Influence of the TCP packet setting and encryption for data transfer in medical applications




VLADIMÍR SCHINDLER, Department of Telecommunications, Faculty of Electrical Engineering and Communication, Brno University of Technology, Technická 12, 616 00 Brno, CZECH REPUBLIC, xschin02@stud.feec.vutbr.cz, http://www.vutbr.cz
ALEŠ ROČEK, Technical Support Department, Institute of Computer Science, Masaryk University, Botanická 554/68a, 602 00 Brno, CZECH REPUBLIC, rocek@ics.muni.cz, http://www.muni.cz

Abstract: Fast transmission combined with adequate protection of the transmitted information is a prerequisite of medical applications, and the proposed solution has to meet the specific requirements that follow from it. In particular, secure access from workstations with slow connections requires the transmission and encryption options to be optimized so that the user does not experience too much discomfort. Suitably chosen combinations of the parameters of the transmitted data can achieve better results than the default settings of the active network elements. It is also important to choose a suitable type of encryption that meets the demands for safe transmission of sensitive medical information while the volume of transferred data grows considerably.

Key-Words: MSS, Medical applications, MeDiMed, MTU, IPsec, Iperf, PACS

1 Introduction
Privacy and data security are key points of many computer applications. Transport over a public data network (the Internet) should be protected by encrypted tunnels. Tunneling protocols together with encryption algorithms bring additional overhead which decreases the bandwidth available for the actual data transport. The aim of this paper is to analyze the protocol overhead introduced both by the IPsec protocol itself and by the data encryption algorithm. We intend to fine-tune TCP (Transmission Control Protocol) parameters to maximize data throughput when the TCP stream is transported over an IPsec tunnel.
The results of these measurements will be taken into consideration when optimizing the design of the solution for connecting small healthcare institutions and workstations within the MeDiMed project, which uses a PACS (Picture Archiving and Communication System) to work with medical data.

1.1 PACS and MeDiMed
PACS is the currently used procedure and methodology for processing medical multimedia data obtained from image acquisition machines such as computed tomography, ultrasound, X-ray etc. Multimedia medical data obtained from these machines, called modalities in PACS terminology, are stored on a central PACS server. The Shared Regional PACS project MeDiMed started as a collaborative effort among Brno hospitals to process medical multimedia data. Masaryk University is the coordinator of this project, ensuring that the demands and requirements of radiology departments are met and overseeing the changing legislative standards and the practical limitations of technology. The new goal of the MeDiMed project is to offer the PACS system to small institutions. Small healthcare institutions and private doctors' offices usually have limited Internet connectivity and limited data network availability in general [1].

ISBN: 978-960-474-341-4, p. 96

The aim of the InstantPACS project is to develop a maintenance-free PACS system suitable for small and mid-sized healthcare institutions. This PACS system should offer the user amenities that are taken for granted in hospitals, e.g. automatic backup of medical data. The most important properties are user friendliness, maintenance-free operation and pricing acceptable for private doctors' offices. The project is an integral part of the MeDiMed shared regional PACS project. As small healthcare institutions and private doctors' offices are being equipped more and more with diagnostic devices such as CT, X-ray, ultrasound etc., we expect demand for medical image processing capabilities and services. Our intention is to offer PACS services also to these new prospective medical users. The specific property of PACS, or of any ICT service, in a small healthcare institution is the limited bandwidth available for medical image transport. The main intention of this work is the optimization of networking protocol parameters to maximize bandwidth utilization [1].

1.2 MSS
The MSS (Maximum Segment Size) indicates the largest amount of TCP data that can be sent in one TCP segment. The resulting IP datagram is still about 40 octets longer (IP and TCP headers); the encapsulation of a TCP segment in an IP datagram is shown in Fig. 1. Theoretically the MSS can be up to 65,495 bytes, but in practice the MTU (maximum transmission unit) of the outgoing interface reduced by 40 octets is used (e.g. for Ethernet the MSS would be 1500 B - 40 B = 1460 B). The typical size of the MSS is therefore 1460 bytes. If a TCP segment is longer than the MSS derived from the MTU, the resulting datagram exceeds the MTU and may be fragmented by the network layer (IP), or dropped if the DF bit is set. The MSS is not a value that the devices negotiate when establishing a connection: each device may use the TCP option to inform its peer about the MSS it expects to receive, but it is not required to. If the information about the MSS is missing, the default value of 536 octets is assumed.
Network performance can be degraded by using either extremely large or extremely short segments. Each segment carries at least 40 octets of IP and TCP headers in addition to the data itself [11].

Fig. 1. Encapsulation of a TCP segment in an IP datagram: IP header (20 octets), TCP header (20 octets), TCP data (less than or equal to the MSS).

1.3 IPsec
IPsec (IP Security Protocol) adds security mechanisms to the network layer. IPsec defines two security mechanisms. The first is authentication, which ensures the authenticity and integrity of the transmitted data: the receiver can verify that the received IP packet originated from the sender and was not modified in transit. Adding an AH (Authentication Header) to an IPv4 packet in transport mode is shown in Fig. 2 and in tunnel mode in Fig. 3 [10]. The second mechanism is encryption, where the payload following the IP header (and the ESP header) is encrypted using a pre-agreed algorithm. The recipient must agree in advance with the sender on the type of encryption to be used. Using ESP (Encapsulating Security Payload) in transport mode is shown in Fig. 4 and in tunnel mode in Fig. 5 [10]. IPsec is independent of the upper-layer protocols: an application need not support any special communication method to transmit over IPsec. It is possible to create an encrypted tunnel (VPN) or to encrypt only the communication between two computers.

Fig. 2. AH in transport mode in IPv4. Before applying AH: IP header | TCP header | data. After applying AH: IP header | AH | TCP header | data.

Fig. 3. AH in tunnel mode in IPv4. Before applying AH: IP header | TCP header | data. After applying AH: new IP header | AH | original IP header | TCP header | data; authenticated except for the mutable fields in the new IP header.
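The size accounting behind sections 1.2 and 1.3, as an added example that is not part of the paper: the calculator below works out how much ESP adds to one full-MSS TCP segment, how many padding bytes the block cipher forces, the largest MSS that still fits a given path MTU without IP fragmentation, and the largest MSS below a limit that needs no padding at all. It assumes the RFC 4303 ESP layout with a CBC block cipher and a 96-bit truncated HMAC ICV, plain 20-byte IPv4 and TCP headers, and tunnel mode; the `EspParams` fields (including the TCP-options length) are assumptions the caller can change, and the MTU and MSS values used in the demo are illustrative.

```python
"""ESP size accounting for one full-MSS TCP segment carried over IPsec.

Added example (not from the paper). Header sizes follow RFC 4303 for ESP
with a CBC block cipher and a truncated HMAC; the TCP-options length and
the tunnel/transport choice are assumptions that the caller can change.
"""
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI (4) + sequence number (4), sent in clear
ESP_TRAILER = 2      # pad length (1) + next header (1), inside the encrypted region


@dataclass(frozen=True)
class EspParams:
    block: int = 16      # cipher block size: 16 for AES, 8 for DES/3DES
    iv_len: int = 16     # CBC IV is one block: 16 for AES, 8 for DES/3DES
    icv_len: int = 12    # HMAC-MD5-96 / HMAC-SHA-1-96 ICV; 0 when no hash is configured
    tunnel: bool = True  # tunnel mode carries an inner IP header (site-to-site VPN)
    tcp_opts: int = 0    # bytes of TCP options, e.g. 12 with timestamps (assumption)


def _plaintext_len(mss: int, p: EspParams) -> int:
    """Bytes ESP must encrypt before padding: inner headers + data + ESP trailer."""
    inner_ip = IP_HDR if p.tunnel else 0
    return inner_ip + TCP_HDR + p.tcp_opts + mss + ESP_TRAILER


def esp_padding(mss: int, p: EspParams = EspParams()) -> int:
    """Padding bytes ESP adds so the encrypted region is a whole number of blocks."""
    return (-_plaintext_len(mss, p)) % p.block


def wire_size(mss: int, p: EspParams = EspParams()) -> int:
    """Length of the outer IP datagram carrying one full-MSS segment."""
    return (IP_HDR + ESP_HDR + p.iv_len + _plaintext_len(mss, p)
            + esp_padding(mss, p) + p.icv_len)


def goodput_fraction(mss: int, p: EspParams = EspParams()) -> float:
    """Share of each outer datagram that is TCP payload."""
    return mss / wire_size(mss, p)


def max_mss_for_mtu(mtu: int, p: EspParams = EspParams()) -> int:
    """Largest MSS whose ESP-encapsulated datagram still fits the path MTU unfragmented."""
    for mss in range(mtu, 0, -1):
        if wire_size(mss, p) <= mtu:
            return mss
    raise ValueError("MTU too small for any payload")


def zero_padding_mss(limit: int, p: EspParams = EspParams()) -> int:
    """Largest MSS <= limit for which ESP adds no padding bytes at all."""
    for mss in range(limit, limit - p.block, -1):   # one residue per block size pads to zero
        if esp_padding(mss, p) == 0:
            return mss
    raise AssertionError("unreachable")


if __name__ == "__main__":
    aes_sha = EspParams()                             # AES-CBC + HMAC-SHA-1-96, tunnel mode
    for mss in (1460, 1400, 1398, 1396, 1380):       # illustrative MSS values
        print(f"MSS {mss}: pad {esp_padding(mss, aes_sha):2d}  wire {wire_size(mss, aes_sha)}"
              f"  goodput {goodput_fraction(mss, aes_sha):.4f}")
    print("largest MSS that avoids fragmentation on a 1500-byte path:", max_mss_for_mtu(1500, aes_sha))
    print("largest MSS <= 1400 with zero ESP padding:", zero_padding_mss(1400, aes_sha))
```

With these assumptions the default Ethernet MSS of 1460 B produces a 1560-byte outer datagram, which is why an IPsec gateway has to clamp the MSS (a Cisco ASA does this with `sysopt connection tcpmss`, 1380 B by default). Where the zero-padding boundary falls depends on the inner header sizes, on tunnel versus transport mode and on TCP options, so the calculator is a way to reason about a measured optimum such as the paper's 1396 B, not a substitute for measuring it.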

Fig. 4. ESP in transport mode in IPv4. Before applying ESP: IP header | TCP header | data. After applying ESP: IP header | ESP header | TCP header | data | ESP trailer | ESP authentication data; encrypted (confidentiality) from the TCP header to the ESP trailer, authenticated from the ESP header to the ESP trailer.

Fig. 5. ESP in tunnel mode in IPv4. Before applying ESP: IP header | TCP header | data. After applying ESP: new IP header | ESP header | original IP header | TCP header | data | ESP trailer | ESP authentication data; encrypted (confidentiality) from the original IP header to the ESP trailer, authenticated from the ESP header to the ESP trailer.

2 Research environment
The method is based on comparing the delays necessary for transferring a 500 MB file between a server and a client using different combinations of ciphers and hash functions. From these measurements one combination of cipher and hash function is selected, and the further measurements are performed with it. First, the influence of the TCP window size on the transmission delay is shown. Second, the effect of the buffer size setting on the transmission delay is measured. The last measurements examine the transmission delay as influenced by the MSS (Maximum Segment Size) of the TCP packets. The scheme of the research environment is shown in Fig. 6. It consists of a rackmount server on which the Iperf program runs in server mode. A Cisco ASA 5505 firewall is connected to this server; the encryption algorithm, the hash function and the TCP MSS are set on it. Two Cisco Catalyst 3550 switches, which simulate the ISP (Internet service provider) terminals, are connected in the measuring environment in addition. They limit the maximum network speed to 10 Mbps to better match the average speed of an Internet provider. On the opposite side of the research environment a second Cisco ASA 5505 firewall is placed, which encrypts the traffic on the client side.

Fig. 6. Research environment: MeDiMed server - Firewall ASA 5505 - Switch Catalyst 3550 - Network - Switch Catalyst 3550 - Firewall ASA 5505 - Client.

2.1 Parameters of the used computers
Server: rackmount server, RedHat EL 5, Intel Xeon 2.8 GHz, 4 GB RAM, 80 GB SSD; Iperf 2.0.5 (rel. 1.el5).
Client: notebook HP 6730b, Win7 Prof.
SP1 (2009, 32-bit), Intel Core2 Duo CPU T9400 @ 2.53 GHz, 4 GB RAM, 60 GB HDD; Iperf 1.7.0, Jperf 2.0.2, Wireshark 1.6.7 (SVN Rev 41973 from /trunk-1.6).

2.2 The programs Iperf and Jperf
Iperf is a simple utility that tests the throughput of a data link. The Jperf extension simplifies its operation and parameter settings: instead of typing text commands, the criteria can simply be entered in a graphical interface. On the server was

installed Iperf 2.0.5 (rel. 1.el5); on the client PC Iperf 1.7.0 and Jperf 2.0.2 were installed.

2.3 The Wireshark application
Wireshark is one of the most widely used protocol analyzers. It is used to analyze and debug problems in computer networks. The application was installed on the client PC to monitor network traffic. Wireshark was used to measure the transfer delay of the 500 MB file.

3 Measurement of the transmission speed
3.1 Comparison of file transfer speeds with different combinations of ciphers and hash functions
On both Cisco ASA 5505 firewalls the encryption and hashing parameters were set one after the other and the 500 MB file was transferred each time. The results of these measurements are shown in Tab. 1 and Graph 1. Five types of encryption are compared: starting from the simplest and no longer trustworthy DES (Data Encryption Standard), through its improved version 3DES (Triple DES), to the currently most widely used symmetric block cipher AES (Advanced Encryption Standard) with 128-, 192- and 256-bit keys. The chart also shows how the transfer rate depends on the combination of the encryption and the hash function. MD5 (Message-Digest) and SHA (Secure Hash Algorithm) were chosen as representatives of the hash functions. For comparison, the measurements were also repeated without a hash function. The firewalls unfortunately do not allow a transfer to be set up with neither encryption nor a hash, so that combination is missing. The differences between the lowest and highest values within one hash function were very small, a few kB/s. The difference between the slowest transmission (AES-256 with SHA) and the fastest (AES-256 without hash) was about 19 kB/s, which corresponds to 1.7%. Because the cost of the strongest setting is this small, the combination AES-256 with the SHA hash was selected for the additional measurements.
This combination is currently the strongest commonly used solution for the transmission of sensitive medical information.

  Cipher    Hash     Speed [MB/s]
  DES       MD5      1.13221
  3DES      MD5      1.13264
  AES-128   MD5      1.12542
  AES-192   MD5      1.12357
  AES-256   MD5      1.12345
  NONE      MD5      1.13596
  DES       SHA      1.12960
  3DES      SHA      1.12978
  AES-128   SHA      1.12335
  AES-192   SHA      1.12358
  AES-256   SHA      1.12256
  NONE      SHA      1.13575
  DES       NO HASH  1.13930
  3DES      NO HASH  1.14154
  AES-128   NO HASH  1.13408
  AES-192   NO HASH  1.13438
  AES-256   NO HASH  1.14163
  NONE      NO HASH  0 (combination not supported by the firewalls)

Tab. 1. File transfer speed for different combinations of ciphers and hash functions

Graph 1. File transfer speed for different combinations of ciphers and hash functions (plot of Tab. 1; image not reproduced).

3.2 Comparison of file transfer speeds with different window sizes
The transmission times of the 500 MB file achieved with different TCP window sizes set in Iperf are recorded in Graph 2. The cipher AES-256 and the SHA hash function were set up, and the buffer size was 2 MB. The graph shows that the highest speed was achieved with a window size of 64 kB.
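The measurement series of section 3 (cipher comparison, then the window, buffer and MSS sweeps), as an added example that is not the authors' tooling: the helper below builds the Iperf 2 client command lines for a sweep with every other parameter held constant, parses Iperf's summary line into the MB/s figure used in Tab. 1, and computes the relative gain between two settings. It assumes the Iperf 2 client flags `-n` (bytes to send), `-w` (TCP window), `-l` (read/write buffer length), `-M` (MSS) and `-p` (port), which are the fields Jperf exposes in its GUI; the server address 10.0.0.1 and the output text are constructed, not a real measurement. The paper clamps the MSS on the ASA firewalls; `-M` is the client-side equivalent for a quick comparison on one host.

```python
"""Driving and evaluating the Iperf measurement series of section 3.

Added example (not from the paper). Builds Iperf 2 client command lines for
the window/buffer/MSS sweeps and parses Iperf's summary line into MB/s.
The sample output below is constructed.
"""
import re
import shlex
from typing import List, Optional, Tuple

# Iperf 2 summary line, e.g. "[  3]  0.0-445.4 sec   500 MBytes  9.42 Mbits/sec"
SUMMARY = re.compile(
    r"\[\s*\d+\]\s+(?P<t0>\d+(?:\.\d+)?)-\s*(?P<t1>\d+(?:\.\d+)?)\s+sec\s+"
    r"(?P<amount>\d+(?:\.\d+)?)\s+(?P<unit>[KMG]?)Bytes"
)
# Conversion to MBytes; Iperf 2 reports byte counts with 1024-based prefixes.
_TO_MBYTES = {"": 1 / 2**20, "K": 1 / 2**10, "M": 1.0, "G": 2**10}


def client_command(server: str, *, nbytes: str = "500M", window: str = "64K",
                   buflen: str = "2M", mss: Optional[int] = None, port: int = 5001) -> str:
    """Iperf 2 client invocation: -n bytes to send, -w TCP window, -l buffer, -M MSS."""
    cmd = ["iperf", "-c", server, "-p", str(port), "-n", nbytes, "-w", window, "-l", buflen]
    if mss is not None:
        cmd += ["-M", str(mss)]
    return " ".join(shlex.quote(c) for c in cmd)


def sweep(server: str, mss_values, **fixed) -> List[str]:
    """One command per MSS value, all other parameters held constant (section 3.4)."""
    return [client_command(server, mss=m, **fixed) for m in mss_values]


def parse_summary(line: str) -> Optional[Tuple[float, float]]:
    """(MBytes transferred, seconds elapsed) from an Iperf summary line, else None."""
    m = SUMMARY.search(line)
    if not m:
        return None
    mbytes = float(m["amount"]) * _TO_MBYTES[m["unit"]]
    return mbytes, float(m["t1"]) - float(m["t0"])


def speed_mbps(output: str) -> float:
    """MB/s of the whole transfer, from the last summary line in Iperf's output."""
    summaries = [s for s in map(parse_summary, output.splitlines()) if s]
    if not summaries:
        raise ValueError("no Iperf summary line found")
    mbytes, secs = summaries[-1]
    return mbytes / secs


def relative_gain_pct(baseline: float, candidate: float) -> float:
    """Percentage by which candidate exceeds baseline (used to compare two settings)."""
    return (candidate - baseline) / baseline * 100.0


# Constructed Iperf 2 client output for one 500 MB run (not a real measurement).
SAMPLE_OUTPUT = """\
------------------------------------------------------------
Client connecting to 10.0.0.1, TCP port 5001
TCP window size: 64.0 KByte
------------------------------------------------------------
[  3] local 10.0.1.5 port 49152 connected with 10.0.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-445.4 sec   500 MBytes  9.42 Mbits/sec
"""

if __name__ == "__main__":
    for cmd in sweep("10.0.0.1", (1380, 1396, 1400, 1460)):
        print(cmd)
    print(f"{speed_mbps(SAMPLE_OUTPUT):.5f} MB/s")
    # Tab. 1: AES-256 with SHA versus AES-256 without hash
    print(f"{relative_gain_pct(1.12256, 1.14163):.2f} %")
```

Each command transfers a fixed 500 MB so that runs are comparable by elapsed time, as in the paper; the parser deliberately takes the transferred byte count and the interval rather than Iperf's own bandwidth figure, so the result is in the same MB/s unit as Tab. 1 regardless of the `-f` format chosen.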

Graph 2. File transfer speed with different window sizes (image not reproduced).

3.3 Comparison of file transfer speeds with different buffer sizes
Graph 3 shows the transmission speeds achieved when different TCP buffer sizes were set up in the Iperf application. Again, the cipher AES-256 and the SHA hash function were set up. The highest transfer rates were achieved with a buffer size of 1 MB.

Graph 3. File transfer speed with different buffer sizes (image not reproduced).

3.4 Comparison of file transfer speeds with different TCP MSS sizes
To measure the effect of the TCP MSS setting, the following values were set up on the firewalls: buffer size 2 MB, window size 64 kB, AES with a 256-bit key, SHA hash function. Graph 4 shows how the data transfer rate increases with increasing MSS.

Graph 4. File transfer rate for different MSS sizes (image not reproduced).

4 Conclusion
By optimizing the MTU, the utilization of the data link can be partially improved. We have studied the properties of TCP streams transported over an IPsec tunnel. Fine-tuning the TCP MSS according to the encryption algorithm used can improve the data throughput. As expected, a bigger TCP MSS offers better data throughput in general, because fewer data units (packets) are needed to transport the required amount of data. In the case of the AES-256 encryption algorithm, the best results were obtained when the TCP MSS is a multiple of 16 bytes. This is consistent with the 16-byte block size of AES [12]: ESP pads the encrypted payload up to a whole number of cipher blocks, so the padding overhead varies with the segment size modulo 16. For example, if the TCP MSS must be below 1400 bytes because of the transport technology used (e.g. ADSL), the best data transfer rate will be achieved by setting the TCP MSS to 1396 B. The gain of this TCP MSS optimization is about 1.5%. That does not seem much, but on lines with limited bandwidth (e.g. ADSL or 3G) even a small throughput improvement may be helpful.

Acknowledgements
This work is supported by the Czech Technology Agency, project number TA01010268 "Maintenance-free PACS system for small and mid-sized healthcare institutions".
References:
[1] SLAVÍČEK, K., JAVORNÍK, M., DOSTÁL, O., Extension of the Shared Regional PACS Center MeDiMed to Smaller Healthcare Institutions. In: The Eleventh International Conference on Networks, Saint Gilles, Reunion Island: IARIA, 2012, pp. 83-87. ISBN 978-1-61208-183-0.

[2] JAVORNÍK, M., DOSTÁL, O., SLAVÍČEK, K., Regional Medical Imaging System. World Academy of Science, Engineering and Technology, France, 2011, vol. 7, no. 79, pp. 389-393. ISSN 2010-376X.
[3] SLAVÍČEK, K., DOSTÁL, O., JAVORNÍK, M., DRDLA, M., MEDIMED - Regional Centre for Medicine Image Processing. In: Knowledge Discovery and Mining, Phuket, Thailand, USA: IEEE Computer Society, 2010, pp. 310-313. ISBN 978-0-7695-3923-2.
[4] SLAVÍČEK, K., JAVORNÍK, M., DOSTÁL, O., Redundancy in Processing of Medical Image. In: Fourth International Conference on Computer Sciences and Convergence Information Technology, Seoul, Korea: IEEE Computer Society Conference Publishing Services, 2009, pp. 519-523. ISBN 978-1-4244-5244-6.
[5] SLAVÍČEK, K., NOVÁK, V., Introduction of Alien Wavelength into Cesnet DWDM Backbone. In: Sixth International Conference on Information, Communications and Signal Processing, Singapore: IEEE, 2007, pp. 977-981. ISBN 978-1-4244-0982-2.
[6] SLAVÍČEK, K., Maximum Frame Size in Large Layer 2 Networks. Lecture Notes in Computer Science, Germany, 2007, vol. 4712, no. 1, pp. 409-418. ISSN 0302-9743.
[7] DOSTÁL, O., SLAVÍČEK, K., Wireless Technology in Medicine Applications. In: Personal Wireless Communications, Praha: Springer Verlag, 2007, pp. 316-324. ISBN 978-0-387-74158-1.
[8] DOSTÁL, O., SLAVÍČEK, K., JAVORNÍK, M., PKI Utilisation for PACS Users Authentication. In: ICN 2006, Mauritius: IEEE Computer Society, 2006, pp. 151-156. ISBN 0-7695-2552-0.
[9] DOSTÁL, O., JAVORNÍK, M., SLAVÍČEK, K., PETRENKO, M., MEDIMED - Regional Centre for Archiving and Interhospital Exchange of Medicine Multimedia. In: Proceedings of the Second IASTED International Conference on Communications, Internet, and Information Technology, Scottsdale, Arizona, USA: International Association of Science and Technology for Development (IASTED), 2003, pp. 609-614. ISBN 0-88986-398-9.
[10] RFC 4302, IP Authentication Header, BBN Technologies, December 2005, The Internet Society.
[11] PUŽMANOVÁ, R., TCP/IP v kostce (TCP/IP in a Nutshell), 2nd ed., České Budějovice: KOPP, 2009. ISBN 978-80-7232-388-3.
[12] Federal Information Processing Standards Publication 197 (FIPS 197), Advanced Encryption Standard (AES), 2001.