DOCSLIB.ORG

Facilitating the Deployment of Ad-Hoc Virtual Organizations With

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Facilitating the Deployment of Ad-Hoc Virtual Organizations With FacilitatingtheDeploymentofAd-hocVirtual Organizations with Integrated Social and Overlay Networks Renato J. Figueiredo, P. Oscar Boykin, Pierre St. Juste, and David Wolinsky Advanced Computing and Information Systems, University of Florida Gainesville, FL 32611 [email protected]fl.edu, [email protected]fl.edu, ptony82@ufl.edu, davidiw@ufl.edu ABSTRACT fact that, while commodity computers have become increas- Deploying virtual organizations (VOs) is difficult for small- ingly cheaper and faster, the management overhead asso- and medium-scale collaborations: the overheads in estab- ciated with deploying cross-organization, wide-area cyber- lishing and managing trust, and in deploying and managing infrastructures can be larger than researchers are able to computational resources distributed across multiple organi- afford. This is often the case in small- and medium-scale zations are daunting to many potential users, presenting a efforts and those involving institutions which do not have barrier to entry that significantly hinders wider deployment extensive personnel to manage the requirements of main- of VOs. We advocate an approach where social networking taining complex computational resources. and self-configuring overlay virtual networks are integrated A key management overhead associated with initiating a in a novel way that allows simple deployment and manage- VO is the establishment of trust among its participating ment of ad-hoc infrastructures for VOs. There are three cen- entities, typically by means of establishing a Public Key tral principles in our approach: (1) user relationships which Infrastructure (PKI) certificate authority. Furthermore, a have been increasingly recorded in social networking systems key management overhead in sustaining a VO is the sys- provide the opportunity to bootstrap trust relationships; (2) tem administration of distributed, cross-domain computing connections established at a social networking layer can effi- resources and associated software and middleware. In this ciently be mapped to the IP layer of virtual network overlays paper we investigate a systems approach which can reduce to support existing TCP/IP applications for collaboration both overheads through a novel approach integrating social and resource sharing while maintaining security against un- and overlay networks into social virtual private networks trusted parties; and (3) systems integrating social and vir- (VPNs). Social VPNs are self-managing network overlays in- tualnetworkscanbeself-configuring,enablingdeployment terconnecting wide-area resources where trust is established of collaborative infrastructures by non-experts. We discuss by leveraging relationships taken from social networks. motivations for this approach, describe a prototype imple- Today’s social networking infrastructures allow users to mentation which integrates the Facebook social network and manage and document their connections to others, thereby the IPOP overlay network, and discuss a use case scenario recording some aspect of the trust relationships between towards ad-hoc social cycle-sharing virtual Condor pools. users. Users record their personal information in profiles and are able to discover profiles of other peers in the system. In typical social networking infrastructures, the information Categories and Subject Descriptors stored in these profiles allows users to make decisions about C.2.4 [Distributed systems] whether they would be willing to be linked to other peers. These infrastructures have been proven to have Web-based General Terms interfaces that are very user-friendly: surveys have shown that a large percentage of Internet users now routinely in- Security, Human Factors teract with social networking Web sites [9]. We argue that the user interfaces of social networking infrastructures can 1. INTRODUCTION be leveraged to facilitate the establishment of trust among While there are several examples of successful large-scale users to bootstrap ad-hoc small- and medium-scale VOs. Virtual Organizations (VOs) in computational science and Furthermore, the social infrastructure can be used to facil- engineering, wide-spread adoption of VOs has yet to be at- itate the exchange of cryptographic keys that can then be tained. A major contributing factor to this situation is the used for secure communication among peers through inte- gration with IP overlay networks that establish peer-to-peer connectivity even in the presence of NATs and firewalls [5]. The goal is to securely interconnect Internet users, where Permission to make digital or hard copies of all or part of this work for end-to-end, point-to-point virtual network links are created, personal or classroom use is granted without fee provided that copies are automatically, as a result of connections established through not made or distributed for profit or commercial advantage and that copies social network infrastructures. In this approach, the only bear this notice and the full citation on the first page. To copy otherwise, to configuration required from users is the creation and man- republish, to post on servers or to redistribute to lists, requires prior specific agement of social connections; the configuration and mainte- permission and/or a fee. HPDC’08, June 23–27, 2008, Boston, Massachusetts, USA. nance of IP network connections is self-managing and com- Copyright 2008 ACM 978-1-59593-997-5/08/06 ...$5.00. 