2023, Technical report, ENG
A. Gebrehiwot; A. De Vita; F. M. Lauria
Optimal Quality of Service (QoS) and efficient traffic management in 5G Non-Terrestrial Networks (NTNs) rely on the effective orchestration of communication between the various network elements. Through real-time monitoring of the 5G infrastructure, we can derive signi
2023, Technical report, ENG
A. De Vita; A. Gebrehiwot; F. M. Lauria
This document serves as a comprehensive overview of the 5G research infrastructure developed for the TRANTOR project, a 3-year initiative financed by the HORIZON EUROPE program that concentrates on the forward trajectory of 5G Non-Terrestrial Network (NTN) evolution, heading towards 6G systems. The goal of the infrastructure is to facilitate and deeply investigate the Quality of Service (QoS) and traffic management in NTN associated with 5G systems and to develop new functionalities as foreseen by the TRANTOR project. The experimental network infrastructure is based on the open-source free5GC project, further complemented by a standalone implementation of a 5G RAN (Radio Access Network, also known as gNodeB) and multiple 5G UEs (User Equipment) using UERANSIM, an open-source state-of-the-art 5G UE and gNodeB simulator. A detailed overview and use cases of the deployed 5G infrastructure are also described.
2023, Technical report, ENG
A. Gebrehiwot; A. De Vita; F.M. Lauria
The rapid advancements in Low Earth Orbit (LEO) satellite technologies promise high bandwidth and lower costs, making them crucial components for future 6G networks. However, these orbits introduce a range of challenges not present in traditional Geosynchronous Orbit (GEO) systems, such as mobility issues, smaller coverage areas, and the need for inter-satellite communications. Within the scope of the TRANTOR project, we aim to investigate the complexities and peculiarities involved in utilizing LEO satellites for global communications. In this technical paper we focus on reviewing the dynamic traffic and Quality of Service (QoS) management of NTN networks, primarily based on the 3GPP document "Technical Specification Group Radio Access Network; Solutions for NR to support non-terrestrial networks, NTN, Release 16" (3GPP TR 38.821 V16.1.0 (2021-05)).
2023, Technical report, ENG
A. Gebrehiwot; F. M. Lauria
This document explores control and monitoring mechanisms commonly employed in Ethernet-based network infrastructures, aiming to provide a comprehensive understanding of their functionality. It presents practical script examples that use scapy, a powerful and user-friendly Python library for sending and manipulating network packets. The showcased scripts focus on essential functionalities such as ARP monitoring, IPv4 address collision detection, and rogue DHCP server detection. By examining these examples, readers can gain a comprehensive understanding of how these mechanisms contribute to network control and maintenance. The main objective is to offer valuable insights and practical applications of these mechanisms within Ethernet-based network infrastructures.
2023, Software, ENG
F. M. Lauria; A. Gebrehiwot
The 2D Random Movement Simulator is a minimal web application for locally simulating the random movement of random points in a 2D space on a canvas. The application allows users to display distances between these points, with different colors indicating the level of safety:
- green for okay distances;
- yellow for alerting distances;
- red for danger distances.
2023, Technical report, ENG
A. Gebrehiwot; C. Porta
This document presents a technical-practical methodology to discover the multiple IP addresses used by a single host with multiple network interfaces, regardless of whether it uses wired or wireless technology. After a brief introduction regarding the protocols involved and the requirements to satisfy, it describes the main steps of the proposed algorithm. Finally, it reports an example implementation to demonstrate its effectiveness. In fact, because of its usefulness, it has been integrated into a software instrument used for the management of the CNR research area network in Pisa.
2021, Website, ITA
F. M. Lauria; A. Gebrehiwot; A. De Vita; A. Mancini; C. Porta
In addition to the ticket-opening functionality, the portal provides users of the CNR networks in Pisa with a "Knowledge base" section containing the most frequently asked questions. From the point of view of the portal managers, i.e. the staff of the Computer and Communication Networks technological unit of IIT, it allows requests to be handled from a single web interface.
