
    Misconfiguration in Firewalls and Network Access Controls: Literature Review

    Firewalls and network access controls play important roles in security control and protection. Those firewalls may create an incorrect sense or state of protection if they are improperly configured. One of the major configuration problems in firewalls is related to misconfiguration in the access control rules added to the firewall that control network traffic. In this paper, we evaluated recent research trends and open challenges related to firewalls and access controls in general and misconfiguration problems in particular. With the recent advances in next-generation (NG) firewalls, firewall rules can be auto-generated based on networks and threats. Nonetheless, due to the large number of rules in any medium to large network, rule misconfiguration may occur for several reasons and will impact the performance of the firewall and the overall network and protection efficiency.

    Open-source high-availability network security system

    Due to the growing number of cyber-attacks and the overall digital world knowledge, there is an urgent need to improve cyber security systems. Some of the measures implemented in these systems use network monitoring systems. This document regards a security system with a similar approach focused on prevention and reaction to a shortage of service. It is an Open-Source solution aiming to prevent DDoS attacks and adapt a network to real-time failures through smart configurations of security devices like Firewalls and Load-Balancers. The system is capable of periodically monitoring the state of the devices, as well as reconfiguring routing policies and packet filtering rules in scenarios of cyber attacks. Moreover, it provides an interface of interaction with the network admin to deliver data regarding the state of the security equipment and the connection between them, enhancing traffic flow analysis and preventive implementation of traffic filtering rules in Firewalls. As for technologies, these changes in the machines were designed to be implemented in IPTables and NFTables to be compatible with most Linux distributions. The monitoring and reconfiguration process was automated with Python scripts and SSH connections. The whole testing scenario was developed while being simulated with GNS3 and VirtualBox, interacting with a physical computer hosting the system. All functionalities defined along the document were tested and showed positive results.

    Currently, due to the growing number of cyber attacks and the general public's knowledge of the digital world, there is an urgent need to improve cyber security measures. Some of these measures involve implementing network monitoring mechanisms. This dissertation addresses a security system that implements a similar mechanism, with the capacity to prevent and react to possible failures. It focuses on the implementation of an Open-Source solution aimed at preventing DDoS attacks and adapting a network to difficulties experienced in real time, through intelligent configuration of security equipment such as Load-Balancers and Firewalls. The system is capable of periodically monitoring the state of these machines, as well as reconfiguring routing policies and traffic filtering rules in scenarios where equipment fails due to cyber attacks. Moreover, it provides an interface for interaction with the network administrator to supply data about each machine and the links that make up the security infrastructure, enabling analysis of traffic flows and application of filtering rules in Firewalls. As for technologies, configurations were prepared in both IPTables and NFTables, in order to be compatible with the largest possible number of Linux distributions. The monitoring process and the deployment of new rules are automated through the Python language and SSH connections. The test scenario was simulated on virtual machines using the VirtualBox and GNS3 software, interacting with the system deployed on a real computer, and all the functionalities defined throughout the document could be tested with positive results. Master's in Computer and Telematics Engineering.

    Optimising Firewall Performance in Dynamic Networks

    More and more devices connect to the internet, which means that a lot of sensitive information will be stored in various networks. In order to secure this information and manage the large amount of inevitable network traffic that these devices create, an optimised firewall is needed. In order to meet this demand, the thesis proposes two algorithms for solving the problem. The first algorithm will minimise the rule matching time by using a simple condition for performing swapping that preserves both the firewall consistency and the firewall integrity and ensures a greedy reduction of the matching time. The solution is novel in itself and can be considered a generalisation of the algorithm proposed by Fulp in the paper 'Optimization of network firewall policies using ordered sets and directed acyclical graphs'. The second algorithm will read the network traffic and provide network statistics to the first algorithm. The solution is a novel modification of the algorithm by Oommen and Rueda in the paper 'Stochastic learning-based weak estimation of multinomial random variables and its applications to pattern recognition in non-stationary environments'. It will be shown, through experiments, that both algorithms are able to solve the problem of optimising a firewall.

