Ieee Paper Literature Review PDF
Ieee Paper Literature Review PDF
Ieee Paper Literature Review PDF
Abstract—The article issue is the enterprise secure interaction of smart devices (sensors). In order to
information protection within the internet of things effectively solve this problem, network equipment
concept. The aim of research is to develop arrangements manufacturers are developing new protocols and technologies
set to ensure secure enterprise IPv6 network operating. for protecting information transferring from such devices.
The object of research is the enterprise IPv6 network. In the 1990s a Purdue University (USA) under the
The subject of research is modern switching equipment as Theodor J. Williams guidance has developed Purdue
a tool to ensure network protection. The research task is Enterprise Reference Architecture (PERA), which is a
to prioritize functioning of switches in production and reference model for a secure enterprise architecture based on
corporation enterprise networks, to develop a network Computer-Integrated Manufacturing (CIM), a production
host protection algorithm, to test the developed algorithm approach to the computers using to manage the entire
on the Cisco Packet Tracer 7 software emulator. The production process. Such integration allows individual
result of research is the proposed approach to IPv6- production components to exchange information with each
network security based on analysis of modern switches other and initiate certain actions. Although production can be
functionality, developed and tested enterprise network less prone to errors due to computer integration its main
host protection algorithm under IPv6-protocol with an advantage is the ability to create safe automated production
automated network SLAAC-configuration control, a set processes. Usually CIM relies on management, based on the
of arrangements for resisting default enterprise gateway input signals from sensors in real-time mode. Firstly, ISA-
attacks, using ACL, VLAN, SEND, RA Guard security 99.29 standards, and then IEC 62448, which define how to
technology, which allows creating sufficiently high level of build technological and corporation enterprise network in
networks security order to ensure reliable and secure data transmission, were
developed on the basis of this model. The standard can be
Keywords—default gateway; host; network security;
represented in several interacted levels form: technological
attacks; protocols; network; IPv6-protocol ; switches;
(production) network, operating area (SCADA network),
routers ; IP network; host protection algorithm
demilitarized area (DMZ) and corporation (office) network.
Besides, the standard describes theoretical principles for
I. INTRODUCTION levels interaction with each other, but does not give necessary
Recently not only computers, but also many other devices means of security for using at a particular level.
acquired an Internet access possibility. This formed the basis One of the modern protocols representatives is IPv6. It
of popular nowadays Internet of things concept, where the replaced IPv4 protocol and have new possibilities in
defining term is host, which refers to any source of comparison, which simultaneously generate new problems
information device, the information recipient or both at the with security. [6]. IPv6 network security problems are solved
same time. by developers in different ways: the ability to protect the
According to Cisco estimates 50 billion different devices network based on distributed trust management (Trust-ND) is
will be connected to the Internet by 2020. Today in many considered [7]; the MITM attack test systems to help users
large cities in Europe and in the United States information aware the security risks and then design a defending tool
technologies are widely used in a variety of industries, for using DNSSEC to avoid session hijack attack are developed
which organization is primarily necessary to ensure the [8]. The most effective are comprehensive security measures
2017 IEEE Dynamics of Systems, Mechanisms and Maсhines (Dynamics) (Omsk, Russia)
14 Nov–16 Nov 2017
based on a reducing vulnerabilities impact methods, or end- Switches is the kind of network devices which
to-end connectivity model using host security system with functioning both in corporation and production enterprise
perimeter protection device, for example [9]. Besides, a set of networks and respectively different by priorities and
privacy policy rules is used in the model to facilitate the functional tasks. That is why it is necessary to identify the
management of confidential security relations[10]. However,
none of the proposed approaches gives the proper level of
TABLE I. COMPARING SWITCHES OPERATING TASKS AND PRIORITIES
network protection from cyber attacks. IN THE CORPORATION AND PRODUCTION ENTERPRISE NETWORKS
Tasks and
II. PROBLEM STATEMENT priorities of Corporation network Production
Different network equipment developers solve the switches switches network switches
functioning
problems with choosing implement instruments for security 1.The main
system in different ways. In most cases the following Intellectual property Trouble-free
functioning
protection operation
instruments are used: intrusion detection systems (IDS/IPS), purpose
switches, routers, access points, firewalls and a number of А) Confidentiality A) Availability
2.Priority ranking B) Integrity B) Integrity
software and hardware platforms. C) Availability C) Confidentiality
3. Device refresh
The authors of this article consider that it is necessary to rate
Constant Scheduled
dwell on switches, the main access level devices which 4.Operating
provide host connection in corporation and production Are not required Extreme conditions
conditions
enterprise networks. It seems relevant to determine the most important of them from the safety and reliable host
priorities and tasks of the modern switches operation in point of view in different enterprise segments.
