Сетевая защита на базе технологий фирмы Cisco Systems. Практический курс : учебное пособие

Учебное пособие раскрывает вопросы практического применения методов и средств защиты информации в компьютерных сетях. В качестве платформы для построения защищенных сетей рассмотрены технологии и программно-аппаратные комплексы фирмы Cisco Systems. В пособии рассмотрены основные команды операционной системы Cisco IOS, вопросы администрирования маршрутизаторов и межсетевых экранов, способы обнаружения сетевых компьютерных атак на базе комплексов Cisco IDS Sensor и Cisco MARS. Основной акцент в пособии делается на практическое изучение материала, что реализуется благодаря применению технологии виртуальных машин и использованию в образовательном процессе программных эмуляторов аппаратуры фирмы Cisco Systems. Пособие будет полезно преподавателям, слушателям потоков повышения квалификации по направлению информационной безопасности, а также специалистам-практикам в области защиты компьютерной информации

Secure Network Access via LDAP

Networks need the ability to be access by secure accounts and users. The goal of this project is to configure and expand on LDAP configurations with considerations for AAA via TACACS+ and Radius for network equipment. This will provide adequate security for any given network in terms of access and prevent lose of access to devices which happens all to often with locally configured accounts on devices

IP-based virtual private networks and proportional quality of service differentiation

IP-based virtual private networks (VPNs) have the potential of delivering cost-effective, secure, and private network-like services. Having surveyed current enabling techniques, an overall picture of IP VPN implementations is presented. In order to provision the equivalent quality of service (QoS) of legacy connection-oriented layer 2 VPNs (e.g., Frame Relay and ATM), IP VPNs have to overcome the intrinsically best effort characteristics of the Internet. Subsequently, a hierarchical QoS guarantee framework for IP VPNs is proposed, stitching together development progresses from recent research and engineering work. To differentiate IP VPN QoS, the proportional QoS differentiation model, whose QoS specification granularity compromises that of IntServ and Diffserv, emerges as a potential solution. The investigation of its claimed capability of providing the predictable and controllable QoS differentiation is then conducted. With respect to the loss rate differentiation, the packet shortage phenomenon shown in two classical proportional loss rate (PLR) dropping schemes is studied. On the pursuit of a feasible solution, the potential of compromising the system resource, that is, the buffer, is ruled out; instead, an enhanced debt-aware mechanism is suggested to relieve the negative effects of packet shortage. Simulation results show that debt-aware partially curbs the biased loss rate ratios, and improves the queueing delay performance as well. With respect to the delay differentiation, the dynamic behavior of the average delay difference between successive classes is first analyzed, aiming to gain insights of system dynamics. Then, two classical delay differentiation mechanisms, that is,proportional average delay (PAD) and waiting time priority (WTP), are simulated and discussed. Based on observations on their differentiation performances over both short and long time periods, a combined delay differentiation (CDD) scheme is introduced. Simulations are utilized to validate this method. Both loss and delay differentiations are based on a series of differentiation parameters. Though previous work on the selection of delay differentiation parameters has been presented, that of loss differentiation parameters mostly relied on network operators\u27 experience. A quantitative guideline, based on the principles of queueing and optimization, is then proposed to compute loss differentiation parameters. Aside from analysis, the new approach is substantiated by numerical results

IPv6: a new security challenge

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011O Protocolo de Internet versão 6 (IPv6) foi desenvolvido com o intuito de resolver alguns dos problemas não endereçados pelo seu antecessor, o Protocolo de Internet versão 4 (IPv4), nomeadamente questões relacionadas com segurança e com o espaço de endereçamento disponível. São muitos os que na última década têm desenvolvido estudos sobre os investimentos necessários à sua adoção e sobre qual o momento certo para que o mesmo seja adotado por todos os players no mercado. Recentemente, o problema da extinção de endereçamentos públicos a ser disponibilizado pelas diversas Region Internet registry – RIRs - despertou o conjunto de entidades envolvidas para que se agilizasse o processo de migração do IPv4 para o IPv6. Ao contrário do IPv4, esta nova versão considera a segurança como um objetivo fundamental na sua implementação, nesse sentido é recomendado o uso do protocolo IPsec ao nível da camada de rede. No entanto, e devido à imaturidade do protocolo e à complexidade que este período de transição comporta, existem inúmeras implicações de segurança que devem ser consideradas neste período de migração. O objetivo principal deste trabalho é definir um conjunto de boas práticas no âmbito da segurança na implementação do IPv6 que possa ser utilizado pelos administradores de redes de dados e pelas equipas de segurança dos diversos players no mercado. Nesta fase de transição, é de todo útil e conveniente contribuir de forma eficiente na interpretação dos pontos fortes deste novo protocolo assim como nas vulnerabilidades a ele associadas.IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 Security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition for IPv6 seems inevitable this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers’ networks

