IPTV-Oriented Network Architecture

[EN] Although it emerged as a means to improve switching speed at the core network, MPLS has spread rapidly as a very !exible and robust solution for network providers to enable triple play services and reduce costs at the same time. As network complexity grows and a higher scalability is required to meet customer demands and give them the necessary Quality of Experience, more advanced features and functions must be included at the 'brains' of the network. To this end, a more automated and video delivery oriented path reservation mechanism based on RSVP-TE has been developed and tested in a lab environment with real-world ISP network equipment. We have added additional video intelligence capabilities to the network using Juniper routers and taking advantage of the JUNOS SDK for third-party developers. Finally, some measurements have been taken to validate our IPTV-oriented architecture, showing that it is possible to achieve a reasonably better bandwidth utilization by using the proposed video LSP reservation scheme.The work described in this paper was carried out with the support and network equipment of Juniper Network's Partner Solution Development Platform program.Murcia Olivares, V.; Delgado Calot, AP.; Arce Vila, P.; Guerri Cebollada, JC. (2011). IPTV-Oriented Network Architecture. Waves. 3(1):32-39. http://hdl.handle.net/10251/57651S32393

Android forensics: Automated data collection and reporting from a mobile device

As Android smartphones gain popularity, industry and government will face increasing pressure to integrate them into their environments. The implementation of these devices on an enterprise can save on costs and add capabilities previously unavailable; however, the organizations that incorporate this technology must be prepared to mitigate the associated risks. These devices can contain vast amounts of personal and work-related data that can impact internal investigations, including (but not limited to) those of policy violations, intellectual property theft, misuse, embezzlement, sabotage, and espionage. Physical access has been the traditional method for retrieving data useful to these investigations from Android devices, with the exception of some limited collection abilities in commercial mobile device management systems and remote enterprise forensics tools. As part of this thesis, a prototype enterprise monitoring system for Android smartphones was developed to continuously collect many of the data sets of interest to incident responders, security auditors, proactive security monitors, and forensic investigators. Many of the data sets covered were not found in other available enterprise monitoring tools. The prototype system neither requires root access privileges nor exploiting weaknesses in the Android architecture for proper operation, thereby increasing interoperability among Android devices and avoiding a spyware classification for the system. An anti-forensics analysis on the system was performed to identify and further strengthen areas vulnerable to tampering. The results of this research include the release of the first open-source Android enterprise monitoring solution of its kind, a comprehensive guide of data sets available for collection without elevated privileges, and the introduction of a novel design strategy implementing various Android application components useful for monitoring on the Android platform

Deliverable JRA1.1: Evaluation of current network control and management planes for multi-domain network infrastructure

This deliverable includes a compilation and evaluation of available control and management architectures and protocols applicable to a multilayer infrastructure in a multi-domain Virtual Network environment.The scope of this deliverable is mainly focused on the virtualisation of the resources within a network and at processing nodes. The virtualization of the FEDERICA infrastructure allows the provisioning of its available resources to users by means of FEDERICA slices. A slice is seen by the user as a real physical network under his/her domain, however it maps to a logical partition (a virtual instance) of the physical FEDERICA resources. A slice is built to exhibit to the highest degree all the principles applicable to a physical network (isolation, reproducibility, manageability, ...). Currently, there are no standard definitions available for network virtualization or its associated architectures. Therefore, this deliverable proposes the Virtual Network layer architecture and evaluates a set of Management- and Control Planes that can be used for the partitioning and virtualization of the FEDERICA network resources. This evaluation has been performed taking into account an initial set of FEDERICA requirements; a possible extension of the selected tools will be evaluated in future deliverables. The studies described in this deliverable define the virtual architecture of the FEDERICA infrastructure. During this activity, the need has been recognised to establish a new set of basic definitions (taxonomy) for the building blocks that compose the so-called slice, i.e. the virtual network instantiation (which is virtual with regard to the abstracted view made of the building blocks of the FEDERICA infrastructure) and its architectural plane representation. These definitions will be established as a common nomenclature for the FEDERICA project. Other important aspects when defining a new architecture are the user requirements. It is crucial that the resulting architecture fits the demands that users may have. Since this deliverable has been produced at the same time as the contact process with users, made by the project activities related to the Use Case definitions, JRA1 has proposed a set of basic Use Cases to be considered as starting point for its internal studies. When researchers want to experiment with their developments, they need not only network resources on their slices, but also a slice of the processing resources. These processing slice resources are understood as virtual machine instances that users can use to make them behave as software routers or end nodes, on which to download the software protocols or applications they have produced and want to assess in a realistic environment. Hence, this deliverable also studies the APIs of several virtual machine management software products in order to identify which best suits FEDERICA’s needs.Postprint (published version

