    An Assessment of Practical Hands-On Lab Activities in Network Security Management

    With the advancement in technology over the past decades, networks have become increasingly large and complex. In the meantime, cyberattacks have become highly sophisticated, which makes them difficult to detect. These changes make securing a network more challenging than ever before. Hence, it is critical to prepare a comprehensive guide to network security management for students, to assist them in becoming network security professionals. The objective of this paper is to introduce a variety of techniques related to network security management, such as the Simple Network Management Protocol (SNMP), event management, security policy management, risk management, access control, and remote monitoring. With the use of these techniques, malicious activities by outsiders and misuse by insiders can be effectively monitored and managed. A network learning environment is proposed for students to practice network security management experiments. In addition, hands-on lab exercises are suggested. These activities will help students become familiar with the operations of network security management and allow them to further apply practical skills to protect networks.

    Protecting SNMP Through MarketNet

    As dependency on information technology becomes more critical, so does the need for network computer security. Because of the distributed nature of networks, large-scale information systems are highly vulnerable to negative elements such as intruders and attackers. The types of attack on a system can be diverse and come from different sources. Some of the factors contributing to an insecure system are the relentless pace of technology, the need for information processing, and the heterogeneity of hardware and software. In addition to these insecurities, the growth and success of e-commerce make networks a desirable target for intruders seeking to steal credit card numbers, bank account balances, and other valuable information. This paper looks at two different security technologies, SNMP v3 and MarketNet, their architectures, and how they have been developed to protect network resources and services, such as Internet applications, devices, and other services, against attacks.

    Location aware self-adapting firewall policies

    Private access to corporate servers from the Internet can be achieved using various security mechanisms. This article presents a network access control mechanism that employs a policy management architecture empowered with dynamic firewalls. With such an architecture in place, system and/or network administrators do not need to reconfigure firewalls when a user's location changes; reconfiguration is automatic and seamless. The proposed architecture utilizes dynamic firewalls, which adapt their policies according to user locations under the guidance of a policy server. This architecture is composed of a VPN client at the user site, a domain firewall with VPN capabilities, a policy server containing a policy decision engine, and policy agents residing in the dynamic firewalls at the server site, which map policy server decisions to firewall policy rules.

    SoK: An Analysis of Protocol Design: Avoiding Traps for Implementation and Deployment

    Today's Internet utilizes a multitude of different protocols. While some of these protocols were first implemented and used and later documented, others were first specified and then implemented. Regardless of how protocols came to be, their definitions can contain traps that lead to insecure implementations or deployments. A classical example is insufficiently strict authentication requirements in a protocol specification. The resulting misconfigurations, i.e., not enabling strong authentication, are common root causes of Internet security incidents. Indeed, Internet protocols have commonly been designed without security in mind, which leads to a multitude of misconfiguration traps. While this is slowly changing, too strict security considerations can have a similarly bad effect. Due to complex implementations and insufficient documentation, security features may remain unused, leaving deployments vulnerable. In this paper we provide a systematization of the security traps found in common Internet protocols. By separating protocols into four classes, we identify major factors that lead to common security traps. These insights, together with observations about end-user-centric usability and security by default, are then used to derive recommendations for improving existing protocols and designing new ones, without such security-sensitive traps for operators, implementors and users.

    Towards a network management solution for vehicular delay-tolerant networks

    Vehicular networks appeared as a new communication solution in which vehicles act as a communication infrastructure, providing data communications through vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2I) communications. Vehicular Delay-Tolerant Networks (VDTNs) are a new disruptive network architecture that assumes the delay-tolerant networking paradigm, in which there is no end-to-end connectivity. In this case the initial node transmits the data to a nearby node, and the data are then carried by vehicles hop by hop until the destination. This dissertation focuses on a proposal for a network management solution for VDTN networks based on the standard Simple Network Management Protocol (SNMP). The developed solution allows a VDTN network to be controlled through a Network Management System (NMS), with the objective of detecting and, if possible, anticipating possible errors in the network. The research methodology used was prototyping: a network management module was built for the laboratory prototype, called VDTN@Lab. The system built includes a MIB (Management Information Base) placed in all vehicular network nodes. The solution was built, demonstrated and validated, its performance was evaluated, and it is ready for use.

