Bezpečnost firemních telefonních sítí využívajících VoIP / Security of Enterprise VoIP Telephony Networks

Šolc, Jiří

January 2008

This thesis focuses on enterprise VoIP telephony network security. Introduces brief comparison of old analog and digital voice networks and IP telephone networks with special focus on VoIP system security. The goal of the thesis is to identify the risks of implementation and operation of VoIP technologies in enterprise environment and so thesis brings some conclusion how to minimalize or avoid these risks. First two chapters briefly introduce the development of telephony technologies with differentiation of enterprise telephone network from public telephone networks. Further it describes individual technologies, digitalization of voice, processing the signal and VoIP protocols and components. Third chapter focuses on infrastructure of telephony networks with special interest for architecture of IP telephony and ways of establishing call processing. It describes data flows for further security risk analysis, which this technology came with. Fifth chapter is about enterprise security standards in common and is trying to describe information security management system (ISMS) adopting VoIP technology. Individual security threats and risks are described in sixth chapter, along with known methods how to avoid them. Final parts of thesis concludes of two real situation studies of threats and risks of VoIP technologies implemented in environment of small commercial enterprise and medium size enterprise, in this example represented by University of economics. These chapters conclude theoretical problems shown on practical examples.

Sessões de comunicações tolerantes a rupturas: uma camada de Socket para aplicações cientes de mobilidade na Internet / Disruption-tolerant sessions: a socket layer for mobility-aware applications on the internet

Bruno Yuji Lino Kimura

16 October 2012

Com a heterogeneidade de tecnologias de comunicação sem fio presentes na borda de redes de acesso, serviços providos na Internet podem ser acessados de forma quasi ubíqua através de dispositivos móveis ou portáteis. O acesso a esses serviços, contudo, está associado a atrasos e rupturas frequentes na comunicação devido a razões inerentes à mobilidade do dispositivo, como: i) perda de sinal em locais onde há pouca ou nenhuma cobertura de acesso móvel; ii) erros no quadro de dados durante a transmissão e, consequentemente, perdas de pacotes, que podem ser ocasionados por interferência no sinal ou enfraquecimento deste pelo distanciamento do dispositivo em relação à Estação Base; iii) mudanças de endereços IP durante transmissões em andamento causadas pela migração do dispositivo entre diferentes redes. Como consequência, aplicações falham com a ruptura de comunicações orientadas a conexão. Tratar a mobilidade de forma transparente à aplicação é um dos desafios da Computação Móvel e Ubíqua que vem sendo pesquisado ao longo da última década. Soluções foram propostas para operarem desde a Camada de Enlace à Aplicação. Muitas delas, entretanto, exigem modificações na pilha de protocolos TCP/IP e adição de infraestrutura específica de rede no suporte à comunicação fim-a-fim. Além de elevar o custo das etapas de implantação e manutenção, estratégias intrusivas e dependentes de infraestrutura adicional podem não apresentar desempenho satisfatório. Nesse contexto, propomos tratar a mobilidade no nível da própria aplicação através de Sessões de Comunicação que não falham com atrasos e desconexões. Operando somente nos nós-fim e de modo transparente às Camadas adjacentes de Aplicação e Transporte, as sessões não requerem infraestrutura adicional para intermediar ou controlar a comunicação entre pares, tampouco modificações em protocolos legados da pilha TCP/IP. O conceito de Sessões Tolerantes a Rupturas é implementado através de uma API de propósito geral em sistemas Linux que estende a interface de Sockets. A API é, na prática, uma camada transparente sobre o Socket que provê Ciência de Mobilidade à aplicação através de mecanismos para: acompanhar a localização de nós ao longo da duração de uma sessão; detectar rupturas nas transmissões causadas pela mobilidade do nó ou de seu par remoto; suspender e retomar sessões de forma eficiente, segura e confiável. Experimentos conduzidos em ambientes emulados e reais com equipamentos de uso comercial mostram a eficiência das sessões. Além de introduzir baixa degradação na vazão fim-a-fim, rupturas na transmissão podem ser detectadas em microssegundos e sessões suspensas são reabertas em milissegundos. Com um desempenho superior a solução de mobilidade geral da Camada IP, as sessões não necessitam de adaptações de software em equipamentos de rede / Nowadays services available on the Internet can be accessed from mobile devices while they roam across heterogeneous wireless networks. Due to the inherent reasons of device mobility, however, the access to such services is frequently involved with delay and disruptions. The most common reasons are: i) losing radio signal at places where mobile access coverage area is not available; ii) frame error, losses, and fading on the radio signal when the mobile device moves away from the Base Station; iii) changes on the devices IP address over ongoing transmission, while the mobile node migrates among different wireless networks. As result, networked application fails with disruptions on TCP connections established in the mobile users path. Handling seamlessly mobility on the Internet is a technical challenge of the Mobile Computing Paradigm. It has been widely researched over the last decade. Several solutions have been proposed to work from the Link Layer to the Application Layer. Most of them, however, work intrusively and require modifications in the classical TCP/IP protocol stack, as well as rely on additional network infrastructure to support mobile end-to-end communication. Besides increasing the cost of deployment and maintenance, intrusive and infrastructure dependent strategies may not present suitable performance. In this sense, we devised an architecture to handle mobility at the Application level by means of communication sessions that do not fail with delay, disruption or disconnection. Such sessions work only at the end-systems in a such way that: are fully transparent to the adjacent layers of Transport and Application; do not require additional network infrastructure to forward and manage the communication between two mobile peers; and do not impose any modification on the legacy protocols from the TCP/IP stack. The concept of Disruption-Tolerant Sessions is implemented in Linux by means of a general purpose API extended from the Socket interface. Such API is a transparent layer placed on top of the Socket to provide mobility awareness to the Application Layer. To do so, session services are provided for: tracking mobile peers along the session duration; detecting disruptions over TCP connection caused by mobility of the local or remote peer; suspending and resuming sessions with efficiency, security and reliability. Experiments conducted in emulated and real systems (off-the-shelf hardware and open source software) showed the desired efficiency. Besides introducing little overhead on the goodput, disruptions are detected in a range of microseconds and suspended sessions are resumed in milliseconds. With performance greater than the general IP layer mobility solution, the proposed sessions do not require software adaptation in the core of the network infrastructure