different enterprise segments, because switches are the main
network access level equipment and representing one of the How it can be seen from the table, different networks
most important barriers in modern network security systems, have different priorities. If in corporation network it is
and this means they have to solve various tasks. necessary to direct all resources on authorized success
security and information leak prevention, in production
The main work emphasis is on the implementation of network segment switches should provide data transmission
security system applicable to IPv6 protocol, which is starting in “24/7” mode. Respectively switch reaction on threats
widespread ubiquitously, and information about its should be different. In case of a corporation network
vulnerability to attacks has not been systemized yet. The task everything that is not allowed must be prohibited, so any
of this research is to analyze new cyberattack opportunities unauthorized activity is immediately stopped. In production
provided by IPv6 protocol functionality and the subsequent segment switch must be guided by the “no harm to
protecting host algorithm and a recommended for protection production” principle. This means to continue network data
host arrangements set development using the example of a transmission from sensors despite the threats. Exactly in
known attack on the enterprise default gateway. connection with this difference enterprise network segments
are diametrically opposite.
III. THEORY Network device configuration is constantly updated in
According to the enterprise activity analysis, the accordance with enterprise privacy policy, but there are
following arrangements should be realized: differences. It is recommended to do an online device
updating in corporation network, so the faster switch
1) zoning, enterprise division by “cell – guild - factory” configuration is updated, the sooner privacy policy will be
principle; applied. There is no possibility of constant production
2) controlled access, security policy and identification network updating in case of a continuous production process
services organization; and this means that the updates should be carried out
according to the schedule during the hours of routine
3) physical security, maintenance of intellectual cameras maintenance.
work;
Certain conditions also exist for the switches operation in
4) industrial cybersecurity, monitoring the detection of networks. Corporation network has office working conditions
threats, incidents and event organization. and switches are established on simple 19 inch indoor rack
Production enterprise network is doing the main where the temperature, humidity, etc. are usual, whereas in
production process. There are conveyers, machines, sensors production segment extreme characteristics may be observed:
in it, i.e. production which must be controlled by IT tools. temperature from ultra-high to ultra-low, humidity, dust, rain,
Corporation enterprise network is an office network, where snow, hoarfrost presence, the whole climatic conditions
employees use computers, laptops and tablets to manage and variety which characterizes the production.
monitor production network. Unification of these networks Thus, it is necessary to select switches focusing not only
proceeds through operational and demilitarized zones. on their performance characteristics, but also on the
functionality provided by this equipment while designing an
2017 IEEE Dynamics of Systems, Mechanisms and Maсhines (Dynamics) (Omsk, Russia)
14 Nov–16 Nov 2017
Beginning
VLAN
Increasing
attacking
priority level The RA
successful high priority of Unsuccessful Guard,
attack legitimate router attack SEND
Representing
as legitimate
router The
successful access control lists Unsuccessful
attack (ACL) attack
RA-messages
fragmentation
The additionally
successful monitoring Unsuccessful
attack channel state firewall attack
Stable
Control over functioning
the device End of the host
information to the host. After that all data is sent to the suggest the following host protecting from organized attacks
attacker’s computer. This classic IPv4-based attack is known algorithm.
and some manufacturers have made DHCP-Snooping
function resisting this type of attack successfully. However IV. EXPERIMENT RESULTS
applying to the IoT concept this type of attack can lead not
The conducted experiments showed that only a combination
only to data leakage, but also to the shutdown of production.
of various technologies allows achieving the required
The main difficulties arise when using addressing devices,
information security level. That is why the authors of the
ibecause their specific functioning adds the advantages to the
article recommend the following organization of
attackers in organizing of this attack type.
arrangements set to protect the host from the default gateway
IPv6 Stateless Address Auto configuration (IPv6 attacks:
SLAAC) is one of the additions to the IPv6 protocol
1. Changing router preference (priority) status to a high;
functional. It came to the classical DHCP-service aid in order
to simplify the receipt of IPv6 addresses by host. Technology 2. To use switches access control lists (ACL);
solves the basic automatic host network parameters
configuration issues using a router. It receives a RS-request 3. Еnterprise Virtual Local Area Network (VLAN)
and provides to the addressee a network IPv6 address part organization on switches;
and the default gateway address with a help of RA-answer. 4. Trusted port appointment by RA Guard switch function
Thus, as we know that attacker imitates a legitimate options;
router and organizes certain types of attacks on default 5. Encryption setup of transmitting traffic on switches and
gateway having IPv6 SLAAC new functional, it is possible to host by send-technology means.
