Similar literature
1.
The advent of Voice over IP (VoIP) has offered numerous advantages but, at the same time, it has introduced security threats not previously encountered in networks with a closed architecture like the Public Switched Telephone Network (PSTN). One of these threats is that of signaling attacks. This paper examines signaling attacks in VoIP environments based on the Session Initiation Protocol (SIP), focusing on the design of a robust, lightweight protection mechanism against them. The proposed scheme introduces a new SIP header, namely the Integrity-Auth header, which is utilized for protecting SIP-based VoIP services from signaling attacks while ensuring authenticity and integrity.

2.
It is a myth that the Internet has been designed to withstand a denial of service attack. At the BlackHat 2005 conference it was shown that potential attacks against routers are far from hypothetical. These attacks are about compromising the integrity of routers and hence the Internet. Current TCP/IP protocols, even including IPsec, do not have the resilience to deal with routers taken over by the adversary. Indeed, IPsec only provides point-to-point cryptography; hence if a point is compromised, it fails. We survey the research done in the area of how to communicate reliably and/or privately in the presence of different types of adversary, particularly denial of service attacks against nodes/routers. Evidently, if the adversary can control all nodes (routers) in the network, no solution exists. The nodes that can be attacked by the adversary can be described using a threshold, or by what is called an adversary structure. The types of network in question can be point-to-point or broadcast/multicast.

3.
Man Li, IEEE Network, 2003, 17(6): 36-43
Security is vital to the success of e-commerce and many new value-added IP services. As a consequence, IPsec is an especially important security mechanism in that it provides cryptographic-based protection mechanisms for IP packets. Moreover, in order for IPsec to work properly, security policies that describe how different IP packets are protected must be provisioned on all network elements that offer IPsec protection. Since IPsec policies are quite complex, manually configuring them on individual network elements is inefficient and therefore infeasible for large-scale IPsec deployment. Policy-based IPsec management strives to solve this problem: policy-based management employs a policy server to manage a network as a whole; it translates business goals or policies into network resource configurations and automates these configurations across multiple different network elements. Policy-based IPsec management significantly simplifies the task of defining, deploying, and maintaining security policies across a network, thereby significantly simplifying large-scale IPsec deployment. This article describes the motivations, key concepts, and recent IETF developments for policy-based IPsec management. It then applies the key concepts to an example of IPsec VPN service provisioning and further describes an example of an IPsec policy server as well as experience gained from implementing such a server. Challenges facing policy-based IPsec management are also discussed.

4.
Scalability implications of virtual private networks (cited by 7: 0 self-citations, 7 by others)
This article gives an overview of the most promising technologies for service providers to offer virtual private network services. The focus is on the analysis of the scalability implications of these virtual private network mechanisms on existing service provider backbone networks. Very often, when deploying VPN services, service providers will be confronted with a trade-off between scalability and security. VPNs that require site-to-site interconnectivity without strong (cryptographic) security can be deployed in a scalable way based on the network-based VPN model, as long as the interaction between the customer and provider routing dynamics is controlled. VPNs that require strong (end-to-end) cryptographic security should be deployed according to the CPE-based VPN model, using the available IPsec protocol suite.

5.
This paper describes the compressed edge sampling algorithm used in IP traceback of DoS (denial of service) attacks, and modifies the IP packet header while preserving backward compatibility.

6.
In cloud storage environments, storing cloud data as multiple replicas has become a popular practice. To address the threat that malicious cloud service providers pose to the security of replica data, this paper proposes a multi-replica integrity auditing scheme based on a DDCT (Dynamic Divide and Conquer Table). First, the DDCT table is introduced to handle dynamic data operations; it stores information such as the block number, version number and timestamp of the replica data. Next, to resist attacks by malicious cloud service providers, a timestamp-based signature authentication algorithm for replica data is designed. Then the concept of a replica block, consisting of a block header and a block body, is proposed: the block header stores the timestamp-based identification and authentication signature of the replica data, and the block body holds the encrypted replica data. Finally, a third-party auditor is entrusted to audit the integrity of the multi-replica data in the cloud using the replica-timestamp-based signature authentication algorithm. Security analysis and experimental comparison show that the scheme not only effectively defends against attacks between malicious storage nodes, but also prevents the multi-replica data from being leaked to the third-party auditor.

7.
Transmission control protocol (TCP) performance enhancement proxy (PEP) mechanisms have been proposed, and in some cases widely deployed, to improve TCP performance in all-Internet protocol (IP) wireless networks. However, this technique conflicts with IP security (IPsec), a standard IP security protocol that will make inroads into wireless networks. This paper analyzes the fundamental problem behind this conflict and develops a solution called multilayer IP security (ML-IPsec). The basic principle is to use a multilayer protection model and fine-grained access control to make IP security protocols compatible with TCP PEP. It allows wireless network operators or service providers to grant base stations or wireless routers limited and controllable access to the TCP headers for performance enhancement purposes. Through careful design, implementation, and evaluation, we show that we can easily add ML-IPsec to existing IPsec software and that the overhead is low. We conclude that ML-IPsec can help wireless networks provide both security and performance.

