The document discusses and evaluates an enhanced algorithm for deploying firewall policies from an initial to target configuration. It summarizes:
1) The original "Greedy-Two-Phase Deployment" algorithm was found to be incorrect for some cases and could result in an incorrect final policy order.
2) A new "Enhanced-Greedy-Two-Phase Deployment" algorithm is proposed to address this by moving rules to their target position rather than a shifted one.
3) An evaluation of the new algorithm shows it performs the policy deployments faster than the previous best "SANITIZEIT" approach, with improvements for larger policies of up to 10,000+ rules.
Next Generation Network: Security and Architecture (ijsrd.com)
Wireless sensor networks will be widely deployed in the near future. While much research has focused on making these networks feasible and useful, security has received little attention. Wireless Sensor Networks (WSN) are a most challenging and emerging technology for research because of their vital scope in the field, coupled with their low processing power and associated low energy. As wireless sensor networks continue to grow, so does the need for effective security mechanisms. Because sensor networks may interact with sensitive data and/or operate in hostile unattended environments, it is imperative that these security concerns be addressed from the beginning of the system design. Starting with a brief overview of sensor network security, a review is made of how to provide security in wireless sensor networks. This paper studies the security problems, requirements and architecture of WSNs and the different platforms, which are characterized by severely constrained computational and energy resources and an ad hoc operational environment.
The primary goal of the checklist is to make it useful and a trusted guide for IT Auditors and Security Consultants in Network Architecture Review assignments. The checklist is drawn from numerous resources referred to and my experience in network architecture reviews. Though it doesn't essentially cover all elements of a network architecture review, I have tried to bring in aspects of the security element in a network architecture.
HARDWARE SECURITY IN CASE OF SCAN-BASED ATTACK ON CRYPTO-HARDWARE (VLSICS Design)
The latest innovations in computing device technology have given rise to compact, speedy and economical products that also embed cryptographic hardware on-chip. Such devices generally hold secret keys and confidential information, so more attention has been given to attacks on the hardware that guards such secure information. An attacker may leak secret information from symmetric crypto-hardware (AES, DES, etc.) using side-channel analysis, fault injection or by exploiting the existing test infrastructure. This paper examines various DFT-based attack implementation methods applied to cryptographic hardware. It contains an extensive analysis of attacks based on various parameters. The countermeasures are classified and analyzed in detail.
ASHBURN, Va. – At its core, trusted-computing works to ensure that computing systems operate safely, securely, and correctly every time. Trusted computing matters at every level of operation, whether it be the processor level, software level, or system level. Each layer of a computing system ensures that a system can operate securely. Because malicious attackers are able to poke at all layers of a system, securing only one single layer often is not the most effective use of resources.
MANET is a kind of ad hoc network with mobile, wireless nodes. Because of its special characteristics, like dynamic topology, hop-by-hop communications and easy and quick setup, MANET faces many challenges such as routing, security and clustering. The security challenges arise due to MANET's self-configuration and self-maintenance capabilities. In this paper, we present an elaborate view of issues in MANET security. Based on MANET's special characteristics, we define three security parameters for MANET. In addition, we divide MANET security into two different aspects and discuss each one in detail. A comprehensive analysis of the security aspects of MANET and defeating approaches is presented. In addition, defeating approaches against attacks have been evaluated on some important metrics. After these analyses and evaluations, future scopes of work are presented.
An analysis of security challenges in mobile ad hoc networks (csandit)
Mobile Ad Hoc Network (MANET) is a collection of wireless mobile nodes with restricted transmission range and resources, no fixed infrastructure, and quick and easy setup. Because of these special characteristics, wide-spread deployment of MANET faces many challenges like security, routing and clustering. The security challenges arise due to MANET's self-configuration and self-maintenance capabilities. In this paper, we present an elaborate view of issues in MANET security. We discuss both security services and attacks in detail. Three important parameters in MANET security are defined. Each attack is analysed briefly based on its own characteristics and behaviour. In addition, defeating approaches against attacks have been evaluated on some important metrics. After these analyses and evaluations, future scopes of work are presented.
A network security detection and prevention scheme using a combination of network taps and aggregation devices can improve visibility and redundancy, reduce system complexity and diminish initial and continuing costs of implementation.
Mobile ad-hoc networks are a relatively new innovation in the field of wireless technology. These types of networks operate in the absence of fixed infrastructure, which makes them easy to deploy at any place and at any time. Mobile ad-hoc networks are highly dynamic; topology changes and link breakages happen quite frequently. Therefore, we need a security solution that is dynamic, too. Security in Mobile Ad hoc Networks (MANETs) is an important issue in need of a solution that not only works well with a small network but also sustains efficiency and scalability. In the ad hoc environment, much of the research has focused on the efficiency of the network, and there are therefore a number of routing protocols that provide good efficiency. Considering security radically changes the situation, since all of the existing routing protocols are designed on the assumption that the participating players and the network environment do not harm security, which contradicts reality. Most secure routing protocols have various disadvantages. In this paper a trusted solution is provided for routing in ad hoc networks. The routing protocol is modified by incorporating the security components. Finally, the simulation results of insecure AODV are studied using a simulator.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A review on software defined network security risks and challenges (TELKOMNIKA JOURNAL)
Software defined networking is an emerging network architecture that separates the traditionally integrated control logic and data forwarding functionality into different planes, namely the control plane and the data forwarding plane. The data plane performs end-to-end data delivery, and the control plane does the actual network traffic forwarding and routing between different network segments. In a software defined network, the networking infrastructure layer is where all the networking devices, such as switches and routers, are connected to the separate controller layer with the help of a standard called the OpenFlow protocol. OpenFlow is a standard protocol that allows devices from different vendors, such as Juniper, Cisco and Huawei switches, to be connected to the controller. The centralization of the software defined network (SDN) controller makes the network more flexible, manageable and dynamic compared to the traditional communication network, for example in provisioning of bandwidth and dynamic scale-out and scale-in; however, the centralized SDN controller is more vulnerable to security risks such as DDoS and flow rule poisoning attacks. In this paper, we explore the architecture and principles of software defined networking, the security risks associated with the centralized SDN controller, and possible ways to mitigate these risks.
Interfirewall optimization across various administrative domain for enabling ... (Editor IJMTER)
Network security is usually protected by a firewall, which checks incoming and outgoing packets against a set of defined policies or rules. Hence, the overall performance of the firewall generally depends on its rule management. For example, performance can decrease when there are firewall rule anomalies. Anomalies may happen when two firewall rules overlap or their decision parts are an acceptance and a denial simultaneously. Existing firewall optimization focuses on either inter-firewall or intra-firewall optimization within one administrative domain, where the privacy of firewall policies is not a concern. This work explores interfirewall optimization across administrative domains for the first time. The key technical challenge is that a firewall policy cannot be shared across domains, because a firewall policy contains confidential information and even potential security holes, which can be exploited by attackers. Identifying interfirewall redundant rules overcomes this problem and enables interfirewall optimization across administrative domains. The work also proposes the first cross-domain cooperative firewall (CDCF) policy optimization protocol. The optimization process involves cooperative computation between the two firewalls without either party disclosing its policy to the other.
Redundancy removal of rules with reordering them to increase the firewall opt... (eSAT Journals)
Abstract
Firewalls are widely used for securing private networks. A firewall checks each incoming and outgoing packet against the rules given by the network administrator and decides whether to accept or discard the packet. With the huge demand for services on the Internet, the rule set becomes large and takes more time to process each packet, which affects the throughput of the firewall. Firewall optimization is therefore in great demand to obtain good performance. Existing research efforts developed techniques for either intra-firewall or inter-firewall optimization within a single administrative domain. In addition, existing techniques are inefficient in reducing packet processing delay, because they optimize firewall rules only by reducing the number of rules, and lack the intelligence to decide the order of rules. This paper proposes an adaptive cross-domain firewall policy optimization technique using statistical analysis, while protecting policy confidentiality. To the best of our knowledge, we are the first to propose a technique that dynamically decides the order of rules based on network statistics. The proposed technique not only identifies and removes redundant rules but also identifies the order of rules in the rule set to improve the performance of the system. The optimization process involves two tasks: first, collaboratively reduce the number of rules between multiple firewalls while protecting their confidentiality; second, using network usage statistics, identify the order of rules in the rule set. The feasibility of the proposed technique is shown with the help of a prototype implementation. The evaluation results show the effectiveness and efficiency of the proposed solution.
Keywords: Civilization, Redundancies, Adjoining, Privacy, Stiff.
Securing the Future Safeguarding 5G Networks with Advanced Security Solutions... (SecurityGen1)
With the advent of 5G technology, the complexity of network security has increased exponentially. To address this challenge, specialized 5G security services have emerged to provide tailored solutions to protect your network infrastructure. These services encompass a range of offerings, including threat intelligence, risk assessment, firewall management, intrusion detection, and incident response. 5G security services go beyond traditional security measures, taking into account the unique characteristics of 5G networks such as virtualization, network slicing, and edge computing.
Elevate Safety with Security Gen: Unraveling the Power of Signaling Security (SecurityGen1)
Security Gen introduces a new era of safety with our advanced Signaling Security solutions. In an ever-changing landscape, effective communication is key to maintaining security. Our user-friendly signaling systems are designed to provide instant alerts and notifications, enhancing situational awareness for businesses and individuals alike. Whether it's for emergency response or routine monitoring, Security Gen's signaling security ensures a swift and precise flow of information, creating a secure environment tailored to your specific needs.
SecurityGen's Pioneering Approach to 5G Security Services (SecurityGen1)
SecurityGen takes a pioneering stance in the realm of 5G security, offering services that redefine the standards of digital protection. Our user-friendly solutions are meticulously crafted to address the unique challenges posed by the 5G landscape. SecurityGen's 5G Security Services encompass real-time threat monitoring, encryption protocols, and adaptive defense mechanisms to keep your network secure in the face of sophisticated cyber threats. By choosing SecurityGen, businesses can embark on their 5G journey with peace of mind, knowing that they have a reliable partner dedicated to staying ahead of the curve in cybersecurity.
Protecting Your Text Messages: SecurityGen's SMS Fraud Detection Solutions (SecurityGen1)
In a world where communication via text messages is integral to our daily lives, SMS fraud has become a growing concern. That's where SecurityGen comes into play. Our state-of-the-art SMS fraud detection technology is designed to safeguard your mobile communications. Using advanced algorithms and real-time analysis, SecurityGen's solution identifies and blocks fraudulent SMS messages, protecting you from phishing scams, malware, and other security threats.
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ... (IJCNCJournal)
Many security models for computer networks using a combination of an Intrusion Detection System and a Firewall have been proposed and deployed in practice. In this paper, we propose and implement a new model of the association between Intrusion Detection System and Firewall operations, which allows the Intrusion Detection System to automatically update the firewall filtering rule table whenever it detects an abnormal intrusion. This helps protect the network from attacks from the Internet.
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT (ijsrd.com)
Network security is essential for protecting private and public networks such as banking and educational zones. A network can use different kinds of security mechanisms, and the firewall is one of them. Firewalls are used as a protection barrier between two different networks. The performance of a firewall is mainly based on its firewall policies, which are used to decide whether packets are permitted or refused. These rules are crucial for the operation of firewall policies. A firewall policy may contain erroneous configurations like rule redundancies, errors and conflicts. Such conflicts are resolved by various mechanisms depending on the kind of error. Techniques used for error detection and correction include the cross-domain cooperative firewall, firewall compression, firewall decision diagrams, firewall verification tools, and anomaly detection tools like FAME (Firewall Anomaly Management Environment), FPA (Firewall Policy Advisor), Fireman, etc.
A Novel Management Framework for Policy Anomaly in Firewall (ijsrd.com)
The advent of emerging technologies such as Web services, service-oriented architecture, and cloud computing has enabled us to perform business services more efficiently and effectively. However, we still suffer from unintended security leakages caused by unauthorized actions in business services. Firewalls are the most widely deployed security mechanism to ensure the security of private networks in most businesses and institutions. The effectiveness of the security protection provided by a firewall mainly depends on the quality of the policy configured in the firewall. Unfortunately, designing and managing firewall policies is often error-prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. In this paper, we present an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. We also discuss a proof-of-concept implementation of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME). In addition, we demonstrate how efficiently our approach can discover and resolve anomalies in firewall policies through rigorous experiments using an automatic rule generation technique.
Blueprint for Cyber Security Zone Modeling (ITIIIndustries)
The increasing need to implement on-line services in all industries has placed greater focus on the security controls deployed to protect the corporate network. The need for cyber security increases further when IT solutions are built to operate in the cloud. As more business activities migrate to the on-line channel, the security protection systems must cater for a variety of applications, including access for enterprise users who are mobile, working from home, or situated at business partner locations. One set of key security measures deployed to protect the enterprise perimeter comprises firewalls, network routers, and access gateways. In addition, a set of controls is in place for cloud-enabled IT solutions. Collectively these components make up a set of protection systems referred to as the security zones. In this paper, a security zone model that has been deployed in practice in industry is presented. The zone model serves as a design blueprint to validate existing architectures or to assist in the design of new cyber security zone deployments.
In the IT industry you are going to need a security certification.
In the US military or as a government contractor it is required in most cases
(DoD 8570.01-M) / State Department Skills Incentive Program.
Short video about Security+
Exam Objectives
Exam Content
Taking the exam
Practice Questions
Tips to Prepare
A firewall is a device or set of instruments designed to permit or deny network transmissions based on a set of rules; it is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass, including during sensitive data transmission. Distributed firewalls allow security policies to be enforced on a network without restricting its topology to an inside/outside point of view. The use of a policy language, and the centralized delegation of its semantics to all members of the network domain, supports the application of firewall technology in organizations whose network devices communicate over insecure channels, while still allowing a logical separation of hosts inside and outside the trusted domain. We introduce the general concepts of such distributed firewalls, their requirements and implications, and their suitability against common threats on the Internet, and give a short discussion of contemporary implementations.
An Effective Policy Anomaly Management Framework for Firewalls (IJMER)
International Journal of Modern Engineering Research (IJMER) is Peer reviewed, online Journal. It serves as an international archival forum of scholarly research related to engineering and science education.
Similar to PERFORMANCE EVALUATION OF ENHANCED-GREEDY-TWO-PHASE DEPLOYMENT ALGORITHM (20)
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Slides by me and Rik Marselis at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
PERFORMANCE EVALUATION OF ENHANCED-GREEDY-TWO-PHASE DEPLOYMENT ALGORITHM
International Journal of Network Security & Its Applications (IJNSA), Vol. 5, No. 4, July 2013
DOI: 10.5121/ijnsa.2013.5412
PERFORMANCE EVALUATION OF ENHANCED-GREEDY-TWO-PHASE DEPLOYMENT ALGORITHM
Kartit Ali
Laboratory of Research in Informatics and Telecommunications (LRIT), Faculty of Science, University Mohammed V-Agdal, Rabat, Morocco
alikartit@gmail.com
ABSTRACT
The firewall is one of the most widely used components of any network architecture, and deployment, the step that turns an initial policy into a target policy, is a critical operation: it must be carried out without introducing any risk or flaw. Much research has already addressed conflict detection and optimization of policies; in this paper we focus on work that deals with strategies for the secure deployment of policies. Several algorithms have been proposed to solve this problem; we discuss one of them and then propose an improvement of that strategy. In [1] we proposed a correct algorithm for Type I deployment. In this work we study the performance of the new solution, called "Enhanced-Two-Phase-Deployment", and show that it is the more efficient one.
KEYWORDS
Firewall Policy, Network Security, Policy Deployment, Performance Evaluation.
1. INTRODUCTION
Firewalls are devices or programs that control the flow of network traffic between hosts or networks with different security postures. Most firewalls have been deployed at the network perimeter. This does not provide sufficient protection, because a perimeter firewall cannot detect every case and type of attack, and traffic sent by one internal host to another often does not pass through it at all. For these and other reasons, network designers now often place firewall functionality at points other than the network perimeter to provide an additional layer. One function of the firewall is to let the administrator define rules that determine which traffic is allowed or blocked on the private network. In general [3] these rules either (i) permit a connection (accept) or (ii) block a connection (deny). The principle of operation is simple: a set of rules defined by an administrator on the basis that everything not explicitly allowed is prohibited, so the rules that make up the firewall configuration must allow or reject an action or data stream in order to establish or block a connection. Firewalls deploying policies of more than 20K rules are rare on the market, yet we have seen a firewall configured with 50K rules. Manual configuration of such policies has clearly become an impossible task even for expert network administrators.
A firewall policy deployment should have the following characteristics [2]: correctness, confidentiality, safety, and speed.
Correctness: A deployment is correct if it successfully implements the target policy on the firewall. After a correct deployment the target policy becomes the running policy. Correctness is an essential requirement for any deployment.
Confidentiality: Confidentiality refers to securing the communication between a management tool and a firewall. It can be achieved by using encrypted communication protocols such as SSH [4] and SSL [5].
Safety: A deployment is safe if no illegal packet is accepted and no legal packet is rejected while the deployment is in progress. A naive deployment strategy may open temporary security breaches and/or cause a self-denial of service (self-DoS). Deployment safety is a new and challenging area of research.
Speed: A deployment should complete in the shortest possible time, so that the desired state is reached as quickly as possible. A deployment algorithm should have a good running time so that it remains applicable to large policies. A slow deployment is unpleasant for users and may partly defeat the purpose of the deployment [2].
In this paper we focus on Type II policy editing languages. We show that the previously proposed algorithm called "Greedy-2-PhaseDeployment" cannot handle all cases, then propose a correct algorithm that can replace any initial policy by a target one, and examine the efficiency of both algorithms by evaluating their performance, to show how far the new solution is more efficient and gives better results than the old one.
2. FIREWALL BACKGROUND
A firewall is generally placed at the border of the network to act as the access controller for all incoming and outgoing traffic (see Figure 1). It is basically the first line of defense for any network, and its main purpose is to keep unwanted packets out of the network. Its policy is an ordered list of rules, an access control list (ACL).
An ACL is an ordered set of rules. Each rule is a statement with an action that controls whether the firewall denies or allows the passage of a packet, based on criteria found in the packet header. ACLs are used to select the types of traffic to be analyzed, processed, or forwarded by other means.
When packets pass through a firewall or router interface with an ACL attached, the ACL is checked from top to bottom for a pattern matching the incoming packet. The ACL applies one or more security policies, using permit or deny actions, to determine the fate of the packet. ACLs can be configured to control access to a network or subnet.
How traffic is analyzed differs with the type of firewall, and a specific flow is authorized or blocked by comparing its characteristics with the existing policy. To select a firewall technology, design its policy, and acquire a product that effectively meets an organization's needs and protects its network traffic, one must understand the capabilities of each firewall type.
The filtering decision is based on a firewall policy defined by the network administrator. Any field of the IP, ICMP, UDP, or TCP headers can be used [2]; the fields most commonly used are source port, destination port, protocol type, destination IP address, and source IP address [6].
Figure 1. Firewall architecture
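The top-down, first-match evaluation described in this section is what makes rule order, and therefore every intermediate ordering during a deployment, security-relevant. The following Python is an added example and not code from the paper: a minimal evaluator for an ACL whose rules match on protocol, source and destination prefixes and destination port, applied to two overlapping rules in both orders. The Rule layout, the rule and packet values, and the function names are constructed for illustration.

```python
# Added example, not from the paper: a minimal first-match ACL evaluator for the
# top-down processing described in Section 2. Rules and packets below are
# constructed for illustration; the Rule layout and function names are my own.
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source prefix in CIDR notation
    dst: str              # destination prefix in CIDR notation
    dport: Optional[int]  # destination port, None = any port
    action: str           # "permit" or "deny"


Packet = Tuple[str, str, str, int]  # (proto, src_ip, dst_ip, dst_port)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the corresponding packet field."""
    proto, src, dst, dport = pkt
    return (rule.proto in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.dport in (None, dport))


def decide(acl: List[Rule], pkt: Packet) -> str:
    """Walk the ACL top to bottom and return the action of the first matching rule.
    No match means the implicit default of Section 1: not explicitly allowed, so denied."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed policy: a host-specific deny that only works if it sits above the broader permit.
BLOCK_HOST = Rule("tcp", "10.0.0.5/32", "192.0.2.10/32", 22, "deny")
ALLOW_NET = Rule("tcp", "10.0.0.0/8", "192.0.2.10/32", 22, "permit")
SSH_FROM_BAD_HOST: Packet = ("tcp", "10.0.0.5", "192.0.2.10", 22)
SSH_FROM_OTHER: Packet = ("tcp", "10.1.2.3", "192.0.2.10", 22)


def order_matters() -> Tuple[str, str]:
    """Same two rules, swapped: the first ordering blocks the host, the second lets it through."""
    return (decide([BLOCK_HOST, ALLOW_NET], SSH_FROM_BAD_HOST),
            decide([ALLOW_NET, BLOCK_HOST], SSH_FROM_BAD_HOST))


if __name__ == "__main__":
    print(order_matters())  # ('deny', 'permit')
```

The swapped ordering is exactly the kind of intermediate state a deployment must avoid: while the broader permit sits above the host-specific deny, the blocked host is let through, which is the temporary security hole of Section 3.3.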
3. POLICY DEPLOYMENT
To keep the network at a high level of security, administrators or management tools must change the security policy in force, replacing the current policy with a new one that meets the new requirements. This is what we call a policy deployment. Policy deployment is the process by which policy editing commands are issued to the firewall so that the target policy becomes the running policy. As discussed in the Introduction, a deployment must be correct and should satisfy the three further characteristics: confidentiality, safety, and speed.
3.1. Policy Editing Languages
To deploy a user's target policy, a management tool sends editing commands that transform the firewall's current policy, in a form the firewall understands. The administrator therefore needs a language in which a firewall policy can be built and then run effectively, in accordance with the characteristics listed above.
The set of commands that a firewall supports is called its policy editing language. Typically, a firewall uses a subset of the following editing commands [2], where R denotes the running policy and positions are counted from 1:
(app r) appends rule r at the end of R.
(del r) deletes r from R.
(del i) deletes the rule at position i from R.
(ins i r) inserts r at position i.
(mov i j) moves the i-th rule to the j-th position in R.
Policy editing languages can be classified into two representative classes [2]: Type I and Type II.
Type I Editing
Type I editing supports only two commands, append and delete. Command (app r) adds rule r at the end of the running policy R unless r is already in R, in which case the command fails. Command (del r) removes r from R if it is present. Since Type I editing can convert any running policy into any target policy [2], it is complete. Older firewalls and some recent ones, such as JUNOSe 7.x [8] and FWSM 2.x [7], support only Type I editing.
Type II Editing
Type II languages allow arbitrary editing of the firewall policy. They support three operations: (ins i r) inserts rule r at the i-th position of the running policy R, unless r is already present; (del i) removes the i-th rule from R; (mov i j) moves the i-th rule to the j-th position in R. Type II editing can convert any running policy into any target policy without rejecting legal packets or accepting illegal packets [2]; it is therefore both complete and safe. Clearly, for a given pair of initial and target policies, a Type I deployment normally needs many more editing commands than an equivalent Type II deployment. Examples of firewalls with Type II editing are Enterasys Matrix X [10] and SunScreen 3.1 Lite [9].
3.2. Deployment Efficiency
A deployment is most efficient if it uses the minimum number of editing commands in a given language to successfully deploy the target policy on the firewall. For a given deployment scenario, the most-efficient Type I deployment uses the minimum number of append and delete commands, and the most-efficient Type II deployment uses the minimum number of insert, delete, and move commands. Minimizing the number of commands therefore minimizes the overall deployment time. Deployment efficiency for Type II languages is discussed in more detail in Section 4.
3.3. Deployment Safety
A deployment is safe if no legal traffic is denied at any stage and no security hole is introduced during the deployment. A temporary security hole may let malicious traffic through the firewall and cause serious damage to the network infrastructure.
4. TYPE II DEPLOYMENT
Type II editing allows the running policy to be modified at arbitrary positions. Consequently, for a given pair of initial and target policies, a safe Type II deployment uses fewer editing commands than the corresponding Type I deployment. If I and T contain the same set of rules, T can be regarded as a permutation of I. In the general case, where T has some rules that are not in I and I has some rules that are not in T, one command has to be generated to insert or delete each such rule.
4.1. Problems with the Previous Algorithm
In [2], two algorithms for Type II deployment are proposed. The first is a greedy two-phase deployment called TWOPHASEDEPLOYMENT (see Algorithm 1); the second is a most-efficient algorithm called SANITIZEIT. In this paper we are interested in the first. It is claimed in [2] that TWOPHASEDEPLOYMENT is correct and safe. However, it can be shown that it is not correct even for very simple deployments. Consider the application of TWOPHASEDEPLOYMENT to the I and T given in the case below.
Algorithm 1: Greedy 2-Phase Deployment.
TwoPhaseDeployment (I, T) {
  /* algorithm to calculate a safe type II deployment */
  /* to transform firewall policy I into T */

  /* Phase 1: insert and move */
  inserts ← 0
  for t ← 1 to SizeOf(T) do
    if T[t] ∉ I then
      IssueCommand(ins t T[t])
      inserts ← inserts + 1
    else
      IssueCommand(mov IndexOf(T[t], I) + inserts t)

  /* Phase 2: backward delete */
  for i ← SizeOf(I) down to 1 do
    if I[i] ∉ T then
      IssueCommand(del i + inserts)
}
Example:
I = A-M-C-L-K-E
T = L-C-E-M-B-D-F-K
R = K-F-D-B-M-L-C-E (running policy obtained)
Trace:
(a) t=1; IndexOf(L, I)=4; mov 4 1; R0 = L-M-C-K-E
(b) t=2; IndexOf(C, I)=3; mov 3 2; R1 = L-C-K-E
(c) t=3; IndexOf(E, I)=4; mov 4 3; R2 = L-C-E
(d) t=4; T[t]=M inserted; R3 = M-L-C-E
(e) t=5; T[t]=B inserted; R4 = B-M-L-C-E
(f) t=6; T[t]=D inserted; R5 = D-B-M-L-C-E
(g) t=7; T[t]=F inserted; R6 = F-D-B-M-L-C-E
(h) t=8; T[t]=K inserted; R7 = K-F-D-B-M-L-C-E
We can clearly see that the order of the rules is not respected. Preserving the order is essential, so this deployment does not meet the safety criterion. Moving a rule to a higher position shifts the positions of the other rules, and at the end the result differs from the target policy T. The deployment is therefore not correct and does not meet the characteristics listed above for an effective deployment.
4.2. Our Solution for Type II Deployment
The above problems motivate us to provide a correct, safe and efficient algorithm, called
ENHANCED-TWOPHASEDEPLOYMENT (see Algorithm 2).
Algorithm 2: ENHANCED-Greedy-2-Phase Deployment
ENHANCEDTwoPhaseDeployment (I, T) {
  /* algorithm to calculate a safe type II deployment */
  /* to transform firewall policy I into T */

  /* Phase 1: insert and move */
  for t ← 1 to SizeOf(T) do
    if T[t] ∉ I then
      IssueCommand(ins t T[t])
    else
      IssueCommand(mov IndexOf(T[t], I) t)

  /* Phase 2: backward delete */
  for i ← SizeOf(I) down to 1 do
    if I[i] ∉ T then
      IssueCommand(del i)
}
The same example illustrates the effect of the change: the rules absent from I are inserted at their target positions, and because these inserts are the last operations of phase 1 they leave the running policy in the target order, whereas inserting them ahead of the already placed rules disorders the target.
Example:
I = A-M-C-L-K-E
T = L-C-E-M-B-D-F-K
R = L-C-E-M-B-D-F-K (running policy obtained)
Trace:
t=1; IndexOf(L, I)=4; mov 4 1; R0 = L-M-C-K-E
t=2; IndexOf(C, I)=3; mov 3 2; R1 = L-C-K-E
t=3; IndexOf(E, I)=4; mov 4 3; R2 = L-C-E
t=4; T[t]=M; ins 4 M; R3 = L-C-E-M
t=5; T[t]=B; ins 5 B; R4 = L-C-E-M-B
t=6; T[t]=D; ins 6 D; R5 = L-C-E-M-B-D
t=7; T[t]=F; ins 7 F; R6 = L-C-E-M-B-D-F
t=8; T[t]=K; ins 8 K; R7 = L-C-E-M-B-D-F-K
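To make the editing semantics of Section 3.1 and the two deployment listings of Section 4 checkable, the following Python is an added example, my own code and not the paper's C++ implementation. It simulates ins, del and mov on a running policy, reproduces Algorithm 1 and Algorithm 2 exactly as listed so that either can be replayed, and gives a two-phase deployment that, like Algorithm 2, moves each rule straight to its target position t. One point is an assumption on my part: the listings write IndexOf(T[t], I), but after the first mov or ins the positions in the running policy no longer coincide with positions in I (the shift described in Section 4.1), so the added deployment reads the source position from the running policy at the moment each command is issued. Rule names are the letters of the paper's example; the function names are mine.

```python
# Added example, not code from the paper: a simulator for the Type II editing
# commands of Section 3.1 and a two-phase deployment in the sense of Section 4.
# Rule names (single letters) follow the paper's example; the function names and
# the decision to resolve positions in the running policy are my own.
from typing import List, Sequence, Tuple

# A command is ("ins", i, rule), ("del", i) or ("mov", i, j); positions are 1-based.
Command = Tuple


def apply_command(R: Sequence[str], cmd: Command) -> List[str]:
    """Return the running policy after one editing command, per Section 3.1."""
    R = list(R)
    op = cmd[0]
    if op == "ins":                        # (ins i r): insert r at position i, fails if r present
        _, i, rule = cmd
        if rule in R:
            raise ValueError(f"ins {rule}: rule already in running policy")
        R.insert(i - 1, rule)
    elif op == "del":                      # (del i): delete the rule at position i
        del R[cmd[1] - 1]
    elif op == "mov":                      # (mov i j): move the i-th rule to position j
        _, i, j = cmd
        R.insert(j - 1, R.pop(i - 1))
    else:
        raise ValueError(f"unknown command {op!r}")
    return R


def running_policies(I: Sequence[str], cmds: Sequence[Command]) -> List[List[str]]:
    """Every running policy from I (inclusive) to the final one, in order."""
    states = [list(I)]
    for cmd in cmds:
        states.append(apply_command(states[-1], cmd))
    return states


def as_listed(I: Sequence[str], T: Sequence[str], shift_by_inserts: bool) -> List[Command]:
    """Phase 1 / phase 2 exactly as written in Algorithm 1 (shift_by_inserts=True)
    and Algorithm 2 (False): every position comes from IndexOf(T[t], I), the initial policy."""
    cmds: List[Command] = []
    inserts = 0
    for t, rule in enumerate(T, start=1):
        if rule not in I:
            cmds.append(("ins", t, rule))
            inserts += 1
        else:
            offset = inserts if shift_by_inserts else 0
            cmds.append(("mov", list(I).index(rule) + 1 + offset, t))
    for i in range(len(I), 0, -1):
        if I[i - 1] not in T:
            cmds.append(("del", i + (inserts if shift_by_inserts else 0)))
    return cmds


def two_phase_deployment(I: Sequence[str], T: Sequence[str]) -> List[Command]:
    """Greedy two-phase deployment that moves each rule straight to its target
    position t and reads the source position from the running policy at the
    moment the command is issued (assumption: earlier ins/mov commands shift
    positions, so an index taken from I can point at a different rule)."""
    R, cmds = list(I), []                    # R mirrors what the firewall holds right now
    for t, rule in enumerate(T, start=1):    # phase 1: top-down insert / move
        if rule not in R:
            cmd: Command = ("ins", t, rule)
        else:
            i = R.index(rule) + 1
            if i == t:                       # already in place, nothing to issue
                continue
            cmd = ("mov", i, t)
        cmds.append(cmd)
        R = apply_command(R, cmd)
    # After phase 1, positions 1..|T| hold T in order; everything below is I minus T.
    for i in range(len(R), len(T), -1):      # phase 2: backward delete
        cmds.append(("del", i))
        R = apply_command(R, ("del", i))
    return cmds


def deploys_correctly(I: Sequence[str], T: Sequence[str], cmds: Sequence[Command]) -> bool:
    """Correctness in the sense of Section 1: the final running policy is exactly T."""
    return running_policies(I, cmds)[-1] == list(T)


# The paper's example from Sections 4.1 and 4.2.
I_EXAMPLE = "A M C L K E".split()
T_EXAMPLE = "L C E M B D F K".split()

if __name__ == "__main__":
    for label, cmds in [("Algorithm 1 as listed", as_listed(I_EXAMPLE, T_EXAMPLE, True)),
                        ("running-policy two-phase", two_phase_deployment(I_EXAMPLE, T_EXAMPLE))]:
        final = running_policies(I_EXAMPLE, cmds)[-1]
        print(label, len(cmds), "commands ->", "-".join(final),
              deploys_correctly(I_EXAMPLE, T_EXAMPLE, cmds))
```

On the paper's example, Algorithm 1 as listed ends in a running policy other than T (the simulator prints it), while the running-policy version reaches exactly T in nine commands: four moves, three inserts, one move and one delete. The shift_by_inserts flag replays either listing literally, so the effect of taking positions from I rather than from the running policy can be checked directly. Before a generated sequence is sent to a real firewall, running it through running_policies and comparing the last state with T is the cheap correctness check of Section 1; a stale index is the kind of defect that otherwise only shows up as the wrong rule being moved or deleted on the live device.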
5. PERFORMANCE EVALUATION OF THE NEW ALGORITHM
We follow the same set of test cases as in [2] to evaluate the performance of Enhanced-Greedy-2-PhaseDeployment. We use four firewall policies with 2000, 5000, 10000, and 25000 rules and perform five different tests on each policy. We implemented the new algorithm in C++ in order to test and evaluate its performance. All tests were run on an HP machine with an Intel(R) Core(TM) 4 DUO CPU at 3.00 GHz (2 CPUs) and 6 GB of RAM. We use a firewall simulator configured to match the performance of an ASA 525 firewall and connect to it over a 100 Mb Ethernet link. Each test case is run 10 times and the average is recorded for Enhanced-Greedy-2-PhaseDeployment and for the SANITIZEIT algorithm combined with diff. The results of each test on policies 1-4 are shown in Table 1: column SI gives the total time taken by diff and the SANITIZEIT algorithm of [2] to compute a safe deployment, and column EG2PD the time taken by Enhanced-Greedy-2-PhaseDeployment.
Table 1. Results of experiments (in seconds; EG2PD = Enhanced-Greedy-2-PhaseDeployment, SI = SANITIZEIT combined with diff).

        Policy1 (size=2000)   Policy2 (size=5000)   Policy3 (size=10000)  Policy4 (size=25000)
Test    EG2PD     SI          EG2PD     SI          EG2PD     SI          EG2PD     SI
Test 1  0.0054    0.0110      0.0140    0.0216      0.0213    0.0360      0.0622    0.1750
Test 2  0.0051    0.0110      0.0169    0.0266      0.0152    0.0390      0.0630    0.1290
Test 3  0.0046    0.0360      0.0162    0.0450      0.0142    0.0533      0.0620    0.3310
Test 4  0.0045    0.0380      0.0165    0.2300      0.0135    1.1330      0.0623    9.6450
Test 5  0.00471   0.0687      0.0142    0.3280      0.1323    3.2440      0.0642    15.0660
Enhanced-Greedy-2-PhaseDeployment clearly takes a fraction of a second to compute a most-efficient and safe deployment even for a policy as large as Policy 4, and it produces such a deployment much more quickly than SANITIZEIT combined with diff. However, it may not be appropriate to draw conclusions directly from tests 2-5, because [2] gives no details about the nature of the changes. For instance, consider Test 5 on Policy 4: an edit distance of 90% means that 22,600 commands must be issued to turn the initial policy into the target policy. If those are 22,600 insert commands, T has 47,600 rules, whereas if they are 22,600 delete commands, T has only 2,400 rules. A reliable comparison is therefore possible only if the sizes of the initial and target policies used in [2] are known, so that policies of the same sizes can be used to test Enhanced-Greedy-2-PhaseDeployment. Test 1, however, consists of only 10 changes and can be used to compare the two algorithms.
Figure 2. Comparison of Enhanced-Greedy-2-PhaseDeployment and SanitizeIT for Test 1
From the curve in Figure 2 it can be concluded that Enhanced-Greedy-2-PhaseDeployment is more efficient than SANITIZEIT and that its running time is close to linear, whereas SANITIZEIT appears to have polynomial running time. The effect is most noticeable for Test 5 on Policy 4, where SI takes almost 15 seconds to compute a deployment sequence.
6. CONCLUSION
Firewall policy deployment is a broad, recent subject and an error-prone task. Several researchers have proposed strategies for updating a policy while respecting the safety and efficiency criteria, but none yet offers an efficient one that gives good results in all cases.
In this paper we have shown that recent approaches [2] to firewall policy deployment contain critical errors: they can introduce temporary security holes that permit illegal traffic and/or interrupt network services by blocking legal traffic during a deployment. For Type II policy editing languages we have proposed the efficient and safe algorithm called Enhanced-
International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013
161
Test 4 0,0045 0,0380 0,0165 0,2300 0,0135 1,1330 0,0623 9,6450
Test 5 0,00471 0,0687 0,0142 0,3280 0,1323 3,2440 0,0642 15,0660
Enhanced-Greedy-2-PhaseDeployment takes a fraction of a second to compute a most efficient and safe deployment even for policies as large as Policy 4, and it does so much faster than the SANITIZEIT algorithm combined with diff. However, conclusions for Tests 2-5 should be drawn with care, because [2] gives no details about the nature of the changes. Consider Test 5 on Policy 4: an edit distance of 90% means that 22,600 commands must be issued to turn the initial policy into the target policy T. If all 22,600 are insert commands, T has 47,600 rules (22,600 more than the 25,000 rules of the initial policy); if all are delete commands, T has only 2,400 rules. A reliable comparison therefore requires knowing the sizes of the initial and target policies used in [2], so that policies of the same sizes can be used to test Enhanced-Greedy-2-PhaseDeployment. Test 1, however, consists of only 10 changes, so it can be used to compare the two algorithms directly.
Figure 1. Comparison of Enhanced-Greedy-2-PhaseDeployment and SANITIZEIT for Test 1
The curve in Figure 1 shows that Enhanced-Greedy-2-PhaseDeployment is more efficient than SANITIZEIT and that its running time is close to linear in the policy size, whereas SANITIZEIT appears to have polynomial running time. The effect is most visible for Test 5 on Policy 4, where SANITIZEIT takes almost 15 seconds to compute a deployment sequence.
6. CONCLUSION
Firewall policy deployment is a large and error-prone task. Several researchers have proposed strategies for updating a policy while respecting the safety and efficiency criteria, but none of them has proposed an efficient strategy that gives good results in all cases.
In this paper, we have shown that recent approaches [2] to firewall policy deployment contain critical errors: they can introduce temporary security holes that permit illegal traffic and/or interrupt network services by blocking legal traffic during a deployment. For type II policy editing languages we have proposed an efficient and safe algorithm called Enhanced-Greedy-2-PhaseDeployment. This algorithm is approximately linear, most efficient and safe. Our experimental results show that it adds no overhead and is practical even for very large policies. Future work will address the second algorithm, SANITIZEIT, in order to improve it.
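As an added illustration of the safety criterion discussed in this conclusion (example code written for this edit, not the authors' Enhanced-Greedy-2-PhaseDeployment implementation and not code from [2]), the following Python simulates a deployment sequence written in a type II editing language (insert, delete and move commands) and reports the first intermediate policy that decides a packet differently from both the initial policy I and the target policy T. The rule format (source prefix, destination port, action), the first-match and default-deny semantics, the 0-based positions, the two sample policies and the packet sample are all constructed assumptions for the example.

```python
"""Safety check for a firewall policy deployment sequence (constructed example).

Policies are ordered rule lists with first-match semantics; commands follow a
type II editing language (insert at position, delete position, move position).
A deployment is safe when no intermediate policy decides a packet differently
from the initial policy I and the target policy T whenever I and T agree on it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = Tuple[str, int]          # (source IP, destination port); assumed format


@dataclass(frozen=True)
class Rule:
    src: str      # source prefix in CIDR notation (assumed rule format)
    dport: int    # destination port, 0 = any port
    action: str   # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        src, dport = pkt
        return ip_address(src) in ip_network(self.src) and self.dport in (0, dport)


def decide(policy: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; the default action applies otherwise."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return default


def apply_command(policy: List[Rule], cmd: tuple) -> List[Rule]:
    """Apply one editing command and return the new policy (positions are 0-based).
    ("ins", i, rule) inserts rule at i; ("del", i) removes position i;
    ("mov", i, j) takes the rule at i out and re-inserts it at j."""
    p = list(policy)
    op = cmd[0]
    if op == "ins":
        p.insert(cmd[1], cmd[2])
    elif op == "del":
        del p[cmd[1]]
    elif op == "mov":
        p.insert(cmd[2], p.pop(cmd[1]))
    else:
        raise ValueError(f"unknown command {op!r}")
    return p


def check_deployment(initial, target, commands, packets) -> Tuple[bool, Optional[tuple]]:
    """Simulate the sequence step by step.

    Returns (True, None) if every intermediate policy is safe with respect to
    the packet set and the final policy equals the target.  Otherwise returns
    (False, detail) where detail names the first violating step, command,
    packet and the decision the intermediate policy made for it."""
    current = list(initial)
    for step, cmd in enumerate(commands, 1):
        current = apply_command(current, cmd)
        for pkt in packets:
            before, after = decide(initial, pkt), decide(target, pkt)
            if before == after and decide(current, pkt) != before:
                return False, (step, cmd, pkt, decide(current, pkt))
    if current != list(target):
        return False, ("sequence does not reach the target policy", current)
    return True, None


# Constructed sample policies: I allows everything from 10.0.0.0/8 and denies
# SSH from anywhere else; T restricts SSH from 10.0.0.0/8 to the admin subnet.
ALLOW_INTERNAL = Rule("10.0.0.0/8", 0, "allow")
DENY_SSH = Rule("0.0.0.0/0", 22, "deny")
ALLOW_ADMIN_SSH = Rule("10.1.1.0/24", 22, "allow")

INITIAL = [ALLOW_INTERNAL, DENY_SSH]
TARGET = [ALLOW_ADMIN_SSH, DENY_SSH, ALLOW_INTERNAL]

# Two sequences with the same (minimal) number of commands; only the order differs.
NAIVE_SEQUENCE = [("mov", 1, 0), ("ins", 0, ALLOW_ADMIN_SSH)]   # move first
SAFE_SEQUENCE = [("ins", 0, ALLOW_ADMIN_SSH), ("mov", 2, 1)]    # insert first

# Constructed packet sample; a real check needs full header-space coverage.
PACKETS: List[Packet] = [
    ("10.1.1.5", 22),     # admin SSH: allowed by I and by T
    ("10.2.2.2", 22),     # non-admin internal SSH: I allows, T denies (not checked)
    ("172.16.0.1", 22),   # external SSH: denied by both
    ("10.5.5.5", 80),     # internal HTTP: allowed by both
    ("8.8.8.8", 443),     # unmatched: default deny in both
]


if __name__ == "__main__":
    for name, seq in (("naive", NAIVE_SEQUENCE), ("safe", SAFE_SEQUENCE)):
        ok, detail = check_deployment(INITIAL, TARGET, seq, PACKETS)
        print(f"{name}: {'safe' if ok else 'UNSAFE'} {detail if detail else ''}")
```

Both sequences are equally efficient (two commands), but the naive order moves the deny rule above the internal allow rule before the admin exception exists, so admin SSH, which both I and T permit, is blocked for one step: exactly the "legal traffic interrupted" failure described above. The same comparison catches the opposite direction, a packet denied by both I and T that some intermediate policy allows. The check is only as strong as the packet set it is given; an exhaustive version must enumerate or symbolically cover the whole header space.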
REFERENCES
[1] A. Kartit and M. El Marraki, "On the Correctness of Firewall Policy Deployment", Journal of Theoretical and Applied Information Technology, ISSN 1992-8645, Vol. 19, No. 1, pp. 22-27, 15 September 2010.
[2] C. C. Zhang, M. Winslett and C. A. Gunter, "On the Safety and Efficiency of Firewall Policy Deployment", in SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 33-50, Washington, DC, USA, 2007. IEEE Computer Society.
[3] K. Scarfone and P. Hoffman, "Guidelines on Firewalls and Firewall Policy", NIST Special Publication 800-41, July 2008.
[4] T. Ylönen, "SSH: Secure Login Connections over the Internet", in SSYM'96: Proceedings of the 6th USENIX Security Symposium, Focusing on Applications of Cryptography, pp. 4-4, Berkeley, CA, USA, 1996. USENIX Association.
[5] D. Wagner and B. Schneier, "Analysis of the SSL 3.0 Protocol", in WOEC'96: Proceedings of the Second USENIX Workshop on Electronic Commerce, pp. 4-4, Berkeley, CA, USA, 1996. USENIX Association.
[6] S. Cobb, "ICSA Firewall Policy Guide v2.0", Technical Report, NCSA Security White Paper Series, 1997.
[7] Cisco Security Manager, http://www.cisco.com/en/US/products/ps6498/index.html.
[8] Juniper Network and Security Manager, http://www.juniper.net/us/en/local/pdf/datasheets/1100018-en.pdf.
[9] M. Englund, "Securing Systems with Host-Based Firewalls", Sun BluePrints Online, September 2001.
[10] Enterasys Matrix X Core Router, http://www.entrasys.com/products/routing/x/.
Authors
Ali Kartit holds a doctorate in computer network security from the Faculty of Sciences of Rabat. His research covers firewall security policies, intrusion detection and prevention systems (IDS/IPS), and security in cloud environments.