Dynamic Policy-Based Network Management for a Secure Coalition Environment

This article reports the latest results of an R&D effort to develop a prototype implementation of a dynamic policy-based network management (PBNM) system that can be used to configure and manage a secure network for a coalition environment across an unsecured wide area network. The prototype, based on a distributed architecture, includes capabilities for policy creation and management, dynamic policy negotiation, and dynamic policy provisioning. The policy negotiation facilitates the rapid deployment of a coalition network while the dynamic policy provisioning automates the configuration and management of network services including firewalls, virtual private network connections, routing, quality of service (QoS), and domain name services. Such a PBNM system enhances an organization's ability to react to network incidents identified by a network situational awareness assessment. Although the focus of the current research is a military coalition environment, the system can be used in any distributed enterprise or collaborative environment     

Windows server 2003组策略运行机制分析研究

针对现行网络教材在Windows Server2003组策略方面讲解的不足和组策略在企业网络应用的重要性,结合活动目录和DNS提供的服务,通过对组策略的体系结构、组策略对象的结构和属性、客户端和服务器端的运行过程,从概念、服务组件、组件间的相互作用等方面进行了详细的分析研究,给出了组策略从编辑、管理及实施应用的运行机制,有利于网络管理员在企业网络中正确应用及维护组策略,实现大批量管理计算机和用户。     

A management and visualization framework for reconfigurable WDM optical networks

As the phenomenal advance in optical WDM networking technologies continues, optical WDM network equipment has been deployed not only in backbone networks, but also in regional, metropolitan, and access networks. It is widely believed that a major component of the next-generation Internet will be an IP-based optical network employing WDM. WDM wavelength routing and signaling have become an active research field, and dynamic and adaptive wavelength routing and assignment algorithms have been proposed. However, there is less work on reporting network control and management system implementation efforts over testbed WDM networks. This article presents a network management and visualization framework aimed at guiding the development of management applications for reconfigurable WDM optical networks. A layered framework architecture including element and network management and visualization is provided, and an object-based information model representing the WDM network is introduced. Functional components on reconfiguration, software agent, and network visualization services are presented, and important issues related to optical lightpath generation are discussed. A network visualization service also provides WDM control and management APIs to applications and access networks such as an IP network management system. To illustrate the usage of the framework, we share our experience in implementing the MONET network control and management system, and present network visualization views obtained from the MONET WDM network to highlight the framework features.     

基于VPN的视频监控系统建设

为了设计一个通用化网络视频监控平台,提供一套具有实时性、实用性、易操作性、高可靠性、可维护性的视频监控管理系统,文中结合一套专门为企业制作的远程数字监控系统,从VPN的基本原理、数字视频监控的组成、系统的配置及工作流程等几个方面,逐步阐述了一种实用的基于VPN的视频监控系统建设的架构,并对该系统架构的优势进行了总结说明。     

Policy-based management of content distribution networks

We present a policy-based architecture for the control and management of content distribution networks that form an overlay of caching proxies over an underlying physical network. The architecture extends the policy framework used for controlling network quality of service (QoS) and security to content distribution networks. The fundamental advantage of a policy-based framework is that it allows a machine-independent scheme for managing multiple devices from a single point of control. In this article we describe this architecture and demonstrate how it enables dynamic updates to content distribution policies. Furthermore, we analyze the impact of such dynamic distribution on the cost of content serving     

Adaptive connectivity management middleware for heterogeneous wireless networks

The trends of network convergence and mobile accessibility in the Internet are bringing new challenges to the connectivity management of end hosts. Concerning network convergence, the configuration of heterogeneous access networks should be taken into consideration. As for mobile accessibility, seamless handoff between diverse access points is a challenging issue. This article presents the design and implementation of connectivity management middleware (CMM), a channel-based architecture for context-aware connectivity management. This architecture can both provide network awareness to applications and manage network resources in an adaptive fashion. In the case of network awareness, the platform provides interfaces for applications to query network QoS and availability status, as well as subscribe connection events. As for adaptive resource management, channel-based transport services for seamless access switching and disconnection treatment are provided based on a policy mechanism. A prototype is implemented with which experiments were performed in a GPRS-WLAN integrated environment in order to demonstrate the operational correctness of the architecture. Performance metrics are measured and analyzed.     