201 carol.facebook.ipop 10.10.0.2 virtual IP address automatically via DHCP, generates a pri- PrivKc, PubKa0-2, PubKb node0.alice.facebook.ipop vate/public key pair, binds Alice’s user name in the social 10.10.0.3 network and her virtual IP address to a self-signed certifi- Overlay network cate, and publishes her public key to the social networking Bob.facebook.ipop (e.g. IPOP) site. The virtual router also periodically polls for her list 10.10.0.1 node1.alice.facebook.ipop PrivKb, PubKa0-2, PubKc 10.10.0.4 of friends in the social network, and configures their X.509 Social certificates to be used by its IPsec stack. Bob and Carol Network API go through the same exact process of downloading and in- Alice: keys=PubKa0, PubKa1, PubKa2, links={Bob, Carol} Bob: key=PubKb, links={Alice, Carol} stalling the self-configuring virtual router. At the end of Carol: key=PubKc, links={Alice, Bob} this procedure, the three users can communicate seamlessly Social network Information system and securely with each other for collaboration tasks such Social network as conferencing, desktop sharing, data sharing, even though (e.g. Facebook) they might be behind different NATs and firewalls. As other Alice Social users are added to an individual’s social network list, they Network Web interface are also added to the list of social VPN participants for that Bob Carol individual only through point-to-point cryptographically au- thenticated/encrypted links. Figure 1: Integration of social and overlay networks to Use case scenario 2: ad-hoc cycle sharing: Encouraged support ad-hoc VOs. In the example, users Alice, Bob by their accomplishment, Alice, Bob and Carol now plan to and Carol have used a Web interface and information share pools of local resources each one has in their own labs. available from profiles to establish social links (bottom The social VPN virtual router they download is packaged half). The information stored in the social networking in a virtual machine appliance which also integrates a batch infrastructure is accessed through an API by overlay vir- job scheduler which self-configures a pool of resources for tual networking middleware to exchange keys and con- opportunistic computing, such as in the Condor-based [10] figure a VPN stack (e.g. IPsec) and establish secure Grid appliance. Each appliance instance obtains a different connections among user resources. Resources are bound virtual IP address, which again is automatically and trans- to virtual private IP addresses belonging to an isolated parently self-signed with the owner’s respective key, allowing IP namespace in the overlay; virtual DNS entries are de- multiple appliances to be bound to the same identity. rived from social network identities and mapped to the Use case scenario 3: grouping and trust delegation: Alice, numeric virtual IP addresses to facilitate discovery. Bob and Carol start interacting with other researchers in their field and the number of interested participants starts to grow. Initially adding such participants to their indi- pletely transparent to users. Social networking enables ad- vidual list of contacts, they eventually decide to delegate hoc VOs where no central administration is needed and users management to an entity they trust, Trent. In doing so, are able to establish and maintain their individual trust re- they configure their virtual router appliances to also trust lationships with friendly interfaces in a way that can be ac- Trent’s friends list. Every participant in this VO should cessed through APIs. Overlay networking is key to enable now seek a connection with Trent to be able to exchange a system where private tunneling is setup and maintained keys with other participants. This scenario is now similar without requiring central administration. to a typical VO, where Trent acts as a certificate authority The social VPN functionality is thus accomplished with- responsible for adding trusted users to the group according out burdening users with the complex, error-prone config- to some policy established by the group, and revoking those uration typically required to bring up public key and net- who may no longer be trusted.
Load more

Recommended publications
  • Deploying IBM Spectrum Accelerate on Cloud
    Front cover Deploying IBM Spectrum Accelerate on Cloud Bert Dufrasne Nancy Kinney Donald Mathisen Christopher Moore Markus Oscheka Ralf Wohlfarth Eric Zhang Redpaper International Technical Support Organization Deploying IBM Spectrum Accelerate on Cloud December 2015 REDP-5261-00 Note: Before using this information and the product it supports, read the information in “Notices” on page v. First Edition (December 2015) This edition applies to IBM Spectrum Accelerate Version 11.5 © Copyright International Business Machines Corporation 2015. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . .v Trademarks . vi IBM Redbooks promotions . vii Preface . ix Authors. ix Now you can become a published author, too . xi Comments welcome. xi Stay connected to IBM Redbooks . xi Chapter 1. Introducing IBM SoftLayer and IBM Spectrum Accelerate . 1 1.1 IBM Cloud computing overview. 2 1.2 IBM SoftLayer Cloud overview . 3 1.3 IBM Spectrum Accelerate . 6 1.3.1 IBM Spectrum Accelerate on Cloud . 7 Chapter 2. IBM Spectrum Accelerate on Cloud . 9 2.1 Description of service . 10 2.2 Customer responsibilities . 11 2.3 Configuration types . 11 2.4 Hardware in SoftLayer data centers . 12 2.5 Ordering process. 12 2.5.1 Order process flow . 12 2.6 Changes to the existing configuration . 13 2.6.1 Increasing capacity and performance . 13 2.6.2 Capacity and performance reduction . 13 2.6.3 Termination of service. 13 2.7 Restrictions . 14 2.7.1 Ordering for use in customer SoftLayer account. 14 2.8 Connectivity.