8.
Applications that use the reliable Transmission Control Protocol (TCP) suffer significant degradation over satellite links. This degradation is mainly a consequence of the congestion control algorithm used by standard TCP, which is not suitable for overcoming the impairments of satellite networks. To alleviate this problem, two TCP Performance Enhancing Proxies (PEPs) can be deployed at the edges of the satellite segment. These PEPs can then use different mechanisms such as snooping, spoofing and splitting to achieve better TCP performance. In general, these mechanisms require the manipulation of the Internet Protocol (IP) and TCP headers, which creates a problem when deploying the standard IP security (IPsec) protocol. The security services that IPsec offers (encryption and/or authentication) are based on the cryptographic protection of IP datagrams, including the corresponding IP and TCP headers. As a consequence, these cryptographic protections of IPsec conflict with the mechanisms that PEPs use to enhance TCP performance on the satellite link. In this article, we detail the reasons that cause this conflict, and we propose three different approaches to deploy IPsec in a scenario with TCP PEPs. Our proposals provide different trade-offs between security and TCP performance in some typical scenarios that use satellite networks. Copyright © 2012 John Wiley & Sons, Ltd.

9.
IP VPN lets users build a secure, reliable, convenient enterprise private network on top of an IP network, and saves the enterprise money. This paper introduces IP VPN technology in terms of the concept and classification of IP VPN, the tunneling technologies used to build an IP VPN, and how the security of data transmitted over the VPN is guaranteed.

10.
A new bandwidth measurement method for IPv6 networks (cited by 2: 0 self-citations, 2 by others)
This paper proposes PTTS (Packet Train Time Stamp), a new bandwidth measurement method for IPv6 networks. The source actively sends a packet sequence (Mh-L-Mt packet train) into the network; the load packets in the sequence reflect the traffic characteristics of the network, while the probe packets carry an IPv6 timestamp extension header that records the current time of each router hop by hop, so that the time the sequence takes to traverse the link can be obtained and the available bandwidth derived. The flow label field of the IPv6 base header is used to define the test flow, ensuring that the probe packets and load packets in the train follow the same path; the traffic class field is used to add a test class dedicated to network measurement, eliminating mutual interference with background traffic. Simulation shows that the packet design is reasonable and the measurement method is feasible.

11.
This article shows that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP address, and destination port in a 3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined with the fact that only three header fields per packet need to be examined, a fast attack detection and classification algorithm can be devised.

12.
In recent years, wireless sensor networks (WSNs) have attracted increasing attention in several fields. However, WSNs face significant challenges in their design due to their special characteristics, such as limited energy, processing power, and data storage, that make saving energy a real challenge. Also, given their distributed deployment over open radio frequencies and lack of physical security, these networks are vulnerable and exposed to several attacks: passive eavesdropping, active attacks, and identity theft. In this paper, we propose a new method called the accordion method to detect and apprehend denial of service attacks in WSNs. This approach is a dynamic and adaptive method based on a clustering method that elects control nodes which analyze the traffic inside a cluster and send warnings to the cluster head whenever an abnormal behavior is suspected or detected. The proposed method relies on the analysis of the evolution of the threshold messages (alerts) sent in the cluster. The proposed method has been evaluated, and the obtained numerical results show its benefit compared with other detection methods.

13.
Wireless networks are deployed in many critical areas, such as health care centers, hospitals, police departments, and airports. In these areas, communication through the networks plays a vital role, and real-time connectivity along with constant availability of the networks is highly important. However, one of the most serious threats against network availability is the denial-of-service attack. In wireless networks, the clear text form of control frames is a security flaw that can be exploited by attackers to bring the wireless networks to a complete halt. To prevent denial-of-service attacks against wireless networks, we propose two distinct security models. The models are capable of preventing the attacks by detecting and discarding the forged control frames belonging to the attackers. The models are implemented and evaluated under various experiments and trials. The results have proved that the proposed models significantly improve the security performance of the wireless networks. This gives the advantage of safe communication that can substantially enhance network availability while maintaining the quality of the network performance. Copyright © 2011 John Wiley & Sons, Ltd.

14.
The Transmission Control Protocol (TCP), designed for wired networks, has many incompatibilities when applied in wireless environments and must be modified. Several schemes have been proposed to improve TCP for wireless networks, but these schemes conflict to some degree with the IP security protocol (IPsec). This paper analyzes the conflict between IPsec and the TCP improvement schemes and presents four solutions: replacing IPsec with Transport Layer Security / Secure Sockets Layer (TLS/SSL), extending the Encapsulating Security Payload (ESP) protocol, splitting the TCP path into segments, and modifying IPsec's end-to-end protection mode. The advantages and disadvantages of each solution are analyzed.

