3,543 research outputs found
Directed Security Policies: A Stateful Network Implementation
Large systems are commonly internetworked. A security policy describes the
communication relationship between the networked entities. The security policy
defines rules, for example that A can connect to B, which results in a directed
graph. However, this policy is often implemented in the network, for example by
firewalls, such that A can establish a connection to B and all packets
belonging to established connections are allowed. This stateful implementation
is usually required for the network's functionality, but it introduces the
backflow from B to A, which might contradict the security policy. We derive
compliance criteria for a policy and its stateful implementation. In
particular, we provide a criterion to verify the lack of side effects in linear
time. Algorithms to automatically construct a stateful implementation of
security policy rules are presented, which narrows the gap between
formalization and real-world implementation. The solution scales to large
networks, which is confirmed by a large real-world case study. Its correctness
is guaranteed by the Isabelle/HOL theorem prover.Comment: In Proceedings ESSS 2014, arXiv:1405.055
Secure management of logs in internet of things
Ever since the advent of computing, managing data has been of extreme
importance. With innumerable devices getting added to network infrastructure,
there has been a proportionate increase in the data which needs to be stored.
With the advent of Internet of Things (IOT) it is anticipated that billions of
devices will be a part of the internet in another decade. Since those devices
will be communicating with each other on a regular basis with little or no
human intervention, plethora of real time data will be generated in quick time
which will result in large number of log files. Apart from complexity
pertaining to storage, it will be mandatory to maintain confidentiality and
integrity of these logs in IOT enabled devices. This paper will provide a brief
overview about how logs can be efficiently and securely stored in IOT devices.Comment: 6 pages, 1 tabl
Applying Formal Methods to Networking: Theory, Techniques and Applications
Despite its great importance, modern network infrastructure is remarkable for
the lack of rigor in its engineering. The Internet which began as a research
experiment was never designed to handle the users and applications it hosts
today. The lack of formalization of the Internet architecture meant limited
abstractions and modularity, especially for the control and management planes,
thus requiring for every new need a new protocol built from scratch. This led
to an unwieldy ossified Internet architecture resistant to any attempts at
formal verification, and an Internet culture where expediency and pragmatism
are favored over formal correctness. Fortunately, recent work in the space of
clean slate Internet design---especially, the software defined networking (SDN)
paradigm---offers the Internet community another chance to develop the right
kind of architecture and abstractions. This has also led to a great resurgence
in interest of applying formal methods to specification, verification, and
synthesis of networking protocols and applications. In this paper, we present a
self-contained tutorial of the formidable amount of work that has been done in
formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial
Packet flow analysis in IP networks via abstract interpretation
Static analysis (aka offline analysis) of a model of an IP network is useful
for understanding, debugging, and verifying packet flow properties of the
network. There have been static analysis approaches proposed in the literature
for networks based on model checking as well as graph reachability. Abstract
interpretation is a method that has typically been applied to static analysis
of programs. We propose a new, abstract-interpretation based approach for
analysis of networks. We formalize our approach, mention its correctness
guarantee, and demonstrate its flexibility in addressing multiple
network-analysis problems that have been previously solved via tailor-made
approaches. Finally, we investigate an application of our analysis to a novel
problem -- inferring a high-level policy for the network -- which has been
addressed in the past only in the restricted single-router setting.Comment: 8 page
APMEC: An Automated Provisioning Framework for Multi-access Edge Computing
Novel use cases and verticals such as connected cars and human-robot
cooperation in the areas of 5G and Tactile Internet can significantly benefit
from the flexibility and reduced latency provided by Network Function
Virtualization (NFV) and Multi-Access Edge Computing (MEC). Existing frameworks
managing and orchestrating MEC and NFV are either tightly coupled or completely
separated. The former design is inflexible and increases the complexity of one
framework. Whereas, the latter leads to inefficient use of computation
resources because information are not shared. We introduce APMEC, a dedicated
framework for MEC while enabling the collaboration with the management and
orchestration (MANO) frameworks for NFV. The new design allows to reuse
allocated network services, thus maximizing resource utilization. Measurement
results have shown that APMEC can allocate up to 60% more number of network
services. Being developed on top of OpenStack, APMEC is an open source project,
available for collaboration and facilitating further research activities
- …