2,035 research outputs found
A model for the analysis of security policies in service function chains
Two emerging architectural paradigms, i.e., Software Defined Networking (SDN)
and Network Function Virtualization (NFV), enable the deployment and management
of Service Function Chains (SFCs). A SFC is an ordered sequence of abstract
Service Functions (SFs), e.g., firewalls, VPN-gateways,traffic monitors, that
packets have to traverse in the route from source to destination. While this
appealing solution offers significant advantages in terms of flexibility, it
also introduces new challenges such as the correct configuration and ordering
of SFs in the chain to satisfy overall security requirements. This paper
presents a formal model conceived to enable the verification of correct policy
enforcements in SFCs. Software tools based on the model can then be designed to
cope with unwanted network behaviors (e.g., security flaws) deriving from
incorrect interactions of SFs in the same SFC
Performance of an annual combustor designed for a low-cost turbojet engine
Performance tests were conducted on a combustor designed for use in a low-cost turbojet engine. Low-cost features included the use of very inexpensive simplex fuel nozzles and combustor liners of perforated sheet material. Combustion efficiencies at the altitude-cruise and sea-level design points were approximately 94 and 96 percent, respectively. The combustor isothermal total-pressure loss was 8.8 percent at the altitude-cruise-condition diffuser-inlet Mach number of 0.335. The combustor-exit temperature pattern factor was less than 0.3 at the altitude-cruise, sea-level-cruise, and sea-level-static design conditions. The combustor-exit average radial temperature profiles at all conditions were in very good agreement with the design profile. The intense mixing required because of the very high combustor heat-release rate had an adverse effect on ignition capability at altitude windmilling design conditions
A Proposal for Dynamic Access Lists for TCP/IP Packet Filering
The use of IP filtering to improve system security is well established, and
although limited in what it can achieve has proved to be efficient and
effective.
In the design of a security policy there is always a trade-off between
usability and security. Restricting access means that legitimate use of the
network is prevented; allowing access means illegitimate use may be allowed.
Static access list make finding a balance particularly stark -- we pay the
price of decreased security 100% of the time even if the benefit of increased
usability is only gained 1% of the time.
Dynamic access lists would allow the rules to change for short periods of
time, and to allow local changes by non-experts. The network administrator can
set basic security guide-lines which allow certain basic services only. All
other services are restricted, but users are able to request temporary
exceptions in order to allow additional access to the network. These exceptions
are granted depending on the privileges of the user.
This paper covers the following topics: (1) basic introduction to TCP/IP
filtering; (2) semantics for dynamic access lists and; (3) a proposed protocol
for allowing dynamic access; and (4) a method for representing access lists so
that dynamic update and look-up can be done efficiently performed.Comment: 12 pages. Shortened version appeared in SAICSIT 200
Bank Regulation: Will Regulators Catch Up with the Market?
Legislation on financial services modernization has taken on special urgency since the banking industry is transforming itself through mergers stretching across financial services and across countries. Phil Gramm (R-Tex.), the new chairman of the Senate Banking Committee, has made bank regulatory reform his "number-one priority." A review of historical and contemporary evidence shows how market forces can address concerns about consumer protection and the soundness of the financial system. The financial services modernization legislation thus should repeal the 1933 Glass-Steagall Act and reform the 1956 Bank Holding Company Act,allow banks to structure their new activities through operating subsidiaries or affiliates,reduce the "moral hazard" of federal deposit insurance by mimicking private bond covenants, andnot raise any new regulatory barriers
Secure Remote Control and Configuration of FPX Platform in Gigabit Ethernet Environment
Because of its flexibility and high performance, reconfigurable logic functions implemented on the Field-programmable Port Extender (FPX ) are well suited for implementing network processing such as packet classification, filtering and intrusion detection functions. This project focuses on two key aspects of the FPX system. One is providing a Gigabit Ethernet interface by designing logic for a FPGA which is located on a line card. Address Resolution Protocol (ARP) packets are handled in hardware and Ethernet frames are processed and transformed into cells suitable for standard FPX application. The other effort is to provide a secure channel to enable remote control and configuration of the FPX system through public internet. A suite of security hardware cores were implemented that include the Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), Hashed Message Authentication Code (HMAC), Message Digest Version 5 (MD5) and Secure Hash Algorithm (SHA-1). An architecture and an associated protocol have been developed which provide a secure communication channel between a control console and a hardware-based reconfigurable network node. This solution is unique in that it does not require a software process to run on the network stack, so that it has both higher performance and prevents the node from being hacked using traditional vulnerabilities found in common operating systems. The mechanism can be applied to the design and implementation of re-motely managed FPX systems. A hardware module called the Secure Control Packet Processor (SCPP) has been designed for a FPX based firewall. It utilizes AES or 3DES in Error Propagation Block Chaining (EPBC) mode to ensure data confidentiality and data integrity. There is also an authenticated engine that uses HMAC. to generate the acknowledgments. The system can protect the FPX system against attacks that may be sent over the control and configuration channel. Based on this infrastructure, an enhanced protocol is addressed that provides higher efficiency and can defend against replay attack. To support that, a control cell encryption module was designed and tested in the FPX system
Applying Formal Methods to Networking: Theory, Techniques and Applications
Despite its great importance, modern network infrastructure is remarkable for
the lack of rigor in its engineering. The Internet which began as a research
experiment was never designed to handle the users and applications it hosts
today. The lack of formalization of the Internet architecture meant limited
abstractions and modularity, especially for the control and management planes,
thus requiring for every new need a new protocol built from scratch. This led
to an unwieldy ossified Internet architecture resistant to any attempts at
formal verification, and an Internet culture where expediency and pragmatism
are favored over formal correctness. Fortunately, recent work in the space of
clean slate Internet design---especially, the software defined networking (SDN)
paradigm---offers the Internet community another chance to develop the right
kind of architecture and abstractions. This has also led to a great resurgence
in interest of applying formal methods to specification, verification, and
synthesis of networking protocols and applications. In this paper, we present a
self-contained tutorial of the formidable amount of work that has been done in
formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial
- …