Learning to Customize Network Security Rules

Security is a major concern for organizations who wish to leverage cloud computing. In order to reduce security vulnerabilities, public cloud providers offer firewall functionalities. When properly configured, a firewall protects cloud networks from cyber-attacks. However, proper firewall configuration requires intimate knowledge of the protected system, high expertise and on-going maintenance. As a result, many organizations do not use firewalls effectively, leaving their cloud resources vulnerable. In this paper, we present a novel supervised learning method, and prototype, which compute recommendations for firewall rules. Recommendations are based on sampled network traffic meta-data (NetFlow) collected from a public cloud provider. Labels are extracted from firewall configurations deemed to be authored by experts. NetFlow is collected from network routers, avoiding expensive collection from cloud VMs, as well as relieving privacy concerns. The proposed method captures network routines and dependencies between resources and firewall configuration. The method predicts IPs to be allowed by the firewall. A grouping algorithm is subsequently used to generate a manageable number of IP ranges. Each range is a parameter for a firewall rule. We present results of experiments on real data, showing ROC AUC of 0.92, compared to 0.58 for an unsupervised baseline. The results prove the hypothesis that firewall rules can be automatically generated based on router data, and that an automated method can be effective in blocking a high percentage of malicious traffic.Comment: 5 pages, 5 figures, one tabl

Security Technology by Using Firewall for Smart Grid

Due to the increasing development of computer systems and information networks, power grids should change extensively too. Nowadays, substantial movement has begun to implement the Smart Grid industry around the world. Since with the creation of smart electricity grids, it is possible to access the internal network from the external spaces, it is also necessary to protect information and data against unauthorized access. Therefore, a firewall should be used for information security. The firewall based on existing security regulations, decides which data is incoming to the network or going out of the network. Considering the discussions of passive defense topics at the national level and also the high importance of information security in Smart Grids, in this paper, in addition to examining the Firewalls, its advantages and disadvantages are also stated. Although the firewall has a major role in establishing security, and its installation and appropriate configuration can only be one of the primary activities in this field, we should also take advantage of other security mechanisms to enhance the security of the Smart Grid

Security Technology by using Firewall for Smart Grid

Due to the increasing development of computer systems and information networks, power grids should change extensively too. Nowadays, substantial movement has begun to implement the Smart Grid industry around the world. Since with the creation of smart electricity grids, it is possible to access the internal network from the external spaces, it is also necessary to protect information and data against unauthorized access. Therefore, a firewall should be used for information security. The firewall based on existing security regulations, decides which data is incoming to the network or going out of the network. Considering the discussions of passive defense topics at the national level and also the high importance of information security in Smart Grids, in this paper, in addition to examining the Firewalls, its advantages and disadvantages are also stated. Although the firewall has a major role in establishing security, and its installation and appropriate configuration can only be one of the primary activities in this field, we should also take advantage of other security mechanisms to enhance the security of the Smart Grid

Handling Stateful Firewall Anomalies

Part 4: Access ControlInternational audienceA security policy consists of a set of rules designed to protect an information system. To ensure this protection, the rules must be deployed on security components in a consistent and non-redundant manner. Unfortunately, an empirical approach is often adopted by network administrators, to the detriment of theoretical validation. While the literature on the analysis of configurations of first generation (stateless) firewalls is now rich, this is not the case for second and third generation firewalls, also known as stateful firewalls. In this paper, we address this limitation, and provide solutions to analyze and handle stateful firewall anomalies and misconfiguration

Misconfiguration in Firewalls and Network Access Controls: Literature Review

Firewalls and network access controls play important roles in security control and protection. Those firewalls may create an incorrect sense or state of protection if they are improperly configured. One of the major configuration problems in firewalls is related to misconfiguration in the access control roles added to the firewall that will control network traffic. In this paper, we evaluated recent research trends and open challenges related to firewalls and access controls in general and misconfiguration problems in particular. With the recent advances in next-generation (NG) firewalls, firewall roles can be auto-generated based on networks and threats. Nonetheless, and due to the large number of roles in any medium to large networks, roles’ misconfiguration may occur for several reasons and will impact the performance of the firewall and overall network and protection efficiency

Definition of Data Sharing Agreements (The case of Spanish Data Protection Law)

Electronic sharing of data among different parties, includ- ing groups of organizations and/or individuals, while protecting their legitimate rights on these data, is a key both for business and societal transactions. However, data sharing clauses are usually specified in legal documents that are far from being amenable of automated processing by the electronic platform that should enforce them. Furthermore, different parties usually pursue different interests. This may lead to conflicts that need to be solved for the agreements to succeed. Addressing this prob- lem, in this paper we i) discuss a proposal for the definition of a machine processable electronic data sharing multilateral contract (e-DSA); ii) re- call a controlled natural language (CNL4DSA) developed for expressing e-DSA clauses, in particular, authorizations and obligations policies on data; iii) instantiate a resolution process that can solve potential con- flicts posed by different stakeholders? clauses, e.g., legal, organizational, and end-users? clauses, according to specific criteria. We illustrate our approach on a realistic e-Health scenario derived from one described by a Spanish medical institution. The main novelty of this paper are the ref- erence to the Spanish Data Protection Law (S)DPL as the basic source of policies regulating data exchange and the idea of a multi-step e-DSA definition phase that incrementally increases the contract granularity. To the best of our knowledge, this is one of the first attempts to investi- gate how a real DPL can be translated into privacy rules electronically manageable by a devoted e-DSA-based infrastructure.?

Towards Safer Information Sharing in the Cloud

Web interactions usually require the exchange of personal and confidential information for a variety of purposes, including enabling business transactions and the provisioning of services. A key issue affecting these interactions is the lack of trust and control on how data is going to be used and processed by the entities that receive it. In the traditional world, this problem is addressed by using contractual agreements, those are signed by the involved parties, and law enforcement. This could be done electronically as well but, in ad- dition to the trust issue, there is currently a major gap between the definition of legal contracts regulat- ing the sharing of data, and the software infrastructure required to support and enforce them. How to enable organisations to provide more automation in this pro- cess? How to ensure that legal contracts can be actually enforced by the underlying IT infrastructure? How to enable end-users to express their preferences and con- straints within these contracts? This article describes our R&D work to make progress towards addressing this gap via the usage of electronic Data Sharing Agree- ments (e-DSA). The aim is to share our vision, discuss the involved challenges and stimulate further research and development in this space. We specifically focus on a cloud scenario because it provides a rich set of?use cases involving interactions and information shar- ing among multiple stakeholders, including users and service providers.?