Enhancing Network Security Education with Research and Development Content
Mostafa Bassiouni
Department of Elec. Eng. & Computer Science
University of Central Florida
Orlando, Florida USA

Ratan Guha
Department of Elec. Eng. & Computer Science
University of Central Florida
Orlando, Florida USA

ABSTRACT
Network Security (CNT 4403) is an undergraduate course offered for the IT and Computer Science majors at the University of Central Florida. In the recent offering of this course, we enhanced its teaching by adding research-oriented content. In this paper, we discuss our enhancement effort and give two examples. Through our research and graduate teaching, we identified important security aspects of the anycast technology that are overlooked by traditional textbooks on network security. We added content on anycast to give the undergraduate students better experience with emerging security applications. Similarly, we added content on the experimental Robust ECN protocol to give students exposure to new trends in combating malicious user behavior.

Categories and Subject Descriptors
K3.2 [Computers and Education]: Computer and Information Science Education, C.2.0 [Computer-Communication Networks]: General-Security and protection; C.2.2 [Computer-Communication Networks]: Network Protocols.

General Terms
Security, Experimentation.

Keywords
Computer Science Curriculum, Network Security, Research and Development.

1. INTRODUCTION
In this paper, we describe our experience with teaching an undergraduate course on Networking Security and its enhancement by adding research-oriented content. The Networking Course is one of four security related courses offered to Computer Science and Information Technology undergraduate students. The other three courses are Security in Computing, Cryptography, and Secure Operating Systems.
The four courses are carefully put together to advance the undergraduate student quickly from novice to subject matter expert in the field of information security. An NSF-supported project to enhance the four courses using a modular approach is underway. The goal of the NSF-funded project is to contribute positively to the development of a security-proficient workforce and help meet the increasing demand by the federal government, industry and academia for security administrators, counter-hacking professionals, and security researchers.

The organization of the paper is as follows. In Section 2, we briefly describe the modular curricular approach, which is used for developing both undergraduate courses as well as faculty enhancement workshops. An outline of the Networking Security course is given in Section 3. In Section 4, we describe the enhancement that added material on the emerging anycast technology and its impact on security. The second enhancement that added material on the experimental Robust Explicit Congestion Notification protocol is presented in Section 5. The outcome and classroom experience are discussed in Section 6. The paper is concluded in Section

THE MODULAR CURRICULAR APPROACH
Our rationale for developing the curriculum modules is that the delivery system of technical materials should depend on the type and the background of the targeted audience. Since we are creating delivery systems for different groups, our approach is to gather technical information in a modularized fashion. Specifically, we developed several modules consisting of different technical materials relevant to computer and network security. The modules are then synthesized suitably to develop four courses in the area of information security and protection. These courses are: Security in Computing (CIS 3360), Cryptography and Information Security (CIS 3362), Secure Operating Systems and Administration (CIS 4361), and Network Security and Privacy (CNT 4403).
Figure 1 shows the high level architecture of the modular approach. In this paper, we focus on the Network Security and Privacy course (CNT 4403) which we have taught once every year. We discuss our approach for enhancing the educational experience of students in this course by adding research and development content.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIGITE'11, October 20-22, 2011, West Point, New York, USA. Copyright 2011 ACM /11/10...$10.00.
Figure 1. Synthesis of courses from the curricular modules

3. THE NETWORK SECURITY COURSE
In most IT programs, students take a variety of networking and security courses [7]. Network Security and Privacy (CNT 4403) is an undergraduate course offered in the Spring Semester by the Computer Science Division of our department. It attracts Information Technology and Computer Science majors, normally in the senior year. The course contents are assembled from the curricular modules on Cryptography, Computer Networks, and Security protocols. Two textbooks [3] and [6] are used in this course. Topics covered in this course include:

Message Integrity and Authentication
Digital Signature
Entity Authentication
Key Management
Transport Layer Security
Network Layer Security
Security
Application Layer Security
Intrusion Detection and Firewalls
Wireless LAN Security

The course covers the details of major network-related security protocols including: SSL, TLS, IPSec, PGP, S/MIME, HTTPS, SSH, and i. In the most recent offering of this course, we enhanced the teaching of some of these protocols by adding research-oriented and current development contents. In this paper, we give two examples of the enhancement contents, namely, Anycast and Robust ECN (Explicit Congestion Notification). Anycast is used to enhance the teaching of standard security protocols, especially the IP Security (IPSec) protocol. We typically teach the design and implementation of Native and Proxy Anycast in an advanced graduate networking course using research articles such as [2]. Through our involvement in research and graduate teaching, we identified important security aspects of the anycast technology that are overlooked by traditional textbooks on network security. We introduced anycast in the undergraduate network security course to give students better experience about emerging applications of traditional security protocols such as IPSec.
Similarly, we added teaching the experimental Robust ECN protocol to give the undergraduate students exposure to new trends in combating the malicious behavior of some TCP receivers. We discuss anycast in Section 4 and Robust ECN in Section

ANYCAST SECURITY ISSUES
Anycast is an important emerging technology whereby multiple distinct machines are allowed to have the same IP address. We first compare anycast to unicast, multicast and broadcast. In unicast, there is a one-to-one association between a network address and a network endpoint: each destination address uniquely identifies a single receiver endpoint. In broadcast and multicast, there is a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, to which all information is replicated. In anycast, there is also a one-to-many association between network addresses and network endpoints, but only one of the receiver endpoints is chosen at any given time to receive information from any given sender. Anycast is therefore designated as a one-to-any association between network addresses and network endpoints.
Anycast is usually implemented by using the BGP (Border Gateway Protocol) routing protocol to simultaneously announce the same destination IP address range from many different places on the Internet [1]. This causes packets addressed to destination addresses in this range to be routed to the "nearest" point on the network announcing the given destination IP address.

An important application of IP anycast is the Domain Name System (DNS) [4]. Some of the thirteen Internet root name servers are currently implemented as multiple hosts using anycast addressing. The A, C, F, I, J, K, L and M servers exist in multiple locations on different continents, using anycast address announcements to provide a decentralized service. Anycast has accelerated the deployment of physical root servers outside the United States. For example, the F-Root Name Server has an IP address Currently, the number of F-Root servers is 46 and increasing. All F-Root servers have the same IP address and receive DNS requests based on anycast. Anycast has allowed a single root name server to be implemented as a cluster of machines placed in different cities and countries. This has made denial of service (DoS) attacks on the root name servers more difficult and less harmful. We provide students with information on important historical attacks such as the 2002 DoS attack described below.

On October 21, 2002, the Internet Domain Name System's root name servers sustained a denial of service attack. A coordinated DDoS (distributed denial of service) attack was launched and lasted more than one hour. All thirteen DNS root name servers were targeted simultaneously. This attack was unusual in that it was synchronized to take place against all thirteen root name servers simultaneously. Attack volume was approximately 50 to 100 Mbits/sec per root name server, yielding a total attack volume of approximately 900 Mbits/sec.
The typical source for DDoS attacks is a large number of "drones", each sending only a small amount of traffic, using randomized source addresses. The impact of the attack was very noticeable and some root name servers were unreachable from many parts of the global Internet. Many valid queries were unable to reach some root name servers due to attack-related congestion effects, and thus went unanswered.

4.1 BGP Man-In-The-Middle (MITM) Attack
Since anycast is implemented through BGP update messages, we expose the students to the basic idea of the BGP Man-In-The-Middle (MITM) Attack. A BGP Update message from a BGP router announces a new route or withdraws a previously announced route. The BGP update process has the following vulnerability: all of Internet routing is based on trust; BGP routers can announce any IP address space they want and there is no mechanism in place to handle a node that goes rogue. Basically, there is no Internet police!

The BGP MITM Attack Scenario is illustrated in Figure 2. An attacker (compromised BGP router) announces a currently used IP space that belongs to a legitimate entity (victim) located somewhere else on the Internet. This basically creates another anycast address for the legitimate entity. Legitimate traffic gets diverted to the hijacker and the victim can be effectively taken off the Internet.

Figure 2. BGP man-in-the-middle attack

We provided students with information about two historical examples of BGP MITM Attack.

Example 1: The YouTube address /22 used in February 2008 was hijacked by a badly configured announcement of the address /24 from a BGP router in Asia. In BGP, the most specific route to an IP address wins (the mask /24 is longer and more specific than /22). YouTube was globally unreachable for two hours.

Example 2: In April 1997, a misconfigured router flooded the Internet with incorrect advertisements announcing AS7007 as origin of best route to essentially the entire Internet.
AS7007 became a major traffic sink and disrupted reachability to many networks for hours causing an Internet-wide blackout.

4.2 The Role of IPSec Protocol
In order to minimize the risk of BGP man-in-the-middle attack, secure file transfer methods and strong authentication should be used for all BGP transfers. Running BGP over IPSec would protect it against MITM attacks. IPSec enables BGP peers to verify or detect:

BGP message integrity
Peer entity authentication
Replayed BGP messages
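The "most specific route wins" rule from Section 4.1 can be turned into a monitoring check, shown here as an added example that is not part of the original paper. The registry of expected origins, the prefixes (private address space) and the AS numbers (documentation ASNs) are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed registry of monitored prefixes and the origin ASNs allowed to
# announce them (private address space, documentation ASNs from RFC 5398).
EXPECTED_ORIGINS = {
    "10.20.0.0/22": {64500},
}

# Constructed BGP announcements as (prefix, origin AS) pairs.
SAMPLE_UPDATES = [
    ("10.20.0.0/22", 64500),   # legitimate announcement
    ("10.20.2.0/24", 64500),   # owner's own more-specific
    ("10.20.1.0/24", 64511),   # more-specific from a foreign origin
    ("10.20.0.0/22", 64511),   # same prefix, foreign origin
    ("192.0.2.0/24", 64501),   # not a monitored prefix
]

ALERT_VERDICTS = ("origin-conflict", "sub-prefix-hijack", "covering-prefix")


def longest_match(routes, dst):
    """Return the (prefix, origin_as) that longest-prefix matching selects for dst."""
    addr = ip_address(dst)
    hits = [(ip_network(p), asn) for p, asn in routes if addr in ip_network(p)]
    if not hits:
        return None
    net, asn = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), asn


def classify(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Compare one announcement with the registry of expected origins."""
    net = ip_network(prefix)
    # Check the most specific registry entry first so nested entries behave.
    ordered = sorted(expected, key=lambda p: ip_network(p).prefixlen, reverse=True)
    for exp_prefix in ordered:
        exp = ip_network(exp_prefix)
        if net.version != exp.version:
            continue  # subnet_of() refuses to compare IPv4 with IPv6
        authorised = origin_as in expected[exp_prefix]
        if net == exp:
            return "ok" if authorised else "origin-conflict"
        if net.subnet_of(exp):
            # A longer mask inside a monitored prefix attracts its traffic.
            return "ok-more-specific" if authorised else "sub-prefix-hijack"
        if net.supernet_of(exp):
            return "ok-covering" if authorised else "covering-prefix"
    return "unmonitored"


def scan(updates, expected=EXPECTED_ORIGINS):
    """Return the announcements that need an operator's attention."""
    alerts = []
    for prefix, origin_as in updates:
        verdict = classify(prefix, origin_as, expected)
        if verdict in ALERT_VERDICTS:
            alerts.append((prefix, origin_as, verdict))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
    # Traffic for 10.20.1.9 follows the /24 even though the /22 is still announced.
    print(longest_match(SAMPLE_UPDATES[:3], "10.20.1.9"))
```

Session protection such as IPSec authenticates the peer that sent an update; a check like this one looks at what the update claims.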
4.3 DoS attack mitigation using anycast
Anycast distribution of a service provides the opportunity for traffic to be handled closer to its source. Deploying anycast services on the Internet can be used to prevent or mitigate Denial-of-Service (DoS) attacks. Figure 3 shows this approach for a Distributed DoS Attack. Multiple anycast sink nodes are deployed to collect the attack traffic generated from different attack sources.

Figure 3. Mitigating denial of service (DoS) attack using anycast

5. ROBUST ECN
Robust Explicit Congestion Notification, or Robust ECN, is an Experimental Protocol for the Internet community. Robust ECN is defined in Request for Comments 3540 [5]. Robust ECN is an optional addition to the Explicit Congestion Notification (ECN) protocol defined in RFC The Robust ECN protocol catches a misbehaving receiver with a high probability, and never implicates an innocent receiver. It is cheap in both per-packet overhead and processing requirements; it uses one single bit in the TCP FLAGS field. Robust ECN protects against attacks that sabotage the main congestion control mechanism of the Internet, namely, the TCP congestion control mechanism. Two forms of this type of attack are:

A TCP accelerator sends optimistic TCP acknowledgements to "fast start" the TCP session to a preset bandwidth quickly and maintain this bandwidth for the entire lifetime of the TCP session.
A malicious TCP receiver conceals packet losses from the TCP sender. This causes the sender to transmit at high bandwidth for the entire lifetime of the TCP session.

The TCP accelerator sends optimistic TCP acknowledgements, in which TCP segments are acknowledged before they have been received. Figure 4 shows the growth of the congestion transmission window for an honest receiver and Figure 5 shows the comparable growth for a dishonest TCP accelerator.
Figure 4. TCP slow start phase for honest receiver

Figure 5. TCP slow start phase for dishonest accelerator
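The sender-side check behind Robust ECN can be modelled in a few lines; this is an added example, not code from the paper or from RFC 3540. It assumes a simplified model in which the sender attaches one random nonce bit to each segment and every acknowledgement must echo the one-bit sum of the nonces it covers; retransmission, congestion marks and resynchronisation are left out, and all function names and sample values are constructed.

```python
import random
from itertools import product


def make_nonces(n, seed):
    """Sender: one random nonce bit per segment (seeded so the run repeats)."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(n)]


def nonce_sum(nonces, upto):
    """One-bit sum (XOR) of the nonces of segments 0 .. upto-1."""
    total = 0
    for bit in nonces[:upto]:
        total ^= bit
    return total


def sender_checks(nonces, acks):
    """Sender: verify each (ack_no, sum_bit) against its own nonce record.

    Returns the index of the first acknowledgement that fails, or None."""
    for i, (ack_no, sum_bit) in enumerate(acks):
        if sum_bit != nonce_sum(nonces, ack_no):
            return i
    return None


def honest_acks(nonces, lost):
    """Honest receiver: the cumulative ACK stops at the first missing segment,
    and later arrivals only produce duplicate ACKs with the same sum."""
    acks, ack_no, total, hole = [], 0, 0, False
    for seq, bit in enumerate(nonces):
        if seq in lost:
            hole = True
            continue            # nothing arrived, so nothing is acknowledged
        if not hole:
            total ^= bit
            ack_no = seq + 1
        acks.append((ack_no, total))
    return acks


def concealing_acks(nonces, lost, guesses):
    """Misbehaving receiver: acknowledges every segment, including ones it
    never saw (concealed loss or optimistic ACK), guessing the unseen nonces."""
    acks, total = [], 0
    for seq, bit in enumerate(nonces):
        total ^= guesses[seq] if seq in lost else bit
        acks.append((seq + 1, total))
    return acks


def escaping_patterns(nonces, lost):
    """Try every possible set of guesses; count those the sender never flags."""
    order = sorted(lost)
    escaped = 0
    for bits in product((0, 1), repeat=len(order)):
        guesses = dict(zip(order, bits))
        if sender_checks(nonces, concealing_acks(nonces, lost, guesses)) is None:
            escaped += 1
    return escaped, 2 ** len(order)


def detection_probability(nonces, lost):
    """Chance that a receiver guessing uniformly at random is caught."""
    escaped, total = escaping_patterns(nonces, lost)
    return 1 - escaped / total


if __name__ == "__main__":
    nonces = make_nonces(20, seed=7)      # constructed session of 20 segments
    lost = {3, 8, 15}                     # constructed loss pattern
    print("honest receiver flagged:",
          sender_checks(nonces, honest_acks(nonces, lost)) is not None)
    print("concealing receiver caught with probability",
          detection_probability(nonces, lost))
```

In this model only one of the 2^k possible guess patterns survives k concealed losses, which is the sense in which a misbehaving receiver is caught with high probability while an honest one is never implicated.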
When Robust ECN is used, packet drops (losses) cannot be concealed from the sender. Packet drops could potentially be concealed by a faulty TCP implementation or a malicious receiver who wants to force the sender to operate at the maximum sending rate as shown in Figure 6. This could be an individual malicious user or a part of a wider congestion control attack.

Figure 6. Bandwidth abuse by malicious receiver

6. OUTCOME AND CLASSROOM EXPERIENCE
The new materials on Anycast technology and Robust ECN have been well received by the students. The formal online evaluation conducted by the university during the last two weeks of classes for CNT 4403 showed good student reviews. The observed improvement in the rating of certain categories, compared to the evaluation of the same course in the previous year (Spring 2010), is attributed to the added materials. For example, in the category of Learning materials, 53% of the students gave Excellent rating and 46% gave Very Good rating. In the category of Instructor interest in student learning, 75% of the students gave Excellent rating and 12.5% gave Very Good rating. In the category of Stimulation of interest in the course, 46% of the students gave Excellent rating and 46% gave Very Good rating. In the category of Facilitation of learning, 53% of the students gave Excellent rating and 40% gave Very Good rating. Written comments appreciated that this course covered relevant IT information and linked together many technologies covered in other courses. The students liked that the course went into the specifics of how various algorithms worked and presented topics by explaining them in a context of emerging research.

7. CONCLUSIONS
In this paper, we discussed our enhancement effort to improve the teaching of an undergraduate course on Network Security. Through our research and graduate teaching, we identified important security aspects of the anycast technology that are overlooked by traditional textbooks on network security. We added content on anycast to give the undergraduate students better experience with emerging security applications. Similarly, we added content on the experimental Robust ECN protocol to give students exposure to new trends in combating malicious user behavior. The added materials were well received by the students.

7. ACKNOWLEDGMENTS
This work has been partially supported by NSF Grant No

8. REFERENCES
[1] Abley, J. and Lindqvist, K Operation of Anycast Services. IETF Request for Comments: 4786 (December 2006).
[2] Ballani, H. and Francis, P Towards a Global IP Anycast Service. Proceedings of the ACM SIGCOMM Conference (Philadelphia, PA, August 2005).
[3] Forouzan, B Cryptography and Network Security, 1st Edition, McGraw Hill (2008).
[4] Hardie, T Distributing Authoritative Name Servers via Shared Unicast Addresses. IETF Request for Comments: 3258 (April 2002).
[5] Spring, N., Wetherall, D. and Ely, D Robust Explicit Congestion Notification (ECN) Signaling with Nonces. IETF Request for Comments: 3540 (June 2003).
[6] Stallings, W Cryptography and Network Security: Principles and Practice, 5th Edition, Pearson-Prentice Hall (2011).
[7] Stockman, M. and Nyland, J A Teaching Pedagogy for Networking/System Administration Courses; Freshman through Senior Years. Proceedings of the 11th ACM SIGITE Conference on Information Technology Education (Midland, MI, October 2010), pp
More informationRoute Discovery Protocols
Route Discovery Protocols Columbus, OH 43210 Jain@cse.ohio-State.Edu http://www.cse.ohio-state.edu/~jain/ 1 Overview Building Routing Tables Routing Information Protocol Version 1 (RIP V1) RIP V2 OSPF
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationComparing Two Models of Distributed Denial of Service (DDoS) Defences
Comparing Two Models of Distributed Denial of Service (DDoS) Defences Siriwat Karndacharuk Computer Science Department The University of Auckland Email: skar018@ec.auckland.ac.nz Abstract A Controller-Agent
More informationDDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
More informationA Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network Abstract
A Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network Abstract Wireless Mobile ad-hoc network (MANET) is an emerging technology and have great strength to be applied
More informationHow To Write A Transport Layer Protocol For Wireless Networks
Chapter 9: Transport Layer and Security Protocols for Ad Hoc Wireless Networks Introduction Issues Design Goals Classifications TCP Over Ad Hoc Wireless Networks Other Transport Layer Protocols Security
More informationHow To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa
Defenses against Distributed Denial of Service Attacks Adrian Perrig, Dawn Song, Avi Yaar CMU Internet Threat: DDoS Attacks Denial of Service (DoS) attack: consumption (exhaustion) of resources to deny
More informationBREAKING HTTPS WITH BGP HIJACKING. Artyom Gavrichenkov R&D Team Lead, Qrator Labs ag@qrator.net
BREAKING HTTPS WITH BGP HIJACKING Artyom Gavrichenkov R&D Team Lead, Qrator Labs ag@qrator.net ABSTRACT OVERVIEW OF BGP HIJACKING GLOBAL AND LOCAL HIJACKING HIJACKING A CERTIFICATE AUTHORITY MITIGATIONS
More informationReview: Lecture 1 - Internet History
Review: Lecture 1 - Internet History late 60's ARPANET, NCP 1977 first internet 1980's The Internet collection of networks communicating using the TCP/IP protocols 1 Review: Lecture 1 - Administration
More informationTopics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
More informationChapter 8 Router and Network Management
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by
More informationSecure Use of the New NHS Network (N3): Good Practice Guidelines
Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0003.01 Prog. Director Mark Ferrar Status Approved Owner Tim Davis Version 1.0 Author Phil Benn Version
More informationMobility (and philosophical questions about names and identity) David Andersen CMU CS 15-744. The problem
Mobility (and philosophical questions about names and identity) David Andersen CMU CS 15-744 The problem How to support mobile users What do we mean by support? Make it easy and convenient to effectively
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationInternet Protocol version 4 Part I
Internet Protocol version 4 Part I Claudio Cicconetti International Master on Information Technology International Master on Communication Networks Engineering Table of Contents
More informationDDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée
DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan Dusée Scope High volume DDoS attacks Electronic payment systems Low bandwidth requirements: 5 from account X to
More informationClassification of Firewalls and Proxies
Classification of Firewalls and Proxies By Dhiraj Bhagchandka Advisor: Mohamed G. Gouda (gouda@cs.utexas.edu) Department of Computer Sciences The University of Texas at Austin Computer Science Research
More informationSHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper
SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch
More informationNETWORK SECURITY (W/LAB) Course Syllabus
6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information
More informationAPNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0
APNIC elearning: IPSec Basics Contact: training@apnic.net esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations
More informationOLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:
More informationITL BULLETIN FOR JANUARY 2011
ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division
More informationComplete Protection against Evolving DDoS Threats
Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion
More informationIBM. Vulnerability scanning and best practices
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationChapter 8 Network Security
[Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network
More informationDraft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications
Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that
More informationSecurity Technology White Paper
Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without
More informationWAN Traffic Management with PowerLink Pro100
Whitepaper WAN Traffic Management with PowerLink Pro100 Overview In today s Internet marketplace, optimizing online presence is crucial for business success. Wan/ISP link failover and traffic management
More informationSOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall
SOFTWARE ENGINEERING 4C03 Computer Networks & Computer Security Network Firewall HAO WANG #0159386 Instructor: Dr. Kartik Krishnan Mar.29, 2004 Software Engineering Department of Computing and Software
More informationTunnel Broker System Using IPv4 Anycast
Tunnel Broker System Using IPv4 Anycast Xin Liu Department of Electronic Engineering Tsinghua Univ. lx@ns.6test.edu.cn Xing Li Department of Electronic Engineering Tsinghua Univ. xing@cernet.edu.cn ABSTRACT
More informationSkoot Secure File Transfer
Page 1 Skoot Secure File Transfer Sharing information has become fundamental to organizational success. And as the value of that information whether expressed as mission critical or in monetary terms increases,
More informationDNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org
DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be
More informationWireless Sensor Networks Chapter 14: Security in WSNs
Wireless Sensor Networks Chapter 14: Security in WSNs António Grilo Courtesy: see reading list Goals of this chapter To give an understanding of the security vulnerabilities of Wireless Sensor Networks
More informationCTS2134 Introduction to Networking. Module 8.4 8.7 Network Security
CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by
More informationTesting Network Security Using OPNET
Testing Network Security Using OPNET Agustin Zaballos, Guiomar Corral, Isard Serra, Jaume Abella Enginyeria i Arquitectura La Salle, Universitat Ramon Llull, Spain Paseo Bonanova, 8, 08022 Barcelona Tlf:
More informationRouter Security - Approaches and Techniques You Can Use Today
Router Security - Approaches and Techniques You Can Use Today Neal Ziring System and Network Attack Center Information Assurance Directorate National Security Agency 1 Introduction and Outline GOAL: Define
More informationANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE
ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE ANATOMY OF A DDOS ATTACK AGAINST THE DNS INFRASTRUCTURE The Domain Name System (DNS) is part of the functional infrastructure of the Internet and
More informationDesigning a Windows Server 2008 Network Infrastructure
Designing a Windows Server 2008 Network Infrastructure MOC6435 About this Course This five-day course will provide students with an understanding of how to design a Windows Server 2008 Network Infrastructure
More informationCornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
More informationAt dincloud, Cloud Security is Job #1
At dincloud, Cloud Security is Job #1 A set of surveys by the international IT services company, the BT Group revealed a major dilemma facing the IT community concerning cloud and cloud deployments. 79
More informationDual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor
International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise
More informationVulnerabili3es and A7acks
IPv6 Security Vulnerabili3es and A7acks Inherent vulnerabili3es Less experience working with IPv6 New protocol stack implementa3ons Security devices such as Firewalls and IDSs have less support for IPv6
More information