133 research outputs found
SecSip: A Stateful Firewall for SIP-based Networks
SIP-based networks are becoming the de-facto standard for voice, video and
instant messaging services. Being exposed to many threats while playing a
major role in the operation of essential services, the need for dedicated
security management approaches is rapidly increasing. In this paper we present
an original security management approach based on a specific vulnerability-aware
SIP stateful firewall. Through known attack descriptions, we illustrate
the power of the firewall's configuration language, which uses the
capability to specify stateful objects that track data from multiple SIP
elements within their lifetime. We demonstrate through measurements on a real
implementation of the firewall its efficiency and performance.
Performance of Network and Service Monitoring Frameworks
The efficiency and the performance of management systems are becoming a hot
research topic within the networks and services management community. This
concern is due to the new challenges of large-scale managed systems, where the
management plane is integrated within the functional plane and where management
activities have to carry accurate and up-to-date information. We defined a set
of primary and secondary metrics to measure the performance of a management
approach. Secondary metrics are derived from the primary ones and quantify
mainly the efficiency, the scalability and the impact of management activities.
To validate our proposals, we have designed and developed a benchmarking
platform dedicated to the measurement of the performance of a JMX manager-agent
based management system. The second part of our work deals with the collection
of measurement data sets from our JMX benchmarking platform. We mainly studied
the effect of both load and the number of agents on the scalability, the impact
of management activities on the user-perceived performance of a managed server
and the delays of JMX operations when carrying variable values. Our findings
show that most of these delays follow a Weibull statistical distribution. We
used this statistical model to study the behavior of a monitoring algorithm
proposed in the literature under heavy-tailed delay distributions. In this case,
the view of the managed system on the manager side becomes noisy and out of
date.
Security Analysis of Internet of Things Devices: Hands-on lab
Powering Monitoring Analytics with ELK stack
Machine-generated data, including logs and network flows, are growing considerably, and their collection, searching, and visualization is a challenging task for (a) daily administrator activities and (b) researchers aiming to extract analytics and insights from monitoring data for their research goals, including among others security or the modeling of networks and systems. This tutorial introduces the open source ELK stack and its components, including Elasticsearch for deep search and data analytics, Logstash for centralized logging, log enrichment, and parsing, and Kibana for powerful and beautiful data visualizations. ELK enables the analysis and visualization of monitoring data, such as logs and netflows. The first part of the tutorial details these individual components. The second part provides guidelines for the deployment and configuration of ELK components. In the third part, participants will perform hands-on practical work for collecting, processing, and enriching logs and netflows, combined with the creation of associated visualizations and dashboards.
Extension of a network monitoring tool with IPv6 features (Ntop)
To support IPv6, most management frameworks need advanced extensions. In the context of the 6net project we contribute to this evolution by extending Open Source frameworks. In this report we present our porting of a network monitoring tool called ntop to IPv6. Ntop is an open source web-based network usage monitor that enables users to track relevant network activities including network utilisation, established connections, network protocol usage and traffic classification.
Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks
Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties, such as the absence of black holes or loops and shadowing freedom, and that they are coherent with the underlying security policy.
Information Elements for device location in IPFIX
IETF Internet-Draft. This document defines a set of Information Elements for the IP Flow Information Export (IPFIX) protocol to represent location information of any device (mobile or not) acting as an IPFIX flow exporter. The specified Information Elements support geodetic and civic location data.
Automatic Generation of Security Policies for SecSIP
Session Sécurité Réseau. We present a method for the automatic generation of protection measures against the exploitation of known vulnerabilities in the SIP protocol. These countermeasures are described as specifications in a dedicated language, named VeTo. Our method relies on genetic algorithms to generate these specifications from a set of exploit messages. This type of algorithm allowed us to automatically generate regular expressions that best capture a malformation in an exploit message or a malicious sequence of messages. These regular expressions are then translated into VeTo specifications to feed the SecSIP firewall dedicated to the protection of SIP-based environments.
Using COPS for managing Active Network Nodes
We propose a Common Open Policy Service (COPS) based architecture to manage Active Network Elements. We use the generic term Active Elements to refer to any active network component on a node, such as an Execution Environment (EE), an Active Application (AA) or any component of an EE or an AA. Our approach consists in the definition of a new client type, called COPS-ANEL, for the COPS protocol to support the management of these active network elements. The client type supports both the Outsourcing and the Provisioning models of COPS to achieve admission control, configuration and monitoring of Active Elements. We define a set of policies for the two models to be applied when an event occurs on the Execution Environment and needs a response from the policy server. By using COPS-based management, an active network provider can control and monitor active elements. Our clients have been plugged into the FLAME Execution Environment, an active networking platform developed in our research group.
On the Impact of Synchronization Attacks on Distributed and Cooperative Control in Microgrid Systems
Microgrids are adopted to provide distributed generation of renewable energy resources and scalable integration of loads. To ensure the reliability of their power system operations, distributed and cooperative control schemes are proposed by integrating communication networks at their control layers. However, the information exchanged over the communication channels is vulnerable to malicious attacks aiming to introduce voltage instability and blackouts. In this paper, we design and evaluate a novel type of attack on the cooperative control and communication layers in microgrids, where the attacker targets the communication links between distributed generators (DGs) and manipulates the reference voltage data exchanged by their controllers. We analyze the control-theoretic and detectability properties of this attack to assess its impact on reference voltage synchronization at the different control layers of a microgrid. Results from numerical simulation are presented to demonstrate this attack, and the maximum voltage deviation and inaccurate reference voltage synchronization it causes in the microgrid.
- …