    End-to-end Verification of QoS Policies

    Abstract—Configuring a large number of routers and network devices to achieve quality of service (QoS) goals is a challenging task. In a differentiated services (DiffServ) environment, traffic flows are assigned specific classes of service, and service level agreements (SLA) are enforced at routers within each domain. We present a model for QoS configurations that facilitates efficient property-based verification. Network configuration is given as a set of policies governing each device. The model efficiently checks the required properties against the current configuration using computation tree logic (CTL) model checking. By symbolically modeling possible decision paths for different flows from source to destination, properties can be checked at each hop, and assessments can be made on how closely configurations adhere to the specified agreement. The model also covers configuration debugging given a specific QoS violation. Efficiency and scalability of the model are analyzed for policy per-hop behavior (PHB) parameters over large network configurations.

    Energy consumption models and predictions for large-scale systems

    Responsible, efficient and well-planned power consumption is becoming a necessity for monetary returns and scalability of computing infrastructures. While there is a variety of sources from which power data can be obtained, analyzing this data is an intrinsically hard task. In this paper, we propose a data analysis pipeline that can handle the large-scale collection of energy consumption logs, apply sophisticated modeling to enable accurate prediction, and evaluate the efficiency of the analysis approach. We present the analysis of a power consumption data set collected over a 6-month period from two clusters of the Grid'5000 experimentation platform used in production. To solve the large data challenge, we used Hadoop with Pig data processing to generate a summary of the data that provides basic statistical aggregations over different time scales. The aggregate data is then analyzed as a time series using sophisticated modeling methods with the R statistical software. Energy models from such a large dataset can help in understanding the evolution of consumption patterns, predicting future energy trends, and providing a basis for generalizing the energy models to similar large-scale systems.

    Firewall Policy Reconnaissance: Techniques and Analysis

    Firewall policy reconstruction by active probing: An attacker’s view

    Abstract—Having a firewall policy that is correct and complete is crucial to the safety of the computer network. An adversary will benefit a lot from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing the firewall: sending tailored packets into a network and forming an idea of what the policy looks like. We present two approaches for compiling this information into a policy that can be arbitrarily close to the original one used in the deployed firewall. The first approach is based on region growing from single firewall responses to sample packets. The other approach uses split-and-merge in order to divide the space of the firewall's rules and analyzes each part independently. Both techniques merge the results obtained into a more compact version of the reconstructed policies.

    An automated framework for validating firewall policy enforcement

    The implementations of network security devices such as firewalls and IDSs are constantly being improved to accommodate higher security and performance standards. Using reliable and yet practical techniques for testing the functionality of firewall devices, particularly after a new filtering implementation or optimization, becomes necessary to assure proven security. Generating random traffic to test the functionality of firewall matching is inefficient and inaccurate, as it requires an exponential number of test cases for reasonable coverage. In addition, in most cases the policies used during testing are limited and manually generated, representing fixed policy profiles. In this paper, we present a framework for automatic testing of firewall policy enforcement or implementation using efficient random traffic and policy generation techniques. Our framework is a two-stage architecture that provides satisfactory coverage of the firewall's operational states. A large variety of policies are randomly generated according to custom profiles and also based on the grammar of the access control list. Test packets are then generated intelligently and in proportion to the critical regions of the generated policies to validate the firewall's enforcement of such policies. We describe our implementation of the framework based on Cisco IOS, which includes policy generation, test case generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that automated security testing is not only achievable but also offers a dramatically higher degree of confidence than random or manual testing.