    [Show full text]
  • Distributed Automatic Configuration of Complex Ipsec
    J Netw Syst Manage (2010) 18:300–326 DOI 10.1007/s10922-010-9168-7 Distributed Automatic Configuration of Complex IPsec-Infrastructures Michael Rossberg • Guenter Schaefer • Thorsten Strufe Published online: 30 May 2010 Ó Springer Science+Business Media, LLC 2010 Abstract The Internet Protocol Security Architecture IPsec is hard to deploy in large, nested, or dynamic scenarios. The major reason for this is the need for manual configuration of the cryptographic tunnels, which grows quadratically with the total amount of IPsec gateways. This way of configuration is error-prone, cost-intensive and rather static. When private addresses are used in the protected subnetworks, the problem becomes even worse as the routing cannot rely on public infrastructures. In this article, we present a fully automated approach for the distributed configuration of IPsec domains. Utilizing peer-to-peer technology, our approach scales well with respect to the number of managed IPsec gateways, reacts robust to network failures, and supports the configuration of nested networks with private address spaces. We analyze the security requirements and further desirable properties of IPsec policy negotiation, and show that the distribution of security policy configuration does not impair security of transmitted user data in the resulting virtual private network (VPN). Results of a prototype implementation and simulation study reveal that the approach offers good characteristics for example with respect to quick reconfigu- ration of all gateways after a central power failure (robustness), or after insertion of new gateways (scalability and agility). M. Rossberg (&) Á G. Schaefer Technische Universita¨t Ilmenau, Telematics and Computer Networks Group, Postfach 100565, 98684 Ilmenau, Germany e-mail: [email protected] G.
    [Show full text]
  • Virtuaalikone Ja -Verkkoympäristön Hyödyntäminen Tietoverkkotekniikan Tutkimus- Ja Opetusympäristöjen Rakentamisessa
    Iikka Jaakkola Virtuaalikone ja -verkkoympäristön hyödyntäminen tietoverkkotekniikan tutkimus- ja opetusympäristöjen rakentamisessa Elektroniikan, tietoliikenteen ja automaation tiedekunta Diplomityö, joka on jätetty opinnäytteenä tarkastettavaksi diplomi-insinöörin tutkintoa varten Espoossa 10.5.2010 Työn valvoja: Prof. Jukka Manner Työn ohjaaja: TkL Markus Peuhkuri i AALTO-YLIOPISTO DIPLOMITYÖN TEKNILLINEN KORKEAKOULU TIIVISTELMÄ Tekijä: Iikka Jaakkola Työn nimi: Virtuaalikone ja -verkkoympäristön hyödyntäminen tietoverkkotekniikan tutkimus- ja opetusympäristöjen rakentamisessa Päivämäärä: 10.5.2010 Kieli: suomi Sivumäärä:55+26 Elektroniikan, tietoliikenteen ja automaation tiedekunta Tietoliikenne- ja tietoverkkotekniikan laitos Professuuri: Tietoverkot Koodi: S-38 Valvoja: Prof. Jukka Manner Ohjaaja: TkL Markus Peuhkuri Työn tavoitteena oli selvittää virtuaalisen tutkimusverkkoyhteyden tarvetta, vaatimuk- sia ja toteutuskelpoista tuomista tutkijoiden ja muiden tahojen, kuten opiskelijoiden, käyttöön. Virtuaalinen ympäristö oli tarkoitus rakentaa maksutta saatavilla olevien vir- tuaalikone- ja VPN-asiakasyhteysohjelmistojen varaan ja sen tulisi olla mahdollista asentaa tutkijoiden keskitetysti hallittuihin työasemiin. Lisäksi tutkittiin ratkaisun käyt- tökohteita, joista tärkeimpänä oli testiverkkoihin yhdistäminen. Ratkaisulle asetettavia vaatimuksia selvitettiin tietoturvapolitiikan, loppukäyttäjien, tietojärjestelmien ylläpi- don ja laitteistovaatimusten kannalta. Käyttäjien ja ylläpidon näkemyksiä kyseltiin haastatteluin ja kyselyin.
