    Network Access Control: Disruptive Technology?

    Network Access Control (NAC) implements policy-based access control to the trusted network. It regulates entry to the network through health verifiers and policy control points in order to mitigate the introduction of malicious software. However, the current versions of NAC may not be the universal remedy for endpoint security that many vendors tout. Many organizations that are evaluating the technology, but that have not yet deployed a solution, believe that NAC presents an opportunity for severe disruption of their networks. A cursory examination of the technologies used and how they are deployed in the network appears to support this argument. The addition of NAC components can make the network architecture even more complex and subject to failure. However, one recent survey of organizations that have deployed a NAC solution indicates that the 'common wisdom' about NAC may not be correct.

    IP Mobility in Wireless Operator Networks

    Wireless network access is gaining increased heterogeneity in terms of the types of IP-capable access technologies. The access network heterogeneity is an outcome of the incremental and evolutionary approach to building new infrastructure. The recent success of multi-radio terminals drives both the building of new infrastructure and the implicit deployment of heterogeneous access networks. Typically there is no economic reason to replace the existing infrastructure when building a new one. The gradual migration phase usually takes several years. IP-based mobility across different access networks may involve both horizontal and vertical handovers. Depending on the networking environment, the mobile terminal may be attached to the network through multiple access technologies. Consequently, the terminal may send and receive packets through multiple networks simultaneously. This dissertation addresses the introduction of the IP Mobility paradigm into existing mobile operator network infrastructure that has not originally been designed for multi-access and IP Mobility. We propose a model for the future wireless networking and roaming architecture that does not require revolutionary technology changes and can be deployed without unnecessary complexity. The model proposes a clear separation of operator roles: (i) access operator, (ii) service operator, and (iii) inter-connection and roaming provider. The separation allows each type of operator to have its own development path and business models without artificial bindings to each other. We also propose minimum requirements for the new model. We present the state of the art of IP Mobility. We also present results of standardization efforts in IP-based wireless architectures. Finally, we present experimentation results of IP-level mobility in various wireless operator deployments.

    Different wireless network connections are increasing in the form of Internet-capable technologies. The overlapping use of numerous technologies results from network infrastructure that has been built gradually and as needed. The recent commercial success of terminals (such as smartphones and laptop computers) that contain several radio technologies (such as WLAN, GSM and UMTS) promotes the building of new network infrastructure and may lead to a growing diversity of network technologies. For commercial reasons it is not worthwhile to replace the existing network infrastructure with new technology all at once; instead, a gradual migration phase typically takes several years. Internet-capable terminals can move either within the same network technology or between different network technologies. Depending on the network environment, mobile terminals can attach to the network through several network connections. Thus a terminal can send and receive data packets simultaneously over numerous networks. This dissertation addresses the mobility of Internet technologies and the introduction of these technologies into the existing network infrastructures of wireless network operators. The network infrastructures under consideration were not originally designed with Internet-technology mobility and many simultaneous connections in mind. This work proposes an architecture model for future wireless networks and solutions for implementing roaming. The proposed architecture can be implemented without extensive technological upheavals. In the proposed model, the roles of the network operator are clearly divided into (i) the network operator, (ii) the service operator and (iii) the connection and roaming operator. The division of roles allows each operator type to develop independently and removes artificial network-technology dependencies from service provision. The work also presents a preliminary list of requirements for the proposed model, for example quality requirements for connection operators. The dissertation also presents the latest developments in mobile Internet technologies. In addition, the work shows standardization results in Internet-capable wireless architectures.

    Validation of the Security of Participant Control Exchanges in Secure Multicast Content Delivery

    In Content Delivery Networks (CDN), as the customer base increases, a point is reached where the capacity of the network and the content server becomes inadequate. In extreme cases (e.g., world-class sporting events), it is impossible to adequately serve the clientele, resulting in extreme customer frustration. In these circumstances, multicast content delivery is an attractive alternative. However, the issue of maintaining control over the customers is difficult. In addition to controlling access to the network itself, in order to control the access of users to the multicast session, an Authentication, Authorization and Accounting framework was added to the multicast architecture. A successful authentication of the end user is a prerequisite for authorization and accounting. The Extensible Authentication Protocol (EAP) provides an authentication framework for implementing authentication properly, for which more than thirty different EAP methods are available. By distinguishing the multicast content delivery requirements in terms of functionality and security, we are able to choose a smaller set of relevant EAP methods accordingly. Given the importance of the role of the EAP method ultimately chosen, we precisely compare the methods most likely to be useful and eventually pick the Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST) framework as the most suitable one. Based on the work on receiver participant controls, we present a validation of the security of the exchanges that are required to ensure adequate control and revenue recovery.

