Älypuhelin kotiverkkojen luottamusankkurina

Kun tietoverkot kodeissa monimutkaistuvat, eivät kotikäyttäjät osaa tai halua enää ylläpitää niitä. Kotiverkkojen ylläpito ei eroa nykyisin paljon yritysympäristöistä. Käyttäjältä vaaditaan läsnäolo, tunnukset ja tietämys laitteiden operointiin. Näitä vaatimuksia täytyy soveltaa, jos ylläpito ulkoistettaisiin ja pääsy kotiverkkoihin sallittaisiin. Luotettava toimija on palkattava ja jaettava tälle tunnistautumiskeino sekä pääsy kohdelaitteelle ulkoa käsin. Tämä edellyttää ennakkotoimia ja tunnistautumisavainten jakelua. Käyttäjän älypuhelimessa toimiva sovellus toimii tässä luotettuna toimijana. Matkapuhelinliittymällään käyttäjä on jo osa luotettua tilaajarekisteriä, ja tätä ominaisuutta käytetään hyväksi työssä luottamuksen rakentajana. Matkapuhelintunnistuksena käytetään SIM-kortin tilaajatietoa EAP-menetelmällä. EAP-SIM-pohjaisen tunnistuksen toimivuus esitetään käyttöympäristössä, jossa on simuloitu SIM-kortti ja matkapuhelinoperaattori. Periaatteena on ollut käyttää olemassaolevia tekniikoita yhdistäen niitä uusiin alueisiin, kuten homenet-määritysten kotiverkkoihin ja edustajalle ulkoistettuun hallintaan. Tunnistus- ja valtuutustietojen välittämisen hoitaa WPA2 Enterprise RADIUS-ympäristössä. Välttääksemme monimutkaisuutta ja tarpeetonta hienorakeisuutta, käytämme yksinkertaista hallintaverkkomallia, jonka rajalla on kotiverkosta muuten erillään oleva älypuhelin. Tuloksena näytetään, että matkapuhelimella tehty tunnistautuminen luo luottamusankkurin ulkoisen edustajan ja kodin hallintaverkon välille avaten edustajalle hallintayhteyden kotikäyttäjän valvonnassa. SIM-tunnistuksen hyötyjä ovat vahva tunnistus ja laaja käyttäjäkanta. Haittoina ovat riippuvuus teleoperaattorista, käyttäjän identiteetin paljastumisen uhka ja ei-toivottu automaattinen tunnistautuminen.Today, home networks are complex, and the home owners do not necessarily want to administer all aspects of their networks. Configuring home network devices does not differ much from configuring enterprise devices. One needs access, credentials to login and knowledge to operate the device. If the configuration is outsourced to external parties and done remotely, those requirements need adaptation. Access to an end device from the outside must be provided, a trusted operator must be hired, and login credentials shared. For this purpose, some previously set provisioning and distribution of authentication keys is needed. In this work, an application running on a user's smartphone represents this trusted operator. The fact that the mobile phone subscribers already are part of a reliable infrastructure is used in the study as a trusted base. To benefit from the mobile identification, it is shown how the authentication and authorization are done using an extendable authentication profile (EAP) and a SIM card. A theory to use EAP-SIM authentication at home is presented, and to demonstrate that it works, a simulated testbed is built, tested, and analyzed. The idea is to reuse existing techniques by combining them with such new areas as homenet and delegated management. Authentication claims are transported with WPA2 Enterprise. To further avoid complexity and granularity, we only use a simple model of management network. As a result, we show that the smartphone authentication provides a trust anchor between a configuration agent and the home network. The home network management can be controlled via the smartphone while keeping the local phone user still in control. The benefits of using the SIM are that it is considered strong, and it has a large existing user base, while its disadvantages include dependency onto the mobile operator. Additionally, there remain challenges in keeping the SIM's identity private and in disabling unwanted re-authentications

