1. The document describes the configuration files for two firewalls (FW1 and FW2) that control network traffic between public hosts, a DMZ, and an internal network.
2. FW1's Netfilter/iptables configuration sets default policies to drop all traffic, then uses custom chains to allow outgoing SMTP and HTTP from the DMZ to public hosts, as well as incoming SMTP to the DMZ server, while denying access from the local network.
3. FW2's Cisco PIX configuration uses an access list to deny SMTP and HTTP connections from two specific hosts in the DMZ to the server, but permits them from other hosts in the DMZ subnet.
8. Introduction
Security is a critical concern... At the network level, firewalls play a key role.
Why so?
They implement access control policies in networks:
  Subjects = hosts (acting as message senders)
  Objects = hosts (acting as message receivers)
  Actions = message sending to hosts with certain characteristics:
    Port
    Protocol
  Confidentiality
  Integrity
© AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
11. Introduction
Implementation of a network security policy:
  Done generally by hand
  Low-level and vendor-specific rule filtering languages
  Topology: policy enforcement is distributed
CONSEQUENCES:
  Knowing which policy is actually being enforced is a challenge
  Possible security flaws
  Hampers evolution
Solution? Raise the abstraction level
  Abstracts from low-level system specificities
  Abstracts from topology
  Simplifies management of the policy
12. Motivation
Intranet: private hosts + administrator
DMZ providing: HTTP/HTTPS, FTP, SMTP and SSH
Public hosts
2 firewalls controlling:
  Firewall 1: traffic between public hosts and DMZ
  Firewall 2: traffic between intranet and DMZ
25. Example: Evaluation
Expert knowledge about netfilter iptables and Cisco PIX is required:
  Its syntax
  Its execution semantics
The topology has to be known to ease the understanding of the policy of the individual firewalls.
All the firewalls have to be taken into account to derive a global policy.
Some numbers: M = number of firewalls, N = number of rules
  Big companies: M >> N, e.g. BNP network: M ≈ 1000, N ≈ 100
  Small companies: N >> M
Manual approach?
  For corporate networks, M (potentially from different vendors) and N are big enough to make the task very hard.
27. Approach
Solution? Raise the abstraction level
Abstract from low-level system specificities
Abstract from topology
Simplify management of the policy
Our proposal
A model-driven extraction process towards a network access-control model representing the global policy of the system.
31. Approach: Injection
A mere translation between technical spaces (configuration text to model):
No information loss
Same abstraction level
Requirements: for each rule-filtering language we need
A PSM (platform-specific model)
A parser
An injector
We obtain all three by providing the language grammar to XTEXT
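As an added example (not the deck's Xtext-generated injector, which is derived from the iptables grammar), here is a hand-written injector for the iptables-save subset that a configuration like FW1's uses. It shows the two properties the slide asks for: the PSM stays at the iptables level of abstraction (chain names, jump targets, raw option values, file order), and the translation is lossless, checked by rendering every rule back to text. The sample file is constructed for the example and only the `-A`, `-p`, `-s`, `-d`, `--sport`, `--dport` and `-j` options are supported; anything else raises instead of being dropped, because an injector that silently skips an option it does not understand produces a model that claims a policy the firewall does not enforce.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the deck's FW1 (netfilter) configuration, not its real
# file: drop-by-default built-in chains and two user-defined chains for DMZ traffic.
SAMPLE_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:dmz_out - [0:0]
:dmz_in - [0:0]
-A FORWARD -s 111.222.1.0/24 -j dmz_out
-A FORWARD -d 111.222.1.0/24 -j dmz_in
-A dmz_out -p tcp --dport 25 -j ACCEPT
-A dmz_out -p tcp --dport 80 -j ACCEPT
-A dmz_in -p tcp -d 111.222.1.17 --dport 25 -j ACCEPT
-A dmz_in -s 111.222.2.0/24 -j DROP
COMMIT
"""


@dataclass(frozen=True)
class IptablesRule:
    """PSM element for one -A line: still at the iptables level of abstraction (chain names,
    jump targets, raw option values), numbered in file order, nothing inferred."""
    order: int
    chain: str
    target: str
    protocol: Optional[str] = None
    source: Optional[str] = None
    destination: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None


_OPTIONS = {"-p": "protocol", "-s": "source", "-d": "destination",
            "--sport": "sport", "--dport": "dport", "-j": "target"}


def parse_iptables(text: str) -> tuple[dict[str, str], list[IptablesRule]]:
    """Inject an iptables-save dump: returns (chain policies, rules in file order).
    Anything outside the supported subset raises instead of being silently dropped."""
    policies: dict[str, str] = {}
    rules: list[IptablesRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):                    # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy                # "-" marks a user-defined chain
            continue
        tokens = line.split()
        if tokens[0] != "-A":
            raise ValueError(f"unsupported directive: {line}")
        fields: dict[str, str] = {"chain": tokens[1]}
        for flag, value in zip(tokens[2::2], tokens[3::2]):
            if flag not in _OPTIONS:
                raise ValueError(f"unsupported option {flag!r} in: {line}")
            fields[_OPTIONS[flag]] = value
        if len(tokens) % 2 or "target" not in fields:
            raise ValueError(f"malformed rule: {line}")
        rules.append(IptablesRule(order=len(rules) + 1, **fields))
    return policies, rules


def render(rule: IptablesRule) -> str:
    """Regenerate the -A line from the PSM object: round-tripping the input unchanged
    is the 'no information loss' check."""
    parts = ["-A", rule.chain]
    for flag, value in (("-p", rule.protocol), ("-s", rule.source), ("-d", rule.destination),
                        ("--sport", rule.sport), ("--dport", rule.dport)):
        if value is not None:
            parts += [flag, value]
    return " ".join(parts + ["-j", rule.target])
```

Note what the PSM does not do: the two `-j dmz_out` / `-j dmz_in` jumps are kept as targets, not resolved into the effective per-packet decision. Resolving chain traversal and the default DROP policies is exactly the PSM-to-PIM step the next slides describe, and keeping it out of the injector is what makes the injection reversible.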
37. Approach: PSM2PIM
Simplest PIM: Ri : {conditions} → {decision}
i: order within the configuration file
condition: a set of rule-matching attributes, such as the IP source address
decision: accept or deny
Problems?
Highly redundant and dispersed
Not suited to representing exception-oriented access control
Anomalies (positive/negative logic conflicts + execution algorithm)
39. PSM2PIM
First step: transform the PSM into the corresponding PIM
Rule shadowing: a rule R is shadowed when it never applies because another rule with higher priority matches all the packets it may match.
Rule redundancy: a rule R is redundant when it is not shadowed and removing it from the rule set does not change the security policy.
Rule irrelevance: a rule R is irrelevant when it is meant to match packets that do not pass through the given firewall.
Second step: PIM refinement
Improves internal organization: representation of exceptions
Detection of anomalies
40. PSM2PIM refining algorithm 1
Algorithm 1
1: C ← All Connections
2: Caccept ← Ci ∈ C (Ci.decision = Accept)
3: for each Ci ∈ Caccept do
4:   Cdeny ← Cj ∈ C (Cj.decision = Deny and matched(Cj) ⊆ matched(Ci))
5:   for each Cj ∈ Cdeny do
6:     if Cj.order < Ci.order then
7:       Create Exception from Cj
8:       Remove Cj
9:     else
10:      Cj.IsShadowed ← true
11:    end if
12:  end for
13: end for
14: Cdeny ← Cj ∈ C (Cj.decision = Deny and Cj.IsShadowed = false)
15: for each Cj ∈ Cdeny do
16:   Cj.IsRedundant ← true
17: end for
42. Implementation: ATL
rule deleteDeny {
    from
        s : NetworkAC!Connection (
            s.decision = #Deny and
            thisModule.TotalExceptionRules.includes(s))
    to
        drop
        t : NetworkAC!Exception (
            decision <- s.decision,
            dstPort <- s.dstPort,
            firewall <- s.firewall,
            order <- s.order,
            protocol <- s.protocol,
            source <- s.source,
            srcPort <- s.srcPort,
            target <- s.target
        )
}
rule MarkShadowed {
    from
        s : NetworkAC!Connection (
            s.decision = #Deny and
            thisModule.ShadowedRules.includes(s))
    to
        t : NetworkAC!Connection (
            isShadowed <- true
        )
}
rule MarkRedundant {
    from
        s : NetworkAC!Connection (
            s.decision = #Deny and
            thisModule.ShadowedRules.excludes(s) and
            thisModule.TotalExceptionRules.excludes(s))
    to
        t : NetworkAC!Connection (
            isRedundant <- true
        )
}
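Algorithm 1 and the three ATL rules above (deleteDeny, MarkShadowed, MarkRedundant) do the same refinement; the following is an added Python rendering of it, not code from the deck, on one firewall's rule list. It assumes a connection's conditions are protocol, source and target CIDR blocks and destination port (source port left out for brevity), and it decides matched(Cj) ⊆ matched(Ci) by field-wise containment with the ipaddress module. Two caveats a practitioner should keep in mind: the algorithm only relates Deny rules to Accept rules, so the redundancy marking is only right under a default-deny policy, and an Accept rule shadowed by an earlier, broader Accept (covered by the slide 39 definition of shadowing) is not detected here. The sample rule set is constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(eq=False)   # identity equality, so list.remove() drops exactly the matched object
class Connection:
    """One PIM rule R_i : {conditions} -> {decision}; `order` is i, its position in the file."""
    firewall: str
    order: int
    protocol: str          # "tcp", "udp" or "any"
    source: str            # CIDR block (a host is a /32)
    target: str
    dst_port: str          # port number as a string, or "any"
    decision: str          # "Accept" or "Deny"
    exceptions: list[Connection] = field(default_factory=list)   # Deny rules folded into this Accept
    is_shadowed: bool = False
    is_redundant: bool = False


def matched_subset(inner: Connection, outer: Connection) -> bool:
    """matched(inner) ⊆ matched(outer): every field of `outer` is at least as general."""
    return (
        outer.protocol in ("any", inner.protocol)
        and outer.dst_port in ("any", inner.dst_port)
        and ip_network(inner.source).subnet_of(ip_network(outer.source))
        and ip_network(inner.target).subnet_of(ip_network(outer.target))
    )


def refine(rules: list[Connection]) -> list[Connection]:
    """Algorithm 1 of the slides (the steps the ATL rules deleteDeny, MarkShadowed and
    MarkRedundant perform), applied to one firewall's rule list."""
    conns = sorted(rules, key=lambda c: c.order)                      # 1: C
    accepts = [c for c in conns if c.decision == "Accept"]            # 2: Caccept
    for ci in accepts:                                                # 3
        denies = [cj for cj in conns                                  # 4: Cdeny
                  if cj.decision == "Deny" and matched_subset(cj, ci)]
        for cj in denies:                                             # 5
            if cj.order < ci.order:                                   # 6
                ci.exceptions.append(cj)                              # 7: create Exception
                conns.remove(cj)                                      # 8: remove Cj
            else:
                cj.is_shadowed = True                                 # 10: a later Deny never fires
    for cj in conns:                                                  # 14-16
        if cj.decision == "Deny" and not cj.is_shadowed:
            cj.is_redundant = True          # only restates the default-deny policy
    return conns


def sample_fw2() -> list[Connection]:
    """Constructed input in the shape of the deck's FW2 policy: two DMZ hosts denied SMTP to
    the server ahead of a subnet-wide accept, plus two Deny rules that change nothing."""
    server, dmz = "111.222.1.17/32", "111.222.1.0/24"
    return [
        Connection("fw2", 1, "tcp", "111.222.1.5/32", server, "25", "Deny"),
        Connection("fw2", 2, "tcp", "111.222.1.6/32", server, "25", "Deny"),
        Connection("fw2", 3, "tcp", dmz, server, "25", "Accept"),
        Connection("fw2", 4, "tcp", "111.222.1.9/32", server, "25", "Deny"),   # after rule 3: shadowed
        Connection("fw2", 5, "tcp", "111.222.2.0/24", server, "21", "Deny"),   # no Accept covers it: redundant
    ]


if __name__ == "__main__":
    for c in refine(sample_fw2()):
        notes = [f"exceptions={[e.order for e in c.exceptions]}" if c.exceptions else "",
                 "shadowed" if c.is_shadowed else "", "redundant" if c.is_redundant else ""]
        print(c.order, c.decision, c.source, "->", f"{c.target}:{c.dst_port}", *filter(None, notes))
```

On the sample, rules 1 and 2 become exceptions of rule 3 (the exception-oriented representation slide 37 asks for), rule 4 is flagged shadowed, and rule 5 is flagged redundant. A shadowed or redundant Deny is not harmless in practice: it usually means the administrator believed something was being blocked that is not, which is the kind of gap the global model is meant to surface.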
45. PIM Aggregation
An individual firewall gives only a partial view of the security enforced in the whole network.
E.g., access to the SMTP service is managed by both firewalls: one allows access from the public hosts, the other allows access from the intranet.
We need to aggregate the individual models!!
REVERSIBLE: each Connection keeps its original firewall and rule ordering.
GlobalModel = M1 ∪ M2 ∪ … ∪ Mn
Refinement to assign types to Network Elements
47. Applications: Refinement
Individual firewalls may contain only locally relevant information.
We need to discern between locally and globally relevant information!!
The global model is easier to understand
Isolate the policy from the enforcement topology
Algorithm 2
1: C ← All Connections
2: E ← All Exceptions
3: for each Ei ∈ E do
4:   L ← Ci ∈ C (Ci.firewall = Ei.firewall and matched(Ci) ⊆ matched(Ei))
5:   if L ≠ ∅ then
6:     Ei.IsLocal ← true
7:     for each Ci ∈ L do
8:       Ci.IsLocal ← true
9:     end for
10:  end if
11: end for
49. Applications: Metrics & queries
We query our model for the existence of any connection allowing the administrator host (111.222.2.54) to connect to the server (111.222.1.17):
Evaluating:
self.connections->exists(
    e | e.source.ipAddr = '111.222.2.54'
    and e.target.ipAddr = '111.222.1.17')
Results:
false
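The aggregation of slide 45 and the query above, as an added Python example that is not part of the deck: the union keeps firewall and order on every connection so it can be split back into the original per-firewall models, and the OCL query is reproduced literally, as string equality on the element addresses. Because of that equality the query only finds connections whose source element is exactly the administrator host; a second function asks the question the way a packet filter answers it, by address containment, and takes the set of firewalls the traffic actually crosses, since a rule on a firewall the traffic never reaches (the irrelevance case of slide 39) would otherwise produce a false positive. The two rule sets are constructed in the shape of the deck's topology, not its real configurations.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Connection:
    """Aggregated-model connection: `firewall` and `order` are kept so the union is reversible."""
    firewall: str
    order: int
    protocol: str
    source: str      # NetworkElement address: a host ("111.222.2.54") or a block ("111.222.2.0/24")
    target: str
    dst_port: str
    decision: str    # "Accept" or "Deny"


def aggregate(*models: list[Connection]) -> list[Connection]:
    """GlobalModel = M1 ∪ M2 ∪ ... ∪ Mn: a plain union; nothing is merged, renumbered or reordered."""
    return [c for model in models for c in model]


def split_by_firewall(global_model: list[Connection]) -> dict[str, list[Connection]]:
    """Inverse of aggregate(): each firewall's rules back in their original order."""
    per_fw: dict[str, list[Connection]] = {}
    for c in global_model:
        per_fw.setdefault(c.firewall, []).append(c)
    return {fw: sorted(rules, key=lambda c: c.order) for fw, rules in per_fw.items()}


def exists_exact(model: list[Connection], src_ip: str, dst_ip: str) -> bool:
    """The slide's OCL query, literally: connections->exists(e | e.source.ipAddr = src and
    e.target.ipAddr = dst). String equality, so a block that contains the host does not count."""
    return any(c.source == src_ip and c.target == dst_ip for c in model)


def accepts_host_pair(model: list[Connection], src_ip: str, dst_ip: str,
                      via: set[str] | None = None) -> bool:
    """Is there an Accept connection whose source and target blocks contain the two hosts?
    `via` restricts the check to the firewalls the traffic really crosses."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(
        c.decision == "Accept"
        and (via is None or c.firewall in via)
        and s in ip_network(c.source) and d in ip_network(c.target)
        for c in model
    )


def sample_models() -> tuple[list[Connection], list[Connection]]:
    """Constructed per-firewall PIMs in the shape of the deck's topology (not its real rule sets)."""
    server, dmz, intranet = "111.222.1.17", "111.222.1.0/24", "111.222.2.0/24"
    fw1 = [  # public hosts <-> DMZ
        Connection("fw1", 1, "tcp", "0.0.0.0/0", server, "25", "Accept"),
        Connection("fw1", 2, "tcp", dmz, "0.0.0.0/0", "25", "Accept"),
        Connection("fw1", 3, "tcp", dmz, "0.0.0.0/0", "80", "Accept"),
    ]
    fw2 = [  # intranet <-> DMZ
        Connection("fw2", 1, "tcp", intranet, server, "25", "Accept"),
        Connection("fw2", 2, "tcp", intranet, server, "22", "Accept"),
        Connection("fw2", 3, "tcp", intranet, server, "21", "Deny"),
    ]
    return fw1, fw2
```

On this sample the literal query returns false, as on the slide, although the administrator can reach the server through FW2's intranet-wide accepts; and `accepts_host_pair(..., via={"fw1"})` also returns true only because FW1's any-source SMTP rule textually covers the intranet address, which is why the firewall attribution kept by the aggregation matters when asking reachability questions of the global model.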
52. Applications: PIM 2 XACML
XACML PIM Metamodel
Table: PIM to XACML mappings
PolicySet: a PolicySet containing a Policy is created for each firewall in the PIM
Policy: all the Connections and Exceptions belonging to a given firewall
Rule: a single Connection or Exception
Subject: source NetworkElement address and source port of a given Connection or Exception
Resource: target NetworkElement address and target port of a given Connection or Exception
Action: not mapped; the action is always the ability to send a message
Condition: protocol field
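The mapping table, carried out as an added example (not the deck's XPAND templates) that emits XACML 3.0 with the standard library. Two choices the table leaves open are made here and should be read as assumptions: each firewall's Policy uses the first-applicable rule-combining algorithm, because that is the only standard algorithm that preserves a firewall's first-match order, and an Exception is emitted as a Deny Rule placed just before the Accept Rule it was folded into, so that order makes it win; the PolicySets use deny-overrides, so a flow must be permitted by every firewall it crosses. The network attribute identifiers are invented for the example, since the deck lists network-specific XACML attributes as future work; the input PIM is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ONE_AND_ONLY = "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ENVIRONMENT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
# Network attributes are not standard XACML (the deck lists them as future work);
# these three ids are invented for the example.
ADDR, PORT, PROTO = "urn:example:net:address", "urn:example:net:port", "urn:example:net:protocol"


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"


@dataclass
class PimRule:
    firewall: str
    order: int
    protocol: str
    source: str
    src_port: str
    target: str
    dst_port: str
    decision: str                                   # "Accept" or "Deny"
    exceptions: list[PimRule] = field(default_factory=list)


def _match(allof: ET.Element, category: str, attr_id: str, value: str) -> None:
    m = ET.SubElement(allof, q("Match"), MatchId=STRING_EQUAL)
    ET.SubElement(m, q("AttributeValue"), DataType=XS_STRING).text = value
    ET.SubElement(m, q("AttributeDesignator"), Category=category, AttributeId=attr_id,
                  DataType=XS_STRING, MustBePresent="false")


def _rule(policy: ET.Element, r: PimRule, rule_id: str) -> None:
    rule = ET.SubElement(policy, q("Rule"), RuleId=rule_id,
                         Effect="Permit" if r.decision == "Accept" else "Deny")
    allof = ET.SubElement(ET.SubElement(ET.SubElement(rule, q("Target")), q("AnyOf")), q("AllOf"))
    _match(allof, SUBJECT, ADDR, r.source)        # Subject: source address and port
    _match(allof, SUBJECT, PORT, r.src_port)
    _match(allof, RESOURCE, ADDR, r.target)       # Resource: target address and port
    _match(allof, RESOURCE, PORT, r.dst_port)     # Action: not mapped
    cond = ET.SubElement(ET.SubElement(rule, q("Condition")), q("Apply"), FunctionId=STRING_EQUAL)
    one = ET.SubElement(cond, q("Apply"), FunctionId=ONE_AND_ONLY)   # Condition: protocol field
    ET.SubElement(one, q("AttributeDesignator"), Category=ENVIRONMENT, AttributeId=PROTO,
                  DataType=XS_STRING, MustBePresent="true")
    ET.SubElement(cond, q("AttributeValue"), DataType=XS_STRING).text = r.protocol


def to_xacml(pim: list[PimRule]) -> str:
    """Root PolicySet -> one PolicySet with one Policy per firewall -> one Rule per
    Connection or Exception, in the firewall's original order."""
    ET.register_namespace("", NS)
    root = ET.Element(q("PolicySet"), PolicySetId="global", Version="1.0",
                      PolicyCombiningAlgId=DENY_OVERRIDES)
    ET.SubElement(root, q("Target"))
    for fw in sorted({r.firewall for r in pim}):
        ps = ET.SubElement(root, q("PolicySet"), PolicySetId=fw, Version="1.0",
                           PolicyCombiningAlgId=DENY_OVERRIDES)
        ET.SubElement(ps, q("Target"))
        pol = ET.SubElement(ps, q("Policy"), PolicyId=f"{fw}-policy", Version="1.0",
                            RuleCombiningAlgId=FIRST_APPLICABLE)   # keeps first-match semantics
        ET.SubElement(pol, q("Target"))
        for r in sorted((r for r in pim if r.firewall == fw), key=lambda r: r.order):
            for e in r.exceptions:          # exceptions first, so first-applicable lets them win
                _rule(pol, e, f"{fw}-r{r.order}-x{e.order}")
            _rule(pol, r, f"{fw}-r{r.order}")
    return ET.tostring(root, encoding="unicode")


def summarize(doc: str) -> list[tuple[str, str, str]]:
    """(RuleId, Effect, protocol) for every Rule in document order; handy for checking output."""
    out = []
    for rule in ET.fromstring(doc).iter(q("Rule")):
        proto = rule.find(f"{q('Condition')}/{q('Apply')}/{q('AttributeValue')}").text
        out.append((rule.get("RuleId"), rule.get("Effect"), proto))
    return out


def sample_pim() -> list[PimRule]:
    """Constructed input (not the deck's models): one FW1 accept and one FW2 accept
    carrying a folded-in Deny exception."""
    deny = PimRule("fw2", 1, "tcp", "111.222.1.5", "any", "111.222.1.17", "25", "Deny")
    return [
        PimRule("fw1", 1, "tcp", "0.0.0.0/0", "any", "111.222.1.17", "25", "Accept"),
        PimRule("fw2", 2, "tcp", "111.222.1.0/24", "any", "111.222.1.17", "25", "Accept", [deny]),
    ]
```

Matching on addresses with string-equal, as the table's "address" attribute suggests, means a PDP would compare the request's address text against "111.222.1.0/24" literally; a real deployment would need either a CIDR-aware function or the PIM expanded to host addresses, which is part of what the deck's future-work item on network-specific attributes covers.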
59. Implementation
Eclipse-based implementation
EMF as modelling framework
XTEXT as DSL definition framework
ATL as transformation framework
XPAND as model-to-text framework
http://www.emn.fr/z-info/atlanmod/index.php/Firewall_Reverse_Engineering
67. Conclusions & Future Works
MDE succeeds in isolating the policy from low-level specificities
Easier to understand
Easier to manipulate (reuse of proven MDE tools)
Enables migration and evolution.
Future Works
Extend to other network components such as MPLS routers, IDS, etc.
Extend XACML with network-specific attributes
Apply our approach to real corporate networks
68. Thank you!
Contact:
Salvador Martínez
AtlanMod, INRIA and École des Mines de Nantes
salvador.martinez perez@inria.fr