L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Amir R. Khakpour,Joshua W. Hulst,Zhihui Ge,Alex X. Liu,Dan Pei,Jia Wang

2011-01-01

Abstract:Firewalls are critical security devices handling all traffic in and out of a network. When under heavy load of both malicious and legitimate traffic, firewalls may be overloaded and start discarding or permitting packets without checking firewall rules, which can cause huge revenue losses or security breaches. In this paper, we study Denial of Firewalling attacks, where attackers use well-crafted traffic to effectively overwhelm a firewall. We first investigate firewall implementation characteristics that can be exploited for such attacks while treating the firewall as a black box. We conducted our studies on a testbed with three popular firewall devices. Second, given a remote firewall, we propose methods for attackers to infer the implementation of the firewall. We develop firewall fingerprinting techniques based on firewall decisions on a sequence of TCP packets with unusual flags and machine learning techniques for inferring firewall implementation. Finally, we present methods that attackers can use to generate the traffic that can effectively overload an identified remote firewall. We show that some firewalls can be easily overloaded by a small volume of carefully crafted traffic.

Junjie Shi,Yuan Zhang,Sheng Zhong

DOI: https://doi.org/10.48550/arxiv.1502.00389

2015-01-01

Abstract:Since the advent of software defined networks (SDN), there have been many attempts to outsource the complex and costly local network functionality, i.e. the middlebox, to the cloud in the same way as outsourcing computation and storage. The privacy issues, however, may thwart the enterprises' willingness to adopt this innovation since the underlying configurations of these middleboxes may leak crucial and confidential information which can be utilized by attackers. To address this new problem, we use firewall as an sample functionality and propose the first privacy preserving outsourcing framework and schemes in SDN. The basic technique that we exploit is a ground-breaking tool in cryptography, the cryptographic multilinear map. In contrast to the infeasibility in efficiency if a naive approach is adopted, we devise practical schemes that can outsource the middlebox as a blackbox after obfuscating it such that the cloud provider can efficiently perform the same functionality without knowing its underlying private configurations. Both theoretical analysis and experiments on real-world firewall rules demonstrate that our schemes are secure, accurate, and practical.

Lingbo Wei,Chi Zhang,Yanmin Gong,Yuguang Fang,Kefei Chen

DOI: https://doi.org/10.1109/GLOCOM.2016.7841497

2016-01-01

Abstract:It is increasingly common for enterprises and other organizations to outsource firewalls to public clouds in order to reduce the cost and complexity in deploying and maintaining dedicated hardware middleboxes. However, this poses a serious threat to the enterprise network security because sensitive network policies, such as firewall rules, are revealed to cloud providers, which may be leaked and exploited by attackers. In this paper, we design and implement a SE-FWaaS, a secured system that enables cloud providers to support middlebox (e.g., firewall) outsourcing while preserving the network policy confidentiality. The key ingredients in our SE-FWaaS are the distribution of the firewall primitives, namely policy checking and verdict enforcing, to two independent public clouds, and the enabling techniques of efficient firewall rule obfuscation and oblivious rule-matching. Our SE-FWaaS provides the maximum achievable level of protection of network policies by enforcing the principle of the least privilege and removing the threat of offline probing attacks. We evaluate the proposed system over real-world firewall rules and demonstrate its effectiveness and feasibility.

Wei-Yang Chiu,Weizhi Meng

2023-03-23

Abstract:Central-managed security mechanisms are often utilized in many organizations, but such server is also a security breaking point. This is because the server has the authority for all nodes that share the security protection. Hence if the attackers successfully tamper the server, the organization will be in trouble. Also, the settings and policies saved on the server are usually not cryptographically secured and ensured with hash. Thus, changing the settings from alternative way is feasible, without causing the security solution to raise any alarms. To mitigate these issues, in this work, we develop BlockFW - a blockchain-based rule sharing firewall to create a managed security mechanism, which provides validation and monitoring from multiple nodes. For BlockFW, all occurred transactions are cryptographically protected to ensure its integrity, making tampering attempts in utmost challenging for attackers. In the evaluation, we explore the performance of BlockFW under several adversarial conditions and demonstrate its effectiveness.