Service management for multi-domain Active Networks

The Internet is an example of a multi-agent system. In our context, an agent is synonymous with network operators, Internet service providers (ISPs) and content providers. ISPs mutually interact for connectivity's sake, but the fact remains that two peering agents are inevitably self-interested. Egoistic behaviour manifests itself in two ways. Firstly, the ISPs are able to act in an environment where different ISPs would have different spheres of influence, in the sense that they will have control and management responsibilities over different parts of the environment. On the other hand, contention occurs when an ISP intends to sell resources to another, which gives rise to at least two of its customers sharing (hence contending for) a common transport medium. The multi-agent interaction was analysed by simulating a game theoretic approach and the alignment of dominant strategies adopted by agents with evolving traits were abstracted. In particular, the contention for network resources is arbitrated such that a self-policing environment may emerge from a congested bottleneck. Over the past 5 years, larger ISPs have simply peddled as fast as they could to meet the growing demand for bandwidth by throwing bandwidth at congestion problems. Today, the dire financial positions of Worldcom and Global Crossing illustrate, to a certain degree, the fallacies of over-provisioning network resources. The proposed framework in this thesis enables subscribers of an ISP to monitor and police each other's traffic in order to establish a well-behaved norm in utilising limited resources. This framework can be expanded to other inter-domain bottlenecks within the Internet. One of the main objectives of this thesis is also to investigate the impact on multi-domain service management in the future Internet, where active nodes could potentially be located amongst traditional passive routers. The advent of Active Networking technology necessitates node-level computational resource allocations, in addition to prevailing resource reservation approaches for communication bandwidth. Our motivation is to ensure that a service negotiation protocol takes account of these resources so that the response to a specific service deployment request from the end-user is consistent and predictable. To promote the acceleration of service deployment by means of Active Networking technology, a pricing model is also evaluated for computational resources (e.g., CPU time and memory). Previous work in these areas of research only concentrate on bandwidth (i.e., communication) - related resources. Our pricing approach takes account of both guaranteed and best-effort service by adapting the arbitrage theorem from financial theory. The central tenet for our approach is to synthesise insights from different disciplines to address problems in data networks. The greater parts of research experience have been obtained during direct and indirect participation in the 1ST-10561 project known as FAIN (Future Active IP Networks) and ACTS-AC338 project called MIAMI (Mobile Intelligent Agent for Managing the Information Infrastructure). The Inter-domain Manager (IDM) component was integrated as an integral part of the FAIN policy-based network management systems (PBNM). Its monitoring component (developed during the MIAMI project) learns about routing changes that occur within a domain so that the management system and the managed nodes have the same topological view of the network. This enabled our reservation mechanism to reserve resources along the existing route set up by whichever underlying routing protocol is in place

A Model for User Based IP Traffic Accounting

Nowadays, accounting, charging and billing users' network resource consumption are commonly used for the purpose of facilitating reasonable network usage, controlling congestion, allocating cost, gaining revenue, etc. In traditional IP traffic accounting systems, IP addresses are used to identify the corresponding consumers of the network resources. However, there are some situations in which IP addresses cannot be used to identify users uniquely, for example, in multi-user systems. In these cases, network resource consumption can only be ascribed to the owners of these hosts instead of corresponding real users who have consumed the network resources. Therefore, accurate accountability in these systems is practically impossible. This is a flaw of the traditional IP address based IP traffic accounting technique. This dissertation proposes a user based IP traffic accounting model which can facilitate collecting network resource usage information on the basis of users. With user based IP traffic accounting, IP traffic can be distinguished not only by IP addresses but also by users. In this dissertation, three different schemes, which can achieve the user based IP traffic accounting mechanism, are discussed in detail. The inband scheme utilizes the IP header to convey the user information of the corresponding IP packet. The Accounting Agent residing in the measured host intercepts IP packets passing through it. Then it identifies the users of these IP packets and inserts user information into the IP packets. With this mechanism, a meter located in a key position of the network can intercept the IP packets tagged with user information, extract not only statistic information, but also IP addresses and user information from the IP packets to generate accounting records with user information. The out-of-band scheme is a contrast scheme to the in-band scheme. It also uses an Accounting Agent to intercept IP packets and identify the users of IP traffic. However, the user information is transferred through a separated channel, which is different from the corresponding IP packets' transmission. The Multi-IP scheme provides a different solution for identifying users of IP traffic. It assigns each user in a measured host a unique IP address. Through that, an IP address can be used to identify a user uniquely without ambiguity. This way, traditional IP address based accounting techniques can be applied to achieve the goal of user based IP traffic accounting. In this dissertation, a user based IP traffic accounting prototype system developed according to the out-of-band scheme is also introduced. The application of user based IP traffic accounting model in the distributed computing environment is also discussed.Ein Modell für Nutzerbasiertes IP-Verkehr Accountin

