Packet flow analysis in IP networks via abstract interpretation
Static analysis (aka offline analysis) of a model of an IP network is useful
for understanding, debugging, and verifying packet flow properties of the
network. There have been static analysis approaches proposed in the literature
for networks based on model checking as well as graph reachability. Abstract
interpretation is a method that has typically been applied to static analysis
of programs. We propose a new, abstract-interpretation based approach for
analysis of networks. We formalize our approach, mention its correctness
guarantee, and demonstrate its flexibility in addressing multiple
network-analysis problems that have been previously solved via tailor-made
approaches. Finally, we investigate an application of our analysis to a novel
problem -- inferring a high-level policy for the network -- which has been
addressed in the past only in the restricted single-router setting.
Comment: 8 page
Directed Security Policies: A Stateful Network Implementation
Large systems are commonly internetworked. A security policy describes the
communication relationship between the networked entities. The security policy
defines rules, for example that A can connect to B, which results in a directed
graph. However, this policy is often implemented in the network, for example by
firewalls, such that A can establish a connection to B and all packets
belonging to established connections are allowed. This stateful implementation
is usually required for the network's functionality, but it introduces the
backflow from B to A, which might contradict the security policy. We derive
compliance criteria for a policy and its stateful implementation. In
particular, we provide a criterion to verify the lack of side effects in linear
time. Algorithms to automatically construct a stateful implementation of
security policy rules are presented, which narrows the gap between
formalization and real-world implementation. The solution scales to large
networks, which is confirmed by a large real-world case study. Its correctness
is guaranteed by the Isabelle/HOL theorem prover.
Comment: In Proceedings ESSS 2014, arXiv:1405.055
A Modified Hybrid Port Knocking Technique for Host Authentication: A Review
The main objective is to develop and assess the performance of a replacement PK technique, which may avert all kinds of port attacks and meet all network security requirements. Port knocking is a crucial concept for securing the services provided by servers: by a predefined port-knock sequence, the server establishes whether or not a request is a legitimate request for a service. The new technique utilizes three acknowledged ideas, namely port knocking (PK), steganography, and mutual authentication, and is therefore referred to as the hybrid port-knocking (HPK) technique. It can be used for host authentication to make local services invisible to port scanning, giving an additional layer of security. This paper presents an analysis of the network security concept of port knocking and assesses its quality as a firewall authentication mechanism for opening network ports or performing specific actions on servers. The paper develops and evaluates the performance of a newly proposed modified hybrid port knocking (MHPK) technique together with a proposed encryption/decryption technique. The proposed technique aims to stop different kinds of port attack and to fulfil the complete security demands of the network. It is the combination of four ideas: port knocking (PK), symmetric-key encryption/decryption, steganography, and mutual authentication. Primarily it is an improved modification of hybrid port knocking; therefore it is referred to as the modified hybrid port-knocking (MHPK) technique.
Distributed Perimeter Firewall Policy Management Framework
Title from PDF of title page viewed January 9, 2018. Dissertation advisor: Vijay Kumar. Vita. Includes bibliographical references (pages 66-72). Thesis (Ph.D.)--School of Computing and Engineering, University of Missouri--Kansas City, 2017.

A perimeter firewall is the first line of defense that stops unwanted packets (based on defined firewall policies) from entering the organization that deploys it. In the real world, every organization maintains a perimeter firewall between the internet (which could be untrusted) and its own private network. In addition, organizations maintain internal firewalls to safeguard individual departments and data center servers based on various security and privacy requirements. In general, if we consider the firewall setup in a multinational organization's network environment, every branch has a perimeter firewall and a set of internal firewalls. Every branch has its own security policies, defined based on its specific security requirements, type of information, information processing systems, location-based compliance requirements, etc. As the branches of multinational organizations span the globe, managing the policies at every branch and ensuring the compliance and consistency of security policies is quite complex. Any misconfiguration of firewall policies, even at a single branch, may pose a risk to the overall organization in terms of financial loss and reputation.

In this dissertation, we present our framework to automate the policy management of the distributed perimeter firewalls of a multinational organization. We introduce new categories of policies to support centralized management of distributed firewalls and to ensure consistency and compliance of organizational and location-based policies. We define procedures for the initialization of firewall policies and for policy updates. Our scheme is highly automatic and needs minimal human intervention to incorporate a set of new policies or to update existing policies in distributed firewalls.

Contents: Introduction -- Literature review -- Distributed perimeter firewall policy management -- Efficient design of Firewall temporal policies -- Identification of unsafe locations in IP and cellular based networks -- Conclusion and future wor
Formal analysis of firewall policies
This dissertation describes a technique for formally analyzing a firewall security policy using a quasi-reduced multiway decision diagram model. The analysis allows a system administrator to detect and repair errors in the configuration of the firewall without a tedious manual inspection of the firewall rules.

We present four major contributions. First, we describe a set of algorithms for representing a firewall rule set as a multiway decision diagram and for solving logical queries against that model. We demonstrate the application of these techniques in a tool for analyzing iptables firewalls. Second, we present an extension of our work that enables analysis of systems of connected firewalls and of firewalls that use network address translation and other packet mangling rules. Third, we demonstrate a technique for decomposing a network into classes of equivalent hosts. These classes can be used to detect errors in a firewall policy without a priori knowledge of potential vulnerabilities. They can also be used with other firewall testing techniques to ensure comprehensive coverage of the test space. Fourth, we discuss a strategy for partially automating repair of the firewall policy through the use of counterexamples and rule history.

Using these techniques, a system administrator can detect and repair common firewall errors, such as typos, out-of-order rules, and shadowed rules. She can also develop a specification of the behaviors of the firewall and validate the firewall policy against that specification.