Managing Access Control in Virtual Private Networks

Virtual Private Network technology allows remote network users to benefit from resources on a private network as if their host machines actually resided on the network. However, each resource on a network may also have its own access control policies, which may be completely unrelated to network access. Thus users� access to a network (even by VPN technology) does not guarantee their access to the sought resources. With the introduction of more complicated access privileges, such as delegated access, it is conceivable for a scenario to arise where a user can access a network remotely (because of direct permissions from the network administrator or by delegated permission) but cannot access any resources on the network. There is, therefore, a need for a network access control mechanism that understands the privileges of each remote network user on one hand, and the access control policies of various network resources on the other hand, and so can aid a remote user in accessing these resources based on the user\u27s privileges. This research presents a software solution in the form of a centralized access control framework called an Access Control Service (ACS), that can grant remote users network presence and simultaneously aid them in accessing various network resources with varying access control policies. At the same time, the ACS provides a centralized framework for administrators to manage access to their resources. The ACS achieves these objectives using VPN technology, network address translation and by proxying various authentication protocols on behalf of remote users

A Framework for Federated Two-Factor Authentication Enabling Cost-Effective Secure Access to Distributed Cyberinfrastructure

As cyber attacks become increasingly sophisticated, the security measures used to mitigate the risks must also increase in sophistication. One time password (OTP) systems provide strong authentication because security credentials are not reusable, thus thwarting credential replay attacks. The credential changes regularly, making brute-force attacks significantly more difficult. In high performance computing, end users may require access to resources housed at several different service provider locations. The ability to share a strong token between multiple computing resources reduces cost and complexity. The National Science Foundation (NSF) Extreme Science and Engineering Discovery Environment (XSEDE) provides access to digital resources, including supercomputers, data resources, and software tools. XSEDE will offer centralized strong authentication for services amongst service providers that leverage their own user databases and security profiles. This work implements a scalable framework built on standards to provide federated secure access to distributed cyberinfrastructure

Network Access Control: Disruptive Technology?

Network Access Control (NAC) implements policy-based access control to the trusted network. It regulates entry to the network by the use of health verifiers and policy control points to mitigate the introduction of malicious software. However the current versions of NAC may not be the universal remedy to endpoint security that many vendors tout. Many organizations that are evaluating the technology, but that have not yet deployed a solution, believe that NAC presents an opportunity for severe disruption of their networks. A cursory examination of the technologies used and how they are deployed in the network appears to support this argument. The addition of NAC components can make the network architecture even more complex and subject to failure. However, one recent survey of organizations that have deployed a NAC solution indicates that the \u27common wisdom\u27 about NAC may not be correct

Supporting authorize-then-authenticate for wi-fi access based on an electronic identity infrastructure

Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation-the eIDAS Network-allowing mutual recognition of citizen’s eIDs in various countries, is now in action. We discuss authorization (before authentication), named also authorize-then-authenticate (AtA), in services exploiting the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node, which transfers in other Member State countries, via the eIDAS protocol, some personal attributes, upon successful authentication of a person in his home country. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service. We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to implement access control decisions before the person is authenticated through the eIDAS Network with his/her national eID. The Wi-Fi access service is highly required in public and private places (e.g. shops, hotels, a.s.o.), but its use typically involves users’ registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, thus it might be exploited for a more secure and widely available Wi-Fi access service to the citizens with no prior registration, by exploiting their national eIDs. We propose first a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We describe next the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deploy-ment issues that may impact on the service acceptance by the users and its exploitation on large scale

Greenpass Client Tools for Delegated Authorization in Wireless Networks

Dartmouth\u27s Greenpass project seeks to provide strong access control to a wireless network while simultaneously providing flexible guest access; to do so, it augments the Wi-Fi Alliance\u27s existing WPA standard, which offers sufficiently strong user authentication and access control, with authorization based on SPKI certificates. SPKI allows certain local users to delegate network access to guests by issuing certificates that state, in essence, he should get access because I said it\u27s okay. The Greenpass RADIUS server described in Kim\u27s thesis [55] performs an authorization check based on such statements so that guests can obtain network access without requiring a busy network administrator to set up new accounts in a centralized database. To our knowledge, Greenpass is the first working delegation-based solution to Wi-Fi access control. My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work.My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work

