Flexible access control for campus and enterprise networks

Nayak, Ankur Kumar

07 April 2010

We consider the problem of designing enterprise network security systems which are easy to manage, robust and flexible. This problem is challenging. Today, most approaches rely on host security, middleboxes, and complex interactions between many protocols. To solve this problem, we explore how new programmable networking paradigms can facilitate fine-grained network control. We present Resonance, a system for securing enterprise networks , where the network elements themselves en- force dynamic access control policies through state changes based on both flow-level information and real-time alerts. Resonance uses programmable switches to manipulate traffic at lower layers; these switches take actions (e.g., dropping or redirecting traffic) to enforce high-level security policies based on input from both higher-level security boxes and distributed monitoring and inference systems. Using our approach, administrators can create security applications by first identifying a state machine to represent different policy changes and then, translating these states into actual network policies. Earlier approaches in this direction (e.g., Ethane, Sane) have remained low-level requiring policies to be written in languages which are too detailed and are difficult for regular users and administrators to comprehend. As a result, significant effort is needed to package policies, events and network devices into a high-level application. Resonance abstracts out all the details through its state-machine based policy specification framework and presents security functions which are close to the end system and hence, more tractable. To demonstrate how well Resonance can be applied to existing systems, we consider two use cases. First relates to "Network Admission Control" problem. Georgia Tech dormitories currently use a system called START (Scanning Technology for Automated Registration, Repair, and Response Tasks) to authenticate and secure new hosts entering the network [23]. START uses a VLAN-based approach to isolate new hosts from authenticated hosts, along with a series of network device interactions. VLANs are notoriously difficult to use, requiring much hand-holding and manual configuration. Our interactions with the dorm network administrators have revealed that this existing system is not only difficult to manage and scale but also inflexible, allowing only coarse-grained access control. We implemented START by expressing its functions in the Resonance framework. The current system is deployed across three buildings in Georgia Tech with both wired as well as wireless connectivities. We present an evaluation of our system's scalability and performance. We consider dynamic rate limiting as the second use case for Resonance. We show how a network policy that relies on rate limiting and traffic shaping can easily be implemented using only a few state transitions. We plan to expand our deployment to more users and buildings and support more complex policies as an extension to our ongoing work. Main contributions of this thesis include design and implementation of a flexible access control model, evaluation studies of our system's scalability and performance, and a campus-wide testbed setup with a working version of Resonance running. Our preliminary evaluations suggest that Resonance is scalable and can be potentially deployed in production networks. Our work can provide a good platform for more advanced and powerful security techniques for enterprise networks.

Access control

Security

Enterprise networks

Programmable networks

Computer networks Security measures

Computer networks Management

Computer networks

Local area networks (Computer networks)

Supporting system deployment decisions in public clouds

Khajeh-Hosseini, Ali

January 2013

Decisions to deploy IT systems on public Infrastructure-as-a-Service clouds can be complicated as evaluating the benefits, risks and costs of using such clouds is not straightforward. The aim of this project was to investigate the challenges that enterprises face when making system deployment decisions in public clouds, and to develop vendor-neutral tools to inform decision makers during this process. Three tools were developed to support decision makers: 1. Cloud Suitability Checklist: a simple list of questions to provide a rapid assessment of the suitability of public IaaS clouds for a specific IT system. 2. Benefits and Risks Assessment tool: a spreadsheet that includes the general benefits and risks of using public clouds; this provides a starting point for risk assessment and helps organisations start discussions about cloud adoption. 3. Elastic Cost Modelling: a tool that enables decision makers to model their system deployment options in public clouds and forecast their costs. These three tools collectively enable decision makers to investigate the benefits, risks and costs of using public clouds, and effectively support them in making system deployment decisions. Data was collected from five case studies and hundreds of users to evaluate the effectiveness of the tools. This data showed that the cost effectiveness of using public clouds is situation dependent rather than universally less expensive than traditional forms of IT provisioning. Running systems on the cloud using a traditional 'always on' approach can be less cost effective than on-premise servers, and the elastic nature of the cloud has to be considered if costs are to be reduced. Decision makers have to model the variations in resource usage and their systems' deployment options to obtain accurate cost estimates. Performing upfront cost modelling is beneficial as there can be significant cost differences between different cloud providers, and different deployment options within a single cloud. During such modelling exercises, the variations in a system's load (over time) must be taken into account to produce more accurate cost estimates, and the notion of elasticity patterns that is presented in this thesis provides one simple way to do this.