    [Show full text]
  • Vyos Platform | DATASHEET HOW YOU CAN USE Vyos
    VyOS Platform the power of your environment VyOS is a network operating system which supports most of modern routing protocols and network security features. VyOS runs equally well on bare metal hardware and inside virtual machines, including common cloud platforms. OVERVIEW VyOS is a GNU/ Linux-based operating system which ties many popular open source applications under a single, unified command line interface. VyOS offers features that are inherent to the traditional hardware routers: commit and rollback functionality, built-in configuration versioning and archiving, scripting APIs. At the same time it provides VPN and firewalls options. One of the most popular use cases for VyOS is connecting an existing enterprise network to the cloud infrastructure or connecting networks that hosted at different cloud platform vendors to each other: Benefits: - Open and community-driven nature of development - Enterprise- and service provider networks oriented - Adaptable for any network - from a small office to a data center rack - Arise from the abandoned Vyatta Core system so you can upgrade old Vyatta Core systems to VyOS without reinstallation - Continues to be actively developed and improved by the community. Services offered: - Commercial support - Development services on demand - Private deployments design and configuration for small and medium-sized businesses (ISPs, MSPs and Enterprise users) - Trainings and workshops KEY FEATURES - Wide range of supported VPN technologies: GRE, IPSec, IPSec VTI, OpenVPN, WireGuard - API for working with configuration from shell, Python, and Perl scripts - Physical and virtual hardware supported equally - Command line interface in the style of JunOS - Wide range of COTS hardware and virtual platforms supported - One-step image build process: any users can build custom images for their needs - Support BGP, OSPF routing protocols - QoS for traffic prioritization and shaping - Safe and easy image-based upgrades.
    [Show full text]
  • Cisco ASR900 Series and NCS4200 Series Running IOS-XE 16.9
    Cisco ASR900 Series and NCS4200 Series running IOS-XE 16.9 Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration Version 1.0 11 October 2019 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Cisco ASR900 Series and NCS4200 Series Routers Table of Contents 1 Introduction ........................................................................................................................ 7 1.1 Audience .................................................................................................................... 7 1.2 Purpose ....................................................................................................................... 7 1.3 Document References ................................................................................................ 7 1.4 Supported Hardware and Software ............................................................................ 9 1.4.1 Supported Configurations ...................................................................................... 9 1.5 Operational Environment ......................................................................................... 10 1.6 Excluded Functionality ............................................................................................ 11 2 Secure Acceptance of the TOE ........................................................................................ 12
    [Show full text]
  • User-Defined P2P Virtual Network Overlays for Ad-Hoc Collaboration
    EAI Endorsed Transactions on Collaborative Computing Research Article TinCan: User-Defined P2P Virtual Network Overlays for Ad-hoc Collaboration 1 1 1 2 1 Pierre St Juste∗ , Kyuho Jeong , Heungsik Eom , Corey Baker , Renato Figueiredo 1Advanced Computing and Information Systems Lab, 2Wireless and Mobile Systems Lab Electrical and Computer Engineering, University of Florida, Gainesville, FL, 32611, USA Abstract Virtual private networking (VPN) has become an increasingly important component of a collaboration environment because it ensures private, authenticated communication among participants, using existing collaboration tools, where users are distributed across multiple institutions and can be mobile. The majority of current VPN solutions are based on a centralized VPN model, where all IP traffic is tunneled through a VPN gateway. Nonetheless, there are several use case scenarios that require a model where end-to-end VPN links are tunneled upon existing Internet infrastructure in a peer-to-peer (P2P) fashion, removing the bottleneck of a centralized VPN gateway. We propose a novel virtual network — TinCan — based on peer- to-peer private network tunnels. It reuses existing standards and implementations of services for discovery notification (XMPP), reflection (STUN) and relaying (TURN), facilitating configuration. In this approach, trust relationships maintained by centralized (or federated) services are automatically mapped to TinCan links. In one use scenario, TinCan allows unstructured P2P overlays connecting trusted end-user devices — while only requiring VPN software on user devices and leveraging online social network (OSN) infrastructure already widely deployed. This paper describes the architecture and design of TinCan and presents an experimental evaluation of a prototype supporting Windows, Linux, and Android mobile devices.
