852 research outputs found

    Protection of LAN-wide, P2P interactions: a holistic approach

    Get PDF
    This article advocates the need of a holistic approach to protect LAN interactions and presents a solution for implementing it based on secure LAN (SLAN), a novel security architecture. SLAN uses the 802.1X access control mechanisms and is supported by a key distribution centre (KDC) built upon an 802.1X authentication server. The KDC is used, together with a new host identification policy and modified DHCP servers, to provide proper resource allocation and message authentication in DHCP transactions. The KDC is used to authenticate ARP transactions and to distribute session keys to pairs of LAN hosts, allowing them to set up arbitrary, LAN-wide peer-to-peer security associations using such session keys. We show how PPPoE and IPSec security associations may be instantiated and present a prototype implementation for IPSec

    Network Access Control: Disruptive Technology?

    Get PDF
    Network Access Control (NAC) implements policy-based access control to the trusted network. It regulates entry to the network by the use of health verifiers and policy control points to mitigate the introduction of malicious software. However the current versions of NAC may not be the universal remedy to endpoint security that many vendors tout. Many organizations that are evaluating the technology, but that have not yet deployed a solution, believe that NAC presents an opportunity for severe disruption of their networks. A cursory examination of the technologies used and how they are deployed in the network appears to support this argument. The addition of NAC components can make the network architecture even more complex and subject to failure. However, one recent survey of organizations that have deployed a NAC solution indicates that the \u27common wisdom\u27 about NAC may not be correct

    Greenpass RADIUS Tools for Delegated Authorization in Wireless Networks

    Get PDF
    Dartmouth\u27s Greenpass project extends how public key cryptography can be used to secure the wireless LAN with a RADIUS (Remote Authentication Dial In User Service) server that is responsible for handling authentication requests from clients (called supplicants in the 802.1x authentication model). This thesis describes the design and implementation of the authentication process of Greenpass, specifically what decisions are made in determining who is granted access and how a small modification of already existing protocols can be used to provide guest access in a way that better reflects how delegation of authority works in the real world. Greenpass takes advantage of the existing PKI to authenticate local Dartmouth users via X.509 identity certificates using EAP-TLS. We use the flexibility of SPKI/SDSI (Simple Public Key Infrastructure/Simple Distributed Security Infrastructure) authorization certificates to distribute the responsibility of delegating access to guests to certain authorized delegators, avoiding some of the necessary steps and paperwork associated with having a large centralized entity responsible for the entire institution. This thesis also discusses how our solution can be adapted to support different methods of guest delegation and investigates the possibility of eliminating the cumbersome central entity and administrative overhead traditionally associated with public key cryptography

    Regional Address Registries, Governance and Internet Freedom

    Get PDF
    Regional Internet Address Registries (RIRs) are private, nonprofit and transnational governance entities that evolved organically with the growth of the Internet to manage and coordinate Internet Protocol addresses. The RIR's management of Internet address resources is becoming more contentious and more central to global debates over Internet governance. This is happening because of two transformational problems: 1) the depletion of the IPv4 address space; and 2) the attempt to introduce more security into the Internet routing system. We call these problems "transformational" because they raise the stakes of the RIR's policy decisions, make RIR processes more formal and institutionalized, and have the potential to create new, more centralized control mechanisms over Internet service providers and users. A danger in this transition is that the higher stakes and centralized control mechanisms become magnets for political contention, just as ICANN's control of the DNS root did. In order to avoid a repeat of the problems of ICANN, we need to think carefully about the relationship between RIRs, governments, and Internet freedom. In particular, we need to shield RIRs from interference by national governments, and strengthen and institutionalize their status as neutral technical coordinators with limited influence over other areas of Internet governance

    Defining the Behavior of IoT Devices through the MUD Standard: Review, Challenges, and Research Directions

    Get PDF
    With the strong development of the Internet of Things (IoT), the definition of IoT devices' intended behavior is key for an effective detection of potential cybersecurity attacks and threats in an increasingly connected environment. In 2019, the Manufacturer Usage Description (MUD) was standardized within the IETF as a data model and architecture for defining, obtaining and deploying MUD files, which describe the network behavioral profiles of IoT devices. While it has attracted a strong interest from academia, industry, and Standards Developing Organizations (SDOs), MUD is not yet widely deployed in real-world scenarios. In this work, we analyze the current research landscape around this standard, and describe some of the main challenges to be considered in the coming years to foster its adoption and deployment. Based on the literature analysis and our own experience in this area, we further describe potential research directions exploiting the MUD standard to encourage the development of secure IoT-enabled scenarios

    PROTECTING PRINTERS FROM ROGUE DHCP SERVERS

    Get PDF
    In today’s world, securing devices from Malwares is a big concern. Even though IDS (Intrusion detection systems) are in place, it is hard to eliminate malwares completely in a network. A vulnerable device in a network can be attacked by a malware which can act as rogue DHCP server. It can move connected print device(s) out of network. This paper proposes a solution to handle rogue DHCP server and protect printers from simulated DHCP servers by malwares or misbehaving DHCP servers. Our idea is to implement a mechanism in printers which will provide an ability to protect themselves from rogue server(s) present in network

    Analysis and implementation of a security standard

    Get PDF
    This master's thesis describes the design and implementation of a security standard in a university research department. It has been developed in the framework of the ETSETB Master's Degree in Cybersecurity, in cooperation with the University of Barcelona. The work has consisted on several stages. First, an analysis of the vulnerabilities of the system has been performed. This diagnosis has been specially important, since the lack of cybersecurity protections in the department has lead to several hijacks and data losses throughout the years. Then, the report describes the application of all the security features that are considered essential in a company, covering as much elements as possible. Those include from devices' physical security, through software protection to employees training. The project will be mainly focused in the deployment of the main services found in an IT department with a brief cybersecurity training session for the employees at the end. The work developed in this master thesis will reinforce the security of all crucial services and will reduce the possibility of data loss
    • …
    corecore