Preventing Distributed Denial-of-Service Attacks on the IMS Emergency Services Support through Adaptive Firewall Pinholing

Emergency services are vital services that Next Generation Networks (NGNs) have to provide. As the IP Multimedia Subsystem (IMS) is in the heart of NGNs, 3GPP has carried the burden of specifying a standardized IMS-based emergency services framework. Unfortunately, like any other IP-based standards, the IMS-based emergency service framework is prone to Distributed Denial of Service (DDoS) attacks. We propose in this work, a simple but efficient solution that can prevent certain types of such attacks by creating firewall pinholes that regular clients will surely be able to pass in contrast to the attackers clients. Our solution was implemented, tested in an appropriate testbed, and its efficiency was proven.Comment: 17 Pages, IJNGN Journa

YANG-Based Configuration Modeling - The SecSIP IPS Case Study

International audienceWe present our experience with the development of an XML-based configuration model for an Intrusion Prevention System (IPS) dedicated to the Session Initiation Protocol (SIP) used in voice over IP signaling. In previous works [AL-IM09, AL-NOMS10] we have presented the SecSIP framework, a prevention system for SIP-based networks, which adopts a rule-based approach for specifying preventions on SIP protocol activities to stop attacks exploiting known vulnerability before reaching their targets. The SecSIP framework relies on a proprietary language called VeTo to express the prevention rules. SecSIP uses a plain text configuration file in which specifications are authored and managed manually. While extending the deployment of the framework beyond our own lab, support for remote configuration was required. Given the promise of Netconf, we naturally turned our investigations towards this protocol and embraced the YANG data-modeling framework. In this paper we present the modeling result on the SecSIP configuration interface and share our experience with both YANG and Netconf. The first part of the paper is dedicated to the description of the data to be modeled, namely VeTo policies. The second part presents the Yang model built for VeTo policies and the Netconf framework put in place. Lessons learned during both modeling and coding phases are presented in a third part of the presentation. Finally some conclusions are given and future work is outlined

Interworking Architectures in Heterogeneous Wireless Networks: An Algorithmic Overview

The scarce availability of spectrum and the proliferation of smartphones, social networking applications, online gaming etc., mobile network operators (MNOs) are faced with an exponential growth in packet switched data requirements on their networks. Haven invested in legacy systems (such as HSPA, WCDMA, WiMAX, Cdma2000, LTE, etc.) that have hitherto withstood the current and imminent data usage demand, future and projected usage surpass the capabilities of the evolution of these individual technologies. Hence, a more critical, cost-effective and flexible approach to provide ubiquitous coverage for the user using available spectrum is of high demand. Heterogeneous Networks make use of these legacy systems by allowing users to connect to the best network available and most importantly seamlessly handover active sessions amidst them. This paper presents a survey of interworking architectures between IMT 2000 candidate networks that employ the use of IEFT protocols such as MIP, mSCTP, HIP, MOBIKE, IKEV2 and SIP etc. to bring about this much needed capacity

Delivering Live Multimedia Streams to Mobile Hosts in a Wireless Internet with Multiple Content Aggregators

We consider the distribution of channels of live multimedia content (e.g., radio or TV broadcasts) via multiple content aggregators. In our work, an aggregator receives channels from content sources and redistributes them to a potentially large number of mobile hosts. Each aggregator can offer a channel in various configurations to cater for different wireless links, mobile hosts, and user preferences. As a result, a mobile host can generally choose from different configurations of the same channel offered by multiple alternative aggregators, which may be available through different interfaces (e.g., in a hotspot). A mobile host may need to handoff to another aggregator once it receives a channel. To prevent service disruption, a mobile host may for instance need to handoff to another aggregator when it leaves the subnets that make up its current aggregator�s service area (e.g., a hotspot or a cellular network).\ud In this paper, we present the design of a system that enables (multi-homed) mobile hosts to seamlessly handoff from one aggregator to another so that they can continue to receive a channel wherever they go. We concentrate on handoffs between aggregators as a result of a mobile host crossing a subnet boundary. As part of the system, we discuss a lightweight application-level protocol that enables mobile hosts to select the aggregator that provides the �best� configuration of a channel. The protocol comes into play when a mobile host begins to receive a channel and when it crosses a subnet boundary while receiving the channel. We show how our protocol can be implemented using the standard IETF session control and description protocols SIP and SDP. The implementation combines SIP and SDP�s offer-answer model in a novel way

SecSip: A Stateful Firewall for SIP-based Networks

SIP-based networks are becoming the de-facto standard for voice, video and instant messaging services. Being exposed to many threats while playing an major role in the operation of essential services, the need for dedicated security management approaches is rapidly increasing. In this paper we present an original security management approach based on a specific vulnerability aware SIP stateful firewall. Through known attack descriptions, we illustrate the power of the configuration language of the firewall which uses the capability to specify stateful objects that track data from multiple SIP elements within their lifetime. We demonstrate through measurements on a real implementation of the firewall its efficiency and performance

Reflections on security options for the real-time transport protocol framework

The Real-time Transport Protocol (RTP) supports a range of video conferencing, telephony, and streaming video ap- plications, but offers few native security features. We discuss the problem of securing RTP, considering the range of applications. We outline why this makes RTP a difficult protocol to secure, and describe the approach we have recently proposed in the IETF to provide security for RTP applications. This approach treats RTP as a framework with a set of extensible security building blocks, and prescribes mandatory-to-implement security at the level of different application classes, rather than at the level of the media transport protocol

A personal distributed environment for future mobile systems

A Personal Distributed Environment (PDE) embraces a user-centric view of communications that take place against a backdrop of multiple user devices, each with its distinct capabilities, in physically separate locations. This paper provides an overview of a Personal Distributed Environment and some of the research issues related to the implementation of the PDE concept that are being considered in the current Mobile VCE work programme

MAGDA: A Mobile Agent based Grid Architecture

Mobile agents mean both a technology and a programming paradigm. They allow for a flexible approach which can alleviate a number of issues present in distributed and Grid-based systems, by means of features such as migration, cloning, messaging and other provided mechanisms. In this paper we describe an architecture (MAGDA – Mobile Agent based Grid Architecture) we have designed and we are currently developing to support programming and execution of mobile agent based application upon Grid systems