    [Show full text]
  • Middleboxes As a Cloud Service
    Middleboxes as a Cloud Service By Justine Marie Sherry A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor Sylvia Ratnasamy, Chair Professor Scott Shenker Professor John Chuang Professor Arvind Krishnamurthy Fall 2016 Middleboxes as a Cloud Service Copyright 2016 by Justine Marie Sherry 1 Abstract Middleboxes as a Cloud Service by Justine Marie Sherry Doctor of Philosophy in Computer Science University of California, Berkeley Professor Sylvia Ratnasamy, Chair Today’s networks do much more than merely deliver packets. Through the deployment of middleboxes, enterprise networks today provide improved security – e.g., filtering malicious content – and performance capabilities – e.g., caching frequently accessed content. Although middleboxes are deployed widely in enterprises, they bring with them many challenges: they are complicated to manage, expensive, prone to failures, and challenge privacy expectations. In this thesis, we aim to bring the benefits of cloud computing to networking. We argue that middlebox services can be outsourced to cloud providers in a similar fashion to how mail, compute, and storage are today outsourced. We begin by presenting APLOMB, a system that allows enterprises to outsource middlebox processing to a third party cloud or ISP. For en- terprise networks, APLOMB can reduce costs, ease management, and provide resources for scalability and failover. For service providers, APLOMB oers new customers and business opportunities, but also presents new challenges. Middleboxes have tighter performance de- mands than existing cloud services, and hence supporting APLOMB requires redesigning software at the cloud.
    [Show full text]
  • VPN Openswan
    VPN OpenSWAN VPN OpenSWAN 1 / 3 2 / 3 Openswan is an implementation of IPsec for Linux and a continuation of the FreeS/WAN project (dating back to 1999).. How to configure ipsec site to site vpn server in Linux. Openswan ipsec vpn configuration for interconnecting two remote private networks using .... Configuring OpenSwan client for use with a FortiGate VPN connection. Components. All FortiGate units. FortiOS version 2.8 and 3.0; OpenSwan .... Creating a repeatable, dynamic site to site VPN with OpenSwan on Ubuntu 10.04 from Amazon EC2 - tutorial.md.. A cheaper alternative is to use a “software VPN” like Openswan that runs on a Linux-based EC2 instance. Although the cost of an m4.large instance on a 3-year .... Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X. 509 Digital Certificates, NAT Traversal, and many others.. OpenSWAN is, without question, the easiest of all the Linux VPN solutions to get operational; but that's not saying much, because the other .... Openswan L2TP/IPsec VPN client setup. From ArchWiki. Jump to navigation Jump to search. Related articles. strongSwan. This article .... In this tutorial we will setup a gateway to gateway IPSec VPN using OpenSwan. The Scenario: The scenario we will use in this guide will be .... This howto explains how to configure an openwrt router to act as an ipsec/l2tp vpn server using openswan and xl2tpd. Introduction. Required .... In the field of computer security, Openswan provides a complete IPsec implementation for Linux ..
    [Show full text]
  • The Center for Autonomic Computing
    Peer-to-peer Virtual Private Networks and Applications Renato Jansen Figueiredo Associate Professor Cloud and Autonomic Computing Center/ACIS Lab University of Florida Visiting Researcher at VU Backdrop Virtual machines in cloud computing On-demand, pay-per-use, user-configurable Federated environments End-to-end Internet connectivity hindered by address space and presence of NATs, firewalls Network virtualization – seamlessly connecting virtual machines across multiple providers Applications Distributed virtual private clusters Education, training in distributed computing Private communication among Internet users extending online social networks 2 Rationale Virtualization techniques for decoupling, isolation, multiplexing also apply to networking E.g. VLANs, VPNs However, there are challenges in configuration, deployment, and management Peer-to-peer techniques provide a basis for scalable routing, and self-management Software routers, integration at network end-points enables deployment over existing infrastructure Architecture, design needs to account for connectivity constraints, and support TCP/IP efficiently; optimize for common cases 3 Application Examples Cloud-bursting Run additional worker VMs on a cloud provider Extending enterprise LAN to cloud VMs – seamless scheduling, data transfers Federated “Inter-cloud” environments Multiple private clouds across various institutions Virtual machines can be deployed on different sites and form a distributed virtual private cluster Hands-on laboratories for classes
    [Show full text]
  • Future After Openvpn and Ipsec
    Ville Korhonen FUTURE AFTER OPENVPN AND IPSEC Computing and Electrical Engineering Master of Science Thesis August 2019 i ABSTRACT Ville Korhonen: Future after OpenVPN and IPsec Master of Science Thesis Tampere University Master’s Degree In Information Technology August 2019 Virtual private networks (VPN) are used to connect private networks of organizations securely over public Internet. Virtual private network offers a secure and encrypted network connection even though the underlying network is public and insecure. In addition to connecting two remote sites with a virtual private network, it is possible to create a virtual private network between a remote worker and an organization site. Virtual private networks allow organizations to build secure connections relatively cheap and fexibly over the Internet. The most widely used virtual private network protocols are IPsec (Internet Protocol Security) and SSL/TLS (Secure Socket Layer/Transport Layer Security) based protocols. IPsec is usually used for connecting two remote sites and SSL/TLS based technologies are used when a remote worker connects to the organization’s resources. Both of these protocols have held a strong po- sition for years even though especially IPsec have been criticized since the day it was born. The goal of this thesis was to investigate are there any alternatives available currently for IPsec and SSL/TLS based virtual private networks and are there protocols or architectures under develop- ment which could be alternatives in the future. Based on the research, IPsec and SSL/TLS based protocols have superseded all older tech- nologies and there aren’t any real alternatives available to them.
