L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

Ligang Dong,Feng Luo,Weiming Wang,Ke Chen

DOI: https://doi.org/10.4028/www.scientific.net/amr.216.440

2011-01-01

Advanced Materials Research

Abstract:In order to meet the extensibility and flexibility requirement of next generation network, ForCES working group of IETF proposes an architecture with the separation of Forwarding Element and Control Element. A firewall with ForCES architecture will have enough flexibility on security function extensibility. This paper not only designs the ForCES architecture of status package inspection firewall and related LFB (Logic Functional Block), but also implements a prototype system and carries out tests and analysis. The experiment result testifies the feasibility of ForCES specification and provides the important technical parameter for the ForCES security application.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Wei Xiong

2009-01-01

Abstract:With the speedy developing of computer technology ,the consumer quantity of internet intranet rapidly increasing, and the research, implement, and application of the new service of the network. The network security of computer is becoming Important day by day, and this is a key factor which has influenced the deeply development for network. Past the security protection of the most traditional firewall mechanism However, as networks and technological development, the traditional firewall has gradually failed to meet security needs. This paper has brought traditional firewall problems Based on the Kerberos authentication Distributed firewall new architecture, preservation of traditional firewall merits on the basis of the traditional firewall solution to the hidden dangers.Among the main research work are : (1)to the Kerberos protocol to the foundation Comprehensive network security software algorithm rational use of firewall related knowledge and to the internal security of distributed network firewall systems; (2)structure is built to a modular design and the use of a simplified, based on the public key of the Kerberos protocol, transparent certification;(3)the integrated use of security authentication, access control, authorization, confidentiality, audited and centralized management and other network security technology, which not only satisfies the reliability of the system performance, Management can achieve operational flexibility. Of massive internal network users need to focus on the protection of network resources to provide a manageable, distributed network security environment.

Andriy Luntovskyy,Mykhailo Klymash

DOI: https://doi.org/10.20535/2411-2976.22017.44-48

2017-12-28

Information and Telecommunication Sciences

Abstract:Background. Modern firewall systems are compared to classical concepts. The filtering rules are analyzed on the examples of the leading solutions (presented by Gartner Inc.). The collaborative intrusion detection systems and networks as well as the threats based on the insider attacks on CIDN are examined. A common CIDN functionality catalogue is discussed. The aspects of the application of modern systems of network intrusion detection and prevention by the peculiarities of their implementation at different levels are considered in accordance with the model of ISO/OSI. Brief recommendations on the use of known network security solutions in the construction of modern infocommunication networks to overcome various types of threats, in particular DoS type, virus and social engineering, are given. Objective. The aim of the paper is to study the implementation and application of modern concepts of firewalls and collaborative network intrusion detection systems. Methods. The research was carried out based on analysis of a large number of literary sources, the theory of building information security systems and avenues of manufacturers of systems for detecting and preventing network intrusion. Results. The advanced firewalls like SMLIF, IPS, the collaborative intrusion detection systems gain in importance increasingly nowadays. They can be also deployed within the scenarios of NFC and IoT (Internet of Things). The FW and IDS are often combined into individual participating peers (LAN, WLAN, 2G-4G, NFC and Bluetooth) with possibility of collaboration and better prevention of both external and insider attacks. Conclusions. The conducted research indicates the need to improve the implementation of modern network architecture with the use of integrated systems for detecting and counteracting network attacks. Despite the wide variety of network security solutions, this area of research remains relevant and suggests that the development of new concepts for protecting network architectures meets the current state of the industry, is timely and relevant, given the wide range of capabilities and scenarios for malicious intrusions and network system impacts. Keywords: firewall; network attacks; intrusion detection systems; intrusion prevention systems; CIDN.