    Inter-Domain Authentication for Seamless Roaming in Heterogeneous Wireless Networks

    The convergence of diverse but complementary wireless access technologies and inter-operation among administrative domains have been envisioned as crucial for the next generation wireless networks that will provide support for end-user devices to seamlessly roam across domain boundaries. The integration of existing and emerging heterogeneous wireless networks to provide such seamless roaming requires the design of a handover scheme that provides uninterrupted service continuity while facilitating the establishment of authenticity of the entities involved. The existing protocols for supporting re-authentication of a mobile node during a handover across administrative domains typically involve several round trips to the home domain, and hence introduce long latencies. Furthermore, the existing methods for negotiating roaming agreements to establish inter-domain trust rely on a lengthy manual process, thus impeding seamless roaming across multiple domains in a truly heterogeneous wireless network. In this thesis, we present a new proof-token based authentication protocol that supports quick re-authentication of a mobile node as it moves to a new foreign domain without involving communication with the home domain. The proposed proof-token based protocol can also support establishment of spontaneous roaming agreements between a pair of domains that do not already have a direct roaming agreement, thus allowing flexible business models to be supported. We describe the details of the new authentication architecture and the proposed protocol, which is based on EAP-TLS, and compare the proposed protocol with existing protocols.

    Wi-Fi Enabled Healthcare

    Focusing on its recent proliferation in hospital systems, Wi-Fi Enabled Healthcare explains how Wi-Fi is transforming clinical workflows and infusing new life into the types of mobile devices being implemented in hospitals. Drawing on first-hand experiences from one of the largest healthcare systems in the United States, it covers the key areas associated with wireless network design, security, and support. Reporting on cutting-edge developments and emerging standards in Wi-Fi technologies, the book explores security implications for each device type. It covers real-time location services and emerging trends in cloud-based wireless architecture. It also outlines several options and design considerations for employee wireless coverage, voice over wireless (including smartphones), mobile medical devices, and wireless guest services. This book presents authoritative insight into the challenges that exist in adding Wi-Fi within a healthcare setting. It explores several solutions in each space along with design considerations and pros and cons. It also supplies an in-depth look at voice over wireless, mobile medical devices, and wireless guest services. The authors provide readers with the technical know-how required to ensure their systems provide the reliable, end-to-end communications necessary to surmount today's challenges and capitalize on new opportunities. The shared experience and lessons learned provide essential guidance for large and small healthcare organizations in the United States and around the world. This book is an ideal reference for network design engineers and high-level hospital executives who are thinking about adding or improving upon Wi-Fi in their hospitals or hospital systems.

    Cisco TrustSec deployment in the JYVSECTEC environment

    The thesis was commissioned by the Jyväskylä Security Technology (JYVSECTEC) project, which operates on the premises of JAMK University of Applied Sciences. JYVSECTEC develops and maintains a cyber security development environment for research, development and training use. The goal of the work was to implement an identity-based information security solution using Cisco TrustSec components. The work consisted of design, testing and verification sections, as well as a guide for those who will use the environment in the future. The network environment of the work consisted of Cisco Systems devices that supported TrustSec functionality. These devices included, among others, C3750X and C3560X switches, an ASA firewall and a WLC 2504. The main component of the work was Cisco Identity Services Engine (ISE), which was used to manage, among other things, network access in the form of authentication and authorization. The environment utilized the SGA architecture, which included NDAC authentication between network devices, traffic tagging with SGT/SXP methods, testing of the firewall's SGFW feature, and authentication of endpoints with the 802.1X protocol. L2-level encryption was also implemented between the endpoint and the switch using the 802.1AE (MACsec) protocol. The same encryption was also used between switches upon completion of NDAC authentication. The result of the thesis was an environment in which several TrustSec features were studied. In the future the environment can be used in further development and in training services.

