29,332 research outputs found

    Performance Evaluation of Network Security Protocols on Open Source and Microsoft Windows Platforms

    The Internet is increasingly being used to support collaborative applications such as voice and video-conferencing, replicated servers and databases of different types. Since most communication over the Internet involves the traversal of insecure open networks, basic security services such as data privacy, integrity and authentication are necessary. One of the levels of computer security is operating system security. This paper analyzes the limitations and behavioral patterns of security protocols across different platforms. It compared the performance of security protocols in terms of authentication, encryption algorithm, cryptographic methods etc., in order to determine which platform provides better support for security protocols. A network simulator tool was used to simulate different scenarios to show the performance of security protocols across two Operating System Platforms (Linux and Windows). The simulation values of selected performance metrics of the security protocols, across both platforms, were analyzed and evaluated. Results obtained showed comparable differences in the values of the performance parameters considered. For instance, IP processing delay of the Windows Client node was initially high (about 0.0125 milliseconds), but later decreases to about 0.0115 milliseconds, while the Linux Client node is constant at about 0.0115 milliseconds. Variations in the values of the performance parameters for both platforms, in both network scenarios are not significant enough to reflect a noticeable difference in the impacts of the network security protocols on the performance of the operating system platforms. Keywords: Open Source, IP Security, SSL, OPNET, Security Protocol, Operating System

    A hybrid and cross-protocol architecture with semantics and syntax awareness to improve intrusion detection efficiency in Voice over IP environments

    Includes abstract. Includes bibliographical references (leaves 134-140). Voice and data have been traditionally carried on different types of networks based on different technologies, namely, circuit switching and packet switching respectively. Convergence in networks enables carrying voice, video, and other data on the same packet-switched infrastructure, and provides various services related to these kinds of data in a unified way. Voice over Internet Protocol (VoIP) stands out as the standard that benefits from convergence by carrying voice calls over the packet-switched infrastructure of the Internet. Although sharing the same physical infrastructure with data networks makes convergence attractive in terms of cost and management, it also makes VoIP environments inherit all the security weaknesses of Internet Protocol (IP). In addition, VoIP networks come with their own set of security concerns. Voice traffic on converged networks is packet-switched and vulnerable to interception with the same techniques used to sniff other traffic on a Local Area Network (LAN) or Wide Area Network (WAN). Denial of Service attacks (DoS) are among the most critical threats to VoIP due to the disruption of service and loss of revenue they cause. VoIP systems are supposed to provide the same level of security provided by traditional Public Switched Telephone Networks (PSTNs), although more functionality and intelligence are distributed to the endpoints, and more protocols are involved to provide better service. A new design taking into consideration all the above factors with better techniques in Intrusion Detection is therefore needed. This thesis describes the design and implementation of a host-based Intrusion Detection System (IDS) that targets VoIP environments. Our intrusion detection system combines two types of modules for better detection capabilities, namely, a specification-based and a signature-based module. Our specification-based module takes the specifications of VoIP applications and protocols as the detection baseline. Any deviation from the protocol’s proper behavior described by its specifications is considered an anomaly. The Communicating Extended Finite State Machines model (CEFSMs) is used to trace the behavior of the protocols involved in VoIP, and to help exchange detection results among protocols in a stateful and cross-protocol manner. The signature-based module is built in part upon State Transition Analysis Techniques which are used to model and detect computer penetrations. Both detection modules allow for protocol-syntax and protocol-semantics awareness. Our intrusion detection uses the aforementioned techniques to cover the threats propagated via low-level protocols such as IP, ICMP, UDP, and TCP

    Design and validation of a methodology for distributed relay service for NAT traversal in a peer-to-peer VoIP network

    Voice-over-IP (VoIP) practices are widely diffused. The traditional and mostly deployed architecture is based on the IETF SIP protocol: User Agents connect to centralized servers (usually called SIP Proxies), which provide, among other features, user location service and call routing. On another side, the peer-to-peer paradigm has proven to be very scalable and has been widely accepted by the Internet community. This graduation thesis is going firstly to investigate the current protocols for doing VoIP and in particular the Session Initiation Protocol. Then peer-to-peer overlays are examined, devoting particular care to how integration with SIP can be made. Afterwards, the focus will move on to Network Address Translation (NAT). NAT is largely employed in SOHO networks as well as in big network installations, because it reduces the need for public IP addresses and is believed to increase network security. However, it requires many protocols to be modified to work correctly. NAT traversal techniques will be analyzed, along with the issues that NAT creates for SIP and P2P protocols. In order to perform NAT traversal, a public rendez-vous point is needed. A methodology to build a distributed relay service over a pure peer-to-peer network will be proposed and validated by means of statistical analysis and simulation