Building Programmable Wireless Networks: An Architectural Survey

In recent times, there have been a lot of efforts for improving the ossified Internet architecture in a bid to sustain unstinted growth and innovation. A major reason for the perceived architectural ossification is the lack of ability to program the network as a system. This situation has resulted partly from historical decisions in the original Internet design which emphasized decentralized network operations through co-located data and control planes on each network device. The situation for wireless networks is no different resulting in a lot of complexity and a plethora of largely incompatible wireless technologies. The emergence of "programmable wireless networks", that allow greater flexibility, ease of management and configurability, is a step in the right direction to overcome the aforementioned shortcomings of the wireless networks. In this paper, we provide a broad overview of the architectures proposed in literature for building programmable wireless networks focusing primarily on three popular techniques, i.e., software defined networks, cognitive radio networks, and virtualized networks. This survey is a self-contained tutorial on these techniques and its applications. We also discuss the opportunities and challenges in building next-generation programmable wireless networks and identify open research issues and future research directions.Comment: 19 page

Intelligent Network Infrastructures: New Functional Perspectives on Leveraging Future Internet Services

The Internet experience of the 21st century is by far very different from that of the early '80s. The Internet has adapted itself to become what it really is today, a very successful business platform of global scale. As every highly successful technology, the Internet has suffered from a natural process of ossification. Over the last 30 years, the technical solutions adopted to leverage emerging applications can be divided in two categories. First, the addition of new functionalities either patching existing protocols or adding new upper layers. Second, accommodating traffic grow with higher bandwidth links. Unfortunately, this approach is not suitable to provide the proper ground for a wide gamma of new applications. To be deployed, these future Internet applications require from the network layer advanced capabilities that the TCP/IP stack and its derived protocols can not provide by design in a robust, scalable fashion. NGNs (Next Generation Networks) on top of intelligent telecommunication infrastructures are being envisioned to support future Internet Services. This thesis contributes with three proposals to achieve this ambitious goal. The first proposal presents a preliminary architecture to allow NGNs to seamlessly request advanced services from layer 1 transport networks, such as QoS guaranteed point-to-multipoint circuits. This architecture is based on virtualization techniques applied to layer 1 networks, and hides from NGNs all complexities of interdomain provisioning. Moreover, the economic aspects involved were also considered, making the architecture attractive to carriers. The second contribution regards a framework to develop DiffServ-MPLS capable networks based exclusively on open source software and commodity PCs. The developed DiffServ-MPLS flexible software router was designed to allow NGN prototyping, that make use of pseudo virtual circuits and assured QoS as a starting point of development. The third proposal presents a state of the art routing and wavelength assignment algorithm for photonic networks. This algorithm considers physical layer impairments to 100% guarantee the requested QoS profile, even in case of single network failures. A number of novel techniques were applied to offer lower blocking probability when compared with recent proposed algorithms, without impacting on setup delay time

Networking vendor strategy and competition and their impact on enterprise network design and implementation

