DOCSLIB.ORG

Master Thesis Electrical Engineering November, 2007

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Master thesis Electrical Engineering November, 2007. Security for Broadband Metropolitan and Wide Area Network at the Access Interface Level Abdulazeez Olayinka and Adenuga Kehinde Department of Electrical Engineering School of Engineering Blekinge institute of technology Se-371 79 karlskrona Sweden. 1 This thesis is submitted to the Department of Electrical Engineering, School of Engineering at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering. Contact Information: Author(s): Abdulazeez Olayinka E-mail: [email protected] Adenuga Kehinde E-mail: [email protected] Advisor: Adrian Popescu E-mail: [email protected] Department of Electrical Engineering. Department of Internet: www.bth.se/tek Electrical Engineering Phone: +46 455 38 50 00 School of Engineering Fax: +46 455 38 50 57 Blekinge institute of technology Se-371 79 karlskrona Sweden. 2 Abstract These thesis report deals with a range of secure high-speed networking over a metropolitan or wide area. Since this is quite active research area, a full report is given of the interfaces that thrive in removing the bandwidth burden from long distance networks. Only those with the status or potential of a standard are taking into consideration. Next, the position of security is evaluated. It is recommended that the access Interface enjoys certain advantages over the upper layers. Hence, the results of this work are directly applicable to virtually any layered communication architecture Amongst the security protocols that are available, the IEEE802.11 represents the only viable solution to have the CLS service properly secured. This protocol is designed for a different type of environment and the implications of this are known. In the real sense, IEEE802.11 proves to be a very valuable tool to built multi-level secure private and public networks using the most recent MAN/WAN technologies. Furthermore, it shows how to enhance the security issues related to Metropolitan and Wide Area Network considering the required security services and mechanism. 3 CONTENTS Chapter one Introduction Chapter two Standardised High-Speed MAN/WAN Technologies 2.1 Introduction 2.2 Earlier Solutions 2.2.1 Use of an Analogue Telephone Line and a Modem. 2.2.2 Packet Switched Data Network. 2.3 New Ground Rules. 2.4 Synchronous Physical Layer Network Interfaces. 2.4.1 Leased Carrier Systems 2.4.2 The Evolution of SONET/SDH 2.5 Asynchronous Transfer Mode (ATM) 2.5.1 ATM Traffic Management 2.6 Wide Area Networks (WANs) 2.6.1 Narrowband Integrated Service Digital Network (N-ISDN) 2.6.2 Broadband Integrated Services Digital Network (B-ISDN) 4 2.7 Metropolitan Area Networking 2.7.1 FDDI 2.7.2 Frame Relay Technologies Chapter Three Security for High-Speed MANs/WANs. 3.1 Introduction 3.2 Security Threats 3.3 Threat Identification 3.4 Security Concerns and TCP/ IP 3.5 Physical Security 3.6 Security Services and Mechanisms 3.7 Why A New Approach Is Needed. Chapter Four Applying IEEE802.11 for Secure WLAN Connection. 4.1 Introduction 4.2 Wireless Local Area Network Topology 4.3 IEEE 802.11 Standards 4.4 Security Threats in Link Layer 4.4.1 Threats in IEEE 802.11 MAC 4.4.2 Threats in IEEE 802.11 WEP 4.5 Security Issues in IEEE 802.11b 4.5.1 Service Set Identifier 4.5.2 MAC-Address Access List 4.6 Wireless Equivalent Privacy 4.7 Deployment of Access Points 4.8 What Need To Be Done To Improve Security Of 802.11b? 5 LIST OF FIGURES 2.1 Typical ―mesh‖ connectivity of a Wide Area Network 2.2 Physical links forming a Ring for the FDDI physical medium. 2.3 The frame structure for frame relay. 3.1 layouts to breakup security threat into difference areas 4.1 An Infrastructure Mode Network 4.2 An Ad Hoc Network 6 List of Tables 2.1 Plesiochronous digital transmission hierarchies (in Mbit/s) 4.1 Summary of IEEE802.11 WLAN Technologies 7 Chapter one Introduction Networking is one of the terms that best manage to capture the fundamental nature and spirit of the present information age. The global interconnection of systems irrespective of their size, that we experience today, has been greatly promoted over the years, as it is of very important in both business and day-to-day activities. The internet has becomes well-known and the services it renders continues to develop. These developments in internet did not leave behind the security problems associated most especially in the wireless networks. Every user want his/her traffic flow to be protected more especially the vital information such as e-commerce and real-time traffics (voice and video traffics). At present, high-speed interconnection is the most active field in the networking arena; special emphasis is given to communication over metropolitan and wide areas. These types of networks are experiencing rapid development similar to what LAN technologies witnessed in the last decades. But what makes this effort so significant is not only that the user notices an enhancement in performance. Until recently network size represented the major bottleneck for further technological advances. It brings about the creation of several independent networks, covering the same wide areas, but addressing various user needs. Having each type of network turned to the provision of a particular service, duplication of network resources is to be anticipated and the user faces an unpleasant financial impact. To deal with these problems, advanced broadband MAN/WAN access interfaces have recently arrived to fill the existing gap in technology. Nowadays, even though the word network makes most people think of a computer network as something not directly touching their lives, whereas network services are used one way or other without realizing it. 8 In the future, any type of information is expected to be carried over a common network platform, as never experienced before. The user will be connected to this ultimate from of network by means of a single fiber, delivering any possible service. For the moment, BISDN is the goal, but there is always the option for it to be outdated by something else as the technology develops. Hence, our concept of networks will change dramatically as regards to the role these have to play in our lives. With the increase in the use of information Technology and communications, security becomes an important issue. As a result, the role of security needs to be re-evaluated, and approach taken in the past to achieve it should be reconsidered. Although security has always been an essential user requirement, only a small group of parties, primarily restricted to the military, banks, and other financial institutions, have presented a serious effort to achieve it. Most of these organizations seriously rely on privately run networks for security. Such a private network can be simply set up by leasing lines from one or more telecommunications companies. But a private network is not automatically a secure network. Hence, extra security mechanisms must be frequently engaged. Generally, it is the actual application that represents the most promising place for tailoring security to the user needs. One example is the Electronic Transfer Funds system in the banking community, where secure communications protocols and cryptographic techniques have been especially developed to protect efficiently sensitive materials, such as cryptographic keys and personal identification numbers (PINS). For the average user, security was always kept to a minimum. The two main reasons for these are: the security which is driven by economic cost and its negative impact on performance as it adds complexity and extra processing. For the most application in the past, this extra cost was simply unjustifiable. Until recently, the great bulk of sensitive information was primary passed over easily controllable local environments. Subsequently, the main concern was how to protect the machines from unlawful access rights to the files stored there and processes running. 9 Communication security was abandoned and this attitude toward security is reflected by the lack of security features that characterizes the early design phase of communication systems and protocols. When the connection with the outside world became necessary, bridges, routers and gateways were engaged not only to provide the required connectivity but also to safeguard the customer environment. The type of protection these devices offered initially was a simple access control mechanism based strictly on address monitoring. These front end security providers came to be known as firewalls, but the truth is that they could be bypass without much effort by a serious attackers. For this reason, sites with higher security requirements configure their networking devices to permit only for one – way establishment of connections (i.e. from the private to the public domain). Even communication protocols designed to provide connectivity over open environments, such as ftp, rlogin, and telnet, are biased towards the end system aim to ease their risk towards illegal access. These protocols do nothing, but to carry user security related information (i.e. passwords) in plaintext. By doing so, no protection whatsoever is offered over the network, and highly sensitive user information is exposed to an open environment. Recently, incidents involving tampered machines acting as servers have become routine in Internet, and the great number of compromised accounts that is made known in each case gives an indication of how serious is the problem. High – speed networking raises some very interesting questions from a security point of view. As described earlier in due course, the full spectrum of services will be offered to the user via a single interface. Most of these services will become available and it is predicted that the financial survival of many businesses will seriously depend on whether or not they will have access to those services.
Recommended publications
  • Multimedia, Internet, On-Line

