Browsing by Author "Riaz, Maria"
Item: BGP and its Security Vulnerabilities (2020-09-01)
Nummisalo, Leia; Riaz, Maria; Sähkötekniikan korkeakoulu; Aalto, Samuli

Item: Cooperative Firewall Signaling over SCION (2022-01-24)
Chandrashekar, Dheeraj; Riaz, Maria; Sähkötekniikan korkeakoulu; Kantola, Raimo

5th Generation (5G) and Internet of Things (IoT) have contributed to the rise in connected devices, which in turn has exhausted the available set of IP addresses. NAT is a popular solution that solves the IP exhaustion problem but suffers from a reachability issue. Customer Edge Switching (CES) is a firewall solution intended to replace the traditional NAT by enforcing cooperative behavior. While CES solves the reachability issue, it is still troubled by some of the typical attacks present on the current Internet. Scalability, Control, and Isolation on Next-Generation Networks (SCION) is a new Internet architecture designed to provide effective point-to-point packet delivery. Realizing the SCION network would require changes to infrastructure and the protocol stack. However, SCION provides an application for the end-hosts in an IP network to connect to SCION using the SCION-IP-Gateway (SIG). SCION does not provide any defensive mechanism for application-layer DoS attacks, while CES does. Having an end-system-focused trust solution over SCION would provide defense against trivial attacks and application-layer DoS attacks. End-domains can benefit from the integration of CES and SCION, where CES provides host-level authenticity through the cooperative behavior concept, and SCION provides network-level security by design. In this thesis, the control plane/signaling traffic between the two CES nodes is switched from routed IP to SCION whenever available using SIG. The implementation is carried out in three phases: Proactive, Reactive, and Monitor phases, and verified with a range of tests such as design verification, delay calculation of CETP optimization, and SIG performance.

The evidence suggests that the solution has no change from an end-user perspective. SCION's SIG is stable and provides good performance. The solution is the first prototype of an end-to-end, client-to-server trustworthy communication and service solution over the wide-area network.

Item: Extending the Functionality of the Realm Gateway (2019-10-21)
Riaz, Maria; Tilli, Juha-Matti; Kabir, Hammad; Sähkötekniikan korkeakoulu; Kantola, Raimo

The promise of 5G and Internet of Things (IoT) expects the coming years to witness substantial growth of connected devices. This increase in the number of connected devices further aggravates the IPv4 address exhaustion problem. Network Address Translation (NAT) is a widely known solution to cater to the issue of IPv4 address depletion, but it poses an issue of reachability. Since the Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) application layer protocols play a vital role in the communication of mobile devices and IoT devices, the NAT reachability problem needs to be addressed particularly for these protocols. Realm Gateway (RGW) is a solution proposed to overcome the NAT traversal issue. It acts as a Destination NAT (DNAT) for inbound connections initiated towards the private hosts while acting as a Source NAT (SNAT) for connections in the outbound direction. The DNAT functionality of RGW is based on a circular pool algorithm that relies on the Domain Name System (DNS) queries sent by the client to maintain the correct connection state. However, an additional reverse proxy is needed with RGW for dealing with HTTP and HTTPS connections. In this thesis, a custom Application Layer Gateway (ALG) is designed to enable end-to-end communication between public clients and private web servers over HTTP and HTTPS. The ALG replaces the reverse proxy used in the original RGW software.

Our solution uses a custom parser-lexer for hostname detection and routing of the traffic to the correct back-end web server. Furthermore, we integrated the RGW with a policy management system called Security Policy Management (SPM) for storing and retrieving the policies of RGW. We analyzed the impact of the new extensions on the performance of RGW in terms of scalability and computational overhead. Our analysis shows that the ALG's performance is directly dependent on the hardware specification of the system. The ALG has an advantage over the reverse proxy as it does not require the private keys of the back-end servers for forwarding the encrypted HTTPS traffic. Therefore, using a system with powerful processing capabilities improves the performance of RGW, as the ALG outperforms the NGINX reverse proxy used in the original RGW solution.

