SSL Virtual Private Networks

Import 05/08/2014Táto diplomová práca sa zaoberá virtuálnymi privátnymi sieťami (VPN) typu SSL(Secure Socket Layer). Vysvetľuje ich princíp, popisuje technológiu využívanú pri tvorbe tohto typu VPN. Predstavuje vybrané návrhy a realizácie SSL VPN s implementáciou asymetrického smerovania a zrovnáva výhody a nevýhody ich použitia. Konfigurácie sú realizované na platformách Open source(Linux), MikroTik typu Site-to- Site a Remote Client postavené na protokole SSTP, ktorý je zapuzdrený s SSL/TLS vrstve. V ďalšej použitej platforme Cisco je konfigurácia prevedená pomocou grafického rozhrania SDM 2.5(Security Device Manager), ktorý konfiguráciu zjednodušuje a značne urýchľuje. Na platforme Cisco je realizácia prevedená v troch spôsoboch. A to typu Clientless, Thin-Client a Tunnel mode.This thesis talks about virtual private networks (VPN) type SSL (Secure Socket Layer). The paper explains its principle, describes the technology used for creation of such VPN type. Also it presents chosen drafts and realization of SSL VPN featuring the implementation of asymmetric routing together with comparison of its pros and cons. The configurations are done on platforms like Open source (Linux), MikroTik type Site-to- site and Remote Client which are all based on SSTP protocol that is encapsulated in SSL/TLS layer. In the next used Cisco platform, the configuration is done by the graphic interface SDM 2.5 (Security Device Manager), that makes the configuration more simple and faster. On Cisco platform the realization is done in three ways. Namely the type Clientless, Thin-Client and Tunnel mode.460 - Katedra informatikydobř

Open Source Solution of SSL Virtual Private Networks

Import 21/10/2013Bakalářská práce se zabývá bezplatným řešením SSL virtuálních privátních sítí a jejich realizaci pomocí softwaru spadající pod licenci open source. Zájemcům o výše uvedené téma nabízí informace o softwaru OpenVPN, historii, vývoji a možnostech jeho konfigurací s využitím různých metod zabezpečení přenášených dat. Součásti práce je uveden postup pro konfiguraci softwaru OpenVPN verze 2.2 se sílenými klíči a OpenVPN verze 2.2 s využitím SSL certifikátů. Uveden je také postup konfigurace mobilních zařízení fungující na operačních systémech Apple iOS 5.0 nebo vyšší a Android 4.0 nebo vyšší.The bachelors thesis deals with solution of SSL private virtual networks which is free of charge and its realization on software which goes to open source licence. The goal of this thesis is to offer an information about history, developement and possibilities of configuration OpenVPN system and possibilities of using different methods for protection of transmitted data, mainly for clients who are interested in this subject. The second part of the thesis is a proper process of configuration of OpenVPN version 2.2 software with pre-shared keys and OpenVPN verison 2.2 with SSL certificates. There is also a manual for mobile devices working on Apple iOS 5.0 or higher and Android 4.0 or higher.440 - Katedra telekomunikační technikyvelmi dobř

Examining security in mobile communication networks

Due to advanced technological developments, mobile phone and other wireless device usage is increasing rapidly. The contents of the multimedia messages may be very important and confidential. Such confidentiality needs to be protected. Any interference and/or interceptions in the communication process would bring reduced system usage and disgruntled stakeholders. This paper discusses the several aspects of security of The Global System for Mobile communication or Group Special Mobile (GSM). In addition it examines how GSM protects the data from interception by authentication, encryption, and ciphering. It furthermore considers some likely flaws in these security methods and suggests possible measures to curb the flaws

Investigating Issues in Mobile Network (In)Security

The provision of adaptive content to mobile wireless devices has increasingly become very pertinent. Mobile smart phones and other wireless device usage is increasing daily with ground breaking technological developments – in design, style, content and micro-chips performance. Transmission of data in such environments requires absolute security to protect the individual and content. Any interference and interceptions in the communication process would bring about reduce system usage and development benefits. And with the rapid development in global communication networks, the threat of security and in particular that of cellular telecommunication systems is real and highly dangerous. This paper presents Investigating Issues to evaluate the data security protection accorded by the global telecommunication systems against interception, using encryption, authentication, and ciphering. It will also attempt to discuss several issues of mobile wireless (in)security. In so doing, some security flaws in these approaches will be examined and some suggestions made

An agent-based framework for secure and privacy-preserving personalized information services