2021, Technical report, ENG
A. Gebrehiwot; F. Maria Lauria; Irene Sannicandro
The network security solution in use at the Pisa Research Area since 2008 is based on two on-premise Next Generation Firewalls (NGFWs) capable of protecting the network infrastructure using typical NGFW features such as application awareness, threat prevention, anti-virus, anti-spyware, URL filtering, file blocking, DDoS protection, etc. Unlike traditional packet filtering firewalls, NGFWs enforce security policies based not only on network traffic attributes (e.g. IP addresses, protocol numbers, port numbers, etc.) but also on other types of attributes, such as the username of an authenticated user, the name of the application in use, the type of the transported data, etc. Furthermore, NGFWs support the concept of zone-based firewalling and allow the configuration of individual protection rules regardless of the network layer protocol in use, thus implementing a dual stack (IPv4/IPv6) firewall. There are various NGFW manufacturers on the market. Therefore, a public organization that needs to acquire an NGFW-based network security solution should compare various products in order to select the best quality-price ratio. Unfortunately, at the time of writing this document, there are no standard methods, i.e. benchmarks, for objectively evaluating and comparing performance indicators of NGFW devices from different manufacturers. For this reason, organizations are forced to make a choice by following a logical process that takes into account a series of different evaluation criteria (technical, practical, economic, administrative, etc.). This document tries to address the various issues that an organization might face during the phases of selection and acquisition of a security solution based on NGFW technologies, mainly considering both technical and administrative aspects.
2021, Technical report, ITA
De Vita A.; Gebrehiwot A.; Lauria F.; Lucchesi C.; Mancini A.; Martinelli M.; Porta C.; Ruberti S.; Vasarelli L.
This technical report presents the first version of the Security Policy of the Institute of Informatics and Telematics (IIT), adopted in compliance with the current regulation "Misure minime di sicurezza ICT per le pubbliche amministrazioni" (minimum ICT security measures for public administrations) issued by the Agenzia per l'Italia Digitale. It covers the aspects needed to detect potential cyber-security weaknesses and establishes the actions to be taken to raise the security level of the Institute's entire IT ecosystem. It also defines a set of organizational and behavioural measures to be adopted by IIT staff to counter the most frequent cyber threats and to handle any incidents. A further objective is the consultation and dissemination of the policy itself to other CNR institutes, research bodies and the Public Administration, in order to support them in defining a security policy for their own organization.
2020, Teaching material, ITA
A. Gebrehiwot; F. M. Lauria
This document is a workbook of exercises focused on implementing Zone-based policy firewalling (aka "Zone-Policy Firewalling" or "ZPF") strategies using Cisco routers running the IOS operating system. Network security is of fundamental importance for protecting the data and resources within an infrastructure, and Cisco routers offer advanced features for granular control of network traffic flows. Through a combination of configurations and practical tests, these exercises build familiarity with creating security zones, assigning interfaces to specific zones and verifying that the defined traffic restrictions work as intended.
2020, Technical report, ENG
F. M. Lauria; A. De Vita; A. Gebrehiwot
The easiest and most widely used authentication method for accessing Internet services is based on username and password. When users can create their own accounts on services that require an online self-registration procedure, email addresses are usually used as usernames. Cybercriminals constantly aim to steal this type of data for various reasons, for example with the purpose of selling it on the underground market. Sometimes stolen accounts can be found on the public Internet, even without the owner being aware of it. In this report we provide a qualitative description and a quantitative analysis of the Cit0Day data leak, a collection of more than 345 million hacked login credentials from 23600 online services, made available on the public Internet in October 2020. In particular, our analysis focuses on two different aspects: one related to the hacked services and the other related to the end-user credentials. Finally, we have carried out a specific analysis of the data leak in order to assess the security concerns regarding our organization. Even though there were no hacked services belonging to our organization, we found that nearly 2500 CNR-related credentials were used on more than 450 hacked services.
