Similar literature
 20 similar documents found; search took 15 ms
1.
To provide a secure traversal service, firewalls need more than static packet filtering and application-level proxies. SOCKS (Secure sOCKets) is an application-independent transport-level proxy that offers user-level authentication and data encryption. An extended SOCKS UDP (user datagram protocol) binding model with appropriate socket calls is proposed to provide complete support for UDP-based multimedia streaming applications.

2.
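Network security protection is generally achieved by installing firewalls and intrusion detection mechanisms on protected hosts, or by configuring access control on network devices. This paper discusses an active network security monitoring system and, building on an analysis of the design of such a system, analyzes the SNMP protocol used by the subsystem that guards against unauthorized access to the enterprise network.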

3.
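Network security protection is generally achieved by installing firewalls and intrusion detection mechanisms on protected hosts, or by configuring access control on network devices. This paper discusses an active network security monitoring system and, building on an analysis of the design of such a system, analyzes the SNMP protocol used by the subsystem that guards against unauthorized access to the enterprise network.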

4.
In multi-party collaborative environments, a group of users can share multiple media streams via IP multicasting. However, despite the efficiency of IP multicast, it is not widely available and alternative application-layer multicast approaches are introduced. Application-layer multicast is advantageous; however, it incurs additional processing delays. In this paper, we present a new hybrid-style application-layer multicast solution that satisfies both network efficiency and easy deployment. We achieve this goal by connecting multicast islands through UDP tunnels employing UMTP (UDP multicast tunneling protocol). We also design an MPROBE protocol to remove multicast loops among multicast islands in the real Internet. We verify the feasibility of the proposed solution by implementing a prototype tool, AG Connector, that works on the Access Grid multi-party collaborative environment.
Thomas D. Uram

5.
ABSTRACT

Firewalls are one of the most widely used security devices to protect a communications network. They help secure it by blocking unwanted traffic from entering or leaving the protected network. Several commercial vendors have extended their firewall capabilities to support SCADA protocols or designed SCADA-specific firewalls. Although open-source firewalls are used successfully in IT networks, their use in SCADA networks has not been properly investigated. In this research we investigate the major open-source firewalls for their use in SCADA networks and identify Linux iptables’ potential as an effective SCADA firewall. Iptables is a powerful open-source firewall solution available as part of most Linux distributions in use today. In general, use of iptables as a network-level firewall for SCADA systems has been limited to basic port and host filtering, without further inspection of control messages. We propose and demonstrate a novel methodology to use iptables as an effective firewall for SCADA systems. This is achieved by utilizing advanced iptables features that allow for dynamic inspection of packet data. It is noteworthy to mention that the proposed solution does not require any modification to the netfilter/iptables framework, making it possible to turn a Linux system into an effective SCADA firewall. The approach has been tested by defining filtering rules for the Modbus TCP protocol and validating its ability to defend against various attacks on the protocol.

6.
Application-layer tunnels nowadays represent a significant security threat for any network protected by firewalls and Application Layer Gateways. The encapsulation of protocols subject to security policies such as peer-to-peer, e-mail, chat and others into protocols that are deemed as safe or necessary, such as HTTP, SSH or even DNS, can bypass any network-boundary security policy, even those based on stateful packet inspection. In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. Results from experiments conducted on a live network suggest that the technique can be very effective, even when the application-layer protocol used as a tunnel is encrypted, such as in the case of SSH.

7.
This paper develops an efficient and scalable multicast scheme for high-quality multimedia distribution. The traditional IP multicast, a pure network-layer solution, is bandwidth efficient in data delivery but not scalable in managing the multicast tree. The more recent overlay multicast establishes the data-dissemination structure at the application layer; however, it induces redundant traffic at the network layer. We propose an application-oriented multicast (AOM) protocol, which exploits the application-network cross-layer design. With AOM, each packet carries explicit destination information, instead of an implicit group address, to facilitate the multicast data delivery; each router leverages the unicast IP routing table to determine necessary multicast copies and next-hop interfaces. In our design, all the multicast membership and addressing information traversing the network is encoded with Bloom filters for low storage and bandwidth overhead. We theoretically prove that the AOM service model is loop-free and incurs no redundant traffic. The false positive performance of the Bloom filter implementation is also analyzed. Moreover, we show that the AOM protocol is a generic design, applicable for both intra-domain and inter-domain scenarios with either symmetric or asymmetric routing.

8.
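Audio-video synchronization in IP multicast-based multipoint conferencing   Total citations: 1, self-citations: 0, citations by others: 1
In multipoint conferencing based on IP multicast, audio-video synchronization is critical, yet the inherent delay characteristics of IP and the unreliability of the UDP transport protocol make synchronization difficult to achieve. For an IP multicast-based multipoint conferencing system designed by the authors, the paper analyzes the design approach and implementation of audio-video synchronization and presents a simplified model of communication between two points under reliable transmission. To address the unreliability of UDP and the multipoint communication found in practice, improvements are proposed; practical verification shows that they work well.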

9.
李桂英  李吉桂 《计算机工程与设计》2005,26(8):2233-2235,2239
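IP multicast is the latest technology in the IP field; it provides a solution for real-time multimedia transmission and bulk data transmission over networks. The paper designs and implements a pure-software network multimedia teaching system based on IP multicast. The system guarantees quality of service for the transmitted streams and can effectively scale up the number of session nodes.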

10.
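Traditional firewalls prevent unauthorized access by protecting network entry points, which does not suit the IIOP protocol that CORBA uses on the Internet. The OMG therefore proposed CORBA firewall security, which aims to provide a standard way of controlling IIOP communication through firewalls and to allow controlled external access to CORBA objects. The article introduces CORBA distributed systems and firewalls and the problems specific to CORBA firewalls compared with traditional firewalls, describes in detail the solutions in CORBA systems, and analyzes the operating mechanisms of TCP firewalls, SOCKS firewalls and GIOP proxy firewalls.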

11.
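The SOCKS5 identity authentication mechanism   Total citations: 1, self-citations: 0, citations by others: 1
SOCKS5 is an authenticating firewall protocol that provides a strong identity authentication mechanism so that client/server programs in the TCP and UDP domains can use network services conveniently and securely. The paper discusses the protocol, analyzes its workflow and the technical features it adopts, and summarizes its advantages and disadvantages.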

12.
Recent advances in PBX architecture and multimedia communication protocols are pushing the current boundaries of IP telephony in enterprise networks. Two key barriers to this evolution are firewalls and NATs. While these devices play a pivotal role in protecting and managing network resources, they also inhibit the sending and receiving of voice and video over the data network. Many different solutions for firewall and NAT traversal either currently exist or are being proposed by standards bodies, vendors and research institutions. Each initiative addresses different issues relating to security and interoperability within existing network infrastructures. This paper will examine all proposed solutions and determine which solution will enable IP telephony traversal of firewalls and NATs most advantageously in an enterprise network.

13.
In this paper, we propose a new multicast delivery mechanism for bandwidth-demanding applications in IP networks. Our mechanism, referred to as multiple-destination overlay multicast (MOM), combines the advantages of IP multicast and overlay multicast. We formulate the MOM routing problem as an optimization problem. We then design an algorithm based on Lagrangian relaxation on our formulation and propose a distributed protocol based on the algorithm. For network operators, MOM consumes less network bandwidth than both IP multicast and overlay multicast. For users, MOM uses less interface bandwidth than overlay multicast.

14.
Skype is a Voice over IP (VoIP) Internet application that has gained huge popularity in recent years. A key point in Skype's popularity is its capability to dynamically adapt itself to operate behind firewalls or network proxies. A common way adopted by Skype to delude these network devices is to use port 80, normally expected to comprise HTTP traffic. In this paper, we propose metrics and investigate statistical tests intended to clearly distinguish Skype flows from HTTP traffic. We validate our study using real-world experimental datasets gathered at a commercial Internet Service Provider (ISP). Our experimental results suggest that the proposed methodology may be seen as a promising building block towards a system to detect general protocol anomalies in HTTP traffic.

15.
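Many techniques currently exist for enhancing the performance of transport-layer and application-layer protocols, but once a network-layer security protocol protects its payload, the information these techniques need is hard to obtain. The existing multi-layer IPSec protocol allows these performance-enhancing techniques to be used while still providing network-layer security; its drawbacks are reduced efficiency and a more complex structure. The paper analyzes some problems inherent in the multi-layer IPSec protocol and proposes optimization methods; experiments show that the optimization is clearly effective.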

16.
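The TCP/IP protocol suite itself has many security flaws, exposing network communication to IP address spoofing, ARP spoofing, ICMP attacks, TCP SYN floods, DNS attacks and so on. This paper studies in depth the security risks in the TCP/IP protocols and gives corresponding prevention and improvement measures for these vulnerabilities.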

17.
Modeling and simulation of multicast protocols in OPNET   Total citations: 3, self-citations: 0, citations by others: 3
刘珩  安建平  杨杰 《计算机仿真》2005,22(5):141-145
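This paper focuses on IP multicast technology and, using the network simulation software OPNET Modeler, analyzes the modeling mechanism for IP multicast networks in that environment, including reference standards, group management, supported applications, the choice of multicast routing protocol, and the procedures by which nodes join a multicast group and sources send multicast data. Taking campus-network video conferencing and FTP transfer as example applications, a network simulation model is built. On the one hand, network performance under unicast and multicast is compared, analyzing video traffic transmission, end-to-end delay of video conferencing packets, FTP response time, and point-to-point link throughput in the backbone network. On the other hand, the improvement in network performance when multicast switches from the shared tree to the shortest-path tree, compared with using the shared-tree mechanism alone, is examined, including lower packet delay and less congestion at the rendezvous point router. The paper also raises further factors to be considered for multicast in wireless mobile communication network environments.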

18.
The increasing amount of over-the-top (OTT) live streams and the lack of global network layer multicast support pose challenges for scalable and efficient streaming over the Internet. Content Delivery Networks (CDNs) help by delivering the streams to the edge of almost every Internet Service Provider (ISP) network of the world but usually also end there. From there on, the streams are to be delivered to the clients using IP unicast, although an IP multicast functionality would be desirable to reduce the load on CDN nodes, transit links, and the ISP infrastructure. IP multicast is usually not available due to missing control and management features of the protocol. Alternatively, Peer-to-Peer (P2P) mechanisms can be applied to extend the overlay multicast functionality of the CDN towards the clients. Unfortunately, P2P only improves the situation for the CDN but makes it more challenging for the ISP as even more unicast flows are generated between clients inside and outside the ISP network. To tackle this problem, a Software-Defined Networking-based cross-layer approach, called Software-Defined Multicast (SDM), is proposed in this paper, enabling ISPs to offer network layer multicast support for OTT and overlay-based live streaming as a service. SDM is specifically tailored towards the needs of P2P-based video stream delivery originating from outside the ISP network and can easily be integrated with existing streaming systems. Prototypical evaluations show significantly improved network layer transmission efficiencies when compared to other overlay streaming mechanisms, down to a level as low as for IP multicast, at linearly bounded costs.

19.
张建明  顾乃杰  李婧 《计算机应用》2005,25(9):2108-2113
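RBMoM is a mobile multicast protocol with good overall performance that combines the two basic methods in the IETF Mobile IP protocol, remote subscription and bidirectional tunneling. By analyzing the problems in the RBMoM mobile multicast protocol, the paper proposes a DMSP sharing mechanism and implements an efficient mobile multicast scheme based on it. The scheme effectively reduces multicast traffic in the network and lowers the cost of maintaining the multicast tree, without adding much delay to multicast data delivery.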

20.
孙大为  曲博  李晓  江早  常桂然 《计算机工程》2010,36(16):232-233
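To address the problem that IP multicast, which uses the UDP protocol at the network layer, cannot effectively guarantee reliable data transmission, an efficient and stable system that guarantees reliable data transmission between end systems is proposed. It uses key techniques such as CRC-32, end-to-end error recovery and end-to-end congestion control. The technique has been successfully applied in the Shenyang Metro Passenger Information System (PIS). Test results show that the system retains the advantages of IP multicast, such as saving bandwidth and improving data transmission efficiency, while guaranteeing reliable data transmission.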