2017 IEEE Dynamics of Systems, Mechanisms and Maсhines (Dynamics) (Omsk, Russia)
14 Nov–16 Nov 2017
Results of studying modern security switches addresses and priorities are contained. Then the attacking
functionality, as well as specified measures set application router assigns a clarified IPv6 address, sends an RA-
allow to develop an algorithm for protecting host operation message where identifies itself as a legitimate router.
from the attacks on the enterprise production network default Moreover, the attacker turns off checking duplicate IPv6
gateway. (Fig. 1). addresses function on its device, thereby creating a
precedent: two devices with the same IPv6 addresses and
Attacks specifity and the methodology of reacting to them different MAC addresses appearing in the network. The
are presented below: host, receiving such a message, believes that the default
1. Kind of attack: Increasing attacking priority level. gateway MAC address has changed, so it updates IPv6
Routers have a priority (Preference) with three values: cache, and the attacker achieves its goal again: data from
Low, Medium, High. By managing these values on a the device is sending to the attacker router. To prevent
multiple routers network, the administrator can create this type of attack, it is possible to organize access control
fault-tolerant system, where in the event of a high priority lists (ACL) on the switch by prohibiting all ports except
router failure the SLAAC role will be assumed by the authorized ones to send an RA-message. But this
medium priority router, insured by low priority router. By protection method is not perfect.
default this parameter is set to the medium value. That 3. Kind of attack: RA-messages fragmentation. The ACL
means in networks where there is the only one router the checks an entire packet, analyzing whether it is relating to
attacker has the opportunity to intercept its initiative by the prohibited directive. If an attacker sends RA-message
priorityincreasing. If the legitimate router has high breaking it into fragments before, they will not be handled
priority, it will be equal with the attacker and the host will by access control lists, but they will be transferred to the
accept the offer from the router, sending its network offer host, which will put them together and will change its
first. As a result, the attacking router can still obtain network information, i.e. the switch will not block this
control over the transmitting device. data as it cannot compile and examine the entire package,
2. Kind of attack: requesting network information from a so it will pass to the host. In this situation, the defending
legitimate router and then representing for him. The host side may suggest to use additionally monitoring channel
sends RS-requests and the router answers with RA- state firewall and to add a rule on the switch: if an IPv6
messages. Here the attacking router send an RS-message fragment or packet top-level information cannot be read
to the legitimate router, appearing as a usual host, and (no corresponding header), it is discarded.
receives an RA-message where router IPv6, MAC
2017 IEEE Dynamics of Systems, Mechanisms and Maсhines (Dynamics) (Omsk, Russia)
14 Nov–16 Nov 2017
These types of attacks and countermeasures were tested accessibility, not security. This leads to the contradiction: on
on the Cisco Packet Tracer 7.0 software emulator and also on the one hand, it is necessary to organize an appropriate
Cisco company access level switches (Fig. 2). security level for data transmission from hosts, on the other
hand, we can not overload the switching devices with
Modern switches provide a number of additional additional security functions, as the ACL and SEND
functions which can be successfully used in countering technologies, for example, consume large hardware resources
attacks on the default gateway: of network equipment, and the network segmentation using
1. Virtual Local Area Network organization (VLAN) [7]. VLAN makes the network configuration more complex and
This classic network segmenting method in combination less flexible.
with MAC-based filtering (Port-security) allows to install Consequently, for the security organization in the
different host in isolated virtual networks. This will stop enterprise production network it is extremely important to
transmitting messages from attacking computer with the make not an unsystematic conglomeration of listed
connected host ports. This approach cannot be considered technologies, but their well-thought-out implementation in
perfect either, because it has certain drawbacks making accordance with the solution of tasks based on particular
the network configurations more complicated in whole, enterprise activities analysis, including:
namely: any connection to the host and determining the
same addresses function are blocked, and this leads to the enterprise resources;
necessity for additional configuration of the proxy server
nd dad for duplicate search system working. specific device hazards;
2. Enabling the switch function Router Advertisement Guard threat occurrence probability;
(RA Guard) [8], helping administrator to define the threat vectors that can be used to attack.
various policies applied to the ports. Every policy is
connected to the device role, host or router; so the devices As a result of this problem studying, the authors suggest
connected to the host port are considered as a host, to discuss ways of applying the protection arrangements
whereas devices, connected to the router port are described above selectively, depending on the host types and
considered as routers. This division leads to ensuing the specific industries tasks where the algorithm can be
results: the host can communicate with the other host, but realized.
it cannot send RA-messages. The fact that RA Guard
function does not solve the problem with fragmented VI. CONCLUSION
packages deserves special mention.