API de Sockets

Aplicações cientes de mobilidade

Computação móvel

Gerenciamento de mobilidade IP

Sessões tolerantes a atrasos e rupturas

Delay/Disruptions tolerant sessions

IP mobility management

Mobile computing

Mobility-aware applications

Sockets API

Uma arquitetura hierárquica baseada em sistema de arquivos para monitoramento de pacotes de rede no sistema operacional GNU/Linux / A hierarchical architecture based on the file system for monitoring network packets on GNU / Linuxoperating system

Beraldo Costa Leal

14 October 2013

Capturar e analisar pacotes de dados que trafegam pelas redes são tarefas essenciais para os administradores de redes. Estas tarefas ajudam na detecção de anomalias nos sistemas e na verificação do estado atual da rede. Existem várias aplicações que desempenham este papel para o sistema operacional GNU/Linux. Estes programas também exportam informações para os usuários e outras aplicações de várias maneiras. Entretanto, não exportam estas informações de forma hierárquica. Esta pesquisa propõe uma arquitetura alternativa aos sistemas atuais. Nossa arquitetura exporta pacotes de dados em uma estrutura hierárquica de arquivos e diretórios. Além disso, por se tratar de uma arquitetura modular, filtros adicionais, desenvolvidos por terceiros, podem ser adicionados ao sistema. A arquitetura proposta acompanha uma implementação de referência: o sistema de arquivos virtuais netsfs (Network Statistics File System), que funciona em espaço de núcleo (kernel space). A arquitetura e o sistema de arquivos netsfs, propostos nesta pesquisa, apresentam um método alternativo para exibir os pacotes de redes. Os resultados mostraram uma aparente melhoria no que diz respeito à vazão da rede. / Capturing and analyzing data packets flowing across networks are essential tasks for network administrators. These tasks help to detect anomalies in the systems and check the current status of a network. There are software applications for the GNU/Linux operating system which perform such tasks. These tools also export their information to users and other applications in different ways. However, current systems do not export this information in a hierarchical manner. This research introduces an alternative architecture to current systems. Our architecture exports data packets in a hierarchical structure of directories and files. Furthermore, since this is a modular architecture, additional third-party filters can be developed and loaded into the system. The proposed architecture comes with a reference implementation: the pseudo file system netsfs (Network Statistics File System), in kernel space. The architecture and the pseudo file system netsfs, developed in this research, introduce an alternative method to display data packets. Results show an apparent improvement regarding network throughput

