131 research outputs found

    Evaluating and improving firewalls for ip-telephony environments

    Firewalls are a well-established security mechanism for providing access control and auditing at the borders between different administrative network domains. Their basic architecture, techniques and operation modes did not change fundamentally during the last years. On the other side, new challenges emerge rapidly when new innovative application domains have to be supported. IP-Telephony applications are considered to have a huge economic potential in the near future. For their widespread acceptance and thereby their economic success they must cope with established security policies. Existing firewalls face immense problems here if they - as still happens quite often - try to handle the new challenges in the way they did with "traditional applications". As we will show in this paper, IP-Telephony applications differ from those in many aspects, which makes such an approach quite inadequate. After identifying and characterizing the problems we therefore describe and evaluate a more appropriate approach. The feasibility of our architecture will be shown. It forms the basis of a prototype implementation that we are currently working on

    IP Telephony and Firewalls: Problems and Solutions

    Within a comprehensive security policy, firewall systems are an important measure for protecting a private network against attacks from the Internet. The introduction of new application types, which include IP telephony applications, creates new requirements that a firewall system must meet. Existing firewall systems do not meet these new requirements, which is why IP telephony applications currently cannot be supported satisfactorily by firewalls. In this contribution we show which specific problems arise when integrating IP telephony support into a firewall. To this end, we explain selected telephony scenarios that a firewall has to support and describe selected existing firewall solutions and their current limitations. After the problems have been identified and classified, we derive the resulting requirements that an IP-telephony-capable firewall must meet. Finally, we describe a possible technical implementation of these requirements and the corresponding prototype that was realized

    Taxonomy of Technological IT Outsourcing Risks: Support for Risk Identification and Quantification

    The past decade has seen an increasing interest in IT outsourcing as it promises companies many economic benefits. In recent years, IT paradigms, such as Software-as-a-Service or Cloud Computing using third-party services, are increasingly adopted. Current studies show that IT security and data privacy are the dominant factors affecting the perceived risk of IT outsourcing. Therefore, we explicitly focus on determining the technological risks related to IT security and quality of service characteristics associated with IT outsourcing. We conducted an extensive literature review, and thoroughly document the process in order to reach high validity and reliability. 149 papers have been evaluated based on a review of the whole content and out of the finally relevant 68 papers, we extracted 757 risk items. Using a successive refinement approach, which involved reduction of similar items and iterative re-grouping, we establish a taxonomy with nine risk categories for the final 70 technological risk items. Moreover, we describe how the taxonomy can be used to support the first two phases of the IT risk management process: risk identification and quantification. Therefore, for each item, we give parameters relevant for using them in an existing mathematical risk quantification model


    First experiences with the implementation of the European standard EN 62304 on medical device software for the quality assurance of a radiotherapy unit

    BACKGROUND: According to the latest amendment of the Medical Device Directive standalone software qualifies as a medical device when intended by the manufacturer to be used for medical purposes. In this context, the EN 62304 standard is applicable which defines the life-cycle requirements for the development and maintenance of medical device software. A pilot project was launched to acquire skills in implementing this standard in a hospital-based environment (in-house manufacture). METHODS: The EN 62304 standard outlines minimum requirements for each stage of the software life-cycle, defines the activities and tasks to be performed and scales documentation and testing according to its criticality. The required processes were established for the pre-existent decision-support software FlashDumpComparator (FDC) used during the quality assurance of treatment-relevant beam parameters. As the EN 62304 standard implicates compliance with the EN ISO 14971 standard on the application of risk management to medical devices, a risk analysis was carried out to identify potential hazards and reduce the associated risks to acceptable levels. RESULTS: The EN 62304 standard is difficult to implement without proper tools, thus open-source software was selected and integrated into a dedicated development platform. The control measures yielded by the risk analysis were independently implemented and verified, and a script-based test automation was retrofitted to reduce the associated test effort. After all documents facilitating the traceability of the specified requirements to the corresponding tests and of the control measures to the proof of execution were generated, the FDC was released as an accessory to the HIT facility. 
CONCLUSIONS: The implementation of the EN 62304 standard was time-consuming, and a learning curve had to be overcome during the first iterations of the associated processes, but many process descriptions and all software tools can be re-utilized in follow-up projects. It has been demonstrated that a standards-compliant development of small and medium-sized medical software can be carried out by a small team with limited resources in a clinical setting. This is of particular relevance as the upcoming revision of the Medical Device Directive is expected to harmonize and tighten the current legal requirements for all European in-house manufacturers

    2011-09-22 Minutes of the Executive Committee of the Academic Senate

    Approved minutes of a meeting of the Executive Committee of the Academic Senate of the University of Dayto