    The Bachelor's thesis was assigned by the Jyväskylä Security Technology (JYVSECTEC) project, which operates in the JAMK University of Applied Sciences (JAMK) environment. JYVSECTEC develops and maintains a closed cyber security infrastructure for research, development and training services. The goal of the thesis was to create an identity-based network solution by using components of Cisco Trusted Security (TrustSec). The thesis consisted of design, testing and verification parts, along with creating a manual for future use. The network environment in the thesis included TrustSec-capable devices manufactured by Cisco Systems, among others C3750X and C3560X switches, an ASA-5515X firewall and a WLC 2504. The main component was Cisco Identity Services Engine (ISE), which was used mainly to handle policies in terms of authentication and authorization in the network. The environment utilized the SGA architecture, which included authenticating network devices with the NDAC procedure, handling traffic with SGT/SXP and testing the firewall SGFW feature. The endpoints were authenticated with the 802.1X protocol using the EAP-FAST chaining method. After authentication, the L2 link between endpoint and switch was secured with the 802.1AE (MACsec) protocol. The same encryption was also used between switches. The result of the thesis is a network environment including several TrustSec components. The solutions and features were tested and verified. In the future the environment will be used in training services and further development.

    Federated identity architecture of the European eID system

    Federated identity management is a method that facilitates management of identity processes and policies among collaborating entities without centralized control. Nowadays there are many federated identity solutions; however, most of them cover different aspects of the identification problem, in some cases solving only specific problems. Thus, none of these initiatives has become established as a single solution, and this will surely remain the case in the near future. To assist users in choosing a possible solution, we analyze different federated identity approaches, showing their main features and making a comparative study among them. The problem is even worse when multiple organizations or countries already have legacy eID systems, as is the case in Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in the mid term to company eIDs as well. The system is now being deployed at the EU level; we present its basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constraints in mind. The results show good performance of the solution in local, organizational, and remote environments.

    A Technical and Market study for WiMAX

    Worldwide Interoperability for Microwave Access (WiMAX) is a broadband wireless technology based on IEEE 802.16-2004 and IEEE 802.16e-2005. This thesis is a study of the WiMAX technology and market. The background of WiMAX development is introduced and the opportunities and challenges for WiMAX are analyzed in the beginning. Then the thesis focuses on an overview of WiMAX technology, which addresses the physical layer, MAC layer and WiMAX network architecture. The deployment status is investigated in the fourth chapter. Both the product development situation and the market status are discussed in this section. In the last chapter, the future development trend of WiMAX is addressed.

    Service deployment in multi-access edge computing environments

    Driven by the visions of the 5th Generation of Mobile Networks (5G), and with an increasing acceptance of software-based network technologies, such as Network Function Virtualization (NFV) and Software Defined Networks (SDN), a transformation in network infrastructure is presently taking place, along with different requirements in terms of how networks are managed and deployed. One of the most significant changes is a shift in the cloud computing paradigm, moving from centralized cloud computing towards the edge of the network. This new environment, providing a cloud computing platform at the edge of the network, is referred to as Multi-Access Edge Computing (MEC). The main feature of MEC is to provide mobile computing, network control and storage at the network edges, enabling computation-intensive and latency-critical applications targeting resource-limited mobile devices. In this thesis a MEC architecture solution is provided, capable of supporting heterogeneous access networks, to serve as a platform for service deployment. Several MEC use case scenarios are evaluated on the proposed scheme in order to attest the advantages of a MEC deployment. Results show that the proposed environment is significantly faster at performing compute-intensive applications, mainly due to lower end-to-end latency, when compared to traditional centralized cloud servers, translating into energy savings and reduced backhaul traffic.

    Driven by the visions of the fifth generation of mobile networks, and with a growing acceptance of software-based network technologies, such as virtualized network functions (NFV) and software-defined networks (SDN), we are facing a transformation in the telecommunications network infrastructure, as well as in the way these networks are managed and deployed. One of the most significant changes is the shift in the cloud computing paradigm, moving from a centralized deployment to one branching out towards the edges of the network. This new environment, which provides a computing platform at the edge of the network, is called Multi-Access Edge Computing (MEC). The main characteristic of MEC is to provide mobile computing, storage and network resources at the edge of the network, allowing mobile terminals with limited resources to access applications that are demanding in terms of latency and computation. In this thesis, a MEC architecture solution is presented that supports connections to heterogeneous access networks, serving as a platform for service deployment. Several MEC scenarios were applied and evaluated on the proposed platform in order to demonstrate the advantages of a MEC deployment. The results show that the proposed platform is significantly faster at executing compute-intensive workloads, mainly due to the low latency, when compared with traditional centralized data centers, resulting in energy savings and reduced backhaul traffic. Master's degree in Electronics and Telecommunications Engineering.