A Secure and Efficient Communications Architecture for Global Information Grid Users via Cooperating Space Assets

With the Information Age in full and rapid development, users expect to have global, seamless, ubiquitous, secure, and efficient communications capable of providing access to real-time applications and collaboration. The United States Department of Defense’s (DoD) Network-Centric Enterprise Services initiative, along with the notion of pushing the “power to the edge,” aims to provide end-users with maximum situational awareness, a comprehensive view of the battlespace, all within a secure networking environment. Building from previous AFIT research efforts, this research developed a novel security framework architecture to address the lack of efficient and scalable secure multicasting in the low earth orbit satellite network environment. This security framework architecture combines several key aspects of different secure group communications architectures in a new way that increases efficiency and scalability, while maintaining the overall system security level. By implementing this security architecture in a deployed environment with heterogeneous communications users, reduced re-keying frequency will result. Less frequent re-keying means more resources are available for throughput as compared to security overhead. This translates to more transparency to the end user; it will seem as if they have a “larger pipe” for their network links. As a proof of concept, this research developed and analyzed multiple mobile communication environment scenarios to demonstrate the superior re-keying advantage offered by the novel “Hubenko Security Framework Architecture” over traditional and clustered multicast security architectures. For example, in the scenario containing a heterogeneous mix of user types (Stationary, Ground, Sea, and Air), the Hubenko Architecture achieved a minimum ten-fold reduction in total keys distributed as compared to other known architectures. Another experiment demonstrated the Hubenko Architecture operated at 6% capacity while the other architectures operated at 98% capacity. In the 80% overall mobility experiment with 40% Air users, the other architectures re-keying increased 900% over the Stationary case, whereas the Hubenko Architecture only increased 65%. This new architecture is extensible to numerous secure group communications environments beyond the low earth orbit satellite network environment, including unmanned aerial vehicle swarms, wireless sensor networks, and mobile ad hoc networks