Transport of TCP/IP traffic over assured forwarding IP-differentiated services

The Internet is facing a twofold challenge: to increase network capacity in order to accommodate a steadily increasing number of users; to guarantee the quality of service for existing applications and for new multimedia applications requiring real-time network response. In order to meet these requirements, IETF is currently defining the differentiated service (DiffServ) architecture, which should offer a simple and scalable platform to guarantee differentiated QoS in the Internet. In the DiffServ domain, the assured forwarding service is designed to provide data applications with acceptable performance, overcoming the limits of the Internet's current best-effort service. Since data applications mostly rely on the TCP transport protocol, it is important to examine the interaction between the congestion avoidance and control mechanisms of TCP and assured forwarding. Our main purpose is to shed light on this interaction, and to show that, in the current DiffServ framework, poor performance of TCP traffic flows can result from the existing mismatch between the assured forwarding traffic conditioning procedures and the TCP congestion management. We propose a new adaptive packet marking policy to deal with congestion situations that may occur. We show that, with this policy, the provisioned rate for TCP flows can be achieved.     

Engineering workstations-managing network workstations

Standardized network management tools, which are a necessity as users mix and match equipment from different vendors, are examined. Among their applications are configuring and installing software on workstations, monitoring network and server performance, controlling remote workstations, detecting and fixing problems, and implementing security measures. The various standardization efforts underway are discussed     

NetCAPE: Enabling Seamless IMS Service Delivery across Heterogeneous Mobile Networks

An evolving wireless world is constantly providing users with a wider set of access technologies to choose from, each with different capabilities and properties. In this world, IMS as defined by 3GPP provides an enabling, standardized multimedia architecture that is access independent, hence, providing service convergence. This trend is accompanied by an increasing number of multimode terminals so that inter-access- system-service continuity gains relevance. This article presents the architectural framework of NetCAPE (networking context aware policy environment), which addresses the optimization of mobility management in such a heterogeneous environment while interacting with IMS applications to enable seamless service delivery across heterogeneous mobile networks; even as the mobility offered by the underlying network remains transparent to IMS applications. Although the focus is on 3GPP-based mobile networks, the framework also incorporates wired access technologies, hence, taking a further step toward fixed mobile convergence (FMC). First results are presented highlighting the improvements gained by applying NetCAPE concepts.     

Design and performance evaluation of active bandwidth brokers

With the arrivals of critical data transactions and multimedia applications, the needs of network services with different Quality of Service (QoS) guarantees increase rapidly. In order to ensure the delivery of information with a desired quality at the application layer, policy-based management (pbm) systems should be deployed at network service providers for configuring network devices properly. A policy-based management system is capable of resolving and enforcing policy rules in realizing end-to-end QoS for all kinds of network connections. In this paper, a novel design of policy-based management system based on active networks is proposed. Active network technology empowers network routers the ability to execute and move data and program code as needed. It is used in the proposed design (Active Bandwidth Broker architecture) to achieve the goals of system scalability and reliability. Moreover, policy control operations can be distributed among different active nodes. Thus, the architecture reduces the aggregate amount of policy control traffic in networks and expedites the response times on policy requests. Furthermore, the Policy Decision Point is a mobile agent that moves and avoids encountering network congestion situations. A system prototype has been constructed to implement the designed architecture. It has successfully demonstrated that the new design framework offers architecture flexibility, improves system reliability, and provides system scalability in handling a large number of service requests.     

