Secure Networking Using Mobile IP
Alexandros Karakos and Konstantinos Siozios
Democritus University of Thrace, Department of Electrical and Computer Engineering, Xanthi, Greece

Abstract. The increasing number of portable computers, combined with the requirement of uninterrupted connections to networks (Internet/intranet), makes the provision of Internet mobility by Mobile IP important. The goal of the Mobile IP protocol is to allow a Mobile host to send and receive packets regardless of its current point of attachment to the Internet, and to maintain communication associations (such as TCP connections) even if the point of attachment changes while they are open. To meet these goals of location transparency and connection durability, each Mobile host has a permanent Home IP address that does not change. This static IP address enables conventional Internet hosts, which are unaware of mobility, to communicate with the Mobile host.

1 Introduction

Networks are closer to everyone than they have ever been, due to the dramatic increase of the available network bandwidth. This makes the development of new techniques for computer connectivity crucial. The most important of them is the ability of a Mobile host, i.e. a host that can change its physical location, to connect to different networks without any manual change to its network settings.

1.1 System Goals

The primary objective of our implementation of the Mobile IP protocol is a protocol that is transparent to users as they move from one network to another. In other words, the user should not be required to make any manual change to the network configuration, so that movement does not affect the way the Mobile host uses network services. We also aim at some practical goals that are less visible to the user: the protocol should provide security, and it should not limit the number of active Mobile hosts. Furthermore, no change is required in existing IP routers or non-mobile hosts, although changes to the latter can increase efficiency.

1.2 Related Work

Recently, many universities and companies all over the world have implemented the Mobile IP protocol for educational and commercial purposes on a variety of operating systems, e.g. Linux, FreeBSD, Solaris, IOS and Microsoft Windows. The various implementations differ in at least three areas: first, in the way the Home Agent determines where the Mobile host is attached; second, in the way an ordinary host sends data directly to the Mobile host's current point of attachment, avoiding the wasteful trip through the Home Agent; and finally, in the way the two previous mechanisms interact when the Mobile host moves to a new network. Apart from these differences, all of these implementations are interesting and have useful features. In our opinion, the implementation designed at Stanford University is the most interesting of the implementations the authors are aware of: it allows the Mobile host to dynamically choose the level of mobility desired for different traffic flows. The implementation of Lancaster University (see lancs.ac.uk/mobileip/) works with both IPv4 and IPv6, and includes software for demonstrating real-time mobile applications over IPv6. The Sun Microsystems implementation is also interesting, as it runs both on Solaris (on SPARC workstations or Intel processors) and on Linux systems. Last but not least, Ecutel has designed a system that provides dynamic IP routing, dynamic registration, IP forwarding, IP encapsulation, encryption, authentication, firewall and access control.

2 How Classic Mobile IP Works

A classical IP router connects networks by forwarding packets from a source to a destination endpoint according to its routing table. Such a table usually maintains the next-hop information for each destination IP address.

Fig. 1. How a Mobile host communicates when it is away from its Home network. (Diagram labels: Internet, Correspondent host (S), Home Agent (HA), Foreign Agent 1 (FA1), Mobile host (MH), direct routing.)

For this reason, in order to maintain transport-layer connections while it changes its physical location, the Mobile host has to keep the same IP address (its Home IP address). This Home IP address can be a private or a registered IP address, and it makes the Mobile host appear as if it were constantly reachable on its Home network.

When a Mobile host attaches to a Foreign network, a new address (the care-of address) is assigned to it [2]. Usually the care-of address is a private IP address and changes whenever the Mobile host moves to a new network, in order to save registered IP addresses. In this case the Mobile host has two IP addresses, a registered and a private one. Figure 1 illustrates the basic architecture of the Mobile IP protocol. Here the Home Agent and the Foreign Agent belong to different networks, and they are responsible for providing the mobility extensions to the Mobile host. The Mobile host is a computer that has a registered IP address on the Home network, where the Home Agent is also located, but is now connected to the Internet through a Foreign Agent [9].

When the Correspondent host (S) sends a packet to the Mobile host for the first time, it does not know whether the destination host is stationary or not. So it uses ordinary IP routing to forward the packet to the Mobile host's Home network, where it is received by the Home Agent. The Home Agent in turn examines the packet to find out whether the host with this destination IP address is currently attached to the Home network. If the destination host is local, the packet is delivered to it through classic IP routing. Otherwise, the Home Agent uses IP-in-IP encapsulation to tunnel [8, 7] the packet to the network to which the Mobile host is currently attached. There, the packet is received by the Foreign Agent and, after decapsulation, is delivered to the Mobile host. This indirect routing through the Home Agent (often called triangle routing) causes unnecessary load on network resources. On the other hand, when the Mobile host sends a packet, in most cases it uses normal IP routing to forward it directly to its destination, without first passing through the Mobile host's Home network.

3 Routing Optimization

To overcome the problem of indirect routing, networks that support Mobile IP must be able to perform Routing Optimization [5].
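Before route optimization is discussed, the encapsulation step of section 2 is worth seeing in code. The following is an added example written for this page, not code from the authors' implementation: a Home Agent wraps the whole datagram that S sent to the Mobile host's home address in a new IPv4 header addressed to the care-of address with protocol number 4 (IP-in-IP, RFC 2003 [8]), and a Foreign Agent strips that header only after checking that the datagram is really an IP-in-IP datagram for it and that both headers checksum correctly. The addresses, the UDP payload and the exact checks are assumptions chosen for the demonstration; only the Python standard library is used.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4    # RFC 2003 "IP in IP" protocol number
IPPROTO_UDP = 17

# Constructed addresses for the demonstration (assumptions, not taken from the paper):
# correspondent S, Home Agent, Mobile host's home address, Foreign Agent's care-of address.
S, HA, MH_HOME, FA_CARE_OF = "198.51.100.7", "192.0.2.1", "192.0.2.50", "203.0.113.9"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a correct checksum sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed header; raise ValueError on a truncated, non-IPv4 or corrupted header."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(packet) < total_len:
        raise ValueError("not a complete IPv4 datagram")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total_len]}


def home_agent_tunnel(packet: bytes, home_agent: str, care_of: str) -> bytes:
    """HA side: the whole original datagram becomes the payload of a new IPv4 header
    from the Home Agent to the care-of address, protocol 4."""
    parse_ipv4(packet)   # never tunnel something that is not a valid datagram
    return ipv4_header(home_agent, care_of, IPPROTO_IPIP, len(packet)) + packet


def foreign_agent_decapsulate(tunnelled: bytes, my_address: str) -> bytes:
    """FA side: accept only IP-in-IP datagrams addressed to this agent, and check the
    inner header as well before handing the original datagram to the Mobile host."""
    outer = parse_ipv4(tunnelled)
    if outer["dst"] != my_address:
        raise ValueError("outer destination is not this Foreign Agent")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IP-in-IP" % outer["proto"])
    parse_ipv4(outer["payload"])
    return outer["payload"]


def demo() -> dict:
    """S sends to the Mobile host's home address; the HA tunnels it to the care-of address."""
    payload = b"hello mobile host"
    original = ipv4_header(S, MH_HOME, IPPROTO_UDP, len(payload)) + payload
    tunnelled = home_agent_tunnel(original, HA, FA_CARE_OF)
    delivered = foreign_agent_decapsulate(tunnelled, FA_CARE_OF)
    outer = parse_ipv4(tunnelled)
    return {"outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
            "overhead": len(tunnelled) - len(original), "intact": delivered == original,
            "inner_dst": parse_ipv4(delivered)["dst"]}


def rejects_tampered() -> bool:
    """One flipped byte in the outer destination fails the checksum at the Foreign Agent."""
    payload = b"hello mobile host"
    original = ipv4_header(S, MH_HOME, IPPROTO_UDP, len(payload)) + payload
    tunnelled = bytearray(home_agent_tunnel(original, HA, FA_CARE_OF))
    tunnelled[16] ^= 0x01
    try:
        foreign_agent_decapsulate(bytes(tunnelled), FA_CARE_OF)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_tampered())
```

The 20 extra bytes per datagram are the cost of the triangle route the paper wants to avoid, and the inner header arrives untouched, which is why S needs no knowledge of the Mobile host's movement. Note that a header checksum catches corruption, not forgery: anybody who can inject packets can build a correct outer header, which is why the registration messages that set up the tunnel, rather than the tunnel itself, carry the authentication.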
With this technique, when the Correspondent host (S) sends a packet addressed to the Mobile host for the first time, the packet is delivered in the way described above. Then the Home Agent informs the Correspondent host (S) about the Mobile host's current point of attachment, so that it can send future packets directly to the network the Mobile host is connected to, without passing through the Home Agent.

Figure 2 illustrates what happens when the Mobile host moves from one network (with FA1) to another (with FA2). In that case, in order to keep the connections alive, FA1 has to forward the incoming packets from (S) to FA2, where the Mobile host is currently attached. At the same time FA1 informs the Home Agent about the Mobile host's movement to the new network [1]. Next, the Home Agent sends a message to (S) informing it about the change, so that (S) can send future packets addressed to the Mobile host directly to its new point of attachment. After that, the network returns to a stable state.

This forwarding technique works properly when all the networks belong to the same administrative domain, so that the connections can be trusted. But in the real world, Mobile IP has to work in an environment of independent networks protected by firewalls. This means that some packets may not be delivered [4], even between Agents (for example between Home and Foreign Agent), because the firewall policy discards the connections. A possible solution for this case is shown in figure 3.

Fig. 2. What happens when the Mobile host changes its point of attachment. (Diagram labels: Internet, Correspondent host (S), Home Agent (HA), Foreign Agent 1 (FA1), Foreign Agent 2 (FA2), Mobile host (MH), direct routing.)

Fig. 3. What happens when Foreign Agent (FA1) is not able to communicate with Foreign Agent (FA2). (Diagram labels: Internet, Correspondent host (S), Home Agent (HA), Foreign Agent 1 (FA1), Foreign Agent 2 (FA2), Mobile host (MH), direct routing.)

When the Mobile host moves to a new network, FA1 either does not know where the Mobile host is now attached, or it cannot forward the packet to that network. So, in order not to drop the connection, it sends the packet to the Home network, where the Home Agent, after looking up its database, finds the new network to which the Mobile host is attached and forwards the packet directly there. In addition, the Home Agent informs (S) about the new point of attachment of the Mobile host.

4 Central Administrative Server

Most of the problems described above can be prevented by using a Central Administrative Server (CAS), which uses a database to track some critical information about the hosts involved in the Mobile IP protocol (Home and Foreign Agents, Mobile hosts, etc.). It tracks the Ethernet hardware address (MAC address), the PIN code, the IP address of each Mobile host on its Home network and on the Foreign network, and the current point of attachment of every Mobile host. Moreover, the CAS keeps a log file of the connections (successful or not) of the Mobile hosts. This log file also includes information about attacks from or against every host (mobile or stationary). Finally, it keeps some statistics about the connections, for example duration, transmission speed (upload and download) and how often the Mobile host changes its point of attachment.

By using this information the CAS is able to improve the mechanisms for routing optimization and security, compared with the classical Mobile IP protocol. This is possible because the network administrators have all the necessary data to protect their systems in the best possible way. The whole system also works properly on a local network that is not even connected to the Internet; to implement it, one of the hosts of the local network acts as the CAS, serving the whole network (and all its subnetworks). It is better, however, to have more than one CAS, mirroring each other, so that the system is more reliable: a single CAS is otherwise a single point of failure for every registration in the domain. As an extension of the Mobile IP protocol, any Mobile host could represent a Mobile Network, which in turn serves many Mobile hosts.

5 Improving Dynamic Registration

When a Mobile host moves to a new location, it first has to determine whether the network supports the Mobile IP protocol. The most common way to find this out is to broadcast an encrypted hello message. Unfortunately, this action may not be permitted to everyone: if any host were able to send broadcast messages to the whole network without any control, it would put the system at risk. To overcome this problem, when the Mobile host connects to a new network a temporary special IP address is assigned to it for a very short time period. With this IP address, the Mobile host sends the encrypted hello message directly to the CAS, announcing that it has connected to a new network.

When the CAS receives the announcement, it tries to find an appropriate IP address for the Mobile host. The remote network assigns the IP address to the Mobile host as follows. First, the CAS checks its database to find out whether the Mobile host has access to that Foreign network. This check is based on the hardware address of the Mobile host's Ethernet card as well as on the Mobile host's encryption key. The key is a secret value that differs from host to host and is described briefly below. Note that a MAC address can be set by software on most network cards, so it identifies a host only in combination with the key and the PIN code and must never be the sole factor. The key may be invalid: this occurs when the Mobile host has no access to the system, i.e. it has no key and tries to get access using a random or a stolen key. When the CAS encounters such a case, it blocks access for that Mobile host (that specific MAC address) and records the attack in its database. If the database contains two (or more) records pointing to different hosts but with the same MAC address or the same encryption key, then one of the records is false. In order to protect the network, the CAS immediately refuses the connection to both Mobile hosts and requests that they update their encryption keys. Then it informs all the Agents (Home and Foreign) that an attack from a specific Mobile host has been attempted, and advises them not to provide access to this host again until the CAS recalls the warning. At the same time it records the attack in its database and expects to receive a message with the new keys from the Mobile hosts.

On the other hand, if the checks made by the CAS pass, the Foreign Agent is informed to grant access to the Mobile host. Of course, the Foreign network, and consequently the Foreign Agent, has its own security policy. This means that even though the CAS has granted the Mobile host access to the Foreign network, the connection may be refused by the local firewall because of its own policy. In this case the Foreign Agent informs the CAS about the refusal, so that if this Mobile host tries to connect to the same Foreign network again in the future, the access is blocked directly by the CAS. If this policy rule changes, the Foreign Agent sends a message to the CAS to stop blocking the connection. If the previous step passes without a connection problem, the Foreign Agent gives the Mobile host an IP address to use for as long as the host is connected to this network. When the Mobile host receives the new IP address, it sends a message to the CAS so that the CAS can update its database. Finally, the CAS informs the Home Agent of the Mobile host where to forward future packets addressed to that Mobile host.

5.1 Handoff Mechanism

Every Agent of the system (Home or Foreign) periodically sends an encrypted heartbeat message, which is received by all the hosts that are successfully connected to the same administrative domain. The purpose of this message is to determine whether all the Mobile hosts are still connected to the same network. When a Mobile host receives such a message, it replies immediately with a new encrypted message that includes its identity and a timestamp. If this reply arrives at the Agent within a specific time period, the Agent knows that the Mobile host is still connected to the local network. If the Agent does not receive such a reply within a reasonable time span, it still assumes that the Mobile host is connected to the local network, because the Mobile host has not sent any message to the Agent expressing its intention to disconnect; the Agent therefore waits for the next heartbeat round to clarify the situation. If the Agent again receives no reply from that Mobile host, it informs the CAS to update its database and to block the packets addressed to this Mobile host, in order to reduce the network load.

On the other hand, when the Mobile host leaves its network to visit a new one, the Foreign Agent sends a message to the CAS reporting that the Mobile host has disconnected from this network. At the same time, the Agent removes the route for this Mobile host from its routing table. On receiving this message, the CAS updates its database and informs the Mobile host's Home Agent to block all packets addressed to the Mobile host until it has successfully connected to a new network (or to the same one, if the Mobile host returns). The whole mechanism that takes place during the Mobile host's movement from one network to another is shown in figure 4.
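The admission checks of section 5 are a decision procedure, and the following added example puts them in code. It is not the authors' implementation: it assumes a hello message carried as a small dictionary of fields, authenticated with HMAC-MD5 under the per-host key that section 7.1 describes (the paper says "encrypted"; what a keyed hash provides is authentication, not confidentiality, and no cipher is shown here). The CAS records, MACs, keys and addresses are made up, the function and field names are this example's own, and the replay check on an increasing identification field is borrowed from the registration replay protection of RFC 2002 [9] rather than from the paper.

```python
import hashlib
import hmac


def auth_tag(key: bytes, fields: dict) -> bytes:
    """Tag over a hello message: HMAC-MD5 (RFC 2104) keyed with the host's secret.
    A bare MD5 of the message could be forged by anyone; neither form encrypts."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, canonical, hashlib.md5).digest()


class CentralAdministrativeServer:
    def __init__(self):
        self.hosts = []              # provisioned records: name, mac, key, home_agent
        self.blocked = set()         # MACs refused until the CAS recalls the warning
        self.refused_by_fa = set()   # (mac, foreign_agent) rejected by the FA's own policy
        self.must_rotate = set()     # host names that must submit a new key first
        self.last_ident = {}         # mac -> highest identification accepted (replay check)
        self.log = []

    def provision(self, name, mac, key, home_agent):
        self.hosts.append({"name": name, "mac": mac, "key": key, "home_agent": home_agent})

    def renew_key(self, name, new_key):
        """Change-key function of section 7.1; it also clears a pending renewal demand."""
        for h in self.hosts:
            if h["name"] == name:
                h["key"] = new_key
        self.must_rotate.discard(name)

    def foreign_agent_refused(self, mac, fa):
        """The FA's local firewall rejected the host: later attempts are blocked at the CAS."""
        self.refused_by_fa.add((mac, fa))

    def register(self, hello: dict, tag: bytes) -> str:
        mac, fa = hello["mac"], hello["foreign_agent"]
        if mac in self.blocked:
            return "refused: MAC blocked after earlier attack"
        if (mac, fa) in self.refused_by_fa:
            return "refused: foreign agent policy"
        records = [h for h in self.hosts if h["mac"] == mac]
        if not records:
            self._attack(mac, "unknown MAC")
            return "refused: unknown host"
        # Two records with one MAC, or one key shared by two records: one of them is
        # false, so both hosts are refused and must renew their keys.
        keys = {h["key"] for h in records}
        clashing = [h for h in self.hosts if h["key"] in keys and h["mac"] != mac]
        if len(records) > 1 or clashing:
            for h in records + clashing:
                self.must_rotate.add(h["name"])
            self.log.append(("conflict", mac, sorted(h["name"] for h in records + clashing)))
            return "refused: conflicting records, renew keys"
        rec = records[0]
        if rec["name"] in self.must_rotate:
            return "refused: key renewal pending"
        if not hmac.compare_digest(auth_tag(rec["key"], hello), tag):
            self._attack(mac, "bad tag: random or stolen key")
            return "refused: bad key"
        # The identification must increase, so a captured hello replayed later is rejected.
        if hello["identification"] <= self.last_ident.get(mac, -1):
            self.log.append(("replay", mac, hello["identification"]))
            return "refused: replayed identification"
        self.last_ident[mac] = hello["identification"]
        return f"granted: home agent {rec['home_agent']} tunnels to {hello['care_of']}"

    def _attack(self, mac, reason):
        self.blocked.add(mac)
        self.log.append(("attack", mac, reason))


def demo() -> dict:
    """Constructed scenario (names, MACs, keys, addresses made up): a valid hello, its
    replay, a hello signed with a guessed key, and two records that share one key."""
    cas = CentralAdministrativeServer()
    cas.provision("laptop-a", "00:11:22:33:44:55", b"k-laptop-a-secret", "192.0.2.1")
    cas.provision("laptop-b", "66:77:88:99:aa:bb", b"k-laptop-b-secret", "192.0.2.1")
    hello = {"mac": "00:11:22:33:44:55", "home": "192.0.2.50", "care_of": "203.0.113.9",
             "foreign_agent": "203.0.113.1", "identification": 1000}
    out = {"good": cas.register(hello, auth_tag(b"k-laptop-a-secret", hello))}
    out["replay"] = cas.register(hello, auth_tag(b"k-laptop-a-secret", hello))
    forged = dict(hello, identification=1001)
    out["stolen"] = cas.register(forged, auth_tag(b"guessed-key", forged))
    later = dict(hello, identification=1002)
    out["after_block"] = cas.register(later, auth_tag(b"k-laptop-a-secret", later))
    cas.provision("laptop-c", "cc:cc:cc:cc:cc:cc", b"k-laptop-b-secret", "192.0.2.1")
    hello_b = {"mac": "66:77:88:99:aa:bb", "home": "192.0.2.51", "care_of": "203.0.113.10",
               "foreign_agent": "203.0.113.1", "identification": 5}
    out["conflict"] = cas.register(hello_b, auth_tag(b"k-laptop-b-secret", hello_b))
    out["must_rotate"] = sorted(cas.must_rotate)
    cas.renew_key("laptop-b", b"k-laptop-b-new")
    cas.renew_key("laptop-c", b"k-laptop-c-new")
    hello_b2 = dict(hello_b, identification=6)
    out["renewed"] = cas.register(hello_b2, auth_tag(b"k-laptop-b-new", hello_b2))
    out["blocked"] = sorted(cas.blocked)
    return out
```

Two points the paper leaves implicit show up here. First, a host whose MAC was blocked after one bad tag stays blocked even when it later presents the right key, which is exactly the paper's "until the CAS recalls the warning", so an attacker who can spoof a victim's MAC can lock the victim out; the log entry is what lets an administrator notice that. Second, `foreign_agent_refused` is the path by which a Foreign Agent's own firewall decision is pushed back to the CAS so that the next attempt is refused before any key check is done.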
Fig. 4. The mechanism that takes place when the Mobile host moves to a new network. (Diagram labels: Internet, Correspondent host (S), Central Administrative Server (CAS), Home Agent (HA), Foreign Agent (FA), Mobile host (MH), direct routing.)

6 How CAS Improves Routing Optimization

In this section we examine what happens when host S wants to send a packet to the Mobile host. Host S probably does not know whether the target host is stationary or mobile. It only knows the Mobile host's IP address on the Home network, so it sends the packet there. When the Home Agent receives the packet, it contacts the CAS to find out whether this host S is responsible for attacks on known networks. If the answer is affirmative, the CAS advises the Home Agent either to discard the connection or to monitor it. Otherwise, the packet is tunneled to the Mobile host's current Foreign network. Next, the Home Agent informs host S that the Mobile host has a new IP address, so that future packets are sent directly to the Mobile host without first passing through the Home Agent.

However, it is sometimes desirable for the Mobile host not to advertise its current point of attachment. For instance, the Mobile host may not want to receive packets that come from a certain Correspondent host S. In this case it sends a special encrypted message to the Foreign Agent informing it of this. The Agent in turn first notifies the CAS to record this choice in its database and then informs the Home Agent that, when this host S again sends a packet to the Mobile host, the Home Agent should not forward it. Also, the Home Agent should no longer inform host S about the Mobile host's current point of attachment.

Furthermore, if this implementation of the Mobile IP protocol is supported by both host S and the Foreign network, it could be used to help cooperating networks handle situations of network congestion at minimum cost. To achieve this, the Foreign Agent should be able to predict when the Foreign network is going to become congested. When this is about to happen, the Agent asks the CAS to find a backup network. This network should be close enough to the Foreign network and must support this extension of the Mobile IP protocol. When the CAS finds a backup network, it informs host S not to send packets to the congested network but to forward them to the backup network instead. When the congestion has passed, the packets are moved from the backup network to the Mobile host's current point of attachment.

Finally, when the Mobile host is on its Home network, it is important that its performance is approximately the same as if it were a stationary host. This ensures that the extensions of the Mobile IP protocol do not reduce the Home network's performance. In this case the Mobile host no longer needs to periodically re-register with its Home Agent, and the Mobile host's routing table should be set for normal IP routing.

7 Tying System's Security

First of all, it is common knowledge among security specialists that no computer system connected to the Internet can ever be completely secure, but it is usual to make it increasingly difficult for someone to compromise it. On the other hand, the more secure the whole system is, the more intrusive and hard to use it becomes. Systems such as Kerberos can solve some of the security problems by providing privacy and authentication between applications at either end of the network. The aims of the CAS system are to maintain the Internet's current level of security for existing applications and to help prevent denial of service attacks on all applications, even those with end-to-end security [3].

7.1 Key Management

A common requirement for all the connections that transfer administrative messages is that they must be well encrypted, as they are the backbone of the whole system. The original text proposes basing the method on "a 1024-bit key algorithm like the MD5 one way hash function"; these are two different things. MD5 is an unkeyed hash function: on its own it provides neither confidentiality nor authentication. Used with a shared secret as a keyed hash (keyed MD5 in the authentication extensions of [9], HMAC-MD5 in later revisions of Mobile IP) it authenticates a registration message and detects tampering, but it does not encrypt it. Confidentiality for the administrative channel needs a cipher, for example IPsec ESP [6]. The per-host key, which changes randomly when its TTL (Time To Live) expires, together with the Ethernet MAC address and the PIN code, identifies every host (stationary or mobile) that supports the Mobile IP protocol. The key must be transparent to the Mobile host's user, as well as to the administrator of the Foreign Agent. Whenever this key changes, the CAS is informed over a special link, which is protected with the PIN code, in order to update its database. After the change-key function has completed successfully, the Mobile host can use the new key to encrypt or decrypt messages.

Apart from the TTL expiration, when a Mobile host detects or suspects that someone else has learned the encryption key, it executes the change-key function described above to generate a new key. The authentication and authorization of the Mobile host is done with a fixed PIN (Personal Identification Number) code, which is a secret that cannot be changed by anyone. To increase security, the PIN code is never transmitted over the network; it is assigned to the Mobile host during the Mobile IP protocol configuration. All the PIN codes are also stored in encrypted form in a database located at the CAS.

7.2 Security Risks

A possible security risk appears when a Mobile host that is not permitted to connect to a Foreign network changes its Ethernet card. Then the system will probably no longer be able to recognize this host, and it could connect successfully to any Foreign network without problems. The PIN code solves this problem: when the Mobile host tries to connect to the Foreign network, the missing or incorrect PIN code causes the connection to be refused. When such a case occurs, the CAS is informed in order to block future attempts from this Mobile host with the new Ethernet hardware address (MAC) [10]. A valid Mobile host, however, can change its Ethernet card without any problems. If the authentication were based only on the Ethernet hardware address (MAC), the host would no longer be able to communicate with other computers, because the new MAC would not be known to the CAS. For this reason, a special function is executed that securely informs the Foreign Agent and the CAS about the Ethernet change. The encryption used for these messages can be based on the Mobile host's PIN code.

Another way to improve the system's security is to compare the log files of the CAS with those of every Agent. The most reasonable way to do this is a periodic upload of the log files from every Foreign or Home Agent to the CAS. A script running on the CAS then checks and compares them with the local ones. Possible signs of an attack on the system may be found during this examination; the most common are short, incomplete or missing log files, or log files that contain strange timestamps. Moreover, records of services started or stopped without reason and without first notifying the CAS, as well as access granted to a Mobile host without (or against) the CAS's advice, are not normal. It does not matter if the connections used for the log file upload are slow, because the only data transmitted over them are small administrative messages. These connections may be implemented with Virtual Private Networks (VPNs), which are often used to connect two networks securely over the public Internet [6].
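The log comparison described in the paragraph above is easy to state and easy to get wrong, so here it is as an added example, not the authors' script. It assumes a simple one-line-per-event format (timestamp, agent, event, key=value pairs) for both the CAS's own records and an Agent's uploaded log, and it reports the four signs the paper names: timestamps that go backwards or run ahead of the CAS clock, admission decisions the CAS recorded that the Agent's log lacks, grants made without or against the CAS's advice, and services started or stopped without notifying the CAS. The log lines, the format and the 30-second clock tolerance are constructed for the demonstration.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(seconds=30)   # assumed tolerance for an agent clock against the CAS time server


def parse(line: str) -> dict:
    """'2003-05-12T10:00:01 FA1 grant mac=00:11:...' -> {'ts': datetime, 'agent': 'FA1',
    'event': 'grant', 'mac': '00:11:...'} (constructed log format, not the paper's)."""
    ts, agent, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "agent": agent, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def audit(cas_log: list, agent_log: list, agent: str, cas_now: str) -> list:
    """Compare an agent's uploaded log with what the CAS itself recorded about that agent."""
    now = datetime.fromisoformat(cas_now)
    cas = [parse(l) for l in cas_log if l.split()[1] == agent]
    own = [parse(l) for l in agent_log]
    findings = []
    # Strange timestamps: out of order, or ahead of the CAS clock beyond the allowed skew.
    for prev, cur in zip(own, own[1:]):
        if cur["ts"] < prev["ts"]:
            findings.append(f"timestamp goes backwards at {cur['ts'].isoformat()}")
    for r in own:
        if r["ts"] - now > MAX_SKEW:
            findings.append(f"timestamp ahead of CAS clock: {r['ts'].isoformat()}")
    # Short or incomplete log: every admission decision the CAS recorded must appear.
    own_keys = {(r["event"], r.get("mac")) for r in own}
    for r in cas:
        if r["event"] in ("grant", "refuse") and (r["event"], r["mac"]) not in own_keys:
            findings.append(f"CAS recorded {r['event']} for {r['mac']} but the agent log lacks it")
    # Access granted without, or against, the CAS advice.
    advised = {r["mac"] for r in cas if r["event"] == "grant"}
    refused = {r["mac"] for r in cas if r["event"] == "refuse"}
    for r in own:
        if r["event"] == "grant" and r["mac"] not in advised:
            how = "against" if r["mac"] in refused else "without"
            findings.append(f"agent granted {r['mac']} {how} CAS advice")
    # Services started or stopped without first notifying the CAS.
    notified = {(r["event"], r.get("service")) for r in cas if r["event"].startswith("service_")}
    for r in own:
        if r["event"].startswith("service_") and (r["event"], r.get("service")) not in notified:
            findings.append(f"{r['event']} {r['service']} without notifying the CAS")
    return findings


# Constructed sample logs: the CAS's records (about FA1 and another agent), and FA1's upload.
CAS_LOG = [
    "2003-05-12T10:00:00 FA1 grant mac=00:11:22:33:44:55",
    "2003-05-12T10:02:00 FA1 refuse mac=de:ad:be:ef:00:01",
    "2003-05-12T10:03:00 FA1 service_stop service=dhcpd",
    "2003-05-12T10:04:00 HA1 grant mac=66:77:88:99:aa:bb",
]
FA1_LOG = [
    "2003-05-12T10:00:01 FA1 grant mac=00:11:22:33:44:55",
    "2003-05-12T10:02:30 FA1 grant mac=de:ad:be:ef:00:01",    # granted despite the CAS refusal
    "2003-05-12T09:58:00 FA1 service_start service=telnetd",  # clock went backwards, CAS not told
    "2003-05-13T10:05:00 FA1 service_stop service=dhcpd",     # a day in the future, but notified
]


def demo() -> list:
    """Audit FA1's upload against the CAS records with the CAS clock at 10:10 on 2003-05-12."""
    return audit(CAS_LOG, FA1_LOG, "FA1", "2003-05-12T10:10:00")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two of the five findings on the sample come from the same event (the grant of de:ad:be:ef:00:01 is both missing as a refusal and present as a grant), which is how a tampered log usually looks: the attacker removes the inconvenient line and adds a convenient one, and each edit trips a different check. The clock comparison is only meaningful because the paper makes the CAS the time reference for every agent.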
The timestamps attached to the administrative messages described above are a critical point in the secure use of the Mobile IP protocol. For this reason, all the hosts that support the Mobile IP protocol should share the same time reference. This can be accomplished if the CAS also acts as a time server. The Home and Foreign Agents, as well as the Mobile host, then periodically request the current time from the CAS in order to adjust their system clocks. The time replies must be protected in the same way as the other administrative messages: an attacker who can spoof an unauthenticated time server can shift every clock in the domain and with it every timestamp check.

Finally, for security reasons, it is possible not to permit Mobile hosts, while connected to a Foreign network, to access IP addresses that are blocked on their Home network. To manage this, the Home Agent informs the CAS about which connections are blocked for the specific Mobile host. So, when the Mobile host moves to a Foreign network, the Foreign Agent, after finishing the address-assignment procedure described above, asks the CAS which connections of the Mobile host should be rejected. After receiving the reply from the CAS, it blocks those connections simply by discarding them.

8 Future Work

We plan to implement the ideas presented in this paper on a Linux box running kernel

9 Conclusion

This implementation of the Mobile IP protocol clearly has some advantages over the classic one. The most important of them is the system's capability to reduce the system administrator's workload without lowering the security standard. In other words, the scripts that run on the CAS act as a super-administrator authorized to protect all the networks. Moreover, the log files from the whole system are available to every network administrator, so that the protection is even better. In the classic Mobile IP protocol, on the other hand, every network has to protect itself alone, ignoring the experience of previous attacks on other networks.

Acknowledgement

We thank Apostolos Syropoulos for his valuable suggestions and comments.

References

1. Stuart Cheshire and Mary Baker. Internet Mobility 4x4. In SIGCOMM '96.
2. Ralph Droms. Dynamic Host Configuration Protocol. RFC 1541.
3. Kevin Fenzi. Linux Security HOWTO. Electronic document.
4. S. Glass, T. Hiller, S. Jacobs, and C. Perkins. Mobile IP Authentication, Authorization and Accounting Requirements. RFC 2977.
5. David B. Johnson and David A. Maltz. Protocols for Adaptive Wireless and Mobile Networking. Electronic document.
6. S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401.
7. G. Montenegro. Bi-directional Tunneling for Mobile IP. Electronic document.
8. C. Perkins. IP Encapsulation within IP. RFC 2003.
9. C. Perkins. IP Mobility Support. RFC 2002.
10. David C. Plummer. An Ethernet Address Resolution Protocol. RFC 826.
More informationUnderstanding the Cisco VPN Client
Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a
More informationDATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0
DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS
More informationDetection of Promiscuous Nodes Using ARP Packets
Detection of Promiscuous Nodes Using ARP Packets Version 1.0 Written by: 31Aug01 Daiji Sanai Translated by: Kelvin KingPang Tsang http://www.securityfriday.com 1 Contents Abstract...3
More informationSCADA SYSTEMS AND SECURITY WHITEPAPER
SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of
More informationMobility (and philosophical questions about names and identity) David Andersen CMU CS 15-744. The problem
Mobility (and philosophical questions about names and identity) David Andersen CMU CS 15-744 The problem How to support mobile users What do we mean by support? Make it easy and convenient to effectively
More informationAn Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks
An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks Avesh K. Agarwal Wenye Wang Department of Electrical and Computer Engineering North Carolina State University,
More informationNetwork Security Part II: Standards
Network Security Part II: Standards Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/ 18-1 Overview
More informationCourse Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
More informationComputer Networks. Wireless and Mobile Networks. László Böszörményi Computer Networks Mobile - 1
Computer Networks Wireless and Mobile Networks László Böszörményi Computer Networks Mobile - 1 Background Number of wireless (mobile) phone subscribers now exceeds number of wired phone subscribers! Computer
More informationFinal for ECE374 05/06/13 Solution!!
1 Final for ECE374 05/06/13 Solution!! Instructions: Put your name and student number on each sheet of paper! The exam is closed book. You have 90 minutes to complete the exam. Be a smart exam taker -
More informationStatic and Dynamic Network Configuration
CHAPTER 6 This chapter describes: Static Networks Dynamic Networks Static Networks The mobile access router can be part of a static network or a dynamic network. A static network supports stub routers
More informationSecurity Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
More informationVPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu
VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining
More information7.1. Remote Access Connection
7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to
More informationA SENSIBLE GUIDE TO LATENCY MANAGEMENT
A SENSIBLE GUIDE TO LATENCY MANAGEMENT By Wayne Rash Wayne Rash has been writing technical articles about computers and networking since the mid-1970s. He is a former columnist for Byte Magazine, a former
More informationFrequently Asked Questions
Frequently Asked Questions 1. Q: What is the Network Data Tunnel? A: Network Data Tunnel (NDT) is a software-based solution that accelerates data transfer in point-to-point or point-to-multipoint network
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationSage ERP Accpac Online
Sage ERP Accpac Online Mac Resource Guide Thank you for choosing Sage ERP Accpac Online. This Resource Guide will provide important information and instructions on how you can get started using your Mac
More information5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network
5.0 Network Architecture 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network 1 5.1The Internet Worldwide connectivity ISPs connect private and business users Private: mostly dial-up connections Business:
More informationSage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, 2012. Page 1
Sage 300 ERP Online (Formerly Sage ERP Accpac Online) Mac Resource Guide Updated June 1, 2012 Page 1 Table of Contents 1.0 Introduction... 3 2.0 Getting Started with Sage 300 ERP Online using a Mac....
More informationTunnel Broker System Using IPv4 Anycast
Tunnel Broker System Using IPv4 Anycast Xin Liu Department of Electronic Engineering Tsinghua Univ. lx@ns.6test.edu.cn Xing Li Department of Electronic Engineering Tsinghua Univ. xing@cernet.edu.cn ABSTRACT
More informationVRRP Technology White Paper
Issue 01 Date 2012-08-31 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of
More informationRaptor Firewall Products
Axent Technologies, Ltd The Leader in Integrated Firewall and VPN Solutions Raptor Firewall Products Security Cannot Be Ignored >100M Users on WWW E Commerce Shift Billions Lost to Cyberthieves 150,000
More informationMobile Routing. When a host moves, its point of attachment in the network changes. This is called a handoff.
Mobile Routing Basic Notions of Mobility When a host moves, its point of attachment in the changes. This is called a handoff. The point of attachment is a base station (BS) for cellular, or an access point
More informationMobile Communications Chapter 9: Mobile Transport Layer
Mobile Communications Chapter 9: Mobile Transport Layer Motivation TCP-mechanisms Classical approaches Indirect TCP Snooping TCP Mobile TCP PEPs in general Additional optimizations Fast retransmit/recovery
More informationThe next generation of knowledge and expertise Wireless Security Basics
The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com
More informationFirewalls and VPNs. Principles of Information Security, 5th Edition 1
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
More informationEfficient Addressing. Outline. Addressing Subnetting Supernetting CS 640 1
Efficient Addressing Outline Addressing Subnetting Supernetting CS 640 1 IPV4 Global Addresses Properties IPv4 uses 32 bit address space globally unique hierarchical: network + host 7 24 Dot Notation 10.3.2.4
More informationCisco Which VPN Solution is Right for You?
Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2
More informationIP Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49
IP Security Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security
More informationInternet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
More informationChapter 5. Data Communication And Internet Technology
Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN
More informationBest practices for protecting network data
Best practices for protecting network data A company s value at risk The biggest risk to network security is underestimating the threat to network security. Recent security breaches have proven that much
More informationTCP for Wireless Networks
TCP for Wireless Networks Outline Motivation TCP mechanisms Indirect TCP Snooping TCP Mobile TCP Fast retransmit/recovery Transmission freezing Selective retransmission Transaction oriented TCP Adapted
More information8.2 The Internet Protocol
TCP/IP Protocol Suite HTTP SMTP DNS RTP Distributed applications Reliable stream service TCP UDP User datagram service Best-effort connectionless packet transfer Network Interface 1 IP Network Interface
More informationIMHP: A Mobile Host Protocol for the Internet. Abstract
IMHP: A Mobile Host Protocol for the Internet Charles Perkins T. J. Watson Research Center IBM Corporation P. O. Box 218 Yorktown Heights, NY 10598 Andrew Myles Department of Electronics
More informationWireless Networks: Network Protocols/Mobile IP
Wireless Networks: Network Protocols/Mobile IP Mo$va$on Data transfer Encapsula$on Security IPv6 Problems DHCP Adapted from J. Schiller, Mobile Communications 1 Mo$va$on for Mobile IP Rou$ng based on IP
More informationNetwork Security TCP/IP Refresher
Network Security TCP/IP Refresher What you (at least) need to know about networking! Dr. David Barrera Network Security HS 2014 Outline Network Reference Models Local Area Networks Internet Protocol (IP)
More informationHigh Performance VPN Solutions Over Satellite Networks
High Performance VPN Solutions Over Satellite Networks Enhanced Packet Handling Both Accelerates And Encrypts High-Delay Satellite Circuits Characteristics of Satellite Networks? Satellite Networks have
More informationLoad Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.
Load Balancing Un article de Le wiki des TPs RSM. PC Final Network Exam Sommaire 1 LSNAT 1.1 Deployement of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with
More informationSCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005
SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems
More informationOwn your LAN with Arp Poison Routing
Own your LAN with Arp Poison Routing By: Rorik Koster April 17, 2006 Security is a popular buzzword heard every day throughout our American culture and possibly even more so in our global economy. From
More informationChapter 4 Virtual Private Networking
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
More informationNetwork Services Internet VPN
Contents 1. 2. Network Services Customer Responsibilities 3. Network Services General 4. Service Management Boundary 5. Defined Terms Network Services Where the Customer selects as detailed in the Order
More informationHow To Set Up A Net Integration Firewall
Net Integration Technologies, Inc. http://www.net itech.com Net Integrator Firewall Technical Overview Version 1.00 TABLE OF CONTENTS 1 Introduction...1 2 Firewall Architecture...2 2.1 The Life of a Packet...2
More informationChapter 9. IP Secure
Chapter 9 IP Secure 1 Network architecture is usually explained as a stack of different layers. Figure 1 explains the OSI (Open System Interconnect) model stack and IP (Internet Protocol) model stack.
More informationJK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
More informationWireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com
Wireless VPN White Paper WIALAN Technologies, Inc. http://www.wialan.com 2014 WIALAN Technologies, Inc. all rights reserved. All company and product names are registered trademarks of their owners. Abstract
More informationTCP and Wireless Networks Classical Approaches Optimizations TCP for 2.5G/3G Systems. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme
Chapter 2 Technical Basics: Layer 1 Methods for Medium Access: Layer 2 Chapter 3 Wireless Networks: Bluetooth, WLAN, WirelessMAN, WirelessWAN Mobile Networks: GSM, GPRS, UMTS Chapter 4 Mobility on the
More informationIf security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders. Dan Farmer, System Administrators Guide to Cracking
More informationTransport and Network Layer
Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a
More informationGuideline for setting up a functional VPN
Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the
More informationDYNAMIC MULTIPOINT VPN HUB AND SPOKE INTRODUCTION
DYNAMIC MULTIPOINT VPN HUB AND SPOKE INTRODUCTION NOVEMBER 2004 1 INTRODUCTION Spoke, Presentation_ID 11/04 2004, Cisco Systems, Inc. All rights reserved. 2 What is Dynamic Multipoint VPN? Dynamic Multipoint
More informationCS 356 Lecture 27 Internet Security Protocols. Spring 2013
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationSecurity issues with Mobile IP
Technical report, IDE1107, February 2011 Security issues with Mobile IP Master s Thesis in Computer Network Engineering Abdel Rahman Alkhawaja & Hatem Sheibani School of Information Science, Computer and
More informationCharles E. Perkins, Sun Microsystems
Abstract Mobile IP has been designed within the IETF to serve the needs of the burgeoning population of mobile computer users who wish to connect to the Internet and maintain communications as they move
More informationA Study on Mobile IPv6 Based Mobility Management Architecture
UDC 621.396.69:681.32 A Study on Mobile IPv6 Based Mobility Management Architecture VTsuguo Kato VRyuichi Takechi VHideaki Ono (Manuscript received January 19, 2001) Mobile IPv6 is considered to be one
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Exercise: Chapters 13, 15-18 18 1. [Kaufman] 13.1
More information(Refer Slide Time: 01:38 01:37)
Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No: 29 IP Version 6 & Mobile IP Good day, in the last lecture we discussed
More informationNCP Secure Enterprise Management Next Generation Network Access Technology
Data Sheet NCP Secure Enterprise Management Next Generation Network Access Technology General description NCP Secure Enterprise Management is the central component of the NCP Next Generation Network Access
More informationMoonv6 Test Suite DRAFT
Moonv6 Test Suite DHCP Interoperability Test Suite DRAFT Technical Document Revision 0.1 IPv6 Consortium 121 Technology Drive, Suite 2 InterOperability Laboratory Durham, NH 03824-3525 Research Computing
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationDefinition. A Historical Example
Overlay Networks This lecture contains slides created by Ion Stoica (UC Berkeley). Slides used with permission from author. All rights remain with author. Definition Network defines addressing, routing,
More informationDr. Arjan Durresi. Baton Rouge, LA 70810 Durresi@csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601_07/
Set of Problems 2 Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601_07/ Louisiana State University
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
More informationAvailability Digest. www.availabilitydigest.com. Redundant Load Balancing for High Availability July 2013
the Availability Digest Redundant Load Balancing for High Availability July 2013 A large data center can comprise hundreds or thousands of servers. These servers must not only be interconnected, but they
More informationGuide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols
Guide to TCP/IP, Third Edition Chapter 3: Data Link and Network Layer TCP/IP Protocols Objectives Understand the role that data link protocols, such as SLIP and PPP, play for TCP/IP Distinguish among various
More informationACHILLES CERTIFICATION. SIS Module SLS 1508
ACHILLES CERTIFICATION PUBLIC REPORT Final DeltaV Report SIS Module SLS 1508 Disclaimer Wurldtech Security Inc. retains the right to change information in this report without notice. Wurldtech Security
More informationInternet Control Protocols Reading: Chapter 3
Internet Control Protocols Reading: Chapter 3 ARP - RFC 826, STD 37 DHCP - RFC 2131 ICMP - RFC 0792, STD 05 1 Goals of Today s Lecture Bootstrapping an end host Learning its own configuration parameters
More informationWireless ATA: A New Data Transport Protocol for Wireless Storage
Wireless ATA: A New Data Transport Protocol for Wireless Storage Serdar Ozler and Ibrahim Korpeoglu Department of Computer Engineering, Bilkent University, 06800 Bilkent, Ankara, Turkey {ozler, korpe}@cs.bilkent.edu.tr
More informationCS268 Exam Solutions. 1) End-to-End (20 pts)
CS268 Exam Solutions General comments: ) If you would like a re-grade, submit in email a complete explanation of why your solution should be re-graded. Quote parts of your solution if necessary. In person
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More informationAppendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
More information