Flexible Network Architectures: Security Issues and Principles

Bhawana Rudra

CRC Press

Taylor & Francis Group

6000 Broken Sound Parkway NW, Suite 300

Boca Raton, FL 33487-2742

© 2018 by Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

Version Date: 20180306

International Standard Book Number-13: 978-1-1385-0543-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Library of Congress Cataloging-in-Publication Data

Names: Rudra, Bhawana, author.
Title: Flexible network architectures : security issues and principles / by Bhawana Rudra.
Description: First edition. | Boca Raton, Florida : CRC Press/Taylor & Francis Group, [2018] | "CRC Press is an imprint of Taylor & Francis Group, an Informa business." | Includes bibliographical references and index.
Identifiers: LCCN 2017057557 | ISBN 9781138505438 (hardback : acid-free paper) | ISBN 9781351028301 (e-book)
Subjects: LCSH: Computer network architectures. | Computer networks--Security measures.
Classification: LCC TK5105.52 .R83 2018 | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2017057557

Dedication

To my parents, who have guided me and given me inspiration to face the challenges of life. This book and my education would not have been possible without their sacrifices and the encouragement they gave throughout to me and to my lovely sister and brother.

Contents

Foreword . . . xiii
Author . . . xv
Preface . . . xvii
List of Figures . . . xix
List of Tables . . . xxiii
Contributors . . . xxv

1 Putting the Internet Forward to the Next Level . . . 1
1.1 Introduction . . . 1
1.2 Ideas for Current Internet . . . 2
1.3 Internet Design Goals and Principles . . . 4
1.3.1 Design Goals of Internet . . . 5
1.3.2 Internet Design Principles . . . 5
1.3.3 Initiative toward OSI Reference Model . . . 6
1.4 Internet Architectural Principles . . . 7
1.5 The Internet of Today . . . 10
1.6 "Patch-Work" Approaches for Current Internet Conflicts: Critical Review . . . 11
1.6.1 Multicast Routing Limitations . . . 14
1.6.2 ATM Limitations . . . 14
1.6.3 Inter-Domain Routing Limitations . . . 15
1.6.4 Network Layer-Specific Time Interval Limitations . . . 15
1.6.5 Long-Term Problems . . . 15
1.6.6 Medium-Term Problems . . . 16
1.6.7 Short-Term Problems . . . 17
1.6.8 Avoiding New Generation Packet Network Limitations . . . 17
1.6.9 Security Hitches of Current Internet Architecture . . . 17
1.6.9.1 IPSec Limitations . . . 18
1.6.9.2 IPv4, IPv6 and ND Limitations . . . 18
1.6.9.3 Common Attacks in IPv4 and IPv6 . . . 19
1.6.9.4 Security and Trust Limitations . . . 20
1.7 Summary . . . 22

2 Future Internet Global Standardization—State of Play . . . 23
2.1 Introduction . . . 23
2.2 Architectural Review Approaches for Current Internet . . . 23
2.3 Need of Network Architecture . . . 27
2.4 Future Internet Research Issues and Challenges . . . 28
2.4.1 Network Foundation Challenges . . . 28
2.4.2 Pillar Challenges . . . 31
2.4.3 Vision of Future Internet . . . 33
2.5 Future Internet Initiatives . . . 34
2.6 Network Architecture: Recent Advances . . . 34
2.6.1 RBA: Role Based Architecture . . . 36
2.6.2 ANA: Autonomic Network Architecture . . . 37
2.6.3 RNA: Recursive Network Architecture . . . 37
2.6.4 SILO: Service Integration and controL Optimization . . . 38
2.6.5 CCN: Content Centric Network . . . 38
2.6.6 AKARI Future Internet . . . 38
2.6.7 NDN: Named Data Networking . . . 39
2.6.8 Mobility First . . . 40
2.6.9 NEBULA . . . 40
2.6.10 XIA: eXpressive Internet Architecture . . . 40
2.6.11 PONA: Policy Oriented Naming Architecture . . . 41
2.6.12 RINA: Recursive Inter Network Architecture . . . 41
2.6.13 GENI: Global Environment for Network Innovations / FIND: Future Internet Design . . . 41
2.6.14 ChoiceNet . . . 42
2.6.15 SOA: Service Oriented Architecture . . . 42
2.6.16 FIA: Future Internet Assembly . . . 45
2.6.17 SONATE: Service Oriented Network Architecture . . . 47
2.7 Summary . . . 56
Appendix—2A . . . 57

