Platform Architectures for Policy-Based Network Access Control

Tämä diplomityö käsittelee sääntöpohjaisen verkkoon pääsyn hallinnan (NAC) ratkaisuja arkkitehtonisesta näkökulmasta. Työssä käydään läpi Trusted Computing Groupin, Microsoft Corporationin, Juniper Networksin sekä Cisco Systemsin NAC-ratkaisuja. NAC koostuu joukosta uusia sekä jo olemassa olevia teknologioita, jotka auttavat ennalta määriteltyyn sääntökantaan perustuen hallitsemaan suojattuun verkkoon pyrkivien laitteiden tietoliikenneyhteyksiä. Käyttäjän tunnistamisen lisäksi NAC pystyy rajoittamaan verkkoon pääsyä laitekohtaisten ominaisuuksien perusteella, esimerkiksi virustunnisteisiin ja käyttöjärjestelmäpäivityksiin liittyen ja paikkaamaan tietyin rajoituksin näissä esiintyviä puutteita verkkoon pääsyn sallimiseksi. NAC on verraten uusi käsite, jolta puuttuu tarkka määritelmä. Tästä johtuen nykymarkkinoilla myydään ominaisuuksiltaan puutteellisia tuotteita NAC-nimikkeellä. Standardointi eri valmistajien NAC-komponenttien yhteentoimivuuden takaamiseksi on meneillään, minkä perusteella ratkaisut voidaan jakaa joko avoimia standardeja tai valmistajakohtaisia standardeja noudattaviksi. Esitellyt NAC-ratkaisut noudattavat standardeja joko rajoitetusti tai eivät lainkaan. Mikään läpikäydyistä ratkaisuista ei ole täydellinen NAC, mutta Juniper Networksin ratkaisu nousee niistä potentiaalisimmaksi jatkokehityksen ja -tutkimuksen kohteeksi TietoEnator Processing & Networks Oy:lle. Eräs keskeinen ongelma NAC-konseptissa on työaseman tietoverkolle toimittama mahdollisesti valheellinen tietoturvatarkistuksen tulos, minkä perusteella pääsyä osittain hallitaan. Muun muassa tähän ongelmaan ratkaisuna voisi olla jo nykytietokoneista löytyvä TPM-siru, mikä takaa tiedon oikeellisuuden ja koskemattomuuden.

Aggregating and Deploying Network Access Control Policies

Peer-reviewed

An analysis on the network access pricing rules

Mémoire numérisé par la Division de la gestion de documents et des archives de l'Université de Montréal

WormBase: network access to the genome and biology of Caenorhabditis elegans

WormBase (http://www.wormbase.org) is a web-based resource for the Caenorhabditis elegans genome and its biology. It builds upon the existing ACeDB database of the C.elegans genome by providing data curation services, a significantly expanded range of subject areas and a user-friendly front end.

The Architecture of a Fourth Generation Mobile Network

Neljännen sukupolven mobiiliverkot yhdistävät saumattomasti televerkot, Internetin ja niiden palvelut. Alkuperin Internetiä käytettiin vain paikallaan pysyviltä tietokoneilta perinteisten televerkkojen tarjotessa puhelin- ja datapalveluita. Neljännen sukupolven mobiiliverkkojen käyttäjät voivat käyttää sekä Internetiin perustuvia että perinteisten televerkkojen palveluita liikkuessaankin. Tämä diplomityö esittelee neljännen sukupolven mobiiliverkon yleisen arkkitehtuurin. Arkkitehtuurin perusosat kuvaillaan ja arkkitehtuuria verrataan toisen ja kolmannen sukupolven mobiiliverkkoihin. Aiheeseen liittyvät Internet-standardit esitellään ja niiden soveltuvuutta mobiiliverkkoihin pohditaan. Langattomia, lyhyen kantaman nopeita liitäntäverkkotekniikoita esitellään. Neljännen sukupolven mobiiliverkoissa tarvittavia päätelaitteiden ja käyttäjien liikkuvuuden hallintamenetelmiä esitellään. Esitelty arkkitehtuuri perustuu langattomiin, lyhyen kantaman nopeisiin liitäntäverkkotekniikoihin ja Internet-standardeihin. Arkkitehtuuri mahdollistaa yhteydet toisiin käyttäjiin ilman tietoa heidän senhetkisestä päätelaitteesta tai sijainnista. Internetin palveluitavoidaan käyttää missä tahansa neljännen sukupolven mobiiliverkon alueella. Yleiskäytöistä liikkuvuuden hallintamenetelmää yhden verkon alueelle ehdotetaan. Menetelmää voidaan käyttää yhdessä esitellyn arkkitehtuurin kanssa.

