• Journal of Communications and Networks
• /
• v.10 no.4
• /
• pp.455-464
• /
• 2008

To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems become to surpass single-homed networks in number. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls in their borders. The majority of today's firewalls use stateful inspection that exploits connection state for fine-grained control. However, stateful inspection has a topological restriction such that outgoing and incoming traffic of a connection should pass through a single firewall to execute desired packet filtering operation. Multi-homed networking environments suffer from this restriction and BGP policies provide only coarse control over communication paths. Due to these features and the characteristics of datagram routing, there exists a real possibility of asymmetric routing. This mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon into a state-sharing problem among multiple fire walls under asymmetric routing condition. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of the following two phases: 1) Generation of a TCP SYN cookie marked with the firewall identification number upon a SYN packet arrival, and 2) state sharing triggered by a SYN/ACK packet arrival in the absence of the trail of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed for high speed networks. It also transparently works under any client-server configurations. Last but not least, we present experimental results through a prototype implementation.

• Journal of Communications and Networks
• /
• v.9 no.4
• /
• pp.457-465
• /
• 2007

Native information provider(IP) anycast suffers from routing scalability issues and the lack of stateful communication support. For this reason, we propose architecture for scalable and transparent anycast services(ASTAS), a proxy-based architecture that provides support for stateful anycast communications, while retaining the transparency offered by native anycast. Dynamic resource assignment for each initiated session guarantees that a connection is established with the most suitable target server, based on network and server conditions. Traffic engineering in the overlay can be realized in an effective way due to the dissemination of aggregated state information in the anycast overlay. To minimize the total deployment cost for ASTAS architectures, we propose optimized proxy placement and path finding heuristics based on look-ahead information gathered in network nodes. Contrary to a regular integer linear program(ILP) formulation, these heuristics allow to optimize proxy placement in large networks. A use case on a European reference network illustrates that lower proxy costs enable proxy deployment closer to the end-users, resulting in a reduced network load.

• Journal of Internet Computing and Services
• /
• v.9 no.6
• /
• pp.37-48
• /
• 2008

VoIP service is a transmission of voice data using SIP protocol on IP based network, The SIP protocol has many advantages such as providing IP based voice communication and multimedia service with cheap communication cost and so on. Therefore the SIP protocol spread out very quickly. But, SIP protocol exposes new forms of vulnerabilities on malicious attacks such as Message Flooding attack and protocol parsing attack. And it also suffers threats from many existing vulnerabilities like on IP based protocol. In this paper, we propose a new Virtual Proxy Server system in front of the existed Proxy Server for anomaly detection of SIP attack and stateful management of SIP session with enhanced security. Based on stateful virtual proxy server, out solution shows promising SIP Message Flooding attack verification and detection performance with minimized latency on SIP packet transmission.

• Proceedings of the Korean Institute of Communication Sciences Conference
• /
• 2004.11a
• /
• pp.438-438
• /
• 2004

• Proceedings of the Korean Information Science Society Conference
• /
• 2006.10c
• /
• pp.575-580
• /
• 2006

인터넷 네트워크에 존재하는 방화벽(Firewall) 또는 라우터(Router) 장비에서의 패킷 필터 기능은 모든 방화벽 장비의 기본적인 기능이 될 수 있다. 하지만 최근에 등장한 세션기반의 악의적 침입과 바이러스의 출현으로 패킷 필터기는 단순한 정적 패킷 필터 기능이 아닌 상태기반 패킷 필터의 동적 패킷 필터 기능을 요구하게 되었다. 또한 최근에 인터넷 속도가 급증하는 환경변화에 맞추어 방화벽 장비의 TCP 패킷 처리기능은 매우 빠른 처리속도를 요구하고 있다. 이에 우리는 매우 빠른 고속의 TCP 상태기반 패킷 필터 처리를 요구하는 에지(Edge)급 라우터의 방화벽 옵션카드를 만들기 위해 하드웨어 기반의 TCAM(Ternary CAM) 관리를 이용한 TCP 세션 상태기반 (Stateful) 패킷 필터기를 구현하였으며, TCAM 제어와 패킷의 상태기반 검사 등 모든 기능처리는 FPGA(Field Programmable Gate Array)를 이용한 하드웨어 로직(Logic) 및 상태기(State Machine)로 구현하였다. 그리고 본 논문의 구현방식을 적용한 방화벽 옵션카드는 인-라인(In-line) 모드로 구성될 경우 1GHz 이상의 Wire Speed를 만족하는 처리성능을 보여주었다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.3 no.3
• /
• pp.251-265
• /
• 2009

VoIP service is the transmission of voice data using SIP protocol on an IP-based network. The SIP protocol has many advantages, such as providing IP-based voice communication and multimedia service with low communication cost. Therefore, the SIP protocol disseminated quickly. However, SIP protocol exposes new forms of vulnerabilities to malicious attacks, such as message flooding attack. It also incurs threats from many existing vulnerabilities as occurs for IP-based protocol. In this paper, we propose a new virtual proxy to cooperate with the existing Proxy Server to provide state monitoring and detect SIP message flooding attack with IP/MAC authentication. Based on a proposed virtual proxy, the proposed system enhances SIP attack detection performance with minimal latency of SIP packet transmission.

• The Journal of the Korea Contents Association
• /
• v.10 no.1
• /
• pp.46-58
• /
• 2010

The user valence of VoIP services with SIP protocol is increasing rapidly because of cheap communication cost and its conveniency. But attacker can easily modify the packet contents of SIP protocol as SIP header is transmitted by using UDP methods in text form. The reason is that SIP protocols does not provide an authentication function on the transmission session. Therefore, existing SIP protocol is very weak on SIP Packet Flooding attack etc. In order to solve like this kinds of SIP vulnerabilities, we used SIP status codes under the monitoring module for detecting SIP Flooding attacks and additionally proposed an advanced protocol where the authentication and security function is strengthened about SIP packet. We managed SIP session spontaneously in order to strengthen security with SIP authentication function and to solve the vulnerability of SIP protocol. The proposed mechanism can securely send SIP packet to solves the security vulnerability with minimum traffic transmission. Also service delay in SIP proxy servers will be minimized to solve the overload problem on SIP proxy server.

• International Journal of Internet, Broadcasting and Communication
• /
• v.13 no.1
• /
• pp.26-36
• /
• 2021

The Internet was created as a decentralized and autonomous system of interconnected computer networks used for data exchange across mutually trusted participants. The element technologies on the Internet, such as inter-domain and intra-domain routing and DNS, operated in a distributed manner. With the development of the Web, the Web has become indispensable in daily life. The existing web applications allow us to form online communities, generate private information, access big data, shop online, pay bills, post photos or videos, and even order groceries. This is what has led to centralization of the Web. This centralization is now controlled by the giant social media platforms that provide it as a service, but the original Internet was not like this. These giant companies realized that the decentralized network's huge value involves gathering, organizing, and monetizing information through centralized web applications. The centralized Web applications have heralded some major issues, which will likely worsen shortly. This study focuses on these problems and investigates blockchain's potentials for decentralized web architecture capable of improving conventional web services' critical features, including autonomous, robust, and secure decentralized processing and traceable trustworthiness in tamper-proof transactions. Finally, we review the decentralized web architecture that circumvents the main Internet gatekeepers and controls our data back from the giant social media companies.