions, enables a domain to autonomously determine if a particular route advertisement received from a neighbor corresponds to a route leak. Based on this, we propose three incremental methodologies, namely Cross-Path (CP), Benign Fool Back (BFB), and Reverse Benign Fool Back (R-BFB), for autonomously detecting route leaks. Our strength resides in the fact that these detection techniques solely require the analysis of control and data plane information available within the domain. We analyze the performance of the proposed route leak identification techniques both through real-time experiments as well as simulations at large scale. Our results show that the proposed detection techniques achieve high success rates for countering route leaks in different scenarios

    Key ingredients in an IoT recipe: fog computing, cloud computing, and more fog computing

    This paper examines some of the most promising and challenging scenarios in IoT, and shows why current compute and storage models confined to data centers will not be able to meet the requirements of many of the applications foreseen for those scenarios. Our analysis is particularly centered on three interrelated requirements: 1) mobility; 2) reliable control and actuation; and 3) scalability, especially, in IoT scenarios that span large geographical areas and require real-time decisions based on data analytics. Based on our analysis, we expose the reasons why Fog Computing is the natural platform for IoT, and discuss the unavoidable interplay of the Fog and the Cloud in the coming years. In the process, we review some of the technologies that will require considerable advances in order to support the applications that the IoT market will demand. Atena

    Securing the LISP map registration process

    The motivation behind the Locator/Identifier Separation Protocol (LISP) has shifted over time from routing scalability issues in the core Internet to a set of use cases for which LISP stands as a technology enabler. Among these are the mobility of physical and virtual appliances without breaking their TCP connections, seamless migration and fast deployments of IPv6, multihoming, and data-center applications. However, LISP was born without security, and therefore is susceptible to attacks in its control-plane. The IETF's LISP working group has recently started to work in this direction, but the protocol still lacks end-to-end mechanisms for securing the overall registration process on the mapping system. In this paper, we address this issue and propose a solution that counters the attacks. We have deployed LISP in a real testbed, and compared the performance of our proposal with current LISP implementations, in terms of both messaging and packet size overhead. Our preliminary results prove that our solution offers much higher security with minimum overhead. Atlant

    Torsion in road vehicles caused by surface irregularities Part 3

    Translated from German (Automobiltech. Z. Nov 1957). SIGLE. Available from British Library Document Supply Centre - DSC:9022.6(MIRA-Trans--44/88)T / BLDSC - British Library Document Supply Centre. GB. United Kingdom

    Diagnosis of route leaks among autonomous systems in the Internet

    Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet. It was designed without an inherent security mechanism and hence is prone to a number of vulnerabilities which can cause large scale disruption in the Internet. Route leak is one such inter-domain routing security problem which has the potential to cause wide-scale Internet service failure. Route leaks occur when Autonomous systems violate export policies while exporting routes. As BGP security has been an active research area for over a decade now, several security strategies were proposed, some of which either advocated complete replacement of the BGP or addition of new features in BGP, but they failed to achieve global acceptance. Even the most recent effort in this regard, led by the Secure Inter-Domain Routing (SIDR) working group (WG) of IETF fails to counter all the BGP anomalies, especially route leaks. In this paper we look at the efforts in countering the policy related BGP problems and provide analytical insights into why they are ineffective. We contend a new direction for future research in managing the broader security issues in the inter-domain routing. In that light, we propose a naive approach for countering the route leak problem by analyzing the information available at hand, such as the RIB of the router. The main purpose of this paper was to position and highlight the autonomous smart analytical approach for tackling policy related BGP security issues. © 2014 IEEE. Peer Reviewed