Network Access Control: Disruptive Technology?

Network Access Control (NAC) implements policy-based access control to the trusted network. It regulates entry to the network by the use of health verifiers and policy control points to mitigate the introduction of malicious software. However the current versions of NAC may not be the universal remedy to endpoint security that many vendors tout. Many organizations that are evaluating the technology, but that have not yet deployed a solution, believe that NAC presents an opportunity for severe disruption of their networks. A cursory examination of the technologies used and how they are deployed in the network appears to support this argument. The addition of NAC components can make the network architecture even more complex and subject to failure. However, one recent survey of organizations that have deployed a NAC solution indicates that the \u27common wisdom\u27 about NAC may not be correct

TNC-UTM: A Holistic Solution to Secure Enterprise Networks

This paper presents TNC-UTM, a holistic solution to secure enterprise networks from gateway to endpoints. Just as its name suggested, the TNC-UTM solution combines two popular techniques TNC and UTM together by defining an interface between them that integrates their security capacity to provide efficiently network access control and security protection for enterprise network. Not only TNC-UTM provides the features of TNC and UTM, but also it achieves stronger security and higher performance by introducing intelligent configuration decisions and RBAC mechanism. Experiment demonstrated the superior advantages of the TNC-UTM solution

Using secure coprocessors to enforce network access policies in enterprise and ad hoc networks

Nowadays, network security is critically important. Enterprises rely on networks to improvetheir business. However, network security breaches may cause them loss of millions of dollars.Ad hoc networks, which enable computers to communicate wirelessly without the need forinfrastructure support, have been attracting more and more interests. However, they cannotbe deployed effectively due to security concerns.Studies have shown that the major network security threat is insiders (malicious orcompromised nodes). Enterprises have traditionally employed network security solutions(e.g., firewalls, intrusion detection systems, anti-virus software) and network access controltechnologies (e.g., 802.1x, IPsec/IKE) to protect their networks. However, these approachesdo not prevent malicious or compromised nodes from accessing the network. Many attacksagainst ad hoc networks, including routing, forwarding, and leader-election attacks, requiremalicious nodes joining the attacked network too.This dissertation presents a novel solution to protect both enterprise and ad hoc networksby addressing the above problem. It is a hardware-based solution that protects a networkthrough the attesting of a node's configuration before authorizing the node's access to thenetwork. Attestation is the unforgeable disclosure of a node's configuration to another node,signed by a secure coprocessor known as a Trusted Platform Module (TPM).This dissertation makes following contributions. First, several techniques at operatingsystem level (i.e., TCB prelogging, secure association root tripping, and sealing-free attestation confinement) are developed to support attestation and policy enforcement. Second, two secure attestation protocols at network level (i.e., Bound Keyed Attestation (BKA) andBatched Bound Keyed Attestation (BBKA)) are designed to overcome the risk of a man-inthe-middle (MITM) attack. Third, the above techniques are applied in enterprise networks todifferent network access control technologies to enhance enterprise network security. Fourth,AdHocSec, a novel network security solution for ad hoc networks, is proposed and evaluated. AdHocSec inserts a security layer between the network and data link layer of the networkstack. Several algorithms are designed to facilitate node's attestation in ad hoc networks,including distributed attestation (DA), and attested merger (AM) algorithm