GNU

kernel

linux

netsfs

núcleo

pacotes

redes

sistema de arquivos

sistema operacional

TCP/IP

file system

GNU

kernel

linux

netsfs

network

operational systems

packets

TCP/IP

Improving the Cyber defence of an organisation based on IP Geolocation and security appliances / Förbättra en organisations cyberförsvar baserad på IP Geolocation och säkerhetssystem

Opasinov, Aleksandar, Eftekhari, Sina

January 2020

As advancement and usage of data communication has increased exponentially on a global scale, with a devastating exposure to attacks and varying security threats to home offices as well as to large enterprises, there is always a need for enhanced network protection. The IT department of the company OneDefence, located in western Sweden, was chosen for the thesis and based on the stated information from the organisation, aims were set on how to improve their network defence capabilities. The aim of this thesis is to list ten countries posing the most serious IT threats, and to limit the attack surface of OneDefence’s IT network as much as possible while still providing the necessary services to users abroad. After researching the countries, a prototype was set up to mimic OneDefence’s topology of interest and test attacks were conducted as detailed in the Methodology chapter. The results of the investigations showed the countries posing most serious cyber threats included China, Russia and North Korea among others which were statistically calculated based on the total number of recognised cyberwarfare attacks. The results obtained from the different DoS attacks in the prototype showed that an IPS should be at the heart of an organisation's network defence for combating these intrusions, as well as potentially other types. With the help of a prototype built based on the organisation's topology, several attacks were somewhat successfully mitigated with the equipment used on hand, with only a low percentage of packets allowed to pass through the security unit. Lastly, to explore further enhancements of defence capabilities of OneDefence, a comparison between different products and devices were performed. This resulted in products from the Fortinet brand such as FortiGate NGFW and UTM capabilities as they are offering several advantages compared to competitors. / Då stora framsteg och användning av datakommunikation har ökat exponentiellt på en global skala, med en förödande exponering av attacker och säkerhetshot mot hemanvändare såväl som stora företag, finns detalltid ett behov av förbättrad nätverksskydd. IT-avdelningen hos företaget OneDefence, valdes för att utföra examensprojektet och baserade sig på organisationens angivna information för att förbättra deras nätverksförsvar. Syftet med denna rapport är att sammanställa en lista på tio länder som utgör de allvarligaste IT-hoten i världen, samt begränsa attackytan för organisationens nätverk så mycket som möjligt medan man behåller alla nödvändiga tjänster till användare utomlands. Efter att ha undersökt länderna, anordnades en prototyp för att efterlikna delar av OneDefences topologi av intresse och testattacker utfördes enligt metodologikapitlet. Resultaten av utredningarna visade att från de länder som utfört de allra allvarliga cyberhoten inkluderade bland annat Kina, Ryssland och Nordkorea, som har beräknats statistiskt baserat på antalet igenkända cyberwarfare attacker. Resultaten från de olika DoS-attackerna visade att en IPS bör vara kärnan i en organisations nätverksförsvar för att kunna bekämpa dessa intrång, samt potentiellt andra typer. Med hjälp av den prototyp som byggdes baserad på organisationens topologi, blockerades flera attacker rätt framgångsrikt, med en låg procentandel av paketen som gick genom säkerhetsenheten. Slutligen utforskades ytterligare förbättringar av försvarsförmågan hos organisationen genom att jämföra olika produkter och enheter. Detta resulterade i produkter från Fortinet-varumärket såsom FortiGate NGFW med UTM förmåga, då de erbjuder flera fördelar jämfört med konkurrenter.