Item: Quality-aware trajectory planning of cellular connected UAVs (2020-09-25)
Sheikh, Muhammad Usman; Riaz, Maria; Jameel, Furqan; Jäntti, Riku; Sharma, Navuday; Sharma, Vishal; Alazab, Mamoun; Department of Communications and Networking; Department of Electronics and Nanoengineering; Communication Engineering; Network Security and Trust; Charles Darwin University

The use of Unmanned Aerial Vehicles (UAVs) is becoming common in our daily lives, and cellular networks are effective in providing support services to UAVs for long-range applications. The main target of this paper is to propose a modified form of well-known graph search methods, i.e., Dijkstra and A-star (also known as the A* algorithm), for quality-aware trajectory planning of the UAV. The aerial quality map of the propagation environment is used as an input for UAV trajectory planning, and the quality metric considered for this work is Signal to Interference plus Noise Ratio (SINR). The UAV trajectory is quantified in terms of three performance metrics, i.e., path length, Quality Outage Ratio (QOR), and maximum Quality Outage Duration (QOD).

The proposed path planning algorithm aims at achieving a trade-off between the path length and other quality metrics of the UAV trajectory. The simulations are performed using an agreed 3GPP macro cell LOS scenario for UAVs in MATLAB. Simulation results illustrate that the proposed algorithm significantly improves the QOR by slightly increasing the path length compared with the naive shortest path. Similarly, the outage avoidance path achieves high QOR at the expense of a large path length, and our proposed method finds a compromise and provides an optimal quality-aware path.

Item: Sec-ALG: An Open-source Application Layer Gateway for Secure Access to Private Networks (IEEE, 2020-08)
Riaz, Maria; Tilli, Juha-Matti; Kantola, Raimo; Department of Communications and Networking; Network Security and Trust

Middleboxes such as Network Address Translators (NATs), proxy servers or Application Layer Gateways (ALGs) provide remote access to end-hosts in the private address space. The middleboxes offer proprietary solutions, and encrypted traffic poses a challenge when middleboxes employ packet payload inspection techniques for connection establishment. Session key sharing and decryption followed by re-encryption of the traffic, for correctly routing to the private host, increases the connection latency and also poses a higher threat in case of traffic interception by a malicious third party. In this paper, we present a novel open-source ALG, called Sec-ALG, for providing secure end-to-end communication to web servers situated in the private address space. Sec-ALG relies on the technique of light Deep Packet Inspection (DPI) for protocol detection and session establishment using a novel parser-lexer generator called YaLe. The proposed approach offers increased security by maintaining end-to-end encryption for an HTTPS connection.

Our experimental analysis demonstrates that Sec-ALG reduces the HTTPS connection latency in comparison to the NGINX reverse proxy using a 24-core host machine. Moreover, Sec-ALG handles requests at a three-fold increased rate compared to the NGINX proxy when tested with 100 concurrent connections. The ALG can be used either as a standalone solution or as a component of the Realm Gateway, which is a generic interworking solution between public and private networks. The presented work is part of extensive ongoing research at Aalto University focusing on embedding policy-based trust into the network.

Item: Usable Orchestration for Customer Edge Switching (2022-06-13)
Hadayat, Iqra; Riaz, Maria; Perustieteiden korkeakoulu; Kantola, Raimo

Customer Edge Switching (CES) is a network solution that sits at the network edge and addresses the issue of NAT traversal. To do so without sacrificing security, it provides cooperative firewalling between the connected customer networks and the served hosts. The CES solution comprises three network functions, namely NAT, Cooperative firewall and Realm gateway. To test the working of CES, a containerised single-shot network orchestration environment was implemented using LXC containers and published with the CES repository. To prepare CES for the challenges of future networks, we propose to develop a system that allows it to offload tasks to remote servers through cloud computing. This way it will be able to scale up or down depending on the changing resource demand. As a first step towards total cloudification of CES, in this thesis, we intend to develop a user interface (UI) that will allow quickly setting up any kind of test network configuration with the required number of CES and RGW nodes (and other elements) needed in the test scenario. In this thesis, we present the architecture and implementation of our web-based test network orchestration.

We implemented an easy-to-use web interface for the end user and located all the major complexity related to network orchestration in the backend. The frontend and backend systems interact with each other via a well-established REST interface to serve the requests of a frontend user. The user interface presents a dashboard giving an overview of the test network and allows the user to manage the containers and services running on them at the click of a button. The thesis also presents an evaluation of our implementation and reveals that our web-based orchestration solution has significantly reduced the launch time of containers as well as the launch time of the whole test network. Towards the end, we have also identified bottlenecks to fully automating CES deployment at the network edge and recommend that these should be addressed in future work.