Search

Your search keyword '"Network Access Control"' showing total 4,977 results
Start Over Descriptor "Network Access Control"
4,977 results on '"Network Access Control"'

1. Per-user network access control kernel module with secure multifactor authentication.

Author

Cheng, Sheng-Tzong, Horng, Gwo-Jiun, Hsu, Chih-Wei, and Su, Z.-Yu

Subjects
*MULTI-factor authentication, *ACCESS control, *COMPUTER operating system security measures, *BOTNETS, *LINUX operating systems, *COMPUTER network security
Abstract

Network attacks, such as botnets stealing sensitive data, constitute a critical concern for administrators in the Internet area. Such attacks can be prevented using a network access control (NAC) scheme. However, existing NAC mechanisms all rely on the user account mechanism provided by the operating system. Herein, we propose a protocol involving a Linux security module for user-based NAC. The module requires neither user accounts nor secure user space; it loads signed rules and keys for a user from a USB security key, securely authenticates the user, and controls network permissions directly from the Linux kernel. Moreover, we present extensions for the protocol, developed using additional authentication methods and devices (such as a smartphone), to prevent man-in-the-middle, replay, and phishing attacks. The protocol can securely authenticate users from kernel space by using USB security keys and a user smartphone despite an insecure user space, is resistant to various attacks, and can guarantee that authorized users obtain their corresponding network privileges. At the same time, the analysis of Linux operating system security enhancement technology is proposed to achieve the goal of trusting machines. Through the use of empirical algorithm analysis, enhanced virtualization technology, and other methods, the risk of hacker intrusion on information platforms is reduced in multiple aspects, and management mechanisms are used to set and use resource permissions. On the other hand, after mastering the key technologies for network blocking development in the core layer of the system, there is also an opportunity to independently build modules for the security core of operating systems in special fields and future 5G/6G SDNs. [ABSTRACT FROM AUTHOR]

Published
2024
Full Text
View/download PDF

3. 种可编程 Slice 的 FC 路由访问控制设计与实现.

Author

王兆辉, 邓  豹, 沈剑良, and 陈  艇

Subjects
ACCESS control, SWITCHING systems (Telecommunication), AVIONICS, SECURITY management
Abstract

Copyright of Telecommunication Engineering is the property of Telecommunication Engineering and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published
2022
Full Text
View/download PDF

4. ARANAC: A Bring-Your-Own-Permissions Network Access Control Methodology for Android Devices

Author

J. A. Gomez-Hernandez, J. Camacho, J. A. Holgado-Terriza, P. Garcia-Teodoro, and G. Macia-Fernandez

Subjects
Android permissions, bring-your-own-device, mobile security, network access control, risk assessment, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
Abstract

In this paper, we introduce a new methodology for network access control for Android devices based on app risk assessment. Named ARANAC (which stands for Application Risk Assessment based Network Access Control), this methodology is specially tailored for scenarios using the Bring-Your-Own-Device (BYOD) policy, where the adoption of some solutions can lead to problems in security and privacy for both the employees and the business organization. ARANAC mainly relies on the analysis of an aggregate of permissions declared in the manifests of installed applications on users’ devices. The access control scheme combines three operational modules: i) a device monitoring tool, ii) a novel permission-based risk model, and iii) an anomaly-based detection machine learning module based on a methodology (called MSNM, from Multivariate Statistical Network Monitoring) that provides both detection and diagnostic capabilities. ARANAC’s novelty is in the combination of four features. Firstly, it is privacy-aware, and thus, it does not require detailed information about installed applications but only an aggregate of permissions. Secondly, it builds a normality model by combining expert knowledge with data, capturing the behavior of a complete population of mobile devices. Thirdly, it is dynamic, as permissions are updated in real time, allowing the network to re-assess access control on a continuous basis. Finally, its diagnostic capabilities allow for giving recommendations to final users so that they are capable of mitigating their risks when accessing networks. We evaluated the approach with more than 80 Android devices at a university campus network and obtained interesting results regarding security risks in the usual deployment of device apps.

Published
2021
Full Text
View/download PDF

5. Enhancing Cyber Security in the Philippine Academe: A Risk-Based IT Project Assessment Approach.

Author

Aquino, Michael Francis M. and Noroña, Marvin I.

Subjects
INFORMATION technology, INTERNET security, FIREWALLS (Computer security), ARTIFICIAL intelligence
Abstract

Cybersecurity devices such as anti-virus, intrusion detection, and prevention system, firewall, network access control, are reactive responses to cyber-attacks because it is based on the known signature. However, security analytics and security information, and event manager are devices, that can gather data about the historical behavior of attacks and correlate it to one another. The significance of this research is to precisely predict if an attack were about to happen, many industries only act if an attack was already happening inside their network or has done significant damages already to the business. This research would significantly help industries, to gain insights on the security events on their network. Artificial Intelligence can instantly predict and suggest if a person can potentially harm based on people's record of good behavior. This can be related to a computer's normal pattern of behavior in the network and once an anomaly happens an unusual behavior can be detected. Hence, the best application of Artificial Intelligence in Cyber Security is to put out a fire before it spread out, preventing data breaches that can cause damages to people's lives and material assets. [ABSTRACT FROM AUTHOR]

Published
2021

6. The Influence of BYOD Concept on Development of Learning Process in Universities.

Author

Sokolova, Antonina Pavlovna, Gromova, Liliya Yur'evna, Tekucheva, Irina Victorovna, Kocherevskaya, Ludmila Borisovna, and Dmitrieva, Elena Grigorievna

Subjects
*LEARNING, *BRING your own device policies, *UNIVERSITIES & colleges, *HIGHER education, *MOBILE operating systems, *UNIVERSITY & college administration
Abstract

Education is one of the largest markets promoting implementation of Bring Your Own Device BYOD. The BYOD model was originated in colleges and universities, being stimulated by technologically advanced students, who demanded it, and administrators of educational entities, who agreed that allowance to get access to the network using personal devices was a competitive advantage. Nowadays this concept attracts great attention. People depend on their personal devices and want to have the opportunity to use them anywhere in order to make their life simpler and more efficient. While BYOD implementation increases, teachers determine new methods of integration of mobile devices into learning. The use of personal mobile devices of students for learning seems to be attractive for universities, since these devices would help to reduce expenses and to support teaching and learning. The research objective: to detect the level of influence of BYOD concept on learning process. In the conclsuoins authors confirm that BYOD is the dominant model in universities. [ABSTRACT FROM AUTHOR]

Published
2021
Full Text
View/download PDF

7. Types, Applications and Enhancements in Access Control.

Author

Iyengar, Vishaka, Bhowmick, Brinda, and P, Sandeep Kumar.