Cryptography and Security,Computers and Society

Xiaohua Tian,Wei Liu,Yu Cheng

2015-01-01

Abstract: Bloom filter (BF) based forwarding is an effective approach to implement scalable multicasting in distributed systems. The forwarding BF carried by each packet can encode either multicast tree or destination IP addresses, which are termed as tree oriented approach (TOA) and destination oriented approach (DOA), respectively. Recent studies have indicated that TOA based protocols have serious vulnerabilities under some distributed denial-of-service (DDoS) attacks, and raised doubt about deployability of BF based multicasting. However, security analysis for DOA based protocols is still unavailable. In this paper, we present a systematic analysis of security performance of BF based multicasting. Important DDoS attacks and the corresponding defending mechanisms are studied in the context of DOA. We have positive findings that DOA, with convenient enhancement, has a robust performance in resisting a variety of DDoS attacks that can deny service of TOA based protocols. Moreover, we reveal that TOA based protocols are prone to flow duplication attack when applied in the data center network (DCN). We propose a dynamic-sized BF mechanism to defend against flow duplication attack for TOA based protocols in the DCN. Simulation results are presented to validate our theoretical analysis.

Yue Fu,Man Ho Au,Rong Du,Haibo Hu,Dagang Li

DOI: https://doi.org/10.1109/icdcs47774.2020.00154

2020-01-01

Abstract:Password-based authentication is essential to any online service. It is normally powered by a database of user credentials, for example a RADIUS server. However, even with various indexing techniques (e.g., B+-tree), password-based authentication can still be resource-consuming on large-scale systems (e.g., Internet and IoT), and is thus vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we propose a cloud-based firewall that uses Bloom filters to pre-screen and reject suspicious requests with wrong password before they reach the authentication server. The main challenge is the security of the firewall because it can be operated by a third party, so the Bloom filters might be accessed by adversaries to assist their brute-force password guessing. To ensure security, we start with the assumption of trusted cloud server and design a key-based semantic secure Bloom filter (KSSBF) for the best efficiency. We then design a generically secure Bloom filter (GSBF) for non-trusted cloud servers, which is key-independent and with strictly provable security. Through theoretical and empirical analysis, we show both of them can mitigate malicious requests without compromising the security of passwords.

Alex X. Liu,Amir R. Khakpour,Joshua W. Hulst,Zihui Ge,Dan Pei,Jia Wang

DOI: https://doi.org/10.1109/TIFS.2017.2668602

2017-01-01

Abstract:Firewalls are critical security devices handling all traffic in and out of a network. Firewalls, like other software and hardware network devices, have vulnerabilities, which can be exploited by motivated attackers. However, just like any other networking and computing devices, firewalls often have vulnerabilities that can be exploited by attackers. In this paper, first, we investigate some possible firewall fingerprinting methods and surprisingly found that these methods can achieve quite high accuracy. Second, we study what we call denial of firewalling (DoF) attacks, where attackers use carefully crafted traffic to effectively overload a firewall. To the best of our knowledge, this paper represents the first study of firewall fingerprinting and DoF attacks.

Xiaohua Tian,Jiaqi Liu,Wei Liu,Yu Cheng,Lijun Ou,Zilong Zhao

DOI: https://doi.org/10.1145/3063955.3063994

2017-01-01

Abstract:Bloom filter (BF) based forwarding is an effective approach to implement scalable multicasting. The forwarding BF carried by each packet can encode either multicast tree or destination IP addresses, which are termed as tree oriented approach (TOA) and destination oriented approach (DOA), respectively. Studies have indicated that TOA based protocols have serious vulnerabilities under some distributed denial-of-service (DDoS) attacks, and raised doubt about deployability of BF based multicasting. However, security analysis for DOA based protocols is still unavailable, and the fundamental effect of in-packet routing information on security performance of BF based multicast protocols is yet to be revealed. In this paper, we present a systematic analysis of security performance of BF based multicasting. Important DDoS attacks and the corresponding defending mechanisms are studied in the context of DOA. We have positive findings that DOA, with convenient enhancement, has a robust performance in resisting a variety of DDoS attacks that can deny service of TOA based protocols. Moreover, we reveal that TOA based protocols are prone to flow duplication attack when applied in the data center network (DCN). We propose a dynamic-sized BF mechanism to defend against flow duplication attack for TOA based protocols in the DCN. Simulation results are presented to validate our theoretical analysis.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1109/infocom.2018.8486230

