Verified iptables Firewall Analysis and Verification

Cornelius Diekmann, Lars Hupel, Julius Michaelis, Maximilian Haslbeck, Georg Carle
2018 Journal of automated reasoning  
This article summarizes our efforts around the formally verified static analysis of iptables rulesets using Isabelle/HOL.  ...  We build our work around a formal semantics of the behavior of iptables firewalls.  ...  We thank the network administrators for contributing and agreeing to publish their firewall configurations. Lars Noschinski contributed proofs to the formalization of the IP address space.  ... 
doi:10.1007/s10817-017-9445-1 pmid:30069072 pmcid:PMC6044321 fatcat:jgqymzilcbdfpk5xwov7igpilq

Semantics-Preserving Simplification of Real-World Firewall Rule Sets [chapter]

Cornelius Diekmann, Lars Hupel, Georg Carle
2015 Lecture Notes in Computer Science  
This is due to the complex chain model used by iptables, but also to the vast amount of possible match conditions that occur in real-world firewalls, many of which are not understood by academic and open  ...  However, we found that none of the available tools could handle typical, real-world iptables rulesets.  ...  We thank Julius Michaelis for contributing his Shorewall firewall. We express our gratitude to both for agreeing to publish their firewalls.  ... 
doi:10.1007/978-3-319-19249-9_13 fatcat:mln2demhqndo7loxmfmarj23gm

A Stateful Mechanism for the Tree-Rule Firewall

Thawatchai Chomsiri, Xiangjian He, Priyadarsi Nanda, Zhiyuan Tan
2014 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications  
commercial and open source firewalls including IPTABLES, the most popular firewall.  ...  The experimental results show that our model performs more efficiently in comparison with the Netfilter/IPTABLES.  ...  FIREWALL IMPLEMENTATION AND EXPERIMENTAL ANALYSIS We implement the Tree-rule firewall using C language on Linux CentOS 6.3, and conduct experiments on real network environments.  ... 
doi:10.1109/trustcom.2014.20 dblp:conf/trustcom/ChomsiriHNT14 fatcat:tm57b522ovd67luvuusakamrre

Agile Network Access Control in the Container Age

Cornelius Diekmann, Johannes Naab, Andreas Korsten, Georg Carle
2018 IEEE Transactions on Network and Service Management  
Our toolset is formally verified using Isabelle/HOL and is available as Open Source.  ...  Horizontal Enhancements: Most analysis tools make simplifying assumptions about the underlying network boxes. Diekmann et al. [19] present simplification of iptables firewalls.  ...  She also verifies the generated iptables rules with fffuu.  ... 
doi:10.1109/tnsm.2018.2889009 fatcat:zwrjmvyvi5hv5fa5impjeq4try

Analysis of Performance and Efficiency of Hardware and Software Firewalls

Wojciech Konikiewicz, Marcin Markowski
2017 Journal of Applied Computer Science Methods  
We report results of experiments, present analysis and formulate a few practical conclusions.  ...  Firewalls are key elements of network security infrastructure.  ...  The goal of this work is to perform a comparative analysis of three types of firewall: two hardware solutions (Cisco ASA and Juniper), software solution installed on Linux (IPTables) and the virtual one  ... 
doi:10.1515/jacsm-2017-0003 fatcat:s2nyyx2wuvdvflrx3mfjivtaku

Certifying spoofing-protection of firewalls

Cornelius Diekmann, Lukas Schwaighofer, Georg Carle
2015 2015 11th International Conference on Network and Service Management (CNSM)  
We present an algorithm to certify IP spoofing protection of firewall rulesets. The algorithm is machine-verifiably proven sound and its use is demonstrated in real-world scenarios.  ...  Cisco PIX) firewall systems. II. RELATED WORK There are several popular static firewall analysis tools.  ...  For Linux netfilter/iptables firewalls [11] , we present an algorithm to certify spoofing protection of a ruleset.  ... 
doi:10.1109/cnsm.2015.7367354 dblp:conf/cnsm/DiekmannSC15 fatcat:mogx2ivia5h2zi6eerqfcnyaha

Model-Driven Extraction and Analysis of Network Security Policies [chapter]

Salvador Martínez, Joaquin Garcia-Alfaro, Frédéric Cuppens, Nora Cuppens-Boulahia, Jordi Cabot
2013 Lecture Notes in Computer Science  
To tackle this problem, we propose a model-driven reverse engineering approach able to extract the security policy implemented by a set of firewalls in a working network, easing the understanding, analysis  ...  Firewalls are a key element in network security. They are in charge of filtering the traffic of the network in compliance with a number of access-control rules that enforce a given security policy.  ...  of this kind of firewall access-control policies.  ... 
doi:10.1007/978-3-642-41533-3_4 fatcat:xgvdkyv2bnc6rm2ag665scguuu

Expert Rules of Firewall: A Technique to Construct and Modified a Set of Rules

Koh May Fern, Sharipah Setapa
2015 International Journal of Information and Education Technology  
Firewalls are always changing based on organizational policy, which makes the person in charge of the firewall take a long time to amend and verify the rules.  ...  The rule is applied to the firewall based on specific parameters.  ...  Patterns derived from the analysis can be manipulated to design other patterns for ease of use. II.  ... 
doi:10.7763/ijiet.2015.v5.644 fatcat:yj3kqvkpkbgz7jg6x6rznjoymq