Virtual network function development for NG-PON Access Network Architecture

Dissertação de mestrado em Engenharia de Redes e Serviços TelemáticosThe access to Internet services on a large scale, high throughput and low latency has grown at a very high pace over time, with a growing demand for media content and applications increasingly oriented towards data consumption. This fact about the use of data at the edge of the network requires the Central Offices (CO) of telecommunication providers, to be pre pared to absorb these demands. COs generally offer data from various access methods, such as Passive Optical Network (PON) technologies, mobile networks, copper wired and oth ers. For each of these technologies there may be different manufacturers that support only their respective hardware and software solutions, although they all share different network resources and have management, configuration and monitoring tools (Fault, Configuration, Accounting, Performance, and Security management - FCAPS) similar, but being distinct and isolated from each other, which produces huge investment in Capital Expenditure (CAPEX) and Operational Expenditure (OPEX) and can cause barriers to innovation. Such panora mas forced the development of more flexible, scalable solutions that share platforms and net work architectures that can meet this need and enable the evolution of networks. It is then proposed the architecture of Software-Defined Network (SDN) which has in its proposal to abstract the control plane from the data plane, in addition to the virtualization of several Net work Function Virtualization (NFV). The SDN architecture allows APIs and protocols such as Openflow, NETCONF / YANG, RESTCONF, gRPC and others to be used so that there is communication between the various hardware and software elements that compose the net work and consume network resources, such as services AAA, DHCP, routing, orchestration, management or various applications that may exist in this context. This work then aims at the development of a virtualized network function, namely a VNF in the context of network security to be integrated as a component of an architecture guided by the SDN paradigm applied to broadband networks, and also adherent to the architecture OB-BAA promoted by the Broadband Forum. Such OB-BAA architecture fits into the initia tive to modernize the Information Technology (IT) components of broadband networks, more specifically the Central Offices. With such development, it was intended to explore the con cepts of network security, such as the IEEE 802.1X protocol applied in NG-PON networks for authentication and authorization of new network equipment. To achieve this goal, the development of the applications was based on the Golang language combined with gRPC programmable interfaces for communication between the various elements of the architec ture. Network emulators were initially used, and then the components were ”containerized” and inserted in the Docker and Kubernetes virtualization frameworks. Finally, performance metrics were analyzed in the usage tests, namely computational resource usage metrics (CPU, memory and network I/O), in addition to the execution time of several processes performed by the developed applications.O acesso aos serviços de Internet em larga escala, alto débito e baixa latência têm crescido em um ritmo bastante elevado ao longo dos tempos, com uma demanda crescente por conteúdos de media e aplicações cada vez mais orientadas ao consumo de dados. Tal fato acerca da uti lização de dados na periferia da rede, obriga a que os Central Offices (CO) dos provedores de telecomunicações estejam preparados para absorver estas demandas. Os CO geralmente re cebem dados de diversos métodos de acesso, como tecnologias Passive Optical Network (PON), redes móveis, cabladas em cobre, entre outros. Para cada uma destas tecnologias pode haver diferentes fabricantes que suportam somente suas respetivas soluções de hardware e software, apesar de todas compartilharem diversos recursos de rede e possuírem ferramentas de gestão, configuração e monitoração (Fault-management, Configuration, Accounting, Performance e Segurança - FCAPS) similares, mas serem distintas e isoladas entre si, o que se traduz em um enorme investimento em Capital Expenditure (CAPEX) e Operational Expenditure (OPEX) e pode causar barreiras à inovação. Tais panoramas forçaram o desenvolvimento de soluções mais flexíveis, escaláveis e que compartilhem plataformas e arquiteturas de redes que pos sam suprir tal necessidade e possibilitar a evolução das redes. Propõe-se então a arquitetura de redes definidas por software (Software-Defined Network - SDN) que tem em sua proposta abstrair o plano de controle do plano de dados, além da virtualização de diversas funções de rede (Network Function Virtualization - NFV). A arquitetura SDN possibilita que API’s e pro tocolos como Openflow, NETCONF/YANG, RESTCONF, gRPC e outros, sejam utilizados para que haja comunicação entre os diversos elementos de hardware e software que estejam a compor a rede e a consumir recursos de redes, como serviços de AAA, DHCP, roteamento, orquestração, gestão ou diversas outras aplicações que possam existir neste contexto. Este trabalho visa então o desenvolvimento de uma função de rede virtualizada nomeada mente uma (Virtual Network Function - VNF) no âmbito de segurança de redes a ser integrada como um componente de uma arquitetura orientada pelo paradigma de SDN aplicado a re des de banda larga, e aderente também à arquitetura OB-BAA promovida pelo Broadband Fo rum. Tal arquitetura OB-BAA se enquadra na iniciativa de modernização dos componentes de Tecnologia da Informação (TI) das redes de banda larga, mais especificamente dos Cen tral Offices. Com tal desenvolvimento pretende-se explorar conceitos de segurança de redes, como o protocolo IEEE 802.1X aplicado em redes NG-PON para autenticação e autorização de novos equipamentos de rede. Para atingir tal objetivo, utilizou-se desenvolvimento de aplicações baseadas na linguagem Golang aliado com interfaces programáveis gRPC para comunicação entre os diversos elementos da arquitetura. Para emular tais componentes, utilizou-se inicialmente emuladores de rede, e em um segundo momento os componentes foram ”containerizados” e inseridos nos frameworks de virtualização Docker e Kubernetes.Por fim, foram analisadas métricas de desempenho nos testes executados, nomeadamente métricas de utilização de recursos computacionais (CPU, memória e tráfego de rede), além do tempo de execução de diversos processos desempenhados pelas aplicações desenvolvidas