2018-01-01

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. FlowCloak imposes only a 0.3 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Hualong Sheng,Lingbo Wei,Chi Zhang,Xia Zhang

DOI: https://doi.org/10.1109/nana.2016.37

2016-01-01

Abstract:Firewall is the critical first line of defense against cyber attacks. In order to improve security and performance, modern enterprises have to deploy and manage their own firewalls. But the firewall infrastructure is expensive and complex to manage, thus enterprises begin to outsource their firewalls to the cloud to reduce firewall management and deployment costs. The current firewall outsourcing schemes require enterprises to fully trust the cloud. However, firewall policies are confidential information of enterprises, and enterprises do not want to reveal them to the cloud. Such privacy issues hinder the adoption of cloud-based firewall service. With the development of cloud computing, more and more enterprises migrate their IT systems to the cloud (we call these enterprises the IaaS-based enterprises). In this paper, we propose a privacy-preserving firewall outsourcing scheme for a new architecture, in which an IaaS-based enterprise outsources its firewall policies to another cloud. We implement a prototype of our scheme and the experimental results demonstrate the feasibility and performance of our scheme.

Harleen Kaur,Omid MahdiEbadati E.,M. Afshar Alm

DOI: https://doi.org/10.48550/arXiv.1201.4555

2012-01-22

Abstract:The stimulate of this research seeks collaboration of firewalls which, could reach to the capability of distributed points of security policy; the front-end entity may much interact by the invaders so the separation between this entity and back-end entity to make the secure domain protection is necessary; collaborative security entity has the various task in the organization and there is a certain security policy to apply in; the entities like DPFF have to be protected from outsiders. Firewalls are utilized typically to be the main layer of security in the network framework. The research is presented the particular segment of the proposed framework that DPFF based on the developed iptable firewall to be the layers of defense, which is protected front and backend of the framework with a dynamic security and policy update to control the framework's safeguard through proposed portion approach algorithm that utilize to reduce the traffic and efficiency in detection and policy update mechanism. The policy update mechanism for DPFF is given the way of its employment. The complete framework signifies a distributed firewall, where the administrator configures the policy rules set, which could be separately or else from administration nodes' side.

Networking and Internet Architecture,Cryptography and Security

Zheyuan Cheng,Mo-Yuen Chow

DOI: https://doi.org/10.1109/tsg.2021.3113287

IF: 10.275

2021-01-01

IEEE Transactions on Smart Grid

Abstract:The cybersecurity of the distributed AC optimal power flow (ACOPF) against false data injection attacks (FDIA) is investigated in this paper. A collaborative distributed ACOPF solver, rooted in the dual decomposition concept, is first formulated, based on which a theoretical framework is then developed to model the distributed ACOPF and its cybersecurity in the presence of FDIA. Under this proposed cybersecurity framework, a reputation-based peer-to-peer trust management system (TMS) is proposed to secure the resilience of the system against FDIA. Finally, the proposed TMS is validated on the IEEE 69-bus benchmark system. The primary contribution of this paper is the proposed holistic resilience framework, in which the FDIA is analytically assessed and effectively defended. In the analytical results, we have established two key propositions: the FDIA generally has one degree of freedom; and the FDIA can be effectively detected and mitigated using the proposed TMS with one-hop redundancy.

