Ralf Ackermann
Technische Universität Darmstadt
Publication
Featured research published by Ralf Ackermann.
Peer-to-Peer Systems and Applications | 2005
Luka Divac-Krnic; Ralf Ackermann
The main characteristic of great autonomy of peers in Peer-to-Peer networks and the resulting “openness” of such networks makes them vulnerable to diverse attacks on their integrity and security. The possibility and the feasibility of obstruction of a Peer-to-Peer network as a whole, or forthright attacks on a single peer depend largely on a usage scenario of a Peer-to-Peer network. This aspect conditions the possibilities of attacks one has to either take care of or ignore.
international conference on communications | 2001
Ralf Ackermann; Markus Schumacher; Utz Roedig; Ralf Steinmetz
Within the traditional telephone system a certain level of quality and security has been established over the years. If we try to use IP Telephony systems as a core part of our future communication infrastructure (e.g. as classical PBX enhancement or replacement) continuous high availability, stable and error-free operation and the protection of the privacy of the spoken word are challenges that definitely have to be met. Since manufacturers start deploying new end systems and infrastructure components rather fast now - a critical inspection of their security features and vulnerabilities is mandatory. The critical presentation of the theoretical background of certain vulnerabilities, testing and attacking tools and the evaluation results reveals that well-known security flaws become part of implementations in the new application area again and the security level of a number of examined solutions is rather insufficient.
Proceedings. 30th Euromicro Conference, 2004. | 2004
Manuel Görtz; Ralf Ackermann; Ralf Steinmetz
Communication plays a central role in our society. It affects our private lives as well as business activities. Humans usually observe the environment and the communication partner with all their senses. The perceived information is evaluated to deduce the context of the targeted communication partner. However, distant interpersonal communication does not provide a priori knowledge of the called party's current situation, condition or mood - the callee's context. Current communication systems do not offer satisfying technical means to support context sharing between communication partners. The proposed solution in this work is based on an enhancement of the session initiation protocol (SIP) for IP telephony systems. Different mechanisms of sharing context among communication peers have been investigated, implemented and evaluated.
Archive | 2001
Jana Dittmann; Petra Wohlmacher; Ralf Ackermann
The tremendous recent efforts to develop and deploy ubiquitous mobile communication possibilities are changing the demands but also possibilities for establishing new business and commerce relationships. Within this paper we show our innovative approach for integrating watermark and cryptography based methods within a framework of new application scenarios spanning a wide range from dedicated and user specific services, “Try&Buy” mechanisms to general means for long-term customer relationships. Based on a description of the challenges of the application domain and the existing work we show which methods must be used for establishing services in a fast, convenient and secure way for conditional access services. The paper closes with an overview of steps for practically establishing these concepts.
Archive | 2000
Utz Roedig; Ralf Ackermann; Christoph Rensing; Ralf Steinmetz
Firewalls are a widely used security mechanism to provide access control and auditing at the border between “open” and private networks or administrative domains. As part of the network infrastructure they are strongly affected by the development and deployment of new communication paradigms and applications. Currently we experience a very fast rise in the use of multimedia applications. These differ in many aspects from “traditional applications”, for example concerning bandwidth usage, dynamic protocol elements or multiple data flows for one application session. Corresponding firewall mechanisms and techniques did not change with the same dynamics though. Currently existing firewalls have problems supporting these new types of applications because to some extent they try to map the new characteristics to the manner of conventional applications which they are able to handle. We strongly believe that new application types require new firewall techniques and mechanisms. In this paper, we identify typical characteristics of multimedia applications that cause problems using traditional firewalls. Based on this analysis we deduce enhancements to existing firewalls that can be used to better adapt to a communication environment in which multimedia applications are used. We describe these enhancements in general, show an adequate systems architecture and present an implementation based on this design. The feasibility of that approach has been shown in the example scenario that we finally present.