Network resource management for enterprise wide multimedia services

The support of broadband multimedia applications over an enterprise network poses a broad range of networking challenges for efficient resource management, intelligent switching, and access control for distributed information. We propose two server-based scheduling algorithms, with low computational complexity, to guarantee multimedia information synchronization at the destination, with minimum presentation delays and buffer requirements. We outline a communication framework, highlighting the issues and challenges faced by today's enterprise networks to support multimedia services. We describe the proposed connection establishment and resource allocation schemes in resource-constrained enterprise networks. The objective is to manage the limited resources of the network for maximum utilization. Towards this end we present a dynamic capacity allocation scheme to support connections for multiple users. Specifically, we show that the channel capacity allocation problem can be formulated as a quadratic programming problem. This allocation scheme is implemented at each intermediate switch to dynamically determine the capacity allocation. The effects of interswitch rate mismatch and network delay offset scheduling have also been incorporated in the management framework. In addition, we introduce the concept of route selection based on the requested network quality of service     

An automated policy-based management framework for differentiated communication systems

This paper presents a novel paradigm to approach the issue of autonomous policy-based management of wired/wireless differentiated communication systems. In contrast to existing management approaches which require static a priori policy configurations, policies are created dynamically. The proposed framework addresses the management issue from a new perspective through posing it as a problem of learning from current system behavior, while creating new policies at runtime in response to changing requirements. A hierarchical policy model is used to capture users and administrators' higher level goals into network level objectives. Given sets of network objectives and constraints, policies are assembled at runtime. The new approach gives more flexibility to users and applications to dynamically change their quality-of-service (QoS) requirements while maintaining a smooth delivery of QoS through network monitors feedback. Simulation results demonstrate the performance of the proposed work.     

TNC架构的应用研究

可信网络连接(TNC)是由60多家可信赖计算机组织TCG的成员共同开发的。TNC是基于完整性和认证性双重概念开发的,TNC架构提供了在不同网络环境中采集和交换端点完整性数据的通用框架。本文定义了TNC架构的基本元素,介绍了TNC与现有网络标准和设备的关系,并研究了如何在现有网络环境下应用TNC架构的问题。     

IMS中的网络域安全管理模型

本文提出了IMS中的网络域安全管理模型,分别介绍了IMS中的网络域安全管理结构、密钥管理和分配机制以及PKI结构。此模型引入的安全网关用以生成且管理以PKI结构为基础的密钥和证书。IPSec协议用来提供机密性和完整性保护。     

认知无线电网络中的自组织优化方法（英文）

Cognitive radio(CR) is regarded as a promising technology for providing a high spectral efficiency to mobile users by using heterogeneous wireless network architectures and dynamic spectrum access techniques.However,cognitive radio networks(CRNs)may also impose some challenges due to the ever increasing complexity of network architecture,the increasing complexity with configuration and management of large-scale networks,fluctuating nature of the available spectrum,diverse Quality-of-Service(QoS)requirements of various applications,and the intensifying difficulties of centralized control,etc.Spectrum management functions with self-organization features can be used to address these challenges and realize this new network paradigm.In this paper,fundamentals of CR,including spectrum sensing,spectrum management,spectrum mobility and spectrum sharing,have been surveyed,with their paradigms of self-organization being emphasized.Variant aspects of selforganization paradigms in CRNs,including critical functionalities of Media Access Control(MAC)- and network-layer operations,are surveyed and compared.Furthermore,new directions and open problems in CRNs are also identified in this survey.     