Los proveedores de servicios ubicuos de próxima generación se enfrentan a una competencia cada vez mayor. En Para atraer y satisfacer a los clientes, estos servicios deben ofrecer un valor añadido, p. por entregando información personalizada de una manera fluida y multimodal. Personalizado Sin embargo, los servicios generan requisitos adicionales relacionados con la privacidad y la seguridad, que deben abordarse para que los servicios sean ampliamente aceptados. La habilidad diseñar, implementar y desplegar servicios de información personalizados de forma segura, La forma respetuosa con la privacidad y, al mismo tiempo, altamente eficiente se está convirtiendo en un éxito clave factor para los proveedores de servicios. Sin embargo, las arquitecturas actuales de desarrollo de servicios por lo general no cubren todos los aspectos relevantes del proceso de desarrollo del servicio, lo que resulta en una sobrecarga de desarrollo innecesaria por parte del proveedor de servicios. Presentamos un Framework de Serviceware basado en agentes que ayuda a los proveedores de servicios a desarrollar servicios de información personalizados, mejorando así la aceptación de los usuarios y reduciendo el tiempo de comercialización de las aplicaciones resultantes. Describimos la utilización de diferentes módulos del marco, que ofrecen funcionalidad para contexto consciente servicios en general, centrándose en el módulo de personalización, incluida la privacidad tecnologías de mejora. Además, presentamos el Smart Event Assistant, un aplicación prototípica para la planificación personalizada, fluida y ubicua de actividades de entretenimiento, que hemos implementado en base a este Serviceware Estructura.Providers of next-generation ubiquitous services are facing increasing competition. In order to attract and satisfy customers, these services must offer added value e.g. by delivering personalized information in a seamless and multi-modal way. Personalized services, however, bring about additional requirements related to privacy and security, which have to be addressed if the services are to become widely accepted. The ability to design, implement and deploy personalized information services in a secure, privacy-friendly and at the same time highly efficient way is becoming a key success factor for service providers. Nevertheless, current service development architectures usually fail to cover all relevant aspects of the service development process, resulting in an unnecessary development overhead on the side of the service provider. We introduce an agent-based Serviceware Framework assisting service providers in developing personalized information services, thus improving user acceptance and reducing the time-to-market of the resulting applications. We describe the utilization of different modules of the framework, which offer functionality for context-aware services at large, focusing on the module for personalization including privacy enhancing technologies. In addition, we present the Smart Event Assistant, a prototypical application for personalized, seamless and ubiquitous planning of entertainment activities, which we have implemented based on this Serviceware Framework

Security access to networks

Import 29/09/2010Cílem diplomové práce je teoretické shrnutí bezpečnostních mechanismů při přístupu do IT infrastruktury se zaměřením na stávající trend mobility pracovníků a jejich potřeby mít přístupná podniková data na služebních cestách i doma vzhledem k vzrůstajícímu významu tzv. práce z domu a dále se zaměřením na podnikové partnery vzhledem k zpřístupnění některých podnikových dat svým zákazníkům. V práci jsou popsány konkrétní systémy spojené se vzdáleným přístupem RAS (Remote Access Service) a také je zde věnována pozornost problematice hesel. Praktická část se zabývá konkrétní konfigurací SSL VPN na zařízení Juniper Network SA6500 a jeho ověření v praxi.Diploma work is focused mainly on theoretical describing of security mechanisms for accessing into IT infrastructure considering new trends in mobility of employees and on their need to use company datacenters remotely on business trips or from home offices. Regarding on-line business activities customers or trading partners require access to some company’s data and efficient security mechanisms are necessary to be employed. Particular systems associated with security of RAS (Remote Access Service) and login problems are defined as well. Practical part of this work describes configuration of SSL VPN on device Juniper Network SA6500 and its testing in praxis.Prezenční454 - Katedra telekomunikační technikyvelmi dobř

Towards the Development of Network Service Cost Modeling-An ISP Perspective

Accurate network costing provides insightful information to any ISP for better network planning, profits, and decision making. Developing precise cost models for communication network services has always been a challenge for Internet Service Providers (ISP) due to the complex nature of today’s advanced shared cloud and network infrastructure. Currently, developing and maintaining such cost models require significant effort and time for the network planners in an ISP. The proposed novel methodology reduces the development cycle time significantly for the cost model, which leads to the ISP’s operational cost savings. We also experimented with K-means clustering for grouping router costs in the study, which provided similar unit cost results. To prove the operational savings, we evaluated a quantitative example considering the current practice as well as our proposed methods. We considered three network services: IPVPN service, Transport Lease service, and High-Speed Internet service for the experiments. We conducted simulations, and estimated service unit costs to validate the accuracy and effectiveness of our proposed approaches. We have compared results from proposed strategies with the existing cost mechanism and computed the performance improvement cost gap for different network sizes. This cost gap (delta) exhibited that the difference between the service cost values is significantly negligible, which proved the efficiency of our cost model