Subjects
ACCESS control, COMPUTER network security, PRIVATE networks, INTEGRITY
Abstract

Network Access Control broadly refers to the management of a network with respect to the devices/users that have access to it, and what they have access to. With networks serving as the backbone to all communication at various levels, be it in a private network or one owned by an organization, security of the resources that are accessible via this connection becomes increasingly important. Access control is a major aspect of this security. A powerful access control model inculcates/caters to the requirements of Confidentiality, Integrity and Accessibility. In this paper, we have surveyed the types of access control, network security and the latest schemes/protocols within it and the efficiency of these protocols. Any improvements or loopholes in the existing systems have been noted. Furthermore, we have reviewed the applications of access control in IoT systems. [ABSTRACT FROM AUTHOR]

Published
2021
Full Text
View/download PDF

8. A Comparison of PHY-Based Fingerprinting Methods Used to Enhance Network Access Control

Author

Carbino, Timothy J., Temple, Michael A., Lopez, Juan, Jr., Rannenberg, Kai, Editor-in-chief, Sakarovitch, Jacques, Series editor, Goedicke, Michael, Series editor, Tatnall, Arthur, Series editor, Neuhold, Erich J., Series editor, Pras, Aiko, Series editor, Tröltzsch, Fredi, Series editor, Pries-Heje, Jan, Series editor, Whitehouse, Diane, Series editor, Reis, Ricardo, Series editor, Murayama, Yuko, Series editor, Dillon, Tharam, Series editor, Gulliksen, Jan, Series editor, Rauterberg, Matthias, Series editor, Federrath, Hannes, editor, and Gollmann, Dieter, editor

Published
2015
Full Text
View/download PDF

9. IMPLEMENTACIJA VATROZIDA NOVE GENERACIJE U SLOŽENO POSLOVNO OKRUŽENJE PREMA NULTO-POVJERENJE MREŽNOM MODELU

Author

Vujković, Dženi and Josić, Karlo

Subjects
upravljanje mrežnim pristupom, internal firewall, segmentacija mreže, TECHNICAL SCIENCES. Computing, interni vatrozid, TEHNIČKE ZNANOSTI. Računarstvo, nulto povjerenje, zero-trust, network segmentation, network access control
Abstract

Rad prikazuje računalnu mrežu zagrebačke tvrtke srednje veličine i nedostatke zatečene u sigurnosnom dijelu postojeće implementacije servisa. Naime, sigurnost mreže korisnika najviše se oslanjala na tradicionalni pristup zaštiti koju pruža rubni vatrozid što je značilo da, ukoliko korisnik primjerice uđe pomoću VPN konekcije u mrežu, ima pravo pristupa na sve poslužitelje i ostalu opremu. Kako bi se pronađene potencijalne ranjivosti uklonile, odlučeno je pratiti najbolje prakse nulto povjerenje mrežnog modela, koje je objašenjeno u prvom dijelu rada. Drugi dio rada prikazuje implementaciju internog segmentacijskog vatrozida, od odabira istog do konfiguracije granularnih pravila filtiranja prometa. Time je omogućen najmanji funkcionalan pristup svakom zaposleniku dok je sve ostalo zabranjeno. Nadalje, rad prikazuje osnovne principe nultog povjerenja, implementaciju po koracima te daje uvid u izazove implementacije takvog rješenja. This paper shows the computer network of a medium-sized Zagreb company and shortcomings found in the security part of the existing service implementation. Namely, the security of the users' network relied mostly on the traditional approach to protection provided by the edge firewall, which meant that if, for example, the user enters the network using a VPN connection, he has the right to access all servers and other equipment. In order to remove the found potential vulnerabilities, it was decided to follow the best practices of the zero-trust network model, which was explained in the first part of the paper. The second part of the paper shows the implementation of the internal segmentation firewall, from its selection to the configuration of granular traffic filtering uses. This enables the least functional access to each employee while everything else is denied. Furthermore, the paper presents the basic principles of zero-trust, and its implementation in steps and provides an insight into the challenges of implementing such a solution.

Published
2023

12. Interoperable Remote Attestation for VPN Environments : (Work in Progress)

Author

Bente, Ingo, Hellmann, Bastian, Vieweg, Joerg, von Helden, Josef, Welzel, Arne, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Sudan, Madhu, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Vardi, Moshe Y., Series editor, Weikum, Gerhard, Series editor, Chen, Liqun, editor, and Yung, Moti, editor

Published
2011
Full Text
View/download PDF

13. Privacy Enhanced Trusted Network Connect

Author

Bente, Ingo, Vieweg, Joerg, von Helden, Josef, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Chen, Liqun, editor, and Yung, Moti, editor

Published
2010
Full Text
View/download PDF

14. 针对BYOD的网络入口边界安全研究.

Author

曲大鹏, 吴松林, 何俊, 王丹华, and 梁登玉

Abstract

Recently, the widespread application of cloud computing business platform strengthens the dependence of researchers on mobile devices. Bring your own devices ( BYOD) has become the main tendency in mobile office. To solve the problems of data leaking and malicious code in BYOD, this paper proposed a cross-platform security solution. This solution obtained the terminal attributes by applying the agentless network access control, and designed a dynamic numerical evaluation method based on vector representation for some special terminal attributes, for example, the central processing unit vacancy ratio. Therefore, the solution could accurately assess the mobile intelligent terminals entering the network, and determined these terminals into three different areas, namely trusted area, untrusted area and isolation area to assure that trusted the BYOD devices which entered the network. It achieved the network entry boundary security. The experiment results show that, comparing to the existing solutions, the solution has better effect in security state evaluation of mobile intelligence terminals and safety protective properties in data illegal access etc. [ABSTRACT FROM AUTHOR]