Signaling alternatives in a wireless ATM network

The world of wireless telecommunications is rapidly changing. The capabilities of wireless networks are improving at a steady pace. This paper presents two possible protocols for implementing mobility for wireless users in an asynchronous transfer mode (ATM) network. The vision of the authors is of one “wireless ATM telecommunications network” that is capable of supporting a variety of today's applications with room to grow for advanced applications of the future. We first visit database architectures that can support mobility in a wireless ATM network. We then discuss one of two signaling architecture alternatives, the “overlay signaling”, for overlay support of mobile users in the ATM-based wireless telecommunications network. “Overlay signaling” aims at minimizing the modification needed to the existing ATM protocols. We then describe a native “migratory signaling” approach that further integrates wireless and wireline users into one global wireless ATM network at the expense of requiring some modifications to the existing ATM protocols. A performance analysis of the proposed signaling architecture alternatives is also presented. We conclude by pointing out some challenges in merging ATM with wireless telecommunications     

A general architecture for end-to-end performance management in heterogeneous QoS-networks

The paper starts with a short overview of a general framework for end-to-end performance management for heterogeneous telecommunication networks. The main focus lies on extensions of the connection-oriented architectures in order to integrate connectionless paradigms into the general management ideas. Three exemplary network management layer applications which have already been implemented into the test bed of the Institute of Broadband Communication at Vienna University of Technology, a closed loop MPLS provisioning, a network analysis tool using neural nets, and the management of the calculation of IP performance metrics validate the applicability of the architecture.     

Multi-domain architecture for policy management inumts ip multimedia subsystem

The Universal Mobile Telecommunications System (UMTS) offers IP-based multimedia applications and services with end-to-end Quality of Service (QoS) guarantee. The key component providing these services is the IP Multimedia Subsystem (IMS) that uses Service-Based Local Policy (SBLP) management for QoS control. To support end-to-end QoS, the UMTS IMS network should be scalable, reliable and flexible in policy deployment and enforcement, characteristics that are not found in single-domain policy architecture. A hybrid policy architecture is proposed, in which a hierarchical architecture is applied to the multi-domain environment in a single operator UMTS IMS network, while a peering architecture is employed in a multi-operator UMTS IMS network. The proposed multi-domain policy architecture potentially minimizes the session setup delay and policy exchange traffic while maximizing network scalability.     

物联网中信任管理机制(英)

Trust management has been proven to be a useful technology for providing security service and as a consequence has been used in many applications such as P2P,Grid,ad hoc network and so on.However,few researches about trust mechanism for Internet of Things(IoT) could be found in the literature,though we argue that considerable necessity is held for applying trust mechanism to IoT.In this paper,we establish a formal trust management control mechanism based on architecture modeling of IoT.We decompose the IoT into three layers,which are sensor layer,core layer and application layer,from aspects of network composition of IoT.Each layer is controlled by trust management for special purpose:self-organized,affective routing and multi-service respectively.And the final decision-making is performed by service requester according to the collected trust information as well as requester' policy.Finally,we use a formal semantics-based and fuzzy set theory to realize all above trust mechanism,the result of which provides a general framework for the development of trust models of IoT.     

A practical architecture for implementing end-to-end QoS in an IPnetwork

All critical elements now exist for implementing a QoS-enabled IP network. It can be built on commercially available platforms and then evolve by adopting emerging standards and technologies. This article describes a practical architecture for end-to-end QoS in an IP environment including incorporation of established, as well as developing, IP and QoS technologies. The article combines the IETF QoS mechanisms with the LAN aspects of QoS and QoS for VoIP-areas usually considered separately. Proposed solutions span across different technologies, e.g., preservation of IP-based classification in MPLS headers, identification of flows encrypted within IPSec during WAN handling, traffic shaping in the access to enable grooming diverse applications and VPNs in the WAN, and so on. VoIP receives special emphasis because of its unique features, such as call setup signaling and call admission control, rarely addressed in traditional IP QoS discussions. An attractive scenario for the IP QoS implementation is to provide a multiservice environment between large enterprise premises over a service provider's core network. A successful end-to-end realization of this service presumes well-defined interworking between the SP's and customers' networks. It will take place on several levels including IP signaling, VoIP setup and CAC, policy interworking, and exchange of billing information. The article recommends to establish SP's presence at the enterprise premises and to implement interworking entities such as the proposed QoS customer server and QoS network server