    Performance Analysis of IPv6 Transition Mechanisms over MPLS

    Exhaustion of current version of Internet Protocol version 4 (IPv4) addresses initiated development of next-generation Internet Protocol version 6 (IPv6). IPv6 is acknowledged to provide more address space, better address design, and greater security; however, IPv6 and IPv4 are not fully compatible. For the two protocols to coexist, various IPv6 transition mechanisms have been developed. This research will analyze a series of IPv6 transition mechanisms over the Multiprotocol Label Switching (MPLS) backbone using a simulation tool (OPNET) and will evaluate and compare their performances. The analysis will include comparing the end-to-end delay, jitter, and throughput performance metrics using tunneling mechanisms, specifically Manual Tunnel, Generic Routing Encapsulation (GRE) Tunnel, Automatic IPv4-Compatible Tunnel, and 6to4 Tunnel between Customer Edge (CE)-to-CE routers and between Provider Edge (PE)-to-PE routers. The results are then compared against 6PE, Native IPv6, and Dual Stack, all using the MPLS backbone. The traffic types generated for this comparison are database access, email, File Transfer, File Print, Telnet, Video Conferencing over IP, Voice over IP, Web Browsing, and Remote Login. A statistical analysis is performed to compare the performance metrics of these mechanisms to evaluate any statistically-significant differences among them. The main objective of this research is to rank the aforementioned IPv6 transition mechanisms and identify the superior mechanism(s) that offer lowest delay, lowest jitter, and highest throughput

    Using Transcoding for Hidden Communication in IP Telephony

    The paper presents a new steganographic method for IP telephony called TranSteg (Transcoding Steganography). Typically, in steganographic communication it is advised for covert data to be compressed in order to limit its size. In TranSteg it is the overt data that is compressed to make space for the steganogram. The main innovation of TranSteg is to, for a chosen voice stream, find a codec that will result in a similar voice quality but smaller voice payload size than the originally selected. Then, the voice stream is transcoded. At this step the original voice payload size is intentionally unaltered and the change of the codec is not indicated. Instead, after placing the transcoded voice payload, the remaining free space is filled with hidden data. TranSteg proof of concept implementation was designed and developed. The obtained experimental results are enclosed in this paper. They prove that the proposed method is feasible and offers a high steganographic bandwidth. TranSteg detection is difficult to perform when performing inspection in a single network localisation. Comment: 17 pages, 16 figures, 4 tables

    VoIP: Making Secure Calls and Maintaining High Call Quality

    Modern multimedia communication tools must have high security, high availability and high quality of service (QoS). Any security implementation will directly impact on QoS. This paper will investigate how end-to-end security impacts on QoS in Voice over Internet Protocol (VoIP). The QoS is measured in terms of lost packet ratio, latency and jitter using different encryption algorithms, no security and just the use of IP firewalls in Local and Wide Area Networks (LAN and WAN). The results of laboratory tests indicate that the impact on the overall performance of VoIP depends upon the bandwidth availability and encryption algorithm used. The implementation of any encryption algorithm in low bandwidth environments degrades the voice quality due to increased loss packets and packet latency, but as bandwidth increases encrypted VoIP calls provided better service compared to an unsecured environment.

    Micro protocol engineering for unstructured carriers: On the embedding of steganographic control protocols into audio transmissions

    Network steganography conceals the transfer of sensitive information within unobtrusive data in computer networks. So-called micro protocols are communication protocols placed within the payload of a network steganographic transfer. They enrich this transfer with features such as reliability, dynamic overlay routing, or performance optimization --- just to mention a few. We present different design approaches for the embedding of hidden channels with micro protocols in digitized audio signals under consideration of different requirements. On the basis of experimental results, our design approaches are compared, and introduced into a protocol engineering approach for micro protocols. Comment: 20 pages, 7 figures, 4 tables