6 research outputs found

    Packet flow analysis in IP networks via abstract interpretation

    Static analysis (aka offline analysis) of a model of an IP network is useful for understanding, debugging, and verifying packet flow properties of the network. There have been static analysis approaches proposed in the literature for networks based on model checking as well as graph reachability. Abstract interpretation is a method that has typically been applied to static analysis of programs. We propose a new, abstract-interpretation based approach for analysis of networks. We formalize our approach, mention its correctness guarantee, and demonstrate its flexibility in addressing multiple network-analysis problems that have been previously solved via tailor-made approaches. Finally, we investigate an application of our analysis to a novel problem -- inferring a high-level policy for the network -- which has been addressed in the past only in the restricted single-router setting.
    Comment: 8 page

    Directed Security Policies: A Stateful Network Implementation

    Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover.
    Comment: In Proceedings ESSS 2014, arXiv:1405.055

    A Modified Hybrid Port Knocking Technique for Host Authentication A Review

    The main objective is to develop and assess the performance of a new PK technique, which may avert all kinds of port attacks and meet all network security requirements. Port knocking is a crucial concept for securing services provided by servers. By a predefined port knock sequence the server establishes whether or not a request is a legitimate request for a service. The new technique utilizes three known ideas: port-knocking (PK), steganography, and mutual authentication; therefore, it is referred to as the hybrid port-knocking (HPK) technique. It can be used for host authentication to make local services invisible from port scanning, giving an additional layer of security. This paper analyzes the network security concept of port knocking and assesses its quality as a firewall authentication mechanism for opening network ports or performing certain actions on servers. This paper develops and evaluates the performance of a newly proposed modified hybrid port knocking (MHPK) technique with a proposed encryption/decryption technique. The proposed technique is meant to prevent different kinds of port attacks and fulfill the complete security demands of the network. The proposed technique is the combination of four ideas: port knocking (PK), symmetric key encryption/decryption, steganography, and mutual authentication. Primarily it is an improved modification of hybrid port knocking; therefore, it is referred to as the modified hybrid port-knocking (MHPK) technique.

    Distributed Perimeter Firewall Policy Management Framework

    Title from PDF of title page viewed January 9, 2018
    Dissertation advisor: Vijay Kumar
    Vita
    Includes bibliographical references (pages 66-72)
    Thesis (Ph.D.)--School of Computing and Engineering. University of Missouri--Kansas City, 2017
    A perimeter firewall is the first line of defense that stops unwanted packets (based on defined firewall policies) entering the organization that deploys it. In the real world, every organization maintains a perimeter firewall between the internet (which could be untrusted) and its own network (private network). In addition, organizations maintain internal firewalls to safeguard individual departments and data center servers based on various security and privacy requirements. In general, if we consider the firewall setup in a multinational organization's network environment, every branch has a perimeter firewall and a set of internal firewalls. Every branch has its own security policies defined based on its specific security requirements, type of information, information processing systems, location-based compliance requirements, etc. As the branches of multinational organizations span across the globe, managing the policies at every branch and ensuring the compliance and consistency of security policies are quite complex. Any misconfiguration of firewall policies even at a single branch may pose a risk to the overall organization in terms of financial loss and reputation. In this dissertation, we present our framework to automate the policy management of distributed perimeter firewalls of a multi-national organization. We introduce new categories of policies to support centralized management of distributed firewalls and to ensure consistency and compliance of organizational and location-based policies. We define procedures for the initialization of firewall policies and policy updates. Our scheme is highly automated and needs minimal human intervention to incorporate a set of new policies or update existing policies in distributed firewalls.
    Introduction -- Literature review -- Distributed perimeter firewall policy management -- Efficient design of Firewall temporal policies -- Identification of unsafe locations in IP and cellular based networks -- Conclusion and future wor

    Formal analysis of firewall policies

    This dissertation describes a technique for formally analyzing a firewall security policy using a quasi-reduced multiway decision diagram model. The analysis allows a system administrator to detect and repair errors in the configuration of the firewall without a tedious manual inspection of the firewall rules.

    We present four major contributions. First, we describe a set of algorithms for representing a firewall rule set as a multi-way decision diagram and for solving logical queries against that model. We demonstrate the application of these techniques in a tool for analyzing iptables firewalls. Second, we present an extension of our work that enables analysis of systems of connected firewalls and firewalls that use network address translation and other packet mangling rules. Third, we demonstrate a technique for decomposing a network into classes of equivalent hosts. These classes can be used to detect errors in a firewall policy without a priori knowledge of potential vulnerabilities. They can also be used with other firewall testing techniques to ensure comprehensive coverage of the test space. Fourth, we discuss a strategy for partially automating repair of the firewall policy through the use of counterexamples and rule history.

    Using these techniques, a system administrator can detect and repair common firewall errors, such as typos, out-of-order rules, and shadowed rules. She can also develop a specification of the behaviors of the firewall and validate the firewall policy against that specification.