Authentication and Authorisation Mechanisms in support of Secure Access to WMN Resources

Over the past several years, a number of design approaches in wireless mesh networks have been introduced to support the deployment of wireless mesh networks (WMNs). We introduce a novel wireless mesh architecture that supports authentication and authorisation functionalities, giving the possibility of a seamless WMN integration into the home's organization authentication and authorisation infrastructure. First, we introduce a novel authentication and authorisation mechanism for wireless mesh nodes. The mechanism is designed upon an existing federated access control approach, i.e. the AAI infrastructure that is using just the credentials at the user's home organization in a federation. Second, we demonstrate how authentication and authorisation for end users is implemented by using an existing web-based captive portal approach. Finally, we observe the difference between the two and explain in detail the process flow of authorized access to network resources in wireless mesh networks. The goal of our wireless mesh architecture is to enable easy broadband network access to researchers at remote locations, giving them additional advantage of a secure access to their measurements, irrespective of their location. It also provides an important basis for the real-life deployment of wireless mesh networks for the support of environmental research.

DISCUS : an end-to-end solution for ubiquitous broadband optical access

Fiber to the premises has promised to increase the capacity in telecommunications access networks for well over 30 years. While it is widely recognized that optical-fiber-based access networks will be a necessity in the shortto medium-term future, its large upfront cost and regulatory issues are pushing many operators to further postpone its deployment, while installing intermediate unambitious solutions such as fiber to the cabinet. Such high investment cost of both network access and core capacity upgrade often derives from poor planning strategies that do not consider the necessity to adequately modify the network architecture to fully exploit the cost benefit that a fiber-centric solution can bring. DISCUS is a European Framework 7 Integrated Project that, building on optical-centric solutions such as long-reach passive optical access and flat optical core, aims to deliver a cost-effective architecture for ubiquitous broadband services. DISCUS analyzes, designs, and demonstrates end-to-end architectures and technologies capable of saving cost and energy by reducing the number of electronic terminations in the network and sharing the deployment costs among a larger number of users compared to current fiber access systems. This article describes the network architecture and the supporting technologies behind DISCUS, giving an overview of the concepts and methodologies that will be used to deliver our end-to-end network solution. © 2013 IEEE.

Mobility in vehicular networks with multiple access points to the infrastructure

Nowadays there is a huge evolution in the technological world and in the wireless networks. The electronic devices have more capabilities and resources over the years, which makes the users more and more demanding. The necessity of being connected to the global world leads to the arising of wireless access points in the cities to provide internet access to the people in order to keep the constant interaction with the world. Vehicular networks arise to support safety related applications and to improve the traffic flow in the roads; however, nowadays they are also used to provide entertainment to the users present in the vehicles. The best way to increase the utilization of the vehicular networks is to give to the users what they want: a constant connection to the internet. Despite of all the advances in the vehicular networks, there were several issues to be solved. The presence of dedicated infrastructure to vehicular networks is not wide yet, which leads to the need of using the available Wi-Fi hotspots and the cellular networks as access networks. In order to make all the management of the mobility process and to keep the user’s connection and session active, a mobility protocol is needed. Taking into account the huge number of access points present at the range of a vehicle for example in a city, it will be beneficial to take advantage of all available resources in order to improve all the vehicular network, either to the users and to the operators. The concept of multihoming allows to take advantage of all available resources with multiple simultaneous connections. This dissertation has as objectives the integration of a mobility protocol, the Network-Proxy Mobile IPv6 protocol, with a host-multihoming per packet solution in order to increase the performance of the network by using more resources simultaneously, the support of multi-hop communications, either in IPv6 or IPv4, the capability of providing internet access to the users of the network, and the integration of the developed protocol in the vehicular environment, with the WAVE, Wi-Fi and cellular technologies. The performed tests focused on the multihoming features implemented on this dissertation, and on the IPv4 network access for the normal users. The obtained results show that the multihoming addition to the mobility protocol improves the network performance and provides a better resource management. Also, the results show the correct operation of the developed protocol in a vehicular environment.