kommunikation in verteilten systemen | 1999
Christoph Rensing; Utz Roedig; Ralf Ackermann; Lars C. Wolf; Ralf Steinmetz
Within a comprehensive security policy, firewalls are an important measure for protecting a private network against attacks from the Internet. They are usually based on IP filters and proxies. At the network boundary, filters select data streams according to defined rules, mostly by TCP or UDP port numbers that identify a service, and either forward or block them. For many protocols, selection by particular port numbers is not statically possible, because the ports are only determined dynamically at connection time. For such services to pass the firewall, so-called proxies are therefore used. Proxies form the endpoint of the communication toward both sides (local network and Internet) and forward the data at the application level. They have to be developed anew for every application-level protocol. An alternative is a dynamic, protocol-state-dependent extension of the rules of a filter-based firewall during connection time. Existing commercial approaches currently implement this dynamic behaviour in the core of the firewall itself, by integrating knowledge about the semantics of application-level protocols into it. What is desirable, however, is a more general architecture, such as the Distributed Dynamic Multimedia Firewall Architecture (Verteilte Dynamische Multimedia Firewallarchitektur, VDMFA), which allows simple filter-based firewalls to be flexibly extended for new, in particular multimedia, protocols. The VDMFA works by dynamically adapting filter rules via the intelligent component VDMFA-Core, which in turn is controlled by a scripting language or a user-friendly front end. This contribution presents the VDMFA and shows possible uses of the firewall architecture for Internet telephony applications.
acm multimedia | 2000
Ralf Ackermann; Utz Roedig; Michael Zink; Carsten Griwodz; Ralf Steinmetz
The concept of authenticating users e.g. by means of a login process is very well established and there is no doubt that it is absolutely necessary and helpful in a multiuser environment. Unfortunately specific information about a user originating a data stream or receiving it is often no longer available at the traversed network nodes. This applies to the even more specific question of what application is used as well. Routers, gateways or firewalls usually have to base their classification of data on IP header inspection or have to try to extract information from the packet's payload. We present an approach that works transparently and allows associating user and application specific information with IP data streams by only slightly modifying components of the operating system environment and infrastructure components. On top of this framework we show usage scenarios for dedicatedly placing copyright information in media content and for an enhancement of the interoperation with the security infrastructure.
Archive | 2000
Christoph Rensing; Utz Roedig; Ralf Ackermann; Ralf Steinmetz
Security as a dimension of trustworthiness in IP-Telephony systems and protocols is a main condition for the commercial success of IP-Telephony. In this work, we present a survey of security requirements and show how various standardization efforts address these requirements. We describe the basic tasks and elements of IP-Telephony systems and compare them to Telephony via PSTNs to derive some possible attacks for example. We classify the security preconditions to achieve trustworthiness of users and providers in these systems. We list weighty criteria for further evaluation of security mechanisms which can fulfil these requirements. After this, we describe the integration of security mechanisms in current IP-Telephony protocols and figure out work areas which have to be solved in future.
Archive | 2000
Utz Roedig; Ralf Ackermann; Marc Tresse; Lars C. Wolf; Ralf Steinmetz
The starting point of any activity in the area of IT security is the creation of a security policy. It describes the objects and assets in need of protection and the threats directed against them, and defines the targeted security level. In addition to conventional technical measures, such as the use of firewalls to shield network areas and end systems, and of cryptographic algorithms to secure the confidentiality and verify the integrity of data, intrusion detection systems (IDS) are increasingly used to implement such a security policy. There is agreement today that their use makes a higher level of system security achievable. In 1999, IDS components were used in 37% of the companies for which security is an important topic (previous year 29%). Besides the general availability of individual components that can be used to increase system security, the efficiency of their interaction is also a decisive criterion for the achievable security level. This interaction, however, especially when relatively new components such as ID systems are used, has so far partly not been in place or not been optimized accordingly. In this contribution we present an approach that, through the active coupling of the components firewall and IDS, can increase the efficiency of both systems and open up additional possibilities. Since this coupling has specific implications for the design and the mechanisms to be selected for the IDS being integrated, we present an IDS model that has been optimized for this purpose. The contribution includes the description of an exemplary implementation of our approach and the presentation and evaluation of first operational experience.
Lecture Notes in Computer Science | 2004
Manuel Görtz; Ralf Ackermann; Ralf Steinmetz
Communication plays a key role in today’s businesses. Reaching a communication partner often has become a time consuming task. A multitude of potential communication channels with individual addresses forces a callee to guess an appropriate device at the right time. Under these circumstances additional information about a high probability to reach the calling target at a specific point in time enhances efficiency in communication. The decision when to call and the choice of the communication channel can be based on this information. This paper presents a Digital Call Assistant to determine an optimal time slot to place a call. The proposed approach combines calendar events and context information. The combination of these two information sources allows the creation of call plans which provide a list of possible time slots for communication with another user. A trust concept will assure that these sensible data will only be shared among trusted peers. Pending call requests and open call slots are presented to the user. The proposed planning application is going to form a novel part in our context-aware communication service framework.