13 research outputs found

    Managing Access Control in Virtual Private Networks

    Get PDF
    Virtual Private Network (VPN) technology lets remote users use resources on a private network as if their hosts were attached to that network. However, each resource on the network may enforce its own access control policy, which may be entirely unrelated to network access. A user's access to the network (even via VPN) therefore does not guarantee access to the resources sought. With more elaborate privileges such as delegated access, a user may be able to reach the network remotely (by direct permission from the network administrator or by delegated permission) yet be unable to access any resource on it. There is therefore a need for a network access control mechanism that understands both the privileges of each remote user and the access control policies of the various network resources, and that can help a remote user reach those resources in accordance with the user's privileges. This research presents a software solution in the form of a centralized access control framework, the Access Control Service (ACS), which grants remote users network presence and at the same time helps them access network resources that have differing access control policies. The ACS also gives administrators a single place to manage access to their resources. It achieves these objectives using VPN technology, network address translation, and by proxying various authentication protocols on behalf of remote users.
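The two checks the abstract describes (is the user allowed on the network, directly or by delegation, and is the user allowed at each resource by that resource's own policy) are easy to conflate in practice. The following added example, which is not code from the thesis, models them as a small policy decision point: delegation chains are resolved back to a direct grant, per-resource policies are consulted separately, and the result records which authentication protocol the ACS would have to proxy and which internal address it would translate to. All users, resources, addresses and protocol names are made up, and the choice to withhold VPN presence when no resource is reachable is this example's, not the thesis's.

```python
from typing import Dict, Set

# Constructed policy data (hypothetical users, resources and rules; not from the thesis).
# Who may obtain network presence: a direct grant, or a delegation from another user.
NETWORK_GRANTS = {
    "alice": {"kind": "direct"},
    "bob":   {"kind": "delegated", "from": "alice"},
    "carol": {"kind": "delegated", "from": "bob"},
    "dave":  {"kind": "direct"},
}

# Per-resource policies, independent of network access, each with its own authentication protocol.
RESOURCE_POLICIES = {
    "fileserver": {"users": {"alice"},        "auth": "kerberos",   "addr": "10.0.0.10"},
    "wiki":       {"users": {"alice", "bob"}, "auth": "http-basic", "addr": "10.0.0.20"},
    "build-db":   {"users": set(),            "auth": "ldap",       "addr": "10.0.0.30"},
}


def has_network_access(user: str, revoked: Set[str] = frozenset(), _seen=()) -> bool:
    """Resolve the delegation chain: a delegated grant is only as good as the grantor's own access."""
    grant = NETWORK_GRANTS.get(user)
    if grant is None or user in revoked or user in _seen:   # unknown, revoked, or cyclic delegation
        return False
    if grant["kind"] == "direct":
        return True
    return has_network_access(grant["from"], revoked, _seen + (user,))


def accessible_resources(user: str) -> Dict[str, dict]:
    """Resource policy is evaluated on its own; network access plays no part here."""
    return {name: pol for name, pol in RESOURCE_POLICIES.items() if user in pol["users"]}


def plan_session(user: str, revoked: Set[str] = frozenset()) -> dict:
    """Decide, before handing out VPN presence, what the ACS will actually be able to do for the user.
    Design choice of this example (not the thesis): presence is withheld when no resource is reachable,
    so a user who holds only network rights gets no foothold on the private network."""
    if not has_network_access(user, revoked):
        return {"network": False, "vpn": False, "resources": {}}
    resources = accessible_resources(user)
    return {
        "network": True,
        "vpn": bool(resources),
        # resource -> the authentication protocol the ACS must proxy and the NAT target it must map to
        "resources": {name: {"proxy_auth": pol["auth"], "nat_target": pol["addr"]}
                      for name, pol in resources.items()},
    }
```

`carol` is the case the abstract warns about: her delegated grant resolves (carol, bob, alice, direct) so she may reach the network, but no resource policy names her, so the plan grants nothing. Revoking `alice` removes `bob` and `carol` at the same time, which is the property a centralized service gives that per-resource ACLs alone do not.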

    Розробка та реалізація мережних протоколів. Навчальний посібник (Development and Implementation of Network Protocols: A Textbook)

    Get PDF
    The development and implementation of network protocols is an important part of a modern field of knowledge, needed to interconnect the layers and the different technologies of any local or global network. Network protocols are based on international standards that ensure high-quality interaction between different innovative technologies and different network elements. They form a seven-layer structure that provides solutions to engineering and technical problems and requires constant updating and improvement, as well as the development of new protocols as the rules of interaction for all components of the global network. The development and implementation of network protocols requires continuous development and improvement in order to provide subscribers with highly reliable services with high-speed data transmission.

    The InfoSec Handbook

    Get PDF
    Computer science

    A Migration Path from GSM to GSM/GPRS

    Get PDF
    The General Packet Radio Service (GPRS) is a non-voice (data) value-added service that allows information to be sent and received across a mobile telephone network. GPRS caters to mobile users by giving them continuous access to the Internet and provides a major boost to mobile data communication. The aim of this thesis is to set up a migration path from GSM to GSM/GPRS (2.5G). The focus is on a real-world migration plan that can be implemented on the existing infrastructure of the MobiTel-Sudan network. The plan is implemented in three phases: phase 1 deploys GPRS in the centre of Khartoum, which is the focus here; phase 2 covers the centre of Khartoum North and Omdurman; phase 3 covers the rest of Sudan. The plan takes economic as well as technical factors into account. Migrating from GSM to GPRS requires additional packet-switching nodes and software upgrades in the base station subsystem (BSS) and the core network. In phase 1 we choose BSC3, BSC6 and MSC3/VLR3, which cover the centre of Khartoum and are located in Dar Elhatif, to be connected with the SGSN and GGSN. Because mobility management (for example routing area updates) plays a significant role in GPRS, we assume that BSC3 and BSC6 connected to the SGSN will form two routing areas in phase 1 to avoid inter-SGSN routing area updates; in the following phases, different forms of user mobility and their effects on traffic can be planned. Traffic in Erlang and hardware requirements have been calculated from the network's traffic and hardware dimensioning reports to accommodate GPRS on these nodes. We use Ericsson SGSN and GGSN and their specifications for this phase, in addition to an access server and firewalls.

    A security protocol for authentication of binding updates in Mobile IPv6.

    Get PDF
    Wireless communication technologies have come a long way, improving with every generational leap. As communications evolve, so do the system architectures, models and paradigms. The jump from 2G to 3G networks brought security improvements, yet security issues persist and will continue to plague mobile communications in the move to 4G networks if they are not addressed. 4G will be based on the transmission of Internet packets only, using an architecture known as Mobile IP. This offers many advantages, but security remains a fundamental issue to be resolved. One particular issue involves the route optimisation technique, which relies on binding updates: these allow the correspondent node to bypass the home agent and communicate directly with the mobile node. Binding updates carry a variety of security vulnerabilities, including interception of data packets, which lets an attacker eavesdrop on their contents (breaching the user's confidentiality) or modify transmitted packets for malicious purposes. Other possible vulnerabilities in Mobile IP include address spoofing, redirection and denial-of-service attacks. For many of these attacks, all the attacker needs to know is the IPv6 addresses of the mobile node's home agent and of the correspondent node. A variety of security solutions exist to prevent these attacks; two of the main ones are cryptography and authentication. Cryptography scrambles the transmitted data so that any intercepted packets are illegible to the attacker; only the party holding the relevant key can decrypt the message. Authentication is the process of verifying the identity of the user or device one is communicating with.

    Different authentication architectures exist, but many rely on a central server to verify users, creating a possible single point of attack. Decentralised authentication mechanisms are more appropriate to the nature of Mobile IP, and several such protocols are discussed. However, they all have flaws: they are either overly resource-intensive or give away vital address data that can be used to mount an attack. Location privacy is therefore investigated as a way of hiding this sensitive data. Finally, a security solution is proposed to address the vulnerabilities found in binding updates and to overcome the weaknesses of the examined solutions. The protocol proposed in this research involves three new security techniques. The first combines Cryptographically Generated Addresses and Return Routability, both established solutions, with a new authentication procedure to form the Distributed Authentication Protocol, which provides privacy, integrity and authentication. The second is an enhancement to Return Routability called Dual Identity Return Routability, which provides location verification and authentication for multiple identities on the same device. The third is called Mobile Home Agents, which provides device and user authentication while introducing location privacy and optimised communication routing. The three techniques can be used together or individually; when combined, each must be passed before the binding update is accepted.

    Cryptographically Generated Addresses assert the user's ownership of an IPv6 address by generating the interface identifier from a cryptographic one-way hash of the user's public key and auxiliary parameters. The binding between the public key and the address is verified by recomputing the hash and comparing it with the interface identifier. This proves ownership of the address, but not that the address is reachable. After address ownership is established, Return Routability sends two security tokens to the mobile node, one directly and one via the home agent. The mobile node combines them into an encryption key, the binding key, which lets the binding update be sent securely to the correspondent node. This validates the mobile node's location and proves that its home address is reachable through its home agent. Return Routability thus tests that the node is reachable but does not verify that the IPv6 address is owned by the user; combining it with Cryptographically Generated Addresses provides the best of both. The third element of the first solution is a decentralised authentication mechanism: the correspondent node requests authentication data from both the mobile node and the home agent. The mobile node sends the data in plain text (which could be encrypted with the binding key) and the home agent sends a hash of the data; the correspondent node hashes the former and compares the two hashes, and authentication succeeds if they match. This provides device and user authentication which, combined with Cryptographically Generated Addresses and Return Routability, forms the Distributed Authentication Protocol.

    The second technique enhances an existing solution. Dual Identity Return Routability builds on Return Routability by providing two Mobile IPv6 addresses on one mobile device, giving the user two separate identities. After address ownership is established with Cryptographically Generated Addresses, Dual Identity Return Routability sends security data to both identities, each on a separate network with its own home agent, and the mobile node combines the data to create the binding key that lets the binding update be sent securely to the correspondent node. This protects against address spoofing, since an attacker would need two separate, linked IP addresses; spoofing a single address will not pass this check. One drawback of the techniques described so far is that none of them provides location privacy to hide the user's IP address from attackers, and an attacker cannot mount a direct attack on a user it cannot see. The third new solution, Mobile Home Agents, addresses this: these are software agents that give the mobile node location privacy by acting as a proxy between it and the network. A Mobile Home Agent resides at the point of attachment and migrates to the new point of attachment at the same time as the mobile node, providing lower-latency communication and a secure environment for the mobile node.

    The solutions can be used separately or combined into a single security solution, as demonstrated in this thesis, which aims to provide proof of address ownership, reachability, user and device authentication, location privacy and reduced communication latency. All of these features are designed to protect against one of the most devastating attacks in Mobile IPv6, the false binding update, which allows an attacker to impersonate the mobile node and deny it service by redirecting all of its data packets to itself. The solutions are simulated under different scenarios and network configurations and against a variety of attacks that attempt to send a false binding update to the correspondent node. The results were collected and analysed and show that the proposed solutions are effective and robust in protecting against false binding updates, creating a safe and secure network.
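The combination described above (Cryptographically Generated Addresses for address ownership, Return Routability for reachability, both checked before a binding update is accepted) can be followed in code. The example below is added here and is not code from the thesis: it implements the RFC 3972 CGA hash construction and the RFC 6275 Return Routability keygen tokens, binding key and binding-update MAC, with a constructed home prefix, constructed addresses, nonce and Kcn, and a stand-in byte string in place of a DER-encoded public key. It then runs three binding updates against a correspondent node: a legitimate one, one whose care-of address an attacker rewrote to redirect traffic, and one in which an attacker claims the victim's home address under its own key.

```python
import hashlib
import hmac

# Added example (not code from the thesis). CGA follows RFC 3972; Return Routability follows
# RFC 6275 section 5.2. Prefix, addresses, Kcn, nonce and "public key" bytes are constructed.

def _first(nbits: int, data: bytes) -> bytes:
    return data[: nbits // 8]

# ---- Cryptographically Generated Addresses (RFC 3972) ----

def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2: the 16*Sec leftmost bits of SHA-1(modifier | 9 zero bytes | pubkey) must be zero."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[: 2 * sec] == b"\x00" * (2 * sec)

def _interface_id(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes, sec: int) -> bytes:
    """Hash1: 64 leftmost bits of SHA-1(modifier | prefix | collision count | pubkey);
    Sec is written into the top three bits and the u/g bits are cleared."""
    iid = bytearray(hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)

def cga_generate(prefix: bytes, pubkey: bytes, sec: int = 1):
    """Search modifiers until Hash2 passes (about 2**(16*sec) SHA-1 calls), then derive the address."""
    modifier = 0
    while not _hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier += 1
    params = {"modifier": modifier.to_bytes(16, "big"), "prefix": prefix,
              "collision_count": 0, "pubkey": pubkey, "sec": sec}
    return prefix + _interface_id(params["modifier"], prefix, 0, pubkey, sec), params

def cga_verify(address: bytes, p: dict) -> bool:
    """Anyone can recompute Hash1 and Hash2 from the public CGA parameters; no secret is needed."""
    if p["collision_count"] > 2 or address[:8] != p["prefix"] or not _hash2_ok(p["modifier"], p["pubkey"], p["sec"]):
        return False
    return address[8:] == _interface_id(p["modifier"], p["prefix"], p["collision_count"], p["pubkey"], p["sec"])

# ---- Return Routability (RFC 6275 section 5.2) ----

def binding_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA-1(home keygen token | care-of keygen token): an attacker needs both paths."""
    return hashlib.sha1(home_token + careof_token).digest()

def bu_mac(kbm: bytes, coa: bytes, cn: bytes, mh_data: bytes) -> bytes:
    return _first(96, hmac.new(kbm, coa + cn + mh_data, hashlib.sha1).digest())

class CorrespondentNode:
    def __init__(self, address: bytes, kcn: bytes):
        self.address = address
        self.kcn = kcn                  # CN-local secret, never sent on the wire
        self.nonces = {0: b"\x42" * 8}  # nonce index -> nonce; rotated periodically in real deployments

    def _keygen_token(self, addr: bytes, nonce_index: int, kind: int) -> bytes:
        msg = addr + self.nonces[nonce_index] + bytes([kind])   # kind 0 = home, 1 = care-of
        return _first(64, hmac.new(self.kcn, msg, hashlib.sha1).digest())

    def home_test(self, hoa: bytes, idx: int = 0) -> bytes:     # HoT: reaches the MN via its home agent
        return self._keygen_token(hoa, idx, 0)

    def care_of_test(self, coa: bytes, idx: int = 0) -> bytes:  # CoT: sent directly to the care-of address
        return self._keygen_token(coa, idx, 1)

    def accept_binding_update(self, bu: dict) -> bool:
        # 1. Ownership: the home address must be a CGA of the key the sender claims.
        if not cga_verify(bu["hoa"], bu["cga_params"]):
            return False
        # 2. Reachability: recompute both tokens statelessly from Kcn and check the MAC.
        kbm = binding_key(self.home_test(bu["hoa"], bu["home_nonce_index"]),
                          self.care_of_test(bu["coa"], bu["careof_nonce_index"]))
        return hmac.compare_digest(bu_mac(kbm, bu["coa"], self.address, bu["mh_data"]), bu["mac"])

def mobile_node_binding_update(hoa, coa, cga_params, home_token, careof_token, cn_address,
                               mh_data=b"BU seq=1 lifetime=300"):
    """The MN combines the tokens it received over two different paths into Kbm and MACs the BU."""
    kbm = binding_key(home_token, careof_token)
    return {"hoa": hoa, "coa": coa, "cga_params": cga_params, "home_nonce_index": 0,
            "careof_nonce_index": 0, "mh_data": mh_data, "mac": bu_mac(kbm, coa, cn_address, mh_data)}

def demo() -> dict:
    prefix = bytes.fromhex("20010db800010000")            # constructed home subnet prefix (64 bits)
    mn_key = b"mobile-node-public-key-bytes (stand-in)"   # stand-in for a DER-encoded RSA public key
    hoa, params = cga_generate(prefix, mn_key, sec=1)
    coa = bytes.fromhex("20010db8dead0000") + b"\x00" * 7 + b"\x05"   # constructed care-of address
    cn = CorrespondentNode(bytes.fromhex("20010db8cafe0000") + b"\x00" * 7 + b"\x09", kcn=b"cn-secret-Kcn")
    # Legitimate MN: gets the HoT via its home agent and the CoT directly, then sends the BU.
    bu = mobile_node_binding_update(hoa, coa, params, cn.home_test(hoa), cn.care_of_test(coa), cn.address)
    legitimate = cn.accept_binding_update(bu)
    # Attacker rewrites the care-of address to redirect the MN's traffic: the MAC no longer verifies.
    redirected = cn.accept_binding_update(dict(bu, coa=bytes.fromhex("20010db8bad00000") + b"\x00" * 8))
    # Attacker claims the victim's home address under its own key: the CGA check fails before RR runs.
    _, atk_params = cga_generate(prefix, b"attacker-public-key-bytes (stand-in)", sec=1)
    stolen = cn.accept_binding_update(dict(bu, cga_params=atk_params))
    return {"legitimate": legitimate, "redirected_care_of": redirected, "stolen_home_address": stolen}
```

The first check needs only the sender's public CGA parameters, which travel in the binding update; the second needs no per-mobile state at the correspondent node, which recomputes both keygen tokens from Kcn and the nonce indices. Neither check alone suffices: CGA without Return Routability says nothing about where the home address is reachable, and Return Routability without CGA accepts any home address whose home agent path the sender can observe. The thesis's decentralised authentication step and Dual Identity Return Routability are not modelled here.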

    Análisis de prestaciones de los protocolos de autenticación remota RADIUS y TACACS+ en infraestructura de comunicaciones corporativas (Analysis of the features of the remote authentication protocols RADIUS and TACACS+ in a corporate communications infrastructure)

    Get PDF
    The objective of this research was to analyse the features of the remote authentication protocols RADIUS and TACACS+ in a corporate communications infrastructure. Corporate infrastructures have problems managing their networks because of a lack of knowledge and security gaps, mainly in WLANs. The work therefore studies the characteristics and features of RADIUS and TACACS+, designs a test environment to validate what each protocol provides using open-source software, evaluates and verifies the correct operation of the selected protocols in order to establish comparison parameters, and produces a proposed technical guide for implementing remote authentication in corporate infrastructures, so that the integrity and security of clients connecting by any means can be improved and protected. To confirm the need for authentication mechanisms in wireless networks, a survey was conducted among the administrators of several public institutions in Riobamba: Corporación Nacional de Telecomunicaciones (CNT) Empresa Pública (Riobamba), the Consejo Provincial de Chimborazo and the Municipalidad de Riobamba. Asked whether they knew of the RADIUS or TACACS+ protocols, only CNT Riobamba reported knowing and using remote authentication and access control protocols in its infrastructure. The study concludes that TACACS+ has the better characteristics because it offers greater security benefits.
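The security benefit the study credits to TACACS+ rests on a concrete protocol difference the abstract does not spell out: RADIUS (RFC 2865) hides only the User-Password attribute, leaving the user name and every other attribute in clear, while TACACS+ (RFC 8907) obfuscates the entire packet body behind the header. The following added example, which is not part of the thesis or of any RADIUS or TACACS+ implementation, implements both transforms and builds a constructed Access-Request and a constructed TACACS+ authentication START so the difference is visible in the bytes on the wire; the shared secrets, session id, user name and password are made up.

```python
import hashlib
import os
import struct

# Added example, not from the thesis or from any RADIUS/TACACS+ implementation. Password hiding
# follows RFC 2865 section 5.2; body obfuscation follows RFC 8907 section 4.5. Secrets, session id,
# user name and password are constructed.

def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """c1 = p1 XOR MD5(secret | RA); c_i = p_i XOR MD5(secret | c_{i-1}); password NUL-padded to 16n bytes."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out

def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")   # RADIUS cannot carry trailing NUL bytes in a password

def radius_access_request(secret: bytes, identifier: int, username: bytes, password: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes. Only User-Password
    (type 2) is transformed; User-Name (type 1) and every other attribute go on the wire in clear."""
    ra = os.urandom(16)
    hidden = radius_hide_password(secret, ra, password)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs

def tacacs_obfuscate(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """Whole body XOR pseudo-pad, where pad = MD5(session_id|key|version|seq_no), then
    MD5(session_id|key|version|seq_no|previous MD5), ... Only the 12-byte header stays in clear.
    The transform is symmetric, so the same call deobfuscates."""
    pad, prev, sid = b"", b"", struct.pack("!I", session_id)
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

def tacacs_authen_start(username: bytes, password: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for PAP: action=LOGIN, priv_lvl=1,
    authen_type=PAP, authen_service=LOGIN, then user/port/rem_addr/data lengths, then the fields."""
    return bytes([1, 1, 2, 1, len(username), 0, 0, len(password)]) + username + password

def demo() -> dict:
    username, password = b"alice", b"correct horse battery"
    radius_secret, tacacs_key, session_id, version = b"radius-secret", b"tacacs-key", 0x1234ABCD, 0xC0
    pkt = radius_access_request(radius_secret, 7, username, password)
    ra, hidden = pkt[4:20], pkt[20 + 2 + len(username) + 2:]
    body = tacacs_authen_start(username, password)
    wire = tacacs_obfuscate(session_id, tacacs_key, version, 1, body)
    return {
        "radius_password_roundtrip": radius_reveal_password(radius_secret, ra, hidden) == password,
        "radius_username_in_clear": username in pkt,
        "radius_password_in_clear": password in pkt,
        "tacacs_username_in_clear": username in wire,
        "tacacs_password_in_clear": password in wire,
        "tacacs_roundtrip": tacacs_obfuscate(session_id, tacacs_key, version, 1, wire) == body,
        "tacacs_wrong_key": tacacs_obfuscate(session_id, b"wrong", version, 1, wire) == body,
    }
```

In the RADIUS packet an on-path observer reads the user name (and any NAS, port or vendor attributes) directly and can run an offline dictionary attack on the shared secret using the visible Request Authenticator and hidden password; in the TACACS+ packet only the header is readable. Both pads are keyed MD5 constructions rather than a modern cipher, so in either case the practitioner's caveat is the same: carry the protocol inside TLS or IPsec and treat the shared key as a high-value secret.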

    A framework for secure mobile computing in healthcare

    Get PDF
    Mobile computing is rapidly becoming part of healthcare’s electronic landscape, helping to provide better quality of care and reduced cost. While the technology provides numerous advantages to the healthcare industry, it is not without risk. The size and portable nature of mobile computing devices present a highly vulnerable environment, which threaten the privacy and security of health information. Since these devices continually access possibly sensitive healthcare information, it is imperative that these devices are considered for security in order to meet regulatory compliance. In fact, the increase in government and industry regulation to ensure the privacy and security of health information, makes mobile security no longer just desirable, but mandatory. In addition, as healthcare becomes more aware of the need to reinforce patient confidence to gain competitive advantage, it makes mobile security desirable. Several guidelines regarding security best practices exist. Healthcare institutions are thus faced with matching the guidelines offered by best practices, with the legal and regulatory requirements. While this is a valuable question in general, this research focuses on the aspect of considering this question when considering the introduction of mobile computing into the healthcare environment. As a result, this research proposes a framework that will aid IT administrators in healthcare to ensure that privacy and security of health information is extended to mobile devices. The research uses a comparison between the best practices in ISO 17799:2005 and the regulatory requirements stipulated in HIPAA to provide a baseline for the mobile computing security model. The comparison ensures that the model meets healthcare specific industry requirement and international information security standard. In addition, the framework engages the Information Security Management System (ISMS) model based on the ISO 27000 standard. 
    The framework, furthermore, points to existing technical security measures associated with mobile computing. It is believed that the framework can assist in achieving mobile computing security that is compliant with the requirements of the healthcare industry.

    Implementation of L2TP Compulsory Tunneling via RADIUS

    No full text