Published
2018
Full Text
View/download PDF

15. Etkili yöntem kullanan ağ erişim kontrolü modeli için kesirli yaklaşım

Author

Esin Ilhan

Subjects
Polymers and Plastics, Computer science, business.industry, Network Access Control, Business and International Management, business, Industrial and Manufacturing Engineering, Computer network
Abstract

In this paper, we find the solution for the system of nonlinear ordinary differential equations having fractional-order arising in network access control using fractional natural decomposition method (FNDM). The consider a model which consists of a system of five nonlinear ordinary differential equations (NODEs), which illustrate the sensor networks are interesting essentials for malicious outbreaks that attack the network with the intention of reducing the integrity, availability and confidentiality. Further, we captured the nature of FNDM results for different value of fractional order in terms of the plots. The considered scheme highly effective and structured while examining nonlinear models and which can be observed and confirm from the obtained results. Further, the conspiracies cited in plots confirm the hired fractional operator and algorithm can help to exemplify the more fascinating properties of the nonlinear system associated real-world problems.

Published
2021

16. Blockchain-enabled fog resource access and granting

Author

Gang Liu, Ting Wang, and Jinsong Wu

Subjects
Authentication, Smart contract, Computer science, End user, media_common.quotation_subject, Computer security, computer.software_genre, Credential, Negotiation, Resource (project management), Network Access Control, Resource Provider, computer, media_common
Abstract

Fog computing is a new computing paradigm for meeting ubiquitous massive access and latency-critical applications by moving the processing capability closer to end users. The geographical distribution/floating features with potential autonomy requirements introduce new challenges to the traditional methodology of network access control. In this paper, a blockchain-enabled fog resource access and granting solution is proposed to tackle the unique requirements brought by fog computing. The smart contract concept is introduced to enable dynamic, and automatic credential generation and delivery for an independent offer of fog resources. A per-transaction negotiation mechanism supports the fog resource provider to dynamically publish an offer and facilitates the choice of the preferred resource by the end user. Decentralized authentication and authorization relieve the processing pressure brought by massive access and single-point failure. Our solution can be extended and used in multi-access and especially multi-carrier scenarios in which centralized authorities are absent.

Published
2021

17. Secure Protocol for Fast Authentication in EAP-Based Wireless Networks

Author

Marin, Rafa, Zapata, Santiago, Gomez, Antonio F., Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Gervasi, Osvaldo, editor, and Gavrilova, Marina L., editor

Published
2007
Full Text
View/download PDF

18. Maintaining High Performance Communication Under Least Privilege Using Dynamic Perimeter Control

Author

Kolano, Paul Z., Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Biskup, Joachim, editor, and López, Javier, editor

Published
2007
Full Text
View/download PDF

19. Multi-Layer Extreme Learning Machine-Based Keystroke Dynamics Identification for Intelligent Keyboard

Author

Zhiyi Wu, Bin Zhang, Guangxing Niu, Zhong Lin Wang, Yongcheng Gao, and Guangquan Zhao

Subjects
Artificial neural network, Computer science, business.industry, 010401 analytical chemistry, Feature extraction, Information security, Machine learning, computer.software_genre, 01 natural sciences, 0104 chemical sciences, Identification (information), Keystroke dynamics, Network Access Control, Hyperparameter optimization, Artificial intelligence, Electrical and Electronic Engineering, business, Instrumentation, computer, Extreme learning machine
Abstract

Information security plays critical roles in modern society. However, traditional security measures like passwords, tokens and personal ID numbers only provide limited protection. Inspired by the fast training speed of extreme learning machine (ELM) and the promising feature extraction capability of extreme learning machine auto-encoder (ELM-AE), this paper proposes a keystroke dynamics identification method for intelligent keyboard (IKB) based on multi-layer extreme learning machine (ML-ELM). The IKB, as first demonstrated by Wang’s group, is a self-powered, non-mechanical perforated keyboard that converts mechanical stimuli applied to the keyboard into electrical signals without the needing an external power source. ML-ELM is a multilayer neural network stacking on top of ELM-AE. Our major contribution is to develop an accurate and efficient keystroke dynamics identification method based on ML-ELM. One significant advantage of the proposed method is that it does not rely on manual feature extraction and selection. In other words, the raw current signals obtained by IKB are directly the input to the network. The network structure is determined by grid search, which minimizes the human involvement. The other one is that the whole training process of the model does not require fine tuning, which makes the training process significantly faster than that of existing deep networks. Experimental results demonstrate that the proposed method has excellent timeliness whereas obtaining high identification accuracy. The proposed method has great potential in applications to computer or network access control, online payment, and cyber security.

Published
2021

20. 네트워크 접근제어 시스템의 보안성 메트릭 개발.

Author

이하용 and 양효식

Abstract

Network access control should be able to effectively block security threats to the IT infrastructure, such as unauthorized access of unauthorized users and terminals, and illegal access of employees to internal servers. From this perspective, it is necessary to build metrics based on relevant standards to ensure that security is being met. Therefore, it is necessary to organize the method for security evaluation of NAC according to the related standards. Therefore, this study builds a model that combines the security evaluation part of ISO / IEC 15408 (CC: Common Criteria) and ISO 25000 series to develop security metric of network access control system. For this purpose, we analyzed the quality requirements of the network access control system and developed the convergence evaluation metric for security of the two international standards. It can be applied to standardization of evaluation method for network access control system in the future by constructing evaluation model of security quality level of network access control system. [ABSTRACT FROM AUTHOR]

Published
2017
Full Text
View/download PDF

21. PANATIKI: A Network Access Control Implementation Based on PANA for IoT Devices

Author

Antonio F. Gomez Skarmeta, Rafa Marin Lopez, and Pedro Moreno Sanchez

Subjects
IoT, network access control, PANA, EAP, AAA, light-weight, Chemical technology, TP1-1185
Abstract

Internet of Things (IoT) networks are the pillar of recent novel scenarios, such as smart cities or e-healthcare applications. Among other challenges, these networks cover the deployment and interaction of small devices with constrained capabilities and Internet protocol (IP)-based networking connectivity. These constrained devices usually require connection to the Internet to exchange information (e.g., management or sensing data) or access network services. However, only authenticated and authorized devices can, in general, establish this connection. The so-called authentication, authorization and accounting (AAA) services are in charge of performing these tasks on the Internet. Thus, it is necessary to deploy protocols that allow constrained devices to verify their credentials against AAA infrastructures. The Protocol for Carrying Authentication for Network Access (PANA) has been standardized by the Internet engineering task force (IETF) to carry the Extensible Authentication Protocol (EAP), which provides flexible authentication upon the presence of AAA. To the best of our knowledge, this paper is the first deep study of the feasibility of EAP/PANA for network access control in constrained devices. We provide light-weight versions and implementations of these protocols to fit them into constrained devices. These versions have been designed to reduce the impact in standard specifications. The goal of this work is two-fold: (1) to demonstrate the feasibility of EAP/PANA in IoT devices; (2) to provide the scientific community with the first light-weight interoperable implementation of EAP/PANA for constrained devices in the Contiki operating system (Contiki OS), called PANATIKI. The paper also shows a testbed, simulations and experimental results obtained from real and simulated constrained devices.