Practical Encryption Gateways to Integrate Legacy Industrial Machinery

Future industrial networks will consist of a mixture of old and new components, due to the very long life-cycles of industrial machines on the one hand and the need to change in the face of trends like Industry 4.0 or the industrial Internet of things on the other. These networks will be very heterogeneous and will serve legacy as well as new use cases in parallel. This will result in an increased demand for network security and precisely within this domain, this thesis tries to answer one specific question: how to make it possible for legacy industrial machines to run securely in those future heterogeneous industrial networks. The need for such a solution arises from the fact, that legacy machines are very outdated and hence vulnerable systems, when assessing them from an IT security standpoint. For various reasons, they cannot be easily replaced or upgraded and with the opening up of industrial networks to the Internet, they become prime attack targets. The only way to provide security for them, is by protecting their network traffic. The concept of encryption gateways forms the basis of our solution. These are special network devices, that are put between the legacy machine and the network. The gateways encrypt data traffic from the machine before it is put on the network and decrypt traffic coming from the network accordingly. This results in a separation of the machine from the network by virtue of only decrypting and passing through traffic from other authenticated gateways. In effect, they protect communication data in transit and shield the legacy machines from potential attackers within the rest of the network, while at the same time retaining their functionality. Additionally, through the specific placement of gateways inside the network, fine-grained security policies become possible. This approach can reduce the attack surface of the industrial network as a whole considerably. As a concept, this idea is straight forward and not new. Yet, the devil is in the details and no solution specifically tailored to the needs of the industrial environment and its legacy components existed prior to this work. Therefore, we present in this thesis concrete building blocks in the direction of a generally applicable encryption gateway solution that allows to securely integrate legacy industrial machinery and respects industrial requirements. This not only entails works in the direction of network security, but also includes works in the direction of guaranteeing the availability of the communication links that are protected by the gateways, works to simplify the usability of the gateways as well as the management of industrial data flows by the gateways

Establishing security and privacy policies for an on-line auction

The current Enterprise Resource Planning (ERP) project is a proposal to use business-to-business electronic commerce to provide a means of developing markets for end-of-life products and their components. The objective is to develop a science and technology base for a scalable and secure hub for reverse logistics e-commerce in which users can buy and sell used or surplus products, components, and materials as well as provide a service for disposing of them responsibly. A critical part of the project is the design of security architecture, as well as security and privacy policies for the project\u27s on-line electronic marketplace. Security for the auction website should focus on three concerns: prevention, detection, and response. Prevention consists of four basic characteristics of computer security: authentication, confidentiality, integrity, and availability. We will also analyze some of the vulnerabilities and common attacks of sites on the web, and ways to defend against them. Detection involves several approaches to monitor traffic on the internal network and log the activities of users. This is important to provide forensic evidence when a site is compromised. Detection, however, is useless without some type of response, either through patching new-found security holes, contacting vendors to report security weaknesses and new viruses, or contacting local and federal agencies to assist in closing those holes or bringing violators to justice. We will look at these issues, as well as trust in auctions - allowing buyers and sellers to determine if a user if trustworthy or not - and automatic schemes for preventing a fraudulent user from exploiting that trust

Tietoturvalliset tietoliikenneyhteydet yritysympäristössä

Diplomityössä käsitellään tietoliikenneverkkojen ja yhteyksien tietoturvallisuutta yritysympäristössä. Aihealuetta tarkastellaan esimerkkiyrityksenä olevan ABB Oy:n näkökulmasta. Tutkimuksen tavoitteena on luoda yleinen konsepti tietoturvallisten tietoliikenneyhteyksien luomiseen ABB Oy:n ja kolmansien osapuolien tietojärjestelmien välille. Konsepti kattaa liiketoimintayksiköiden merkittävimmät käyttötarpeet sekä noudattaa ABB:n yhtymänlaajuisia tietoturvavaatimuksia. Tutkimuksessa käytettävä aineisto koostuu yhtymän tietoturvavaatimuksista, aihealueesta aiemmin tehdyistä selvityksistä ja tutkimuksista sekä yrityksessä tehtävästä tarvekartoituksesta. Tarvekartoitus toteutetaan haastattelututkimuksena ja sen tavoitteena on tunnistaa liiketoimintayksiköiden olemassa olevat käyttötarpeet. Työn lopputuloksena laadittiin asetetut tavoitteet täyttänyt yleinen malli tietoliikenneyhteyksien muodostamiseen yhtiön ja kolmansien osapuolien välille. Luodun mallin ja siinä määriteltyjen palvelukonseptien avulla voidaan saavuttaa merkittäviä resurssisäästöjä ja parannuksia tietoliikenneverkon tietoturvaan.fi=Opinnäytetyö kokotekstinä PDF-muodossa.|en=Thesis fulltext in PDF format.|sv=Lärdomsprov tillgängligt som fulltext i PDF-format