    Multimedia, Internet, On-Line

    Section IV: Multimedia, the Internet, and On-Line Services High-End Digital Video Applications Larry Amiot Electronic and Computing Technologies Division Argonne National Laboratory The emphasis of this paper is on the high-end applications Internet and Intranet that are driving digital video. The research with which I am involved at Argonne National Laboratory is not done on dig- The packet video networks which currently support many ital video per se, but rather on how the research applications applications such as file transfer, Mbone video (talking at the laboratory drive its requirements for digital video. The heads), and World Wide Web browsing are limiting for high- paper will define what digital video is, what some of its com- quality video because of the low throughput one can achieve ponents are, and then discuss a few applications that are dri- via the Internet or intranets. Examples of national packet ving the development of these components. The focus will be switched networks developed in the last several years include on what digital video means to individuals in the research the National Science Foundation Network (NSFNet). The and education community. Department of Energy had its own network called ESNET, and the National Aeronautics and Space Administration The Digital Video Environment (NASA) had a network as well. Recently, the NSFNet was de- commissioned, and commercial interests are now starting to In 1996, a group of people from several universities in the fill that void. Research and education communities are find- Midwest and from Argonne formed a Video Working Group. ing, however, that this new commercial Internet is too re- This body tried to define the areas of digital video of impor- stricting and does not meet their throughput requirements; it tance to their institutions.
  • Point-To-Point Connections