Published
2013
Full Text
View/download PDF

22. A Network Access Control Framework for 6LoWPAN Networks

Author

Amaro F. de Sousa, Jaime Lloret, Luís M. L. Oliveira, and Joel J. P. C. Rodrigues

Subjects
wireless sensor networks, WSN, 6LoWPAN, network access control, Chemical technology, TP1-1185
Abstract

Low power over wireless personal area networks (LoWPAN), in particular wireless sensor networks, represent an emerging technology with high potential to be employed in critical situations like security surveillance, battlefields, smart-grids, and in e-health applications. The support of security services in LoWPAN is considered a challenge. First, this type of networks is usually deployed in unattended environments, making them vulnerable to security attacks. Second, the constraints inherent to LoWPAN, such as scarce resources and limited battery capacity, impose a careful planning on how and where the security services should be deployed. Besides protecting the network from some well-known threats, it is important that security mechanisms be able to withstand attacks that have not been identified before. One way of reaching this goal is to control, at the network access level, which nodes can be attached to the network and to enforce their security compliance. This paper presents a network access security framework that can be used to control the nodes that have access to the network, based on administrative approval, and to enforce security compliance to the authorized nodes.

Published
2013
Full Text
View/download PDF

24. Providing Login and Wi-Fi Access Services With the eIDAS Network: A Practical Approach

Author

Cesare Cameroni, Diana Berbecaru, and Antonio Lioy

Subjects
General Computer Science, cybersecurity, Computer science, Internet privacy, identity management, Login, wi-fi access service, eIDAS regulation, Identity provider, login service, electronic identity, identity management, cybersecurity, network services, network access control, eIDAS, network services, eIDAS, electronic identification, General Materials Science, Service (business), Authentication, business.industry, General Engineering, Cross-border authentication, Usability, electronic identity, Service provider, Digital identity, network access control, The Internet, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, lcsh:TK1-9971
Abstract

The digital identity (or electronic identity) of a person is about being able to prove upon authentication who one is on the Internet, with a certain level of assurance, such as by means of some attributes obtained from a trustworthy Identity Provider. In Europe, the eIDAS Network allows the citizens to authenticate securely with their national credentials and to provide such personal attributes when getting access to Service Providers in a different European country. Although the eIDAS Network is more and more known, its integration with real operational services is still at an initial phase. This paper presents two eIDAS-enabled services, Login with eIDAS and Wi-Fi access with eIDAS, that we have designed, implemented, deployed, and validated at the Politecnico di Torino in Italy. The validation study involved several undergraduate students, who have run the above services with their authentication credentials and platforms and with minimal indications on their usage. The results indicate that the services were beneficial. Several advantages exist both for the users and for the Service Providers, such as resistance to some security attacks and the possibility to adopt the service without prior user registration (e.g. for short meetings, or in public places). However, some students expressed doubts about exploiting their national eID for Wi-Fi access, mainly in connection with usability and privacy issues. We discuss also these concerns, along with advantages and disadvantages of the proposed services.

Published
2020

25. Customized Network Security for Cloud Service

Author

Kaoru Ota, Guangwei Wang, Stephen S. Yau, Laurence T. Yang, Mingyu Fan, Mianxiong Dong, and Jin He

Subjects
Information Systems and Management, Computer Networks and Communications, Computer science, Network security, Computer crime, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Security information and event management, 020204 information systems, Cloud testing, 0202 electrical engineering, electronic engineering, information engineering, Computer architecture, packet delay, throughput, Middleboxes, Cloud computing security, business.industry, Complexity theory, FDCs, unified management, customized network security service, 020206 networking & telecommunications, Computer security model, Computer Science Applications, Communication networks, Security service, Hardware and Architecture, Network Access Control, business, computer, Computer network
Abstract

Modern cloud computing platforms based on virtual machine monitors (VMMs) host a variety of complex businesses which present many network security vulnerabilities. In order to protect network security for these businesses in cloud computing, nowadays, a number of middleboxes are deployed at front-end of cloud computing or parts of middleboxes are deployed in cloud computing. However, the former is leading to high cost and management complexity, and also lacking of network security protection between virtual machines while the latter does not effectively prevent network attacks from external traffic. To address the above-mentioned challenges, we introduce a novel customized network security for cloud service (CNS), which not only prevents attacks from external and internal traffic to ensure network security of services in cloud computing, but also affords customized network security service for cloud users. CNS is implemented by modifying the Xen hypervisor and proved by various experiments which showing the proposed solution can be directly applied to the extensive practical promotion in cloud computing.

Published
2020

26. PEMILIHAN SOLUSI PENERAPAN BRING YOUR OWN DEVICE (BYOD) BERDASARKAN KONTROL KEAMANANNYA

Author

Moh. Idris

Subjects
Computer science, business.industry, Bring your own device, Cloud computing, Access control, Mobile device management, Virtualization, computer.software_genre, Computer security, Security controls, Work (electrical), Network Access Control, business, computer
Abstract

The term BYOD (Bring Your Own Device) refers to the use of employees' personal devices (for example smartphones, tablets, laptops, netbooks) to do their work and manage corporate data from anywhere at any time. BYOD has been widely applied in the business world, hospitals, and education. With the ease that can be achieved by using BYOD, the security aspect is very important to consider. It starts with the security of the device to the security of company data that can be accessed by employees. Five dimensions of security control that must be considered in implementing BYOD: 1) data control; 2) access control; 3) network access control; 4) device management; 5) create a supporting framework. With the five BYOD implementation solutions presented in this study, there is only one solution that accommodates the five dimensions of BYOD security control, the use of Mobile Device Management (MDM) technology.

