Detection and prevention of firewall-rule conflicts on software-defined networking

Maldonado-Lopez, Ferney A.; Calle, Eusebi; Donoso, Yezid

doi:10.1109/rndm.2015.7325238

Cited by 16 publications

(8 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Network firewalls have been extensively studied in different communication layers, such as data-link [84], [85], network [86], [87], transport [88], and application [89], [90], [91], and in different aspects, such as policy compactness [92], [93], verification [94], languages [95], conflicts [96], [97], and so on. PFIREWALL is essentially an application layer filtering system.…”

Section: Firewall-based Solutionsmentioning

confidence: 99%

PFirewall: Semantics-Aware Customizable Data Flow Control for Smart Home Privacy Protection

Chi

Zeng

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Internet of Things (IoT) platforms enable users to deploy home automation applications. Meanwhile, privacy issues arise as large amounts of sensitive device data flow out to IoT platforms. Most of the data flowing to a platform actually do not trigger automation actions, while homeowners currently have no control once devices are bound to the platform. We present PFIREWALL, a customizable data-flow control system to enhance the privacy of IoT platform users. PFIREWALL automatically generates data-minimization policies, which only disclose minimum amount of data to fulfill automation. In addition, PFIRE-WALL provides interfaces for homeowners to customize individual privacy preferences by defining user-specified policies. To enforce these policies, PFIREWALL transparently intervenes and mediates the communication between IoT devices and the platform, without modifying the platform, IoT devices, or hub. Evaluation results on four real-world testbeds show that PFIREWALL reduces IoT data sent to the platform by 97% without impairing home automation, and effectively mitigates user-activity inference/tracking attacks and other privacy risks.

show abstract

Section: Firewall-based Solutionsmentioning

confidence: 99%

PFirewall: Semantics-Aware Customizable Data Flow Control for Smart Home Privacy Protection

Chi

Zeng

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…The seminal work of Xie et al [54] introduces stateless data plane checking to which Delta-net belongs. The research that emerged from [54] can be broadly divided into offline [57,2,24,40 48,26,35,17,33] and online [27,25,55] approaches. The offline approaches encode the problem into Datalog [17,33] or logic formulas that can be checked for satisfiability by constructing a Binary Decision Diagram [57,2] or calling an SAT/SMT solver [24,40,1,34,48,23,35].…”

Section: Related Workmentioning

confidence: 99%

“…The research that emerged from [54] can be broadly divided into offline [57,2,24,40 48,26,35,17,33] and online [27,25,55] approaches. The offline approaches encode the problem into Datalog [17,33] or logic formulas that can be checked for satisfiability by constructing a Binary Decision Diagram [57,2] or calling an SAT/SMT solver [24,40,1,34,48,23,35]. By contrast, all modern online approaches [27,25,55] partition in some way the set of all network packets.…”

Section: Related Workmentioning

confidence: 99%

Delta-net: Real-time Network Verification Using Atoms

Horn¹,

Kheradmand²,

Prasad³

2017

Preprint

View full text Add to dashboard Cite

Real-time network verification promises to automatically detect violations of network-wide reachability invariants on the data plane. To be useful in practice, these violations need to be detected in the order of milliseconds, without raising false alarms. To date, most real-time data plane checkers address this problem by exploiting at least one of the following two observations: (i) only small parts of the network tend to be affected by typical changes to the data plane, and (ii) many different packets tend to share the same forwarding behaviour in the entire network. This paper shows how to effectively exploit a third characteristic of the problem, namely: similarity among forwarding behaviour of packets through parts of the network, rather than its entirety. We propose the first provably amortized quasi-linear algorithm to do so. We implement our algorithm in a new real-time data plane checker, Delta-net. Our experiments with SDN-IP, a globally deployed ONOS software-defined networking application, and several hundred million IP prefix rules generated using topologies and BGP updates from realworld deployed networks, show that Delta-net checks a rule insertion or removal in approximately 40 microseconds on average, a more than 10× improvement over the state-of-the-art. We also show that Delta-net eliminates an inherent bottleneck in the state-of-the-art that restricts its use in answering Datalog-style "what if" queries.

show abstract

“…Now, we need a tool, called a verifier, able to find (calculate) the semantic function π, G and verify if that set is empty and the minimal diagnosis of that set. We use similar tools also for validating paths on network infrastructure [12], and recently we show how to use of minimal diagnosis to detect and prevent firewall-rule conflicts on software-defined networking [13].…”

Section: Definition 6 (Policy Conflict)mentioning

confidence: 99%

Checking Multi-domain Policies in SDN

Maldonado-Lopez

Calle

Donoso

2016

INT J COMPUT COMMUN

Self Cite

View full text Add to dashboard Cite

Programmable Network like SDN allows administrators to program network infrastructure according to service demand and custom-defined policies. Network policies are interpreted by the centralized controller to define actions and rules to process the network traffic on devices that belong to a single domain. However, actual networks are multi-domain where several domains are interconnected. Then, because SDN controllers in a domain cannot define nor monitor policies in other domains, network administrators cannot ensure that their own policies, origin policies are being enforced by the domains not directly managed by them (i.e. foreign domains). We present AudiT, a multi-domain SDN policy verifier that identifies whether an origin policy is enforced by foreign domains. AudiT comprises (1) model for network topology, policies, and flows, (2) an Audit protocol to gather information about the actions performed by network devices to carry the flows of interest, and (3) a validation engine that takes that information and detects security policy violations, and (4) an extension to the OpenFlow protocol to enable external auditing. This paper presents our approach and illustrates its application using an example considering multiple SDN networks.

show abstract

Detection and prevention of firewall-rule conflicts on software-defined networking

Cited by 16 publications

References 12 publications

PFirewall: Semantics-Aware Customizable Data Flow Control for Smart Home Privacy Protection

PFirewall: Semantics-Aware Customizable Data Flow Control for Smart Home Privacy Protection

Delta-net: Real-time Network Verification Using Atoms

Checking Multi-domain Policies in SDN

Contact Info

Product

Resources

About