Performance evaluation of HIP-based network security solutions

Abstract. Host Identity Protocol (HIP) is a networking technology that systematically separates the identifier and locator roles of IP addresses and introduces a Host Identity (HI) name space based on a public key security infrastructure. This modification offers a series of benefits such as mobility, multi-homing, end-to-end security, signaling, control/data plane separation, firewall security, e.t.c. Although HIP has not yet been sufficiently applied in mainstream communication networks, industry experts foresee its potential as an integral part of next generation networks. HIP can be used in various HIP-aware applications as well as in traditional IP-address-based applications and networking technologies, taking middle boxes into account. One of such applications is in Virtual Private LAN Service (VPLS), VPLS is a widely used method of providing Ethernet-based Virtual Private Network that supports the connection of geographically separated sites into a single bridged domain over an IP/MPLS network. The popularity of VPLS among commercial and defense organizations underscores the need for robust security features to protect both data and control information. After investigating the different approaches to HIP, a real world testbed is implemented. Two experiment scenarios were evaluated, one is performed on two open source Linux-based HIP implementations (HIPL and OpenHIP) and the other on two sets of enterprise equipment from two different companies (Tempered Networks and Byres Security). To account for a heterogeneous mix of network types, the Open source HIP implementations were evaluated on different network environments, namely Local Area Network (LAN), Wireless LAN (WLAN), and Wide Area Network (WAN). Each scenario is tested and evaluated for performance in terms of throughput, latency, and jitter. The measurement results confirmed the assumption that no single solution is optimal in all considered aspects and scenarios. For instance, in the open source implementations, the performance penalty of security on TCP throughput for WLAN scenario is less in HIPL than in OpenHIP, while for WAN scenario the reverse is the case. A similar outcome is observed for the UDP throughput. However, on latency, HIPL showed lower latency for all three network test scenarios. For the legacy equipment experiment, the penalty of security on TCP throughput is about 19% compared with the non-secure scenario while latency is increased by about 87%. This work therefore provides viable information for researchers and decision makers on the optimal solution to securing their VPNs based on the application scenarios and the potential performance penalties that come with each approach.HIP-pohjaisten tietoliikenneverkkojen turvallisuusratkaisujen suorituskyvyn arviointi. Tiivistelmä. Koneen identiteettiprotokolla (HIP, Host Identity Protocol) on tietoliikenneverkkoteknologia, joka käyttää erillistä kerrosta kuljetusprotokollan ja Internet-protokollan (IP) välissä TCP/IP-protokollapinossa. HIP erottaa systemaattisesti IP-osoitteen verkko- ja laite-osat, sekä käyttää koneen identiteetti (HI) -osaa perustuen julkisen avainnuksen turvallisuusrakenteeseen. Tämän hyötyjä ovat esimerkiksi mobiliteetti, moniliittyminen, päästä päähän (end-to-end) turvallisuus, kontrolli-informaation ja datan erottelu, kohtaaminen, osoitteenmuutos sekä palomuurin turvallisuus. Teollisuudessa HIP-protokolla nähdään osana seuraavan sukupolven tietoliikenneverkkoja, vaikka se ei vielä olekaan yleistynyt laajaan kaupalliseen käyttöön. HIP–protokollaa voidaan käyttää paitsi erilaisissa HIP-tietoisissa, myös perinteisissä IP-osoitteeseen perustuvissa sovelluksissa ja verkkoteknologioissa. Eräs tällainen sovellus on virtuaalinen LAN-erillisverkko (VPLS), joka on laajasti käytössä oleva menetelmä Ethernet-pohjaisen, erillisten yksikköjen ja yhden sillan välistä yhteyttä tukevan, virtuaalisen erillisverkon luomiseen IP/MPLS-verkon yli. VPLS:n yleisyys sekä kaupallisissa- että puolustusorganisaatioissa korostaa vastustuskykyisten turvallisuusominaisuuksien tarpeellisuutta tiedon ja kontrolliinformaation suojauksessa. Tässä työssä tutkitaan aluksi HIP-protokollan erilaisia lähestymistapoja. Teoreettisen tarkastelun jälkeen käytännön testejä suoritetaan itse rakennetulla testipenkillä. Tarkasteltavat skenaariot ovat verrata Linux-pohjaisia avoimen lähdekoodin HIP-implementaatioita (HIPL ja OpenHIP) sekä verrata kahden eri valmistajan laitteita (Tempered Networks ja Byres Security). HIP-implementaatiot arvioidaan eri verkkoympäristöissä, jota ovat LAN, WLAN sekä WAN. Kaikki testatut tapaukset arvioidaan tiedonsiirtonopeuden, sen vaihtelun (jitter) sekä latenssin perusteella. Mittaustulokset osoittavat, että sama ratkaisu ei ole optimaalinen kaikissa tarkastelluissa tapauksissa. Esimerkiksi WLAN-verkkoa käytettäessä turvallisuuden aiheuttama häviö tiedonsiirtonopeudessa on HIPL:n tapauksessa OpenHIP:iä pirnempi, kun taas WAN-verkon tapauksessa tilanne on toisinpäin. Samanlaista käyttäytymistä havaitaan myös UDP-tiedonsiirtonopeudessa. HIPL antaa kuitenkin pienimmän latenssin kaikissa testiskenaarioissa. Eri valmistajien laitteita vertailtaessa huomataan, että TCP-tiedonsiirtonopeus huononee 19 ja latenssi 87 prosenttia verrattuna tapaukseen, jossa turvallisuusratkaisua ei käytetä. Näin ollen tämän työn tuottama tärkeä tieto voi auttaa alan toimijoita optimaalisen verkkoturvallisuusratkaisun löytämisessä VPN-pohjaisiin sovelluksiin

The Case for an Adaptive Integration Framework for Data Aggregation/Dissemination in Service-Oriented Architectures

Abstract The migration to Service Oriented Architectures (SOA

Development of future course content requirements supporting the Department of Defense's Internet Protocol verison 6 transition and implementation