15.
刘振钧, 李治辉, 林山, 《通信技术》 (Communications Technology), 2015, 48(2): 242-245
Internet Protocol Security (IPsec) provides security services such as encryption, decryption and authentication for the IP layer and the protocols above it. However, IPsec protocol processing has become a bottleneck in high-speed network implementations. As FPGAs move towards larger capacity and higher speed, an IPsec protocol stack implemented in FPGA hardware can deliver higher network performance. This paper presents the design of an FPGA-based 10 Gigabit Ethernet IPsec ESP protocol stack that supports both tunnel mode and transport mode and provides anti-replay protection. By using multi-stage pipelining, multi-buffer ping-pong operation and multi-process parallel processing, 10 Gbit/s line rate is achieved.

16.
As a security mechanism at the network layer, the IP security protocol (IPsec) has been available for years, but its usage is limited to virtual private networks (VPNs). The end-to-end security services provided by IPsec have not been widely used. To bring the IPsec services into wide usage, a standard IPsec API is a potential solution. However, the realization of a user-friendly IPsec API involves many modifications on the current IPsec and Internet key exchange (IKE) implementations. An alternative approach is to configure application-specific IPsec policies, but the current IPsec policy system lacks the knowledge of the context of applications running at upper layers, making it infeasible to configure application-specific policies in practice. In this paper, we propose an application-aware IPsec policy system on the existing IPsec/IKE infrastructure, in which a socket monitor running in the application context reports the socket activities to the application policy engine. In turn, the engine translates the application policies into the underlying security policies, and then writes them into the IPsec security policy database (SPD) via the existing IPsec policy management interface. We implement a prototype in Linux (Kernel 2.6) and evaluate it in our testbed. The experimental results show that the overhead of policy translation is insignificant, and the overall system performance of the enhanced IPsec is comparable to those of security mechanisms at upper layers. Configured with the application-aware IPsec policies, both secured applications at upper layers and legacy applications can transparently obtain IP security enhancements.

17.
朱云, 《光通信研究》 (Study on Optical Communications), 2008, 34(4): 59-62
Because existing authentication mechanisms cannot effectively address network eavesdropping on Session Initiation Protocol (SIP) message transmission, SIP network transmission is exposed to many security threats, such as malformed message attacks, packet sniffing and ciphertext analysis. Through comparative analysis, research and improvement, this paper applies a parallel multi-process SIP illegal-message detection procedure, extends the SIP authentication header field, and introduces a ciphertext steganography system, which can effectively guarantee application-layer security. Experimental results verify the effectiveness of the scheme.

18.
IEEE 802.15.3 is a standard that supports high data rates for wireless personal area networks. It implements a centralized topology for network monitoring and control. The centralized piconet coordinator (PNC) needs to be dynamically selected depending on a number of categories that measure its abilities as the most capable device compared to the surrounding devices in the network. This article presents an extension to the PNC selection criteria in IEEE 802.15.3 by modifying the reserved fields readily available in the standard to support user-centricity as well as other higher layer service dependent criteria. This article also develops the implementation process for the message header exchange between devices to support this new selection process. In addition, simulations are carried out that show the proof of concept of the manner in which these new criteria could be implemented in IEEE 802.15.3.

19.
Passive network measurement and packet header trace collection are vital tools for network operation and research. To protect a user's privacy, it is necessary to anonymize header fields, particularly IP addresses. To preserve the correlation between IP addresses, prefix-preserving anonymization has been proposed. The limitations of this approach for a high-performance measurement system are the need for complex cryptographic computations and potentially large amounts of memory. We propose a new prefix-preserving anonymization algorithm, top-hash subtree-replicated anonymization (TSA), that features three novel improvements: precomputation, replicated subtrees, and top hashing. TSA makes anonymization practical to implement on network processors or dedicated logic at Gigabit rates. The performance of TSA is compared with a conventional cryptography-based prefix-preserving anonymization scheme which utilizes caching. TSA performs better as it requires no online cryptographic computation and only a small number of memory lookups per packet. Our analytic comparison of the susceptibility to attacks between conventional anonymization and our approach shows that TSA performs better for small scale attacks and comparably for medium scale attacks. The processing cost for TSA is reduced by two orders of magnitude and the memory requirements are a few Megabytes. The ability to tune the memory requirements and security level makes TSA ideal for a broad range of network systems with different capabilities.

20.
This paper presents a novel link-layer encryption protocol for wireless sensor networks. The protocol design aims to reduce energy consumption by reducing security related communication overhead. This is done by merging security related data of consecutive packets. The merging (or combining of packets) based on simple mathematical operations helps to reduce energy consumption by eliminating the requirement to send security related fields in headers and trailers. We name our protocol the Compact Security Protocol, referred to as C-Sec. In addition to energy savings, the C-Sec protocol also includes a unique security feature of hiding the packet header information. This feature makes it more difficult to trace the flow of wireless communication, and helps to minimize the cost of defending against replay attacks. We performed rigorous testing of the C-Sec protocol and compared it with well-known protocols including TinySec, MiniSec, SNEP and Zigbee. Our performance evaluation demonstrates that the C-Sec protocol outperforms other protocols in terms of energy savings. We also evaluated our protocol with respect to other performance metrics including queuing delay and error probability.
