Research in System and Network Security
Obviously, the network and the computer system of any institution is more and more threatened by the increased appearance of hackers, intruders, viruses, worms, and other malicious code. On the other hand, the complexity of the network due to different protocols and applications even in a medium sized institution like the UL continuously increases. Moreover, the popularity of wireless networks adds many new security problems. Therefore, practical system and network security should not be considered an all-or-nothing issue. The designers and operators of systems should assume that security breaches are inevitable in the long term. The research unit wants to examine how the security requirements for a very heterogeneous network, based on cable and wireless commu?ni?cation links, linking computers running the Microsoft Windows, Linux, and the Mac OS operating system, can be fulfilled "as good as possible" without limiting the freedom of the users more than necessary.
This general research problem has a strong relationship to the other subjects in the research group, since it combines cryptographic algorithms and results from Information Security Management. Especially, topics like Public Key Infrastructure (PKI), user authen?ti?cation, and identity management play an important role in system and network secu?rity. But there are also other important technical and managerial aspects. Important technical aspects in?clude the optimal usage of intrusion detection systems and intrusion prevention / reaction with firewalls, or a flexible and reactive audit management to keep the ''window of vul?ne?ra?bility'' as short as possible. One technical research objective is a security enhancement for known insecure network protocols, e.g. the anonymity of low latency communication. More exactly, this problem deals with non-observability (i.e., how to provide a way for one person to com?municate with another person without allowing an observer to know it). Reliable non-observable communications will have a wide range of applications, from banking to free-speech and privacy issues. Practical schemes for this problem exist for high-latency communications (like e-mail), but for very-low latency communications (like VoIP) these ideas can not be applied directly. Another technical research topic focuses on privacy and anonymity in network communication, e.g. how to enhance the privacy of the Domain Name Service (DNS) protocol.
The research unit is also interested in the different aspects of security in large scale distributed systems, more particularly in authentication and result checking. Large scale distributed sys?tems include not only Peer-To-Peer networks, but also clusters grid and grids in the sense of Globus. The two last architectures are not only dedicated to specific applications, but should allow users to execute programs of different natures. This kind of architecture also imposes additional constraints as the geographic extension raises availability and security issues. The design of an Open-Source authentication system suitable for a cluster grid has been studied in the context of Grid'5000, one of the leading grid project in France. Yet, even if a secure and scalable authentication system allows to control the access to computing resources, a malicious user can still try to fake some or all the results of the computations. New approaches for certifying the correctness of program executions in hostile environments will be studied.
Besides these technical aspects, there is also a managerial aspect of network and system security, which is equally important. A security policy is a generic document that among others outlines rules for computer network access, determines how policies are enforced and lays out some of the basic archi?tec?ture of the institution security environment. A security policy goes far beyond the simple idea of "keep the bad guys out". It's a very complex document, meant to govern data access, web-browsing habits, use of passwords or more advanced access methods, and more. It specifies these rules for individuals or groups of individuals throughout the institution. A security policy should keep the malicious users out and also exert control over "potential risky" users within an organization. The group wants to examine in more detail, how the conflicting perspectives of network security and user-friendliness can be combined for the network at the UL. The definition of a security policy for an educational institution like the UL obviously has to consider the specific environment given at UL, especially the existence of three campuses with three already existing IT systems. The transformation of an existing network system with basic security to an optimally secured, flexible, and heterogeneous network at UL can be seen as a prototype application, where theoretical cryptographic and mathematical research is combined with practical steps for achieving best possible practical system and network security. Of course, analysis of the security requirements for the development of the IT system at UL in future (e.g., the introduction of information systems for various administrative tasks, or even Enterprise Resource Planning (ERP) tools) will also be an aspect of our research activity.