Simon Schütz,Henrik Abrahamsson,Bengt Ahlgren,Marcus Brunner

DOI: https://doi.org/10.1016/j.comnet.2009.10.015

IF: 5.493

2010-05-01

Computer Networks

Abstract:The Internet Protocol (IP) has been proven very flexible, being able to accommodate all kinds of link technologies and supporting a broad range of applications. The basic principles of the original Internet architecture include end-to-end addressing, global routeability and a single namespace of IP addresses that unintentionally serves both as locators and host identifiers. The commercial success and widespread use of the Internet have lead to new requirements, which include Internetworking over business boundaries, mobility and multi-homing in an untrusted environment. Our approach to satisfy these new requirements is to introduce a new Internetworking layer, the node identity layer. Such a layer runs on top of the different versions of IP, but could also run directly on top of other kinds of network technologies, such as MPLS and 2G/3G PDP contexts. This approach enables connectivity across different communication technologies, supports mobility, multi-homing, and security from ground up. This paper describes the Node Identity Architecture in detail and discusses the experiences from implementing and running a prototype.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jian Xie

2004-01-01

Abstract:It is hard for single- functioned secure products to meet the current demand,and the trend begin to change towards Integration.A frame of firewall based on Linux is discussed as to improve the ability of security control.

YANG Xin,LI Hui,QUE Jianming,MA Zhentai,LI Gengxin,YAO Yao,WANG Bin,JIANG Fuli

DOI: https://doi.org/10.11896/jsjkx.220600265

2023-01-01

Abstract:Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century.However,serious security incidents emerged from attacks based on traditional networks.Traditional security mechanisms(e.g.,firewalls,intrusion detection systems) enhance security.However,most of them only provide some remedial strategies rather than solve the address-security problem radically due to the lack of change in network design.The overall in-depth security of the networked system cannot be guaranteed without a fundamental change.In order to meet the development requirements of the next generation of an endogenous security network,one of the future networks,the multi-identifier network(MIN),is introduced as our research background.This paper proposes an efficient scheme in hieratical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers.At the network layer,the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability.At the application layer,the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures.This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks.This paper tests and evaluates the proposed scheme from a theoretical and practical perspective.An analytical model is built based on the random walk for theoretical evaluation.In experiments,the proposed scheme is developed in MIN as MIN-VPN.Then considering IP-VPN as a baseline,anti-attack tests are conducted on IP-VPN and MIN-VPN.The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost,demonstrating this security mechanism's effectiveness.In addition,after long-period penetration testing in three international elite security contests,the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams,thus verifying its strong security.

Jia Zongpu,Liu Shufen,Wang Guowei

DOI: https://doi.org/10.1109/SPCA.2006.297482

2006-01-01

Abstract:Firewall has many shortages, such as it cannot keep away interior attacks, it cannot provide a consistent security strategy, and it has a single bottleneck spot and invalid spot, etc. Intrusion Detection System (IDS) also has many defects, such as low detection ability, lack of effective response mechanism, poor manageability, etc. If firewall and IDS are integrated, the cooperation of them can implement the network security to a great extent: on the one hand, IDS monitors the network, provides a real-time detection of attacks from the interior and exterior, and automatically informs firewall and dynamically alters the rules of firewall once an attack is found; on the other hand, firewall loads dynamic rules to hold up the intrusion, controls the data traffic of IDS and provides the security protection of IDS. Based on constructing firewall with Iptables in the environment of Linux OS, the respective characters of firewall and IDS are analyzed. Then, the viewpoint of integrating firewall and IDS to realize the network security is proposed, and the application and algorithm of intrusion detection are systemically analyzed and designed.

