
1 ITS-ZeeWave Meeting 2/26/2004 UCCS Chow
Network and Wireless Security
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory under agreement number F. It was also sponsored by NISSC Summer/Fall 2003 grants.

2 Outline of the Talk
- Overview of Network/Wireless Security research projects of the Network/System Lab
- Secure Collective Internet Defense (SCOLD)
  – Modified Bind9 server and secure DNS update with new DNS entries containing multiple indirect routing info
  – Implemented Secure Indirect Routing Protocol
- Autonomous Anti-DDoS (A2D2)
  – Integrated enhanced Snort IDS with multi-level adaptive rate limiting firewall
  – Design enterprise IDS/IHS with IDIP
- Secure Groupware for First Responders (SGFR)
  – Integrated group rekeying with instant messaging
  – Runs on Linux-based iPAQ/Palmtop with MANET
- Secure Mobile Ad Hoc Network (SMANET)
  – Implemented PEAP module on freeRADIUS server
  – Compared performance of PEAP vs. TTLS
  – Investigate how to defend against cyber attacks on MANET
- First Responder Sensor Network (FRSN)
  – Track fire fighters with Crossbow Mote-based sensor network
  – Design interface between SMANET and FRSN

3 Intrusion Related Research Areas
- Intrusion Prevention: general security policy, ingress/egress filtering
- Intrusion Detection: honey pot, host-based IDS (Tripwire), anomaly detection, misuse detection
- Intrusion Response: identification/traceback/pushback
- Intrusion Tolerance

4 Wouldn't it be Nice to Have Alternate Routes?
[Figure: the victim network and its DNS servers (DNS1, DNS2, DNS3) serving client networks net-a.mil, net-b.mil and net-c.mil; DDoS attack traffic and client traffic both arrive through the main gateway R, while the alternate gateways R1, R2, R3 (multi-homing) sit idle.]
How to reroute client traffic through R1–R3?

5 Secure Collective Defense
Main Idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal:
- Provide secure alternate routes
- Hide the IP addresses of the alternate gateways
Techniques:
- Multiple path (indirect) routing
- Enhanced secure DNS extension: how to inform client DNS servers to add new DNS entries with alternate routes (not your normal DNS name/IP address mapping entry)
- Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways
- Partition clients to come in at different proxy servers → can help identify the origin of spoofed attacks!
- How do clients use the new multiple path indirect DNS entries and route traffic through the proxy servers? → use the SOCKS protocol, modify the resolver library

6 Implement Alternate Routes
[Figure: same topology as slide 4, with alternate gateways R1–R3.]
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?

7 Possible Solution for Alternate Routes
[Figure: Proxy1, Proxy2 and Proxy3 placed in front of the alternate gateways R1–R3. Attack messages are blocked by the IDS at the proxies; the victim sends a distress call; a reroute command carrying the DNS name/IP address of the proxy and of the victim is sent out; a new route runs via Proxy3 to R3.]

8 SCOLD Phase 1
[Figure: attack traffic and client traffic at the victim's main gateway R; Proxy1–Proxy3 in front of R1–R3; a Reroute Coordinator.]
1. IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.

9 SCOLD Phase 2
[Figure: as in Phase 1.]
2. The Reroute Coordinator sends a reroute command with (DNS name, IP address of victim, proxy server(s)) to the client DNS servers DNS1–DNS3.

10 SCOLD Phase 3
[Figure: as in Phase 2.]
3. New routes are established: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.

11 SCOLD Phase 4
[Figure: as in Phase 3.]
4/4a. Attack traffic that follows the new routes is detected by the IDS at the proxies and blocked by their firewalls.

12 SCOLD Secure DNS Update with New Indirect DNS Entries
New DNS entries: (target.targetnet.com, , ALT ), where the ALT field carries a set of alternate proxy servers for indirect routes.
[Figure: Trusted Domain, WAN, DMZ and Client Domain, with the modified Bind9 server, the IP tunnel, the modified client resolver library and proxy2.]

13 SCOLD Indirect Routing
[Figure: indirect route over an IP tunnel.]

14 SCOLD Indirect Routing with Client running SCOLD client daemon
[Figure: indirect route over an IP tunnel.]

15 Performance of SCOLD v0.1
Table 1: Ping response time (on 3 hop route)
  No DDoS attack, direct route:   0.49 ms
  DDoS attack, direct route:      225 ms
  No DDoS attack, indirect route: 0.65 ms
  DDoS attack, indirect route:    (value not preserved in the transcript)
Table 2: SCOLD FTP/HTTP download test (from client to target): values not preserved in the transcript.

16 Current SCOLD Project Results
- Proposed new DNS entries for intrusion tolerance, containing multiple proxy server info for establishing indirect routes.
- Modified the Bind9 DNS server to accept secure DNS updates and to serve queries with the new indirect DNS entries.
- Developed a new secure DNS update utility to securely update the target zone file in the enhanced Bind9 DNS server.
- Implemented a new secure indirect routing protocol
  – to allow the client DNS to query the target DNS during a DDoS attack;
  – to allow the client to communicate with the target server through a proxy server and an alternate gateway.
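The phase 1–4 exchange and the indirect DNS entry of slide 12, as an added example that is not SCOLD's own code (the project modified Bind9 and the resolver library; this stand-alone Python simulation only models the message flow). Assumptions: the reroute command is authenticated with an HMAC-SHA256 tag plus a timestamp, standing in for the secure DNS update; the indirect entry lives in a dict rather than a zone file; the shared key, the addresses and the proxy names proxy1.example through proxy3.example are constructed; and clients are partitioned over proxies by hashing their source /24, one simple way to make "partition clients to come in at different proxy servers" tell which partition an attack came through.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


@dataclass
class IndirectEntry:
    """The new ALT-style DNS entry: (name, victim IP, alternate proxy servers)."""
    name: str
    victim_ip: str
    proxies: list


def encode_command(entry, ts):
    # Canonical JSON so coordinator and client DNS MAC identical bytes.
    return json.dumps({"name": entry.name, "ip": entry.victim_ip,
                       "alt": entry.proxies, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()


class RerouteCoordinator:
    """Phase 1/2: receives the victim's distress call, emits signed reroute commands."""

    def __init__(self, key):
        self.key = key  # shared secret with each client DNS (assumption)

    def reroute_command(self, entry, now=None):
        ts = int(time.time() if now is None else now)
        body = encode_command(entry, ts)
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class ClientDNS:
    """Phase 2: client-side DNS that verifies the update and stores the indirect entry."""

    def __init__(self, key, max_skew=300):
        self.key = key
        self.max_skew = max_skew
        self.direct = {}    # name -> IP, the normal A record
        self.indirect = {}  # name -> IndirectEntry, the new entry
        self.seen_ts = {}   # name -> last accepted timestamp (replay guard)

    def apply_update(self, msg, now=None):
        body, tag = msg["body"], msg["tag"]
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                     # forged or tampered command
        rec = json.loads(body)
        now = time.time() if now is None else now
        if abs(now - rec["ts"]) > self.max_skew:
            return False                     # stale command
        if rec["ts"] <= self.seen_ts.get(rec["name"], -1):
            return False                     # replayed command
        self.seen_ts[rec["name"]] = rec["ts"]
        self.indirect[rec["name"]] = IndirectEntry(rec["name"], rec["ip"],
                                                   list(rec["alt"]))
        return True


def choose_proxy(client_ip, proxies):
    """Partition: every client in the same /24 is steered to the same proxy."""
    prefix = ".".join(client_ip.split(".")[:3])
    digest = int(hashlib.sha256(prefix.encode()).hexdigest(), 16)
    return proxies[digest % len(proxies)]


def resolve(dns, name, client_ip):
    """Phase 3, modified-resolver behaviour: use the indirect route when one exists."""
    entry = dns.indirect.get(name)
    if entry is None:
        return {"route": "direct", "ip": dns.direct[name]}
    return {"route": "indirect", "ip": entry.victim_ip,
            "via": choose_proxy(client_ip, entry.proxies)}


def suspects_for_proxy(proxy, client_ips, proxies):
    """Phase 4: attack traffic seen at one proxy can only come from its partition."""
    return [c for c in client_ips if choose_proxy(c, proxies) == proxy]


if __name__ == "__main__":
    key = b"coordinator/client-dns shared secret (constructed)"
    coord, dns = RerouteCoordinator(key), ClientDNS(key)
    dns.direct["target.targetnet.com"] = "10.0.0.10"            # constructed
    entry = IndirectEntry("target.targetnet.com", "10.0.0.10",
                          ["proxy1.example", "proxy2.example", "proxy3.example"])
    cmd = coord.reroute_command(entry)                           # after the distress call
    print("update accepted:", dns.apply_update(cmd))
    print("client 192.0.2.7 now resolves to:",
          resolve(dns, "target.targetnet.com", "192.0.2.7"))
    print("suspects if proxy2 sees attack traffic:", suspects_for_proxy(
        "proxy2.example", ["192.0.2.7", "198.51.100.3", "203.0.113.9"], entry.proxies))
```

Running the file prints the accepted update, the proxy a sample client is steered to, and the suspect set for proxy2. Replayed and stale commands are rejected, so a captured reroute command cannot be reused later to redirect clients into an attacker-chosen proxy; a forged command fails the tag check without the shared key.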

17 Benefits of Secure Collective Defense
Security:
- When attacked, users switch to different routes dynamically
- Urgent/critical packets sent over multiple routes simultaneously
- Encrypted content sent over multiple routes
- Information on DDoS attacks used to isolate the source of the attacks
Reliability:
- Users can choose the most reliable route dynamically
- Packet content spread over multiple routes
- Use redundant transmission or error correction to reduce PLR (packet loss rate)
Performance:
- Multiple indirect routes provide additional bandwidth
- Can be used for dynamic bandwidth provisioning

18 A2D2: Autonomous Anti DDoS
Main Idea: integrate an enhanced IDS with an adaptive firewall for autonomous intrusion defense.
Goal:
- Automate adaptive intrusion handling triggered by enhanced intrusion detection
- Investigate the impact of various intrusion types on QoS
Techniques:
- Enhanced Snort plug-in with subnet spoofing detection
- Adaptive rate limiting firewall with user-defined threshold and intrusion history


20 A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
[Figure.]
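The two A2D2 techniques above, subnet spoofing detection feeding a multi-level adaptive rate limiter, run over a constructed packet trace, as an added example that is not A2D2's Snort plug-in or firewall code. Assumptions: a /24 is flagged when more than 16 distinct source addresses hit one target within 2 s (the slides do not give A2D2's thresholds); the three rate-limit levels and their durations are made up; and the trace, one legitimate client plus a flood spoofed from 40 addresses in 203.0.113.0/24, is constructed inline.

```python
import ipaddress
from collections import defaultdict, deque


def subnet_of(ip, prefix=24):
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class SubnetFloodDetector:
    """Subnet spoofing check: flags a /24 when more distinct source addresses
    than `distinct_threshold` hit one target inside `window` seconds."""

    def __init__(self, window=2.0, distinct_threshold=16):
        self.window = window
        self.threshold = distinct_threshold
        self.events = defaultdict(deque)  # (dst, subnet) -> deque of (ts, src)

    def observe(self, ts, src, dst):
        subnet = subnet_of(src)
        q = self.events[(dst, subnet)]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len({s for _, s in q}) > self.threshold:
            return subnet
        return None


class AdaptiveRateLimiter:
    """Multi-level adaptive rate limiting: each new incident for a subnet moves
    it one level up (fewer packets/s, longer duration); the intrusion history
    is kept even after a limit expires."""

    LEVELS = [(20, 30.0), (5, 120.0), (1, 600.0)]  # (packets/s, seconds); assumed values

    def __init__(self, levels=None):
        self.levels = levels or self.LEVELS
        self.history = defaultdict(int)  # subnet -> incidents so far
        self.active = {}                 # subnet -> (rate, expires_at)
        self.passed = defaultdict(int)   # (subnet, whole second) -> packets passed

    def escalate(self, subnet, now):
        level = min(self.history[subnet], len(self.levels) - 1)
        self.history[subnet] += 1
        rate, duration = self.levels[level]
        self.active[subnet] = (rate, now + duration)
        return level

    def allow(self, src, now):
        subnet = subnet_of(src)
        if subnet not in self.active:
            return True
        rate, expires = self.active[subnet]
        if now >= expires:
            del self.active[subnet]      # limit lapsed; history still remembers
            return True
        slot = (subnet, int(now))
        if self.passed[slot] >= rate:
            return False
        self.passed[slot] += 1
        return True


def run_pipeline(packets, detector=None, limiter=None):
    """Feed (ts, src, dst) packets through IDS then firewall; returns counts per subnet."""
    detector = detector or SubnetFloodDetector()
    limiter = limiter or AdaptiveRateLimiter()
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    flagged = {}
    for ts, src, dst in packets:
        subnet = subnet_of(src)
        hit = detector.observe(ts, src, dst)
        if hit and hit not in flagged:
            flagged[hit] = limiter.escalate(hit, ts)   # IDS alert -> firewall level
        if limiter.allow(src, ts):
            stats[subnet]["accepted"] += 1
        else:
            stats[subnet]["dropped"] += 1
    return {"stats": dict(stats), "flagged": flagged, "limiter": limiter}


def constructed_trace():
    """Constructed sample: one legitimate client plus a flood spoofed from
    40 addresses in 203.0.113.0/24, both at 100 packets/s for 2 s."""
    pkts = []
    for i in range(200):
        ts = i * 0.01
        pkts.append((ts, "198.51.100.9", "10.0.0.10"))
        pkts.append((ts, f"203.0.113.{i % 40 + 1}", "10.0.0.10"))
    return pkts


if __name__ == "__main__":
    out = run_pipeline(constructed_trace())
    print("flagged subnets and their level:", out["flagged"])
    for subnet, counts in out["stats"].items():
        print(subnet, counts)
```

The legitimate client (a single source address) is never touched; the spoofed subnet loses most of its traffic once the 17th distinct address appears; and a second incident for the same subnet lands at level 1 even after the first limit has lapsed. That memory is what makes the limiter "adaptive" rather than a plain per-second cap.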

21–26 A2D2 Results (QoS experienced at the A2D2 client)
Slide  Scenario                                  Received  Retrans. requests  Retrans. received  Lost       Note
21     Non-stop attack                           8,039     2,592              35                 2,557      connection timed out
22     UDP attack; mitigation: firewall policy   23,407    0                  0                  0
23     ICMP attack; mitigation: firewall policy  7,127     2,105              4                  2,101      connection timed out
24     ICMP attack; firewall policy + CBQ        23,438    0                  0                  0
25     TCP attack; policy + CBQ                  22,179    4,090              2,641              1,449      screen quality impact
26     TCP attack; policy + CBQ + rate limiting  23,444    49 – 1,376         40 – 776           9 – 600

27 Autonomous Anti-DDoS
[Figure.]

28 SGFR: Secure Groupware for First Responder
Main Idea: design a framework for enhancing the security of groupware packages such as instant messengers and video monitoring/conferencing tools.
Goal:
- Investigate the proper interface between a group rekeying system and groupware
- Develop a secure instant messaging system with remote group file download and remote display
- Test the prototype software on PDAs over a mobile ad hoc network
- Integrate with stress level and tool usage effectiveness evaluation (a joint project with Dr. Chip Benight of the Psychology Department at UCCS)
Techniques:
- Scalable group key management (Keystone from UT Austin)
- Efficient groupware (Jabber instant messaging system)
- Mobile ad hoc network (NIST)

29 SGFR Features
- Security-enhanced groupware: instant messenger (JabberX)
- Group communication server: instant messaging server (Jabber)
- Psychology evaluation: stress level tracking; effectiveness of tool usage (keyboard/mouse event tracking, history of commands, mistakes, popup quiz?)
- Group key management: secure group rekeying system (Keystone)

30 SGFR System Architecture
[Figure: SGFR Client, SGFR Group Key Server and SGFR Instant Messenger Server. Client to Group Key Server: registration/authentication and group key distribution. Client to Instant Messenger Server: sign-in and create/join chat groups. The client encrypts/decrypts messages using the group key.]

31 SGFR System Operation
[Figure.]

32 Associate JabberX client with Keyserver and Jabber server
- Users log in to the Jabber server.
- If login is successful, the client registers with the Keyserver.
- When a user creates/joins a group, the Keyserver gives a key to the client.
- When a user leaves the group, the Keyserver generates a new key for the remaining members of the group.
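The join/leave/rekey steps of slide 32, as an added example that is not SGFR's or Keystone's code. Assumptions: the key server does flat rekeying (the new group key wrapped under each remaining member's individual key) where Keystone uses key trees; the message cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for whatever cipher the JabberX client used; each client's individual key is handed out at registration rather than derived from the digital certificate named on slide 36; and the Jabber transport is elided, so send() returns what would go on the wire and receive() takes it back.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in keystream (assumption, not SGFR's cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || 16-byte tag.
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def unseal(key, blob):
    # Plaintext, or None when the tag fails (wrong key or tampering).
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16], tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class KeyServer:
    # Keyserver role. Flat O(n) rekeying (Keystone's key trees give O(log n)); assumption.

    def __init__(self):
        self.members = {}   # user -> individual key, set at registration
        self.groups = {}    # group -> [version, group key, set of users]
        self.outbox = []    # (user, group, version, wrapped group key)

    def register(self, user):
        self.members[user] = os.urandom(32)
        return self.members[user]

    def _rekey(self, group):
        g = self.groups[group]
        g[0], g[1] = g[0] + 1, os.urandom(32)
        for u in g[2]:
            self.outbox.append((u, group, g[0], seal(self.members[u], g[1])))

    def join(self, group, user):
        self.groups.setdefault(group, [0, None, set()])[2].add(user)
        self._rekey(group)   # backward secrecy: joiner cannot read earlier traffic

    def leave(self, group, user):
        self.groups[group][2].discard(user)
        self._rekey(group)   # forward secrecy: leaver cannot read later traffic


class Client:
    # JabberX client role: individual key from registration plus current group keys.

    def __init__(self, name, server):
        self.name, self.ikey, self.group_keys = name, server.register(name), {}

    def fetch(self, server):
        mine = [m for m in server.outbox if m[0] == self.name]
        server.outbox = [m for m in server.outbox if m[0] != self.name]
        for _, g, v, wrapped in mine:
            key = unseal(self.ikey, wrapped)
            if key is not None:
                self.group_keys[g] = (v, key)

    def send(self, group, text):
        v, key = self.group_keys[group]
        return (v, seal(key, text.encode()))   # what would travel over Jabber

    def receive(self, group, msg):
        v, blob = msg
        have = self.group_keys.get(group)
        if have is None or have[0] != v:
            return None                          # no key for that key version
        pt = unseal(have[1], blob)
        return None if pt is None else pt.decode()


def demo():
    # Slide 32 sequence: alice and bob chat, carol joins, bob leaves.
    srv = KeyServer()
    alice, bob, carol = (Client(n, srv) for n in ("alice", "bob", "carol"))
    srv.join("g1", "alice")
    srv.join("g1", "bob")
    alice.fetch(srv); bob.fetch(srv)
    m1 = alice.send("g1", "Hello")
    out = {"bob_reads_m1": bob.receive("g1", m1)}
    srv.join("g1", "carol")                      # rekey for alice, bob, carol
    alice.fetch(srv); bob.fetch(srv); carol.fetch(srv)
    out["carol_reads_m1"] = carol.receive("g1", m1)
    out["carol_forced_m1"] = unseal(carol.group_keys["g1"][1], m1[1])
    srv.leave("g1", "bob")                       # rekey for alice and carol only
    alice.fetch(srv); carol.fetch(srv)
    m2 = alice.send("g1", "Bob has left")
    out["carol_reads_m2"] = carol.receive("g1", m2)
    out["bob_reads_m2"] = bob.receive("g1", m2)
    out["bob_forced_m2"] = unseal(bob.group_keys["g1"][1], m2[1])
    return out
```

demo() shows both directions of the rekey: carol, who joined after "Hello" was sent, gets None for it even when she tries her current key directly on the ciphertext, and bob, who left before "Bob has left", gets None the same way. The version number carried with each message lets a client tell "I never had this key" from "the tag failed", which matters when rekeys and messages arrive out of order over a MANET.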

33 Output of the Keystone Server
[Screenshot: user ganesh joining group g1, then user ayen joining group g1; a first group key is assigned to the group, and a second group key is assigned when the member joined.]

34 Packet captured by Ethereal Packet Sniffer
[Screenshot: output of the Jabber server running on a machine, and an Ethereal capture showing the encrypted "Hello" surrounded by the message tag.]

35 Testing Results
Table 1: time taken (ms) for client registration, group join and group leave, per run and average per run (values not preserved in the transcript).
Table 2: time taken (ms) for file transfer by file size, starting at 8.5K (values not preserved in the transcript).

36 Conclusion
- A secure group communication software package, SGFR v.0, was developed.
- Digital certificates are used to authenticate client access.
- Group keys are distributed when members join/leave or on a time period.
- The group key is used to encrypt the messages.
- Enhanced Jabber-based text chat with remote file download and remote display.
- Ported SGFR v.0 to run on handheld devices including an iPAQ PDA running Linux and a Sony Palmtop, over an 802.11b mobile ad hoc network.

37 Secure Wireless Access Control
Goal:
- Compare the performance of two proposed wireless authentication protocols, PEAP vs. TTLS.
- Develop a PEAP module for the freeRADIUS server on Linux.
Techniques/tools used: Xsupplicant, Windows XP, freeRADIUS, Windows 2003 Server, OpenSSL

38 UCCS Secure Wireless Access Testbed
[Figure: wireless client, access point and RADIUS server.]

39 Client/Server Machine Configurations
Machine / spec | Role and IP address | OS | Software
wiper.uccs.edu, 1.8 GHz, 1 GB RAM | RADIUS server and DHCP server | RedHat 9.0 (Linux) | FreeRADIUS, modified CVS snapshot (radiusd tar.gz)
willow.uccs.edu | Access point, Cisco Aironet | RedHat 9.0 (Linux) | Cisco 1200 series software
Toshiba, 366 MHz, 512 MB | Wireless client using Cisco Aironet 350 PC Card, dynamic IP address | RedHat 6.2 (Linux) | Open1x Xsupplicant version 9.0
Hobbit, 1 GHz Dell Optiplex, 512 MB | Wireless client using Cisco Aironet 350 PCI Card, dynamic IP address | Windows XP SP1 and RedHat 9.0 (Linux) | Open1x Xsupplicant for Linux; the supplicant built into the XP Service Pack
(IP addresses and kernel versions on the slide were not preserved in the transcript.)

40 PEAP vs. TTLS on Toshiba machine
[Table: average and variance for PEAP and TTLS; values not preserved in the transcript.]

41 PEAP vs. TTLS Average Performance
[Chart.]

42 Conclusion
- Developed a RADIUS server on Linux that supports both PEAP and TTLS.
- PEAP is more influenced by the client's processor speed, distance range and transient network conditions than TTLS.
- Although the performance advantage of TTLS over PEAP is negligible, TTLS outperformed PEAP by about 10% on average in all the tests.
- The enhanced RADIUS server can serve both Windows and Linux clients.

43 First Responder Sensor Network
Goal: how can a wireless sensor network assist first responders?
Status: created a wireless sensor testbed with Crossbow Professional Mote Kits and Intel Stargate gateway devices.
Current tasks:
- Investigate how to deploy sensor networks (pre-planned or dynamically deployed).
- Develop algorithms for tracking first responders using wireless sensors.
- Security in SMANET+FRSN.

44 Scenario 1: Preplanned Wireless Sensors
- The building is surveyed and deployed with wireless sensors, and floor plan information is loaded into the gateway device.
- When there is a fire, first responders can tap into the secure wireless sensor network to see the condition of the building overlaid on the floor plan.

45 Scenario 2: Dynamically Deployed Sensors
- Fire fighters drop wireless sensors along the route in.
- If a sensor detects a temperature increase or is moved, it relays the data through the multi-hop wireless sensor network to both the team inside and the team outside.

46 Secure Access to Sensor Network
- A terrorist may access the sensors and the information on the gateway.
- Need authentication for secure access.
- Need encryption to prevent sniffing by a terrorist.
- Need redundancy for fault tolerance and for verifying the sensor results.
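The authentication and redundancy requirements above, as an added example that is not FRSN code. Assumptions: each mote shares a pre-placed HMAC key with the gateway (how keys reach the motes is not covered by the slides); readings carry a sequence number so a replayed reading is rejected; and a zone of four redundant motes is cross-checked by taking the median and flagging any mote more than 10 °C away from it. The readings (three around 45 °C, one faulty or compromised node at 20 °C, one forged message, one replay) are constructed. Link encryption, the second requirement, is left out of this example.

```python
import hashlib
import hmac
import json
import statistics

# Constructed per-mote keys; assumption: pre-shared at deployment time.
MOTE_KEYS = {
    "mote-1": b"k1-" * 8,
    "mote-2": b"k2-" * 8,
    "mote-3": b"k3-" * 8,
    "mote-4": b"k4-" * 8,
}


def sign_reading(mote_id, seq, temp_c, key):
    """What a mote sends: canonical JSON body plus a truncated HMAC-SHA256 tag."""
    body = json.dumps({"id": mote_id, "seq": seq, "t": temp_c},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return {"body": body, "tag": tag}


class GatewayVerifier:
    """Gateway side: accept a reading only if its tag checks and its sequence number advances."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def accept(self, msg):
        rec = json.loads(msg["body"])
        key = self.keys.get(rec["id"])
        if key is None:
            return None                                  # unknown mote
        expect = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(expect, msg["tag"]):
            return None                                  # forged or tampered
        if rec["seq"] <= self.last_seq.get(rec["id"], -1):
            return None                                  # replayed
        self.last_seq[rec["id"]] = rec["seq"]
        return rec


def fuse_zone(readings, max_dev=10.0):
    """Cross-check redundant motes in one zone: median plus the motes that disagree with it."""
    temps = [r["t"] for r in readings]
    med = statistics.median(temps)
    outliers = [r["id"] for r in readings if abs(r["t"] - med) > max_dev]
    return {"median": med, "outliers": outliers, "n": len(readings)}


def demo():
    """Constructed zone: three agreeing motes, one bad node, one forgery, one replay."""
    gw = GatewayVerifier(MOTE_KEYS)
    msgs = [
        sign_reading("mote-1", 1, 44.0, MOTE_KEYS["mote-1"]),
        sign_reading("mote-2", 1, 46.0, MOTE_KEYS["mote-2"]),
        sign_reading("mote-3", 1, 45.0, MOTE_KEYS["mote-3"]),
        sign_reading("mote-4", 1, 20.0, MOTE_KEYS["mote-4"]),   # faulty or compromised node
        sign_reading("mote-2", 2, 90.0, b"wrong-key"),           # forged by an attacker
        sign_reading("mote-1", 1, 44.0, MOTE_KEYS["mote-1"]),   # replay of seq 1
    ]
    accepted, rejected = [], 0
    for m in msgs:
        rec = gw.accept(m)
        if rec is None:
            rejected += 1
        else:
            accepted.append(rec)
    result = fuse_zone(accepted)
    result["rejected"] = rejected
    return result


if __name__ == "__main__":
    print(demo())
```

The forgery and the replay never reach the fusion step, and the node reporting 20 °C is reported as an outlier rather than silently pulling the zone estimate down; a single authenticated mote can still lie, which is why the redundancy check is needed on top of the HMAC.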

47 Summary
- We have innovated ideas on intrusion tolerance/SMANET.
- We have developed expertise in: secure DNS systems; secure multiple path indirect routing; autonomous systems with enhanced IDS + firewall; secure wireless access and MANET; group key management; secure groupware; wireless sensor networks for first responders; content switching; network restoration.
- Very interested in research and development collaboration.