    Point-To-Point Connections

    CHAPTER 3 Point-to-Point Connections Objectives Upon completion of this chapter ■ What are the fundamentals of point-to-point ■ How is a PPP session established? serial communications across a WAN? ■ How do you configure PPP encapsulation on ■ How do you configure HDLC encapsulation a point-to-point serial link? on a point-to-point serial link? ■ How do you configure PPP authentication ■ What are the benefits of using PPP over protocols? HDLC in a WAN? ■ How are the show and debug commands ■ What is the PPP layered architecture and the used to troubleshoot PPP? functions of LCP and NCP? Key Terms This chapter uses the following key terms. You can find the definitions in the glossary. point-to-point connections page 80 primary station page 99 clock skew page 82 Cisco 7000 page 103 time-division multiplexing (TDM) page 85 trunk lines page 105 statistical time-division multiplexing Link Control Protocol (LCP) page 105 (STDM) page 85 Network Control Protocols (NCPs) page 105 data stream page 85 Novell IPX page 105 transmission link page 85 SNA Control Protocol page 105 demarcation point page 88 Password Authentication Protocol null modem page 91 (PAP) page 119 DS (digital signal level) page 94 Challenge Handshake Authentication Protocol (CHAP) page 119 E1 page 95 fragmentation page 119 E3 page 95 reassembly page 119 bit-oriented page 97 message digest 5 (MD5) page 130 Synchronous Data Link Control (SDLC) page 97 TACACS/TACACS+ page 135 004_9781587133329_ch03.indd4_9781587133329_ch03.indd 7799 33/13/14/13/14 22:56:56 AAMM 80 Connecting Networks Companion Guide Introduction (3.0.1.1) One of the most common types of WAN connections, especially in long-distance communications, is a point-to-point connection, also called a serial or leased line connection.
  • 01 Myhre.Qxp

    01 Myhre.Qxp

    ONE Using Cisco for Remote Access In This Chapter As technology increases in importance to businesses, wide area network (WAN) connectivity becomes a pri- N Overview of WAN mary factor in implementing business practices. WANs Connections are used to connect multiple sites together with a N WAN Considerations medium that can carry data over longer distance than N Product Selection is possible with local area network (LAN) technology. As businesses expand to new geographic regions, thereby becoming more competitive in the market- place, the types of connectivity through WANs can dif- fer greatly. In this chapter we will examine the differ- ent types of WANs that can be used and the consid- erations a business (or consultant) must make to effectively choose the right type. Overview of WAN Connections Although connecting all users to a LAN is ideal because of the high speed and low cost, it is impractical to do so across large distances. These distances can be as close as an office 1 2 Chapter 1 • Using Cisco for Remote Access across the street or as far as an international branch office halfway around the world. These distances require us to examine the types of WANs that are available. For each type, we must keep in mind • Availability: Is the technology available in the area? • Bandwidth: How much do we need, and how much do we get for that type of WAN connection? • Cost: Is there a cheaper connection type that still takes into account future growth? • Ease of management: Is the initial configuration as well as normal oper- ation easy
  • Section II WAN Physical and Data Link Circuits

    Section II WAN Physical and Data Link Circuits

    s Section II WAN Physical and Data Link Circuits Internet Access and Internetworking Remote Sites Each site to be internetworked over the public Internet will require a physical connection to the Internet through an Internet Service Provider (ISP). This section deals with the equipment, connection types and services offered. Setting up access will require that you choose an Internet service provider and obtain a circuit for network access that connects to your provider. In most cases, some equipment will need to be procured for each site. The typical components to internetworking are: Customer Premises Equipment (CPE) CPE devices include a router, firewall, and depending on the circuit, a bridge, multiplexer (MUX) or Channel Service Unit/Digital Service Unit (CSU/DSU). Typically the customer owns, installs and maintains the equipment at the customer site, though often the telecommunications carrier will lease the equipment to the customer as an option. CPE is located where the provider service enters the location and is termed the ‘Demarcation Point’. Telecommunications Company (Telecom Carrier) A Telecom Carrier may offer a variety of choices to the customer that suits different price and performance levels. The simplest is of course, dial-up analog. Most WAN circuit choices are digital such as DS-X, ATM, T-1, T-3, Frame Relay, ISDN-BRI, ISDN-PRI, DSL and Wireless. This circuit can either connect to another of your sites directly in a private network configuration, or it can connect through the Internet via an Internet Service Provider (ISP). The installed circuit is terminated at the customer site demarcation point and connects to the CPE.
  • Connecting to the WAN