004.67

Investigating the viability of a framework for small scale, easily deployable and extensible hotspot management systems

Thinyane, Mamello P

January 2006

The proliferation of PALs (Public Access Locations) is fuelling the development of new standards, protocols, services, and applications for WLANs (Wireless Local Area Networks). PALs are set up at public locations to meet continually changing, multiservice, multi-protocol user requirements. This research investigates the essential infrastructural requirements that will enable further proliferation of PALs, and consequently facilitate ubiquitous computing. Based on these requirements, an extensible architectural framework for PAL management systems that inherently facilitates the provisioning of multiple services and multiple protocols on PALs is derived. The ensuing framework, which is called Xobogel, is based on the microkernel architectural pattern, and the IPDR (Internet Protocol Data Record) specification. Xobogel takes into consideration and supports the implementation of diverse business models for PALs, in respect of distinct environmental factors. It also facilitates next-generation network service usage accounting through a simple, flexible, and extensible XML based usage record. The framework is subsequently validated for service element extensibility and simplicity through the design, implementation, and experimental deployment of SEHS (Small Extensible Hotspot System), a system based on the framework. The robustness and scalability of the framework is observed to be sufficient for SMME deployment, withstanding the stress testing experiments performed on SEHS. The range of service element and charging modules implemented confirm an acceptable level of flexibility and extensibility within the framework.

Local area networks (Computer networks)

Computer networks -- Management

Computer network architectures

Computer network protocols

Wireless communication systems

XML (Document markup language)

Caracterização das redes de suprimentos brasileiras de exportação de frango de corte: cenário atual e tendências futuras

Carona, Natércia Filipe Mendeiros

26 March 2008

Made available in DSpace on 2010-04-20T20:48:37Z (GMT). No. of bitstreams: 3 71040100498.pdf.jpg: 20294 bytes, checksum: 6ecefcc85f0e2b04170ede657782f8dc (MD5) 71040100498.pdf: 4465512 bytes, checksum: 8a4fb7604d12cd82d51a32e4245872fb (MD5) 71040100498.pdf.txt: 415589 bytes, checksum: 3c7c70463c22b7dce924116495f11151 (MD5) Previous issue date: 2008-03-26T00:00:00Z / Globalization, technological, political and social breakthroughs create internal pressure inside the organizations which need to reply by developing its abilities and capacities. Business with focus on the international markets, must face bigger challenges. Even more complex and unstable environment, fluctuation import quotas and other barriers placed in the international commerce made quality stop being a competitive advantage in many industries and become a standard. The development of competitive strategies and supply chain networks are now crucial to survive in this environments. Brazil is one of the biggest world players in food production, specially beans and animal protein. Since 2004, Brazil is the second biggest chicken producer, and the first in exportation. The understanding of the characteristics underlying the supply network might help towards a more efficient orientation. Therefore, general objective of this study is to analyze the competitiveness in the Brazilian exportation agribusiness four poultry, by means of characterization of its supply networks. Moreover, it aims to identify which factors impact more in its success. For such purpose an analysis and synthesis of the relevant literature concerning Supply Networks Management and Agribusiness is developed, as well as the main tendencies and future challenges in the poultry business are researched. A framework resulting from the literature review was used in the multiple case study complying four companies from the exportation business of poultry. Results show that managing coordination, differentiation and reconfiguration, allows knowing the types of networks and verifying their skills to face future tendencies. / A globalização, a desregulamentação, os avanços tecnológicos, políticos e sociais geram pressões internas nas organizações que precisam responder desenvolvendo suas competências e capacidades. Em negócios com foco no mercado internacional, os desafios aumentam. Ambiente ainda mais complexo e instável, interferências dos limites de quotas e outras barreiras colocadas ao comércio internacional fizeram com que a qualidade deixasse de ser um diferencial em muitas indústrias, e passasse a ser um requisito standart obrigatório. O desenvolvimento de estratégias competitivas e a gestão das redes são cruciais para sobreviver nestes ambientes. O Brasil atua como um dos maiores produtores de alimentos do mundo, sobretudo na produção de grãos e proteína animal. Desde 2004, o Brasil é o segundo maior produtor de frango e o primeiro em exportação. O entendimento das características que definem uma rede de suprimentos pode contribuir para uma orientação mais eficiente. Nesse sentido, este estudo tem como objetivo analisar a competitividade da rede agro-exportadora de frango de corte no Brasil, por meio da caracterização das suas redes de suprimentos, identificando os fatores e as atividades que mais impactam no seu sucesso. Para tal é desenvolvida uma análise e síntese da literatura relevante de Gestão de Redes de Suprimentos e Agronegócio especialmente focado no frango de corte para exportação, incluindo as principais tendências e desafios do negócio. Um constructo resultante da revisão serviu de base para a pesquisa empírica desenvolvida por meio de caso múltiplo, contemplando quatro empresas do setor. Os resultados indicam que a gestão da coordenação, da diferenciação e da reconfiguração das redes, permitem acessar os tipos de redes e verificar as suas aptidões para enfrentar o futuro.

