Collaborative enforcement of firewall policies in virtual private networks

The widely deployed Virtual Private Network (VPN) tech-nology allows roaming users to build an encrypted tunnel to a VPN server, which henceforth allows roaming users to access some resources as if that computer is residing on their home organization’s network. Although the VPN technol-ogy is very useful, it imposes security threats to the remote network because their firewall does not know what traffic is flowing inside the VPN tunnel. To address this issue, we pro-pose VGuard, a framework that allows a policy owner and a request owner to collaboratively determine whether the re-quest satisfies the policy without the policy owner knowing the request and the request owner knowing the policy. We first present an efficient protocol, called Xhash, for oblivious comparison, which allows two parties, where each party has a number, to compare whether they have the same num-ber, without disclosing their numbers to each other. Then, we present the VGuard framework that uses Xhash as the basic building block. The basic idea of VGuard is to first convert a firewall policy to non-overlapping numerical rules and then use Xhash to check whether a request matches a rule. Comparing with the Cross-Domain Cooperative Fire-wall (CDCF) framework, which represents the state-of-the-art, VGuard is not only more secure but also orders of mag-nitude more efficient. On real-life firewall policies, for pro-cessing packets, our experimental results show that VGuard is 552 times faster than CDCF on one party and 5035 times faster than CDCF on the other party

Dynamic Trust Management

Trust management forms the basis for communicating policy among system elements and demands credential checking for access to all virtual private service resources—along with careful evaluation of credentials against specified policies—before a party can be trusted

Infrastructure as a service: exploring network access control challenges

Cloud Computing Infrastructure as a Service (IaaS) is a great model for outsourcing IT infrastructure. It is built to offer fascinating features to support business development, such as elasticity, multi-tenancy, configurability and dynamicity. However, IaaS faces security challenges on account of its flexible nature. For this article, we studied the IaaS characteristics and investigated their related security challenges. We then elaborated these security challenges by exploring the security threats on live virtual machine migration as it is one of the main IaaS operations. We found that proper access control techniques and models are a critical element in enhancing IaaS and mitigating the identified security threats. Therefore, we investigated and contrasted the implemented and the proposed firewall architectures in IaaS as a firewall is a basic security appliance that enforces access control. We also explored and contrasted the proposed access control models in the IaaS. It was found that the traditional firewalls and access control models were not sufficient for IaaS. Therefore, there is a need to develop a proper access control model and enforcement techniques to mitigate IaaS security threats. Based on the security research trend and the results obtained in this articles exploration, we endorse an IaaS access control system built on a computational intelligent approach

De-perimeterisation as a cycle: tearing down and rebuilding security perimeters

If an organisation wants to secure its IT assets, where should the security mechanisms be placed? The traditional view is the hard-shell model, where an organisation secures all its assets using a fixed security border: What is inside the security perimeter is more or less trusted, what is outside is not. Due to changes in technologies, business processes and their legal environments this approach is not adequate anymore.\ud This paper examines this process, which was coined de-perimeterisation by the Jericho Forum.\ud In this paper we analyse and define the concepts of perimeter and de-perimeterisation, and show that there is a long term trend in which de-perimeterisation is iteratively accelerated and decelerated. In times of accelerated de-perimeterisation, technical and organisational changes take place by which connectivity between organisations and their environment scales up significantly. In times of deceleration, technical and organisational security measures are taken to decrease the security risks that come with de-perimeterisation, a movement that we call re-perimeterisation. We identify the technical and organisational mechanisms that facilitate de-perimeterisation and re-perimeterisation, and discuss the forces that cause organisations to alternate between these two movements

Electronic security - risk mitigation in financial transactions : public policy issues