2020, Technical report, ENG
A. Gebrehiwot
Most general-purpose operating systems implement and enable native IPv4 and IPv6 support and implement a number of transition/coexistence technologies by default. The deployment of native IPv6 networks is constantly growing, and IPv6 is already present in almost all our networks. Sometimes it is "official" IPv6 traffic; often it is just link-local traffic, or global-scope traffic going through tunnels unknown to the network administrators. It is very important to prevent security exposure in enterprise networks resulting from unplanned use of IPv6. Whatever the reason for the presence of IPv6 in an enterprise network, the time when network administrators only needed to control IPv4 is over. Many communication protocols operating over the modern Internet use hostnames. Hostnames often resolve to multiple IPv4 and IPv6 addresses, so in a Dual Stack portion of the Internet, a communication between two nodes may be established either over IPv4 or over IPv6. For example, a Dual Stack client may establish an HTTP session to a web server using either IPv4 or IPv6. It is therefore essential to apply a consistent security policy to bi-directional IPv4 and IPv6 traffic, independently of which protocol is being used. In this Technical Report, our main objective is to demonstrate how to plan and enforce a consistent security policy for a Dual Stack enterprise network by applying the same controls to bi-directional legitimate IPv4 and IPv6 sessions using a Next-Generation Firewall.
2020, Technical report, ENG
A. Gebrehiwot
Newly implemented IPv6-only networks are becoming common, and these sites need to communicate with the whole Internet (IPv4 servers and the whole IPv6 Internet). In this paper we describe and show how to implement a reliable mechanism that allows client nodes connected to IPv6-only networks to communicate with all IPv4 servers using NAT64/DNS64 protocol translation. When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client, in the IPv4 server or in the transit networks. We present a testbed to demonstrate and to guide on how to realise a stateful NAT64/DNS64 capable of translating unicast packets carrying TCP, UDP, and ICMP traffic.
2018, Teaching material, ITA
F. M. Lauria; A. Gebrehiwot
Teaching material for the "Lab of Secure system configuration, device hardening and firewall management", a course within the first-level Master's degree in cybersecurity organized by the University of Pisa and the Institute of Informatics and Telematics of CNR, held between September and November 2018. The document examines in depth the concepts of APP-ID and application signatures in NGFWs.
2018, Teaching material, ITA
F. M. Lauria; A. Gebrehiwot
Teaching material for the "Lab of Secure system configuration, device hardening and firewall management", a course within the first-level Master's degree in cybersecurity organized by the University of Pisa and the Institute of Informatics and Telematics of CNR, held between September and November 2018. The document introduces the concept of Zone Protection Profiles in NGFWs.
2018, Teaching material, ITA
F. M. Lauria; A. Gebrehiwot
Teaching material for the "Lab of Secure system configuration, device hardening and firewall management", a course within the first-level Master's degree in cybersecurity organized by the University of Pisa and the Institute of Informatics and Telematics of CNR, held between September and November 2018. The document introduces the concepts of URL Category, URL Filtering and SSL Decryption in NGFWs.
2018, Teaching material, ITA
F. M. Lauria; A. Gebrehiwot
Teaching material for the "Lab of Secure system configuration, device hardening and firewall management", a course within the first-level Master's degree in cybersecurity organized by the University of Pisa and the Institute of Informatics and Telematics of CNR, held between September and November 2018. The document presents the course syllabus and all the introductory concepts of the Next Generation Firewall world.
2017, Teaching material, ITA
F. M. Lauria; A. Gebrehiwot
The document aims to provide a practical guide to auditing "Zone Protection Profiles" using Python scripting. In the field of network security, and more specifically of Next-Generation Firewalls, "Zone Protection Profiles" are a fundamental component: they aim to protect networks from a series of threats such as floods, port scanning and ping sweeps.
2016, Website, ENG
F. M. Lauria; C. Porta; A. De Vita; A. Gebrehiwot; A. Mancini
The website was created for the distribution of the 6MoNPlus tool.
2016, Conference proceedings contribution, ENG
Filippo Lauria, Claudio Porta, Andrea De Vita, Abraham Gebrehiwot, Alessandro Mancini
Monitoring and controlling geographically distributed Dual Stack networks on the present Internet architecture is a complex task. The widespread use of Network Address Translation (NAT) and the issues caused by border firewalls make remote network monitoring difficult. It is also necessary to be physically connected to the remote networks in order to sniff packets. There are several situations in which it is convenient to have an easy-to-use tool, accessible from every location, for monitoring and managing various networks distributed in different locations through a single management interface. This article proposes a geographically distributed, scalable and extensible open tool for monitoring and controlling geographically distributed Dual Stack (IPv4/IPv6) networks using a single management interface, by solving the NAT traversal and firewall issues.