Published
2019

27. Managing the Shift in the Enterprise Perimeter in order to delay a Cybersecurity Breach

Author

Muyowa Mutemwa, Mfundo Masango, and Noluxolo Gcaza

Subjects
Government, business.industry, Computer science, Information technology, Computer security, computer.software_genre, Encryption, Work (electrical), Order (exchange), Network Access Control, Workforce, Enterprise private network, business, computer
Abstract

In the year, 2019, South African enterprises have seen a substantial increase in the number of cybersecurity incidents. From the public-sector to the private-sector, many enterprises have had to redirect large sums of their budgets towards responding to cybersecurity incidents that could have been averted. For most enterprises, having experienced, or seen the impact of a number of disclosed cybersecurity incidents in South Africa (SA) during 2019, the majority of enterprises had begun to strengthen their cybersecurity defenses in order to avert future cybersecurity incidents. To a large extent, most enterprises have implemented security measures such as firewalls, proxy gateways, patch management solutions, intrusions prevention or detection systems, encryption, network access control and so on. However, whilst these measures are implemented, in 2020, security architects saw a shift in the enterprise perimeter due to COVID-19 pandemic. Owing to the pandemic, on the 26th of March 2020, the South African government implemented a countrywide lock-down effectively enforcing all its citizens to stay at homes thus translating to an unintended remote workforce. During this time, employees found themselves overnight without any training working outside of the secured layered cybersecurity defenses of their enterprises. This arrangement negatively affected the security posture of many organizations. It effectively forced all enterprise employees to work from home, away from the secure enterprise network forcing information technology administrators to find ways to extend the enterprise perimeter in order to allow these inexperienced overnight remote workers to continue to securely work remotely. This article explores the consequences of the shift in the enterprise perimeter and also suggests practical technical steps that enterprises can apply in order to avert possible cybersecurity incidents.

Published
2021

28. Network Access Control

Author

Yoav Cohen and Ben Herzberg

Subjects
Access network, Data access, Computer science, Network Access Control, Computer security, computer.software_genre, computer, Data warehouse
Abstract

Network access control is quite a blunt tool, which is not necessarily a bad thing. What this means is that you want to place access controls to your data warehouse based on the network origin of the traffic. This can be a quick and effective way to reduce security risks, as well as sometimes being part of compliance requirements (to have, as well as show that you have network access policies placed on top of your data access).

Published
2021

30. 数字媒体与设计艺术类实验室管理模式探索.

Author

张琳琳, 贾云鹏, and 王一帅

Abstract

As the strong relevant between theory and practice, along with the construction of disciplines in various universities, a variety of laboratories have to he constructed. Because there is no unified model for the management of arts laboratory, each university has its successful experience and problems. In view of our experiences, this paper discusses the art laboratory management mechanism. Some methods are proposed to enhance the laboratory manager career development space, and laboratory construction. The access control system is taken as the open laboratory management method. Also, this paper further explores the art laboratory management for the future development of directions, such as management outsourcing system, use of cloud system to achieve computer hatch management, monitor and access control combined for daily management. [ABSTRACT FROM AUTHOR]

Published
2016

31. Operational Security Considerations for IPv6 Networks

Author

Kiran Kumar Chittimaneni, Enno Rey, Merike Kaeo, and Eric Vyncke

Subjects
Cloud computing security, Security service, Network Access Control, Security through obscurity, Security convergence, Network security policy, Business, Computer security model, Computer security, computer.software_genre, computer, IPv6
Abstract

Knowledge and experience on how to operate IPv4 securely is available: whether it is the Internet or an enterprise internal network. However, IPv6 presents some new security challenges. RFC 4942 describes the security issues in the protocol but network managers also need a more practical, operations-minded document to enumerate advantages and/or disadvantages of certain choices. This document analyzes the operational security issues in several places of a network (enterprises, service providers and residential users) and proposes technical and procedural mitigations techniques. Some very specific places of a network such as the Internet of Things are not discussed in this document.

Published
2021

32. Blockchain Based Network Access Control (NAC) Management Solution and Architecture

Author

Cagatay Korkuc, ve Tuncay Dogantuna, ve Doc Gazi Erkan Bostanci, and Erkan Afacan

Subjects
Product (business), business.industry, Computer science, Network Access Control, Server, Reliability (computer networking), Hash function, Redundancy (engineering), Access control, Cryptography, business, Computer network
Abstract

There are many advantages of managing services and products in the cyber security sector through a central system, but this can sometimes be a disadvantage. The adequacy of a cyber security product running on a virtual server is limited by the capacity of the virtual server. It is ideal for cyber security products to operate in a distributed structure so that they can work with redundancy and more reliably. One of these products, the network access control management solution, is a product that checks whether the devices are reliable and includes or blocks them in the network. In this study, the model and architecture of a network access control (NAC) management solution has been revealed by choosing blockchain technology because it has a distributed structure, uses cryptography and hash algorithms, and can be processed with smart contracts.

Published
2021

33. Deterministic Networking (DetNet) Security Considerations

Author

Tal Mizrahi, Ethan Grossman, and Andrew Hacker

Subjects
Engineering, business.industry, Information technology, Data loss, Computer security, computer.software_genre, Bounded function, Network Access Control, The Internet, Use case, Latency (engineering), Architecture, business, computer, Computer network
Abstract

A deterministic network is one that can carry data flows for real- time applications with extremely low data loss rates and bounded latency. Deterministic networks have been successfully deployed in real-time operational technology (OT) applications for some years (for example [ARINC664P7]). However, such networks are typically isolated from external access, and thus the security threat from external attackers is low. IETF Deterministic Networking (DetNet) specifies a set of technologies that enable creation of deterministic networks on IP-based networks of potentially wide area (on the scale of a corporate network) potentially bringing the OT network into contact with Information Technology (IT) traffic and security threats that lie outside of a tightly controlled and bounded area (such as the internals of an aircraft). These DetNet technologies have not previously been deployed together on a wide area IP-based network, and thus can present security considerations that may be new to IP- based wide area network designers. This draft, intended for use by DetNet network designers, provides insight into these security considerations. In addition, this draft collects all security- related statements from the various DetNet drafts (Architecture, Use Cases, etc) into a single location Section 7.