Carnes

Exportação

Gestão de redes de suprimentos

Agronegócio

Supply networks management

Agribusiness

Exportation

Meats

Administração de empresas

Frango de corte - Exportação - Brasil

Indústria avícola - Brasil

Cadeia de suprimentos

Gerenciamento baseado em modelos da configuração de sistemas de segurança em ambientes de redes complexos / Model-based configuration management of security systems in complex network environments

Pereira, João Porto de Albuquerque

24 May 2006

Orientador: Paulo Licio de Geus / Tese (doutorado) - Universidade Estadual de Campinas, Instituto de Computação / Made available in DSpace on 2018-08-07T08:33:59Z (GMT). No. of bitstreams: 1 Pereira_JoaoPortodeAlbuquerque_D.pdf: 3410336 bytes, checksum: b604fcebba7d50ce5939b35de40ce518 (MD5) Previous issue date: 2006 / Resumo: Os mecanismos de segurança empregados em ambientes de redes atuais têm complexidade crescente e o gerenciamento de suas configurações adquire um papel fundamental para proteção desses ambientes. Particularmente em redes de computadores de larga escala, os administradores de segurança se vêem confrontados com o desafio de projetar, implementar, manter e monitorar um elevado número de mecanismos, os quais possuem sintaxes de configuração heterogêneas e complicadas. Uma conseqüência dessa situação é que erros de configuração são causas freqüentes de vulnerabilidades de segurança. O presente trabalho oferece uma sistemática para o gerenciamento da configuração de sistemas de segurança de redes que corresponde especialmente às necessidades dos ambientes complexos encontrados em organizações atuais. A abordagem, construída segundo o paradigma de Gerenciamento Baseado em Modelos, inclui uma técnica de modelagem que trata uniformemente diferentes tipos de mecanismos e permite que o projeto de suas configurações seja executado de forma modular, mediante um modelo orientado a objetos. Esse modelo é segmentado em Subsistemas Abstratos, os quais encerram um grupo de mecanismos de segurança e outras entidades relevantes do sistema ¿ incluindo seus diferentes tipos de mecanismo e as inter-relações recíprocas entre eles. Uma ferramenta de software apóia a abordagem, oferecendo um diagrama para edição de modelos que inclui técnicas de visualização de foco e contexto. Essas técnicas são particularmente adaptadas para cenários de larga escala, possibilitando ao usuário a especificação de certa parte do sistema sem perder de vista o contexto maior no qual essa parte se encaixa. Após a conclusão da modelagem, a ferramenta deriva automaticamente parâmetros de configuração para cada mecanismo de segurança do sistema, em um processo denominado refinamento de políticas. Os principais resultados deste trabalho podem ser sumarizados nos seguintes pontos: (i) uma técnica de modelagem uniforme e escalável para o gerenciamento de sistemas de segurança em ambientes complexos e de larga escala; (ii) um processo para o projeto de configurações apoiado por uma ferramenta que inclui técnicas de foco e contexto para melhor visualização e manipulação de grandes modelos; (iii) uma abordagem formal para a validação do processo de refinamento de políticas / Abstract: The security mechanisms employed in current networked environments are increasingly complex, and their configuration management has an important role for the protection of these environments. Especially in large scale networks, security administrators are faced with the challenge of designing, deploying, maintaining and monitoring a huge number of mechanisms, most of which have complicated and heterogeneous configuration syntaxes. Consequently, configuration errors are nowadays a frequent cause of security vulnerabilities. This work offers an approach to the configuration management of network security systems specially suited to the needs of the complex environments of today¿s organizations. The approach relies upon the Model-Based Management (MBM) paradigm and includes a modelling framework that allows the design of security systems to be performed in a modular fashion, by means of an object-oriented model. This model is segmented into logical units (so-called Abstract Subsystems) that enclose a group of security mechanisms and other relevant system entities, offering a more abstract representation of them. In this manner, the administrator is able to design a security system¿including its different mechanism types and their mutual relations¿by means of an abstract and uniform modelling technique. A software tool supports the approach, offering a diagram editor for models, which includes focus and context visualization techniques. These techniques are particularly suitable to large scale scenarios, enabling a designer to precisely specify a given part of the system without losing the picture of the context to which this part belongs. After the model is complete, the tool automatically derives configuration parameters for each security mechanism in the system, in a process called policy refinement. The major results of this work can be summarised as follows: (i) definition of a uniform and scalable object-oriented modelling framework for the configuration management of large, complex network security systems; (ii) development of a configuration design process assistes by a tool that implements focus and context techniques to improve visualization and manipulation of large models; (iii) a formal validation approach of the policy refinement process / Doutorado / Doutor em Ciência da Computação

