Hardening of network segmentation using automated referential penetration testing

Mohammed Alabbad, Neerja Mhaskar, Ridha Khedri
DOI: https://doi.org/10.1016/j.jnca.2024.103851
IF: 7.574
2024-04-01
Journal of Network and Computer Applications
Abstract: We study the problem of hardening the security of existing networks. Dynamic and static analysis are the two main approaches used to address this problem. Dynamic analysis is performed using penetration testing. Penetration testing (pentesting for short) simulates attacks on an existing and possibly dynamic network to identify its vulnerabilities without causing it any harm. Static analysis examines the access control policies of both network resources and firewalls without executing them. Although dynamic and static analysis are extremely useful approaches, they also have several drawbacks. For instance, they do not identify vulnerabilities resulting from weak network segmentation, improper implementation of the Defence in Depth strategy, or an increased attack surface for a given resource or firewall. In this paper, we propose a novel approach, termed the referential penetration testing (RPT) approach, to evaluate the security of networks. The RPT approach evaluates the network and checks for segmentation flaws while also checking for other traditional vulnerabilities. We then propose a novel framework, called the RPT framework, that incorporates the RPT approach to identify vulnerabilities in networks. The proposed framework is an application of Digital Twin technology to network security. We compare RPT to the network vulnerability assessment tools Nessus, OpenVAS, Qualys, Illumio, Tufin, and AlgoSec. The comparison reveals that RPT differs from the other tools on all the considered technical aspects, which indicates that it brings a novel approach to assessing network segmentation. It has a very limited focus compared to the others, which makes it suitable for use in combination with any one of them to further enhance the robustness of the segmentation. Finally, we implement this framework in a Software Defined Network (SDN) environment and discuss its usefulness.
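The abstract names three flaw classes that conventional scanners and policy analysers miss: unintended cross-segment flows, paths that skip a Defence in Depth tier, and a growing per-resource attack surface. The following is an added illustration of what a static check for those three classes can look like when a firewall rule set is compared against a reference segmentation policy. It is not the paper's RPT approach or its SDN implementation, and the zone names, rules and reference policy are constructed for the example; the idea of measuring "depth" as shortest-path length in the reference policy is an assumption made here, not a claim about the paper.

```python
"""Added example: static segmentation check of firewall rules against a
reference zone policy. Not the paper's RPT framework; all data constructed."""
from collections import defaultdict, deque

# Constructed reference segmentation policy: which zone may initiate to which.
REFERENCE_POLICY = {
    "internet": {"dmz"},
    "dmz": {"app"},
    "app": {"db"},
    "db": set(),
}

# Constructed firewall allow rules as (src_zone, dst_zone, dst_port).
FIREWALL_RULES = [
    ("internet", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "db", 5432),
    ("internet", "app", 8080),   # bypasses the DMZ tier entirely
    ("dmz", "db", 5432),         # DMZ reaching the data tier directly
    ("internet", "dmz", 22),     # management port exposed to the internet
    ("internet", "dmz", 80),
]


def unintended_flows(rules, policy):
    """Allow rules whose zone pair the reference policy does not permit."""
    return [(s, d, p) for s, d, p in rules if d not in policy.get(s, set())]


def reachable_zones(rules, start):
    """BFS over allow rules; returns {zone: shortest zone-hop path from start}.
    Neighbours are visited in sorted order so results are deterministic."""
    adj = defaultdict(set)
    for s, d, _ in rules:
        adj[s].add(d)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(adj[zone]):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths


def defence_in_depth_violations(rules, policy, untrusted, sensitive):
    """Sensitive zones reachable from `untrusted` by a shorter path than the
    reference policy allows: every skipped hop is a removed control layer.
    (Depth-as-path-length is this example's assumption.)"""
    policy_edges = [(s, d, 0) for s in policy for d in policy[s]]
    ref = reachable_zones(policy_edges, untrusted)
    actual = reachable_zones(rules, untrusted)
    violations = []
    for zone in sensitive:
        if zone in actual and (zone not in ref or len(actual[zone]) < len(ref[zone])):
            violations.append((zone, actual[zone]))
    return violations


def attack_surface(rules):
    """Distinct (source zone, port) pairs exposed per destination zone."""
    exposed = defaultdict(set)
    for s, d, p in rules:
        exposed[d].add((s, p))
    return {zone: len(pairs) for zone, pairs in exposed.items()}


if __name__ == "__main__":
    print("unintended:", unintended_flows(FIREWALL_RULES, REFERENCE_POLICY))
    print("depth violations:", defence_in_depth_violations(
        FIREWALL_RULES, REFERENCE_POLICY, "internet", ["app", "db"]))
    print("attack surface:", attack_surface(FIREWALL_RULES))
```

Note what a port scanner alone would not tell you here: every individual rule may look benign, but the internet-to-app rule removes the DMZ layer from the path to the database, and the DMZ-to-db rule does the same one hop later. A check against a reference policy surfaces both, which is the gap the abstract describes.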
computer science, interdisciplinary applications, software engineering, hardware & architecture