Misconfiguration in Firewalls and Network Access Controls: Literature Review

Firewalls and network access controls play important roles in security control and protection. Those firewalls may create an incorrect sense or state of protection if they are improperly configured. One of the major configuration problems in firewalls is related to misconfiguration in the access control roles added to the firewall that will control network traffic. In this paper, we evaluated recent research trends and open challenges related to firewalls and access controls in general and misconfiguration problems in particular. With the recent advances in next-generation (NG) firewalls, firewall roles can be auto-generated based on networks and threats. Nonetheless, and due to the large number of roles in any medium to large networks, roles’ misconfiguration may occur for several reasons and will impact the performance of the firewall and overall network and protection efficiency

Directed Security Policies: A Stateful Network Implementation

Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover.Comment: In Proceedings ESSS 2014, arXiv:1405.055

A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods in monitoring and classifying network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly becoming adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps on enterprise network security to inspire future research.Comment: Journal paper submitted to Elseive

Modeling Firewalls for Behavior Analysis

AbstractThis work presents a software behavioral model of the capabilities found in firewall type devices and a process for taking vendor specific nuances to a common implementation. This includes understanding interfaces, routes, rules, translation, and policies; modeling them in a common manner such that different models may be compared to each other for functional similarity. This work makes use of recent efforts to model firewall policies in a concise efficient data structure referred to as a Firewall Policy Diagram (FPD). The structure facilitates the canonical representation of a policy as well as human comprehension of the policy. Its use with behavior modeling is to capture and compare the results of a potentially large solution space

Verkon tietoturvan kehittäminen ohjelmisto-ohjatuilla verkoilla

Software-defined networking (SDN) is a new technology in computer networks, which enables the management of the network and the development of new network functions in a higher level of abstraction than in traditional networks. In the SDN concept, the management of the network can be centralized to a specific SDN controller instead of managing each network device separately through a vendor-specific interface. This enables new possibilities for designing computer networks and makes the administration easier than before. In this thesis we are considering the security improvements in computer networks achieved by the software-defined networking. The purpose of the research is to find out if the current maturity of the SDN technology allows traditional networks to be replaced by SDN and what kind of security enhancing network functions can be implemented with the SDN technology. We are also discovering existing SDN applications and solutions presented in former research. Based on the research, the solutions providing improved network security can be divided to two categories. First is the SDN security applications and second is the solutions that are providing better network management. Many of the proposed solutions are still under development and they will need more research and development contribution before they are ready for the production use. During the research, it became clear that the SDN technology brings new security threats for consideration because of the centralized network management and the management performed by software. In particular the attacks against the management network and the usage of the third party software are possible security threats. Currently, migration from a traditional network to an SDN based network needs still much resources, but in the future the technology will definitely become more common

Intrusion detection and management over the world wide web

As the Internet and society become ever more integrated so the number of Internet users continues to grow. Today there are 1.6 billion Internet users. They use its services to work from home, shop for gifts, socialise with friends, research the family holiday and manage their finances. Through generating both wealth and employment the Internet and our economies have also become interwoven. The growth of the Internet has attracted hackers and organised criminals. Users are targeted for financial gain through malware and social engineering attacks. Industry has responded to the growing threat by developing a range defences: antivirus software, firewalls and intrusion detection systems are all readily available. Yet the Internet security problem continues to grow and Internet crime continues to thrive. Warnings on the latest application vulnerabilities, phishing scams and malware epidemics are announced regularly and serve to heighten user anxiety. Not only are users targeted for attack but so too are businesses, corporations, public utilities and even states. Implementing network security remains an error prone task for the modern Internet user. In response this thesis explores whether intrusion detection and management can be effectively offered as a web service to users in order to better protect them and heighten their awareness of the Internet security threat

Secure Virtual Machine Migration in Cloud Data Centers

While elasticity represents a valuable asset in cloud computing environments, it may bring critical security issues. In the cloud, virtual machines (VMs) are dynamically and frequently migrated across data centers from one host to another. This frequent modification in the topology requires constant reconfiguration of security mechanisms particularly as we consider, in terms of firewalls, intrusion detection/prevention as well as IPsec policies. However, managing manually complex security rules is time-consuming and error-prone. Furthermore, scale and complexity of data centers are continually increasing, which makes it difficult to rely on the cloud provider administrators to update and validate the security mechanisms. In this thesis, we propose a security verification framework with a particular interest in the abovementioned security mechanisms to address the issue of security policy preservation in a highly dynamic context of cloud computing. This framework enables us to verify that the global security policy after the migration is consistently preserved with respect to the initial one. Thus, we propose a systematic procedure to verify security compliance of firewall policies, intrusion detection/prevention, and IPsec configurations after VM migration. First, we develop a process algebra called cloud calculus, which allows specifying network topology and security configurations. It also enables specifying the virtual machines migration along with their security policies. Then, the distributed firewall configurations in the involved data centers are defined according to the network topology expressed using cloud calculus. We show how our verification problem can be reduced to a constraint satisfaction problem that once solved allows reasoning about firewall traffic filtering preservation. Similarly, we present our approach to the verification of intrusion detection monitoring preservation as well as IPsec traffic protection preservation using constraint satisfaction problem. We derive a set of constraints that compare security configurations before and after migration. The obtained constraints are formulated as constraint satisfaction problems and then submitted to a SAT solver, namely Sugar, in order to verify security preservation properties and to pinpoint the configuration errors, if any, before the actual migration of the security context and the virtual machine. In addition, we present case studies for the given security mechanisms in order to show the applicability and usefulness of our framework, and demonstrate the scalability of our approach