    Vehicular networks were designed to allow vehicles to carry data, creating a new type of network characterized by two types of communication: vehicle-to-vehicle (V2V) communications or vehicle-to-infrastructure (V2I) communications. Vehicular Delay-Tolerant Networks (VDTNs) emerged as a new data network architecture in which vehicles are used as communication infrastructure. VDTNs are characterized as vehicular networks based on the intermittent-communications paradigm. In VDTN networks there is no permanent end-to-end connection between the sender and the receiver. In this case, the initial node transmits the data to a node next to it, and so on; the data are carried by vehicles, hop by hop, until the final recipient. This dissertation focuses on the proposal of a network management solution for VDTN networks based on the standardized Simple Network Management Protocol (SNMP). The solution built allows a VDTN network to be controlled through a Network Management System (NMS) with the objective of detecting and, if possible, anticipating possible errors in the network. The research methodology used was prototyping. Thus, a network management module was built for the laboratory prototype, called VDTN@Lab. The system built includes a MIB (Management Information Base) that is placed in all nodes of a vehicular network, both fixed and mobile. The solution was built, demonstrated and validated, its performance was evaluated, and it is thus ready to be used.

    Role-based access control for XML-enabled management gateways

    While security is often supported in standard management frameworks, it has been insufficiently approached in most deployment and research initiatives. In this paper we address the provisioning of a security "continuum" for management frameworks based on XML/SNMP gateways. We provide an in-depth security extension of such a gateway using the Role-Based Access Control paradigm and show how to integrate our approach within a broader XML-based management framework.

    Towards Automated Network Configuration Management

    Modern networks are designed to satisfy a wide variety of competing goals related to network operation requirements such as reachability, security, performance, reliability and availability. These high-level goals are realized through a complex chain of low-level configuration commands performed on network devices. As networks become larger, more complex and more heterogeneous, human errors become the most significant threat to network operation and the main cause of network outages. In addition, the gap between high-level requirements and low-level configuration data is continuously increasing and difficult to close. Although many solutions have been introduced to reduce the complexity of configuration management, network changes, in most cases, are still performed manually via low-level command line interfaces (CLIs). The Internet Engineering Task Force (IETF) has introduced the Network Configuration (NETCONF) protocol along with its associated data-modeling language, YANG, which significantly reduce network configuration complexity. However, NETCONF is limited to the interaction between managers and agents, and it has weak support for compliance with high-level management functionalities. We design and develop a network configuration management system called AutoConf that addresses the aforementioned problems. AutoConf is a distributed system that manages, validates, and automates the configuration of IP networks. We propose a new framework to augment the NETCONF/YANG framework. This framework includes a Configuration Semantic Model (CSM), which provides a formal representation of the domain knowledge needed to deploy a successful management system. Along with CSM, we develop a domain-specific language called Structured Configuration Language (SCL) to specify configuration tasks as well as high-level requirements. CSM/SCL together with NETCONF/YANG makes a powerful management system that supports network-wide configuration. AutoConf supports two levels of verification: consistency verification and behavioral verification. We apply a set of logical formalizations to verify the consistency and dependency of configuration parameters. In behavioral verification, we present a set of formal models and algorithms based on Binary Decision Diagrams (BDDs) to capture the behaviors of forwarding control lists that are deployed in firewalls, routers, and NAT devices. We also adopt an enhanced version of the Dyna-Q algorithm to support dynamic adaptation of network configuration in response to changes that occur during network operation. This adaptation approach maintains a coherent relationship between high-level requirements and low-level device configuration. We evaluate AutoConf by running several configuration scenarios such as interface configuration, RIP configuration, OSPF configuration and MPLS configuration. We also evaluate AutoConf by running several simulation models to demonstrate the effectiveness and the scalability of handling large-scale networks.