Redes de computadores - Gerência

Modelagem de dados

Internet

Computer networks, security measures

Computer networks, management

Data modeling

Internet (Computer networks)

Integrated Network Management Using Extended Blackboard Architecture

Prem Kumar, G

07 1900

No description available.

Computer Networks - Management

Computer Network Architectures

Integrated Network Management (INM)

Extended Blackboard Architecture

Network Fault Management

Security Management

Network Management (NM)

Computer Science

Proposta e validação de nova arquitetura de redes de data center / Proposal and Validation of New Architecture for Data Center Networks

Macapuna, Carlos Alberto Bráz

18 August 2018

Orientadores: Mauricio Ferreira Magalhães; Christian Esteve Rothenberg / Dissertação (mestrado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação / Made available in DSpace on 2018-08-18T11:07:49Z (GMT). No. of bitstreams: 1 Macapuna_CarlosAlbertoBraz_M.pdf: 1236245 bytes, checksum: a91bba6ee11302ae78b90231dd6c0241 (MD5) Previous issue date: 2011 / Resumo: Assim como as grades computacionais, os centros de dados em nuvem são estruturas de processamento de informações com requisitos de rede bastante exigentes. Esta dissertação contribui para os esforços em redesenhar a arquitetura de centro de dados de próxima geração, propondo um serviço eficaz de encaminhamento de pacotes, que explora a disponibilidade de switches programáveis com base na API OpenFlow. Desta forma, a dissertação descreve e avalia experimentalmente uma nova arquitetura de redes de centro de dados que implementa dois serviços distribuídos e resilientes a falhas que fornecem as informações de diretório e topologia necessárias para codificar aleatoriamente rotas na origem usando filtros de Bloom no cabeçalho dos pacotes. Ao implantar um exército de gerenciadores de Rack atuando como controladores OpenFlow, a arquitetura proposta denominada Switching with in-packet Bloom filters (SiBF) promete escalabilidade, desempenho e tolerância a falhas. O trabalho ainda defende a ideia que o encaminhamento de pacotes pode tornar-se um serviço interno na nuvem e que a sua implementação pode aproveitar as melhores práticas das aplicações em nuvem como, por exemplo, os sistemas de armazenamento distribuído do tipo par <chave,valor>. Além disso, contrapõe-se ao argumento de que o modelo de controle centralizado de redes (OpenFlow) está vinculado a um único ponto de falhas. Isto é obtido através da proposta de uma arquitetura de controle fisicamente distribuída, mas baseada em uma visão centralizada da rede resultando, desta forma, em uma abordagem de controle de rede intermediária, entre totalmente distribuída e centralizada / Abstract: Cloud data centers, like computational Grids, are information processing fabrics with very demanding networking requirements. This work contributes to the efforts in re-architecting next generation data centers by proposing an effective packet forwarding service that exploits the availability of programmable switches based on the OpenFlow API. Thus, the dissertation describes and experimentally evaluates a new architecture for data center networks that implements two distributed and fault-tolerant services that provide the directory and topology information required to encode randomized source routes with in-packet Bloom filters. By deploying an army of Rack Managers acting as OpenFlow controllers, the proposed architecture called Switching with in-packet Bloom filters (SiBF) promises scalability, performance and fault-tolerance. The work also shows that packet forwarding itself may become a cloud internal service implemented by leveraging cloud application best practices such as distributed key-value storage systems. Moreover, the work contributes to demystify the argument that the centralized controller model of OpenFlow networks is prone to a single point of failure and shows that direct network controllers can be physically distributed, yielding thereby an intermediate approach to networking between fully distributed and centralized / Mestrado / Engenharia de Computação / Mestre em Engenharia Elétrica