Published
2021

34. Efficient Provisioning of Security Service Function Chaining Using Network Security Defense Patterns

Author

Mohamed Cheriet, Makan Pourzandi, Yosr Jarraya, and Alireza Shameli-Sendi

Subjects
Information Systems and Management, Cloud computing security, Computer Networks and Communications, business.industry, Network security, Computer science, Distributed computing, 020206 networking & telecommunications, Provisioning, Cloud computing, 02 engineering and technology, Computer security model, Security information and event management, Computer Science Applications, Security service, Hardware and Architecture, Network Access Control, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Computer network
Abstract

Network functions virtualization intertwined with software-defined networking opens up great opportunities for flexible provisioning and composition of network functions, known as network service chaining. In the cloud, this allows providers to create service chains tuned to each application type while optimizing resources’ utilization. This is particularly useful to accommodate different tenants’ applications with different security needs. However, considering security provisioning from the single perspective of resources optimization may lead to deployment solutions that do not comply with well-known security-related best practices and recommendations. In this paper, we propose network security defense patterns (NSDP) aimed at leveraging the best practice and know-how from the security experts and at capturing various security constraints to efficiently select compliant security functions’ deployment options. The placement problem being a NP-Hard problem to solve, we also propose a scalable networking and computing resources aware optimization framework to efficiently provision different NSDPs. We further show the feasibility of implementing NSDPs in the cloud infrastructure through the integration of our approach into an open source cloud framework, namely OpenStack, in our test laboratory. The simulation results show the effectiveness of our approach in selecting an optimal placement of the security functions for large data centers with hundreds of thousands of computing nodes, while complying with the predefined security constraints and improving the scalability compared to the current placement algorithms.

Published
2019

36. AccConF: An Access Control Framework for Leveraging In-Network Cached Data in the ICN-Enabled Wireless Edge

Author

Satyajayant Misra, Travis Mick, Nahid Ebrahimi Majd, Frank Natividad, Reza Tourani, and Hong Huang

Subjects
Computer access control, Distributed System Security Architecture, business.industry, Computer science, Network Access Control, Server, The Internet, Access control, Internet traffic, Electrical and Electronic Engineering, business, Authentication server, Computer network
Abstract

The fast-growing Internet traffic is increasingly becoming content-based and driven by mobile users, with users more interested in data rather than its source. This has precipitated the need for an information-centric Internet architecture. Research in information-centric networks (ICNs) have resulted in novel architectures, e.g., CCN/NDN, DONA, and PSIRP/PURSUIT; all agree on named data based addressing and pervasive caching as integral design components. With network-wide content caching, enforcement of content access control policies become non-trivial. Each caching node in the network needs to enforce access control policies with the help of the content provider. This becomes inefficient and prone to unbounded latencies especially during provider outages. In this paper, we propose an efficient access control framework for ICN, which allows legitimate users to access and use the cached content directly, and does not require verification/authentication by an online provider authentication server or the content serving router. This framework would help reduce the impact of system down-time from server outages and reduce delivery latency by leveraging caching while guaranteeing access only to legitimate users. Experimental/simulation results demonstrate the suitability of this scheme for all users, but particularly for mobile users, especially in terms of the security and latency overheads.

Published
2019

37. Cryptography-Based Misbehavior Detection and Trust Control Mechanism for Opportunistic Network Systems

Author

Arun Kumar, Sanjay Kumar Dhurandher, and Mohammad S. Obaidat

Subjects
Computer Networks and Communications, Computer science, media_common.quotation_subject, Access control, Cryptography, 02 engineering and technology, Computer security, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, Selfishness, Electrical and Electronic Engineering, Protocol (object-oriented programming), media_common, Authentication, business.industry, 020206 networking & telecommunications, Computer Science Applications, Control and Systems Engineering, Network Access Control, Scalability, 020201 artificial intelligence & image processing, Computational trust, business, computer, Information Systems, Computer network
Abstract

Opportunistic networks (OppNets) are a subclass of delay tolerant networks and are characterized by intermittent end-to-end connections. The sparsity in the network and the resource constraint of devices always restricts the use of cryptographic solutions for security needs in the OppNets for thwarting selfishness of the nodes. The trust-based mechanisms are capable of providing social security in terms of access control in the network. But the trust-based protocols do not solve the problem of isolating, avoiding, and detecting the malicious intent nodes with the provision of security services such as authentication, confidentiality, and message integrity through cryptographic means. In this work, a robust and scalable infrastructure based security overlay is designed over the base trust-based routing for detecting malicious nodes and providing security services through the established cryptographic mechanism. The proposed security-based algorithm is general enough to accommodate and use latest cryptographic techniques in trust-based routing for ensuring more participation through building confidence in the network. The simulation results are taken using ONE simulator and the results confirm that the application of security overlay above the base trust-based protocol helps in increasing the average performance by 35%.

Published
2018

38. Research on Computer Network Information Security Problems and Prevention Based on Wireless Sensor Network

Author

Hanling Wu and Haiwei Wu

Subjects
Market research, Firewall (construction), business.industry, Order (exchange), Computer science, Network Access Control, Information security, Encryption, business, Modernization theory, Wireless sensor network, Computer network
Abstract

With the continuous improvement of China’s scientific and technological level, computer network has become an indispensable part of people’s daily life. It can not only effectively improve the efficiency of production and life, and shorten the distance between people, but also further promote the speed of China’s social and economic development, which has a positive impact on the realization of China’s modernization. Under the new information security demand environment at present, we should pay attention to the related information security work and formulate effective security measures and strategies. In order to effectively prevent these information security problems, people should actively adopt firewall technology, encryption technology, network access control technology and network virus prevention technology for effective protection. This paper analyzes the security problems in the application of wireless sensor networks and explores the mechanism of defending information security, hoping to strengthen the security and stability of wireless sensor networks through effective measures, so that people can better enjoy the convenience brought by the network age.