Thesis (M.B.A.)--Massachusetts Institute of Technology, Sloan School of Management; and, (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science; in conjunction with the Leaders for Manufacturing Program at MIT, 2006.Includes bibliographical references (leaves 93-99).While a significant amount of literature exists that discuss platform strategies used by general IT vendors, less of it has to do with corporate networking technology vendors specifically. However, many of the same strategic principles that are used to analyze general IT vendors can also be used to analyze networking vendors. This paper extends the platform model that was developed by Michael Cusumano and Annabel Gawer to networking vendors, outlining the unique strategic aspects that the networking market possesses. The paper then reviews the strategy of the first dominant corporate datacom vendor, IBM, how it achieved its dominance, and how it lost it. The paper then discusses the strategies of various vendors who attempted to replace IBM as the dominant networking platform vendor and how they failed to do so. Finally, the paper discusses Cisco Systems, a vendor who did manage to achieve a level of dominance that parallels IBM's, and how that company has utilized its strategy to achieve and maintain its current dominance. Finally, Cisco's current strategic challenges are discussed. The impact of the strategies of the various vendors on the evolution of corporate networking is also discussed.by Ray Fung.S.M.M.B.A

Toward Automated Network Management and Operations.

Network management plays a fundamental role in the operation and well-being of today's networks. Despite the best effort of existing support systems and tools, management operations in large service provider and enterprise networks remain mostly manual. Due to the larger scale of modern networks, more complex network functionalities, and higher network dynamics, human operators are increasingly short-handed. As a result, network misconfigurations are frequent, and can result in violated service-level agreements and degraded user experience. In this dissertation, we develop various tools and systems to understand, automate, augment, and evaluate network management operations. Our thesis is that by introducing formal abstractions, like deterministic finite automata, Petri-Nets and databases, we can build new support systems that systematically capture domain knowledge, automate network management operations, enforce network-wide properties to prevent misconfigurations, and simultaneously reduce manual effort. The theme for our systems is to build a knowledge plane based on the proposed abstractions, allowing network-wide reasoning and guidance for network operations. More importantly, the proposed systems require no modification to the existing Internet infrastructure and network devices, simplifying adoption. We show that our systems improve both timeliness and correctness in performing realistic and large-scale network operations. Finally, to address the current limitations and difficulty of evaluating novel network management systems, we have designed a distributed network testing platform that relies on network and device virtualization to provide realistic environments and isolation to production networks.Ph.D.Computer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/78837/1/chenxu_1.pd

A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities

The relentless and often haphazard process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge they face is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the single point of failure in an otherwise formidable defense. This means one of the biggest challenges in vulnerability management relates to prioritization. Given that so few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations that an organization can use to prioritize its vulnerability management strategy will offer significant improvements over what is currently realized using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We identify the data mining steps needed to acquire, standardize, and integrate publicly available cyber intelligence data sets into a robust knowledge graph from which stakeholders can infer business logic related to known threats. We tested our approach by identifying vulnerabilities in academic and common software associated with six universities and four government facilities. Ranking policy performance was measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% to 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The ROI of patching using our policies resulted in a savings in the range of 23.3% to 25.5% in annualized unit costs. Our results demonstrate the efficiency of creating knowledge graphs to link large data sets to facilitate semantic queries and create data-driven, flexible ranking policies. Additionally, our framework uses only open standards, making implementation and improvement feasible for cyber practitioners and academia

Privacy by (re)design: a comparative study of the protection of personal information in the mobile applications ecosystem under United States, European Union and South African law.

