Jose Brustoloni's Research on Network Security

José Carlos Brustoloni

Research on Network Security

Enterprise networks

A major problem in enterprise networks is that perimeter defenses (e.g., using firewalls) are increasingly insufficient. Attackers can bypass such defenses by infecting mobile or home computers that later are brought into the office or connected remotely to the enterprise network via a virtual private network.

I have investigated how to use secure coprocessors to allow an enterprise network to verify securely the configuration of a computer before allowing that computer's access to the network. Secure coprocessors standardized by the Trusted Computing Group have low cost and are embedded in an increasing number of computers.

I proposed novel operating system techniques (TCB prelogging, root tripping, and attestation confinement) for preventing spoofing or abuse of configuration information. I also proposed bound keyed attestation to prevent man-in-the-middle attacks against protocols using such configuration information. These techniques are described and evaluated in the papers:

Using Secure Coprocessors to Protect Access to Enterprise Networks (with H. Xia and J. Kanchana), in Proceedings of the Networking'2005 Conference, IFIP, Waterloo, ON, Canada, Lecture Notes in Computer Science, 3462:154-165, Springer-Verlag, May 2005 (copyright notice). (slides)

Enforcement of Security Policy Compliance in Virtual Private Networks (with H. Xia and J. Kanchana), in Proceedings of the 7th International Symposium on System and Information Security (SSI'2005), ITA, São José dos Campos, Brazil, Nov. 2005. (slides)

Access Wi-Fi networks

MicroISPs: Secure LAN-based nomadic Internet access in public areas

MicroISPs were one of the earliest proposals to use LANs such as Ethernet or Wi-Fi to provide Internet access in public venues, such as hotels, airports, and cafés. Unlike other proposals, MicroISPs employ IPsec tunnels to prevent nonpaying clients from gaining service. MicroISPs allow a variety of online and offline payment methods that enable local management and ownership and therefore require much less investment than alternatives, such as 3G wireless. MicroISPs are described in the paper:

MicroISPs: Providing Convenient and Low-Cost High-Bandwidth Internet Access (with J. Garay), in Computer Networks, 33(1-6):789-802, Elsevier, June 2000. Also appears in Proceedings of the 9th International World Wide Web Conference (WWW'9), W3C, Amsterdam, Netherlands, May 2000, pp. 789-802.

SOHs: Secure opportunistic hotspots

Secure opportunistic hotspots (SOHs) overcome three limitations in the original MicroISP proposal:

MicroISPs need to be set up independently from but may interfere with enterprise networks, which are much more common.
IPsec implementations often are difficult to configure and interoperate without technical help and installation of client software.
None of the originally envisioned online payment schemes reached significant deployment.

SOHs enable a same Wi-Fi network to provide secure access to members and invited or paying visitors to an enterprise. Member access is unlimited, while visitor access is Internet-only and bandwidth-limited. The following paper gives an overview of SOHs:

Secure and Flexible Support for Visitors in Enterprise Wi-Fi Networks (with H. Xia), in Proceedings of the 48th Annual Global Telecommunications Conference (GLOBECOM'2005), IEEE, St. Louis, MO, Nov. 2005 (copyright notice). (slides)

Instead of IPsec, SOHs use enterprise Wi-Fi security protocols (WPA or 802.11i) to secure member access. These protocols, like IPsec, may not readily interoperate with visitors' computers. Therefore, SOHs use instead two novel security techniques, session id checking and MAC sequence number tracking, to prevent theft of service. The new techniques are transparent to clients:

Detecting and Blocking Unauthorized Access in Wi-Fi Networks (with H. Xia), in Proceedings of the Networking'2004 Conference, IFIP, Athens, Greece, Lecture Notes in Computer Science, 3042:795-806, Springer-Verlag, May 2004 (copyright notice). (slides)

Instead of subscriptions or online payment schemes proposed in the literature but seldom deployed, SOHs use Virtual Prepaid Tokens based on the popular PayPal service:

Virtual Prepaid Tokens for Wi-Fi Hotspot Access (with H. Xia), in Proceedings of the 29th Annual Conference on Local Computer Networks (LCN), IEEE, Tampa, FL, pp. 232-239, Nov. 2004 (copyright notice).

Defenses against Internet denial-of-service attacks

VIPnet: Protecting e-commerce from distributed denial-of-service attacks

VIPnet is a novel architecture that exploits the fact that the communication between e-merchants and their legitimate clients is punctuated by payments. This allows ISPs that deploy VIPnet to provide robust and deterministic protection from distributed denial-of-service attacks and collect new fees that pay for the necessary investment. VIPnet is described in the paper:

Protecting Electronic Commerce from Distributed Denial-of-Service Attacks, in Proceedings of the 11th International World Wide Web Conference (WWW2002), ACM, Honolulu, HI, May 2002, pp. 553-561.

ASTUF: Automatically segregating greedy and malicious Internet flows

In the current Internet, compliance with TCP congestion control is voluntary. Noncompliant flows can gain unfair performance advantages or deny service to other flows. ASTUF is a scheme that automatically detects and segregates noncompliant flows and preserves network availability for compliant flows. ASTUF requires modifications only in access routers and is incrementally deployable. Like VIPnet, ASTUF is a value-added service. Unlike VIPnet, ASTUF can secure any sites that are TCP-friendly, including those that are not e-merchants. ASTUF is described in the paper:

Automatically Segregating Greedy and Malicious Internet Flows (with S. Chen), in Proceedings of the International Conference on Communications (ICC'2007), IEEE, Glasgow, Scotland, June 24-28, 2007 (copyright notice).

IPsec interoperation

IPsec is the standard protocol suite for securing the Internet Protocol (IP) and is commonly used to implement virtual private networks (VPNs). As originally specified, IPsec did not interoperate with NAT (Network Address Translation), a technique commonly used in homes and hotels for sharing a single global IP address among multiple computers. EASE was an early and extensible proposal for promoting interoperation:

Application-Independent End-to-End Security in Shared-Link Access Networks (with J. Garay), in Proceedings of the Networking'2000 Conference, IFIP, Paris, France, Lecture Notes in Computer Science, 1815:608-619, Springer-Verlag, May 2000 (copyright notice).

IPsec Pass-through (IPT) eventually became a common feature in home routers for (partially) solving the interoperability problem. However, it was never standardized. In the following paper, I documented the principles of operation and limitations of the main IPT versions. I also proposed IPT automatic client recovery, a client modification that promotes automatic recovery of IPsec tunnels when IPT fails:

Automatic VPN Client Recovery from IPsec Pass-through Failures, in Proceedings of the 30th Annual Conference on Local Computer Networks (LCN'2005), IEEE, Sydney, Australia, pp. 756-763, Nov. 2005 (copyright notice). (slides)

Back to José Brustoloni's home page.