Published
2021

39. Impacts of Replace Venerable Iptables and Embrace Nftables in a new futuristic Linux firewall framework

Author

Ravi Shankar Yadav and Praveen Likhar

Subjects
business.industry, Network security, Computer science, 020206 networking & telecommunications, 020207 software engineering, Access control, 02 engineering and technology, Computer security, computer.software_genre, Telecommunications network, Firewall (construction), Network Access Control, Scalability, 0202 electrical engineering, electronic engineering, information engineering, business, computer
Abstract

Firewall is a cardinal element in network security paradigm, where it is a measure for providing network access control. Iptables/netfilter is the most popular Linux firewall and over the time iptables has been extensively evolved and extended but as a result of this it became complex. Fundamental design limitations of iptables and its inherent problems are hindrance for its scalability and performance. This paper presents impeding factors in development of iptables and discusses about nftables, a new futuristic Linux firewall framework. It brings out nftables design approach for overcoming the limitations of iptables. This paper also expatiate comparison of iptables and nftables frameworks on different aspects and discusses results and analysis of our experimentations, to find out “Is it right time to embrace nftables over iptables?”

Published
2021

40. Assessment System for Residual Risks of Information Leakage in Incident Countermeasures

Author

Hirokazu Hasegawa, Hiroki Takakura, and Tomohiro Noda

Subjects
Network administrator, File server, Countermeasure, Risk analysis (engineering), Computer science, business.industry, Network Access Control, Information leakage, Directory service, Access control, business, Host (network)
Abstract

Recent targeted attacks make it difficult for us to protect our corporate resources. Therefore, we need to focus not on protecting against intrusion but on mitigating the intrusion. We previously propose a countermeasure support system, which recommends proper countermeasures against targeted attacks. However, this system does not take into account lateral movement from hosts where bridgeheads are established. In this paper, we propose a countermeasure assessment system based on residual risks of information leakage. This system calculates the risk of a host on the basis of network access control and host behavior. It also calculates the importance of resources in terms of access control that describes access of authorized personnel to file servers and the roles of the personnel. Using this information, this system analyzes the residual risks of information leakage after the countermeasure is applied and presents it to the network administrator. This system allows network administrators to choose countermeasures for incidents in terms of residual risks that cannot be covered with previous systems.

Published
2021

41. 基于ARP的局域网主机管理系统设计与实现.

Author

霍迎秋, 彭楚风, and 王露璐

Abstract

To manage the host in a local network effectively, this paper makes an analysis of the ARP protocol, and develops a local network host management system based on A)P. The overall design of tlie management system and flow charts of major models are provided. In addition, some functional tests are done, the result demonstrates that this management system can manage host of the local network effectively and meets the host management requirement. [ABSTRACT FROM AUTHOR]

Published
2015

42. Heterogeneous Network Selection Algorithm Based on Reinforcement Learning

Author

Shouming Wei, Sheng Yu, Chenguang He, and Weixiao Meng

Subjects
Service (systems architecture), Terminal (electronics), Computer science, Distributed computing, Network Access Control, Reinforcement learning, Selection algorithm, Session (web analytics), Heterogeneous network, Selection (genetic algorithm)
Abstract

In the current network environment, multiple wireless access technologies coexist. In order to meet the needs of various services in heterogeneous networks, in order to enable each user to select the most appropriate network to provide services and adapt to the dynamic changes of the network environment, this paper defines the markov decision-making process of network selection based on reinforcement learning, taking the heterogeneous network constructed by PDT and B-trunC as the background A network access control algorithm based on reinforcement learning is proposed, which fully considers the service type of session and the mobility of terminal, and realizes the adaptability of network selection.

Published
2021

43. Near-field chipless-RFID system with high data capacity for security and authentication applications

Author

Ferran Martin, Cristian Herrojo, Eloi Ramon, Javier Mata-Contreras, Ferran Paredes, and Alba Nunez

Subjects
Authentication, Radiation, business.industry, Computer science, 010401 analytical chemistry, Electrical engineering, 020206 networking & telecommunications, 02 engineering and technology, Condensed Matter Physics, Computer security, computer.software_genre, 01 natural sciences, Microstrip, 0104 chemical sciences, Chipless RFID, Distributed System Security Architecture, Authentication protocol, Network Access Control, 0202 electrical engineering, electronic engineering, information engineering, Radio-frequency identification, Electrical and Electronic Engineering, business, computer, Envelope detector
Abstract

A high data capacity chipless radio frequency identification (chipless-RFID) system, useful for security and authentication applications, is presented in this paper. Reading is based on the near-field coupling between the tag, a chain of identical split-ring resonators (SRRs) printed on a (typically flexible) dielectric substrate (e.g., liquid crystal polymer, plastic, and paper), and the reader. Encoding is achieved by the presence or absence of SRRs at predefined (equidistant) positions in the chain, and tag identification (ID) is based on sequential bit reading. Namely, the tag must be longitudinally displaced, at short distance, over the reader, a microstrip line loaded with an SRR and fed by a harmonic signal. By this means, the harmonic signal is amplitude modulated, and the (ID) code is contained in the envelope function, which can be obtained by means of an envelope detector. With this system, tag reading requires proximity with the reader, but this is not an issue in many applications within the domain of security and authentication (e.g., secure paper for corporate documents and certificates). Several circularly shaped 40-bit encoders (implemented in a commercial microwave substrate), and the corresponding reader, are designed and fabricated as proof-of-concept demonstrators. Strategies for programming the tags and a first proof-of-concept chipless-RFID tag fabricated on plastic substrate through inkjet printing are included in this paper.