This paper builds on a previous series of papers (see Claessens, Glaessner, and Klingebiel, 2001, 2002) that identified electronic security as a key component to the delivery of electronic finance benefits. This paper and its technical annexes (available separately at http://www1.worldbank.org/finance/) identify and discuss seven key pillars necessary to fostering a secure electronic environment. Hence, it is intended for those formulating broad policies in the area of electronic security and those working with financial services providers (for example, executives and management). The detailed annexes of this paper are especially relevant for chief information and security officers responsible for establishing layered security. First, this paper provides definitions of electronic finance and electronic security and explains why these issues deserve attention. Next, it presents a picture of the burgeoning global electronic security industry. Then it develops a risk-management framework for understanding the risks and tradeoffs inherent in the electronic security infrastructure. It also provides examples of tradeoffs that may arise with respect to technological innovation, privacy, quality of service, and security in designing an electronic security policy framework. Finally, it outlines issues in seven interrelated areas that often need attention in building an adequate electronic security infrastructure. These are: 1) The legal framework and enforcement. 2) Electronic security of payment systems. 3) Supervision and prevention challenges. 4) The role of private insurance as an essential monitoring mechanism. 5) Certification, standards, and the role of the public and private sectors. 6) Improving the accuracy of information on electronic security incidents and creating better arrangements for sharing this information. 7) Improving overall education on these issues as a key to enhancing prevention.Knowledge Economy,Labor Policies,International Terrorism&Counterterrorism,Payment Systems&Infrastructure,Banks&Banking Reform,Education for the Knowledge Economy,Knowledge Economy,Banks&Banking Reform,International Terrorism&Counterterrorism,Governance Indicators

Virtual Private Services: Coordinated Policy Enforcement for Distributed Applications

Large scale distributed applications combine network access with multiple storage and computational elements. The distributed responsibility for resource control creates new security issues, caused by the complexity of the operating environment. In particular, policies at multiple layers and locations force conventional mechanisms such as firewalls and compartmented file storage into roles where they are clumsy and failure-prone. Our approach relies on two functional divisions. First, we split policy specification and policy enforcement, providing local autonomy within the constraints of the global security policy. Second, we create virtual security domains each with its own security policy. Every domain has an associated set of privileges and permissions restricting it to the resources it needs to use and the services it must perform. Virtual private services ensure security and privacy policies are adhered to through coordinated policy enforcement points

IaaS-cloud security enhancement: an intelligent attribute-based access control model and implementation

The cloud computing paradigm introduces an efficient utilisation of huge computing resources by multiple users with minimal expense and deployment effort compared to traditional computing facilities. Although cloud computing has incredible benefits, some governments and enterprises remain hesitant to transfer their computing technology to the cloud as a consequence of the associated security challenges. Security is, therefore, a significant factor in cloud computing adoption. Cloud services consist of three layers: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing services are accessed through network connections and utilised by multi-users who can share the resources through virtualisation technology. Accordingly, an efficient access control system is crucial to prevent unauthorised access. This thesis mainly investigates the IaaS security enhancement from an access control point of view. [Continues.

A Novel Hybrid Security Framework (HSF) with Vshield Based Firewall to Secure Cloud Computing Environment

Cloud Computing is an emerging technology that provides an enormous amount of computing resources which includes networks, servers and storages which are accessed through the internet. In addition it allows useful provisioning of the resources based on the user’s demands. A crucial aspect of cloud computing infrastructure is to provide secure and reliable services.  The main challenge lies in the security issues is to reduce the impact of third party attacks in the cloud computing environment. Hence a novel Hybrid Security Framework(HSF) based on Reinforcement Learning (RL) Methodology with Vshield Firewall is proposed for securing the cloud environment.  The RL method is used for deep packet inspection and VShiled based firewall is established to deny the attacks which are malicious when authenticating the signature of incoming packets. The bipartite pattern matching approach is integrated with the RL method to verify the signatures for obtaining the decisions quickly.  The simulation results shows that the hybrid security framework is effective when compared with the existing methods by considering response time, resource utilization and denial of malicious attacks.  This indicates that our proposed framework achieves not only better security but also attains better efficiency in cloud computing environment