CSC461-CN-Lecture-15-Feb.-13-2013


Transcript of CSC461-CN-Lecture-15-Feb.-13-2013

  • 7/28/2019 CSC461-CN-Lecture-15-Feb.-13-2013

    1/171

    BITS Pilani | Pilani | Dubai | Goa | Hyderabad

    Performance & Application-driven Approaches to Design of Computer Networks
    Lectures 15-17, February 15-17, 2013

    Rahul Banerjee, PhD (CSE)
    Professor, Department of Computer Science & Information Systems
    E-mail: [email protected]

  • Slide 2

    BITS Pilani, Deemed to be University under Section 3 of UGC Act, 1956

    Significance of the Application-Driven Approach to Design Computer Networks
    Need for Specialized Protocols for Applications / Classes of Applications / Services
    Select Application-Layer Services & Protocols: HTTP, DNS, DHCP, SMTP, POP, IMAP, SOAP, REST
    Network-based Multimedia Applications
    Overlay Networks, Protocols and Applications
    Example cases of VoIP, SIP, Skype, WebEx, ATT-Connect, AdobeConnect, Jabber
    Summary
    Interaction Points

  • Slide 3

    Starters, before we begin the main course!

    First, a quick recap of Protocols and Protocol Graphs and a little additional information!

  • Slide 4

    Of Protocols & Protocol Graphs

    A network protocol, in the simplest sense, is a set of pre-defined, behaviorally encoded request-response pairs that, along with a set of rules and conventions, allow meaningful communication within and between nodes of a network.

    A graph showing the interrelation of various collaborating protocols at different levels is called a Protocol Graph.

    In a protocol graph, each protocol is represented as a node.

    [Figure: protocol graph with nodes HTTP and TFTP above TCP and UDP, both above IP]

  • Slide 5

    Example of a Simple Protocol Graph as applicable to the Internet

    [Figure: HTTP and FTP over TCP, TFTP over UDP, TCP and UDP over IP]

  • Slide 6

    Protocol Representation

    There exist numerous schemes of representation of a given Protocol.

    One common way to specify a Protocol is to represent it as a State Transition Diagram.

  • Slide 7

    Protocol Validation

    A Protocol needs to be proven correct before it is implemented.

    There exist quite a few ways of formal and semi-formal verification of Protocols.

    One common technique is to first represent a protocol as a State Transition Diagram and then examine it for its completeness, reachability, points of weakness, etc.

  • Slide 8

    System Model

    An abstract computer model: state machine.

    A network or a distributed system model comprises a set of n state machines called processors that communicate with each other, which can be represented as a graph.

    Message passing communication model: queue(s) Qij, for messages from Pi to Pj.

    System configuration is the set of states and message queues.

    In any case it is assumed that the topology remains connected, i.e., there exists a path between any two nodes.

  • Slide 9

    Definition

    States satisfying P are called legitimate states and those not satisfying P are called illegitimate states.

    A system S is self-stabilizing with respect to predicate P if it satisfies the properties of closure and convergence.

  • Slide 10

    Dijkstra's self-stabilizing token ring system

    When a machine has a privilege, it is able to change its current state, which is referred to as a move.

    A legitimate state must satisfy the following constraints:
    There must be at least one privilege in the system (liveness or no deadlock).
    Every move from a legal state must again put the system into a legal state (closure).
    During an infinite execution, each machine should enjoy a privilege an infinite number of times (no starvation).
    Given any two legal states, there is a series of moves that change one legal state to the other (reachability).

    Dijkstra considered a legitimate (or legal) state as one in which exactly one machine enjoys the privilege.
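The four constraints and the convergence property, checked mechanically on Dijkstra's K-state ring; this is example code added for this transcript, not from the lecture. It assumes the K-state rule: machine 0 (the bottom machine) is privileged when its state equals that of machine n-1 and moves by incrementing its state modulo K, every other machine is privileged when its state differs from its left neighbour's and moves by copying it, and K > n so that convergence is guaranteed.

```python
import random
from typing import List, Tuple


def privileged(states: List[int], i: int) -> bool:
    """Does machine i hold a privilege in this state vector? (K-state rule.)"""
    n = len(states)
    if i == 0:                                  # bottom machine
        return states[0] == states[n - 1]
    return states[i] != states[i - 1]


def privileges(states: List[int]) -> List[int]:
    """Indices of all privileged machines. The list is never empty: if no
    machine i > 0 is privileged all states are equal, so machine 0 is."""
    return [i for i in range(len(states)) if privileged(states, i)]


def is_legitimate(states: List[int]) -> bool:
    """Dijkstra's legal state: exactly one machine enjoys the privilege."""
    return len(privileges(states)) == 1


def move(states: List[int], i: int, k: int) -> List[int]:
    """Machine i, which must hold a privilege, changes its state (a move)."""
    if not privileged(states, i):
        raise ValueError(f"machine {i} holds no privilege")
    new = list(states)
    new[i] = (states[0] + 1) % k if i == 0 else states[i - 1]
    return new


def stabilize(states: List[int], k: int, rng: random.Random,
              max_moves: int = 10000) -> Tuple[List[List[int]], int]:
    """Convergence: a central daemon picks one privileged machine at a time,
    starting from an arbitrary (possibly illegitimate) state, until the
    system is legitimate. Returns (trace of states, number of moves)."""
    trace = [list(states)]
    for moves in range(max_moves):
        if is_legitimate(states):
            return trace, moves
        states = move(states, rng.choice(privileges(states)), k)
        trace.append(list(states))
    raise RuntimeError("no convergence within max_moves")


def check_closure(states: List[int], k: int, rounds: int) -> bool:
    """Closure and no starvation from a legitimate state: every move keeps
    exactly one privilege, and the privilege visits every machine."""
    visited = set()
    for _ in range(rounds):
        ps = privileges(states)
        if len(ps) != 1:
            return False
        visited.add(ps[0])
        states = move(states, ps[0], k)
    return visited == set(range(len(states)))


def reachability(start: List[int], target: List[int], k: int,
                 limit: int = 1000) -> bool:
    """Reachability: from a legal state the single privilege circulates
    deterministically, so another legal state is reached by making moves."""
    states = start
    for _ in range(limit):
        if states == target:
            return True
        states = move(states, privileges(states)[0], k)
    return False
```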

  • Slide 11

    Automata with Inputs/Outputs

    Each state emits an output symbol that is noted on the state.

    Alternatively, each transition is marked with the event that triggers the transition and below it lists the actions that are taken as a result of the transition.

    [Figure: two three-state automata (states 1, 2, 3) over events a, b, c, d; left: outputs s1, s2, s3 written on the states; right: transitions labelled a/s2, b/s2, c/s3, d/s1]

  • Slide 12

    Example of FSM Model for Protocol Verification (Stop and Wait Protocol)

    The transmitter sends a frame and stops, waiting for an acknowledgement (ACK) from the receiver.

    Once the receiver correctly receives the expected packet, it sends an acknowledgement to let the transmitter send the next frame.

    When the transmitter does not receive an ACK within a specified period of time (timer), it retransmits the packet.

    [Figure: Transmitter/Receiver timeline with a timer at each frame: Frame0, ACK0, Frame1, ACK1, Frame0, ACK0]


  • Slide 14

    FSM for Stop and Wait Protocol

    [Figure: receiver FSM with states Wait Pkt0 and Wait Pkt1; transitions labelled "Pkt0 received / Send Ack0" and "Pkt1 received / Send Ack1"]
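The two FSMs of slides 12 and 14 run against a lossy channel, as an added example written for this transcript (not code from the lecture). It assumes a channel that drops each frame or ACK independently with a fixed probability, a transmitter that retransmits on timer expiry, and a receiver that acknowledges duplicates without delivering them.

```python
import random
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Receiver:
    """Receiver FSM: expected == 0 is 'Wait Pkt0', expected == 1 is 'Wait Pkt1'."""
    expected: int = 0
    delivered: List[str] = field(default_factory=list)

    def on_frame(self, seq: int, payload: str) -> int:
        """Transition 'PktN received / Send AckN'. Returns the ACK number sent."""
        if seq == self.expected:
            self.delivered.append(payload)   # in-order frame: pass it up
            self.expected ^= 1               # move to the other wait state
        # A duplicate (seq != expected) is discarded but still acknowledged;
        # otherwise the transmitter would retransmit it forever.
        return seq


def run_stop_and_wait(payloads: List[str], loss_prob: float, rng: random.Random,
                      max_retries: int = 50) -> Tuple[List[str], List[str]]:
    """Transmitter FSM sending one frame at a time over a channel that drops
    each frame or ACK independently with probability loss_prob (constructed
    model). Returns the payloads delivered at the receiver and the event trace."""
    rx = Receiver()
    trace: List[str] = []
    seq = 0                                  # transmitter state: next sequence number
    for payload in payloads:
        retries = 0
        while True:                          # stay here until ACK<seq> arrives
            trace.append(f"Frame{seq}")
            ack = None
            if rng.random() >= loss_prob:    # frame survives the channel
                sent_ack = rx.on_frame(seq, payload)
                if rng.random() >= loss_prob:   # ACK survives the channel
                    ack = sent_ack
            if ack == seq:                   # expected ACK: advance
                trace.append(f"ACK{ack}")
                break
            trace.append("Timer")            # timer expires: retransmit
            retries += 1
            if retries > max_retries:
                raise RuntimeError("link appears to be down")
        seq ^= 1                             # alternate 0/1 for the next frame
    return rx.delivered, trace
```

With loss_prob 0.0 the trace is exactly the timeline of slide 12 for three frames: Frame0, ACK0, Frame1, ACK1, Frame0, ACK0.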

  • Slide 15

    Communication protocols

    A communication protocol might be affected due to:
    Initialization to an illegal state.
    [email protected] processes get the request for the change at the same time, so an illegal global state may occur.
    Transmission errors because of message loss or corruption.
    Process failure and recovery.
    A local memory crash which changes the local state of a process.

  • Slide 16

    Exercise

    Write a simulation program that imitates the behavior of the network shown below.

    The inputs to your program are the capacities of each buffer as well as the clock structure (three vectors with the lifetimes of each event).

    The output from your program is the sample path of the network, i.e., the state trajectory and/or a trace consisting of a sequence of events and its corresponding time.

    [Figure: two buffers B1 and B2 in tandem with events a, d1 and d2]
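One way to write the simulator the exercise asks for, as an added example (not part of the lecture). It assumes the figure's meaning: a is an arrival to B1, d1 a departure from B1 into B2, d2 a departure from B2; an arrival to a full B1 is lost, B1 is blocked while B2 is full, and the i-th activation of an event consumes the i-th lifetime of its vector (the simulation stops when a vector runs out).

```python
from typing import Dict, List, Tuple

Event = str
State = Tuple[int, int]


def simulate(cap: Tuple[int, int], lifetimes: Dict[Event, List[float]],
             max_events: int = 10_000) -> Tuple[List[Tuple[float, Event, State]], int]:
    """Event-driven simulation of two finite buffers in tandem.

    cap       = (capacity of B1, capacity of B2)
    lifetimes = the clock structure: one vector of lifetimes per event type
                'a', 'd1', 'd2' (constructed input, see the test below).
    Returns the sample path [(time, event, (x1, x2)), ...] and the number of
    arrivals lost because B1 was full."""
    x1 = x2 = 0                                 # state: occupancy of B1 and B2
    t = 0.0
    lost = 0
    clocks: Dict[Event, float] = {}             # residual lifetime per active event
    used = {e: 0 for e in lifetimes}            # lifetimes consumed per event
    trace: List[Tuple[float, Event, State]] = [(t, "init", (x1, x2))]

    def feasible(e: Event) -> bool:
        if e == "a":
            return True                         # arrivals never stop
        if e == "d1":
            return x1 > 0 and x2 < cap[1]       # B1 is blocked while B2 is full
        return x2 > 0                           # "d2"

    for _ in range(max_events):
        for e in lifetimes:                     # activate newly feasible events
            if feasible(e) and e not in clocks:
                if used[e] >= len(lifetimes[e]):
                    return trace, lost          # clock structure exhausted
                clocks[e] = lifetimes[e][used[e]]
                used[e] += 1
        e = min(clocks, key=clocks.get)         # event with the smallest clock fires
        dt = clocks.pop(e)
        t += dt
        for other in clocks:
            clocks[other] -= dt                 # the other clocks keep running
        if e == "a":
            if x1 < cap[0]:
                x1 += 1
            else:
                lost += 1                       # B1 full: arrival is dropped
        elif e == "d1":
            x1 -= 1
            x2 += 1
        else:
            x2 -= 1
        for other in list(clocks):              # disabled events lose their clock
            if not feasible(other):
                del clocks[other]
        trace.append((t, e, (x1, x2)))
    return trace, lost
```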

  • Slide 17

    (c) Dr. Rahul Banerjee, BITS, Pilani, India

    A Few Measures of Network Performance

    Available performance: Bandwidth, the width of the usable / allotted frequency band, expressed as a rate of data transfer in bits per second.
    Measured performance: Throughput, the actual measured rate of achievable data transfer in bits per second.
    Bandwidth often has a value greater than that of the Throughput.
    Other measures: Round-Trip Time (RTT); Latency (delays of various kinds); the Delay x Bandwidth metric; Quality of Service.

  • Slide 18

    15/02/13 Dr. Rahul Banerjee, Department of Computer Science, BITS-Pilani, INDIA

    Performance Matters

    With significant input from: Professor Bob Kinicki, Computer Science Department, WPI, USA

  • Slide 19

    Interaction Points

    Computer Network Performance Metrics
    Performance Evaluation Techniques
    Workload Characterization
    Simulation Models
    Analytic Models
    Empirical Measurement Studies
    What to measure?
    Choice of measurement tools
    The Design of Measurement Experiments

  • Slide 20

    Performance Evaluation

    Performance evaluation is the application of the scientific method to the study of computer systems.

    Viewed as distinct from computer system design, the goal of performance evaluation is to determine the effectiveness and fairness of a computer system that is assumed to work correctly.

    Performance evaluation techniques have been developed to accurately measure the effectiveness with which computer system resources are managed while striving to provide service that is fair to all customer classes.

    Performance Evaluation of Computer Networks 20

  • Slide 21

    Computer Network Performance Metrics

    Metric :: a descriptor used to represent some aspect of a computer network's performance.

    The goal is objective performance indices. For computer networks, metrics can capture performance at multiple layers of the protocol stack, e.g., UDP throughput, IP packet round trip time, MAC layer channel utilization.

    Performance metrics can be positive and negative, e.g., goodput, packet loss rate, MAC layer retries.

  • Slide 22

    [Figure: Wide Area Network (WAN) of routers 1-17 interconnecting Hosts A-N]

  • Slide 23

    [Figure: Wireless Local Area Network (WLAN) with an AP, Clients and a Server]

  • Slide 24

    Sample Performance Measures

    Category        | Metric                                      | Units
    productivity    | throughput, effective capacity              | Mbps
    responsiveness  | delay, round trip time, queue size          | milliseconds, packets
    utilization     | channel utilization                         | percentage of time busy
    losses          | packet loss rate, frame retries             | loss percentage
    buffer problems | AP queue overflow, playout buffer underflow | packet drops, rebuffer events

  • Slide 25

    [Figure: Wide Area Network (WAN) of nodes 1-17 interconnecting Hosts A-N]

  • Slide 26

    [Figure: Local Area Network (LAN) with stations A, B, C, X, Y, Z]

  • Slide 27

    [Figure: Wireless Local Area Network (WLAN) with an AP, a Client and a Server]

  • Slide 28

    Outline

    Performance Evaluation
    Computer Network Performance Metrics
    Performance Evaluation Techniques
    Workload Characterization
    Simulation Models
    Analytic Models
    Empirical Measurement Studies
    What to measure?
    Choice of measurement tools
    The Design of Measurement Experiments

  • Slide 29

    Performance Evaluation Techniques

    Workload characterization for computer networks involves the design and choice of traffic types that provide the inputs for computer network performance evaluation.

    Performance measures of computer networks are all dependent to some extent on the input workload, the network topology and the choices in controlled parameters or network default settings.

    An evaluation study of a computer network seeks to determine the values for network performance indices under a given traffic workload and network configuration.

  • Slide 30

    Typical Network Traffic Types

    Web: traffic between a Browser and an Internet Server.
    Long-Lived File Transfers: FTP downloads.
    Multimedia Streaming: video clip downloads (UDP and/or TCP); audio; VOIP (Voice Over IP).
    Peer-to-Peer Exchanges: concurrent downloads and uploads.
    Telnet file edits.

  • Slide 31

    [Figure: Wireless Local Area Network (WLAN) with an AP, a Client and a Server]

  • Slide 32

    Performance Evaluation Techniques

    Network evaluation utilizes the actual network, an emulated network or a model of the network.

    Models: Simulation Modeling; Analytic Modeling. Both modeling techniques tend to rely on queuing theory.

    Measurement Studies: empirical measurement of real networks; measurements where some aspect of the network architecture or topology is emulated via software or hardware.

    The primary focus of this presentation is on the design and techniques used in experiments to measure real computer networks.

  • Slide 33

    Conceptual Models

    Researchers utilize knowledge about the interactions of network components to understand and explain the workings of a computer network via a conceptual model.

    Models are partitioned into simulation models or analytic models. Both model types rely on simplifying assumptions that enable the model to capture important characteristics of networks (usually in terms of networks of queues).

  • Slide 34

    Simple Queuing Model

    [Figure: Arrivals entering a Queue that feeds a Server]

  • Slide 35

    Networks of Queues Model

    [Figure: a network of interconnected queues]

  • Slide 36

    Simulation Models

    Simulation attempts to reproduce the behavior of the network in the time domain.

    Event-driven simulation defines a network in terms of states and transitions where events trigger transitions.

    Simulation is essentially a numeric solution that utilizes systems of equations and data structures to capture the behavior of the simulated network in terms of logical conditions.

  • Slide 37

    Simulation Models

    The three types of simulators are: Trace-driven, Program-driven, Distribution-driven.

    The choice of the duration of a simulation run is subject to the same issues of estimating variance and variance reduction as found in the design of empirical measurements.

  • Slide 38

    Analytic Models

    Similar to simulation models, analytic models involve systems of equations.

    Analytic models of computer networks usually start with a network of queues model and develop a system of equations that may or may not yield a closed form solution.

    Analytic models of computer networks tend to be stochastic models built on the theory of stochastic processes associated with independent random variables.

  • Slide 39

    Outline

    Performance Evaluation
    Computer Network Performance Metrics
    Performance Evaluation Techniques
    Workload Characterization
    Simulation Models
    Analytic Models
    Empirical Measurement Studies
    What to measure?
    Choice of measurement tools
    The Design of Measurement Experiments

  • Slide 40

    Empirical Measurement Studies

    The planning phase objectives of an empirical measurement are:
    1. To decide what to measure.
    2. To choose the measurement tools.
    3. To design the experiments.

    Network measurements can be either active or passive.

    Active measurement involves purposely adding traffic to the network workload specifically to facilitate the measurement (e.g., sending packet pair probes into the network to estimate the available bandwidth along a flow path).

    An example of a passive measurement tool is a network sniffer running in promiscuous mode to collect information about all packets traversing a network channel.

  • Slide 41

    What to Measure?

    The overall objective of the computer network measurement study guides the choice of performance indices to be measured.

    Metrics are either direct or indirect indices. Indirect indices require some type of data reduction process to determine metric values.

    Due to the large data volume associated with network traffic, measurement of computer networks often involves filtering of data or events (e.g., it is common for network measurement tools to only retain packet headers for off-line

  • Slide 42

    Network Measurement Tools

    While hardware probes provide the best quality measurements, they are expensive and not always available.

    The availability of software tools for computer networks depends on the ability to get inside the components of the network protocol stack and the ability to access nodes of the network topology.

    Network software measurement tools provide hooks within the network layering software to capture and store network measurement data.

  • Slide 43

    Choice of Measurement Tools

    Key issues in the usability of network measurement tools are:
    1. Tool location.
    2. Interference or bias introduced by the tool.
    3. Accuracy of the tool.
    4. Tool resolution. This has become a problem with respect to the granularity of system clocks relative to the speed of modern high speed network links.

  • Slide 44

    [Figure: Wireless Local Area Network (WLAN) with an AP, Clients and a Server]

  • Slide 45

    The Design of Measurement Experiments

    Measurement Experiments are divided into two major categories:

    1. Live measurements

    With live empirical studies, the objective is to measure the performance of the computer network while it is handling real traffic.

    The advantage of this type of study is that the measurement involves a real workload.

    One disadvantage of measuring live traffic is being convinced that this measurement involves typical traffic for this network.

    Another disadvantage of live traffic measurement is that reproducibility of the exact same traffic workload is usually not possible. This is problematic when the goal is to evaluate the impact of changing network components on overall performance.

  • Slide 46

    The Design of Measurement Experiments

    2. Controlled-traffic measurements

    Traffic generator tools or traffic script files provide repeatable, controlled traffic workloads on the network being measured.

    Controlled-traffic workloads are chosen when the goal of the performance study is to evaluate the impact of different versions of a network component, strategy or algorithm on network performance.

    Controlled, repeatable traffic makes it easier to conduct cause-and-effect performance analysis.

    One difficulty with controlled traffic is being confident in the accuracy of the traffic generator tool and the ability to conduct measurement experiments where the traffic workload choices are adequately varied to provide representative, robust network performance evaluation.

  • Slide 47

    Measurement Design Decisions

    Understanding which network components (or independent variables) significantly impact network performance.

    Deciding which network parameters are to be controlled and/or held fixed during experimental runs.

    How long to run a single experiment? How many times to repeat an experiment?

  • Slide 48

    [Figure: Throughput (Mbps) versus Time (sec)]

  • Slide 49

    [Figure: RSSI (dB) versus Time (sec)]

  • Slide 50

    Measurement Design Decisions

    When to run experiments? Namely, to determine whether time of day or other temporal periods influence performance measurements.

    How to control, minimize and/or understand physical phenomena or other interference sources that can produce discrepancies and variability in the measurement results?

  • Slide 51

    [Figure: Throughput (Mbps) versus Time (sec)]

  • Slide 52

    [Figure: RSSI (dB) versus Time (sec)]

  • Slide 53

    Measurement Design Decisions

    What data filters to use?

    How and where to store experimental results?

    Determining the best choices of graphical and tabular forms of data representation to facilitate network performance analysis while providing a clear view of the results of the computer network performance evaluation.

  • Slide 54

    [Figure: MAC Layer Retries versus Time (sec)]

  • Slide 55

    Cumulative Distribution Function (CDF)

    [Figure: CDF plot]

  • Slide 56

    Coming Attractions

    Professor Claypool will discuss:
    The Scientific Method applied to Computer Science
    Statistical Techniques used in Experimental Measurement Design

  • Slide 57

    Summary of the Concepts & Terms learnt so far

  • Slide 58

    Some Networking Terms

    Repeaters / Repeater Hubs / Shared Hubs: where usually only the Physical layer / level exists, with L1-protocol data unit (raw bits) regeneration and onward transmission.

    Managed Hubs / Layer-2 Switching Hubs: where Physical and Data Link layers / levels exist, with the ability to handle and deliver the Layer-2-protocol data unit (frame).

    Bridges: where Physical and Data Link layers / levels exist, with L2-protocol data unit (frame) processing and forwarding.

    Switches: where Physical and Data Link and / or Network (sometimes even higher) layers / levels exist with Layer-2 and / or Layer-3-

  • Slide 59

    Thank you for your kind attention!

    Any question please?

    For further details, you may contact at:
    E-mail: [email protected] / [email protected]
    or visit:
    Home: http://www.bits-pilani.ac.in/~rahul/


  • Slide 62

    NOTE: Some of the duly marked slides have been prepared with respective input from BITS, UIUC, ETH-Zurich, MSR, UoW, CMU, IETF, ITU, Sun, W3C, KU, CU, LU, IEEE PC as duly permitted for academic and research use.

    Use of copyrighted material from these and other sources in the following slides is meant for pure academic reference and is herein thankfully acknowledged.

  • Slide 63

    What is a Web Service?

    A Web Service is simply a service available via the Web. A Web Service can be implemented in any language.

    Problems with Web Services:
    It is not practical to automatically find web services for your needs.
    There is no built-in mechanism for payment for use of a web service.
    There is no built-in security control.
    When a web service changes (e.g., adds a parameter to its method), the program using it breaks.

  • Slide 64

    The Simple Object Access Protocol

    SOAP stands for "Simple Object Access Protocol". It is used for "Remote Procedure Calls", similar to IIOP (for CORBA) and RMI (for Java).

    Major Distinguishing Features:
    SOAP is text-based (uses XML), not binary. It is therefore firewall-friendly.
    It is programming-language-independent. Therefore, it can call a program in any language.
    It uses a standard port, since it uses standard protocols.

  • Slide 65

    SOAP: RPC & DOC

    SOAP is just a standard for sending messages (thus used as an envelope that encapsulates messages).

    We can send two types of messages using SOAP:
    RPC: Remote Procedure Call, a request to call a method.
    DOC: A document (this is used for more complex client-server communication).

  • Slide 66

    How does the SOAP Work?

    [Figure only]

  • Slide 67

    SOAP Header Section

    The SOAP Header can contain information that describes the SOAP request. Example:

    5

    Here, 5 is the transaction ID of which this method is a part. The SOAP envelope's mustUnderstand attribute is set to 1, which means that the server must either understand and honor the transaction request or must fail to process the message.
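The header rule above, built and enforced in code: an added example for this transcript, not code from the lecture or from Apache SOAP. It uses the SOAP 1.1 envelope namespace and its MustUnderstand fault code; the header block's namespace (urn:example:transaction) and element name are assumed. The point a processor must get right is that a mustUnderstand="1" block it does not recognise aborts the request with a fault rather than being dropped silently, since otherwise the method would run outside the transaction the client asked for.

```python
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
TX_NS = "urn:example:transaction"                       # assumed namespace for the header block
TX_TAG = f"{{{TX_NS}}}transaction"


def build_request(tx_id: int, must_understand: bool = True) -> bytes:
    """Envelope whose Header carries the transaction ID; with must_understand
    the block is marked mustUnderstand="1" in the envelope namespace."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    tx = ET.SubElement(header, TX_TAG)
    tx.text = str(tx_id)
    if must_understand:
        tx.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{TX_NS}}}sayHelloTo")   # method name as in the HelloServer slide
    ET.SubElement(call, "name").text = "World"
    return ET.tostring(env)


def process(request: bytes, understood: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Minimal SOAP processor. 'understood' lists the header blocks (Clark-form
    tags) this server knows how to honour. A mustUnderstand="1" block it does
    not understand aborts processing with a MustUnderstand fault; unknown
    optional blocks are skipped, as the specification allows."""
    env = ET.fromstring(request)
    header = env.find(f"{{{SOAP_NS}}}Header")
    context: Dict[str, str] = {}
    for block in (header if header is not None else []):
        if block.tag in understood:
            context[block.tag] = (block.text or "").strip()
        elif block.get(f"{{{SOAP_NS}}}mustUnderstand", "0") == "1":
            return {"fault": "SOAP-ENV:MustUnderstand",
                    "faultstring": f"header {block.tag} not understood"}
    body = env.find(f"{{{SOAP_NS}}}Body")
    method = body[0].tag if body is not None and len(body) else None
    return {"ok": True, "context": context, "method": method}
```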

  • Slide 68

    SOAP Response on Error

    There may be many errors in processing a SOAP request:
    Error in Running Method.
    Error in Processing SOAP Headers, e.g., a problem running the method as part of a transaction.

  • Slide 69

    The Main Players in SOAP

    There are three components that take part in a SOAP application:
    Client Application: a program that sends a SOAP request. It wants to use a service.
    SOAP Processor: a program that can receive SOAP requests and act accordingly (e.g., call a method of the Application Server).
    Application Server: a program that supplies the Web service.

  • Slide 70

    Application Server: Some Simple Tips

    The application server providing any Web Service does not need anything special.

    In fact, your application server need not know that it is being used for providing a Web Service!!

  • Slide 71

    A bit on the Client Application

    The SOAP client needs to generate a SOAP request.

    When using Java, you shall need the following packages in your CLASSPATH to compile: soap.jar, mail.jar, activation.jar

  • Slide 72

    Tips on Tomcat / Servlet & SOAP Processor

    Scenario: your Tomcat web server needs a web application that is a SOAP Processor.

    Put soap.war in your /webapps directory.

    To actually run the SOAP Processor, it needs the soap.jar, mail.jar, activation.jar files in its classpath.

    Easiest way to get the files in its classpath: add them to the directory /lib.

  • Slide 73

    Creating the Application Server

    package hello;

    public class HelloServer {
        public String sayHelloTo(String name) {
            return "Hello " + name + ", How are you doing?";
        }
    }

    Note: Put the application in a package. Create a jar file from the package and put the package in /lib, so that it will be in Tomcat's classpath.

  • Slide 74

    Deploying the Web Service

    The SOAP Processor must be told about your application. This is called "deploying".

    Deployment is a two-step process:
    Create a deployment descriptor.
    Call the java command that deploys the web application.

  • Slide 75

    Deployment Descriptor

    org.apache.soap.server.DOMFaultListener

    The scope of the object used to fulfill the SOAP request. Application means that all SOAP requests will be sent to the same object.

  • Slide 76

    Deployment Descriptor

    org.apache.soap.server.DOMFaultListener

  • 7/28/2019 CSC461-CN-Lecture-15-Feb.-13-2013

    77/171

    ScopeofWebService

    page: The service instance is available until a responseis sent back or the request is forwarded to anotherpage

    request: The service instance is available for theduration of the request, regardless of forwarding session: The service instance is available for the entiresession

    application: The same service instance is used toserve all invocations

    Which of these scope values require us to thinkabout synchronizing access to data members andmethods?

    Completing the Deployment

    Save the deployment descriptor in a file, e.g., HelloDescriptor.xml

    Run the command:
    java org.apache.soap.server.ServiceManagerClient http://host:port/soap/servlet/rpcrouter deploy HelloDescriptor.xml
    where host and port are those of Tomcat

    Note that Tomcat must be running for this to work.

    You can get a list of all deployed web services using the command
    java org.apache.soap.server.ServiceManagerClient http://host:port/soap/servlet/rpcrouter list

    Undeploying a Service

    You can undeploy a web service, so that it is no longer recognized by the SOAP Processor, using the command
    java org.apache.soap.server.ServiceManagerClient http://host:port/soap/servlet/rpcrouter undeploy urn:helloApp

    Note that the last argument is the URI of the web service to be removed.

    What must the client do: A Summary Note

    Create the SOAP-RPC call
    Set up any type mappings for custom parameters
    Set the URI of the SOAP service to use
    Specify the method to invoke
    Specify the encoding to use
    Add any parameters to the call
    Connect to the SOAP service
    Receive and interpret a response

    Note on Parameters

    It must be possible to "serialize" the parameters that the method invoked receives and returns.

    The following have default serialization/deserialization:

    primitive types: int, long, double, etc.
    primitive Objects: Integer, Long, Double, String, etc.
    complex Objects: Vector, Enumeration, Hashtable, arrays
    easy to use JavaBeans

    Creating the Server

    When the application server is a script, the script is actually put in the deployment descriptor.

    Need the jar files bsf.jar and js.jar. Put them in your /lib directory.

    UDDI - Universal Description, Discovery and Integration Service

    UDDI is a standard for describing and finding web services

    UDDI Business Registry (UBR), Public Cloud

    Nodes contain all UDDI information
    Nodes are synchronized, so they retain the same data
    You can query any node
    You can add UDDI to a node, and it will be replicated to all others

    Interacting with the UDDI

    UDDI is itself a web service!!!
    Interaction is via SOAP messages
    The JAXR package defines a standard way to interact with registries (can work with other types of registries too, e.g., ebXML)

    Two types of interaction:

    Inquiry: Does not need authentication
    Publish: Needs authentication

    WSDL - Web Services Description Language

    Describing a Web Service

    SOAP is just one standard to access a web service; there are many others (XML-RPC)

    Need a standard way to describe a Web Service:
    the methods available
    their parameters
    etc.

    WSDL is a standard for describing web services using XML

    UPnP Services

    Description is stored as XML file
    Control via SOAP messages: SOAP developed for web service
    Most every language/platform has SOAP/XML libraries
    Event notification with XML in General Event Notification Architecture
    Presentation URL can be supplied by device

    The OSGi

    OSGi is open, standards-based, language-neutral and OS-neutral
    Consists of a framework in which bundles of services that register with a registry can run
    Runs atop the Java 2 Runtime Environment (J2RE)

    OSGi Service Specifications

    Logging service
    Web server
    Device access
    Configuration service
    Preferences service
    User administration service
    Permission administration service
    Package administration service

    Client Authentication over the Internetworks

    There exist four possibilities:
    No Authentication
    Basic Authentication
    Moderate Authentication
    Advanced Authentication

    Basic Authentication: It may be provided as an extension to HTTP 1.1 (HTTP: RFC 2616, Extn.: RFC 2617)

    Moderate Authentication: Digest Access Authentication using Challenge-Response technique

    Advanced Authentication: There are two choices, depending upon the requirements:
    Kerberos-based Authentication (K-5: RFC 1510)
    Public-Key Cryptography-based Authentication (SSL: RFC 2246, TLS: RFC 2818)

    BASIC AUTHENTICATION

    Client may use it to authenticate itself to either the Origin Server or an intermediate Proxy Server.

    In this basic scheme, if an unauthorized access attempt is made by a client, the server / proxy sends it back an Error Code: 401 / 407: Unauthorized Access Error.

    However, the server / proxy may ask / challenge the requesting client to supply / respond to one or more pieces of information and if the client sends the correct piece(s) in its

    BASIC AUTHENTICATION

    In this scheme, the user's ID and his/her password are transmitted as base64-encoded plaintext.

    This clearly is as insecure as the default Telnet authentication scheme.

    Moderate and Advanced schemes of authorization attempt to tackle this issue by offering cryptographic measures.

    Moderate Authorization using Digest Access

    In this case, a client requesting a restricted service receives a nonce-challenge from the server and is expected to generate a message digest using this nonce, containing the user Id, password, numeric value of the received nonce, the requested HTTP method and the URI.

    This digest is then transmitted over the insecure network to the server who upon receipt, knowing the nonce and algorithm
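    The Basic and Digest schemes side by side, as an added example that is not part of the lecture slides: parse_basic undoes the base64 encoding the slides call insecure, digest_response computes the RFC 2617 digest described above (nonce, user-id, password, method, URI), and DigestServer is the server side that checks it and refuses a replayed response. The credentials and nonce are the RFC 2617 worked examples; the in-memory nonce store and the one-use nonce rule are simplifications assumed here.

```python
# Added example (not from the lecture slides): the Basic scheme of the
# preceding slides beside the Digest scheme of this one, with a server-side
# verifier. Credentials and nonces are the RFC 2617 worked examples, used as
# constructed inputs; the in-memory nonce store and one-use nonce rule are
# simplifications assumed here.
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def parse_basic(header: str) -> tuple[str, str]:
    """Recover user-id and password from a Basic Authorization header.

    Basic only base64-encodes "user:password"; anyone able to read the request
    (e.g. no TLS) reverses it, which is the weakness the slide points at.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri,
                    qop=None, nc=None, cnonce=None) -> str:
    """Client side of Digest Access Authentication (RFC 2617, algorithm MD5).

    HA1 binds user-id, realm and password; HA2 binds HTTP method and URI; the
    server's nonce ties the result to this one challenge. Only the digest
    crosses the wire, never the password. qop=None gives the original
    RFC 2069 form, which is the one the slide spells out.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal verifier: stores HA1 (not passwords), issues nonces, compares in
    constant time and refuses a nonce that already succeeded (a simple replay
    defence; RFC 2617 qop=auth would track the nc counter instead)."""

    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.nonces: dict[str, bool] = {}        # nonce -> already used?

    def challenge(self, nonce: str | None = None) -> str:
        """Issue a WWW-Authenticate challenge with a fresh random nonce unless
        the caller supplies one (done below for reproducibility)."""
        nonce = nonce or secrets.token_hex(16)
        self.nonces[nonce] = False
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth"'

    def verify(self, username, nonce, method, uri, response,
               qop=None, nc=None, cnonce=None) -> bool:
        if username not in self.ha1 or self.nonces.get(nonce) is not False:
            return False            # unknown user, unknown nonce, or replay
        ha1, ha2 = self.ha1[username], _md5(f"{method}:{uri}")
        if qop is None:
            expected = _md5(f"{ha1}:{nonce}:{ha2}")
        else:
            expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.nonces[nonce] = True
        return ok


def demo() -> dict:
    """Walk through both schemes and return what an observer/server sees."""
    # Basic: the RFC 2617 example credential, as an eavesdropper decodes it.
    basic = parse_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==")
    # Digest: the RFC 2617 section 3.5 example, accepted once, then replayed.
    realm, nonce = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    server = DigestServer(realm, {"Mufasa": "Circle Of Life"})
    server.challenge(nonce)
    args = dict(qop="auth", nc="00000001", cnonce="0a4f113b")
    resp = digest_response("Mufasa", realm, "Circle Of Life", nonce,
                           "GET", "/dir/index.html", **args)
    first = server.verify("Mufasa", nonce, "GET", "/dir/index.html", resp, **args)
    replay = server.verify("Mufasa", nonce, "GET", "/dir/index.html", resp, **args)
    return {"basic": basic, "digest": resp,
            "accepted": first, "replay_accepted": replay}


if __name__ == "__main__":
    print(demo())
```

    Note that MD5 is what RFC 2617 specifies; the scheme protects the password from a passive eavesdropper but still needs TLS underneath it against an active interceptor who can alter the challenge.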

    Advanced Authentication using SSL/TLS

    In this case, as discussed earlier, if a client requests an access to a restricted service, the server generates a random secret / challenge to the client.

    Client is expected to respond by signing the sent challenge by using its Private Key and transmit this signed response along with its digital certificate.

    Upon receipt, the server verifies the authenticity of the certificate, extracts the client's public key from it and using this verifies the client's signature.

    If the process succeeds, the client is granted access to the requested service / resource.

    Applications on respective devices / device clusters

    Client-side Issues
    Middleware-specific Issues
    Server-side Issues

    Role of Network Security in Pervasive Computing Environments

    Interaction Points

    Brief introduction to Network and Internetwork Security Principles
    Various forms and mechanisms of security
    Influence of Network Security on Pervasive Computing Systems
    Discussion

    Networks, Internetworks & Security

    (c) Rahul Banerjee, BITS, Pilani (India)

    Network: A Computer Network is an interconnected group of autonomous computing nodes which:
    Use a well-defined, mutually-agreed set of rules and conventions known as Protocols,
    Interact with one another meaningfully;
    Allow resource-sharing, preferably in a predictable and controllable manner.

    Internetwork: A network of two or more networks is called an Internetwork. Participating networks in an Internetwork may be interconnected for restricted or unrestricted resource sharing.

    Security: Security is often viewed as the need to protect one or more aspects of a network's operation and permitted use (access, behaviour, performance, privacy and confidentiality included). Security requirements may be Local or Global in their scope, depending upon the network's or internetwork's purpose of design and deployment.

    Criteria for Evaluating Security Solutions

    Ability to meet the specified needs / requirements
    Effectiveness of Approach Across Networks
    Computing Resources Needed vis-à-vis the value of the protection offered
    Quality and Scalability
    Availability of Monitoring mechanisms
    Adaptability and Flexibility
    Practicability from Sociological / Political perspective
    Economic considerations & Sustainability

    Classification of Security Problems: Access Breaches in Internetworks

    (S/W & H/W) Intentional / Non-Intentional Access Breaches
    Origin-based Access Breaches
    Centralized / Distributed Access Breaches
    Service Blocking / Overwhelming / Redirection / Abuse / Modification / Termination-based Access Breaches
    Periodic / Aperiodic Application-Data / Control-Data Access Breaches
    Event-based Access Breaches
    Storage-based Access Breaches

    Of Security Attacks, Security Threats, Security Mechanisms and Security Services

    Security Attack => compromises the information-system security

    Security Threat => has potential for security violation

    Security Mechanism => detects / locates / identifies / prevents / recovers from security attacks

    Security Service => enhances security, makes use of the security mechanisms

    Active versus Passive Attacks

    Active attacks involve active attempts on security leading to modification, redirection, blockage or destruction of data, devices or links. Examples:
    Replay attacks
    Masquerade attacks
    Modification / corruption of data or access control bits
    Denial-of-Service attacks

    Passive attacks involve simply getting access to a link or device and consequently data.

    A typical Internetwork Model of Security

    Parties involved: Sender, Receiver, Interceptor (Passive / Active)

    Devices involved: Transmitter, Receiver, Encoder, Decoder

    Links involved: Data and Control signal transmission links

    Identification of Sources of Security Problems

    Importance of Identification of sources
    Strategic importance for planning, preventing and / or countering
    Importance with respect to Sensitivity-analysis and Economic-impact-analysis and pro-active protection

    Possible Approaches for Analysis
    Monitoring-based approaches
    Log-based
    Agent-based
    Non-monitoring approaches
    Model-based
    Experimental
    Replication-based

    Role of Cryptography, OS & Configuration

    Role of Cryptography
    Secret-key cryptography
    Public-key cryptography

    Role of Operating Systems
    Built-in OS Security at the Kernel-level
    Support for Cryptographic APIs
    Network Protocol Stack implementation decision-based security

    Role of Configuration in Security
    Network configuration
    OS configuration
    Application configuration
    Security System configuration

    On the Internetwork Cryptography

    Internetwork Cryptography aims to handle internetwork-specific or network-specific issues and problems involving authentication, integrity and secrecy / confidentiality / privacy.

    Cryptography can exist with or without networks, but Internetwork / Network Cryptography specifically addresses the Internetwork / Network needs / requirements and is thus a subset of general cryptography.

    Symmetric-Key Cryptography

    Symmetric-Key cryptography is called so since in this class of cryptographic algorithms, encryption as well as decryption processes are performed using the same (i.e. symmetric) key.

    The algorithms / schemes / programs that use this paradigm are often termed as Symmetric-Key Ciphers / Private-Key Ciphers / Secret-Key Ciphers / Conventional Ciphers etc.

    In such cases, Plaintext, Encryption-

    Characterizing the Symmetric Key Ciphers

    This is often done by:
    Choice of key-space
    Key-derivation / identification within the key-space
    Number of cycles involved in encryption / decryption process
    Choice of operations (or choice of type of operators) that are used in the process of encryption / decryption
    Number of internal algorithms that form the final scheme of enciphering / deciphering
    Role, if any, of the compression algorithms / schemes in adding the security value

    Some More Basics

    Any cryptographic scheme is safe if and only if it is unbreakable in reasonable time using feasible resources in spite of the intruders being aware of:
    Encryption and decryption algorithm
    Size of the key

    Kerckhoffs' Principle: Security of conventional encryption depends only upon the Secrecy of the Key, and not on the Secrecy of the Algorithm.

    Strength of the algorithm and the size of key remain two important factors in

    On the Secure Deployment of the Conventional (Secret-Key) Cryptography

    Requirements for secure deployment of conventional cryptography:
    Availability of a strong Encryption Algorithm
    Secure distribution of the Secret Key to the intended recipients

    Kerckhoffs' Principle remains a guiding line for the research on conventional cryptography and its real-life use in internetworks.

    Unconditionally Secure Versus Computationally Secure Encryption Schemes

    Unconditionally Secure Encryption schemes: Here, the generated Ciphertext simply does not have adequate information to allow discovery of the unique plaintext, irrespective of the amount of Ciphertext available (as well as irrespective of the computational resource available) to the attacker.

    Computationally Secure Encryption schemes:
    Here, the cost of deciphering exceeds the value of enciphered information
    Time needed to decipher exceeds the lifetime of the enciphered information

    Digital Signatures

    A Digitally-signed Communication is a message that has been processed by a computer in such a manner that ties the message to the individual that signed the message.

    Criteria for Digital Signatures Technology: An acceptable technology must be capable of creating signatures that conform to the requirements:
    It is unique to the person using it;
    It is capable of verification;
    It is under the sole control of the person using it;

    Signature Dynamics

    The Signature Dynamics Technology: It is an acceptable technology for use by public entities that uses as the means the metrics of the shapes, speeds and/or other distinguishing features of a signature as the person writes it by hand.

    It involves binding the measurements to a message through the use of cryptographic techniques.

    Signature Digest is the resulting bit-string produced when a signature is tied to a document using Signature Dynamics.

    Digital Certificates

    Digital Certificate: It refers to a computer-based record which:
    identifies the certification authority issuing it;
    names or identifies its subscriber;
    contains the subscriber's public key; and
    is digitally signed by the certification authority issuing or amending it &
    conforms to widely-used standards.

    Related terms:

    Certification Authority: This refers to an entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.

    Key Pair: This refers to a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates.

    A few more points on Digital Certificates

    One of the simplest ways to describe the function of a Digital Certificate is to treat it as a means to verify the genuineness of the Public-Key.

    Just as the individuals / groups are normally assigned Digital Signatures, the corporate merchants and E-Commerce / I-Commerce Gateways are issued Digital Certificates for proving their authenticity to others.

    Certificate Expiry: Most of the certificates have their period of legal validity as marked by the issuing entity / authority, after which it is considered as invalid or expired.

    Certificate Revocation: If the Certificate is found to be compromised, it may be explicitly revoked by the Certificate Authority (CA) and included in the subsequently published Certificate Revocation List.

    Certificate Validation: It refers to the verification of the Certificate Chain.

    Who are the common Certificate Authorities?

    As per the Secure Electronic Transactions (SET) standard, the following CAs may exist:
    1. The Root Certificate Authority (RCA)
    2. The Brand Certificate Authority (BCA)
    3. The Geo-Political Certificate Authority (GCA)
    4. The Merchant Certificate Authority (MCA)
    5. The Payment Gateway Certificate Authority (PGCA)
    6. The Cardholder Certificate Authority (CCA)

    Certificate Categories:
    1. Merchant Certificates
    2. Cardholder Certificates

    The Hierarchical CA Architecture

    (Figure: the SET CA hierarchy)
    The Root Certificate Authority (RCA)
      -> The Brand Certificate Authority (BCA)
         -> The Geo-Political Certificate Authority (GCA)
            -> MCA  -> Merchant Certificates
            -> PGCA -> Payment Gateway Certificates
            -> CCA  -> Cardholder Certificates

    Who issues and signs the Certificates?

    A Certificate Authority is a Trusted entity that issues, monitors, revokes, modifies and cancels digital certificates for subscribers holding / requiring certificates.

    A digital certificate is signed with the CA's private key.

    In principle, certificates can be of several types including Institutional Authority Certificates and Web Server Certificates.

    Steps involved

    1. A pair of Private and Public keys is created by the Requester.
    2. Requester generates and encrypts a Certificate Request using its private key and sends the certificate request to your chosen CA.
    3. CA initiates and completes a process to verify the correctness of the information supplied by the Requester.
    4. The certificate for the Requester (who hereafter becomes a Subscriber) is signed by a device that holds the private key of the CA.
    5. The certificate is sent to the Subscriber.
    6. A copy of the issued Certificate is kept in a certificate repository / directory (so that using LDAP etc. Certificates could be retrieved).

    Certificate revocation

    Certificate revocation: Canceling a certificate before the end of its originally scheduled validity period.

    Certificate Revocation Lists (CRL): A CRL is a time-stamped list of revoked certificates.

    Online Certificate Status Protocol is used for online verification.

    Trusted versus Untrusted Networks

    My Network (PAN/LAN): Fully Trusted / Partly Trusted

    Our Network (LAN/MAN/WAN/WAI): Fully Trusted / Partly Trusted / Unsure

    Other Networks (LAN/MAN/WAN/WAI): Partly Trusted / Untrusted

    The Network Perimeter

    A Network / Internetwork Perimeter is a secure boundary of a network that may include some or all of the following:
    Firewalls
    Routers
    IDS
    VPN mechanisms
    DMZ
    Screened subnets

    DMZ is outside the Firewall
    Screened subnet is an isolated sub-network connected to a dedicated firewall interface

    Intrusion Detection System

    Intrusion Detection System (IDS) is a system that
    comprises of mechanisms / devices involving one or more Intrusion Detection Sensors (traffic monitoring devices / mechanisms) placed at security-wise strategic locations; and,
    has been designed to detect any known or likely intrusion into the protected network.

    Types of IDS:
    Network-based IDS (NIDS): Subnet-resident
    Host-based IDS (HIDS): Host-resident

    Sensor reporting may involve several forms like logs, database

    Internetwork Firewall

    An internetwork security device that
    serves on the only access route that connects the internal network / internetwork (i.e. the segment to be protected) to the external network(s) / internetwork(s); and,
    decides about physically allowing / denying entry / exit to / from the protected segment using a set of policies (often manifested in terms of rules)
    is called a Firewall.

    A Firewall may be implemented in hardware / software / firmware or a combination of these.

    Characteristics of Internet Firewalls

    Characteristically, an Internet Firewall exhibits security measures and internetwork-control-mechanisms related to but not necessarily limited to:
    Internet services as separated from the intranet services
    Service-based directional traffic
    User-specific / Class-specific / Group-specific service access
    Service-usage / deployment-behaviour
    Origin-specific / Destination-specific service / traffic / monitoring / QoS-security bindings
    Relaying / blocking / redirection of encapsulated and / or encrypted traffic

    A common assumption (though debatable) made is that the Firewall itself is incorruptible / impenetrable.

    A firewall works under the assumption that it is solely responsible for blockade / allowance of any traffic between two or more than two networks / internetworks separated by it.

    What does a firewall do?

    As part of an Internetwork Security System, a firewall:
    Allows defining exit and entry points for traffic from and to the internal protected network / intranet
    Offers a set of mechanisms and a set of locations / points for supervising security-sensitive activities / events / behaviour
    Provides network-level encapsulation, encryption, decryption, decapsulation, tunnelling services
    Permits a variable-security facility-zones creation that may also offer some functionalities not necessarily related to the security function that is the primary function of the firewall
    Supports creation and interpretation of structured logging mechanisms and files for a variety of purposes.

    What a Firewall does not do?

    A Firewall is not meant for:
    Virus / Worm / Trojan Horse / Logic bomb detection
    Virus / Worm / Trojan Horse / Logic bomb removal
    Semantic analysis of the application-to-application messages, with certain exceptions
    Protecting a network / internetwork from a trusted entity (client / server / user) or an internal authorized user with adequate privileges
    Protecting from power, link or protocol failure

    Constituents & Types of a Firewall

    Firewall Constituents (some of these can serve as firewalls as well):
    Application-level Gateways and Proxies
    Transport-level / Circuit-level Gateways and Proxies
    Network-level Gateways / Routers
    Packet filters (also known as Static Packet Filtering Firewalls)
    Bastion Host
    Screened Host

    Types of Firewalls:
    Stateless Firewalls
    Stateful Inspection-based Firewalls
    Perimeter Firewalls
    Screened Host Firewalls
    Intranet Firewalls
    Internet Firewalls
    Extranet Firewalls

    Examples of Commercial Firewalls

    Static Packet Filtering Firewall (implemented on a Router):
    Example: Nortel's Accelar Router

    Firewall Proxy Firewall:
    Example: Secure Computing's Sidewinder Firewall

    Stateful Inspection-based Firewall:
    Example:

    Virtual Private Networks

    A Virtual Private Network (VPN) is a mechanism that allows establishment of a protected session between two network nodes / services located in / on two different protected networks / internetworks separated by unprotected / untrusted / insecure (often public) networks / channels / infrastructure.

    Example: Nortel's Contivity, Cisco's VPN 3000 Concentrator

    Another perspective: SSH, TLS, SSL, IPSec, L2TP, PPTP are choices providing different types of security at different layers.

    Although all of these could be reused in an appropriately designed VPN mechanism, often the L-3 and L-2 mechanisms are preferred by many VPN designers.

    Often, people refer to a VPN as a security device / mechanism on the perimeter of the protected network / internetwork that allows encrypted sessions.

    Advantages of VPNs

    Capability to access a remote network as if there exists a private channel to that network
    Several security options available to provide a range of security
    Adequacy of lower-strength encryption schemes on certain occasions
    Cost-effective if well-designed, well-implemented and well-configured
    Can be quickly implemented

    Disadvantages of VPNs

    Requirement of encryption, decryption, encapsulation and decapsulation induces a sizeable processing overhead, packet overhead and storage overhead, and may introduce latency as well as increase cost of service

    In some cases, if designed ad-hoc, certain network installations may pose additional challenges in adding the VPN functionality due to the added overhead in packet processing.

    Intricate design issues, unless handled carefully, may actually serve to lower the network performance without really bringing a corresponding increase in the security level of the network.

    Implementation issues include VPN pass-through issues, NAT-specific issues and MTU-size related issues
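    The packet-overhead and MTU-size issue listed above, quantified for IPsec ESP in tunnel mode (one of the L-3 mechanisms the previous slide says VPN designers often prefer), as an added example that is not part of the lecture slides. It assumes an IPv4 outer header, AES-CBC with HMAC-SHA1-96 as the ESP transforms, and optional RFC 3948 UDP encapsulation for the NAT case; other transforms change the constants but not the method.

```python
# Added example (not from the lecture slides): packet overhead and tunnel MTU
# for IPsec ESP in tunnel mode (RFC 4303). Assumptions: IPv4 outer header,
# AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96 (12-byte ICV), and
# optional NAT-T UDP encapsulation (RFC 3948). Other suites change the
# constants, not the arithmetic.
IPV4_HDR = 20        # outer IPv4 header added by tunnel mode
UDP_HDR = 8          # only with NAT-T UDP encapsulation
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_IV = 16          # AES-CBC initialisation vector
ESP_BLOCK = 16       # payload + padding + trailer must fill whole AES blocks
ESP_TRAILER = 2      # pad length (1) + next header (1)
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value
ETHERNET_MTU = 1500


def esp_padding(inner_len: int) -> int:
    """Padding bytes so that payload + pad + trailer is a whole number of blocks."""
    return (-(inner_len + ESP_TRAILER)) % ESP_BLOCK


def fixed_overhead(udp_encap: bool = False) -> int:
    """Bytes added outside the encrypted region."""
    return IPV4_HDR + (UDP_HDR if udp_encap else 0) + ESP_HDR + ESP_IV + ESP_ICV


def esp_tunnel_size(inner_len: int, udp_encap: bool = False) -> int:
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    return fixed_overhead(udp_encap) + inner_len + esp_padding(inner_len) + ESP_TRAILER


def needs_fragmentation(inner_len: int, outer_mtu: int = ETHERNET_MTU,
                        udp_encap: bool = False) -> bool:
    """True when the encapsulated packet exceeds the path MTU: the VPN gateway
    must then fragment it (or drop it when DF is set), which is the MTU-size
    issue the slide lists."""
    return esp_tunnel_size(inner_len, udp_encap) > outer_mtu


def max_inner_packet(outer_mtu: int = ETHERNET_MTU, udp_encap: bool = False) -> int:
    """Largest inner IP packet whose encapsulation still fits outer_mtu; this
    is the MTU to configure on the tunnel interface."""
    room = outer_mtu - fixed_overhead(udp_encap)
    room -= room % ESP_BLOCK          # encrypted region is whole blocks
    return room - ESP_TRAILER


def tcp_mss_for_tunnel(outer_mtu: int = ETHERNET_MTU, udp_encap: bool = False,
                       inner_ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """TCP MSS to clamp to so that full-sized segments never need fragmenting."""
    return max_inner_packet(outer_mtu, udp_encap) - inner_ip_hdr - tcp_hdr


def overhead_percent(inner_len: int, udp_encap: bool = False) -> float:
    """Packet overhead relative to the inner packet: large for small packets
    (e.g. VoIP frames), small for bulk transfers."""
    return 100.0 * (esp_tunnel_size(inner_len, udp_encap) - inner_len) / inner_len


if __name__ == "__main__":
    for n in (64, 576, 1438, 1500):
        print(f"inner {n:5d} -> wire {esp_tunnel_size(n):5d} bytes, "
              f"{overhead_percent(n):6.1f}% overhead, "
              f"fragment at 1500: {needs_fragmentation(n)}")
    print("tunnel MTU:", max_inner_packet(),
          "with NAT-T:", max_inner_packet(udp_encap=True))
    print("TCP MSS clamp:", tcp_mss_for_tunnel())
```

    A full 1500-byte inner packet grows to 1560 bytes on the wire, so without MSS clamping or a lowered tunnel MTU every full-sized segment is fragmented by the gateway.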

    Defining the Control Zone

    The Control Zone: Consider a typical electronically controlled device like a tape drive, hard disk drive or other gadget that operates in an unshielded environment. Each such device emits signals that can be sensed within a zone called the Control Zone.

    For security reasons, it is important that:
    No important information about any device operation leaks out of the target environment
    No external body should be able to make use of control or data signals related to this device

    The Concept of Security Services

    Authentication Service
    Access Control Service
    Availability Service
    Confidentiality Service
    Integrity Service
    Identification: Author, Authorization, Endorsement, Approval, Access, Concurrence, Licensing, Certification, Signature, Witness, Validation, Timestamps, Authenticity, Ownership, Registration, Privacy / Confidentiality / Secrecy
    Non-Repudiation Service

    GSM network architecture

    (Figure: GSM network architecture. Elements: MS, BTS, BSC, MSC, VLR, HLR, AUC, EIR, OMC; interfaces: Um, A-bis, A; Voice Traffic and Mobility mgt towards PSTN/ISDN.)
    (c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/

    800, 900, 1900 MHz
    Licensed & expensive
    Subscriber model
    Started out like PSTN, and getting more complex
    Pre-paid, premium rate SMS

    WAP security architecture (Wireless Application Protocol)

    (c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/

    Bluetooth security architecture

    (c) http://www.cs.hut.fi/Opinnot/Tik-86.174/Bluetooth_Security.pdf

    IEEE 802.11 architecture

    (c) Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prdc_mcc_ardu.asp

141/171

Mobile IP

[Figure: Mobile IP with a Foreign Agent (FA) and a Home Agent (HA)]

    (c) Source: http://www.iab.org/Workshops/IAB-wireless-workshop/

Binding update issue: If I change FA, how do I tell the home agent and the previous FA such that no-one else can spoof that message? And in a performant, scalable manner? Mobile IPv6 has this problem (no FA though, just care-of address)

142/171

J2ME

J2ME includes some security primitives for code signing and to support (some) application security

    (c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/ & (c) Sun Microsystems Inc.

143/171

Common security issues

Over the air (OTA) confidentiality

But don't ignore e.g. microwave links used after a base station!

Data origin authentication/integrity for some data and some origins

Bad use of cryptography

Various types of fraud

Cloning of hosts

Re-direction to premium rate

Authentication of node or user?

144/171

Security relevant differences

GSM's subscription model vs. 802.11's lack of a subscriber model

145/171

GSM Security

[Figure: GSM authentication and encryption across the radio link. The SIM in the Mobile Station and the GSM operator each hold the subscriber key Ki. The operator sends the challenge RAND; both sides compute SRES = A3(Ki, RAND) and Kc = A8(Ki, RAND). The Mobile Station returns the signed response (SRES). Authentication: are the SRES values equal? Frames mi are then encrypted with A5 under Kc and the frame number Fn and sent as encrypted data.]
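The challenge-response in the figure, modelled in both directions as an added example (not code from the slides or from any operator). The real A3 and A8 are operator-chosen algorithms, so HMAC-SHA256 stands in for both here, truncated to GSM's output sizes (SRES 32 bits, Kc 64 bits); the `Sim` and `Auc` classes, the `a3`/`a8` stand-ins and the Ki and RAND values are all constructed for the example. It also makes concrete the point on the "GSM crypto breaks" slide: the network checks the MS's SRES, but nothing in the exchange lets the MS check who sent the RAND.

```python
"""Model of the GSM challenge-response (A3/A8) on the slide.  Added example,
not the slides' or any operator's code.  The real A3/A8 are operator-chosen,
so HMAC-SHA256 stands in for both here, truncated to GSM's sizes: SRES is
32 bits, Kc is 64 bits.  Ki and RAND values are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: the 32-bit signed response SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: the 64-bit cipher key Kc handed to A5."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Sim:
    """Mobile Station side.  Ki never leaves the SIM; the SIM answers any
    RAND it is given, since GSM gives it no way to tell who sent it."""

    def __init__(self, ki: bytes) -> None:
        self.ki = ki
        self.kc: Optional[bytes] = None

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        self.kc = a8(self.ki, rand)     # kept locally, used by A5 later
        return a3(self.ki, rand)        # only SRES crosses the radio link


class Auc:
    """Operator side (AUC/HLR): holds Ki per subscriber and issues
    (RAND, SRES, Kc) triplets to the MSC/VLR that performs the check."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self.subscribers = subscribers

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        rand = rand if rand is not None else os.urandom(16)   # 128-bit RAND
        ki = self.subscribers[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


def authenticate(auc: Auc, imsi: str, sim: Sim,
                 rand: Optional[bytes] = None) -> Tuple[bool, Optional[bytes]]:
    """Network authenticates the MS: send RAND, compare the returned SRES
    with the AUC's expected value.  Returns (success, Kc for A5 or None).
    Nothing in this exchange authenticates the network to the MS."""
    rand, expected_sres, kc = auc.triplet(imsi, rand)
    sres = sim.run_gsm_algorithm(rand)          # over the air: RAND -> SRES
    ok = hmac.compare_digest(sres, expected_sres)
    return ok, (kc if ok else None)
```

A SIM with the wrong Ki fails the SRES comparison and gets no Kc, which is the protection GSM does provide; a `Sim` will still compute and return an SRES for a RAND from any source, which is the gap a rogue base station exploits and the reason later systems added network authentication.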

146/171

GSM crypto breaks

Several researchers have developed breaks of GSM's use of encryption

Typically involve some known plaintext and quite intensive (though do-able) memory and processing

e.g. Goldberg, Wagner, Green: requires difference in the plaintext of two GSM frames which are exactly 2^11 frames apart (6 seconds), with time complexity of 2^16 dot products of 114-bit vectors.

Base stations can also be impersonated

No authentication of BSC to ME!

    (c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/

147/171

GSM Attack Details

GSM Encryption uses A5:

A5/0 - no encryption

A5/1 - strong encryption

A5/2 - export (i.e. designed weak) encryption

All use a 64-bit key generated from the network's challenge

Same key bits regardless of algorithm!!!

148/171

GSM Attack Details (2)

A5 is a stream cipher

Applied after error correcting bits are added

even though the attacker might not know the values of particular input bits, they know that certain groups of them XOR to 0

taking the same groups of encrypted bits and XORing them reveals the corresponding XOR of the keystream bits

149/171

GSM Attack Details (3)

Numbers:

A5/2 passive attack (eavesdropping) requires milliseconds of ciphertext!

A5/1 ciphertext only attack: 5 minutes of intercepted frames (doesn't have to be one call)

4.4 terabytes of disk, a lab full of 2003 AD type PCs for a year's worth of one-time precomputation

Active attacks: bid down to A5/2

150/171

IEEE 802.11 security

Wardriving / boating

    http://www.catalina42.org/war-sail/

Picking up IEEE 802.11 access points as you cycle/drive/fly/sail past. Many of these give (sometimes intentionally) open access to the Internet

151/171

802.11 security overview

Good setup depends on network topology

There are a few choices

WEP is broken and IPsec should be used instead as much as possible (probably in tunnel mode)

TLS should then be used wherever sensible above IPsec (e.g. IMAP over SSL)

Then secure applications should be used where possible

Probably based on proprietary protocols (which may make use of standard constructs like PKCS#7)

152/171

WEP Encapsulation

[Figure: frame before encapsulation: 802.11 Hdr | Data. After encapsulation: 802.11 Hdr | IV | Data | ICV. Encapsulate / Decapsulate.]

WEP Encapsulation Summary:

Encryption Algorithm = RC4

Per-packet encryption key = 24-bit IV concatenated to a pre-shared key

WEP allows IV to be reused with any frame

Data integrity provided by CRC-32 of the plaintext data (the ICV)

Data and ICV are encrypted under the per-packet encryption key

153/171

Properties of Vernam Ciphers (1)

The WEP encryption algorithm RC4 is a Vernam Cipher:

[Figure: the encryption key K drives a pseudo-random number generator that outputs a random byte b; the plaintext data byte p is combined with b to give the ciphertext data byte c = p ⊕ b.]

Decryption works the same way: p = c ⊕ b

154/171

Properties of Vernam Ciphers (2)

Thought experiment 1: what happens when p1 and p2 are encrypted under the same random byte b?

c1 = p1 ⊕ b, c2 = p2 ⊕ b

Then: c1 ⊕ c2 = (p1 ⊕ b) ⊕ (p2 ⊕ b) = p1 ⊕ p2

Conclusion: it is a very bad idea to encrypt any two bytes of data using the same byte output by a Vernam Cipher PRNG.
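The WEP encapsulation summary and the thought experiment above, carried out in code as an added example (not code from the slides or from any 802.11 implementation): an RC4 keystream is XORed over the data plus a CRC-32 ICV, the 24-bit IV is prepended in the clear, and encapsulating two frames under one IV shows that the XOR of the two ciphertexts equals the XOR of the plaintexts. The function names, the pre-shared key, IVs and payloads are all constructed for the example; the little-endian ICV byte order is an assumption of this model.

```python
"""WEP-style encapsulation (RC4 keystream, CRC-32 ICV) and the keystream-reuse
property of a Vernam cipher.  Added example, not code from the slides.
Key, IVs and payloads used here are constructed sample values."""
import struct
import zlib
from typing import Optional

IV_LEN = 3      # WEP carries a 24-bit IV in the clear in front of the data


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of equal-length inputs (the Vernam step c = p XOR b)."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(psk: bytes, data: bytes, iv: bytes) -> bytes:
    """IV || RC4(IV||PSK, data || ICV), with ICV = CRC-32 of the plaintext.
    The per-packet key is the 24-bit IV prepended to the pre-shared key, and
    nothing here stops a caller from reusing an IV (WEP does not either)."""
    icv = struct.pack("<I", zlib.crc32(data))   # ICV stored little-endian (assumed)
    body = data + icv
    return iv + xor_bytes(body, rc4_keystream(iv + psk, len(body)))


def wep_decapsulate(psk: bytes, frame: bytes) -> Optional[bytes]:
    """Strip the IV, decrypt with the same keystream, check the ICV.
    Returns the data, or None when the CRC does not match."""
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    body = xor_bytes(ciphertext, rc4_keystream(iv + psk, len(ciphertext)))
    data, icv = body[:-4], body[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(data):
        return None
    return data


def iv_reuse_leak(psk: bytes, p1: bytes, p2: bytes, iv: bytes) -> bytes:
    """Thought experiment 1 on the wire: two frames under the same IV (hence
    the same keystream) give c1 XOR c2 == p1 XOR p2 over their common length,
    computed from the ciphertexts alone, without the pre-shared key."""
    c1 = wep_encapsulate(psk, p1, iv)[IV_LEN:]
    c2 = wep_encapsulate(psk, p2, iv)[IV_LEN:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n])
```

The ICV check catches transmission errors and a wrong key, but it is a CRC rather than a keyed MAC, and the IV is only 24 bits with no rule against reuse; both are the properties the later slides build on.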

155/171

How to Read WEP Encrypted Traffic (1)

By the Birthday Paradox, the probability P_n that two packets will share the same IV after n packets is P_2 = 1/2^24 after two frames and P_n = P_{n-1} + (n-1)(1 - P_{n-1})/2^24 for n > 2.

50% chance of a collision exists already after only 4823 packets!!!

Pattern recognition can disentangle the XOR-ed recovered plaintext.

Recovered ICV can tell you when you've disentangled plaintext correctly.

After only a few hours of observation, you can recover all 2^24 key streams.

[Figure: 802.11 Hdr | IV | Data | ICV. The IV: "24 luxurious bits". Data and ICV encrypted under Key + IV using a Vernam Cipher.]
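The recurrence above evaluated as an added example (not code from the slides): it reproduces the 4823-frame figure for a 50% collision chance and adds the closed-form birthday estimate, which generalises the check to any IV or nonce size. The function names and the `IV_SPACE` constant are this example's own.

```python
"""IV-collision probability for WEP's 24-bit IV, using the recurrence from
the slide.  Added example, not the slides' own code."""
import math

IV_SPACE = 2 ** 24      # number of distinct 24-bit IVs


def collision_probability(n: int, space: int = IV_SPACE) -> float:
    """P_n, the probability that at least two of n frames share an IV:
    P_1 = 0, P_2 = 1/space, P_n = P_{n-1} + (n-1)(1 - P_{n-1})/space.
    Given no collision among the first n-1 frames, their IVs are distinct,
    so the n-th frame collides with probability (n-1)/space."""
    p = 0.0
    for k in range(2, n + 1):
        p += (k - 1) * (1.0 - p) / space
    return p


def frames_for_probability(target: float, space: int = IV_SPACE) -> int:
    """Smallest n such that P_n >= target (the slide's 4823 for 50%)."""
    p, n = 0.0, 1
    while p < target:
        n += 1
        p += (n - 1) * (1.0 - p) / space
    return n


def birthday_estimate(target: float, space: int = IV_SPACE) -> float:
    """Closed-form birthday-bound estimate n ~ sqrt(2 * space * ln(1/(1-target))),
    for checking the recurrence and for sizing other IV or nonce spaces."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - target)))
```

Run against a larger `space` (for example a 64-bit or 96-bit nonce) the same functions show why later designs moved to wider, per-key nonces with reuse ruled out by construction.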

156/171

How to Read WEP Encrypted Traffic (2)

Ways to accelerate the process:

Send spam into the network: no pattern recognition required!

Get the victim to send e-mail to you

The AP creates the plaintext for you!

Decrypt packets from one Station to another via an Access Point

If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other

157/171

Fixing WEP

Protect against ALL known threats:

IV Collisions

Weak Keys

Message Forgery

Replay

Two alternatives: Short-term and long-term

Short-term: Temporal Key Integrity Protocol (TKIP)

Does not require new hardware (but firmware/software)

Some performance penalty

Longer term: Move to AES based primitives with proper key management

158/171

The 802.11x security scheme

159/171

A reasonable 802.11 configuration

    http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

160/171

WLAN topologies

Sensible network topologies

Corporate (small WLAN)

Corporate (widespread WLAN)

Service provider

Volunteerism

Network topology issues

Network access

Address allocation (DHCP)

NAT/private addresses

Firewall location and rulesets

161/171

Some Interesting Networks

Mobile Ad-hoc networks:

Idea is that a network emerges from nodes which just happen to be in the vicinity (AODV)

Delay tolerant networks

Sensor networks

Issues:

Mainly academic at the moment

Security not really thought all the way through for these yet

162/171

Pervasive / Ubiquitous Computing

What if loads and loads of things (doors, TVs, couches) were nodes on a network?

Hot topic

How do you secure these systems?

TCD and partners SECURE project http://secure.dsg.cs.tcd.ie/

163/171

Conclusions (1)

There are a range of different types of mobile network

GSM and 802.11 are the interesting ones

Security hasn't been handled well for these

Nor was it for the wired Internet for a loooong time!

There are substantial security problems with today's deployed mobile networks

So, overlaying a VPN is probably a good idea in most cases

And overlay that with TLS and that with application security if you can

164/171

Conclusions (2)

Users are generally less in control of mobile networks

Bandwidth is allocated

Manufacturer/Operator/Subscriber model differs from wired Internet

e.g. Closed operating systems

Network security is given and not easily fixed/managed

So, try to gain control of your applications and try to secure the applications themselves

Better if wireless technology changes anyway

Can create a porting headache though

165/171

Acknowledgements

Some of these slides have been inspired by / borrowed from some well-received presentations made in different parts of the world.

All inspired / reused slides either carry their respective copyright information on them or have been acknowledged about their sources in a group just after / before their respective usage herein.

These slides are being used here purely for instructional purposes during a live session for the registered students of

166/171

Any questions?

    Thank you!

167/171

Case Study of a Network-Based Multi-site Collaboration System Design

BITS-Connect 2.0 built atop the MPLS Cloud, not cloud computing!

168/171

    Project BITS-Connect 2.0

    The Immersive Tele-presence Rooms

169/171

This is how an 18-seater immersive tele-presence room looks like at all the Indian campuses.

Chancellor's office is equipped with one two-seater system.