Published
2021

44. Efficient Semantic Representation of Network Access Control Configuration for Ontology-based Security Analysis

Author

Jürgen Beyerer and Florian Patzer

Subjects
Security analysis, Information retrieval, Computer science, Network Access Control, DATA processing & computer science, Security Analysis, Semantic representation, Security Ontology, ddc:004, Ontology (information science), Ontology-based Security Analysis
Abstract

Assessing countermeasures and the sufficiency of security-relevant configurations within networked system architectures is a very complex task. Even the configuration of single network access control (NAC) instances can be too complex to analyse manually. Therefore, model-based approaches have manifested themselves as a solution for computer-aided configuration analysis. Unfortunately, current approaches suffer from various issues like coping with configuration-language heterogeneity or the analysis of multiple NAC instances as one overall system configuration, which is the case for the maturity of analysis goals. In this paper, we show how deriving and modelling NAC configurations��� effects solves the majority of these issues by allowing generic and simplified security analysis and model extension. The paper further presents the underlying modelling strategy to create such configuration effect representations (hereafter referred to as effective configuration) and explains how analyses based on previous approaches can still be performed. Moreover, the linking between rule representations and effective configuration is demonstrated, which enables the tracing of issues, found in the effective configuration, back to specific rules. Copyright �� 2021 by SCITEPRESS ��� Science and Technology Publications, Lda. All rights reserved

Published
2021

45. Network Access Control

Author

Jason Garbis and Jerry W. Chapman

Subjects
Firewall (construction), business.industry, Computer science, Network Access Control, Network level, business, Value (mathematics), Computer network, Zero (linguistics)
Abstract

We’re addressing Network Access Control (NAC) solutions separately from the Firewall, DNS, and Load Balancer solutions we covered in Chapter 6 for two reasons: First, to give vendors credit—NAC solutions represent early (and ongoing) attempts at achieving some of the principles of Zero Trust—specifically, the ability to enforce identity-centric access policies at the network level. Second, NAC deployments are generally going to be impacted as organizations deploy a modern Zero Trust architecture—the value and importance of NAC (as an established category) is going to be diminished, replaced by the more effective ability of Zero Trust to serve as a broader and more capable network access control solution.

Published
2021

46. A Holistic Protection Based on Network Access Control.

Author

Fan, Yanfang, Li, Dong, Xie, Yongqiang, Xu, Bo, and Wang, Haifei

Abstract

With the heterogeneous threats of network ongoing, the problems of network security become more and more intractable, besides, the compatibility issues of security protection-equipments are emerging in endlessly. Thus, the unified treat management has been a research hotpot currently. In this paper, based on analyzing the status quo of UTM (unified treat management), as well as the performance detects of related equipments, we present the NAC-UTM, a holistic protection scheme of intranet, which combines UTM with technology of network access control. The emphasis of our research is to illustrate the operating principle of UTM-NAC scheme, and then we verify the superiority of this scheme with a simplified experiment. The test result indicates that our solution could greatly promote performance of UTM equipments. [ABSTRACT FROM PUBLISHER]

Published
2012
Full Text
View/download PDF

47. Survey on network access control technology in MANETs.

Author

Amiri, Ehsan, Afshar, Elham, Naji, Hamid Reza, and Ardekani, Mahdi Maleknasab

Abstract

Using Mobile Ad hoc Networks (MANETs) is growing with advances in technology. MANETs consist of few nodes with constrict resources and without any special structure. Each node can be connected to other nodes in its own transition rate. Network access control with respect to the development of networks is very important. In this paper, we explain the Network Access Control (NAC), the mechanism of action in the networks and also compare some NAC vendors. We briefly describe four network access control protocols for MANET and also compare them in terms of efficiency, communication complexity, overhead, and the techniques which is used. In the other part we describe the attacks in MANETs. [ABSTRACT FROM PUBLISHER]

Published
2012
Full Text
View/download PDF

48. Mobile Firewall.

Author

Guangrui Fu, Daichi Funato, Wood, Jonathan, and Toshiro Kawahara

Subjects
FIREWALLS (Computer security), COMPUTER network security, NETWORK PC (Computer), WIRELESS communications, TELECOMMUNICATION systems
Published
2003

49. Palmtrie

Author

Hirochika Asai

Subjects
Matching (statistics), Computer science, Network packet, Network security, business.industry, 020206 networking & telecommunications, 02 engineering and technology, Network operations center, Firewall (construction), 020204 information systems, Network Access Control, 0202 electrical engineering, electronic engineering, information engineering, business, Access control list, Blossom algorithm, Computer network
Abstract

Network security has become crucial to our society and industry. A firewall is an essential function in network operations for security enhancement. Network access control lists (ACLs) have been used to describe multi-layer security rules to determine whether a packet is passed or dropped by the firewall. An entry in ACLs contains so-called don't care bits, and consequently, ACL matching is generalized as a ternary matching problem. As ternary matching typically relies on dedicated hardware, high-performance ternary matching with commodity CPUs is challenging. We propose a practical algorithm for network ACL matching trie, named Palmtrie, that allows the multi-bit stride extension to achieve better performance. We evaluate the Palmtrie using synthetic ACLs that emulate an existing campus network and Internet backbone policies. The evaluation results demonstrate that the Palmtrie outperforms the existing ACL matching algorithms on extensive ACLs. For example, the lookup performance of the optimized Palmtrie achieves 4.76 times faster than the algorithm implemented in the widely used library (DPDK) for the scanning attack traffic on an ACL with one million entries. We also prove that the Palmtrie solves the problem with the build time of data structures in the existing algorithms.

Published
2020

50. A domain-specific language for filtering in application-level gateways

Author

Christoph Reichenbach and Hampus Balldin

Subjects
SQL, Domain-specific language, Correctness, Network packet, Network security, business.industry, Computer science, Programming language, computer.file_format, packet filtering, computer.software_genre, filtering language, domain-specific languages, Application domain, Network Access Control, Computer Science, network security, Executable, business, computer, computer.programming_language
Abstract

Application-level packet filtering is a technique for network access control in which an “application-level gateway” intercepts network packets at the application level (e.g., HTTP, FTP), scans them for security concerns and optionally logs, rewrites or discards them. Existing application-level filters express their filtering rules in general-purpose languages, which limits the correctness guarantees available for them. We present the first declarative language for application-level network filtering, developed at Advenica AB. Our DSL uses security assertions to express properties that packets must have to be allowed through the network (e.g., “IMAP packet contains no executable attachment” or “SQL reply contains only explicitly permitted columns”), along with remedies that either reject or rewrite undesirable packets. We have designed the language around the needs of network filter developers, with a focus on correctness: our language can statically verify several properties of filter programs, such as well-formedness of the outcome, confluence, and termination, with the help of an off-the-shelf SMT solver. Our initial results show that the language can express many typical filtering tasks, closely maps to the application domain, and provides strong correctness guarantees.

Published
2020

Catalog

Books, media, physical & digital resources
See catalog results