    [Show full text]
  • Cisco Catalyst 9200/9200L Series Switches Running IOS-XE 16.12 Common Criteria Operational User Guidance
    Cisco Catalyst 9200/9200L Series Switches running IOS-XE 16.12 Common Criteria Operational User Guidance And Preparative Procedures Version 1.2 17 March 2020 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Cisco Catalyst 9200/9200L Series Switches Table of Contents 1. Introduction 9 1.1 Audience 9 1.2 Purpose 9 1.3 Document References 9 1.4 Supported Hardware and Software 12 1.4.1 Supported Configurations 12 1.5 Operational Environment 13 1.6 Excluded Functionality 13 2. Secure Acceptance of the TOE 15 3. Secure Installation and Configuration 17 3.1 Physical Installation 18 3.2 Initial Setup via Direct Console Connection 18 3.2.1 Options to be chosen during the initial setup of the Catalyst 9200/9200L Series Switches 18 3.2.2 Saving Configuration 19 3.2.3 Secure Remote Management 19 3.2.4 FIPS Mode 20 3.2.5 Administration of Cryptographic Self-Tests 20 3.2.6 Administration of Non-Cryptographic Self-Tests 22 3.2.7 Access Control and Lockout 22 3.2.8 Session Termination 24 3.2.9 User Lockout 24 3.3 Network Protocols and Cryptographic Settings 25 3.3.1 Remote Administration Protocols 25 3.3.2 Authentication Server Protocols 27 3.3.3 Routing Protocols 28 3.3.4 MACSEC and MKA Configuration 28 3.3.5 X.509 Certificates 29 3.3.6 IPsec Overview 34 Page 2 of 74 Cisco Catalyst 9200/9200L Series Switches 3.3.7 Configuration of IPsec 35 3.3.8 Session Protection 44 3.4 Logging Configuration 46 3.4.1 Usage of Embedded Event Manager 48 3.4.2 Remote Logging 48 3.4.3 Logging Protection 48 4.
    [Show full text]
  • Private and Censorship-Resistant Communication Over Public Networks
    Private and Censorship-Resistant Communication over Public Networks Michael John Rogers Thesis submitted for the degree of Doctor of Philosophy of UCL Department of Computer Science University College London University of London 2010 1 I, Michael John Rogers, confirm that the work presented in this thesis is my own. Where information has been derived from other sources, I confirm that this has been indicated in the thesis. 2 Abstract Society’s increasing reliance on digital communication networks is creating unprecedented opportunities for whole- sale surveillance and censorship. This thesis investigates the use of public networks such as the Internet to build robust, private communication systems that can resist monitoring and attacks by powerful adversaries such as national governments. We sketch the design of a censorship-resistant communication system based on peer-to-peer Internet overlays in which the participants only communicate directly with people they know and trust. This ‘friend-to-friend’ approach protects the participants’ privacy, but it also presents two significant challenges. The first is that, as with any peer-to-peer overlay, the users of the system must collectively provide the resources necessary for its operation; some users might prefer to use the system without contributing resources equal to those they consume, and if many users do so, the system may not be able to survive. To address this challenge we present a new game theoretic model of the problem of encouraging cooperation between selfish actors under conditions of scarcity, and develop a strategy for the game that provides rational incentives for cooperation under a wide range of conditions.
    [Show full text]