Provably Secure Networks: Methodology and Toolset for Configuration Management [article]

Cornelius Diekmann
2017 arXiv   pre-print
Our second tool facilitates the analysis of existing iptables configurations. Combined, the two form a powerful toolset.  ...  Using the Isabelle interactive proof assistant, we develop two automated, formally verified tools which help uncovering and preventing bugs in network-level access control configurations.  ...  We thank all the (anonymous) administrators who donated their firewall configs to our research. I would like to express my gratitude to Prof. Dr.-Ing.  ... 
arXiv:1708.08228v1 fatcat:ljgwja2k6jgunl5g45jnptqx5m

Model Checking Firewall Policy Configurations

Alan Jeffrey, Taghrid Samak
2009 2009 IEEE International Symposium on Policies for Distributed Systems and Networks  
Existing techniques for firewall policy analysis are based on decision diagrams, most normally reduced ordered Binary Decision Diagrams (BDDs).  ...  In this paper, we show that the extra structure provided by BDDs is not necessary for firewall policy analysis, and that SAT solvers are sufficient.  ...  [3] , a dynamic network analysis is performed to verify security properties in networks with changing topologies.  ... 
doi:10.1109/policy.2009.32 dblp:conf/policy/JeffreyS09 fatcat:wz4qdo5j75bs7oecxze34rgeeu

Language-Independent Synthesis of Firewall Policies

Chiara Bodei, Pierpaolo Degano, Letterio Galletta, Riccardo Focardi, Mauro Tempesta, Lorenzo Veronese
2018 2018 IEEE European Symposium on Security and Privacy (EuroS&P)  
the firewall behavior and the NAT.  ...  Configuring and maintaining a firewall configuration is notoriously hard.  ...  In [29] the Margrave policy analyzer is applied to the analysis of IOS firewalls.  ... 
doi:10.1109/eurosp.2018.00015 dblp:conf/eurosp/BodeiDGFTV18 fatcat:krdeuifjjzagzfwhvuopvrndvy

SERA: SEgment Routing Aware Firewall for Service Function Chaining scenarios

Ahmed Abdelsalam, Stefano Salsano, Francois Clad, Pablo Camarillo, Clarence Filsfils
2018 2018 IFIP Networking Conference (IFIP Networking) and Workshops  
We present the design and implementation of the SERA (SEgment Routing Aware) firewall, which extends the Linux iptables firewall.  ...  In its basic mode the SERA firewall works like the legacy iptables firewall (it can reuse an identical set of rules), but with the great advantage that it can operate on the SR encapsulated packets with  ...  From the requirements, we design the architecture of the proposed SEgment Routing Aware (SERA) firewall, which extends the iptables firewall.  ... 
doi:10.23919/ifipnetworking.2018.8697021 dblp:conf/networking/AbdelsalamSCCF18 fatcat:h65bv2irjzdzlkf63ioot2cljm

Management of Exceptions on Access Control Policies [chapter]

J. G. Alfaro, F. Cuppens, N. Cuppens-Boulahia
2007 IFIP International Federation for Information Processing  
., deployment of permissions and prohibitions on firewalls through single-handed positive or negative condition attributes).  ...  We then point out the necessity of full expressiveness for combining both negative and positive conditions in firewall languages in order to improve this management of exceptions on access control policies  ...  We shall observe that in order to deploy this example over a firewall based on Netfilter we should first verify whether its version of IPTables has been patched to properly manage ranges.  ... 
doi:10.1007/978-0-387-72367-9_9 fatcat:j4dcuyfarrb57a2oiw4j4wbms4

Demilitarized network to secure the data stored in industrial networks

José R. Nuñez Alvarez, Yelena Pérez Zamora, Israel Benítez Pina, Eliana Noriega Angarita
2021 International Journal of Power Electronics and Drive Systems (IJPEDS)  
In addition, the characteristics, configurations, methods, and rules of DMZs and firewalls are shown, and the configuration with three multi-legged firewalls is selected as the most appropriate for our application  ...  This paper presents the design and simulation of a demilitarized network (DMZ) using firewalls to control access to all the information that is stored in the servers of the industrial network of the Hermanos  ...  Firewall configuration in iptables Linux To define the application-type firewall rules, the iptables tool was used, which defines the security policies for packet filtering and which takes into account 2  ... 
doi:10.11591/ijece.v11i1.pp611-619 fatcat:gwtovqznsveqrhyufyhg3qqdte

Management of stateful firewall misconfiguration

Joaquin Garcia-Alfaro, Frédéric Cuppens, Nora Cuppens-Boulahia, Salvador Martinez, Jordi Cabot
2013 Computers & security  
Firewall configurations are evolving into dynamic policies that depend on protocol states. As a result, stateful configurations tend to be much more error prone.  ...  Such situations lead to configurations in which actions on certain packets are conducted by the firewall, while other related actions are not. We address automatic solutions to handle these problems.  ...  Notice that the analysis technique could also verify that all possible paths are covered, i.e., verifying redundant stateful rules covering the automaton as a whole.  ... 
doi:10.1016/j.cose.2013.01.004 fatcat:hweorplxdzainntslov6yjdim4