Arquitetura de redes de computador

Centros de processamento de dados

Redes de computadores - Gerência

Redes de computadores - Protocolos

Redes de computadores

Computer networks

Architecture of computer networks

Data processing center

Computer networks (Management)

Computer networks - Protocols

Vulnerabilities in SNMPv3

Lawrence, Nigel Rhea

10 July 2012

Network monitoring is a necessity for both reducing downtime and ensuring rapid response in the case of software or hardware failure. Unfortunately, one of the most widely used protocols for monitoring networks, the Simple Network Management Protocol (SNMPv3), does not offer an acceptable level of confidentiality or integrity for these services. In this paper, we demonstrate two attacks against the most current and secure version of the protocol with authentication and encryption enabled. In particular, we demonstrate that under reasonable conditions, we can read encrypted requests and forge messages between the network monitor and the hosts it observes. Such attacks are made possible by an insecure discovery mechanism, which allows an adversary capable of compromising a single network host to set the keys used by the security functions. Our attacks show that SNMPv3 places too much trust on the underlying network, and that this misplaced trust introduces vulnerabilities that can be exploited.

Vulnerability

Man-in-the-middle

MITM

Exploit

Weakness

Authoritative

Non-authoritative

USM

TSM

Rfc1443

1443

Auth

Authentication

NMS

Manager

Management

Embedded

Computer networks Monitoring

Computer networks Management

Connection management applications for high-speed audio networking

Sibanda, Phathisile

12 March 2008

Traditionally, connection management applications (referred to as patchbays) for high-speed audio networking, are predominantly developed using third-generation languages such as C, C# and C++. Due to the rapid increase in distributed audio/video network usage in the world today, connection management applications that control signal routing over these networks have also evolved in complexity to accommodate more functionality. As the result, high-speed audio networking application developers require a tool that will enable them to develop complex connection management applications easily and within the shortest possible time. In addition, this tool should provide them with the reliability and flexibility required to develop applications controlling signal routing in networks carrying real-time data. High-speed audio networks are used for various purposes that include audio/video production and broadcasting. This investigation evaluates the possibility of using Adobe Flash Professional 8, using ActionScript 2.0, for developing connection management applications. Three patchbays, namely the Broadcast patchbay, the Project studio patchbay, and the Hospitality/Convention Centre patchbay were developed and tested for connection management in three sound installation networks, namely the Broadcast network, the Project studio network, and the Hospitality/Convention Centre network. Findings indicate that complex connection management applications can effectively be implemented using the Adobe Flash IDE and ActionScript 2.0.

