Validation of the Security of Participant Control Exchanges in Secure Multicast Content Delivery

In Content Delivery Networks (CDN), as the customer base increases, a point is reached where the capacity of the network and the content server become inadequate. In extreme cases (e.g., world class sporting events), it is impossible to adequately serve the clientele, resulting in extreme customer frustration. In these circumstances, multicast content delivery is an attractive alternative. However, the issue of maintaining control over the customers is difficult. In addition to controlling the access to the network itself, in order to control the access of users to the multicast session, an Authentication, Authorization and Accounting Framework was added to the multicast architecture. A successful authentication of the end user is a prerequisite for authorization and accounting. The Extensible Authentication Protocol (EAP) provides an authentication framework to implement authentication properly, for which more than thirty different available EAP methods exist. While distinguishing the multicast content delivery requirements in terms of functionality and security, we will be able to choose a smaller set of relevant EAP methods accordingly. Given the importance of the role of the ultimate chosen EAP method, we will precisely compare the most likely to be useful methods and eventually pick the Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST) framework as the most suitable one. Based on the work on receiver participant controls, we present a validation of the security of the exchanges that are required to ensure adequate control and revenue recovery

IPv6 Network Mobility

Network Authentication, Authorization, and Accounting has been used since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And fi nally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. The fi rst part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and highlevel approaches to achieving specifi c AAA goals. It was published in IPJ Volume 10, No. 1[0]. This second part of the series discusses the protocols involved, specifi c applications of AAA, and considerations for the future of AAA

Securing Handover in Wireless IP Networks

In wireless and mobile networks, handover is a complex process that involves multiple layers of protocol and security executions. With the growing popularity of real time communication services such as Voice of IP, a great challenge faced by handover nowadays comes from the impact of security implementations that can cause performance degradation especially for mobile devices with limited resources. Given the existing networks with heterogeneous wireless access technologies, one essential research question that needs be addressed is how to achieve a balance between security and performance during the handover. The variations of security policy and agreement among different services and network vendors make the topic challenging even more, due to the involvement of commercial and social factors. In order to understand the problems and challenges in this field, we study the properties of handover as well as state of the art security schemes to assist handover in wireless IP networks. Based on our analysis, we define a two-phase model to identify the key procedures of handover security in wireless and mobile networks. Through the model we analyze the performance impact from existing security schemes in terms of handover completion time, throughput, and Quality of Services (QoS). As our endeavor of seeking a balance between handover security and performance, we propose the local administrative domain as a security enhanced localized domain to promote the handover performance. To evaluate the performance improvement in local administrative domain, we implement the security protocols adopted by our proposal in the ns-2 simulation environment and analyze the measurement results based on our simulation test

Classification of EAP methods and Some Major Attacks on EAP

This paper presents an overview of authentication protocol and analysis of Extensible Authentication Protocol (EAP) and its place in securing network. In general, authentication procedure adds extra messages to the original message flow and results in throughput reduction/ increase in processing time. Extensible Authentication Protocol (EAP) is a framework which aims to provide a flexible authentication for wireless networks. A number of specific widely used EAP methods are examined and evaluated for their advantages and susceptibility to types of attack. In addition, we evaluate how we communicate between two entities over the network

Design and Validation of Receiver Access Control in the Automatic Multicast Tunneling Environment

Standard IP multicast offers scalable point-to-multipoint delivery, but no control over who may send and who may receive the data stream. Participant Access Control has been developed by Islam and Atwood, but only for multicast-enabled network regions. Automatic Multicast Tunneling has been developed by the Internet Engineering Task Force. It extends the range of multicast data distribution to unicast-only network regions, but provides no Participant Access Control. We have designed the additional features that AMT must have, so that AMT has the necessary Participant Access Control at the receiver's end in the AMT environment. In addition, we have validated our design model using the AVISPA formal modeling tool, which confirms that the proposed design is secure

Network Access Control: Disruptive Technology?