    An ontology-driven architecture for data integration and management in home-based telemonitoring scenarios

    The shift from traditional medical care to the use of new technology and engineering innovations is nowadays an interesting and growing research area, mainly motivated by a growing population with chronic conditions and disabilities. By means of information and communications technologies (ICTs), telemedicine systems offer a good solution for providing medical care at a distance to any person in any place at any time. Although significant contributions have been made in this field in recent decades, telemedicine and e-health scenarios in general still pose numerous challenges that need to be addressed by researchers in order to take maximum advantage of the benefits that these systems provide and to support their long-term implementation. The goal of this research thesis is to make contributions in the field of home-based telemonitoring scenarios. By periodically collecting patients' clinical data and transferring them to physicians located at remote sites, patient health status supervision and feedback provision are possible. This type of telemedicine system guarantees patient supervision while reducing costs (enabling more autonomous patient care and avoiding hospital overflows). Furthermore, patients' quality of life and empowerment are improved. Specifically, this research investigates how a new architecture based on ontologies can be successfully used to address the main challenges presented in home-based telemonitoring scenarios. The challenges include data integration, personalized care, multi-chronic conditions, and clinical and technical management. These are the principal issues presented and discussed in this thesis. The proposed new ontology-based architecture takes into account both practical and conceptual integration issues and the transfer of data between the end points of the telemonitoring scenario (i.e., communication and message exchange). The architecture includes two layers: 1) a conceptual layer and 2) a data and communication layer. On the one hand, the conceptual layer, based on ontologies, is proposed to unify the management procedure and integrate incoming data from all the sources involved in the telemonitoring process. On the other hand, the data and communication layer, based on web service technologies, is proposed to provide practical backing for the use of the ontology, to provide a real implementation of the tasks it describes and thus to provide a means of exchanging data. This architecture takes advantage of the combination of ontologies, rules, web services and the autonomic computing paradigm. All are well-known technologies and popular solutions applied in the semantic web domain and the network management field. A review of these technologies and related works that have made use of them is presented in this thesis in order to understand how they can be combined successfully to provide a solution for telemonitoring scenarios. The design and development of the ontology used in the conceptual layer led to the study of the autonomic computing paradigm and its combination with ontologies. In addition, the OWL (Ontology Web Language) language was studied and selected to express the required knowledge in the ontology, while the SPARQL language was examined for its effective use in defining rules. As an outcome of these research tasks, the HOTMES (Home Ontology for Integrated Management in Telemonitoring Scenarios) ontology, presented in this thesis, was developed. The combination of the HOTMES ontology with SPARQL rules to provide a flexible solution for personalising management tasks and adapting the methodology for different management purposes is also discussed. The use of Web Services (WSs) was investigated to support the exchange of information defined in the conceptual layer of the architecture. A generic ontology-based solution was designed to integrate data and management procedures in the data and communication layer of the architecture. This is an innovative REST-inspired architecture that allows information contained in an ontology to be exchanged in a generic manner. This layer structure and its communication method give the approach scalability and re-usability features. The application of the HOTMES-based architecture has been studied for clinical purposes following three simple methodological stages described in this thesis. Data and management integration for context-aware and personalized monitoring services for patients with chronic conditions in the telemonitoring scenario are thus addressed. In particular, the extension of the HOTMES ontology defines a patient profile. These profiles, in combination with individual rules, provide clinical guidelines aiming to monitor and evaluate the evolution of the patient's health status. This research implied a multi-disciplinary collaboration in which clinicians had an essential role both in the ontology definition and in the validation of the proposed approach. Patient profiles were defined for 16 different types of diseases. Finally, two solutions were explored and compared in this thesis to address the remote technical management of all devices that comprise the telemonitoring scenario. The first solution was based on the HOTMES ontology-based architecture. The second solution was based on the most popular TCP/IP management architecture, SNMP (Simple Network Management Protocol). As a general conclusion, it has been demonstrated that the combination of ontologies, rules, WSs and the autonomic computing paradigm takes advantage of the main benefits that these technologies can offer in terms of knowledge representation, workflow organization, data transfer, personalization of services and self-management capabilities. It has been proven that ontologies can be successfully used to provide clear descriptions of managed data (both clinical and technical) and ways of managing such information. This represents a further step towards the possibility of establishing more effective home-based telemonitoring systems and thus improving the remote care of patients with chronic diseases.