Doctoral Degree. University of KwaZulu-Natal, Durban.The dissertation presents a comparative desktop study of the application of a Privacy by Design (PbD) approach to the protection of personal information in the mobile applications ecosystem under the Children’s Online Privacy Protection Act (COPPA) and the California Consumer Protection Act (CCPA) in the United States, the General Data Protection Regulation (GDPR) in the European Union, and the Protection of Personal Information Act (POPIA) in South Africa. The main problem considered in the thesis is whether there is an ‘accountability gap’ within the legislation selected for comparative study. This is analysed by examining whether the legislation can be enforced against parties other than the app developer in the mobile app ecosystem, as it is theorised that only on this basis will the underlying technologies and architecture of mobile apps be changed to support a privacy by (re)design approach. The key research question is what legal approach is to be adopted to enforce such an approach within the mobile apps ecosystem. It describes the complexity of the mobile apps ecosystem, identifying the key role players and the processing operations that take place. It sets out what is encompassed by the conceptual framework of PbD, and why the concept of privacy by (re)design may be more appropriate in the context of mobile apps integrating third party services and products. It identifies the core data protection principles of data minimisation and accountability, and the nature of informed consent, as being essential to an effective PbD approach. It concludes that without strengthening the legal obligations pertaining to the sharing of personal information with third parties, neither regulatory guidance, as is preferred in the United States, nor a direct legal obligation, as created by article 25 of the GDPR, is adequate to enforce a PbD approach within the mobile apps ecosystem. It concludes that although a PbD approach is implied for compliance by a responsible party with POPIA, legislative reforms are necessary. It proposes amendments to POPIA to address inadequacies in the requirements for notice, and to impose obligations on a responsible party in relation to the sharing of personal information with third parties who will process the personal information for further, separate purposes

A pragmatic approach toward securing inter-domain routing

Internet security poses complex challenges at different levels, where even the basic requirement of availability of Internet connectivity becomes a conundrum sometimes. Recent Internet service disruption events have made the vulnerability of the Internet apparent, and exposed the current limitations of Internet security measures as well. Usually, the main cause of such incidents, even in the presence of the security measures proposed so far, is the unintended or intended exploitation of the loop holes in the protocols that govern the Internet. In this thesis, we focus on the security of two different protocols that were conceived with little or no security mechanisms but play a key role both in the present and the future of the Internet, namely the Border Gateway Protocol (BGP) and the Locator Identifier Separation Protocol (LISP). The BGP protocol, being the de-facto inter-domain routing protocol in the Internet, plays a crucial role in current communications. Due to lack of any intrinsic security mechanism, it is prone to a number of vulnerabilities that can result in partial paralysis of the Internet. In light of this, numerous security strategies were proposed but none of them were pragmatic enough to be widely accepted and only minor security tweaks have found the pathway to be adopted. Even the recent IETF Secure Inter-Domain Routing (SIDR) Working Group (WG) efforts including, the Resource Public Key Infrastructure (RPKI), Route Origin authorizations (ROAs), and BGP Security (BGPSEC) do not address the policy related security issues, such as Route Leaks (RL). Route leaks occur due to violation of the export routing policies among the Autonomous Systems (ASes). Route leaks not only have the potential to cause large scale Internet service disruptions but can result in traffic hijacking as well. In this part of the thesis, we examine the route leak problem and propose pragmatic security methodologies which a) require no changes to the BGP protocol, b) are neither dependent on third party information nor on third party security infrastructure, and c) are self-beneficial regardless of their adoption by other players. Our main contributions in this part of the thesis include a) a theoretical framework, which, under realistic assumptions, enables a domain to autonomously determine if a particular received route advertisement corresponds to a route leak, and b) three incremental detection techniques, namely Cross-Path (CP), Benign Fool Back (BFB), and Reverse Benign Fool Back (R-BFB). Our strength resides in the fact that these detection techniques solely require the analytical usage of in-house control-plane, data-plane and direct neighbor relationships information. We evaluate the performance of the three proposed route leak detection techniques both through real-time experiments as well as using simulations at large scale. Our results show that the proposed detection techniques achieve high success rates for countering route leaks in different scenarios. The motivation behind LISP protocol has shifted over time from solving routing scalability issues in the core Internet to a set of vital use cases for which LISP stands as a technology enabler. The IETF's LISP WG has recently started to work toward securing LISP, but the protocol still lacks end-to-end mechanisms for securing the overall registration process on the mapping system ensuring RLOC authorization and EID authorization. As a result LISP is unprotected against different attacks, such as RLOC spoofing, which can cripple even its basic functionality. For that purpose, in this part of the thesis we address the above mentioned issues and propose practical solutions that counter them. Our solutions take advantage of the low technological inertia of the LISP protocol. The changes proposed for the LISP protocol and the utilization of existing security infrastructure in our solutions enable resource authorizations and lay the foundation for the needed end-to-end security