    Connecting to the WAN

    CHAPTER 2 Connecting to the WAN Objectives Upon completion of this chapter ■ What is the purpose of a WAN? ■ How do the link connection options available from private WAN infrastructures and public ■ How does a circuit-switched network differ WAN infrastructures differ? from a packet-switched network? ■ What questions should you answer when ■ How do service provider networks connect choosing a WAN link connection? to enterprise networks? Key Terms This chapter uses the following key terms. You can find the definitions in the glossary. service provider page 38 broadband modem page 48 digital subscriber line (DSL) page 40 channel service unit / data service unit (CSU/ DSU) page 48 Point-to-Point Protocol (PPP) page 45 circuit-switched network page 48 Frame Relay page 45 Integrated Services Digital Network Asynchronous Transfer Mode (ATM) (ISDN) page 49 page 45 packet-switched network (PSN) page 50 High-Level Data Link Control (HDLC) page 45 virtual circuit (VC) page 50 customer premises equipment (CPE) private WAN infrastructure page 51 page 46 public WAN infrastructure page 51 data communications equipment Synchronous Optical Networking (DCE) page 46 (SONET) page 52 data terminal equipment (DTE) page 46 Synchronous Digital Hierarchy (SDH) demarcation point page 46 page 52 local loop page 47 light-emitting diodes (LEDs) page 52 central office (CO) page 47 dense wavelength-division multiplexing (DWDM) page 53 toll network page 47 leased lines page 54 dialup modem page 47 Basic Rate Interface (BRI) page 57 access server page 48 003_9781587133329_ch02.indd3_9781587133329_ch02.indd
  • Internet and Intranet Administration

    Internet and Intranet Administration

    Internet and Intranet Administration Course Designer and Acquisition Editor Centre for Information Technology and Engineering Manonmaniam Sundaranar University Tirunelveli Internet and Intranet Administration Centre for Information Technology and Engineering, Manonmaniam Sundaranar University CONTENTS Lecture 1 1 Internet Linking to the Internet Internet address Internet tools Information retrieval tools Communication tools Multimedia information tools Information search tools Lecture 2 12 Intranet Intranet Vs. Groupware Intranet Hardware Intranet Software Intranet Services Extranet Lecture 3 25 Internet server Web protocols Browser Future of internet and intranet Lecture 4 51 The evolution of TCP/IP The rise of the internet TCP/IP protocol architecture TCP/IP core protocols TCP/IP application interfaces Lecture 5 72 IP addressing Basic Address scheme Address classes Dotted-decimal notation Networking basics Host restrictions Subnets Domain name system Lecture 6 90 Subnet mask Subnetting Centre for Information Technology and Engineering, Manonmaniam Sundaranar University Variable length subnetting Supernetting and classless interdomain routing Public & private addresses Lecture 7 110 Internet protocol The ip header Address resolution Tcp source and destination port FTP Telnet Http Lecture 8 127 Network infrastructure Component of network infrastructure Ethernet Token ring Fiber distributed data interface Fast Ethernet Asymmetric digital subscriber line Lecture 9 147 ISP Need of ISP Basic connections Bulletin board systems Not-so-basic
  • 2003 Eligible Services List

    2003 Eligible Services List

    Eligible Services List Of the Schools and Libraries Support Mechanism Overall eligibility requirements for all categories of service: The Eligible Services List indicates whether specific products or services may be able to receive discounts under the Schools and Libraries Support Mechanism. If a product or service is not eligible under program rules, it is labeled “Not Eligible.” If no indication of ineligibility is provided, the product or service may be eligible, depending on details of its use.1 This version of the Eligible Services List is dated October 18, 2002. Items in Bold indicate a modification or clarification of product or service eligibility from the previous Eligible Services List of October 17, 2001. TELECOMMUNICATIONS SERVICES Eligibility Requirements for All Telecommunications Services: To be eligible for support, Telecommunications Services must be provided by an eligible telecommunications provider, that is, one who provides Telecommunications Service on a common carriage basis. A provider/carrier is providing services on a common carriage basis if it holds itself out to provide service generally to the public for a fee. A State commission may upon its own motion or upon request designate a common carrier that meets the requirements as set forth in the Communications Act of 1934, Section 214 {47 U.S.C. 214} (e) (2) Designation of Eligible Telecommunications Carriers. Telecommunications is defined as “the transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received” [47 U.S.C. 153]. Eligibility in this category of service is for the procurement of Telecommunications Services, and not component purchases by applicants.