Diseño e implementación de seguridad a.a.a (authentication authorization and accounting) en las redes wi-fi del gad municipal del cantón Mejía

This project was proposed to give a security solution for access control with base to the infrastructure Decentralized Autonomous Government of the “Mejía” Canton by means of the identity based on network services which is based on an AAA (Authentication Authorization and Accounting) server. Using the RADIUS free use protocol will be responsible for the authentication, authorization and accounting of wireless networks, due to the filtering of passwords that was evidenced anybody could have access as well as the networks were exposed and vulnerable. To which we apply the practical theoretical method for the abstraction and deduction of solutions and execute an analysis of the necessary qualities that the AAA server should count and put them in practice with an experimental model in which we have access control of wireless networks that gives us security in the network, since as it is possible to control the access to these, it was possible to safeguard and prevent the inappropriate use of the information, already implemented for the institution's employees access is through user’s credentials and filters by MAC address of the equipment, once the session is initiated roles and profiles for their work development. In this way the AAA server concept is formed, since this model offers alternative of protection in the network access, despite the existence of many alternatives that fulfill this function, an AAA server has the necessary conditions to fulfill this objective, the purpose was to implement a server with these features using free software for the server was an operating system centOS 7 and FreeRadius for RADIUS services with a web control panel and a wireless lan controller, all this gave us new alternatives to access the wireless network , benefiting not only the functionary but also the community in general, offering a more reliable environment in the DAG of the “Mejía” Canton, which was the main objective of this project. The Radius server offers control, monitoring, and administration. This assure the security of access to the wireless networks of the DAG of “Mejía” Canton, through a graphical interface that allows to the administrator monitors the network.Este proyecto fue propuesto para dar una solución de seguridad para el control de acceso con base a la infraestructura del GAD municipal del Cantón Mejía mediante la identidad basada en servicios de red la cual está basada en un servidor AAA (Authentication Authorization And Accounting / Autenticación Autorización y Contabilidad) utilizando el protocolo de libre uso RADIUS, este se encargara la autenticación, autorización y contabilidad o auditoria de las redes inalámbricas, debido a la filtración de contraseñas que se evidencio, cualquier persona podía tener acceso y las redes quedaban expuestas y vulnerables. Para lo cual aplicamos el método teórico practico para la abstracción y deducción de soluciones para realizar un análisis de las cualidades necesarias con las que debía contar el servidor AAA y ponerlas en práctica con un modelo experimental en el cual tenemos control de acceso de las redes inalámbricas lo que nos brinda seguridad en la red, ya que como es posible controlar el acceso a estas, fue posible resguarda y evitar el uso inadecuado de la información, ya implantado para los funcionarios de la institución el acceso es mediante credenciales de usuarios y filtros por MAC address del equipo, una vez ingresados tienen roles y perfiles para el desarrollo de su actividad laboral. Formándose el concepto de servidor AAA, ya que este modelo ofrece alternativas de protección en el acceso de una red, a pesar de la existencia de muchas alternativas que cumplen esta función, un servidor AAA cuenta con las condiciones necesarias para cumplir este objetivo, el fin era implementar un servidor con estas características utilizando software libre para el servidor fue un sistema operativo centOS 7 y FreeRadius para los servicios RADIUS con un panel de control web y un equipo wireless lan controller, todo esto nos brindó nuevas alternativas de acceso a la red inalámbrica, beneficiando no solo a los funcionarios sino a la comunidad en general, ofreciendo un ambiente más confiable en el GAD municipal del Cantón Mejía, El cual era el principal objetivo de este proyecto. El servidor Radius ofrece un control, monitoreo, y administración. Esto garantizo la seguridad en el acceso a las redes inalámbricas del GAD municipal del Cantón Mejía, mediante una interfaz gráfica que permite al administrador monitorear la red