Flash (Computer file)

Computer networks

Computer networks -- Management

Digital communications

Computer sound processing

Broadcast data systems

C# (Computer program language)

C++ (Computer program language)

ActionScript (Computer program language)

The role of cloud computing in addressing small, medium enterprise challenges in South Africa

Kumalo, Nkosi Hugh

08 1900

This thesis was motivated by Roberts (2010) who found that 63% of SMEs in South Africa do not make it past second year of operation. To expand further on this problem, we reviewed literature to understand key business challenges experienced by SMEs in South Africa which contribute to this high failure rate. The challenges include red tape, labour legislation, lack of skills, lack of innovation, impact of crime, and lack of funds. The research project aimed to answer a key question: “How can information technology, in the form of Cloud Computing be used to address the challenges faced by small and medium businesses in South Africa?” To answer this question, data was collected from 265 SME companies and quantitatively analysed. It is important to note that the profile of SMEs targeted in this study are those that employed fewer than 200 employees, with a turnover of not less than 26 million rand per annum, and registered with South African Revenue Services (SARS) and also with the Companies and Intellectual Property Commission (CIPC) of South Africa. Over 60% of the firms that responded to the survey were in business for more than 10 years which means we are mainly dealing with data from businesses that have past the survivalist stage and are matured businesses. These are businesses that can share their experiences and challenges they faced throughout their journey. The profile of SMEs in this study should not be confused with that of Very Small Medium Enterprise Businesses. The questionnaire was designed to address four themes being the Demographic profile, SME Business Environment, Threat of Survival, and lastly Technology Adoption. Key finding in this research is that 60% of the panellists stated that red tape is the overriding challenge that small businesses contend with. 67% of the panellists confirmed that they have not invested in their businesses in the past year; and 53% stated that they have not applied for finance from the bank for fear of being rejected. Only 30% of the SME market were found to use enterprise resource planning (ERP) and 62% do not have their own IT department. Of great concern is that 65% of the panellists have experienced server down time at least once in the past year. Inability to predict the rising IT costs in a firm has been cited as the main concern when running IT on premise. The cost predictability finding was also discovered to be a benefit enjoyed by the SMEs who use Cloud Computing. The conclusion is that there is a relationship between Cloud Computing, Small and Medium Enterprise businesses and the challenges they face in their business environment. To address the identified business challenges, technology adoption studies by Gumbi & Mnkandla (2015), Carcary, Doherty & Conway (2014), Lacovou et al (1995), Mohlomeane & Ruxwana (2014), Kshetri (2010), BMI Research (2018), Conway & Curry (2012), Li, Zhao & Yu (2015), Wernefeldt (1985), Schindehuitte & Morris (2001), Tornatzy & Flesher (1991) were reviewed. From these publications, the Technology, Organisational and Environmental (TOE) was found to be relevant and of interest for use in answering the main research question. This study developed the Cloud Adoption Framework which is the anchor of all SME challenges. Key study contribution is that the TOE model, which is predominantly used to understand the determinants of technology adoption like various industry applications, infrastructure innovations etc., are now used to address specific challenges that have contributed in the high failure rate of SME business. This is the first-time TOE model has been used to align with key SME challenges that contribute to firms’ failure. Specific technology across Software, Infrastructure and Platform services models are recommended for use by SMEs to ensure challenges are mitigated and improve the chances of survival for SMEs operating in South Africa. By following the recommended Cloud Adoption Framework, SMEs should be able to navigate the complexities brought about by the tough operating environment and also the technologies available to address those challenges. All six challenges have solutions in Cloud Computing and SMEs are educated on these solutions and also how to access these on a pay as you use model of consumption. / Business Management / D.B.L.

SME

Small and mdeium enterprise

Cloud adoption

Cloud computing

Cloud

Enterprise business challenges

South Africa

Information technology

IT

004.6782068

Cloud computing -- South Africa

Management information systems