Firewall Policy Diagram: Novel Data Structures and Algorithms for Modeling, Analysis, and Comprehension of Network Firewalls

Firewalls, network devices, and the access control lists that manage traffic are very important components of modern networking from a security and regulatory perspective. When computers were first connected, they were communicating with trusted peers and nefarious intentions were neither recognized nor important. However, as the reach of networks expanded, systems could no longer be certain whether the peer could be trusted or that their intentions were good. Therefore, a couple of decades ago, near the widespread adoption of the Internet, a new network device became a very important part of the landscape, i.e., the firewall with the access control list (ACL) router. These devices became the sentries to an organization's internal network, still allowing some communication; however, in a controlled and audited manner. It was during this time that the widespread expansion of the firewall spawned significant research into the science of deterministically controlling access, as fast as possible. However, the success of the firewall in securing the enterprise led to an ever increasing complexity in the firewall as the networks became more inter-connected. Over time, the complexity has continued to increase, yielding a difficulty in understanding the allowed access of a particular device. As a result of this success, firewalls are one of the most important devices used in network security. They provide the protection between networks that only wish to communicate over an explicit set of channels, expressed through the protocols, traveling over the network. These explicit channels are described and implemented in a firewall using a set of rules, where the firewall implements the will of the organization through these rules, also called a firewall policy. In small test environments and networks, firewall policies may be easy to comprehend and understand; however, in real world organizations these devices and policies must be capable of handling large amounts of traffic traversing hundreds or thousands of rules in a particular policy. Added to that complexity is the tendency of a policy to grow substantially more complex over time; and the result is often unintended mistakes in comprehending the complex policy, possibly leading to security breaches. Therefore, the need for an organization to unerringly and deterministically understand what traffic is allowed through a firewall, while being presented with hundreds or thousands of rules and routes, is imperative. In addition to the local security policy represented in a firewall, the modern firewall and filtering router involve more than simply deciding if a packet should pass through a security policy. Routing decisions through multiple network interfaces involving vendor-specific constructs such as zones, domains, virtual routing tables, and multiple security policies have become the more common type of device found in the industry today. In the past, network devices were separated by functional area (ACL, router, switch, etc.). The more recent trend has been for these capabilities to converge and blend creating a device that goes far beyond the straight-forward access control list. This dissertation investigates the comprehension of traffic flow through these complex devices by focusing on the following research topics: - Expands on how a security policy may be processed by decoupling the original rules from the policy, and instead allow a holistic understanding of the solution space being represented. This means taking a set of constraints on access (i.e., firewall rules), synthesizing them into a model that represents an accept and deny space that can be quickly and accurately analyzed. - Introduces a new set of data structures and algorithms collectively referred to as a Firewall Policy Diagram (FPD). A structure that is capable of modeling Internet Protocol version 4 packet (IPv4) solution space in memory efficient, mathematically set-based entities. Using the FPD we are capable of answering difficult questions such as: what access is allowed by one policy over another, what is the difference in spaces, and how to efficiently parse the data structure that represents the large search space. The search space can be as large as 288; representing the total values available to the source IP address (232), destination IP address (232), destination port (216), and protocol (28). The fields represent the available bits of an IPv4 packet as defined by the Open Systems Interconnection (OSI) model. Notably, only the header fields that are necessary for this research are taken into account and not every available IPv4 header value. - Presents a concise, precise, and descriptive language called Firewall Policy Query Language (FPQL) as a mechanism to explore the space. FPQL is a Backus Normal Form (Backus-Naur Form) (BNF) compatible notation for a query language to do just that sort of exploration. It looks to translate concise representations of what the end user needs to know about the solution space, and extract the information from the underlying data structures. - Finally, this dissertation presents a behavioral model of the capabilities found in firewall type devices and a process for taking vendor-specific nuances to a common implementation. This includes understanding interfaces, routes, rules, translation, and policies; and modeling them in a consistent manner such that the many different vendor implementations may be compared to each other

SketchLib: enabling efficient sketch-based monitoring on programmable switches

CNS-2107086 - National Science Foundation; CNS-2106946 - National Science FoundationPublished versio

Advancing SDN from OpenFlow to P4: a survey

Software-defined Networking (SDN) marked the beginning of a new era in the field of networking by decoupling the control and forwarding processes through the OpenFlow protocol. The Next Generation SDN is defined by Open Interfaces and full programmability of the data plane. P4 is a domain-specific language that fulfills these requirements and has known wide adoption over recent years from Academia and Industry. This work is an extensive survey of the P4 language covering domains of application, a detailed overview of the language, and future directions