Thus, the concept of IoT, improving the production
3. Enabling the router function Secure Neighbor Discovery process, adds a number of significant problems to the
(SEND) [9], which allows encrypting all messages that organization of the information transmitting security within
host and router exchanging. The disadvantage of this the enterprise. One of the important tasks about its ensuring
technology is the fact that both routers and host taking is splitting it into functional zones and choosing the network
part in the encrypted information exchange, so device equipment for different zones, taking into account their
resources have additional loading. And if the router can specificity. The situation of the enterprise protection is
try to cope with this, the smart sensors in the enterprise complicated because of using IPv6 protocol, whose
are likely to be deprived of necessary hardware resources vulnerability issues are beginning to be seriously studied only
to encrypt and decrypt the received and transmitted now. This is connected primarily to the new functionality of
information. this protocol and to the huge amount of supported address
space.
V. THE DISCUSSION OF RESULTS The conducted studies results are:
It can be seen from the collected in the Packet Tracer 1. Suggested approach to IPv6 network security, including
model how an attack on the enterprise production network defining the main goal and ranking priorities in the
main gateway allows to imitate a legitimate router and to switches operation, and the analysis of an updating
organize forwarding information from sensors and network frequency and operating conditions of their functioning in
computers to a fake registration server. After that it is not the enterprise production and corporation networks;
difficult for an intruder to do a distortion of information sent
2. Developed arrangements set to confront the enterprise
on legitimate registration server with the subsequent
default gateway attack, including priority management
shutdown of the production.
and traffic encryption on a legitimate router and the
Therefore, it is necessary to pay special attention to access control lists application, confidential ports and
counteracting attacks on the company's production network enterprise production network segmentation on the
default gateway. switches.
However, we should not forget that the main production 3. Developed algorithm for protecting hosts in an IPv6
network switch task is uninterrupted operation throughout the network, making resisting cybercriminals, using the IPv6
entire production process, so the priority of its functioning is
2017 IEEE Dynamics of Systems, Mechanisms and Maсhines (Dynamics) (Omsk, Russia)
14 Nov–16 Nov 2017
REFERENCES
[1] White paper: Cisco VNI Forecast and Methodology, 2015-2020.
Available at: http://www.cisco.com/c/en/us/solutions/collateral/service-
provider/visual-networking-index-vni/complete-white-paper-c11-
481360.html.
[2] M. Bornheim and M. Fletcher, "Public Safety Digital Transformation:
The Internet of Things (IoT) and Emergency Services," EENA 112, 03
03 2016. Available at: http://www.eena.org/download.asp?item_id=170.
[3] T. Williams, "The Purdue enterprise reference architecture," in
Computers in industry, vol 24 (2), 1994, pp.141–158.
[4] S. Kalpakjian and S. Schmid, "Manufacturing engineering and
technology (5th ed.)," in Prentice Hall, 2006, p. 1192
[5] The 62443 series of standards. Industrial Automation and Control
Systems Security. Available at:
http://isa99.isa.org/Public/Information/The-62443-Series-Overview.pdf
[6] C. Min, "Research on network security based on IPv6 architecture,"
IEEE Transl. Electronics and Optoelectronics (ICEOE), vol. 3 , рр: 415–
417, July 2011
[7] S. Praptodiyono, M. M. Kadhum, R. K. Murugesan and A. Osman,
"Improving Security of Duplicate Address Detection on IPv6 Local
Network in Public Area," IEEE Transl. Modelling Symposium (AMS),
vol.6, pp. 123–128, Sept. 2015
[8] W. Liu, P. Ren, D. Sun, Yi Zhao and K. Liu, " Study on attacking and
defending techniques in IPv6 networks," IEEE Transl. Digital Signal
Processing (DSP), vol. 6, рр: 48–53, July 2015
[9] H. A. Dawood and K. F. Jassim, "Mitigating IPv6 Security
Vulnerabilities," IEEE Transl. Advanced Computer Science
Applications and Technologies (ACSAT), vol. 6, рр: 304–309, June
2014
[10] R. Choudhary and A. Sekelsky, "Securing IPv6 network infrastructure:
A new security model," IEEE Transl. Technologies for Homeland
Security (HST), vol. 7, рр: 500–506, nov. 2010
[11] IPv6 Stateless Address Autoconfiguration. RFC 2462. Available at:
https://tools.ietf.org/html/rfc2462.
[12] IEEE’s 802.1Q standard 2005 version. Available at:
http://standards.ieee.org/getieee802/download/802.1Q-2005.pdf.
[13] IPv6 RA Guard. Available at:
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/IPv6/configuration/15-2s/ip6-15-2s-book/ip6-ra-guard.html.
[14] Secure Neighbor Discovery (SEND). RFC 3971. Available at:
https://tools.ietf.org/html/rfc3971.
2017 IEEE Dynamics of Systems, Mechanisms and Maсhines (Dynamics) (Omsk, Russia)
14 Nov–16 Nov 2017