
    FPC: A New Approach to Firewall Policies Compression

    Firewalls are crucial elements that enhance network security by examining the field values of every packet and deciding whether to accept or discard a packet according to the firewall policies. With the development of networks, the number of rules in firewalls has rapidly increased, consequently degrading network performance. In addition, because most real-life firewalls have been plagued with policy conflicts, malicious traffic can be allowed or legitimate traffic can be blocked. Moreover, because of the complexity of firewall policies, it is very important to reduce the number of rules in a firewall while keeping the rule semantics unchanged and the target firewall rules conflict-free. In this study, we make three major contributions. First, we present a new approach in which a geometric model, the multidimensional rectilinear polygon, is constructed for the firewall rule compression problem. Second, we propose a new scheme, Firewall Policies Compression (FPC), to compress multidimensional firewall rules based on this geometric model. Third, we conducted extensive experiments to evaluate the performance of the proposed method. The experimental results demonstrate that the FPC method outperforms the existing approaches in terms of compression ratio and efficiency while maintaining conflict-free firewall rules.

    Firewall Rule Set Analysis and Visualization

    A firewall is a necessary component for network security and, just like any regular equipment, it requires maintenance. To keep up with changing cyber security trends and threats, firewall rules are modified frequently. Over time such modifications increase the complexity, size and verbosity of firewall rules. As the rule set grows in size, adding and modifying rules becomes a tedious task. This discourages network administrators from reviewing the work done by previous administrators before and after applying any changes. As a result, the quality and efficiency of the firewall go down. Modification and addition of rules without knowledge of previous rules creates anomalies like shadowing and rule redundancy. Anomalous rule sets not only limit the efficiency of the firewall but in some cases create a hole in the perimeter security. Detection of anomalies has been studied for a long time and some well-established procedures have been implemented and tested. But they all have a common problem of visualizing the results. When it comes to visualization of firewall anomalies, the results do not fit in traditional matrix, tree or sunburst representations. This research targets the anomaly detection and visualization problem. It analyzes and represents firewall rule anomalies in innovative ways such as hive plots and dynamic slices. Such graphical representations of rule anomalies are useful in understanding the state of a firewall. It also helps network administrators in finding and fixing the anomalous rules.
    Dissertation/Thesis: Masters Thesis, Computer Science, 201

    ISSEC: A Socio-technical Decision Support System for Information Security Planning

    The traditional notion of information security, rooted in a solidly technical foundation, has within the past decade seen wide criticism within academia, much of which has originated from the social sciences community, as being narrow and technology-centric instead of holistic and organizational in its focus. As information security awareness encompasses an ever-greater scope of organizational dynamics, it becomes necessary for us to develop design methodologies and, ultimately, systems capable of dealing practically with the complex and multifaceted nature of information systems security decision-making which is entailed by the emerging notions of a new paradigm for security. To this end, we present an architecture which implements a web-based multi-user decision support system (DSS) driven by an operational security model within a qualitative multi-criteria framework that utilizes AHP as its inference engine. The system is then demonstrated in action by addressing a multi-criteria security control selection decision.

    Cloud BI: Future of business intelligence in the Cloud

    In self-hosted environments it was feared that business intelligence (BI) would eventually face a resource crunch due to the never-ending expansion of data warehouses and the online analytical processing (OLAP) demands on the underlying networking. Cloud computing has instigated new hope for the future prospects of BI. However, how will BI be implemented on the Cloud, and what will the traffic and demand profile look like? This research attempts to answer these key questions in regard to taking BI to the Cloud. The Cloud hosting of BI has been demonstrated with the help of a simulation on OPNET comprising a Cloud model with multiple OLAP application servers applying parallel query loads on an array of servers hosting relational databases. The simulation results reflected that extensible parallel processing of database servers on the Cloud can efficiently process OLAP application demands on Cloud computing.

    Network-Based Detection and Prevention System against DNS-Based Attacks

    Individuals and organizations rely on the Internet as an essential environment for personal or business transactions. However, individuals and organizations have been primary targets for attacks that steal sensitive data. Adversaries can use different approaches to hide their activities inside the compromised network and communicate covertly between the malicious servers and the victims. The domain name system (DNS) protocol is one of these approaches that adversaries use to transfer stolen data outside the organization's network using various forms of DNS tunneling attacks. The main reason for targeting the DNS protocol is that DNS is available in almost every network, ignored, and rarely monitored. In this work, the primary aim is to design a reliable and robust network-based solution as a detection system against DNS-based attacks using various techniques, including visualization, machine learning techniques, and statistical analysis. The network-based solution acts as a DNS proxy server that provides DNS services as well as detection and prevention against DNS-based attacks, which are either embedded in malware or used as stand-alone attacking tools. The detection system works in two modes: real-time and offline. The real-time mode relies on the developed Payload Analysis (PA) module. In contrast, the offline mode operates based on two of the modules contributed in this dissertation, the visualization and Traffic Analysis (TA) modules. We conducted various experiments in order to test and evaluate the detection system against simulated real-world attacks. Overall, the detection system achieved a high accuracy of 99.8% with no false-negative rate. To validate the method, we compared the developed detection system against the open-source detection system Snort intrusion detection system (IDS). We evaluated the two detection systems using a confusion matrix, including the recall, false-negative rate, accuracy, and others. The detection system detects all case scenarios of the attacks while Snort missed 50% of the performed attacks. Based on the results, we can conclude that the detection system is a significant and original improvement over the present methods used for detecting and preventing DNS-based attacks.

    Business Process Re-engineering and Information Security Planning: Opportunities for integration

    Business process re-engineering (BPR) has come to recognize a need for the adoption of socio-technical methodologies and capabilities for knowledge representation of qualitative concerns. Security planning and decision-making has a similar need, and furthermore socio-technical methods common to BPR can be usefully applied in this capacity. The introduction of security models like Defense-in-Depth and similar efforts to recognize the organizational impact of security planning in operational security management serve as an initial step in educating security personnel and provide a more comprehensive view, but unfortunately security decision-making has traditionally relied almost solely upon quantitative risk assessment, cost/benefit mechanisms, and related functionalistic methodologies. This greatly limits the representational capacity of the decision process, and with it the possible dimensions of analysis in which to consider security issues. Within this paper, we briefly examine security planning and the relevant techniques of BPR and socio-technical design, and present a framework for their integration within the context of information security. It is our contention that such methodologies can be utilized in the security decision process to facilitate representation of subjective concerns and broadly defined issues germane to security policy within an organizational context.