Cybersecurity

Cisco ASA Firewall

IP Geolocation

Malware

Cyber Attacks

IPS

IT-säkerhet

Cisco ASA Brandvägg

IP Geolocation

Malware

Cyberattacker

IPS

Information Systems

Metody měření výkonnostních a kvalitativních parametrů datových sítí / Methods for measurement of data network performance and quality parameters

Sukup, Luboš

January 2012

Master thesis involves the development of quality measurement issues and performance parameters in data networks. It describes the main technologies as they affect the quality and performance parameters and the effect of these parameters for voice, video and data services. Next are listed some methods for measuring parameters of the data network.In the practical part is selected one method of measuring network parameters and properties of this method are demonstrated by illustrative examples.

Implementace kvality služby do řízení síťového prvku / Implementation of quality of service in the control of a network element

Boháč, Martin

January 2008

The main task of the Master Thesis is introduction into problems of quality of service in converged networks especially with use of IP protocol version 6. Converged networks are able to transfer different data types - voice, data or multimedia stream. Design of active network unit is realized in Matlab Simulink. Designed model consists of simple network with some computer terminals which are connected with network element - switch. Switch model simulates real traffic of computer terminals, that are sending data to remote users. Packets in switch are sorting by data stream type and QoS. Switch is managed by neuron network. Neuron network reacts to input data and controls switch depending on type of recipient. Switch model can be used in laboratory exercising. Solving this theme needs basic skill in Simulink and theme can be done in one laboratory exercise.

Efektivní využití konvergované sítě / Effective utilization of converged network

Nesveda, Marek

January 2011

The Master´s thesis deals with the field of converged networks and their effective utilization, focusing specifically on telematic networks. For modelling of a specific application, the field of vehicle telematics has been chosen. The thesis consists of two series of simulations performed in Opnet Modeler network simulator. The first theoretic part gave an overview of protocols used in converged networks, with a more detailed description of routing protocols. The attention also centred on the mechanisms for assuring the quality of service in IP. The subsequent practical part consisted in creating the simulation of a converged telematic network in Opnet Modeler network simulator, configuration of scenarios for assuring QoS using RSVP and DSCP protocols and the simulation itself. The results of the simulations for both scenarios were compared and represented in graphic form. The second theoretic part described queueing disciplines, as well as congestion control and congestion avoidance mechanisms. The corresponding practical part compared FIFO, PQ and WFQ queueing algorithms within the same simulated converged telematic network, using DSCP protocol scenario, which gave much better results in the first series of simulations. Again, the results of the simulations were compared and represented in graphic form.

Realizace zařízení pro komunikaci Car2X a Car2Car / Realization of the Car2X and Car2Car communication device

Štohanzl, Milan

January 2011

This work explores possibilities of Car2Car and Car2X communication. It contains survey of system properties, types of transmission messages, etc. It represents architecture of the system and deals with technical expectations and limitations of system. In the light of the fact that this work is created in the time, when development of this system hasn’t finished yet, the work doesn’t contain details which would allow deeper technical view about area of vehicular communication. The work also deals with the possibility of realization of device, communicating with a similar standard. Like the most suitable standard was chosen an IEEE 802.11a. Mobile unit has been realized by single board computer Mini 2440 and communication has been realized by WiFi module OWS451i, which works as AT modem. Mini 2440 and infrastructure server are based on Linux operation system.

Vysokorychlostní sítě v domácnosti / High-speed Networks in Household

Rosenberg, Michal

January 2012

The master thesis discusses about the relation between high-speed networks and intelligent system installation features and possibilities of this mutual interaction. Furthermore principles of KNX bus tunneling through IP networks are theoretically analyzed (KNXnet/IP). Practical use of implements KNXnet/IP shows real elements on the test panel. The control is realized by KNX@Home in the Ubuntu environment. Simulation of the real state tunneling KNX bus represent model in Opnet Modeler, which shows how the delays may change due to network load.

Komunikační protokoly pro optické bezkabelové spoje / Communication protocols for Free-Space Optical links

Šedo, Ondrej

January 2015

This master’s thesis is focused on behaviour of the TCP/IP protocol on free-space optical link which is affected by the effect of atmospheric turbulence. This causes fluctuation of the received optical power and therefor bit error rate changes. In the simulation model short-time bit error rate is calculated from random generated received optical signal and then used in time-domain analysis of the OMNeT++ network simulator. A buffer in transmitter is designed based on simulation results. It pauses the data transmitting in cases of FSO link outage. This method is then implemented into FPGA device.