    Quantum Imaging with Incoherently Scattered Light from a Free-Electron Laser

    The advent of accelerator-driven free-electron lasers (FEL) has opened new avenues for high-resolution structure determination via diffraction methods that go far beyond conventional x-ray crystallography methods. These techniques rely on coherent scattering processes that require the maintenance of first-order coherence of the radiation field throughout the imaging procedure. Here we show that higher-order degrees of coherence, displayed in the intensity correlations of incoherently scattered x-rays from an FEL, can be used to image two-dimensional objects with a spatial resolution close to or even below the Abbe limit. This constitutes a new approach towards structure determination based on incoherent processes, including Compton scattering, fluorescence emission or wavefront distortions, generally considered detrimental for imaging applications. Our method is an extension of the landmark intensity correlation measurements of Hanbury Brown and Twiss to higher than second-order paving the way towards determination of structure and dynamics of matter in regimes where coherent imaging methods have intrinsic limitations

    The Changing Landscape for Stroke Prevention in AF: Findings From the GLORIA-AF Registry Phase 2

    Background GLORIA-AF (Global Registry on Long-Term Oral Antithrombotic Treatment in Patients with Atrial Fibrillation) is a prospective, global registry program describing antithrombotic treatment patterns in patients with newly diagnosed nonvalvular atrial fibrillation at risk of stroke. Phase 2 began when dabigatran, the first non–vitamin K antagonist oral anticoagulant (NOAC), became available. Objectives This study sought to describe phase 2 baseline data and compare these with the pre-NOAC era collected during phase 1. Methods During phase 2, 15,641 consenting patients were enrolled (November 2011 to December 2014); 15,092 were eligible. This pre-specified cross-sectional analysis describes eligible patients’ baseline characteristics. Atrial fibrillation disease characteristics, medical outcomes, and concomitant diseases and medications were collected. Data were analyzed using descriptive statistics. Results Of the total patients, 45.5% were female; median age was 71 (interquartile range: 64, 78) years. Patients were from Europe (47.1%), North America (22.5%), Asia (20.3%), Latin America (6.0%), and the Middle East/Africa (4.0%). Most had high stroke risk (CHA2DS2-VASc [Congestive heart failure, Hypertension, Age ≥75 years, Diabetes mellitus, previous Stroke, Vascular disease, Age 65 to 74 years, Sex category] score ≥2; 86.1%); 13.9% had moderate risk (CHA2DS2-VASc = 1). Overall, 79.9% received oral anticoagulants, of whom 47.6% received NOAC and 32.3% vitamin K antagonists (VKA); 12.1% received antiplatelet agents; 7.8% received no antithrombotic treatment. For comparison, the proportion of phase 1 patients (of N = 1,063 all eligible) prescribed VKA was 32.8%, acetylsalicylic acid 41.7%, and no therapy 20.2%. In Europe in phase 2, treatment with NOAC was more common than VKA (52.3% and 37.8%, respectively); 6.0% of patients received antiplatelet treatment; and 3.8% received no antithrombotic treatment.
In North America, 52.1%, 26.2%, and 14.0% of patients received NOAC, VKA, and antiplatelet drugs, respectively; 7.5% received no antithrombotic treatment. NOAC use was less common in Asia (27.7%), where 27.5% of patients received VKA, 25.0% antiplatelet drugs, and 19.8% no antithrombotic treatment. Conclusions The baseline data from GLORIA-AF phase 2 demonstrate that in newly diagnosed nonvalvular atrial fibrillation patients, NOAC have been highly adopted into practice, becoming more frequently prescribed than VKA in Europe and North America. Worldwide, however, a large proportion of patients remain undertreated, particularly in Asia and North America. (Global Registry on Long-Term Oral Antithrombotic Treatment in Patients With Atrial Fibrillation [GLORIA-AF]; NCT01468701

    Vulnerabilities and security limitations of current IP telephony systems

    Within the traditional telephone system a certain level of quality and security has been established over the years. If we try to use IP Telephony systems as a core part of our future communication infrastructure (e.g. as classical PBX enhancement or replacement), continuous high availability, stable and error-free operation and the protection of the privacy of the spoken word are challenges that definitely have to be met. Since manufacturers start deploying new end systems and infrastructure components rather fast now, a critical inspection of their security features and vulnerabilities is mandatory. The critical presentation of the theoretical background of certain vulnerabilities, testing and attacking tools and the evaluation results reveals that well-known security flaws become part of implementations in the new application area again and the security level of a number of examined solutions is rather insufficient