Q-ESP: a QoS-compliant Security Protocol to enrich IPSec Framework

IPSec is a protocol that allows to make secure connections between branch offices and allows secure VPN accesses. However, the efforts to improve IPSec are still under way; one aspect of this improvement is to take Quality of Service (QoS) requirements into account. QoS is the ability of the network to provide a service at an assured service level while optimizing the global usage of network resources. The QoS level that a flow receives depends on a six-bit identifier in the IP header; the so-called Differentiated Services code point (DSCP). Basically, Multi-Field classifiers classify a packet by inspecting IP/TCP headers, to decide how the packet should be processed. The current IPSec standard does hardly offer any guidance to do this, because the existing IPSec ESP security protocol hides much of this information in its encrypted payloads, preventing network control devices such as routers and switches from utilizing this information in performing classification appropriately. To solve this problem, we propose a QoS-friendly Encapsulated Security Payload (Q-ESP) as a new IPSec security protocol that provides both security and QoS supports. We also present our NetBSD kernel-based implementation as well as our evaluation results of Q-ESP

Defining categories to select representative attack test-cases

7 pagesRapport LAAS-CNRSTo ameliorate the quality of protection provided by intrusion detection systems (IDS) we strongly need more effective evaluation and testing procedures. Evaluating an IDS against all known and unknown attacks is probably impossible. Nevertheless, a sensible selection of representative attacks is necessary to obtain an unbiased evaluation of such systems. To help in this selection, this paper suggests applying the same approach as in software testing: to overcome the problem of an unmanageably large set of possible inputs, software testers usually divide the data input domain into categories (or equivalence classes), and select representative instances from each category as test cases. We believe that the same principle could be applied to IDS testing if we have a reasonable classification. In this paper we make a thorough analysis of existing attack classifications in order to determine whether they could be helpful in selecting attack test cases. Based on our analysis, we construct a new scheme to classify attacks relying on those attributes that appear to be the best classification criteria. The proposed classification is mainly intended to be used for testing and evaluating IDS although it can be used for other purposes such as incident handling and intrusion reporting. We also apply the Classification Tree Method (CTM) to select attack test cases. As far as we know, this is the first time that this method is applied for this purpose

Extending Firewall Session Table to Accelerate NAT, QoS Classification and Routing

security and QoS are the two most precious objectives for network systems to be attained. Unfortunately, they are in conflict, while QoS tries to minimize processing delay, strong security protection requires more processing time and cause packet delay. This article is a step towards resolving this conflict by extending the firewall session table to accelerate NAT, QoS classification, and routing processing time while providing the same level of security protection. Index Terms ? stateful packet filtering; firewall; session/state table; QoS; NAT; Routing

An Architecture for QoS-capable Integrated Security Gateway to Protect Avionic Data Network

International audienceWhile the use of Internet Protocol (IP) in aviation allows new applications and benefits, it opens the doors for security risks and attacks. Many security mechanisms and solutions have evolved to mitigate the ever continuously increasing number of network attacks. Although these conventional solutions have solved some security problems, they also leave some security holes. Securing open and complex systems have become more and more complicated and obviously, the dependence on a single security mechanism gives a false sense of security while opening the doors for attackers. Hence, to ensure secure networks, several security mechanisms must work together in a harmonic multi-layered way. In addition, if we take QoS requirements into account, the problem becomes more complicated and necessitates in-depth reflexions. In this paper, we present the architecture of our QoS-capable integrated security gateway: a gateway that highly integrates well chosen technologies in the area of network security as well as QoS mechanisms to provide the strongest level of security for avionic data network; our main aim is to provide both multi-layered security and stable performances for critical network applications

PolyOrBAC: a security framework for critical infrastructures

International audienceDue to physical and logical vulnerabilities, a critical infrastructure (CI) can encounter failures of various degrees of severity, and since there are many interdependencies between CIs, simple failures can have dramatic consequences on the users. In this paper, we mainly focus on malicious threats that might affect the information and communication system that controls the Critical Infrastructure, i.e., the Critical Information Infrastructure (CII). To address the security challenges that are specific of CIIs, we propose a collaborative access control framework called PolyOrBAC. This approach offers each organization taking part in the CII the capacity of collaborating with the other ones, while maintaining a control on its resources and on its internal security policy. The interactions between organizations participating in the CII are implemented through web services (WS), and for each WS a contract is signed between the service-provider organization and the service-user organization. The contract describes the WS functions and parameters, the liability of each party and the security rules controlling the interactions. At runtime, the compliance of all interactions with these security rules is checked. Every deviation from the signed contracts triggers an alarm, the concerned parties are notified and audits can be used as evidence for sanctioning the party responsible for the deviation. Our approach is illustrated by a practical scenario, based on real emergency actions in an electric power grid infrastructure, and a simulation test bed has been implemented to animate this scenario and experiment with its security issues

Sécurité des réseaux et infrastructures critiques

Les infrastructures et réseaux critiques commencent à s'ouvrir vers des architectures, protocoles et applications vulnérables. Ainsi, non seulement il est question de sécuriser ces applications (e.g., contre les attaques potentielles), mais il faut également justifier notre confiance dans les mécanismes de sécurité déployés. Pour cela, nous présentons PolyOrBAC, un cadriciel basé sur le modèle de contrôle d'accès OrBAC, les mécanismes de services Web ainsi que les contrats électroniques. Ensuite, nous préconisons l'utilisation de la Programmation Logique par Contraintes (PLC) pour détecter et résoudre les conflits éventuels dans la politique de sécurité. Au niveau de la mise en œuvre, nous proposons le protocole Q-ESP, notre amélioration d'IPSec qui assure à la fois des besoins de sécurité et de QoS. Enfin, nous présentons nos modèles et résultats de test et d'évaluation d'outils de sécurité notamment les Systèmes de Détection d'Intrusions (IDS)

ICT Systems Security and Privacy Protection: 29th IFIP TC 11 International Conference, SEC 2014 Marrakech, Morocco, June 2-4, 2014

International audienceBook Front Matter of AICT 42

Plant growth promoting rhizobacteria (PGPR) as green bioinoculants: Recent developments, constraints, and prospects

The quest for enhancing agricultural yields due to increased pressure on food production has inevitably led to the indiscriminate use of chemical fertilizers and other agrochemicals. Biofertilizers are emerging as a suitable alternative to counteract the adverse environmental impacts exerted by synthetic agrochemicals. Biofertilizers facilitate the overall growth and yield of crops in an eco-friendly manner. They contain living or dormant microbes, which are applied to the soil or used for treating crop seeds. One of the foremost candidates in this respect is rhizobacteria. Plant growth promoting rhizobacteria (PGPR) are an important cluster of beneficial, root-colonizing bacteria thriving in the plant rhizosphere and bulk soil. They exhibit synergistic and antagonistic interactions with the soil microbiota and engage in an array of activities of ecological significance. They promote plant growth by facilitating biotic and abiotic stress tolerance and support the nutrition of host plants. Due to their active growth endorsing activities, PGPRs are considered an eco-friendly alternative to hazardous chemical fertilizers. The use of PGPRs as biofertilizers is a biological approach toward the sustainable intensification of agriculture. However, their application for increasing agricultural yields has several pros and cons. Application of potential biofertilizers that perform well in the laboratory and greenhouse conditions often fails to deliver the expected effects on plant development in field settings. Here we review the different types of PGPR-based biofertilizers, discuss the challenges faced in the widespread adoption of biofertilizers, and deliberate the prospects of using biofertilizers to promote sustainable agriculture