3 Security in Future Internet Architecture . . . 69
3.1 Introduction . . . 69
3.2 Security . . . 69
3.3 Pillars of Security . . . 70
3.4 Basic Concepts of Security . . . 72
3.5 Attacks . . . 73
3.5.1 Threat . . . 73
3.5.2 Vulnerabilities . . . 74
3.5.3 Risk . . . 74
3.6 IP Security Threats . . . 74
3.6.1 Passive Attacks . . . 76
3.6.2 Active Attacks . . . 77
3.7 Security Services and Mechanisms . . . 79
3.7.1 Security Services . . . 79
3.7.1.1 Authentication Service . . . 79
3.7.1.2 Access Control . . . 80
3.7.1.3 Confidentiality . . . 81
3.7.1.4 Integrity . . . 82
3.7.1.5 Nonrepudiation . . . 83
3.7.1.6 Availability . . . 83
3.7.2 Security Mechanisms . . . 83
3.8 IP Security—Layerwise . . . 86
3.8.1 Application Layer . . . 86
3.8.2 Transport Layer . . . 87
3.8.3 Network Layer . . . 87
3.8.4 Data Link Layer . . . 87
3.9 Security Approaches for Future Internet . . . 87
3.9.1 Security Establishment Proposal . . . 89
3.9.2 Risk Level Determination . . . 89
3.9.3 Future Internet—Objectives of Security . . . 90
3.9.4 Security Requirements . . . 91
3.10 Security Requirements—SONATE . . . 92
3.11 Summary . . . 93
Appendix—3A . . . 95

4 Significance of Authentication—Future Internet Architecture . . . 115
4.1 Introduction . . . 115
4.2 What is Authentication? . . . 115
4.3 Challenges in Secure Authentication . . . 116
4.4 Authentication Protocols . . . 116
4.4.1 Authentication Threats . . . 116
4.4.1.1 Protocol Threats . . . 116
4.4.1.2 Encryption Technique Problems . . . 117
4.4.1.3 Resistance to Threats . . . 117
4.4.2 Authentication Mechanisms . . . 118
4.4.2.1 Shared Secrets (Passwords) . . . 118
4.4.2.2 One Time Passwords (OTP) . . . 119
4.4.2.3 Soft Tokens or Certificates . . . 119
4.4.2.4 Hardware Tokens . . . 120
4.4.2.5 Lightweight Directory Access Protocol (LDAP) Authentication . . . 120
4.4.2.6 Biometric Authentication . . . 121
4.4.2.7 Public Key Infrastructure (PKI) . . . 121
4.4.2.8 CASCADED Authentication . . . 122
4.5 Future Internet—Authentication Objectives . . . 123
4.5.1 Authentication Mechanism in SONATE—Case Study . . . 123
4.5.2 SONATE—Public Key Infrastructure (PKI) . . . 125
4.5.2.1 PKI Cryptographic Resources . . . 126
4.5.2.2 Components of PKI . . . 127
4.5.3 Architecture for the Identity Management of the Entities . . . 127
4.5.3.1 Service Consumer Identity . . . 128
4.5.3.2 Service Broker's Identity . . . 129
4.5.3.3 Service Provider's Identity . . . 129
4.5.4 SONATE: Generation of the Keys . . . 129
4.5.4.1 PKI Consumer Functionalities . . . 130
4.5.4.2 Key Establishment Process . . . 130
4.5.5 Certificate Management Service—SONATE . . . 130
4.5.5.1 SONATE—Certificate Request Process . . . 130
4.5.5.2 SONATE—Certificate Revocation Process . . . 131
4.5.5.3 SONATE—Certificate Verification Process . . . 132
4.5.6 Secure Communication Model for SONATE . . . 134
4.5.7 Functional Overview . . . 134
4.5.7.1 SONATE Packet Format . . . 136
4.6 Evaluation . . . 141
4.6.1 Performance Analysis . . . 141
4.7 Summary . . . 145
Appendix—4A . . . 147

5 Authorization—Future Internet Architecture . . . 179
5.1 Introduction . . . 179
5.2 Need of Authorization . . . 179
5.3 Access Control Mechanisms . . . 181
5.3.1 Access Control Matrix (ACM) . . . 182
5.3.2 Access Control Lists (ACL) . . . 182
5.3.3 Identity-Based Access Control (IBAC) . . . 184
5.3.4 Authorization-Based Access Control (ABAC) . . . 184
5.3.5 Rule-Based Access Control (R-BAC) . . . 184
5.3.6 Policy-Based Access Control (PBAC) . . . 185
5.3.7 Discretionary Access Controls (DAC) . . . 185
5.3.8 Mandatory Access Controls (MAC) . . . 186
5.3.9 Role-Based Access Control (RBAC) . . . 187
5.4 SONATE—Access Control Mechanism Model for Distributed Networks Case Study . . . 189
5.4.1 Role-Based Access Control (RBAC) to suit SONATE . . . 190
5.4.2 Mandatory Access Control (MAC) to suit SONATE . . . 192
5.5 Access Control Operations for SONATE . . . 196
5.5.1 Access Control Conditions . . . 199
5.5.2 Access Control Functions . . . 199
5.5.2.1 Function (PF1): Read . . . 200
5.5.2.2 Function (PF2): Write . . . 200
5.5.2.3 Function (PF3): Get Execute . . . 201
5.5.2.4 Function (PF4): Cancel the Access Permissions (am) . . . 201
5.5.2.5 Function (PF5): Development of an Application . . . 202
5.5.2.6 Function (PF6): Deletion of an Application . . . 203
5.5.2.7 Function (PF7): Change Security Level of an Application . . . 203
5.5.2.8 Function (PF8): Change Current Security Level of Principal . . . 203
5.6 Convergence of Services . . . 204
5.6.1 Pointwise Convergence of Service Request . . . 204
5.6.2 Almost Sure Convergence of Service Request . . . 205
5.7 Secure Service Composition - Read Permission . . . 205
5.8 Summary . . . 207