This thesis will focus on academia, specifically the Naval Postgraduate School, and its requirement to implement an education program that allows facilitators to properly inform future students on the gradual implementation of Internet Protocol version 6 (IPv6) technology while phasing out Internet Protocol version 4 (IPv4) from the current curriculum as the transition to IPv6 progresses. The DoD's current goal is to complete the transition of all DoD networks from IPv4 to IPv6 by fiscal year 2008. With this deadline quickly approaching, it is imperative that a plan to educate military and DoD personnel be implemented in the very near future. It is my goal to research and suggest a program that facilitators can use that will show the similarities, changes, advantages, and challenges that exist for the transition.http://archive.org/details/developmentoffut109452743US Marine Corps (USMC) author.Approved for public release; distribution is unlimited.Approved for public release; distribution is unlimited

IPv6 tactical network management

Current and emerging technologies and equipment, such as unmanned aerial vehicles, ground sensors, networked radios, operator-worn sensor vests, and nanotechnology applications offer warfighters unprecedented command and control and information detection capabilities, yet the use of this technology has not been fully realized. The current protocol, IPv4, is incapable of providing enough addresses due to a depletion of IPv4 address space. IPv6, however, offers unprecedented network support for tactical-level sensor and communications assets in terms of increased address space, Quality of Service (QoS), flexibility, and security. The Department of Defense is transitioning from IPv4 to IPv6 in order to capitalize on IPv6's expanded capabilities. However, one unresolved area is proper IPv6 network management. Currently, the majority of the configuration and operational knowledge is in the mind of a very few individuals. The expertise currently available must be developed for application by the tactical network manager operating out on the edge of the network, in order to properly administer both an IPv4/IPv6 dual stacked network during the phased protocol transition and a purely native IPv6 network. Second, IPv6 features a robust Quality of Service (QoS) capability previously unavailable through IPv4, which requires research to determine the optimum configuration to support the warfighter's diverse requirements.http://archive.org/details/ipvtacticalnetwo109454574Outstanding ThesisUS Marine Corps (USMC) author.Approved for public release; distribution is unlimited

Airborne Network Optimization with Dynamic Network Update

Modern networks employ congestion and routing management algorithms that can perform routing when network routes become congested. However, these algorithms may not be suitable for modern military Mobile Ad-hoc Networks (MANETs), more specifically, airborne networks, where topologies are highly dynamic and strict Quality of Service (QoS) requirements are required for mission success. These highly dynamic networks require higher level network controllers that can adapt quickly to network changes with limited interruptions and require small amounts of network bandwidth to perform routing. This thesis advocates the use of Kalman filters to predict network congestion in airborne networks. Intelligent agents can make use of Kalman filter predictions to make informed decisions to manage communication in airborne networks. The network controller designed and implement in this thesis will take in the current and predicted queue size values to make intelligent network optimization decisions. These decisions will enhance the overall network throughput by reducing the number of dropped packets when compared with current static network and MANET protocols

An analysis of the risk exposure of adopting IPV6 in enterprise networks

The IPv6 increased address pool presents changes in resource impact to the Enterprise that, if not adequately addressed, can change risks that are locally significant in IPv4 to risks that can impact the Enterprise in its entirety. The expected conclusion is that the IPv6 environment will impose significant changes in the Enterprise environment - which may negatively impact organisational security if the IPv6 nuances are not adequately addressed. This thesis reviews the risks related to the operation of enterprise networks with the introduction of IPv6. The global trends are discussed to provide insight and background to the IPv6 research space. Analysing the current state of readiness in enterprise networks, quantifies the value of developing this thesis. The base controls that should be deployed in enterprise networks to prevent the abuse of IPv6 through tunnelling and the protection of the enterprise access layer are discussed. A series of case studies are presented which identify and analyse the impact of certain changes in the IPv6 protocol on the enterprise networks. The case studies also identify mitigation techniques to reduce risk