Security Implementation of Mission Control System for ESTCube-1 Satellite

Lühikokkuvõte ESTCube-1 on Eesti esimene satelliit ja ühtlasi onta ehitatud tervenisti üliõpilaste poolt. ESTCube-1 paljudestallsüsteemidest on üks osa missioonijuhtimissüsteemist (ingl. k.Mission Control System- MCS). Missioonijuhtimise tarkvara on modulaarne, moodulid võivad asuda erinevates serverites. Praeguses seadistusestöötab enamik moodulitest vaikimisi konfiguratsiooniseadetes ja mõnel juhul ei ole andmed piisavalt kaitstud – näiteks suhtlevad osad komponendidilma turvalise võrguühenduseta. Käesoleva töö eesmärk on süstemaatiliselt läheneda missioonijuhtimise süsteemi kui terviku turvalisusele ja leida lahendus senisest paremini turvatud süsteemi seadistamiseks. Töö koosneb järgnevatest sammudest:kirjeldada ESTCube-1 missioonijuhtimissüsteemi arhitektuuri, analüüsida kõikide süsteemi moodulite turvalahenduste võimalusi, rakendada leitud terviklahendus missioonijuhtimissüsteemi turvalahendustetestkeskkonnas, katsetadaja kontrollida süsteemi tööd uues seadistuses. Töös valitud lahendus võimaldab turvalisiühendusi erinevate moodulite vahel ja krüpteerib salvestatud andmed. Andmetele juurdepääsu saab piirata ka kasutajapõhiselt. Kokkuvõttes võib missioonijuhtimissüsteemi tarkvara panna tööle avatud ligipääsuga üle Interneti. Seni kasutatud lahendus tugines VPN ja SSH tunnelitele, mis on küll sobiliksüsteemi arenduseks, aga käesolev lahendus võimaldab süsteemile turvalise ligipääsu satelliidi opereerimise igapäevatöös. Võtmesõnad: ESTCube-1, Mission Control System, CubeSat, Hummingbird, Atlassian Crowd, Mongodb, Oracle 11g, Apache ActiveMQ, Jetty Web ServerAbstract: ESTCube-1 is Estonia’s first satellite project built by university students. ESTCube-1 Mission Control System (MCS) software is also developed as part of this educational project. Mission Control System is a modular system, comprised of various components in multiple servers, of which most of them are running on default or basic security configuration settings and in some cases, data is not protected well enough in the present state. Some of the components communicate over unsecured network thereby making its data vulnerable. As this thesis title “Security Implementation of Mission Control System for ESTCube-1 Satellite” implies, there is need for a systematic approach about the entire data security of the mission and my aim is to improve the security of ESTCube-1 Mission Control System. The following steps are taken in the thesis: establish a good understanding ESTCube-1 MCS architecture, understand the possibilities of security configurations of all used technologies, analyse the effect of a possible selection of security methods, implement the chosen solutions in a sandbox environment, test and verify the operating of the complete MCS with the implemented solution. The results shows security implementations done on the various components allows the connection between components are secure and data in motion are encrypted. Access to the data at rest are restricted, some are encrypted and only privileged users can gain access. Mission Control System accessibility over the Internet is more secure and access to the hardware tightened. In conclusion, the Mission Control System can certainly be accessed via the Internet securely as long as the user has valid certificates. Other access means are through other means like VPN and SSH Tunnelling. The original system configuration providedESTCube-1 MCS with just adequate security that would be befitting for a production environment, with the security solution found in current thesis, the system could be elevated for enterprise-level usage. Keywords: ESTCube-1, Mission Control System, CubeSat, Hummingbird, Atlassian Crowd, Mongodb, Oracle 11g, Apache ActiveMQ, Jetty Web Serve

Global interactions between firms and universities: Global Innovation Networks as first steps towards a Global Innovation System

This paper aims to broaden the horizon as well as to shed further light on the studies of interaction between firms and universities in a global context. Its starting point is thus a review of two different strands of the literature on innovation. First, the literature on interaction by Klevorick et al (1995) and Nelson (1993), and second, the more recent literature on Global Innovation Networks (GINs) by Ernst ( 2006) and The Economist Intelligence Unit ( 2007). These strands share a common problem: each has a blind spot in relation to the core focus of the other strand. The literature on interaction does not consider the international dimension in any depth, and the GINs literature does not integrate the university dimension adequately. This paper addresses the common weakness through a combination of the two approaches, searching for interactions between firms and universities globally. In doing so, the paper also puts forward a tentative framework on global interaction between firms and universities.interactions between firms and universities, National Innovation Systems, Global Innovation Networks.