Analysis of security impact of making mShield an IPv4 to IPv6 converter box

info:eu-repo/semantics/acceptedVersio

The HSS/SNiC : a conceptual framework for collapsing security down to the physical layer

This work details the concept of a novel network security model called the Super NIC (SNIC) and a Hybrid Super Switch (HSS). The design will ultimately incorporate deep packet inspection (DPI), intrusion detection and prevention (IDS/IPS) functions, as well as network access control technologies therefore making all end-point network devices inherently secure. The SNIC and HSS functions are modelled using a transparent GNU/Linux Bridge with the Netfilter framework

A Comprehensive Survey on the Most Important IPv4aaS IPv6 Transition Technologies, their Implementations and Performance Analysis

As the central public IPv4 address pool has already been exhausted, the deployment of IPv6 has become inevitable. However, the users still require IPv4 Internet access due to some IPv4-only applications. The IPv4aaS (IPv4-as-a-Service) IPv6 transition technologies facilitate that ISPs provide IPv4 service to their customers while using only IPv6 in their access and core networks. This paper discusses the widely used IPv4aaS IPv6 transition technologies in ISP/enterprise networks; we explain their operations, advantages, properties and consider their performances. There are currently many IPv6 transition technologies, nevertheless, in this paper, the five most prominent IPv4aaS IPv6 transition technologies are discussed, namely 464XLAT, Dual-Stack Lite, Lightweight 4over6, MAP-E, and MAP-T. Moreover, the deployment and implementations of these technologies are being analysed and inspected. This paper also overviews the benchmarking methodology for IPv6 transition technologies and surveys several papers that investigated metrics and tools utilized in analysing the performance of different IPv6 transition technologies

Flexible Network Monitoring with FLAME

Increases in scale, complexity, dependency and security for networks have motivated increased automation of activities such as network monitoring. We have employed technology derived from active networking research to develop a series of network monitoring systems, but unlike most previous work, made application needs the priority over infrastructure properties. This choice has produced the following results: (1) the techniques for general infrastructure are both applicable and portable to specific applications such as network monitoring; (2) tradeoffs can benefit our applications while preserving considerable flexibility; and (3) careful engineering allows applications with open architectures to perform competitively with custom-built static implementations. These results are demonstrated via measurements of the lightweight active measurement environment (LAME), its successor, flexible LAME (FLAME), and their application to monitoring for performance and security

Konfiguraationhallinnan datan käyttö verkkoinfrastruktuurin hallintaan

Configuration management software running on nodes solves problems such as configuration drift on the nodes themselves, but the necessary node configuration data can also be utilized in managing network infrastructure, for example to reduce configuration errors by facilitating node life cycle management. Many configuration management software systems depend on a working network, but we can utilize the data to create large parts of the network infrastructure configuration itself using node data from the configuration management system before the nodes themselves are provisioned, as well as remove obsolete configuration as nodes are decommissioned.Konfiguraationhallintajärjestelmien käyttö ratkaisee tietoliikenneverkon solmuilla (node) esiintyviä ongelmia kuten konfiguraation ajelehtimista, mutta konfiguraationhallintaan vaadittua tietovarastoa voidaan käyttää myös verkkoinfrastruktuurin hallinnassa, esimerkiksi vähentämään konfiguraatiovirheitä helpottamalla solmujen elinkaaren hallintaa. Useat konfiguraationhallintaohjelmistot vaativat toimivan verkon, mutta suuria osia verkkoinfrastruktuurin konfiguraatiosta voidaan luoda käyttäen konfiguraatiohallinnan tietovarastoa ennen kuin solmuja pystytetään, sekä voidaan varmistaa vanhentuneen konfiguraation poistuminen solmuja alas ajattaessa

Tagging Data In The Network Stack: mbuf tags

We describe the mbuf tag API, a mechanism for tagging data as they flow through the network stack. Originally introduced in OpenBSD, mbuf tags were initially intended for use by the IPsec stack. The API has matured enough to be used by several other kernel components, and formed the basis for the FreeBSD mbuf tags. We present the API, discuss its various uses in the OpenBSD network stack, and describe some plans for future work. Our goal is to demonstrate the flexibility of this relatively simple mechanism and expose it to other kernel developers

HyPaFilter - A versatile hybrid FPGA packet filter

With network traffic rates continuously growing, security systems like firewalls are facing increasing challenges to process incoming packets at line speed without sacrificing protection. Accordingly, specialized hardware firewalls are increasingly used in high-speed environments. Hardware solutions, though, are inherently limited in terms of the complexity of the policies they can implement, often forcing users to choose between throughput and comprehensive analysis. On the contrary, complex rules typically constitute only a small fraction of the rule set. This motivates the combination of massively parallel, yet complexity-limited specialized circuitry with a slower, but semantically powerful software firewall. The key challenge in such a design arises from the dependencies between classification rules due to their relative priorities within the rule set: complex rules requiring software-based processing may be interleaved at arbitrary positions between those where hardware processing is feasible. We therefore discuss approaches for partitioning and transforming rule sets for hybrid packet processing, and propose HyPaFilter, a hybrid classification system based on tailored circuitry on an FPGA as an accelerator for a Linux netfilter firewall. Our evaluation demonstrates 30-fold performance gains in comparison to software-only processing.Horizon 2020 (Grant ID: SSICLOPS project, 644866)This is the author accepted manuscript. The final version is available from the Association for Computing Machinery via http://dx.doi.org/10.1145/2881025.288103