    Abstracting network policies

    Almost every human activity in recent years relies either directly or indirectly on the smooth and efficient operation of the Internet. The Internet is an interconnection of multiple autonomous networks that work based on agreed-upon policies between various institutions across the world. The network policies guiding an institution's computer infrastructure both internally (such as firewall relationships) and externally (such as routing relationships) are developed by a diverse group of lawyers, accountants, network administrators and managers, amongst others. Network policies developed by this group of individuals are usually drawn up on a white-board in a graph-like format. It is, however, the responsibility of network administrators to translate and configure the various network policies that have been agreed upon. The configuration of these network policies is generally done on physical devices such as routers, domain name servers, firewalls and other middle boxes. The manual configuration process of such network policies is known to be tedious, time consuming and prone to human error, which can lead to various network anomalies in the configuration commands. In recent years, many research projects and corporate organisations have to some level abstracted the network management process with emphasis on network devices (such as Cisco VIRL) or individual network policies (such as Propane). [Continues.]

    Acta Cybernetica : Volume 17. Number 2.


    How to accelerate your internet : a practical guide to bandwidth management and optimisation using open source software

    xiii, 298 p. : ill. ; 24 cm. Electronic book.
    Access to sufficient Internet bandwidth enables worldwide electronic collaboration, access to informational resources, rapid and effective communication, and grants membership to a global community. Therefore, bandwidth is probably the single most critical resource at the disposal of a modern organisation. The goal of this book is to provide practical information on how to gain the largest possible benefit from your connection to the Internet. By applying the monitoring and optimisation techniques discussed here, the effectiveness of your network can be significantly improved.

    The 4th Conference of PhD Students in Computer Science


    Use of Service Oriented Architecture for Scada Networks

    Supervisory Control and Data Acquisition (SCADA) systems involve the use of distributed processing to operate geographically dispersed endpoint hardware components. They manage the control networks used to monitor and direct large-scale operations such as utilities and transit systems that are essential to national infrastructure. SCADA industrial control networks (ICNs) have long operated in obscurity and been kept isolated largely through strong physical security. Today, Internet technologies are increasingly being utilized to access control networks, giving rise to a growing concern that they are becoming more vulnerable to attack. Like SCADA, distributed processing is also central to cloud computing or, more formally, the Service Oriented Architecture (SOA) computing model. Certain distinctive properties differentiate ICNs from the enterprise networks that cloud computing developments have focused on. The objective of this project is to determine if modern cloud computing technologies can also be applied to improving dated SCADA distributed processing systems. Extensive research was performed regarding control network requirements as compared to those of general enterprise networks. Research was also conducted into the benefits, implementation, and performance of SOA to determine its merits for application to control networks. The conclusion developed is that some aspects of cloud computing might be usefully applied to SCADA systems but that SOA fails to meet ICN requirements in certain essential areas. The lack of current standards for SOA security presents an unacceptable risk to SCADA systems that manage dangerous equipment or essential services. SOA network performance is also not sufficiently deterministic to suit many real-time hardware control applications. Finally, SOA environments cannot as yet address the regulatory compliance assurance requirements of critical infrastructure SCADA systems.

    Conflict detection in software-defined networks

    The SDN architecture facilitates the flexible deployment of network functions. While promoting innovation, this architecture also induces a higher chance of conflicts compared to conventional networks. The detection of conflicts in SDN is the focus of this work. Restrictions of the formal analytical approach drive our choice of an experimental approach, in which we determine a parameter space and a methodology to perform experiments. We have created a dataset covering a number of situations occurring in SDN. The investigation of the dataset yields a conflict taxonomy composed of various classes organized in three broad types: local, distributed and hidden conflicts. Interestingly, hidden conflicts caused by side-effects of control applications' behaviour are completely new. We introduce the new concept of multi-property set, and the ·r ("dot r") operator for the effective comparison of SDN rules. With these capable means, we present algorithms to detect conflicts and develop a conflict detection prototype. The evaluation of the prototype justifies the correctness and the realizability of our proposed concepts and methodologies for classifying as well as for detecting conflicts. Altogether, our work establishes a foundation for further conflict handling efforts in SDN, e.g., conflict resolution and avoidance. In addition, we point out challenges to be explored. Cuong Tran won the DAAD scholarship for his doctoral research at the Munich Network Management Team, Ludwig-Maximilians-Universität München, and achieved the degree in 2022. He loves to do research on policy conflicts in networked systems, IP multicast and alternatives, network security, and virtualized systems. Besides, teaching and sharing are also among his interests.