
    SecSip: A Stateful Firewall for SIP-based Networks

    SIP-based networks are becoming the de facto standard for voice, video and instant messaging services. Being exposed to many threats while playing a major role in the operation of essential services, the need for dedicated security management approaches is rapidly increasing. In this paper we present an original security management approach based on a vulnerability-aware SIP stateful firewall. Through known attack descriptions, we illustrate the power of the firewall's configuration language, which provides the capability to specify stateful objects that track data from multiple SIP elements within their lifetime. We demonstrate the efficiency and performance of the firewall through measurements on a real implementation.

    Performance of Network and Service Monitoring Frameworks

    The efficiency and the performance of management systems is becoming a hot research topic within the networks and services management community. This concern is due to the new challenges of large-scale managed systems, where the management plane is integrated within the functional plane and where management activities have to carry accurate and up-to-date information. We defined a set of primary and secondary metrics to measure the performance of a management approach. Secondary metrics are derived from the primary ones and mainly quantify the efficiency, the scalability and the impact of management activities. To validate our proposals, we designed and developed a benchmarking platform dedicated to measuring the performance of a JMX manager-agent based management system. The second part of our work deals with the collection of measurement data sets from our JMX benchmarking platform. We mainly studied the effect of both load and the number of agents on scalability, the impact of management activities on the user-perceived performance of a managed server, and the delays of JMX operations when carrying variable values. Our findings show that most of these delays follow a Weibull statistical distribution. We used this statistical model to study the behavior of a monitoring algorithm proposed in the literature under a heavy-tailed delay distribution. In this case, the view of the managed system on the manager side becomes noisy and out of date.

    Powering Monitoring Analytics with ELK stack

    Machine-generated data, including logs and network flows, are growing considerably, and their collection, searching, and visualization is a challenging task for (a) daily administrator activities and (b) researchers aiming to extract analytics and insights from monitoring data for their research goals, including, amongst others, security or the modeling of networks and systems. This tutorial introduces the open source ELK stack and its components, including Elasticsearch for deep search and data analytics, Logstash for centralized logging, log enrichment, and parsing, and Kibana for powerful and beautiful data visualizations. ELK enables the analysis and visualization of monitoring data, such as logs and netflows. The first part of the tutorial details these individual components. The second part provides guidelines for the deployment and configuration of ELK components. In the third part, participants perform hands-on practical work for collecting, processing, and enriching logs and netflows, combined with the creation of associated visualizations and dashboards.

    Extension of a network monitoring tool with IPv6 features (Ntop)

    To support IPv6, most management frameworks need advanced extensions. In the context of the 6net project we contribute to this evolution by extending Open Source frameworks. In this report we present our porting of a network monitoring tool called ntop to IPv6. Ntop is an open source web-based network usage monitor that enables users to track relevant network activities, including network utilisation, established connections, network protocol usage and traffic classification.

    Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

    Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end-user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties, such as the absence of black holes or loops and shadowing freedom, and that they are coherent with the underlying security policy.

    Information Elements for device location in IPFIX

    IETF Internet-Draft. This document defines a set of Information Elements for the IP Flow Information Export (IPFIX) protocol to represent location information of any device (mobile or not) acting as an IPFIX flow exporter. The specified Information Elements support geodetic and civic location data.

    On the Impact of Synchronization Attacks on Distributed and Cooperative Control in Microgrid Systems

    Microgrids are adopted to provide distributed generation of renewable energy resources and scalable integration of loads. To ensure the reliability of their power system operations, distributed and cooperative control schemes are proposed by integrating communication networks at their control layers. However, the information exchanged over the communication channels is vulnerable to malicious attacks aiming to introduce voltage instability and blackouts. In this paper, we design and evaluate a novel type of attack on the cooperative control and communication layers in microgrids, where the attacker targets the communication links between distributed generators (DGs) and manipulates the reference voltage data exchanged by their controllers. We analyze the control-theoretic and detectability properties of this attack to assess its impact on reference voltage synchronization at the different control layers of a microgrid. Results from numerical simulation are presented to demonstrate this attack, and the maximum voltage deviation and inaccurate reference voltage synchronization it causes in the microgrid.

    VeTo: reference manual

    The SIP protocol is established as the de facto standard for media session signaling, in particular for voice-over-IP services. Many research works and alert bulletins have reported various vulnerabilities in this protocol. These vulnerabilities are either inherent to the protocol specification or arise as flaws within SIP stack implementations or erroneous configurations. To protect SIP-based networks from the exploitation of such vulnerabilities, patches may be released for the implementation bugs, the SIP specification may be revisited to cover the specification errors, and configuration guidelines can be issued to offer good configuration recipes to administrators. The time to patch and to revise the specification may be considerable. To overcome this problem, a first line of defense against SIP vulnerabilities has to be developed. In a previous work, we presented a stateful firewall architecture dedicated to the protection of SIP-based networks. The firewall runtime uses a domain-specific language called VeTo. Its design, syntax and semantics are described in this work.

    The SIP protocol is today the de facto standard for multimedia session signaling across the Internet. Several works as well as alert bulletins have reported the existence of various vulnerabilities in its deployments, its specifications, its implementations and its configurations. Protecting the SIP protocol from the exploitation of these vulnerabilities requires applying patches to its deployments as well as revising its specifications and publishing best-practice recipes for its configuration. These actions take considerable time before they are carried out. To solve these problems, a first line of defense needs to be put in place. In a previous work, we proposed a defense architecture relying on a firewall dedicated to the SIP protocol. This firewall is based on a language, named VeTo, dedicated to the specification of prevention rules against the vulnerabilities present in the SIP protocol. This report details its syntax, its semantics and its supporting infrastructure.

    Automatic generation of security policies for SecSIP

    Session Sécurité Réseau. We present a method for the automatic generation of protection measures against the exploitation of known vulnerabilities in the SIP protocol. These countermeasures are described as specifications in a dedicated language named VeTo. Our method relies on genetic algorithms to generate these specifications from a set of exploit messages. This type of algorithm allowed us to automatically generate regular expressions that best capture a malformation in an exploit message or a malicious sequence of messages. These regular expressions are then translated into VeTo specifications to feed the SecSIP firewall dedicated to the protection of SIP-based environments.