Network Access Control (NAC) implements policy-based access control to the trusted network. It regulates entry to the network by the use of health verifiers and policy control points to mitigate the introduction of malicious software. However the current versions of NAC may not be the universal remedy to endpoint security that many vendors tout. Many organizations that are evaluating the technology, but that have not yet deployed a solution, believe that NAC presents an opportunity for severe disruption of their networks. A cursory examination of the technologies used and how they are deployed in the network appears to support this argument. The addition of NAC components can make the network architecture even more complex and subject to failure. However, one recent survey of organizations that have deployed a NAC solution indicates that the \u27common wisdom\u27 about NAC may not be correct

Design and Validation of a Secured Tunnel in the Automatic Multicast Tunneling (AMT) Environment

IP multicasting is a communication mechanism in which data are communicated from a server to a set of clients who are interested in receiving those data. Any client can dynamically enter or leave the communication. The main problem of this system is that every client that is interested in receiving the multicast data has to be in a multicast enabled network. The Network Working Group at the Internet Engineering Task Force (IETF) has come up with a solution to this problem. They have developed a protocol named Automatic Multicast Tunneling (AMT). This protocol offers a mechanism to enable the unicast-only clients to join and receive multicast data from a multicast enabled region through an AMT tunnel, which is formed between the two intermediate participants named Gateway and Relay. However, AMT does not provide any Participant Access Control (PAC). Malla has designed an architecture for adding PAC at the receiver’s end in the AMT environment. His work is based on the assumption that the AMT tunnel is secure and the tunnel can recognize and pass the additional message types that his design requires. We have designed the solution to secure the AMT tunnel. We also defined the additional message types. Lastly, we validated our work using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to ensure that our design is secure

Inter-Domain Authentication for Seamless Roaming in Heterogeneous Wireless Networks

The convergence of diverse but complementary wireless access technologies and inter-operation among administrative domains have been envisioned as crucial for the next generation wireless networks that will provide support for end-user devices to seamlessly roam across domain boundaries. The integration of existing and emerging heterogeneous wireless networks to provide such seamless roaming requires the design of a handover scheme that provides uninterrupted service continuity while facilitating the establishment of authenticity of the entities involved. The existing protocols for supporting re-authentication of a mobile node during a handover across administrative domains typically involve several round trips to the home domain, and hence introduce long latencies. Furthermore, the existing methods for negotiating roaming agreements to establish inter-domain trust rely on a lengthy manual process, thus, impeding seamless roaming across multiple domains in a truly heterogeneous wireless network. In this thesis, we present a new proof-token based authentication protocol that supports quick re-authentication of a mobile node as it moves to a new foreign domain without involving communication with the home domain. The proposed proof-token based protocol can also support establishment of spontaneous roaming agreements between a pair of domains that do not already have a direct roaming agreement, thus allowing flexible business models to be supported. We describe details of the new authentication architecture, the proposed protocol, which is based on EAP-TLS and compare the proposed protocol with existing protocols

Information Security for BYOD in ABB

BYOD (Bring Your Own Device) is the future policy in companies that is going to replace the old UWYT (Use What You Are Told) way of thinking. This new policy has a lot of issues both security wisely and policy wisely that needs to get solved before we can fully implement this policy into larger companies. Thanks to large interest in the subject a lot of companies have already come up with solutions to this issue and started to use BYOD policy within their companies. The main target of this Master´s Thesis “Information Security for BYOD in ABB” was to create a working information security system for future BYOD policy use in ABB. For the Thesis we used six different test users with different portable devices and statuses and tried to create a policy that fits well with their job and fulfills the security requirements of ABB. We also discuss a little about cloud computing and how it is good to be included into the final solution for the BYOD security plan.fi=Opinnäytetyö kokotekstinä PDF-muodossa.|en=Thesis fulltext in PDF format.|sv=Lärdomsprov tillgängligt som fulltext i PDF-format