Listing by author "Waldvogel, Marcel"
1 - 7 of 7
- Conference paper: bwIDM: Föderieren auch nicht-webbasierter Dienste auf Basis von SAML [bwIDM: Federating non-web-based services too, on the basis of SAML] (5. DFN-Forum Kommunikationstechnologien – Verteilte Systeme im Wissenschaftsbereich, 2012). Simon, Michael; Waldvogel, Marcel; Schober, Sven; Semaan, Saher; Nussbaumer, Martin. Service federations are formed so that IT services can be used across organizations. Within such a federation, the user account at the so-called home institution can also be used to access non-local services, i.e. services offered by third parties inside the service federation. While the integration of web-based services into federations using SAML and, for example, Shibboleth has by now become ubiquitous in many application areas, integrating non-web-based IT services (e.g. services with SSH access) remains difficult. Existing approaches that could in principle also integrate non-web-based services do not meet essential requirements and/or are not yet operational at their current stage of development. This paper evaluates two methods for non-web-based federated service access (Moonshot and PAM/ECP) and presents the extensions necessary to ensure operational readiness. An implemented proof of concept demonstrates the feasibility of the solution.
- Conference paper: HomeCA: Scalable Secure IoT Network Integration (INFORMATIK 2019: 50 Jahre Gesellschaft für Informatik – Informatik für Gesellschaft, 2019). Müller, Robert; Schmitt, Corinna; Kaiser, Daniel; Waldvogel, Marcel. Integrating Internet of Things (IoT) devices into an existing network is a nightmare. Minimalistic, unfriendly user interfaces, if any; badly chosen security methods, most notably the defaults; lack of long-term security; and bugs or misconfigurations are plentiful. As a result, an increasing number of owners operate insecure devices. Our investigations into the root causes of the problems resulted in the development of Home Certificate Authority (HomeCA). HomeCA includes a comprehensive set of secure, vendor-independent, interoperable practices based on existing protocols and open standards. HomeCA avoids most of the current pitfalls in network integration by design. Long-term protocol security, permission management, and secure usage combined with simplified device integration and secure key updates on ownership acquisition pave the way toward scalable, federated IoT security.
- Conference paper: Interactive analysis of NetFlows for misuse detection in large IP networks (2. DFN-Forum Kommunikationstechnologien, 2009). Mansmann, Florian; Fischer, Fabian; Keim, Daniel A.; Pietzko, Stephan; Waldvogel, Marcel. While more and more applications require higher network bandwidth, there is also a tendency for large portions of this bandwidth to be misused for dubious purposes, such as unauthorized VoIP, file sharing, or criminal botnet activity. Automatic intrusion detection methods can detect a large portion of such misuse, but novel patterns can only be detected by humans. Moreover, the interpretation of large numbers of alerts imposes new challenges on the analysts. The goal of this paper is to present the visual analysis system NFlowVis to interactively detect unwanted usage of the network infrastructure, either by pivoting NetFlows using IDS alerts or by specifying usage patterns, such as sets of suspicious port numbers. Thereby, our work focuses on providing a scalable approach to storing and retrieving large quantities of NetFlows by means of a database management system.
- Conference paper: A legal and technical perspective on secure cloud storage (5. DFN-Forum Kommunikationstechnologien – Verteilte Systeme im Wissenschaftsbereich, 2012). Graf, Sebastian; Eisele, Jörg; Waldvogel, Marcel; Strittmatter, Marc. Public cloud infrastructures represent alluring storage platforms supporting easy and flexible, location-independent access to the hosted information without any of the hassle of maintaining one's own infrastructure. Already widely established and utilized by end-users as well as by institutions, the hosting of data containing private and confidential information on untrusted platforms generates concerns about security. Technical measures establishing security thereby rely on their technical applicability. As a consequence, legal regulations must be applied to cover those measures even beyond this technical applicability. This paper provides an evaluation of technical measures combined with legal aspects, representing a guideline for secure cloud storage for end-users as well as for institutions. Based upon current approaches providing secure data storage on a technical level, German laws are applied and discussed to give an overview of the correct treatment of even confidential data stored securely in the cloud. As a result, a set of technical possibilities applied to fixed, defined security requirements is presented and discussed. These technical measures are extended by legal aspects which must be provided by the hosting Cloud Service Provider. The presented combination of the technical and the legal perspective on secure cloud storage enables end-users as well as hosting institutions to store their data securely in the cloud in an accountable and transparent way.
- Conference paper: Polybius: Secure web single-sign-on for legacy applications (4. DFN-Forum Kommunikationstechnologien, 2011). Gienger, Pascal; Waldvogel, Marcel. Web-based interfaces to applications in all domains of university life are surging. Given the diverse demands in and the histories of universities, combined with the rapid IT industry developments, all attempts at a sole all-encompassing platform for single-sign-on (SSO) will remain futile. In this paper, we present an architecture for a meta-SSO, which is able to seamlessly integrate with a wide variety of existing local sign-in and SSO mechanisms. It is therefore an excellent candidate for a university-wide all-purpose SSO system. Among the highlights are: no passwords are ever stored on disk, neither in the browser nor in the gateway; its basics have been implemented in a simple, yet versatile Apache module; and it can help reduce the impact of security problems anywhere in the system. It could even form the basis for secure inter-university collaborations and mutual outsourcing.
- Conference paper: SIEGE: Service-independent enterprise-grade protection against password scans (7. DFN-Forum - Kommunikationstechnologien, 2014). Waldvogel, Marcel; Kollek, Jürgen. Security is one of the main challenges today, complicated significantly by the heterogeneous and open academic networks with thousands of different applications. Botnet-based brute-force password scans are a common security threat against the open academic networks. Common defenses are hard to maintain, error-prone and do not reliably discriminate between user error and coordinated attack. In this paper, we present a novel approach which allows securing many network services at once. By combining in-app tracking, local and global crowdsourcing, geographic information, and probabilistic user-bot distinction through differential password analysis, our PAM-based detection module can provide higher accuracy and faster blocking of botnets. In the future, we aim to make the mechanism even more generic and thus provide a distributed defense against one of the strongest threats against our infrastructure.
- Conference paper: X.509 User Certificate-based Two-Factor Authentication for Web Applications (10. DFN-Forum Kommunikationstechnologien, 2017). Waldvogel, Marcel; Zink, Thomas. An appealing property to researchers, educators, and students is the openness of the physical environment and IT infrastructure of their organizations. However, to the IT administration, this creates challenges way beyond those of a single-purpose business or administration. Especially the personally identifiable information or the power of the critical functions behind these logins, such as financial transactions or manipulating user accounts, require extra protection in the heterogeneous educational environment with single-sign-on. However, most web-based environments still lack a reasonable second-factor protection, or at least the enforcement of it for privileged operations, without hindering normal usage. In this paper we introduce a novel and surprisingly simple yet extremely flexible way to implement two-factor authentication based on X.509 user certificates in web applications. Our solution requires only a few lines of code in the web server configuration and none in the application source code for basic protection. Furthermore, since it is based on X.509 certificates, it can be easily combined with smartcards or USB cryptotokens to further enhance security.