Daniele Bringhenti,Francesco Pizzato,Riccardo Sisto,Fulvio Valenza

DOI: https://doi.org/10.1002/nem.2307

2024-10-22

International Journal of Network Management

Abstract:This graphical abstract shows the workflow of the proposed approach for autonomous attack mitigation through firewall reconfiguration. Packet filtering firewalls represent a main defense line against cyber attacks that target computer networks daily. However, the traditional manual approaches for their configuration are no longer applicable to next‐generation networks, which have become much more complex after the introduction of virtualization paradigms. Some automatic strategies have been investigated in the literature to change that old‐fashioned configuration approach, but they are not fully autonomous and still require several human interventions. In order to overcome these limitations, this paper proposes an autonomous approach for firewall reconfiguration where all steps are automated, from the derivation of the security requirements coming from the logs of IDSs to the deployment of the automatically computed configurations. A core component of this process is React‐VEREFOO, which models the firewall reconfiguration problem as a Maximum Satisfiability Modulo Theories problem, allowing the combination of full automation, formal verification, and optimization in a single technique. An implementation of this proposal has undergone experimental validation to show its effectiveness and performance.

computer science, information systems,telecommunications

LI Jian,WANG Ling,DONG Ke-jun,LI Jun

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.04.006

2006-01-01

Abstract:As two important technologies in the field of Network Security, there are still some problems of both Intrusion Detection System and Firewall which can't be solved. Based on brief introduction to the framework of the Network Intrusion Detection System and Linux's kernel firewall- Netfilter, this dissertation brings forward the system about the integration of NIDS and iptables, and finally describes every module's realization with analyzing both advantages and disadvantages regarding to this system.

Hui Yuan,Lei Zheng,Shuang Qiu,Xiangli Peng,Yuan Liang,Yaodong Hu,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_142

2019-04-25

Abstract:With the rapid development of the network, in recent years, the Internet has greatly improved people’s lives, and the real-time, sharing and distance-removing characteristics of network information transmission have made the operation and management of enterprises more efficient and coordinated. The basis of refinement. At the same time, various network security incidents have followed, such as hacker attacks on computer network systems, and various types of viruses, Trojans and other active attacks emerge one after another. In this regard, this paper analyzes the enterprise network security system of firewall from the perspective of enterprise network security, briefly summarizes the background, advantages and disadvantages of firewall technology, and designs and implements a client software according to the actual needs of users. The network performs real-time intelligent security monitoring. After the system design is completed, the security is tested by building a simulation platform, including qualitative testing and quantitative testing, which are divided into security and performance to verify whether the system can achieve and guarantee performance.

Marija Schufrin,Hendrik Lücke-Tieke,Jörn Kohlhammer

DOI: https://doi.org/10.1109/VizSec56996.2022.9941462

2023-01-23

Abstract:In this paper, we present our design study on developing an interactive visual firewall log analysis system in collaboration with an IT service provider. We describe the human-centered design process, in which we additionally considered hedonic qualities by including the usage of personas, psychological need cards and interaction vocabulary. For the problem characterization we especially focus on the demands of the two main clusters of requirements: high-level overview and low-level analysis, represented by the two defined personas, namely information security officer and network analyst. This resulted in the prototype of a visual analysis system consisting of two interlinked parts. One part addresses the needs for rather strategical tasks while also fulfilling the need for an appealing appearance and interaction. The other part rather addresses the requirements for operational tasks and aims to provide a high level of flexibility. We describe our design journey, the derived domain tasks and task abstractions as well as our visual design decisions, and present our final prototypes based on a usage scenario. We also report on our capstone event, where we conducted an observed experiment and collected feedback from the information security officer. Finally, as a reflection, we propose the extension of a widely used design study process with a track for an additional focus on hedonic qualities.

