Monday, August 5, 2019

Health Promotion in Nursing: Child Obesity Interventions

This essay will explore the knowledge, skills and attitudes nurses need for health promotion. In the last decade health promotion has been a significant part of health policy in the UK (Piper, 2009). For instance, the Department of Health (DOH) policies Choosing Health (DOH, 2004) and Better Information, Better Choices, Better Health (DOH, 2007) both highlight health promotion as a main concern in the health service (Piper, 2009). Nurses have a significant part in reducing the effect of disease and in promoting health and function (RCN, 2012). The NMC (2008) states that health promotion is a key aspect of the nursing profession and one nurses are required to undertake in practice. Health promotion is a process which helps people to enhance their health and have control over it (WHO, 1985). Tones (1987) describes health promotion as "any strategic measure which aids health or averts illness, disability and pre-mature death." Health promotion aims to enhance one's skills and abilities in order to take action, and, at the level of a group or community, to work mutually to gain control over determinants of health and attain positive change (WHO, 1978). Health promotion is essential in child nursing as anything which affects a child's health during childhood may have an effect on adulthood (Moyse, 2009). In order to provide effective health promotion nurses must have the correct skills, knowledge and attitudes (Cole, 2008). Having the right knowledge, skills and attitude allows nurses to implement successful health promotion, consequently making a positive effect on the patient's life, health and wellbeing (Cole and Porter, 2008). Child nurses delivering public health are working to establish opportunities for children to live positive, healthy lives by influencing public policies and via health promotion (RCN, 2007). However, to ensure this nurses need knowledge (Risjord, 2011).
For example, having knowledge of various health conditions is vital for nurses, as they spend a significant amount of time with service users and are therefore usually the first source of information when service users want to find out about a certain health condition (Risjord, 2011). In relation to tackling child obesity, nurses will need knowledge about obesity to carry out successful health promotion (Bagchi, 2010). Grimmet et al. (2010) found that parents and children have either inadequate or no knowledge of obesity and its severity. This suggests that there is a lack of awareness of child obesity. Moyse states that nurses must offer guidance and lifestyle education each time they are in contact with service users. Working with the child's family is vital as it will allow nurses to identify misunderstandings families have about exercise, food consumption and health matters (Moyse, 2009). This shows that knowledge is vital when delivering health promotion, as nurses can help both child and parent come to terms with health issues via education and advice. Having knowledge of health epidemiology will be vital for nurses in health promotion as it offers a depiction of current health conditions among children, thus highlighting areas which require priority. Currently in the UK 33% of boys and 30% of girls aged 2-15 years are obese (Health Survey for England, 2012). From 1995 to 2006 the obesity rate increased from 14% to 25% for boys and from 15% to 27% for girls. Obesity rates in boys aged 2-10 increased from 11% in 1995 to 17% in 2006, and in girls from 10% to 12% in 2006 (Health Survey for England, 2012). Being aware of the prevalence and incidence of child obesity will allow nurses to identify preventative approaches, monitor secular trends and recognise groups at risk (Naidoo and Wills, 2009). Nurses need to have knowledge about a child's psychological, social, physical and intellectual development.
The Children Act (2004) states this as an obligation for all child practitioners involved in children's health, protection and welfare. Being aware of child development is a significant step towards understanding what establishes children's wellbeing and safety, and towards promoting and maintaining wellbeing (DOH, 2012). This ensures that holistic care is given to the child as it considers all aspects of the child's health. In relation to childhood obesity, child development is a vital aspect when delivering health promotion as it will help the nurse to identify how the child's development is affected by obesity and the implications this causes, but most importantly it allows the nurse to identify how this can be altered to improve the child's health (reference). Having evidence-based knowledge is vital in health promotion; the NMC (2008) states that nurses must use evidence-based practice to deliver excellent care and to ensure patient needs are met. In relation to child obesity, nurses can acquire evidence-based knowledge about obesity by reviewing the literature; this will offer an understanding of key research, initiatives, interventions and policy, which are all key in implementing care for obese children (Porter and Cole, 2008). Having knowledge of health promotion theories and models will be beneficial for nurses as they underpin the application of health promotion. Theory can help implement health promotion in various ways (Nutbeam and Harris, 2010). Models and theories offer a better understanding of the health problem being addressed. They also explain the needs and motivations of the target population and offer suggestions on how to alter health status, health behaviour and their determinants. Health promotion models and theories also offer approaches and measures used to monitor the programmes and problems (Nutbeam and Harris, 2010).
In relation to child obesity, nurses may use the nursing process, which has the following stages: assessment, diagnosis, planning, implementation and evaluation. For instance, the child will be assessed to identify the child's health needs as a basis for care implementation. For the diagnosis, the child's weight and height may be measured; this will allow the nurse to identify whether the child is obese by comparing the results to the national body mass index percentiles for children. Nurses may also have a consultation with parents to identify what may be contributing to the child being obese. For planning, nurses may devise a care plan for the child consisting of planned actions which are suitable for the child's needs, i.e. regular exercise, a balanced diet or decreasing calorie intake to a sensible amount. For the implementation stage, nurses will help the child to implement actions from the care plan, e.g. keeping a food diary to help reduce calorie intake to the recommended amount, encouraging the child and family to do 30 minutes of exercise per day, or increasing healthier food choices. For the evaluation stage, the nurse and the child or family will assess whether the interventions were effective and, if not, how actions can be improved to ensure the patient's needs are met. Nurses need knowledge of health inequalities as the UK government has identified health inequalities as a key public health issue (DOH, 2013). Child obesity can be considered a health inequality, as the National Child Measurement Programme found that high obesity rates among 5 and 12 year olds were linked to increased socioeconomic deprivation (NCMP, 2010). The Healthy Lives, Healthy People policy (DOH, 2010) aims to reduce health inequalities and increase opportunities by offering various services for both family and children.
The policy stresses the significance of giving children a healthy start in life; it sets goals for the Healthy Child Programme, health visitors and the Family Nurse Partnership, and demonstrates how this contributes to the public health priority of promoting good health and wellbeing (DOH, 2010). Nurses play a key role in this policy by improving health and opportunities for children and young people via health-promoting initiatives. For instance, it aims to tackle child obesity by educating parents on healthy eating and exercise. To achieve this, nurses will need knowledge of the factors behind health inequalities and of the health promotion methods which can be used to help children and their parents avert infirmity, injury and mortality (Moyse, 2009).

Skills

There is a vast range of skills used in health promotion to tackle public health issues. One of them is the skill to collaborate with others. Brammer (2007) states that effective support for families and children cannot be attained by a sole agency. Thus nurses must cooperate with others when delivering health promotion to meet the child's needs. The DOH states that NHS staff collaborate with each other in effective teams and that partnership is vital in implementing care for patients (DOH, 2006). Acheson suggests that in order to help people lead independent lives, inter-professional collaboration is required to encourage public agencies to adapt services to individuals' needs and to promote choice along with independence (Acheson, 1999). In relation to child obesity, nurses can collaborate with others to tackle environmental challenges, as this is an area where nurses have less input. The environment consists of the physical, cultural, social and economic environment, all of which are needed for one to make lifestyle modifications (Davis, 2007).
Via inter-professional collaboration within a multidisciplinary team or with agencies, for example with nutritionists, schools, religious representatives, fitness and leisure centres and community food personnel, environmental barriers can be tackled (Mosytn, 2005). Family culture and social life can be modified by motivating the family to embrace a healthier lifestyle, resulting in a positive environment for modification (Davis, 2007). Having communication skills is crucial in health promotion (Webb, 2011). Wills et al. (2007) found that nurses had to recognise how individuals acquire information, how information is exchanged effectively and how individuals make choices regarding their health, and understand the way in which communities change. In relation to child obesity, communicating with parents creates the cornerstone of intervention to address the issue of the child being obese. When communication is carried out correctly, the foundation for working in partnership with obese children and their families can be formed and nurtured (Mikhailovich and Morrison, 2007). Having the skill to deliver family-centred care is a key aspect of health promotion, as families have a crucial part in ensuring the health and wellbeing of children and young people (Moyse, 2009). The National Service Framework (DOH, 2004) has guidelines which emphasise health promotion and assisting families with education and resources from birth to adulthood. The guidelines ask for high-quality care to promote and safeguard children and young people. By implementing family-centred care, nurses allow the formation of a partnership with the child's family in the pursuit of being responsive to the priorities and necessities of the family and child (Bowden and Greenberg, 2011). Family-centred care is beneficial in the delivery of health promotion as it improves care, allows successful distribution of resources and satisfies both family and patient (Bowden and Greenberg, 2011).
In relation to child obesity, optimal care is delivered by adopting family-centred care, where care and advice are offered to both family and child to allow concordance. Having the skill to empower patients is vital; Tones and Tilford (2001) argue that empowerment is the most crucial feature of health promotion. In relation to child obesity, empowering the young person to manage their health while satisfying their needs is vital. Empowerment has been recognised as a key concept in encouraging healthy eating and exercise (Cochran, 2008).

Attitudes

To achieve effective health promotion, nurses must have health-promoting attitudes and demonstrate respect for all patients. Empathy is a crucial attitude in health promotion; McQueen (2005) states that empathy refers to being able to understand the patient's behaviour and feelings. Malloch (2001) suggests that empathy forms trust and allows care to be negotiated, implemented and evaluated efficiently. The NMC (2008) also states that nurses need to be able to deliver care with empathy. In relation to child obesity, empathy is a key attitude, as the DOH (2010) states that nurses must be empathetic with families when dealing with a sensitive issue like child obesity. Being compassionate is vital when delivering health promotion, as the DOH (2010) states that compassion forms the basis of care through relationships built on respect, dignity and empathy. Being non-judgemental is vital in health promotion, as the NMC (2008) states that care must be given in a universal, non-judgemental, kind and sensitive manner that avoids assumptions. Being motivational is a key attitude nurses will require, as it helps patients feel confident, thus making a desired health action more achievable (Fisher, 2013). Harter suggests that patients will be motivated when they perceive themselves as being confident; however, if one feels they are not capable of fulfilling an action, they are less likely to do it.
Thus having a motivational attitude is vital as it increases the patient's self-esteem and prompts patients to take action on their health.

Conclusion

This essay has explored why nurses need skills, knowledge and attitudes to deliver health promotion and how these can be used to tackle child obesity.

Nestle Infant Formula as cause of child deaths

Company Background

Heinrich Nestle and his family members started off producing carbonated water. They later also combined cow's milk with wheat flour and sugar to produce a substitute for mother's milk for those children who couldn't accept breastfeeding. In 1866 a milk food formula was developed for infants who were unable to tolerate their mother's milk. His product became a success, and it created demand throughout Europe. By the 1960s Nestle was one of Switzerland's biggest companies, with over 200 factories around the world (Nestle, 2009). Nestlé considers that research can help them make better food so that people live a better life. Good food is the primary source of good health throughout life. In the first months of life, a baby's nutritional needs are very specific and different from any other stage of life. Obtaining energy and nutrients is vital for babies' healthy growth and development at this critical stage of life. To meet the specialized needs of infants, Nestlé Nutrition works with the Nestlé Research Center and R&D centers to provide infant formulas with total nutrition. We strive to bring consumers foods that are safe, of high quality and provide optimal nutrition to meet physiological needs. In addition to nutrition, health and wellness, Nestlé products bring consumers the vital ingredients of taste and pleasure. Research is a key part of our heritage at Nestlé and an essential element of our future. Nestlé believes that the best food for babies is mother's milk.

Mission Statement

Breast milk has nutrients that nourish, protect and promote growth and development. However, for different reasons, not all mothers are able to breastfeed their babies or choose to do so, and need a safe, high-quality alternative that provides babies with the precise nutrition they need in the first months of life (Nestle 1990).
Infant Formula Industry

Development and marketing of milk food products for infants began in 1867. The creation of the product progressed due to the urgent need for a substitute for infants who could not consume any food. Infant formula foods matured around the 1920s. As an alternative to breast milk, sales boosted after WWII and reached their peak in 1957. The market took a downturn around the 1970s. Nestlé then decided to market to regions like Africa, South Africa and the Far East because of population growth (Boycott, 2007).

Nestle and the Infant Formula

The 1800s was the century when Henry Nestle founded the infant substitute for breast milk for women who could not breastfeed their children at the time of their birth. This, however, led to the death of millions of infants. Nestle in the early years marketed infant formula as the best option for infants and also continued to aggressively promote the milk as better than breastfeeding. The containers had large writing in block letters claiming it to be the best choice for newborn babies, which led to an excessive drop in breastfeeding and a high number of women feeding their children the infant milk. The statistics were roughly as follows: around 80% of Singapore's three-month-old infants were being breastfed in 1951; by 1971 only 5% of mothers nursed their infants. In Mexico around 1966, fewer than 40% of mothers nursed their infants. Chile experienced three times as many deaths of infants before they reached 3 months old in 1973 (Ford, 2008). There was a marked rise in the rate of gastroenteritis and malnutrition among babies in third world countries relating to the improper use of infant formula and the associated feeding equipment, such as bottles and nipples. During the 1970s, a British charity organization circulated a 28-page pamphlet called The Baby Killer, which was targeted at Nestle Switzerland and the poorly advertised marketing efforts in Africa.
After the publication was widely distributed, it raised concern among the general public and the population of the affected countries and others. Later, Nestle was accused of unethical and immoral behavior. Nestle fought back and the trial lasted for two years; Nestle was sued for defamation but inevitably Nestle won. But during this time Nestle was given a code of ethics to follow by the World Health Organization and UNICEF (Birbeck, 2007). The key points of the Code as established in 1981 were:

- Breast milk substitutes should not be advertised.
- Mothers and health care members are not to be given free supplies and samples.
- No promotion of products through health care facilities.
- Marketing personnel are not to be in contact with mothers.
- Information to health workers should be scientific and factual only.
- All information on artificial feeding, including the labels, should explain the benefits of breastfeeding and the costs and hazards of artificial feeding.
- Unsuitable products are prohibited for babies.
- Babies should not be depicted on infant formula packaging.
- Labels should be set out in local native languages.

By the end of 1989, the MNC introduced a Plan of Action for Infant and Young Child Feeding, in which it committed to putting a stop to all low-priced and free supplies of infant milk formula in developing countries except for the number of children who need it.

How Nestle Breaks the Rules: Unethical Practices

Nido is promoted worldwide. In Bolivia and other countries, community and health workers are given free samples of Nido, which stirs mixed feelings among mothers of children above four months, although there are no age limits for Nido. Neslac is promoted widely for babies from their first birthday, although breastfeeding is recommended until at least two years of age. Nestle promoted Neslac with the help of posters, gift offers and advertisements in all types of media.
In Mexico and other countries, Nestlé provides pediatricians and nurses with funds for congresses and other professional events. Nestle sponsors workers with boxed lunches and vouchers in Taiwan. In Italy, Nestlé sponsored meetings and conferences under the brand name Guigoz. Cerelac is promoted in Pakistan on huge posters and roadside banners. Labeled bowls and cups are given out with every purchase of Cerelac. The blue bear logo that is seen in almost every country represents infant formula and food. In the UAE, Nestle distributed pens with the Cerelac logo. Company reps contact mothers through telephone in Hong Kong and Taiwan (Stafford, 1999).

Nestlé Baby Milk: Ethical Issues

a) Infant Formula. The most important ethical question that arises regarding the use of infant formula is whether it is moral to produce or use the formula as a substitute for breast milk. The point of concern is whether infant formula is a bad thing in itself, like tobacco smoking, or whether it lies on the same footing as consumption of alcohol, where misuse leads to harm. The International Baby Food Action Network (IBFAN) suggests that in theory infant formula might not be a bad thing but, on moral grounds, it acts as a substitute for a perfectly good thing, that is, breast milk.

b) Infant Formula as a Cause of Child Deaths? There is no point questioning the fact that hundreds of thousands of young infants die every year in developing countries, mainly because of water-borne disease, malnutrition and other factors. In the case of Nestle it is important to distinguish between deaths caused by the use and misuse of infant formula, which is the result of improper marketing of the formula as a substitute for breast milk, and deaths caused by other reasons. The use or misuse of infant formula may lead to child death for various reasons, which include neglect of certain important facts regarding usage or simple ignorance on the part of the mother or the feeder.
Non-availability of proper ingredients like pure or clean water, or the use of non-sterilized bottles to feed infants, has proved to be a major health risk.

c) Supply of Infant Formula to Regions with Inadequate Healthcare Systems. The supply and promotion of infant formula to areas with weak health care facilities leads to an ethical predicament: is it moral on the company's behalf to supply their products in areas like Africa even if they are working within the framework of the International Code? Continued supply to these areas by infant formula companies is not considered an illegal issue as they follow the International Code, but their product is linked to deaths of young infants, which surely makes it an ethical issue. In areas like Africa, unsafe water and lack of sanitation are major factors underlying many of the 10 million child deaths every year. Repeated episodes of waterborne diseases like diarrhoea can push children to the brink of survival, leaving them too weak and malnourished to survive even common childhood illnesses (IBFAN, 2008). Illiteracy is another issue that these areas face, as people are not able to read the instructions. In some cases, cans of formula were being sold with the instructions in the wrong language for the women being targeted, which also proved to be an issue to some extent (Moorhead, 2007).

d) Abiding by the Code. Out of all the ethical issues, one of the key issues revolving around infant formula is the extent to which manufacturers are abiding by the International Code. According to Article 1 of the Code, the aim of the Code is "to contribute to the provision of safe and adequate nutrition for infants, by the protection and promotion of breastfeeding, and by ensuring the proper use of breast milk substitutes, when necessary, on the basis of adequate information and through appropriate marketing and distribution" (Ann, 2007).
Another article of the Code states that there should be no advertising or any other form of promotion to the general public of products within the scope of the Code. The Code was formed in 1981 because the manufacturers of infant formula products were promoting their products as a replacement for breast milk and breastfeeding was declining. Nestle even stated that infant formula is better than breast milk, which led to the boycott of Nestle products. After the boycott Nestle fell in line with the Code, but every now and then it has been seen that they find a loophole in the Code and take advantage of it. This is the reason the boycott still continues.

In Defense of Nestle

On the key ethical issues of substituting breast-milk feeding, there are two main points to discuss in this part, to show how the company argues that infant formula is not unethical. The first point is the status and position of infant formula. Nestlé has a unique question to ask those who consider infant formula an ethical problem: is infant formula a bad thing in itself, as bad as gambling and tobacco? The second point is the child death cases and their relation to infant formula. Nestle says that there are many child death cases all over the world, and there are people and organizations, such as competitors or IBFAN, who relate some of those child death cases to infant formula while ignoring the other real factors behind those cases. For example, these people or organizations ignore the facts behind the death cases in some countries in South Africa, where it is really hard and sometimes impossible to find pure and clean water, although the UN is trying its best to provide clean water for the people in South Africa; and those people want infant formula to be withdrawn from there.
Withdrawing infant formula from that part of Africa can lead to serious problems, where other competitors can enter South Africa with new, inefficient infant formula and cause more serious problems for those children, or infant formula can be replaced by sugar water or goat milk. Another cause of death cases among those poor children is the weak health care system; those people or organizations ignore the fact of the weak health care system, for instance in some countries in South Africa. Therefore Nestlé's argument here is that countries in South Africa have a weak health system and people there are not well treated medically, so death cases should be related to the weak health system there and not to infant formula; it is therefore unfair and unethical to relate the death cases to infant formula and to Nestlé. These countries should have full medical health care, especially for children, to protect them and make them strong in order to face other illnesses in the future. After providing full and strong medical health care to those children, people can then start to put the blame on Nestle's side after considering the other serious causes of death. Based on these two argument points, Nestlé sees itself as doing an ethical and right thing by providing that part of the world with infant formula.

In Conclusion

Breastfeeding is the best thing for a baby because it contains the perfect amount of antibodies, water, carbohydrates, fat, protein, vitamins and minerals. Mothers who can't breastfeed their newborn babies will select formula as the second option for their babies; also, many businesswomen who work most of their time don't have time to feed their babies, and as a result they always try to choose alternative ways to feed their babies which at the same time contain everything the baby needs.
First of all, when we talk about the advantages of breastfeeding, we find a lot of good results that impact children's health and their bodies in the future. Breast milk is personalized for babies as a whole meal because this milk contains everything babies need to protect their bodies from allergy, so that they will be less likely to get allergies, and it protects them from asthma. Also, breastfeeding may help reduce the chance of becoming overweight, reduce stomach infections and support the baby's sensitive digestive system. Moreover, breastfeeding is very comfortable for the mother and easier than using other artificial milks. In addition to what I mentioned earlier, another advantage of breastfeeding is that it saves money and is available at any time and everywhere, while artificial milks can be expensive and unaffordable; breastfeeding also builds a strong relationship between the mother and her baby. Secondly, on the other hand, there are the disadvantages of artificial milks. As we know, Nestle is one of the leading consumer products companies in the world; however, it has many ethical issues relating to breast milk substitutes. First of all, the moral status of artificial milk or infant formula is more like that of tobacco or gambling, where the problems arise from misusing it, such as the role of infant formula in child deaths and the supply of infant formula to areas with weak healthcare systems

Sunday, August 4, 2019

Understanding and Preventing Child Abuse and Neglect Essay -- Preventi

â€Å"Childhood should be carefree, playing in the sun; not living a nightmare in the darkness of the soul.† -- Dave Pelzer, A Child Called "It"   Ã‚  Ã‚  Ã‚  Ã‚  Child abuse, the physical and/or emotional abuse of a child by a parent, guardian, or other person, is a major problem in the United States. Child abuse, including sexual abuse, beating, and murder have increased and it is believed that many cases go unreported. Another for of child abuse is child neglect, which includes malnutrition, desertion, and inadequate care for a child.   Ã‚  Ã‚  Ã‚  Ã‚  Efforts have increased on the primary prevention of child abuse. This must be started on many different levels before it can be successful. Prevention plans on a social level include increasing the economic self-sufficiency of families, preventing the birth of unwanted children, making health care more accessible, expanding and improving coordination of social services, improving the identification and treatment of psychological problems, and alcohol and drug abuse, and providing more affordable child care. Prevention plans on the family level include helping parents meet their basic needs, identifying problems of substance abuse and spousal abuse, and educating parents about child behavior, discipline, safety, and development. Primary prevention is to prevent the disease before it happens and reduce the chances of child abuse or negligence from happening.   Ã‚  Ã‚  Ã‚  Ã‚  Between 1995 and today child abuse cases have increased by more than fifty percent. More than thirty-five percent of which were confirmed. Each year one hundred and sixty thousand children are abused severely, even to life threatening extents. One thousand to two thousand children are killed resulting form child abuse. One of twenty murder victims is a child. Murder is the fourth leading cause of death in children from ages five to fourteen. 
The murder of a baby within the first twenty-four hours of life, neonaticide, accounts for forty-five percent of children's deaths.

Most child abuse occurs in the home and is started by someone who is known and trusted by the child. Abuse in day care center and foster care settings is only a small part of confirmed cases, but is more widely publicized. In a household where spousal abuse takes place, child abuse is fifteen percent more likely to occur also. Children are three times more likely to be abused by father rather than mot... ...education
    Number of children
-Identify families with problems of:
    Substance abuse
    Domestic violence
    Mental health
-Offer new parents
    Services of a social worker
    Long-term home visitation
    Parenting classes
-Educate new parents regarding
    Developmental tasks of children
    Age-appropriate anticipatory guidance
    Nutrition and feeding problems
    Safety
    Discipline
-Discourage corporal punishment
-Survey parents to identify health issues that are of interest to them
-Support universal health care for children
-Advocate for community respite care for parents
-Advocate for community alcohol and drug treatment, mental health, and spouse and child abuse centers.

Child abuse is a complex problem with many causes; it is important that people do not take a negative attitude toward its prevention. Despite the absence of strong evidence to guide preventive efforts, society can do things to try to prevent abuse. Showing concern for the parents or caregivers and increasing attempts to enhance their skills as parents or caregivers may be able to help save our most vulnerable people, the children, from the nightmare of abuse and neglect.

Saturday, August 3, 2019

Native American Genocide :: American America History

b. causing serious bodily or mental harm to members of the group; c. deliberately inflicting on the group conditions of life calculated to bring about its physical destruction in whole or in part; d. imposing measures intended to prevent births within the group; e. forcibly transferring children of the group to another group. (Destexhe)

In this paper, I will argue that the act of genocide as here defined has been committed by the United States of America upon the tribes and cultures of Native Americans, through mass indoctrination of its youths. Primary support will be drawn from Jorge Noriega's work, "American Indian Education in the United States." The paper will then culminate with my personal views on the subject, with ideas of if and how the United States might make reparations to its victims.

Aside from the well-known and brutal "Indian Wars," there is a means of cultural destruction of Native Americans which began no later than 1611. This method was one of indoctrination. Methods included the forced removal of children from their cultural milieu and the enrollment of these children in "educational programs," which were intended to instill more European beliefs. As the United States was not formally a nation until 1776, it would not be fair to use evidence from before this year in building a case against it. The most damaging to the United States are parcels of evidence drawn from events after 1948, the year of the Convention on Genocide. Beginning in 1778, the United States Board of War, a product of the Continental Congress, appropriated grants for the purpose of "the maintenance of Indian students at Dartmouth College and the College of New Jersey..."

The young people who had returned from the schools are described by the Seneca leader Cornplanter as "...ignorant of every means of living in the Woods, unable to bear either Cold or Hunger, [they] knew neither how to build a Cabin, take a Deer, or kill an Enemy, [they] spoke our Language imperfectly, were therefore neither fit for Hunters, Warriors, nor Counselors; they were totally good for nothing" (Noriega, 376). Grants given to other schools were just the beginning. In 1820, the United States made plans for a large-scale system of boarding and day schools (Noriega, 377). These schools were given the mission to "instruct its students in 'letters, labor and mechanical arts, and morals and Christianity;' 'training many Indian leaders'" (Noriega, 378).

Friday, August 2, 2019

Racism and its Inevitability as Portrayed in Crash Essay

Paul Haggis' Crash was one of the biggest movie hits of 2004. Winning three Oscars at the 78th Academy Awards in 2006, this film is undeniably written into film history as one of the greatest of this generation. Often described as a movie about how the lives of different people intertwine through a twist of fate, Crash is largely about racial tensions, perhaps not only in its Los Angeles, California setting but in the whole of America. The movie features a whole slew of characters who have different racial backgrounds and who act in accordance with the pressures they face in relation to their cultural backgrounds. Although most of the characters are interesting, I found Detective Graham Waters (Don Cheadle) and Officer John Ryan (Matt Dillon) to be the most noteworthy. Not only have the actors portraying them delivered powerful performances, they have also been given enough background and, at times, justification as to why they act the way they do. As such, the following paragraphs will analyze both characters.

Los Angeles, California, the place in which the Crash characters move, plays a great part in Graham Waters' and John Ryan's judgments, beliefs, and actions. Teeming with people from different races, Los Angeles allows for interaction among people of varying cultures. It sets up room for Graham Waters and John Ryan to 'practice' their racial tendencies. Basically a melting pot of differing cultures, Los Angeles is the perfect environment in which any character can feel racial superiority or inferiority. Graham Waters' and John Ryan's smaller environment, that of the police station, is also highly effective in influencing the characters' personal biases. In both characters' cases, it gave them a reason to feel superior, hence providing the perfect justification for one's preference of leaning (or not leaning) towards people of their own race.

Graham Waters is shown as being preoccupied with a case against a white cop who shot a black cop. Even with the white cop having already killed three black men, Graham Waters still finds it in himself to deliberate on whether the killings are justified or not. The workplace that this particular character was given is the best setting to allow him the 'luxury' of suspending judgment and possibly eliminating preferences for his fellow black people. John Ryan, on the other hand, was put in a position where he thinks it is okay for him to physically abuse a half-African woman and actually get away with it. His being a police officer magnified the way he performed his racist acts nonchalantly.

A closer look at the lives of both characters under scrutiny reveals how much their personal history has affected the way they make judgments. Although of African-American descent, Graham Waters found it in himself to actually try to be forgiving to people of Caucasian heritage. This is because his family is poor, he experienced first-hand having a drug addict for a mother, and he witnessed how his younger brother grew up to be a criminal. Growing up in a tumultuous black environment may have led Graham Waters not to revere people of his own race. It has, in part, allowed him to think of blacks and whites as somehow equal. Yet Graham Waters is not devoid of racist tendencies. He has a partner, the Latin-American Ria (Jennifer Esposito). Despite working in a male-dominated world and engaging in a sexual relationship with Graham Waters, Ria is still discriminated against by the very man she sleeps with. Graham Waters never pins her country of origin right, and he doesn't seem to mind. This is a perfect exhibit of how Graham can at times be racist: Professor Robin Lakoff of the University of California claims that not caring what someone's background is constitutes a display of racism (Williams, 2004).

The latter part of the film also reveals why John Ryan has been very negative towards people of other races. It is rooted in the demise of his father's business. Shown as deeply concerned about his father's health, one is wont to assume that John Ryan is indeed fond of his father. His actions then become a bit understandable when it is revealed that his father's business collapsed after local policies favored businesses owned by minorities. As this had a grave effect on his family's life, John Ryan 'naturally' harbors anger (perhaps also hate) towards those who caused him and his family discomfort.

Yet both characters are thrown into events that eventually lead them to 'crash', to abandon their own personal beliefs and act differently from how they normally would. Graham Waters, who was supposed to champion impartiality between blacks and whites, chose to act against the white cop by concealing evidence that might have helped the cop in question. This was done through Jake Flanagan (William Fichtner) using Graham's brother as bait. By reminding Graham of the possibility of Peter's arrest if Graham does not withhold the evidence, Flanagan succeeds in pushing the black cop into acting against his own personal belief that the white cop should be given a fair trial. One of the most dramatic moments of this Haggis film is when John Ryan once again crashes into Christine, by which time he acts as a hero and no longer as a villain. Seeing how Christine's life was in danger, John Ryan put his life on the line and saved Christine from a blazing car accident. In a moment of crisis, John Ryan abandoned his prejudice and actually risked his own life to become a hero for someone he used to malign.

I believe that both Graham Waters and John Ryan were racists, or at least had racist tendencies. John Ryan, most especially, had shown racial discrimination with his constant negative commentaries and actions towards people who are not of Caucasian descent. Graham Waters, on the other hand, may show his racial tendencies in more subtle ways, yet they are still undeniably there. He has shown numerous times that he will choose to help someone of the same race over someone who is not black.

Personally, I have not experienced any major racial discrimination, but I admit to feeling that there is a racial tension hovering around society. I see it every day and even practice it myself. Racism is seen in the ways people choose their friends, in the cliques that are formed in school, and in the comments we make every day. The media is one of the easy reference points for how racism prevails nowadays. There are times when headlines shout a person's race when talking about particular crimes. The news may say "A black guy murders a woman" or "Asian men rob a bank" but never (or very, very rarely) will it brandish "White guy kills family" or "Caucasian steals money". These may not be personal attacks on me, but I take them as large manifestations that racism still exists. Racism, though, has changed a lot through the years. Thankfully, because of the way the world keeps getting smaller, thanks to the Internet and its ability to bring people from both ends of the world closer, racism has been greatly reduced, or so I would like to believe. I say that this is the case because people are getting to know those from other races better, thus eliminating some preconceived notions about a whole race. Of course, there is also this adverse effect: because people get to interact with more people, racism is spread to more races. In America, for example, racism was once centered only on blacks versus whites. Today, though, we see racial discrimination applied against the Chinese, the Filipinos, the Hispanics, and many more.

Paul Haggis' aim in creating Crash was to demonstrate the fact that racism is still very much prevalent in these modern times. He wanted to paint a society that is still very much hinged on its racial biases. Haggis wanted to relate that perhaps this may not be totally eliminated because everybody comes from different cultures and different backgrounds that dictate what and how they think about themselves and others. Sadly, racism is an inevitable fact of life, but it is a fact that we can all strive to keep to a minimum by taking time to understand each other's histories.

REFERENCES
Haggis, Paul. (Director). (2004). Crash [Motion picture]. United States: Bull's Eye Entertainment.
Williams, Brandt. (2004, August 08). "The 'n-word'." Minnesota Public Radio. Retrieved August 19, 2007, from http://news.minnesota.publicradio.org/features/2004/06/28_williamsb_nword/

Thursday, August 1, 2019

Hybrid Network Security

ACCEPTED FROM OPEN CALL

SECURITY ISSUES IN HYBRID NETWORKS WITH A SATELLITE COMPONENT
Ayan Roy-Chowdhury, John S. Baras, Michael Hadjitheodosiou, and Spyro Papademetriou, University of Maryland at College Park
IEEE Wireless Communications, December 2005. 1536-1284/05/$20.00 © 2005 IEEE

ABSTRACT
Satellites are expected to play an increasingly important role in providing broadband Internet services over long distances in an efficient manner. Most future networks will be hybrid in nature, having terrestrial nodes interconnected by satellite links. Security is an important concern in such networks, since the satellite segment is susceptible to a host of attacks, including eavesdropping, session hijacking and data corruption. In this article we address the issue of securing communication in satellite networks. We discuss various security attacks that are possible in hybrid satellite networks, and survey the different solutions proposed to secure data communications in these networks. We look at the performance problems arising in hybrid networks due to security additions like Internet Protocol Security (IPSec) or the Secure Sockets Layer (SSL), and suggest solutions to the performance-related problems. We also point out important drawbacks in the proposed solutions, and suggest a hierarchical key-management approach for adding data security to group communication in hybrid networks.

INTRODUCTION
With the rapid growth of the Internet, satellite networks are increasingly being used to deliver Internet services to large numbers of geographically dispersed users. The primary advantage of satellite networks is their wide broadcast reach: a satellite can reach users in remote areas where terrestrial connectivity is not available. Satellite networks are also easily and quickly deployed, and can be a more cost-effective solution in areas where laying ground fiber networks would be too expensive. Although satellite networks offer great potential, they also present significant challenges that need to be addressed. Security is becoming an increasingly important aspect of all networks. In this article we focus on the challenges that need to be addressed in order to make satellite networks more secure while maintaining seamless interoperability with terrestrial networks. These security-related challenges include the following considerations:
• Satellite channels are wireless broadcast media, which makes it possible for an unauthorized user to receive the signal and eavesdrop on the communication if it is not encrypted.
• Without proper security mechanisms, any sufficiently well-equipped adversary can send spurious commands to the satellite and jam or disrupt the communication.
• Satellite channels can occasionally have high bursty errors (for example, during heavy rain) that result in packet loss. Satellite networks also suffer from long propagation delays (for example, 0.5 seconds for geostationary satellites). Therefore, security systems should add minimal delay to the communication and have mechanisms to recover from the loss of security information.
Incorporating security solutions originally designed for terrestrial networks, such as IPSec or SSL, into satellite networks can cause severe performance penalties. In this article we consider some of these issues. We focus on data security for IP-based commercial networks, and discuss the performance problems that arise due to the encryption of the Transmission Control Protocol (TCP) header and payload when popular unicast security protocols like IPSec or SSL, originally designed for terrestrial connections, are applied to satellite networks without incorporating the changes necessitated by the unique characteristics of satellite networks. We also look at the protocols proposed for secure group communication in hybrid satellite networks, and describe a hierarchical approach to group key management that is robust, scalable, and suited to the characteristic topology of hybrid networks.

The rest of the article is organized as follows. We describe the hybrid satellite-network topology and the features that make it different from terrestrial networks. We discuss the security needs of the hybrid network. We discuss the current approach to providing end-to-end unicast security in hybrid networks, and describe the performance problems arising as a result. We survey the proposals for key management for secure group communication in satellite networks. We describe a possible solution to secure unicast communication without sacrificing performance, and highlight our key-management approach to security for group communication in satellite networks. We conclude the article by pointing to future research directions.

Figure 1. Commercial direct-to-home network topology: a) case 1 (standalone clients, each behind a client proxy, with a gateway proxy at the NOC); b) case 2 (LANs behind the satellite terminal, with the NOC connected to Internet Web servers).

COMMERCIAL HYBRID SATELLITE NETWORK ARCHITECTURE
The network topologies we consider are illustrated in Fig. 1. In both topologies, we assume that there is one geostationary satellite with multiple spot-beams covering a large geographical area. Each spot-beam covers a subset of the total user set. We assume that future satellites will have an IP stack, be capable of onboard processing, and switch the data between the supported spot-beams. The satellite therefore acts as an IP router-in-the-sky. The Network Operations/Control Center (commonly known as the NOC or NCC) connects to the satellite through the hub satellite gateway. The NOC is also connected to the Internet through high-speed terrestrial links. Terrestrial users can be either standalone machines (Fig. 1a) or a cluster of machines at each location, such as a local area network (LAN) (Fig. 1b). Terrestrial LANs can be either wired or wireless. Each user or LAN is connected to a local satellite terminal. The users receive traffic from the satellite via the forward channel (satellite downlink). The users can also communicate with the satellite via the return channel (uplink). There is no terrestrial connectivity between the users or the LANs.

Usually, in commercial satellite networks that transfer Internet traffic, a split-connection TCP Performance Enhancing Proxy (PEP) is implemented to reduce the negative effects of the satellite link on the Internet connection [1]. Satellite channels provide large bandwidth (which can be as high as 90 Mb/s in the downlink), but also suffer from long propagation delay in comparison to terrestrial links. The delay can be as high as 500 ms (round-trip) for a geostationary satellite link. The propagation delay can have a severe adverse impact on the delivery of Internet traffic. Most Internet traffic uses TCP, which is highly sensitive to the delay-bandwidth product and exhibits very poor performance over satellite channels. Satellite TCP connections need large transmit windows to fully utilize the available bandwidth. However, due to the TCP slow-start algorithm and the large propagation delay in the satellite channel, it takes much longer for satellite TCP connections to reach the target window size, in comparison to terrestrial TCP connections. Also, the window is very vulnerable to congestion due to the multiplicative-decrease strategy of TCP. The problem is compounded by the fact that TCP misinterprets link-layer corruption (which is the prevalent source of loss on satellite links) as congestion (which is rare) and consequently reduces the window.

The PEP provides an efficient solution to the above problem. In satellite networks, a PEP agent is installed at the satellite gateway between the satellite network and the Internet. The PEP agent inspects every TCP packet that flows through the network. For data packets, the PEP sends back premature acknowledgments to the TCP senders, without waiting for the TCP segments to actually be delivered to the receivers. These premature acknowledgments are specially formatted to be indistinguishable from real acknowledgments, and they considerably shorten the perceived round-trip delay. Studies have shown that this technique is critical for the performance improvement of satellite networks [2–4]. Hence, TCP PEPs have been widely deployed in satellite networks today.

Commercial networks also employ HTTP proxy servers to improve the speed of responses to Web-browser requests. When a user browses content on the Internet, the application-layer protocol in use is HTTP. A typical HTTP exchange involves a request by the browser for a Web page ("GET"), and a response from the Web server, which contains the hypertext markup language (HTML) text of the requested Web page. A typical HTML page also contains multiple embedded "objects" such as images, embedded media, scripts, and so forth. Each embedded object has to be retrieved with a separate HTTP request-and-response exchange. Therefore, a Web page that contains n – 1 embedded objects takes n * RTT to load fully if the objects are fetched one after another, where RTT is one round-trip time. This can be extremely costly in a satellite network, where the RTT is usually high.

The HTTP proxy server (also known by various other names, depending on the vendor) is implemented in satellite networks to overcome this problem. In a typical implementation, this requires a local Web proxy server at each user location, and a remote proxy server at the central hub facility of the satellite network (i.e., the NOC). The Web browser at the user location should be able to recognize the local proxy (which can be either software on the client machine, or separate hardware connected between the client machine and the local satellite terminal). When the browser makes a request for a Web page, the HTTP GET request is sent to the local Web proxy, which forwards the request to the destination Web server. The Web server responds with the requested base HTML page. This page is intercepted by the proxy server at the network hub facility. The hub proxy server reads the base HTML page and sends multiple GET requests to the destination Web server for all the embedded objects in the base HTML page. This exchange occurs over a high-speed terrestrial connection between the hub and the Internet, thereby saving the time each request would have needed for a round trip over the satellite link. As the objects of the Web page are retrieved by the hub, they are immediately forwarded to the proxy at the user location. As the user browser receives the base HTML document, it generates the appropriate GET requests to fetch the objects corresponding to the links embedded in the document. The browser GET requests are terminated at the local Web proxy server, which forwards the prefetched documents to the user browser immediately. The net result is that only a single GET request from the user browser traverses the satellite link, while a set of rapid responses quickly delivers the requested Web page and its associated elements to the browser. The need for satellite capacity, which is the most costly element of a satellite network, is also reduced. In terms of the user's experience, the user sees a brief pause after the original Web-page request (corresponding to the round-trip time it takes for the request to be forwarded to the destination server and the response to be received by the browser over the satellite link), followed by near-instantaneous delivery of all content residing on the requested page. The trade-off is additional hardware at the user location and at the central-hub facility. In Fig. 1a, the proxy server at the user represents both the PEP (user side) and the HTTP proxy (user side). There is a hub proxy server located at the NOC with the hub satellite gateway; this proxy server represents the gateway proxy for both the TCP and the HTTP performance enhancements.

SECURITY THREATS
Similar security attacks can be launched against different hybrid satellite network topologies, but the impact of the attacks differs depending on the type of network and the applications supported by the network scenario. In the following, we list some of the important security threats in the hybrid network described above, and highlight the importance of the threats for the different network scenarios.

Confidentiality of information: For networks that require information privacy, a primary threat is unauthorized access to confidential data, or eavesdropping. Since the satellite is a broadcast medium, any entity on the ground with the right equipment can receive the satellite transmission. If the data is broadcast in the clear, then adversaries can be privy to the information that is flowing in the network. Data confidentiality can be achieved by message encryption. This requires that the senders and receivers are concurrently aware of the correct cryptographic keys used in the encryption/decryption operations. This is a twofold problem: the problem of selecting suitable cryptographic algorithms for encryption so that overall network performance is not affected, and the problem of coordinating keys between users, that is, key management.

Sending spurious commands: An adversary with the right equipment can send spurious control and command messages to the spacecraft, thus making the spacecraft perform operations different from their intended use. This can disrupt legitimate operations and communication in the network. This attack can be prevented if the sources of the messages are properly authenticated by every receiver. This requires suitable mechanisms for authentication, such as digital signatures [5]. The level of security required dictates the authentication policy, for example, whether only the end users should authenticate each other, or whether authentication should happen on a per-hop basis. The latter might be necessary for scenarios where the satellite should not broadcast spurious information. If the satellite authenticates the source of every message it receives, it will transmit only those messages for which source authentication succeeds.

Message modification attack: When the traffic goes over open networks, an adversary who is listening on the path can intercept both control and data messages. The adversary can modify the messages and send them on to the destination, which can be the spacecraft, the ground terminals, or the end users. When the message reaches the intended destination, the destination would believe that the corrupt message is coming from the true source, but the message content might be different from that expected or required for normal network operation. Message modification can be prevented by appending message-integrity check mechanisms to every message, for example, message authentication codes (MACs) [6] or digital signatures. Security requirements and policies can dictate whether message authentication should happen only at the communication end points, or whether intermediate nodes should also verify the integrity of every message.

Denial-of-service attack: Some attacks can be facilitated by the very presence of strong security mechanisms for message-integrity checks or user authentication. Consider the case where the satellite performs authentication and integrity checks on all messages before broadcasting. An adversary can send a large number of spurious messages to the satellite, thus making the satellite spend significant computational cycles processing the spurious messages, cycles which could be better spent broadcasting legitimate messages. Since the satellite has limited processing power, such an attack can be very effective, especially if expensive cryptographic mechanisms like digital signatures are used for authentication and message integrity. This is a denial-of-service (DoS) attack. Although this DoS attack can be launched against any node in a network, a satellite network can be particularly susceptible to it, since the satellite is a single point of failure and can easily be overwhelmed if made to perform too much computation.

SECURING END-TO-END UNICAST COMMUNICATION USING IPSEC OR SSL
Research on satellite security has focused on using existing standardized technology, originally designed for terrestrial networks, to fix well-known security holes in satellite networks. Two such protocols that are widely used for secure unicast communication are IPSec [7] and SSL [8]. Figure 2 illustrates the encryption regions of SSL and IPSec.

Figure 2. IPSec and SSL encryption on a packet. Layout shown: new IP header | ESP header | original IP header | TCP header | TCP payload (SSL record carrying the HTML page) | ESP trailer. SSL encryption covers only the SSL record; IPSec encryption covers everything from the original IP header to the ESP trailer.

SECURE SOCKETS LAYER FOR SECURE WEB TRAFFIC
The SSL protocol secures the Web-browsing connection on an as-needed basis. When the client requests a secure connection or the server demands one, SSL is activated to secure the HTTP connection. The resulting connection is popularly known as secure HTTP (or HTTPS), and it encrypts the application-layer HTTP data end-to-end between the client and the server. In the protocol stack, the SSL layer sits between the application and transport layers. Therefore, SSL encryption hides the TCP payload from all nodes in the network except the client and the server. SSL encryption does not allow the HTTP proxy to function correctly. The HTML Web page encrypted into the SSL records is readable only by the client and the server, who have the decryption keys. The keys are not available to the proxy, and therefore the proxy cannot read the HTML Web page. Consequently, the hub proxy server cannot send requests to the Web server for the embedded objects in the page and, therefore, HTML object prefetching cannot take place. The net result is that a Web page with n – 1 embedded objects takes n * RTT to load, an increase in delay by a factor of n.

IPSEC FOR SECURITY AT THE NETWORK LAYER
Several proposals for data confidentiality and authentication in satellite networks call for the use of IPSec, which has been standardized by the Internet Engineering Task Force (IETF) for security at the network layer. IPSec and SSL are used independently of each other. IPSec creates an end-to-end tunnel at the network layer for the secure transfer of traffic. The two end-points in the communication negotiate security parameters known as the security association (SA) before traffic can be encrypted. Once the SA has been established in the handshake phase, the IP packets are encrypted using the algorithms and keys specified in the SA. This is done when the IPSec Encapsulating Security Payload (ESP) [9] is used. The IPSec ESP provides for both data encryption and authentication. IPSec provides strong security for data confidentiality and authentication, but it has a heavy byte overhead: in ESP mode, IPSec adds 10 bytes of overhead in the header and trailer (8 bytes of ESP header for the SPI and sequence number, plus the 2-byte pad-length and next-header fields of the trailer, before any padding). In addition, if authentication is used, ESP adds 16 bytes or more for the integrity check value, and another 8 bytes or more of initialization vector (IV) if the encryption algorithm uses an IV. Also, IPSec has been designed primarily to secure point-to-point communication; it is not well suited for group communication, due to the lack of the dynamic key-establishment procedure necessary for secure communication in groups whose membership changes with time. In addition, IPSec does not allow for authentication at intermediate nodes, which might be useful in some security situations.

A widely researched problem when using IPSec in satellite networks is its inability to coexist with PEPs. The keys used for encryption in the IPSec ESP are known only to the two endpoints, and therefore no intermediate node in the network can decrypt the traffic. IPSec ESP has two modes of operation: tunnel mode and transport mode. In tunnel mode, the entire IP packet is encrypted and a new IP header and ESP header are generated and attached to the encrypted packet (Fig. 3), which adds an extra 20 bytes of overhead on top of the overhead mentioned above. Encrypting the original IP header hides the inner addresses, which hinders traffic analysis. In transport mode, the payload portion of the IP packet is encrypted and an ESP header is inserted after the original IP header, which remains in the clear. In either mode, the IP packet payload, which includes the TCP header, is encrypted with keys known only to the end points. Therefore, a TCP PEP, which is an intermediate node on the communication path, cannot read or modify the TCP header, since the PEP does not know the keys. Consequently, the PEP cannot function, leading to degradation in the performance of TCP. The HTTP proxy also cannot function when the IPSec ESP is used. Since the HTML page is encrypted end-to-end, the HTTP proxy cannot read the Web page in order to prefetch the embedded objects. Therefore, the use of IPSec leads to a severe degradation in performance for both the TCP PEP and the HTTP proxy.

It is important to note that the problems that arise from the use of the SSL protocol and the IPSec ESP are independent of one another. It is conceivable that both protocols are used simultaneously, for example, when a secure Web page is accessed via a secure VPN tunnel. However, in such cases the performance issues do not change, and the effect is equivalent to using the IPSec ESP alone. On the other hand, if SSL alone is used, then the performance is better, since the TCP PEP can function correctly in this scenario.

Figure 3. IPSec and layered IPSec encryption. Key K1 is shared between the endpoints only. Key K2 is shared between the endpoints and the TCP PEPs. Standard ESP tunnel mode: new IP header | ESP header | original IP header | TCP header | TCP payload | ESP trailer, with everything from the original IP header onward encrypted with K1. Layered ESP tunnel mode: the original IP header and TCP header are encrypted with K2, and the TCP payload with K1.

In [10] and layered IPSec [11], the idea is to encrypt different regions of the IP packet using different keys (Fig. 3). The TCP payload is encrypted with key K1, which is shared only between the endpoints. The original IP header and the TCP header are encrypted with key K2, which is shared between the end points and also with authorized intermediate nodes such as the TCP PEP. Therefore, the TCP PEP can decrypt the header portion of the ESP packet with K2 and read the TCP header to perform its performance optimizations. But the PEP cannot read the TCP payload and thus cannot access the actual data, since it does not possess the key K1. The layered IPSec approach allows TCP PEPs to function effectively. However, the method does not solve the problem of HTTP proxy servers. The HTML page is encrypted with key K1 as part of the TCP payload, and K1 is not shared with any intermediate node. Therefore, the Web page is not accessible to the HTTP proxy and no object prefetching can be accomplished.

Olechna et al. [12] have suggested two solutions to the IPSec problem. In the first approach, the paper proposes moving the TCP PEP gateways to the endpoints. The TCP optimizations are done on the traffic in the clear, and then the traffic is encrypted using IPSec. There is no TCP PEP at the satellite hub. This approach improves performance, but when a packet is lost or received in error, TCP goes into the congestion-avoidance phase and the transmission rate is halved. The second proposed approach, which deals effectively with this problem, is to split the secure connection into two at the satellite gateway.

Figure 4. The SSL Internet Page Accelerator concept for efficient HTTPS over satellite: SSL session 1 between the client and the client proxy (RPA, where the SSL handshake and translation take place), SSL session 2 between the client proxy and the hub proxy at the NOC (HPA, translation), and SSL session 3 between the hub and the Web server.
One connection is between the client and the gateway, and the second connection is between the gateway and the Internet server. This allows the gateway to decrypt the IPSec packet and read the headers and thereby do performance optimizations. This requires trust in the satellite gateway, which can now read all the traffic. This might be unacceptable to users who require strong end-to-end security. Several modified TCP protocols have been proposed that perform better than the original specification in the event of channel errors or delay, or when IPSec is used. A discussion of PROPOSED SOLUTIONS TO MITIGATE PERFORMANCE PROBLEMS WITH SSL OR IPSEC Several proposals have been made in academia and industry to deal with performance problems that arise from using IPSec and SSL in satellite networks. The concept of breaking up IPSec encryption into multiple encryption regions or zones on a single packet has been proposed independently in [10, 11]. Although the finer details in the two approaches are different, the basic idea is the same. Known as multilayer IPSec (ML-IPSec) 54 IEEE Wireless Communications †¢ December 2005 Group keys (TEK) K1,8 Internal keys (KEK) K1,4 K5,8 Path of keys for M8 K1,2 K3,4 K5,6 K7,8 Leaf keys Members Group key K2 K1,12 Group key K1 K1,8 K9,12 K1 K2 K3 K4 K5 K6 K7 K8 M1 M2 M3 M4 M5 M6 M7 M8 (a) K1K2 K3 K4K5 K6 K7K8 K9 K10K11K12 M1M2M3M4M5M6M7M8 G1 G2 G3 G4 Members Gateways (b) Figure 5. Logical key hierarchy and its extension to satellite networks: a) with eight members; b) ML-IPSec integrated LKH tree with users and gateways. these TCP enhancements can be found in [13]. The problem of HTTP proxy performance when SSL is used has been addressed within the industry by breaking up the end-to-end single SSL connection between client and server into m ultiple SSL connections [14]. 
In this solution, the client browser creates a secure HTTP connection with the remote page accelerator (RPA) at the client satellite terminal, a second connection is created between the RPA and the hub page accelerator (HPA), and a third connection is between the HPA and the server (Fig. 4). The RPA performs all necessary handshaking with the client browser. The HPA can decrypt the SSL traffic from the server and perform the desired object prefetching. Taken together, this allows delivery of secure Web content with little performance degradation and with little change to the standard protocols. The major drawback to this scheme is that it requires a high level of trust in the intermediate nodes. The HPA, which is a third-party entity, can read all the sensitive Web traffic that passes between the client and the server. This might be unacceptable when absolute end-to-end security is desired.

KEY MANAGEMENT PROPOSALS FOR SECURE GROUP COMMUNICATION IN HYBRID NETWORKS

Some research has been done with individual algorithms that serve as tools in building key-management protocols in order to facilitate secure group communication in hybrid satellite networks. Howarth et al. [15] have proposed the use of logical key hierarchy (LKH) [16, 17] for efficient key management for multicast groups in a satellite network. LKH makes use of a centralized key manager or group controller (GC), which constructs a logical key tree with the group members as the leaves of the tree (Fig. 5a). The internal nodes of the tree are the key encrypting keys (KEK), which are used to securely transport key updates to the group. The root of the tree is the session key or traffic-encrypting key (TEK), which is used to encrypt the session traffic. The number of keys that need to be updated when a member node joins or leaves the group is O(log N) (where N is the number of members in the group), which is less than the O(N) keys required if the GC arranged the members in a flat topology.

To allow PEPs to function correctly when network-layer security is used, [15] proposes the use of ML-IPSec. The paper proposes using a single LKH tree to manage the group key K2, used to encrypt the transport layer header (known to end users and trusted gateways), and the group key K1, known only to the end users and used for encrypting the transport layer data. As shown in Fig. 5b, users M1 … M8 are leaf nodes in a subtree of degree three, and gateways G1 … G4 are leaf nodes in a subtree of degree two. The root key of the member node subtree, K1,8, is used to encrypt the transport payload. The root of the overall key tree, K1,12, is used to encrypt the transport header. All member nodes know both K1,8 and K1,12, but the gateways know K1,12 only (apart from the internal keys in the gateway subtree). How the LKH tree would be managed is not stated in [15]. This is important, since the users and the gateways might not be in the same administrative or security domain. The paper also considers all users and gateways as a "flat" network for key distribution purposes, rather than taking into account the hierarchical nature of the network topology.

The use of LKH for key management in satellite links has also been proposed in [18], which suggests algorithms for dynamically managing the LKH tree in case of member joins and leaves. Duquerroy et al. [19] proposed "SatIPSec," for key distribution and secure communication for both unicast and multicast in a satellite network. The solution is based on IPSec, with the addition of flat multicast key exchange (FMKE) to support key management for secure group communication. Management of SAs for both unicast and multicast communication is integrated into the FMKE protocol. FMKE also incorporates reliability mechanisms so as to guarantee reliable key distribution in the lossy satellite setting. However, FMKE manages SAs between the satellite terminals or gateways only and does not extend to the end users. Therefore, end-to-end security is not provided when using SatIPSec. Also, FMKE treats all the satellite terminals it services (which are called SatIPSec clients) in a "flat" topology, and establishes separate secure channels to all SatIPSec clients. This will not scale when there are a large number of clients. Also, SatIPSec does not consider the dynamic joins and leaves of members in the group communication setting; a client needs to be preauthorized for all the groups it wants to take part in. The protocol also requires complete trust in the group controller and key server (GCKS), which is a third party that is responsible for managing the SAs between the clients. All clients need to have preshared secrets with the GCKS.

IPSEC AND SSL IN HYBRID NETWORKS: OUR APPROACH

We look at separate solutions to the performance problem arising out of using SSL and IPSec in hybrid networks, and also consider how the two approaches can be combined.

HTTP OVER IPSEC TUNNEL

One viable method is to break up the end-to-end IPSec tunnel into multiple connections. This is similar to the solution proposed in [12]. But while their approach looks at only the TCP enhancements, we add the use of the HTTP proxy as well. In our approach, the IPSec connection from the client is terminated at the client proxy.

[Figure 6, not reproduced: Layered IPSec with modifications for HTTP optimization.]
The proxy creates its own IPSec connection to the gateway TCP proxy. A third IPSec connection is created from the gateway TCP proxy to the Web server. Schematically, this is similar to Fig. 4, with IPSec connections replacing the SSL connections in the figure. The IPSec handshaking between the client and the server is spoofed by the client proxy on the client end, and by the TCP hub proxy on the server end. In this model, the Web traffic can be read completely by the client proxy and the hub proxy. The two proxies are able to perform the TCP enhancements because they can read the TCP header. In addition, the hub HTTP proxy can perform HTML object prefetching from the server because it can read the base HTML page as it is returned to the client on an HTTP request. When the client browser generates staggered requests for the embedded objects upon receiving the base HTML page, the client proxy is responsible for returning local acknowledgments to the requests, and sending all the objects to the client browser at one time.

The design is therefore fully able to maintain the functionality of the TCP and HTTP proxies. It also encrypts the traffic so that it can be seen only by the client, the server, and the two intermediate proxy servers. The design also makes minimal changes to existing standard protocols. However, the design also requires that there be full trust in the proxy servers. Also, there is additional overhead in setting up three IPSec connections, as opposed to one (as in the end-to-end case). The overhead in encryption/decryption also increases by a factor of three for every IP packet, since the intermediate proxies need to decrypt the TCP header and the HTML content.

When the security requirement is that the traffic be unreadable to intermediate nodes, the above approach will not work. In this situation, we propose extending the layered IPSec approach in order to allow portions of the HTML content to be also accessible to the proxy servers.
Assume for layered IPSec that the keys are K1 and K2. K1 is known only to the client and the server, while K2 is known to the client, the Web server, and the intermediate proxy servers at the client and the gateway. When the client makes HTTP requests, the requests are encrypted using K2, so that the client proxy server can read the requests and send local acknowledgments. Additional software at the Web server parses the requested HTML page so as to obtain all the embedded object links. These object links are collated into a new HTML page that contains only the object links, and this new page is encrypted with K2. The base HTML page that contains all the information and the object links is encrypted with K1. Both the encrypted base HTML page and the encrypted object links HTML page are sent in reply. Therefore, the encrypted ESP packet looks as it is depicted in Fig. 6. Upon receiving the IPSec packet from the Web server, the hub proxy is able to read the object links (since it has K2) and therefore do prefetching for the embedded links. In addition, the hub proxy can also read the TCP header and perform TCP enhancements. However, the HTML base-page data cannot be read by the hub proxy, since it does not have K1. The encrypted base HTML page can only be read by the client when the IPSec packet reaches the destination. This design allows the TCP and HTTP proxies to perform effectively while maintaining a high level of end-to-end security. However, the security is not as strong as in traditional IPSec, since the intermediate proxies do get some information insofar as they can read the links of the embedded objects, even though they cannot read the application data. This is the major trade-off necessary to achieve acceptable performance in this design. In addition, the model requires changes to be made to the IPSec protocol so that layered IPSec is supported with the HTTP performance additions. 
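The two-zone ESP payload of Fig. 6, worked through as an added example (this is not the paper's code; the HMAC-based keystream standing in for the ESP cipher, the zone framing with its cleartext length field, and the sample page and headers are this example's own assumptions). The same server-side split of a page into an object-links part under K2 and a base page under K1 is what the DSSL proxy record and primary record carry in the SSL case, so the extraction and proxy steps below apply there too:

```python
# Added example (not from the paper): layered/multilayer IPSec with the HTTP
# optimisation of Fig. 6.  Two encryption zones inside one ESP payload:
#   zone 2 (key K2, known to endpoints and proxies): original IP header,
#            TCP header, and a page holding only the embedded-object links;
#   zone 1 (key K1, endpoints only): the base HTML page.
# The cipher below is a stand-in (HMAC-SHA256 keystream), not ESP's real one.
import hashlib
import hmac
import os
import struct
from html.parser import HTMLParser


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class _LinkExtractor(HTMLParser):
    """Collects the embedded-object references a browser would fetch next."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.links.append(a["href"])


def extract_object_links(html: str) -> list:
    """Server-side parsing step: the content of the 'object links only' page."""
    p = _LinkExtractor()
    p.feed(html)
    return p.links


def build_layered_esp(k1: bytes, k2: bytes, ip_hdr: bytes, tcp_hdr: bytes, html: str) -> bytes:
    """Web-server side: nonce | zone-2 length | E_K2(zone 2) | E_K1(zone 1)."""
    links_page = "\n".join(extract_object_links(html)).encode()
    zone2 = struct.pack(">HHH", len(ip_hdr), len(tcp_hdr), len(links_page))
    zone2 += ip_hdr + tcp_hdr + links_page
    zone1 = html.encode()
    nonce = os.urandom(8)                      # per-packet IV, sent in the clear
    return (nonce + struct.pack(">I", len(zone2))
            + keystream_xor(k2, nonce + b"\x02", zone2)
            + keystream_xor(k1, nonce + b"\x01", zone1))


def _split(packet: bytes):
    nonce = packet[:8]
    z2len = struct.unpack(">I", packet[8:12])[0]
    return nonce, packet[12:12 + z2len], packet[12 + z2len:]


def proxy_view(k2: bytes, packet: bytes):
    """Hub proxy (has K2 only): recovers headers and object links, not the page."""
    nonce, z2_ct, z1_ct = _split(packet)
    zone2 = keystream_xor(k2, nonce + b"\x02", z2_ct)
    iplen, tcplen, linklen = struct.unpack(">HHH", zone2[:6])
    off = 6
    ip_hdr = zone2[off:off + iplen]
    off += iplen
    tcp_hdr = zone2[off:off + tcplen]
    off += tcplen
    links = zone2[off:off + linklen].decode().split("\n") if linklen else []
    return ip_hdr, tcp_hdr, links, z1_ct      # z1_ct stays opaque ciphertext


def client_view(k1: bytes, k2: bytes, packet: bytes) -> str:
    """Endpoint (has K1 and K2): additionally recovers the base HTML page."""
    nonce, _, z1_ct = _split(packet)
    return keystream_xor(k1, nonce + b"\x01", z1_ct).decode()


# Constructed sample input: a base page with three embedded objects and
# plausible IP/TCP headers (RFC 5737 documentation addresses).
SAMPLE_HTML = ('<html><head><link rel="stylesheet" href="/css/site.css"></head>'
               '<body><img src="/img/logo.png"><p>Account balance: 1,234</p>'
               '<script src="/js/app.js"></script></body></html>')
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(SAMPLE_HTML), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
TCP_HDR = struct.pack("!HHIIBBHHH", 443, 51234, 1000, 2000, 0x50, 0x18, 65535, 0, 0)
K1 = hashlib.sha256(b"endpoint-only key (constructed)").digest()
K2 = hashlib.sha256(b"endpoint+proxy key (constructed)").digest()

if __name__ == "__main__":
    pkt = build_layered_esp(K1, K2, IP_HDR, TCP_HDR, SAMPLE_HTML)
    _, tcp, links, opaque = proxy_view(K2, pkt)
    sport, dport = struct.unpack("!HH", tcp[:4])
    print("proxy sees TCP", sport, "->", dport, "and can prefetch", links)
    print("proxy cannot read base page:", SAMPLE_HTML.encode() != opaque)
    print("client reads page OK:", client_view(K1, K2, pkt) == SAMPLE_HTML)
```

The point to check against the trade-off the text describes: `proxy_view` returns the TCP header and the link list, which is exactly what the proxies learn, while the zone-1 bytes it hands back are ciphertext it cannot turn into the page. Note that the zone-2 length travels in the clear so the proxy can find the zone boundary; in ML-IPSec that zone map is part of the SA rather than the packet.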
A major issue in the above model is the handshaking mechanism required to set up the layered IPSec connection. To maintain a high level of security, we propose that the connection be set up primarily between the client and the server, who negotiate both K1 and K2, apart from other parameters of the security association. The handshaking mechanism then provides K2 securely to both the client and the hub proxy servers. The client and the hub proxy servers are required to authenticate themselves correctly before they can receive the secondary key or access the IPSec traffic.

[Figure 7, not reproduced: Dual-mode SSL for HTTP optimization.]

HTTP OVER SSL

When the HTTP traffic is secured using SSL only, and there is no IPSec tunnel in use, several approaches are possible to ensure acceptable performance. If the security requirement of the client and the Web server allow for trusted intermediate nodes, then the SSL accelerator concept of [14] can be a viable solution. This would require no change to the protocols at the expense of higher overhead in order to set up multiple SSL connections between the client, proxy, and Web server. When the security policy does not allow for trusted third parties, a different approach is needed. We propose the use of a modified SSL protocol, which we term dual-mode SSL (DSSL). As shown in Fig. 7, the secure connection in DSSL has two modes — an end-to-end main mode connection between the client and the Web server, and a secondary mode connection that has the hub HTTP proxy as an intermediate node. When secure HTTP traffic is requested, the DSSL main mode connection is first negotiated between the client and the server.
As part of the handshake for the main mode, the client and the Web server also negotiate the parameters for the secondary mode. Let K1 be the encryption key for the main mode, and K2 be the encryption key for the secondary mode. The client transfers the parameters of the secondary mode to the client and hub HTTP proxy servers only after the proxy servers authenticate themselves to the client. When the client makes an HTTP request, the client proxy sends local replies to the client browser, as discussed previously. The Web server, on receiving the request, parses the requested HTML page to obtain the embedded object links, which are collated into a new HTML page. The object links HTML page is then encrypted by DSSL using K2 to create the proxy SSL record. DSSL encrypts the base HTML page using K1 to create the primary SSL record. The two records are appended together and sent to the client in an IP packet (Fig. 7). The hub proxy intercepts the IP packet, extracts the object links from the proxy SSL record using K2, and prefetches the embedded objects. The Web server always encrypts the actual objects using K1, so that the hub proxy cannot read the base HTML page data. The hub proxy transfers all the embedded objects together to the client at one time. Therefore, the HTTP proxy functionality is preserved in DSSL while maintaining the end-to-end security of the HTML page contents. However, the security is less than in the end-to-end SSL connection case, since the HTTP proxy can read the object links. In standard SSL, the proxy servers can read no part of the base HTML page, not even the object links. We believe this slight reduction in security is acceptable, given the considerable improvement in performance using this method. The DSSL design is more complex in comparison to SSL since it requires the creation of an additional connection, and therefore involves a higher overhead. 
There is also the added overhead of multiple encryptions and decryptions with two different keys, and the complexity of parsing the HTML page for the object links. All these require changes to the base SSL protocol. The DSSL concept is similar to the multiple-channel SSL concept proposed in [20]. However, the authors do not differentiate encryption in primary and secondary SSL records but instead suggest that HTTP traffic with lower security requirements be encrypted entirely with keys known to intermediate nodes. For our security requirements, that approach would not be acceptable.

Differential Encryption in Single SSL Record — The use of a proxy SSL record is not necessary if various parts of the HTML page can be encrypted with different keys. In that case, the Web server can encrypt the object links in the HTML page with key K2 and the rest of the HTML page contents with key K1, thus creating a single SSL record with different encryption. The hub proxy server can parse the SSL record and decrypt only the object links with key K2, before forwarding the IP packet to the client proxy. We assume that the primary and secondary encryption keys K1 and K2 have been set up and distributed as described in the previous sections, with K1 known to the client and the Web server only, while K2 is known to the client, the Web server, and the intermediate proxy servers.

[Figure 8, not reproduced: Packet format for dual-mode SSL with IPSec.]
A similar technique can be applied when IPSec encryption is used instead of SSL encryption. The advantage here is that the size of the packet does not increase, although there is the overhead of distributing key K2 to the proxy servers to be considered.

HTTPS OVER IPSEC

For the sake of completeness, we consider the situation where a secure Web page is requested over an IPSec tunnel. This method involves redundancy of resources, since use of SSL when IPSec is being used does not provide any substantially added security. However, our approach can take care of the performance in this scenario as well. In this situation, we propose integrating DSSL with layered IPSec. Then the secondary keys for both the layered IPSec connection and the DSSL connection are shared with the proxy servers. The secondary key for layered IPSec is shared with both the TCP proxy and the HTTP proxy. When layered IPSec encrypts the packet, the secondary key encryption extends up to the proxy SSL record. The TCP proxy servers can therefore decrypt the TCP header of the ESP packet, and the HTTP proxy server can decrypt the proxy SSL record. Consequently, performance optimizations for both TCP and HTTP are allowed without letting the intermediate servers read the HTML page. A schematic of the IPSec packet in this setting is shown in Fig. 8.

A HIERARCHICAL APPROACH TO KEY MANAGEMENT FOR DATA SECURITY IN HYBRID NETWORKS

In [21], we have proposed a key-management framework for distributing cryptographic keys securely and in a scalable manner to users taking part in group communication in a hybrid satellite network. The objective is to ensure data confidentiality, by encrypting the data traffic with group keys known to all the group members. The key-management framework is built on top of the multicast routing architecture. We have considered the hybrid network topology shown in Fig. 1b and designed a multicast routing architecture to allow users to communicate seamlessly between multiple terrestrial LANs (also referred to as subnetworks) [22]. Our routing design makes specific use of asynchronous transfer mode (ATM) point-to-multipoint routing [23] over the satellite links, and Protocol-Independent Multicast Sparse-Mode (PIM-SM) multicast routing [24] in terrestrial LANs. We have extended PIM-SM to allow multiple rendezvous points (RPs) in each multicast group. The satellite gateway in each LAN acts as the local RP for the LAN and creates the local multicast trees for group members within the LAN. The local multicast trees are connected together over the satellite links by using the ATM point-to-multipoint virtual connection, thereby creating one end-to-end multicast tree for each group, encompassing all the LANs with group members in them. The multicast routing architecture is thus adapted closely to the hierarchical network topology, and allows for building efficient multicast trees with low control and data overhead.

The design of the key-management protocol is independent of the routing algorithm, although it is based on the same underlying principle, that is, a hierarchical breakup of the network based on the topology. We divide the network into two levels — the lower level, comprised of terrestrial LANs where the users are located, and a higher level consisting of the satellite, the NOC, and the satellite gateways or RPs in each LAN, which together form an overlay (Fig. 9a) interconnecting terrestrial LANs. The RPs act as the "bridge" between the two levels. Key management is done separately in the two levels. In each LAN we introduce a local group controller (called the "subnetwork key controller" or SKC) to manage the keys for all groups active in the LAN.
The SKC is responsible for access control of all members of all groups that are active in its LAN, generating the group keys for all local groups, and updating the keys on group-member joins and leaves when a group is active. The keys managed by an SKC are entirely local to its LAN, and do not affect the key management in any other LAN in the network. The SKC uses the LKH algorithm to manage keys in its LAN, creating a logical key tree that we term the SN Tree. Each group active in a LAN has its own SN Tree. The leaves of the SN Tree for a group correspond to the long-term shared secrets between the SKC and the local users in the LAN who are active as sources and/or receivers in the group. The root of the SN Tree corresponds to the session key that is used for encrypting the group traffic within the LAN at any particular instant. On member joins and leaves, the session key, and all the keys on the path from the root to the leaf node corresponding to the member joining/leaving, are updated, while all other keys in the SN Tree remain unchanged.

The overlay has its own key management, also based on the LKH algorithm. At the overlay level, the key management for a particular group is controlled by the satellite gateway/RP (known as the root RP for that group) of the LAN that has group sources active for the longest continuous period in the group. The logical key tree for any group thus formed at the overlay is termed the RP Tree.

[Figure 9, not reproduced: A hierarchical approach to key management in hybrid networks: a) hierarchy in the hybrid network; b) tiered tree key management.]
The root RP is responsible for generating keys for the RPs of the LANs who subscribe to the particular group, that is, have sources and/or receivers active in the LAN. Each group has its own RP Tree. The design ensures that the NOC cannot receive/transmit data to any active group, unless it explicitly subscribes to the group as a member node. However, LANs joining any particular group initially register with the NOC, which maintains a group membership table for all active groups, so that at all times the NOC is aware of the LANs which are participating in all active groups. The NOC is also responsible for selecting the root RP of the RP Tree for each group, which it does based on the earliest-to-join policy. The root RP also might be different for different groups, since the LAN with the longest continuously active sources might be different for different groups. Our algorithm has the provision to allow the root RP for any group to change — this happens if the currently active root RP leaves the group, when all sources/receivers within its local LAN cease to participate in the group.

Our algorithm therefore builds a hierarchy of logical key trees that closely follow the hierarchy in the network topology, as shown in Fig. 9b. We term this framework Tiered Tree-based Key Management. In this hierarchy of key trees, the gateway RPs are responsible for performing key translation on all the multicast group traffic as it transmits the data from local sources to receivers in remote LANs, or when it receives group traffic from remote sources for local receivers. This translation is necessary since the data traffic is encrypted with the RP Tree session key in the overlay, and with the SN Tree session key within the local LAN, with the two session keys being independent of one another. The detailed design of Tiered Tree-based Key Management, analysis of its security, and experimental results can be found in [25].
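The LKH rekeying cost quoted in the survey section (O(log N) keys per join or leave) and the tiered split into SN Trees and an RP Tree described above, as one added example serving both passages (this is not the paper's code or its simulator; the binary tree layout, the per-key message accounting and the LAN sizes are this example's own assumptions). The last function compares one member's departure under a single flat LKH tree spanning all LANs, where every rekey message has to cross the satellite, with the tiered tree, where it stays inside the SKC's LAN:

```python
# Added example (not the paper's code): rekey cost of a logical key hierarchy
# (LKH) on member joins and leaves, and the tiered-tree split into one SN tree
# per LAN plus a single RP tree across the satellite overlay.  Node numbering,
# capacities and message accounting are this example's own assumptions.
from __future__ import annotations

import math


class LKHTree:
    """Complete binary LKH tree: leaves are members' long-term keys, internal
    nodes are KEKs, the root is the TEK.  Nodes are numbered heap-style
    (root = 1, children of n are 2n and 2n+1); leaf i sits at 2**depth + i."""

    def __init__(self, capacity: int) -> None:
        self.depth = max(1, math.ceil(math.log2(max(2, capacity))))
        self.present: set[int] = set()          # leaf indices currently in the group

    def _leaves_under(self, node: int) -> range:
        d = node.bit_length() - 1               # depth of this node
        span = 1 << (self.depth - d)
        lo = (node - (1 << d)) * span
        return range(lo, lo + span)

    def _occupied(self, node: int) -> bool:
        return any(i in self.present for i in self._leaves_under(node))

    def _ancestors(self, leaf_index: int) -> list[int]:
        node = ((1 << self.depth) + leaf_index) // 2
        out = []
        while node >= 1:
            out.append(node)
            node //= 2
        return out                               # parent ... root (the TEK)

    def join(self, leaf_index: int) -> tuple[int, int]:
        """Returns (keys changed, rekey messages).  Every KEK on the path and
        the TEK are replaced; each new key is sent once under its old version
        (for existing members) and once along the joiner's chain."""
        self.present.add(leaf_index)
        changed = self._ancestors(leaf_index)
        return len(changed), 2 * len(changed)

    def leave(self, leaf_index: int) -> tuple[int, int]:
        """Each key on the path is replaced and sent under every still-occupied
        child's key, so the leaver (who knows the old keys) cannot recover it."""
        self.present.discard(leaf_index)
        changed = self._ancestors(leaf_index)
        msgs = sum(self._occupied(c) for n in changed for c in (2 * n, 2 * n + 1))
        return len(changed), msgs


class TieredTree:
    """Tiered tree-based key management: an SN tree per LAN (run by its SKC)
    and one RP tree whose leaves are the LAN gateways (run by the root RP).
    Only RP-tree messages cross the satellite links."""

    def __init__(self, lan_capacity: dict[str, int]) -> None:
        self.sn = {lan: LKHTree(cap) for lan, cap in lan_capacity.items()}
        self.rp = LKHTree(len(lan_capacity))
        self.rp_leaf = {lan: i for i, lan in enumerate(lan_capacity)}

    def join(self, lan: str, member: int) -> dict[str, int]:
        first_in_lan = not self.sn[lan].present  # LAN's RP must join the RP tree
        _, local = self.sn[lan].join(member)
        sat = self.rp.join(self.rp_leaf[lan])[1] if first_in_lan else 0
        return {"local_msgs": local, "satellite_msgs": sat}

    def leave(self, lan: str, member: int) -> dict[str, int]:
        _, local = self.sn[lan].leave(member)
        sat = 0
        if not self.sn[lan].present:             # no members left: RP leaves RP tree
            sat = self.rp.leave(self.rp_leaf[lan])[1]
        return {"local_msgs": local, "satellite_msgs": sat}


def flat_vs_tiered_leave(lan_members: dict[str, list[int]], lan: str, member: int) -> tuple[int, int]:
    """Satellite-link rekey messages caused by one leave: a single flat LKH tree
    over all members (every message crosses the satellite) vs the tiered tree."""
    flat = LKHTree(sum(len(m) for m in lan_members.values()))
    tiered = TieredTree({l: len(m) for l, m in lan_members.items()})
    flat_index: dict[tuple[str, int], int] = {}
    for l, members in lan_members.items():
        for m in members:
            flat_index[(l, m)] = len(flat_index)
            flat.present.add(flat_index[(l, m)])
            tiered.join(l, m)
    return flat.leave(flat_index[(lan, member)])[1], tiered.leave(lan, member)["satellite_msgs"]


if __name__ == "__main__":
    lans = {"A": [0, 1, 2, 3], "B": [0, 1, 2, 3], "C": [0, 1, 2, 3]}   # constructed
    flat, tiered = flat_vs_tiered_leave(lans, "A", 0)
    print(f"one member leaves LAN A: flat LKH sends {flat} rekey messages over the "
          f"satellite, tiered tree sends {tiered}")
```

The message counts are illustrative, but the shape matches the argument in the text: the leaver's rekey touches only the SN tree of its own LAN, and the RP tree (and hence the satellite link) sees traffic only when a whole LAN joins or drops out of the group.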
The primary objective in our design is to minimize the amount of key-management control traffic that flows over the satellite links, due to the long delay involved as well as susceptibility to channel errors. We have attempted to ensure that the security of the data traffic does not add any overhead in terms of delay other than that absolutely unavoidable, and that the security protocol does not contribute to deadlocks in group-data dissemination where some group members in certain LANs cannot read the data due to having wrong keys.

From the simulation results, Fig. 10 shows the reduction in key-control traffic over the satellite links using our tiered-tree approach. The graph compares the total key-management information sent in the network for three simultaneous groups (i.e., sent over the RP trees, sent over the satellite links, and all SN trees limited to local LANs), to the total key information sent on the RP trees (satellite links) only. As the graph shows, the resource savings on the satellite links is substantial when the tiered-tree scheme is used. Even though the group dynamics are high, the number of message exchanges in the RP tree, that is, over the satellite links, is very small. If a flat key-management hierarchy had been used instead, the total key-management traffic would have been sent over the satellite links, thus leading to increased delay and increasing the possibility that the correct keys do not reach all the members at the same time. Our solution is therefore very scalable.

[Figure 10, not reproduced: Tiered tree framework: total key management traffic vs. RP tree traffic for three groups (Y-axis shows the traffic in bytes per second; X-axis is the simulation duration in minutes).]
It also acknowledges the fact that the group members might be located in different security domains and, therefore, a single network-wide security management might not be possible. This is a more realistic scenario, since terrestrial LANs might be individual company domains, while the satellite overlay infrastructure is usually owned by a separate entity that provides network connectivity to the LANs, and is not responsible for generating the network traffic. This framework addresses the problem that all users might not be visible to a single, centralized security authority, and the dynamics of user joins or leaves in one LAN should not create an overhead to users in other LANs. Also, in wide-area satellite networks we consider that the satellite channel conditions at a given point in time might be different in different sections of the network. There might be loss in information due to bad channel conditions in some network segments; however, this should not disrupt communication in network segments where the channel conditions are better. Solutions which treat all users in a single tree will not be able to perform as robustly under such conditions.

Our solution is also similar to the ML-IPSec concept in that the satellite terminals are only partially trusted; they are allowed to do partial decryption/encryption of the IP packets for efficient routing. However, it is a generic solution aimed specifically at multicast key management and does not deal with an end-to-end security solution for secure communication or give any implementation specifics.

CONCLUSION

Security is a critical component in hybrid IP-based satellite networks. In this article we have focused on some of the challenges that lie ahead. We have discussed the unique characteristics of hybrid satellite networks that make the problem of ensuring secure communication different from that of purely terrestrial networks. We have presented a survey of the various security solutions that have been proposed, and discussed their advantages and disadvantages. We have proposed several approaches to solve the performance problems of TCP and HTTP in satellite networks arising from secure communication. [...] approaches for typical topologies and validating the proposed designs by simulation. Lastly, we have described our hierarchical approach of key management for providing data security in hybrid networks. We are continuing our research in this area and examining designs to integrate our key-management protocol with the unicast case.

A considerable amount of work needs to be done with regard to secure protocols for hybrid networks, specifically for the case where users are mobile. Here we have touched upon only a small subset of the problems. None of the proposed solutions, including our own, address the question of user authentication or message integrity for group communication. However, we believe the security problems discussed here will receive further treatment from the research community, and this work will be a useful contribution to the field.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. The research reported here is supported by the National Aeronautics and Space Administration (NASA) Marshall Space Flight Center under award no. NCC8-235. The views expressed in this article are solely the responsibility of the authors and do not reflect the views or position of NASA or any of its components.

REFERENCES

[1] J. Border et al., "Performance Enhancing Proxies Intended to Mitigate Link-Related Degradations," IETF RFC 3135, June 2001.
[2] V. Arora et al., "Effective Extensions of Internet in Hybrid Satellite-Terrestrial Networks," University of Maryland, College Park, Tech. Rep. CSHCN TR 96-2, 1996.
[3] V. Bharadwaj, "Improving TCP Performance over High-Bandwidth Geostationary Satellite Links," University of Maryland, College Park, Tech. Rep. ISR TR MS-99-12, 1999.
[4] N. Ehsan, M. Liu, and R. Ragland, "Evaluation of Performance Enhancing Proxies in Internet over Satellite," Wiley Int'l. J. Commun. Sys., vol. 16, Aug. 2003, pp. 513–34.
[5] NIST, "Digital Signature Standard (DSS)," May 19, 1994.
[6] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication," IETF RFC 2104, Feb. 1997.
[7] R. Atkinson and S. Kent, "Security Architecture for the Internet Protocol," IETF RFC 2401, Nov. 1998.
[8] IETF Transport Layer Security Working Group, "The SSL Protocol Version 3.0," Nov. 1996, available at http://wp.netscape.com/eng/ssl3/draft302.txt
[9] R. Atkinson and S. Kent, "IP Encapsulating Security Payload (ESP)," IETF RFC 2406, Nov. 1998.
[10] Y. Zhang, "A Multilayer IP Security Protocol for TCP Performance Enhancement in Wireless Networks," IEEE JSAC, vol. 22, no. 4, 2004, pp. 767–76.
[11] M. Karir and J. Baras, "LES: Layered Encryption Security," Proc. ICN'04, Guadeloupe (French Caribbean), Mar. 2004.
[12] E. Olechna, P. Feighery, and S. Hryckiewicz, "Virtual Private Network Issues Using Satellite Based Networks," MILCOM 2001, vol. 2, 2001, pp. 785–89.
[13] P. Chitre, M. Karir, and M. Hadjitheodosiou, "TCP in the IPSec Environment," AIAA ICSSC 2004, Monterey, CA, May 2004.
[14] SSL Accelerator, Spacenet Inc., available at http://www.spacenet.com/technology/advantages/ssl.html
[15] M. P. Howarth et al., "Dynamics of Key Management in Secure Satellite Multicast," IEEE JSAC, vol. 22, no. 2, 2004, pp. 308–19.
[16] C. Wong, M. Gouda, and S. S. Lam, "Secure Group Communications Using Key Graphs," IEEE/ACM Trans. Net., vol. 8, 2000, pp. 16–30.
However, a lot of further work needs to be done to validate our approaches, and we are in the process of developing specific detailed security 0 IEEE Wireless Communications †¢ December 2005 [17] D. Wallner, E. Harder, and R. Agee, â€Å"Key Management for Multicast: Issues and Architectures,† IETF RFC 2627, June 1999, available at http://www. apps. ietf. org/rfc/ rfc2627. html [18] G. Noubir and L. von Allmen, â€Å"Security Issues in Internet Protocols over Satellite Links,† Proc. IEEE VTC ‘99, Amsterdam, The Netherlands, 1999. [19] L. Duquerroy et al. , â€Å"SatIPSec: An Optimized Solution for Securing Multicast and Unicast Satellite Transmissions,† 22nd AIAA Int’l. Commun. Sat. Sys. Conf. and Exhibit, Monterey, CA, May 2004. [20] Y. Song, V. Leung, and K. Beznosov, â€Å"Supporting Endto-End Security across Proxies with Multiple-Channel SSL,† Proc. 19th IFIP Info. Sec. Conf. , Toulouse, France, Aug. 2004, pp. 323–37. [21] A. Roy-Chowdhury and J. Baras, â€Å"Key Management for Secure Multicast in Hybrid Satellite Networks,† 19th IFIP Info. Sec. Conf. , Toulouse, France, Aug. 2004. [22] A. Roy-Chowdhury and J. Baras, â€Å"Framework for IP Multicast in Satellite ATM Networks,† AIAA ICSSC 2004, Monterey, CA, May 2004. [23] G. Armitage, â€Å"Support for Multicast over UNI 3. 0/3. 1 Based ATM Networks,† Internet RFC 2022, Nov. 1996. [24] S. Deering et al. , â€Å"The PIM Architecture for Wide-Area Multicast Routing,† IEEE/ACM Trans. Net. , vol. 4, no. 2, 1996, pp. 153–62. [25] A. Roy-Chowdhury, â€Å"IP Routing and Key Management for Secure Multicast in Satellite ATM Networks,† Master’s thesis, University of Maryland, College Park, 2003, available at http://techreports. isr. umd. edu/reports/2004/ MS2004-1. pdf Paper Award, 2004 WiSe Conference. He holds three patents. 
His research interests include wireless networks and MANET, wireless network security and information assurance, integration of logic programming and nonlinear programming for trade-off analysis, multicriteria optimization, noncooperative and cooperative dynamic games, robust control of nonlinear systems and hybrid automata, mathematical and statistical physics algorithms for control and communication systems, distributed asynchronous control and communication systems, object-oriented modeling of complex engineering systems, satellite and hybrid communication networks, network management, fast Internet services over hybrid wireless networks, stochastic systems, planning and optimization, intelligent control and learning, biologically inspired algorithms for signal processing, and sensor networks. MICHAEL HADJITHEODOSIOU [M] received an M. A. (honours) in electrical and information sciences from the University of Cambridge, United Kingdom, in 1989, an M. S. in electrical and computer engineering from the University of California, Irvine in 1992, and a Ph. D. n engineering (specializing in satellite communications) from the Centre for Satellite Engineering Research (CSER) at the University of Surrey, United Kingdom, in 1995. Among his awards are a scholarship award for studies at the University of Cambridge from the Cambridge Commonwealth Trust (1984–1986); a Fulbright Scholarship for post-graduate work in the United States (1989–1991); a Research Fellowship from the U. K. Engineering and Physical Sciences Research Council (EPSRC) (1992); and the Canadian National Science and Engineering Research Council (NSERC) post-doctoral fellowship award (1995). He worked as a research fellow in the Communication Systems group of CSER (1991–1995) and spent a year as a visiting fellow at the Canadian Government Communications Research Center (CRC) (1995–1996). 
In November 1996 he joined the Center for Satellite and Hybrid Communication Networks (CSHCN) at the Institute for Systems Research, University of Maryland, College Park, where he is currently an assistant research scientist. He is an expert on space communications and satellite networks. His research interests include performance optimization of wireless and hybrid networks, security and protocol support issues for satellite systems, and design optimization of next-generation broadband satellite networks and applications. He is currently working on supporting the communication needs of NASA enterprises and the communication architecture enabling space exploration. He is currently serving as secretary of the IEEE Satellite and Space Communications Technical Committee. SPYRO PAPADEMETRIOU received his B. S. in computer science from George Mason University, Fairfax, Virginia. Since then he has been actively involved in Internet research and development within both industry and academia. He was the principal Internet researcher at Synectics Corp. , where he developed network and database software. He worked as a researcher at the University of Maryland’s Institute for Systems Research, where he designed and developed their first networking laboratory, which is part of the CSHCN. At Inktomi Corp. he spearheaded client acceleration research and was a member the content-distribution network design team. These resulted in several patent filings, of which he holds one. The latter also resulted in American Online’s Web client accelerator product. Currently he is with Orbital Data Corp. working on network and application optimization. His research interests include network optimization, application optimization, satellite and terrestrial wireless networking, delay-tolerant networks, sensor networks, distributed systems, and network software architecture. We have touched upon only a small subset of the problems. 
None of the proposed solutions, including our own, address the question of user authentication or message integrity for group communication. BIOGRAPHIES AYAN ROY-CHOWDHURY ([email  protected] umd. edu) received his B. E. in electronics and telecommunications engineering in 1998 from Jadavapur University, India, and his M. S. in electrical engineering in 2003 from the University of Maryland, College Park, where he is currently a Ph. D. student. Between 1998 and 2000 he worked as a senior software engineer at Wipro Technologies, India. His research focuses on the design of protocols and frameworks for secure communication in hybrid networks. He is working on secure protocols for unicast and multicast routing in networks that have wired and wireless terrestrial components interconnected by satellite links. He is also looking into key management techniques for secure data transmission for these network architectures, and efficient user-authentication mechanisms for the same. As part of these topics, he is also investigating performance problems for network communication in satellite networks when security is involved. J OHN S. B ARAS [F] received a B. S. in electrical engineering from National Technical University of Athens, Greece, in 1970, and M. S. and Ph. D. degrees in applied mathematics from Harvard University in 1971 and 1973, respectively. He was founding director of the Institute for Systems Research (one of the first six NSF Engineering Research Centers) from 1985 to 1991. Since August 1973 he has been with the Electrical and Computer Engineering Department and Applied Mathematics Faculty at the University of Maryland, College Park. In 1990 he was appointed to the Lockheed Martin Chair in Systems Engineering. Since 1991 he has been director of the Center for Hybrid and Satellite Communication Networks (a NASA Research Partnership Center). Among his awards are the 1980 Outstanding Paper A