
    A Platform for Safer and Smarter Networks

    The number of devices connected to the Internet is growing exponentially. These devices, which include smartphones, tablets, workstations and Internet of Things devices, save users cost and time by automating routine tasks, but they also introduce security and privacy concerns. They are connected to small office/home-office (SOHO) and enterprise networks, where users have little to no information about the threats associated with these devices or about how to manage them properly to protect their privacy and data. We propose a new platform to automate the security and management of the networks that provide connectivity to billions of connected devices. The platform is a low-cost, scalable and easy-to-deploy system that provides network security and management features as a service. It consists of two main components: Securebox and the Security and Management Service (SMS). Securebox is a newly designed OpenFlow-enabled gateway residing in edge networks; it enforces the security and management decisions provided by SMS. SMS runs a number of traffic analysis services that analyze user traffic on demand for botnet, spamnet and malware detection. SMS also supports deploying software-based middleboxes on demand to analyze user traffic in an isolated environment, and it handles the configuration updates, load balancing and scaling of these middlebox deployments. In contrast to the current state of the art, the proposed platform offloads security and management tasks to an external entity, which brings advantages in deployment, management, configuration updates and device security. We have tested this platform in real-world scenarios. Evaluation results show that the platform can be deployed efficiently and incrementally in traditional networks, while giving users an experience similar to connectivity with the security features embedded in it.

    Security of Home Firewalls (Kotipalomuurien tietoturva)

    A home network is a sensitive target for crime and espionage. A firewall is one way to protect networks, alongside anti-virus software. It is a system located at the boundary between two networks, and all traffic must pass through it; the user can configure suitable rules for it. Worms, intrusions, malware and denial-of-service (DoS) attacks are threats to the home network. The thesis surveys different types of firewalls and ways of finding security holes, that is, vulnerabilities. The pfSense firewall was tested in home use and its usability was assessed by configuring different rules for it. In addition, open ports were searched for with a self-written client program, and the home network was checked for vulnerabilities with the Nessus Essentials Vulnerability Scanner. The results showed that pfSense is not necessarily the most user-friendly option for a home user, because it requires the user to study it first. No critical vulnerabilities were found in the home network. The experimental part examined how the security of home networks could be improved effectively and how possible threats could best be prevented.
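The thesis mentions searching for open ports with a self-written client program. The block below is an added example of such a client, written for this page and not taken from the thesis: a TCP connect scanner built on the Python standard library. The gateway address and port list in the usage section are assumptions; scan only networks you own, since a connect scan completes the handshake and is visible to the target service and to any firewall (pfSense included) in front of it.

```python
# Added example: a minimal TCP connect scanner of the kind the thesis's "own client
# program" performs. Not the thesis's code; standard library only.
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True when a full TCP handshake completes on host:port.

    A connect() scan is the noisiest but most reliable technique: no raw sockets or
    privileges are needed, and a refused or filtered port simply fails to connect.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, unreachable or timed out (socket.timeout is an OSError)
            return False


def scan(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 32) -> List[int]:
    """Probe the given ports concurrently and return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


if __name__ == "__main__":
    # Ports a home gateway commonly exposes; the gateway address is an assumption.
    COMMON = [21, 22, 23, 53, 80, 443, 445, 1900, 8080, 8443]
    print("open:", scan("192.168.1.1", COMMON))
```

A filtered port (the firewall drops the SYN) costs the full timeout, so a large port range against a pfSense box with a default-deny WAN rule will be slow; raising the worker count or lowering the timeout trades accuracy for speed.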

    Ethical Hacking for IoT Security: A First Look into Bug Bounty Programs and Responsible Disclosure

    The security of the Internet of Things (IoT) has attracted much attention due to the growing number of IoT-oriented security incidents. IoT hardware and software vulnerabilities are being exploited, affecting many companies and individuals. Since the causes of vulnerabilities go beyond purely technical measures, there is a pressing need to demystify the IoT "security complex" and to develop practical guidelines for companies, consumers and regulators. In this paper we present an initial study of an unexplored area of IoT, illuminating the potential of crowdsourced ethical hacking approaches for improving IoT vulnerability management. We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which encourage hackers to report vulnerabilities in exchange for monetary rewards. We carried out a qualitative investigation, supported by a literature survey and expert interviews, to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path for combining BBP and RD with existing security practices (e.g., penetration testing) to further boost overall IoT security. Comment: Pre-print version for conference publication at ICTRS 201

    Defending Against IoT-Enabled DDoS Attacks at Critical Vantage Points on the Internet

    The number of Internet of Things (IoT) devices continues to grow every year. Unfortunately, with this growth the Internet is also witnessing a rise in the number and scale of IoT-enabled distributed denial-of-service (DDoS) attacks, yet there is a lack of network-based solutions targeted directly at IoT networks to address the problem. Unlike most IoT security approaches, which focus on hardening device security through hardware and/or software modification and are in many cases infeasible, we introduce network-based approaches to IoT-enabled DDoS attacks. We argue that, to defend the Internet effectively against IoT-enabled DDoS attacks, network-wide defense must be considered at critical vantage points on the Internet. This dissertation focuses on three inherently connected and complementary components: (1) preventing IoT devices from being turned into DDoS bots by inspecting traffic towards IoT networks at an upstream ISP/IXP, (2) detecting DDoS traffic leaving an IoT network by inspecting traffic at its gateway, and (3) mitigating attacks as close as possible to the devices in the IoT network that originate the DDoS traffic. To this end, we present three security solutions, one for each component, to defend against IoT-enabled DDoS attacks.
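Components (2) and (3), gateway-side detection of outbound DDoS traffic and mitigation next to the offending device, are the kind of logic that is easiest to understand from code. The block below is an added example written for this page, not the dissertation's own detector, which it does not publish here. It aggregates one window of flow records per LAN source and applies three simple heuristics (packet rate, destination fan-out, small-packet floods); the flow records, device addresses and thresholds are all constructed for the example, and the iptables rules assume a Linux-based gateway.

```python
# Added example: egress-side DDoS detection at an IoT gateway over constructed flow
# records. Illustrates components (2) and (3) with simple per-source heuristics; it is
# not the dissertation's detector. Thresholds and sample data are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds from window start (constructed)
    src: str       # IoT device on the LAN side of the gateway
    dst: str       # destination on the Internet side
    dport: int
    proto: str
    pkts: int
    bytes: int


@dataclass
class Verdict:
    src: str
    pps: float
    fanout: int
    avg_bytes: float
    reasons: List[str] = field(default_factory=list)


def constructed_sample() -> List[Flow]:
    """Three devices over a 10 s window: a camera streaming normally, a smart plug
    flooding one victim with small TCP packets, and a bulb spraying small UDP packets
    at many hosts. All values are made up for the example."""
    flows = [Flow(0.0, "10.0.0.5", "203.0.113.10", 443, "tcp", 1200, 900_000),
             Flow(5.0, "10.0.0.5", "203.0.113.10", 443, "tcp", 1100, 850_000)]
    flows += [Flow(0.5 * i, "10.0.0.9", "198.51.100.7", 80, "tcp", 400, 400 * 60)
              for i in range(20)]
    flows += [Flow(0.1 * i, "10.0.0.7", f"192.0.2.{i + 1}", 53, "udp", 10, 10 * 70)
              for i in range(80)]
    return flows


def detect(flows: List[Flow], window: float = 10.0, pps_limit: float = 500.0,
           fanout_limit: int = 50, tiny_pkt_bytes: float = 100.0) -> Dict[str, Verdict]:
    """Aggregate one window of flows per source; return only the sources that look
    like DDoS bots, with the reason(s) each rule fired."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    flagged: Dict[str, Verdict] = {}
    for src, fl in by_src.items():
        pkts = sum(f.pkts for f in fl)
        if pkts == 0:
            continue
        v = Verdict(src=src, pps=pkts / window, fanout=len({f.dst for f in fl}),
                    avg_bytes=sum(f.bytes for f in fl) / pkts)
        if v.pps > pps_limit:                                    # volumetric flood
            v.reasons.append("packet rate")
        if v.fanout > fanout_limit:                              # scanning / reflection spraying
            v.reasons.append("destination fan-out")
        if v.avg_bytes < tiny_pkt_bytes and v.pps > pps_limit / 2:   # SYN/UDP flood shape
            v.reasons.append("tiny packets")
        if v.reasons:
            flagged[src] = v
    return flagged


def block_rules(flagged: Dict[str, Verdict]) -> List[str]:
    """Mitigation as close to the device as possible (component (3)): drop the bot's
    forwarded traffic at the gateway. Emitted as iptables commands for a Linux gateway."""
    return [f"iptables -I FORWARD -s {src} -j DROP" for src in sorted(flagged)]


if __name__ == "__main__":
    verdicts = detect(constructed_sample())
    for v in verdicts.values():
        print(f"{v.src}: {v.pps:.0f} pps, fan-out {v.fanout}, "
              f"avg {v.avg_bytes:.0f} B -> {v.reasons}")
    print("\n".join(block_rules(verdicts)))
```

In this sample the camera (10.0.0.5) stays below every threshold, the plug (10.0.0.9) trips the rate and small-packet rules, and the bulb (10.0.0.7) is caught only by its fan-out, which is why a single volumetric threshold is not enough at the gateway. A real deployment would derive the thresholds from a per-device baseline rather than fixed constants, and would prefer a rate limit over a hard drop for devices whose traffic is ambiguous.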

    Programmable Seamless Multiconnectivity (Ohjelmoitava saumaton moniliitettävyys)

    Our devices have become accustomed to being always connected to the Internet. From handheld devices such as smartphones and tablets to laptops and even desktop PCs, they can use both wired and wireless networks, ranging from mobile networks such as 5G (and 6G in the future) to Wi-Fi, Bluetooth and Ethernet. The applications running on them can use transport protocols ranging from traditional TCP and UDP to state-of-the-art protocols such as QUIC. However, most applications still use TCP, UDP and other protocols much as they were originally designed in the 1980s, four decades ago: a transport connection is a single path from source to destination, following the end-to-end principle without taking advantage of the multiple available transports. Over the years there has been a great deal of research on multihoming and multipath protocols, i.e., on letting transports use multiple paths and interfaces to the destination, which would allow better mobility and more efficient use of the available transports. Internet ossification has hindered their deployment, however. One of the main causes of ossification is IPv4 Network Address Translation (NAT), introduced in 1993, which allowed whole networks to be hosted behind a single public IP address. Unfortunately, how this many-to-one translation should be done was never thoroughly standardized, so vendors implemented their own versions of NAT. Besides breaking the end-to-end principle, the different NAT implementations behave unpredictably when they encounter transport protocols other than TCP and UDP, from forwarding packets without translating their headers to discarding packets they do not recognize.
Similarly, in the context of multiconnectivity, NATs and other middleboxes such as firewalls and load balancers are likely to prevent connection establishment for multipath protocols unless they have been specifically designed to support that particular protocol. One promising avenue for solving these issues is Software-Defined Networking (SDN). SDN lets the forwarding elements of the network remain relatively simple by separating the data plane from the control plane. The control plane is realized by SDN controllers, which decide how traffic is forwarded by the data plane; this gives the controllers full control over the traffic inside the network, allowing fine-grained control of connections and faster deployment of new protocols. Unfortunately, SDN-capable network elements are still rare in Small Office / Home Office (SOHO) networks, since legacy forwarding elements without SDN support handle the majority of contemporary protocols. The most glaring example is Wi-Fi, where the Access Points (APs) typically do not support SDN and let traffic flow between clients outside the control of the SDN controllers. In this thesis we give the background on why multiconnectivity is still hard despite decades of research on the problem. We also show how the same devices that made multiconnectivity hard can be used to bring SDN-based traffic control to wireless and SOHO networks, and explore how this SDN-based traffic control can be leveraged to build a network orchestrator for controlling and managing networks that consist of heterogeneous devices and their controllers.
With the insights provided by the legacy devices and programmable networks, we demonstrate two different methods for providing multiconnectivity: one using network-driven programmability, and one using a userspace library that brings different multihoming and multipathing methods under one roof. The thesis also presents two methods for bringing software-defined networking to devices that were not designed with it in mind, which make it possible to manage existing networks and add new capabilities to them, as well as a machine-learning-based system that automatically detects vulnerable devices and removes them from the network.

    A Novel Zero-Trust Framework to Secure IoT Communications

    The phenomenal growth of the Internet of Things (IoT) has highlighted the security and privacy concerns associated with these devices. The research literature on IoT security architectures makes it evident that we need to define and formalize a framework for securing the communications among these devices. To do so, it is important to focus on a zero-trust framework that works on the premise of "trust no one, verify everyone" for every request and response. In this thesis we emphasize the need for such a framework and propose a zero-trust communication model that addresses the security and privacy concerns of devices with no operating system or with a real-time operating system. The framework provides end-to-end security for users and devices to communicate with each other privately. A common concern is how to implement a strong encryption algorithm within the limited resources of an IoT device. We demonstrate that by offloading data- and processing-heavy operations such as audit management to the gateway, this limitation can be overcome. We built a temperature and humidity sensor, implemented the framework on it, and evaluated and documented its operation. We defined four areas for evaluation and validation, namely security of communications, memory utilization of the device, response time of operations and cost of implementation, and for each we defined a threshold against which to validate our findings. The results are satisfactory and are documented.
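The "verify every request and response" premise and the offloading of audit management to the gateway are the two points a practitioner would want to see concretely. The block below is an added illustration written for this page; it is a constructed design, not the thesis's protocol. The sensor keeps only a pre-shared key and a counter (key provisioning at manufacture is an assumption), authenticates each request with an HMAC that binds the device identity, counter and direction, and verifies the gateway's response the same way; the gateway verifies every message, rejects replays, and keeps the audit log so the device does not have to. Confidentiality is deliberately left out here (the thesis's framework also encrypts); the device name and payload are made up.

```python
# Added example: per-message verification with gateway-side audit, illustrating the
# zero-trust "trust no one, verify everyone" model. Constructed design, not the
# thesis's protocol. Pre-shared keys and the sensor's persistent counter are assumptions.
import hashlib
import hmac
import time
from typing import Dict, List, Optional


def _mac(key: bytes, device_id: str, counter: int, direction: str, payload: bytes) -> str:
    """HMAC-SHA256 over every field that must be bound to the message. The direction
    tag stops a request MAC from being replayed as a response (and vice versa)."""
    msg = b"|".join([device_id.encode(), str(counter).encode(), direction.encode(), payload])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    """Constrained sensor: holds a key and a counter, keeps no audit state."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.counter = 0   # must be monotonic across reboots (persisted in NVRAM, assumption)

    def make_request(self, payload: bytes) -> dict:
        self.counter += 1
        return {"id": self.device_id, "ctr": self.counter, "data": payload.hex(),
                "mac": _mac(self.key, self.device_id, self.counter, "req", payload)}

    def check_response(self, resp: Optional[dict]) -> bool:
        """The device trusts nothing either: the response must carry its id, its
        current counter and a valid MAC over the status."""
        if resp is None or resp.get("id") != self.device_id or resp.get("ctr") != self.counter:
            return False
        expected = _mac(self.key, self.device_id, self.counter, "resp", str(resp.get("status", "")).encode())
        return hmac.compare_digest(expected, str(resp.get("mac", "")))


class Gateway:
    """Verifies every request, rejects replays, and owns the audit log on the device's behalf."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys
        self.last_ctr: Dict[str, int] = {}
        self.audit: List[dict] = []

    def _log(self, device_id, ctr, outcome: str) -> None:
        self.audit.append({"ts": time.time(), "device": device_id, "ctr": ctr, "outcome": outcome})

    def handle(self, req: dict) -> Optional[dict]:
        device_id, ctr = req.get("id"), req.get("ctr")
        key = self.keys.get(device_id)
        if key is None:
            self._log(device_id, ctr, "unknown_device")
            return None
        if not isinstance(ctr, int):
            self._log(device_id, ctr, "malformed")
            return None
        try:
            payload = bytes.fromhex(str(req.get("data", "")))
        except ValueError:
            self._log(device_id, ctr, "malformed")
            return None
        # Authenticate before touching any state, in constant time.
        if not hmac.compare_digest(_mac(key, device_id, ctr, "req", payload), str(req.get("mac", ""))):
            self._log(device_id, ctr, "bad_mac")
            return None
        if ctr <= self.last_ctr.get(device_id, 0):       # replayed or out-of-order
            self._log(device_id, ctr, "replay")
            return None
        self.last_ctr[device_id] = ctr
        self._log(device_id, ctr, "accepted")
        status = "ok"
        return {"id": device_id, "ctr": ctr, "status": status,
                "mac": _mac(key, device_id, ctr, "resp", status.encode())}


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed key, never do this in production
    sensor, gw = Device("sensor-7", key), Gateway({"sensor-7": key})
    req = sensor.make_request(b'{"t":21.5,"h":40}')   # constructed reading
    print("response verified:", sensor.check_response(gw.handle(req)))
    print("replay accepted:", gw.handle(req) is not None)
    for entry in gw.audit:
        print(entry["device"], entry["ctr"], entry["outcome"])
```

The division of labour mirrors the thesis's argument: the sensor does one HMAC per direction and stores a few bytes of state, while the gateway carries the per-device counters and the growing audit log. A strictly monotonic counter is a cheap replay defence but means a reboot that loses the counter locks the device out until it is re-enrolled, which is why the comment flags persistence as an assumption.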

    Laboratory Directed Research and Development FY2010 Annual Report