Diseño De Red De Comunicación De Datos Para La Institución Educativa Privada Emilio Soyer Cabero Ubicado En El Distrito De Chorrillos, Lima, Perú

El presente trabajo de investigación lleva por título “DISEÑO DE RED DE COMUNICACIÓN DE DATOS PARA LA INSTITUCIÓN EDUCATIVA PRIVADA EMILIO SOYER CABERO UBICADA EN EL DISTRITO DE CHORRILLOS, LIMA, PERÚ”, para optar el título de Ingeniero Electrónico y Telecomunicaciones, presentado por el alumno Jhaset Raúl Ortega Cubas. En primer lugar se aborda la realidad problemática observada relacionada con la importancia y necesidad de diseñar una Red de Comunicación de Datos con el fin de dotar a la Institución Educativa Privada Emilio Soyer Cabero de un sistema de transmisión de información mediante la comunicación de todos los dispositivos de red que ésta maneje para ventaja de los trabajadores, docentes y alumnos. La estructura que hemos seguido en este proyecto se compone de 3 capítulos. El primer capítulo comprende el planteamiento del problema, el segundo capítulo el desarrollo del marco teórico y el tercer capítulo corresponde al desarrollo del diseño

Estudo e implementação de uma infraestrutura de FCAPS na rede da Universidade do Porto

A dimensão dos recursos aplicacionais suportados pelas redes de comunicação desencadeia dificuldades de resposta que se traduzem no controlo, administração e monitorização, de modo a proporcionar elevados níveis de disponibilidade e qualidade dos serviços prestados. Assim, nos dias de hoje, torna-se cada vez mais importante reduzir os desafios operacionais, os quais, do ponto de vista da gestão e manutenção de uma rede de dados, compreendem a diminuição do tempo de inatividade desta, pois o contrário resultará em perdas de produtividade. Nesta circunstância, a gestão de rede proficiente e de alto desempenho, caracteriza-se num fator diferenciador crítico para todos os utilizadores de rede.N/

Implementation of realistic scenarios for ground truth purposes

Mestrado em Engenharia Electrónica e TelecomunicaçõesA segurança em redes de telecomunicações é um tópico que desde sempre gerou preocupação em todos os meios (instituições, empresas e outros) que utilizam estas redes. Novas ameaças ou mutações de ameaças já existentes surgem a uma elevada velocidade e os meios disponíveis parecem não ser suficientes para uma detecção positiva das mesmas. As respostas actuais para combater estas ameaças baseiam-se numa análise em tempo real do tráfego ou num treino prévio que muitas vezes tem que ser supervisionado por um ser humano que, dependendo da sua experiência na área pode estar a criar uma falha de segurança no sistema sem se aperceber do sucedido. Novas técnicas surgem para uma detecção eficaz de muitos ataques ou anomalias. No entanto, estas técnicas devem ser testadas de modo a validar o seu correcto funcionamento e, nesse sentido, são precisos fluxos de tráfego gerados na rede que possam ser utilizados sem comprometer a confidencialidade dos utilizadores e que obedeçam a critérios préestabelecidos. Com esta dissertação pretende-se constituir um conjunto de dados fiável e o mais abrangente possível de um conjunto de cenários realistas de rede, através da emulação em ambiente controlado de diferentes topologias, diferentes serviços e padrões de tráfego. Um outro objectivo fundamental deste trabalho passa por disponibilizar os dados obtidos à comunidade científica de modo a criar uma base de dados uniforme que permita avaliar o desempenho de novas metodologias de detecção de anomalias que venham a ser propostas. ABSTRACT: Security in telecommunication networks is a topic that has caused a lot of worries to network users (institutions, enterprises and others). New threats or mutations of existing ones appear at a very fast rate and the available solutions seem not to be enough for a positive detection of these threats. The solutions that are nowadays used to fight these threats require the realtime analysis of the network traffic or have to be previously trained. Most of the times, this training has to be supervised by a human being that, depending on his experience, can create a security breach in the system without knowing it. New techniques have been proposed in order to more efficiently detect many security attacks or threats. However, these techniques need to be tested in order to validate their correct functioning and, in order to do that, network traffic flows that can be used without compromising the users confidentiality and that obey to a pre-established criteria are needed. This dissertation intends to establish a set of trustworthy data as extensive as possible from a set of realistic network scenarios. Network emulation techniques will be used in a controlled environment, building different network topologies, with different services and traffic patterns. Another main objective of this work it is to make all this obtained data available to the scientific community in order to create a uniform data base that will allow the performance evaluation of new anomaly detection methodologies that can be proposed in the future