Videovigilância, compressão e criptografia

Mestrado em Engenharia Electrotécnica e de Computadores

A communication support for real-time distributed computer controlled systems

In this paper, we analyse the ability of P-NET [1] fieldbus to cope with the timing requirements of a Distributed Computer Control System (DCCS), where messages associated to discrete events should be made available within a maximum bound time. The main objective of this work is to analyse how the network access and queueing delays, imposed by P-NET’s virtual token Medium Access Control (MAC) mechanism, affect the realtime behaviour of the supported DCCS.

Mining social individuals movements and friends based on mobile devices

Trabalho de Projeto realizado para obtenção do grau de Mestre em Engenharia Informática e de Computadores

Multi-agent system for personalization of location-based services

The current ubiquitous network access and increase in network bandwidth are driving the sales of mobile location-aware user devices and, consequently, the development of context-aware applications, namely location-based services. The goal of this project is to provide consumers of location-based services with a richer end-user experience by means of service composition, personalization, device adaptation and continuity of service. Our approach relies on a multi-agent system composed of proxy agents that act as mediators and providers of personalization meta-services, device adaptation and continuity of service for consumers of pre-existing location-based services. These proxy agents, which have Web services interfaces to ensure a high level of interoperability, perform service composition and take in consideration the preferences of the users, the limitations of the user devices, making the usage of different types of devices seamless for the end-user. To validate and evaluate the performance of this approach, use cases were defined, tests were conducted and results gathered which demonstrated that the initial goals were successfully fulfilled.

Aplicação de Internet of Things em casas inteligentes: Serviços de Rede

O foco principal no estudo da Internet of Things tem sido a integração de dispositivos digitais com o mundo físico e vice-versa. Os dispositivos inteligentes têm vindo a ganhar uma forte presença na nossa vida diária e cada vez mais, tendem a integrar o sistema de uma casa, automatizando processos comuns como o controlo de temperatura ambiente ou mesmo a percentagem de luminosidade de uma divisão. A visão da IoT contempla um mundo interconectado, recolhendo informações de forma automática e possibilitando a comunicação entre dispositivos. Contudo, as tecnologias existentes para a criação de redes que albergam estes novos dispositivos carecem de padrões bem definidos, dificultando a interoperabilidade entre as diversas soluções existentes. Neste projeto são estudadas e aplicadas as tecnologias mais promissoras aplicáveis ao paradigma Internet of Things, com o objetivo de encontrar um conjunto de protocolos padrão para a implementação de sistemas de automação em casas inteligentes.1 Como objetivo final deste projeto, pretende-se criar uma rede de dispositivos com capacidades sensoriais que tenham a capacidade de comunicar com o mundo externo, permitindo o acesso à rede por qualquer tipo de utilizador. Com isso, espera-se caminhar para mais perto da padronização dos protocolos inerentes à IoT e habilitar interoperabilidade entre as mais diversas soluções. São apresentados e utilizados os protocolos que mais se adaptam ao tema escolhido, tentando simplificar a rede para que esta possa ser incluída em qualquer ambiente doméstico, recorrendo a hardware de custo reduzido. Os protocolos apresentados são o 6LoWPAN, utilizando o protocolo IEEE 802.15.4 como interface de rede juntamente com endereçamento IPv6. É também utilizado o protocolo CoAP na troca de mensagens entre os dispositivos.