Wei Xiong

2009-01-01

Abstract:With the speedy developing of computer technology ,the consumer quantity of internet intranet rapidly increasing, and the research, implement, and application of the new service of the network. The network security of computer is becoming Important day by day, and this is a key factor which has influenced the deeply development for network. Past the security protection of the most traditional firewall mechanism However, as networks and technological development, the traditional firewall has gradually failed to meet security needs. This paper has brought traditional firewall problems Based on the Kerberos authentication Distributed firewall new architecture, preservation of traditional firewall merits on the basis of the traditional firewall solution to the hidden dangers.Among the main research work are : (1)to the Kerberos protocol to the foundation Comprehensive network security software algorithm rational use of firewall related knowledge and to the internal security of distributed network firewall systems; (2)structure is built to a modular design and the use of a simplified, based on the public key of the Kerberos protocol, transparent certification;(3)the integrated use of security authentication, access control, authorization, confidentiality, audited and centralized management and other network security technology, which not only satisfies the reliability of the system performance, Management can achieve operational flexibility. Of massive internal network users need to focus on the protection of network resources to provide a manageable, distributed network security environment.

Andrew Prout,William Arcand,David Bestor,Bill Bergeron,Chansup Byun,Vijay Gadepally,Matthew Hubbell,Michael Houle,Michael Jones,Peter Michaleas,Lauren Milechin,Julie Mullen,Antonio Rosa,Siddharth Samsi,Albert Reuther,Jeremy Kepner

DOI: https://doi.org/10.1109/HPEC.2016.7761641

2016-07-11

Abstract:HPC systems traditionally allow their users unrestricted use of their internal network. While this network is normally controlled enough to guarantee privacy without the need for encryption, it does not provide a method to authenticate peer connections. Protocols built upon this internal network must provide their own authentication. Many methods have been employed to perform this authentication. However, support for all of these methods requires the HPC application developer to include support and the user to configure and enable these services. The user-based firewall capability we have prototyped enables a set of rules governing connections across the HPC internal network to be put into place using Linux netfilter. By using an operating system-level capability, the system is not reliant on any developer or user actions to enable security. The rules we have chosen and implemented are crafted to not impact the vast majority of users and be completely invisible to them.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Duan Haixin,Wu Jianping,Li Xing

2001-01-01

Abstract:Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O (N) of traditional sequential algorithm to O (1), which therefore increases largely the throughput of firewalls.

Kamal Chandra Reddy,Ankit Tharwani,Ch.Vamshi Krishna,Lakshminarayanan.V

DOI: https://doi.org/10.48550/arXiv.1312.4188

2013-12-16

Abstract:Firewalls use a rule database to decide which packets will be allowed from one network onto another thereby implementing a security policy. In high-speed networks as the inter-arrival rate of packets decreases, the latency incurred by a firewall increases. In such a scenario, a single firewall become a bottleneck and reduces the overall throughput of the network.A firewall with heavy load, which is supposed to be a first line of defense against attacks, becomes susceptible to Denial of Service (DoS) attacks. Many works are being done to optimize <a class="link-external link-http" href="http://firewalls.This" rel="external noopener nofollow">this http URL</a> paper presents our implementation of different parallel firewall models on General-Purpose Graphics Processing Unit (GPGPU). We implemented the parallel firewall architecture proposed in and introduced a new model that can effectively exploit the massively parallel computing capabilities of GPGPU.

Distributed, Parallel, and Cluster Computing

Dinesha Ranathunga,Matthew Roughan,Paul Tune,Phil Kernick,Nick Falkner

DOI: https://doi.org/10.48550/arXiv.1902.05689

2019-02-15

Abstract:Firewall configuration is critical, yet often conducted manually with inevitable errors, leaving networks vulnerable to cyber attack [40]. The impact of misconfigured firewalls can be catastrophic in Supervisory Control and Data Acquisition (SCADA) networks. These networks control the distributed assets of industrial systems such as power generation and water distribution systems. Automation can make designing firewall configurations less tedious and their deployment more reliable. In this paper, we propose ForestFirewalls, a high-level approach to configuring SCADA firewalls. Our goals are three-fold. We aim to: first, decouple implementation details from security policy design by abstracting the former; second, simplify policy design; and third, provide automated checks, pre and post-deployment, to guarantee configuration accuracy. We achieve these goals by automating the implementation of a policy to a network and by auto-validating each stage of the configuration process. We test our approach on a real SCADA network to demonstrate its effectiveness.

Cryptography and Security