Human-Computer Interaction,Cryptography and Security,Computers and Society

Daniele Bringhenti,Guido Marchetto,Riccardo Sisto,Fulvio Valenza,Jalolliddin Yusupov

DOI: https://doi.org/10.1109/tdsc.2022.3160293

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The configuration of security functions in computer networks is still typically performed manually, which likely leads to security breaches and long re-configuration times. This problem is exacerbated for modern networks based on network virtualization, because their complexity and dynamics make a correct manual configuration practically unfeasible. This article focuses on packet filters, i.e., the most common firewall technology used in computer networks, and it proposes a new methodology to automatically define the allocation scheme and configuration of packet filters in the logical topology of a virtual network. The proposed method is based on solving a carefully designed partial weighted Maximum Satisfiability Modulo Theories problem by means of a state-of-the-art solver. This approach formally guarantees the correctness of the solution, i.e., that all security requirements are satisfied, and it minimizes the number of needed firewalls and firewall rules. This methodology is extensively evaluated using different metrics and tests on both synthetic and real use cases, and compared to the state-of-the-art solutions, showing its superiority.

computer science, information systems, software engineering, hardware & architecture

Ali Nadim Alhaj,Narottam Das Patel,Ajeet Singh,Rohit Kumar Bondugula,Mohsin Furkh Dar,Jameel Ahamed

DOI: https://doi.org/10.1504/ijsnet.2024.141613

2024-09-28

International Journal of Sensor Networks

Abstract:The rapid expansion of networks has given rise to numerous challenges and issues. In recent years, one idea that has captivated researchers is segregating the forwarding and control levels, which emerged with software-defined networking (SDN) frameworks. Despite centralised management and network administration advantages, SDN networks have encountered several issues, with safety and reliability being the most prominent. This paper proposes a comprehensive robust security architecture for SDN networks that consists of modular components. Each module addresses a specific security challenge, and by integrating these security solutions, we aim to establish a cohesive security framework for SDN. Furthermore, we propose a robust security algorithm capable of effectively mitigating critical security attacks such as DDoS, ARP, and MITM. Our approach involves developing a multi-level security algorithm to counteract most DDoS attacks, while also devising a real-time algorithm specifically designed to handle ARP attacks, including request-replay-ARP DoS attacks.

computer science, information systems,telecommunications

Peng Qian-la,Zhitang Li

2003-01-01

Abstract:Vulnerability exists in distributed systems for their loosely-coupled structures in physical distribution. Within the system, membership is dynamic and data transfer is insecure. Thus the security problem of a distributed system itself occurs. In the case of a distributed firewall system, this paper presents a secure framework and a practical mechanism, which finally implements the security of the system itself.

Amir R. Khakpour,Joshua W. Hulst,Zihui Ge,Alex X. Liu,Dan Pei,Jia Wang

DOI: https://doi.org/10.1109/INFCOM.2012.6195544

2012-01-01

Abstract:Firewalls are critical security devices handling all traffic in and out of a network. Firewalls, like other software and hardware network devices, have vulnerabilities, which can be exploited by motivated attackers. However, because firewalls are usually placed in the network such that they are transparent to the end users, it is very hard to identify them and use their corresponding vulnerabilities to attack them. In this paper, we study firewall fingerprinting, in which one can use firewall decisions on TCP packets with unusual flags and machine learning techniques for inferring firewall implementation.

Xiaorong Gao

2003-01-01

Abstract:With the constant development of the application of computer network, the network security is more and more important. This paper discusses the key techniques of network security and shows how to build a firewall based on Linux. Besides, it gives prospects for the development of future firewall.

Alex X. Liu,Amir R. Khakpour,Joshua W. Hulst,Zihui Ge,Dan Pei,Jia Wang

DOI: https://doi.org/10.1109/TIFS.2017.2668602

2017-01-01

Abstract:Firewalls are critical security devices handling all traffic in and out of a network. Firewalls, like other software and hardware network devices, have vulnerabilities, which can be exploited by motivated attackers. However, just like any other networking and computing devices, firewalls often have vulnerabilities that can be exploited by attackers. In this paper, first, we investigate some possible firewall fingerprinting methods and surprisingly found that these methods can achieve quite high accuracy. Second, we study what we call denial of firewalling (DoF) attacks, where attackers use carefully crafted traffic to effectively overload a firewall. To the best of our knowledge, this paper represents the first study of firewall fingerprinting and DoF attacks.