A formal logic approach to firewall packet filtering analysis and generation

Govaerts, John; Bandara, Arosha K.; Curran, Kevin

doi:10.1007/s10462-009-9147-0

Cited by 14 publications

(13 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Creating a visual representation of the connections between switches and routers is a common step in any structure analysis process. Topological interconnection represented by formal graphs is also often necessary for research in the domains of network modeling [32], [48] or attack graph generation [49], [37]. "A connection" between two switches, for example, is represented as a property chain between two individuals of the managed network component concept in the IO (see Listing 2).…”

Section: Io Use Casesmentioning

confidence: 99%

IO: An Interconnected Asset Ontology in Support of Risk Management Processes

Birkholz

Sieverdingbeck

Sohr

et al. 2012

2012 Seventh International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Asset information obtained via infrastructure analysis is essential for developing and establishing risk management. However, information about assets acquired by existing infrastructure analysis processes is often incomplete or lacking in detail, especially concerning their interconnected topology. In this paper, we present the Interconnected-asset Ontology, IO, as a step towards a standardized representation of detailed asset information. The utilization of an asset ontology as a machine-readable representation supports the automation of risk management processes and the standardization of asset information reduces redundant acquisition processes that are often found in practice.

show abstract

Section: Io Use Casesmentioning

confidence: 99%

IO: An Interconnected Asset Ontology in Support of Risk Management Processes

Birkholz

Sieverdingbeck

Sohr

et al. 2012

2012 Seventh International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…The first works ( [2], [25], [13]) proposed firewall management methodologies which could be exclusively applied to networks where any security function was a hardware appliance. Later, formal verification techniques have been exploited to provide correctness assurance after the automated computation of firewall configurations ( [12], [5], [17], [22], [1]). Then, after the advent of softwarization in networking, this research path has found new relevance ( [20], [8], [9], [6]) and currently has become an important research trend in network security.…”

Section: Related Workmentioning

confidence: 99%

Short Paper

Bringhenti

Marchetto

Sisto

et al. 2020

Proceedings of the 2nd Workshop on Cyber-Security Arms Race

View full text Add to dashboard Cite

Data confidentiality, integrity and authentication are security properties which are often enforced with the generation of secure channels, such as Virtual Private Networks, over unreliable network infrastructures. Traditionally, the configuration of the systems responsible of encryption operations is performed manually. However, the advent of software-based paradigms, such as Software-Defined Networking and Network Functions Virtualization, has introduced new arms races. In particular, even though network management has become more flexible, the increased complexity of virtual networks is making manual operations unfeasible and leading to errors which open the path to a large number of cyber attacks. A possible solution consists in reaching a trade-off between flexibility and complexity, by automatizing the configuration of the channel protection systems through policy refinement. In view of these considerations, this paper proposes a preliminary study for an innovative methodology to automatically allocate and configure channel protection systems in virtualized networks. The proposed approach would be based on the formulation of a MaxSMT problem and it would be the first to combine automation, formal verification and optimality in a single technique. CCS CONCEPTS • Security and privacy → Formal security models; Security protocols; Privacy-preserving protocols; • Networks → Security protocols; Network management.

show abstract

“…However, all these three works exclusively target traditional networks, and do not offer either optimality or formal verification. Formal mathematical models have been, instead, presented in [14] and [15], where formal methodologies are used to automatically compute firewall configuration. However, in both cases these techniques work only in specific cases, not related to virtualized networks: [14] follows the syntax of IPChains and Cisco's PIX, whereas [15]'s technique has been validated only with SCADA-firewall configuration.…”

Section: Related Workmentioning

confidence: 99%

Introducing programmability and automation in the synthesis of virtual firewall rules

Bringhenti

Marchetto

Sisto

et al. 2020

2020 6th IEEE Conference on Network Softwarization (NetSoft)

View full text Add to dashboard Cite

The rise of new forms of cyber-threats is mostly due to the extensive use of virtualization paradigms and the increasing adoption of automation in the software life-cycle. To address these challenges we propose an innovative framework that leverages the intrinsic programmability of the cloud and software-defined infrastructures to improve the effectiveness and efficiency of reaction mechanisms. In this paper, we present our contributions with a demonstrative use case in the context of Kubernetes. By means of this framework, developers of cybersecurity appliances will not have any more to care about how to react to events or to struggle to define any possible security tasks at design time. In addition, automatic firewall ruleset generation provided by our framework will mostly avoid human intervention, hence decreasing the time to carry out them and the likelihood of errors. We focus our discussions on technical challenges: definition of common actions at the policy level and their translation into configurations for the heterogeneous set of security functions by means of a use case.

show abstract

A formal logic approach to firewall packet filtering analysis and generation

Cited by 14 publications

References 44 publications

IO: An Interconnected Asset Ontology in Support of Risk Management Processes

IO: An Interconnected Asset Ontology in Support of Risk Management Processes

Short Paper

Introducing programmability and automation in the synthesis of virtual firewall rules

Contact Info

Product

Resources

About