6 Intrusion Detection and Prevention Systems—Future Internet Architecture . . . 211
6.1 Introduction . . . 211
6.2 Intrusion Detection and Prevention System (IDPS) . . . 212
6.3 Why to Use Intrusion Detection and Prevention System (IDPS) . . . 213
6.4 IDPS Methods . . . 214
6.4.1 Host-Based Intrusion Detection and Prevention System (HIDPS) . . . 214
6.4.2 Network-Based Intrusion Detection and Prevention System (NIDPS) . . . 215
6.4.3 Signature-Based Detection . . . 216
6.4.4 Anomaly Detection . . . 216
6.4.4.1 Protocol Anomaly-Based Intrusion Detection . . . 217
6.4.4.2 Traffic Anomaly-Based Intrusion Detection . . . 217
6.4.4.3 Stateful Protocol Anomaly-Based Intrusion Detection . . . 217
6.4.4.4 Stateful Matching Intrusion Detection System . . . 218
6.4.4.5 Statistical Anomaly-Based Detection . . . 218
6.5 Log File Monitor (LFM) . . . 219
6.6 Intrusion Detection and Prevention System (IDPS) Response . . . 219
6.7 DoS and Types of DoS Attacks . . . 220
6.7.1 Semantic Attacks and Flooding Attacks . . . 221
6.7.2 DoS/DDoS Attacks . . . 221
6.7.3 DNS Reflector Attack . . . 222
6.7.4 Permanent Denial of Service Attack (PDoS) . . . 223
6.7.5 DoS Targets . . . 223
6.7.6 Recent Attacks . . . 223
6.7.7 Classification of Defense Techniques of DoS . . . 225
6.7.7.1 Detection Techniques . . . 225
6.7.7.2 DoS Prevention Techniques . . . 226
6.8 DoS Attack in SONATE . . . 227
6.9 DoS Detection and Prevention Mechanism for SONATE . . . 228
6.9.1 Detection State . . . 229
6.9.2 Prevention State . . . 232
6.10 Discussion and Results . . . 235
6.10.1 DoS Detection Building Block (DDBB) Class . . . 237
6.10.1.1 Alert Class . . . 237
6.10.2 DoS Filter Building Block (DFBB) . . . 238
6.10.2.1 Filter Class . . . 239
6.11 Summary . . . 240
Appendix—6A . . . 243

Glossary . . . 257
References . . . 263
List of Abbreviations . . . 287
Index . . . 295

Foreword

The Internet is a remarkable catalyst for creativity, collaboration and innovation, providing us today with amazing possibilities that just two decades ago would have been impossible to imagine; and yet we are not amazed. Tim Berners-Lee invented the Web 20 years ago, and two years later CERN publicized the new World Wide Web project. In today's world, even a child can access a free satellite image from any place and interact with others across the globe. This has raised the issues of security. Our challenge is to solve the issues of security and make the architecture sustainable rather than relying on patches. How do we sustain the Internet 10 to 20 years from now?

The Internet was never designed to serve massive-scale applications with guaranteed quality of service and security. It is being used to transact digital packets, digital cash or any other sensitive information with each other through cyberspace. Everything has changed to digital, in the form of sequences of zeros, which made broadcasting over the Net so easy that even our own dog wouldn't recognize it. Emerging technologies like high-quality video streaming and other applications face severe constraints when run from anywhere and at any time with good quality. If we want to support quality of service, then new models have to emerge that can survive for a long time.

With the growth of connectivity, of viruses and hackers, of electronic eavesdropping and electronic fraud, security is paramount in the current and Future Internet. Two trends have come together to make the topic of this book of vital interest. First, the explosive growth of Internet connections for the exchange of information via networks has increased the dependence of both organizations and individuals on the systems that store and communicate that information. To cope with the demands, researchers have come up with a set of solutions such as Clean Slate, Revolutionary or Evolutionary approaches. As a result, many organizations like FIArch, GENI, IETF etc., have come up with new architectures based on one of the proposed approaches. This in turn has increased awareness of the need to protect data and to add security as the chief ingredient of the newly emerged architectures. Second, the disciplines of cryptography and network security are mature and have led to the development of new techniques and protocols to enforce network security in the Future Internet.