Mobility management across converged IP-based heterogeneous access networks

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University, 8/2/2010.In order to satisfy customer demand for a high performance “global” mobility service, network operators (ISPs, carriers, mobile operators, etc.) are facing the need to evolve to a converged “all-IP” centric heterogeneous access infrastructure. However, the integration of such heterogeneous access networks (e.g. 802.11, 802.16e, UMTS etc) brings major mobility issues. This thesis tackles issues plaguing existing mobility management solutions in converged IP-based heterogeneous networks. In order to do so, the thesis firstly proposes a cross-layer mechanism using the upcoming IEEE802.21 MIH services to make intelligent and optimized handovers. In this respect, FMIPv6 is integrated with the IEEE802.21 mechanism to provide seamless mobility during the overall handover process. The proposed solution is then applied in a simulated vehicular environment to optimize the NEMO handover process. It is shown through analysis and simulations of the signalling process that the overall expected handover (both L2 and L3) latency in FMIPv6 can be reduced by the proposed mechanism by 69%. Secondly, it is expected that the operator of a Next Generation Network will provide mobility as a service that will generate significant revenues. As a result, dynamic service bootstrapping and authorization mechanisms must be in place to efficiently deploy a mobility service (without static provisioning), which will allow only legitimate users to access the service. A GNU Linux based test-bed has been implemented to demonstrate this. The experiments presented show the handover performance of the secured FMIPv6 over the implemented test-bed compared to plain FMIPv6 and MIPv6 by providing quantitative measurements and results on the quality of experience perceived by the users of IPv6 multimedia applications. The results show the inclusion of the additional signalling of the proposed architecture for the purpose of authorization and bootstrapping (i.e. key distribution using HOKEY) has no adverse effect on the overall handover process. Also, using a formal security analysis tool, it is shown that the proposed mechanism is safe/secure from the induced security threats. Lastly, a novel IEEE802.21 assisted EAP based re-authentication scheme over a service authorization and bootstrapping framework is presented. AAA based authentication mechanisms like EAP incur signalling overheads due to large RTTs. As a result, overall handover latency also increases. Therefore, a fast re-authentication scheme is presented which utilizes IEEE802.21 MIH services to minimize the EAP authentication process delays and as a result reduce the overall handover latency. Analysis of the signalling process based on analytical results shows that the overall handover latency for mobility protocols will be approximately reduced by 70% by the proposed scheme