Publication


Featured research published by Adel El-Atawy.


IEEE International Conference on Network Protocols | 2009

Network configuration in a box: towards end-to-end verification of network reachability and security

Ehab Al-Shaer; Wilfredo R. Marrero; Adel El-Atawy; Khalid Elbadawi

Recent studies show that configuration of network access control is one of the most complex and error-prone network management tasks. For this reason, network misconfiguration has become the main source of network unreachability and vulnerability problems. In this paper, we present a novel approach that models the global end-to-end behavior of the access control configurations of an entire network, including routers, IPSec, firewalls, and NAT, for unicast and multicast packets. Our model represents the network as a state machine in which the packet header and location determine the state. The transitions in this model are determined by packet header information, packet location, and the policy semantics of the devices being modeled. We encode the semantics of access control policies as Boolean functions using binary decision diagrams (BDDs). We then use computation tree logic (CTL) and symbolic model checking to investigate all future and past states of a packet in the network and verify network reachability and security requirements. Thus, our contribution in this work is a global encoding of network configurations that allows general reachability- and security-property verification using CTL model checking. We have implemented our approach in a tool called ConfigChecker. While evaluating ConfigChecker, we modeled and verified network configurations with thousands of devices and millions of configuration rules, demonstrating the scalability of the approach.
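The state-machine view in this abstract (state = packet location plus header, transitions = device semantics, properties checked over all reachable states) can be illustrated with a small explicit-state model. The following is an added example written for this page, not ConfigChecker's code: where ConfigChecker encodes the whole header space symbolically in BDDs and checks CTL formulas, this example enumerates a tiny constructed header space and computes the forward reachability fixpoint (the EF operator) directly. The topology, device names, hosts, ports and both rule sets are hypothetical.

```python
from collections import deque

# Constructed example: a packet header is (src, dst, dport); a state is (location, header).
# Every device maps an incoming header to (next location, possibly rewritten header).

def firewall(rules, permit_to):
    """First-match ACL; a rule is (action, {field: value}) and {} matches anything.
    Unmatched packets fall through to an implicit default deny."""
    def step(h):
        fields = {"src": h[0], "dst": h[1], "dport": h[2]}
        for action, match in rules:
            if all(fields[k] == v for k, v in match.items()):
                return (permit_to if action == "permit" else "drop", h)
        return ("drop", h)
    return step

def dnat(mapping, next_hop):
    """Destination NAT: rewrite dst when it has a mapping, then forward."""
    def step(h):
        return (next_hop, (h[0], mapping.get(h[1], h[1]), h[2]))
    return step

def router(table):
    """Forward by destination; unknown destinations are dropped."""
    def step(h):
        return (table.get(h[1], "drop"), h)
    return step

def reachable(devices, initial):
    """Forward fixpoint: every (location, header) state reachable from the initial
    states (EF in CTL terms), with parent pointers so a violation comes with a path."""
    parent = {s: None for s in initial}
    queue = deque(initial)
    while queue:
        loc, h = queue.popleft()
        if loc not in devices:          # end host or 'drop': absorbing state
            continue
        nxt = devices[loc](h)
        if nxt not in parent:
            parent[nxt] = (loc, h)
            queue.append(nxt)
    return parent

def witness(parent, state):
    """Counterexample path from an initial state to `state`."""
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]

def build(fw_rules):
    """Hypothetical topology: internet -> fw -> nat -> router -> {web, db}."""
    return {
        "internet": lambda h: ("fw", h),
        "fw": firewall(fw_rules, permit_to="nat"),
        "nat": dnat({"pub": "web"}, next_hop="router"),
        "router": router({"web": "web", "db": "db"}),
    }

DSTS, PORTS = ("pub", "web", "db"), (80, 22, 3306)

def initial_states():
    """Every header an external host can inject, plus admin traffic entering at the router."""
    ext = [("internet", ("ext", d, p)) for d in DSTS for p in PORTS]
    admin = [("router", ("admin", d, p)) for d in DSTS for p in PORTS]
    return ext + admin

def verify(fw_rules):
    """Two requirements: admin can reach db:3306 (reachability) and no external
    packet ever reaches db (security). Returns (admin_ok, external_paths_to_db)."""
    parent = reachable(build(fw_rules), initial_states())
    admin_ok = ("db", ("admin", "db", 3306)) in parent
    leaks = [witness(parent, s) for s in parent if s[0] == "db" and s[1][0] == "ext"]
    return admin_ok, leaks

GOOD_RULES = [("permit", {"dst": "pub", "dport": 80}), ("deny", {})]
BAD_RULES = [("permit", {"dport": 80}), ("deny", {})]   # forgot to pin dst: leaks to db:80

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        ok, leaks = verify(rules)
        print(name, "admin->db:3306" if ok else "admin cut off", leaks)
```

The interesting part is the NAT device: because it rewrites the header, the state after it differs from the state before it, which is exactly why reachability has to be computed over (location, header) pairs rather than over locations alone. With the second rule set the fixpoint contains the state ("db", ("ext", "db", 80)) and the parent pointers yield the offending path internet -> fw -> nat -> router -> db.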


IEEE International Conference on Computer Communications (INFOCOM) | 2006

Adaptive Statistical Optimization Techniques for Firewall Packet Filtering

Hazem H. Hamed; Adel El-Atawy; Ehab Al-Shaer

Packet filtering plays a critical role in the performance of many network devices such as firewalls, IPSec gateways, DiffServ and QoS routers. A tremendous amount of research has been devoted to optimizing packet filters. However, most of the related work uses deterministic techniques and does not exploit traffic characteristics in its optimization schemes. In addition, most packet classifiers give no specific consideration to optimizing packet rejection, which is important for many filtering devices like firewalls. Our contribution in this paper is twofold. First, we present a novel algorithm for maximizing early rejection of unwanted flows without significantly impacting other flows. Second, we present a new packet filtering optimization technique that uses adaptive statistical search trees to exploit important traffic characteristics and minimize the average packet matching time. The proposed techniques adapt promptly to changes in traffic conditions by performing simple calculations to optimize the search data structure. Our techniques are practically attractive because they are simple to implement and easy to deploy. Our extensive evaluation study using Internet traces shows that the proposed techniques can significantly reduce packet filtering time with reasonable memory requirements.


IEEE International Conference on Computer Communications (INFOCOM) | 2007

Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance

Adel El-Atawy; Taghrid Samak; Ehab Al-Shaer; Hong Li

Packet classification plays a critical role in many current networking technologies, and efficient yet lightweight packet classification techniques are crucial for their successful deployment. Most current packet classification techniques exploit the characteristics of classification policies without considering traffic behavior when optimizing their search data structures. In this paper, we present novel techniques that utilize traffic characteristics coupled with careful analysis of the policy to obtain adaptive methods that accommodate varying traffic statistics while maintaining high throughput. The first technique segments the traffic space into disjoint subsets of traffic properties and builds bounded-depth Huffman trees using the statistics collected for these segments. The second technique simplifies structure maintenance by keeping the segments ordered in a most-recently-used (MRU) list instead of a tree. The techniques are evaluated and their performance is compared. Moreover, attacks targeting firewall performance are discussed and corresponding protection schemes are presented.
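The second technique in this abstract, an MRU list over disjoint policy segments, is easy to see in miniature. The following is an added example written for this page, not the authors' implementation: the segments are a constructed, hypothetical decomposition of a port-only policy (the paper derives them from the real policy and traffic), and the two traces are constructed. It counts comparisons for a static segment order against a move-to-front order, and then shows the performance attack the abstract alludes to: a sender that cycles through cold segments makes the MRU list cost more than the static order.

```python
# Constructed disjoint segments over destination port, already derived from a hypothetical
# policy: (lo, hi, decision). Segments cover the whole port space and do not overlap.
SEGMENTS = [
    (0, 21, "accept"),
    (22, 22, "deny"),
    (23, 1023, "accept"),
    (1024, 8079, "deny"),
    (8080, 8080, "accept"),
    (8081, 65535, "deny"),
]

class StaticClassifier:
    """Linear scan over the segments in their fixed order."""
    def __init__(self, segments):
        self.order = list(segments)

    def classify(self, port):
        for i, (lo, hi, decision) in enumerate(self.order):
            if lo <= port <= hi:
                self.hit(i)
                return decision, i + 1     # i + 1 = comparisons spent on this packet
        raise ValueError("segments must cover the whole port space")

    def hit(self, i):
        pass                               # static order never changes

class MRUClassifier(StaticClassifier):
    """Same scan, but the segment that matched is moved to the front (move-to-front).
    Decisions are unchanged because the segments are disjoint; only the cost changes."""
    def hit(self, i):
        if i:
            self.order.insert(0, self.order.pop(i))

def total_cost(classifier, ports):
    """Comparisons spent over a whole trace."""
    return sum(classifier.classify(p)[1] for p in ports)

def decisions(classifier, ports):
    return [classifier.classify(p)[0] for p in ports]

# Constructed traces. SKEWED looks like real traffic (a few hot ports dominate);
# ADVERSARIAL touches every segment in rotation so the MRU list never stabilizes.
SKEWED = [443] * 500 + [80] * 300 + [53] * 150 + [3389] * 50
ADVERSARIAL = [10, 22, 443, 2000, 8080, 9000] * 10

if __name__ == "__main__":
    for name, trace in (("skewed", SKEWED), ("adversarial", ADVERSARIAL)):
        print(name, "static:", total_cost(StaticClassifier(SEGMENTS), trace),
              "mru:", total_cost(MRUClassifier(SEGMENTS), trace))
```

On the skewed trace the MRU list spends about one comparison per packet against three for the static order. On the adversarial trace every packet lands on the segment that was most recently pushed to the back, so the MRU cost settles at the full list length on every packet, worse than the static scan; that degradation is the kind of attack on the classifier's own data structure that the abstract says the paper addresses with protection schemes.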


IEEE International Conference on Network Protocols | 2005

Policy segmentation for intelligent firewall testing

Adel El-Atawy; Khaled Ibrahim; Hazem H. Hamed; Ehab Al-Shaer

Firewall development and implementation are constantly being improved to accommodate higher security and performance standards. Using reliable yet practical techniques for testing new packet filtering algorithms and firewall design implementations from a functionality point of view becomes necessary to assure the required security. In this paper, an efficient paradigm for automated testing of firewalls with respect to their internal implementation and security policies is proposed. We propose a novel firewall testing technique using policy-based segmentation of the traffic address space, which can intelligently adapt the test traffic generation to target potential erroneous regions in the firewall input space. We also show that our automated approach of test case generation, analyzing firewall logs and creating testing reports not only makes the problem solvable but also offers a significantly higher degree of confidence than random testing.


IEEE Journal on Selected Areas in Communications | 2006

On Dynamic Optimization of Packet Matching in High-Speed Firewalls

Hazem H. Hamed; Adel El-Atawy; Ehab Al-Shaer

Packet matching plays a critical role in the performance of many network devices, and a tremendous amount of research has already been invested in better optimized packet filters. However, most of the related work uses deterministic techniques and does not exploit traffic characteristics in its optimization schemes. In addition, most packet classifiers give no specific consideration to optimizing packet rejection, which is important for many filtering devices like firewalls. Our contribution in this paper is twofold. First, we present a novel algorithm for maximizing early rejection of unwanted flows with minimal impact on other flows. Second, we present a new dynamic packet filtering optimization technique that uses statistical search trees to exploit traffic characteristics and minimize the average packet matching time. The proposed techniques adapt promptly to changes in traffic conditions by performing simple calculations to optimize the search data structure. Our techniques are practically attractive because they are simple to implement and easy to deploy. Our extensive evaluation study using Internet traces shows that the proposed techniques can significantly reduce packet filtering time with reasonable memory requirements.


IEEE International Conference on Computer Communications (INFOCOM) | 2007

Ranking-Based Optimal Resource Allocation in Peer-to-Peer Networks

Yonghe Yan; Adel El-Atawy; Ehab Al-Shaer

This paper presents a theoretical framework for optimal resource allocation and admission control in peer-to-peer networks. Peers' behavioral rankings are incorporated into resource allocation and admission control to provide differentiated services and even to block peers with bad rankings; such peers may be free-riders or suspected attackers. A peer improves her ranking by contributing resources to the P2P system and degrades it by consuming services. Therefore, ranking-based resource allocation provides the necessary incentives for peers to contribute their resources to P2P systems. We define a utility function that captures the source peer's preferences for serving the competing peers that request services from it. Although the utility function is convex, Harsanyi-type social welfare functions are devised to obtain a unique optimal resource allocation that achieves max-min fairness. The parameters used in our model can be derived from the nature of the services or chosen by the source peer. No private information needs to be revealed by individual peers, which prevents selfish peers from gaming the system strategically and cheating the resource allocation mechanism for their own benefit. The resource allocation and admission control are fully distributed and linearly scalable.


IEEE International Conference on Computer Communications (INFOCOM) | 2009

Adaptive Early Packet Filtering for Defending Firewalls Against DoS Attacks

Adel El-Atawy; Ehab Al-Shaer; Tung Tran; Raouf Boutaba

A major threat to data networks is based on the fact that some traffic can be expensive to classify and filter, as it will undergo a longer than average list of filtering rules before being rejected by the default deny rule. An attacker with some information about the access-control list (ACL) deployed at a firewall or an intrusion detection and prevention system (IDS/IPS) can craft packets that will have maximum cost. In this paper, we present a technique that is lightweight, traffic-adaptive and can be deployed on top of any filtering mechanism to pre-filter unwanted expensive traffic. The technique utilizes Internet traffic characteristics coupled with a special, carefully tuned representation of the policy to generate early defense policies. We use Boolean expressions built as binary decision diagrams (BDDs) to represent relaxed versions of the policy that are faster to evaluate. Moreover, it is guaranteed that the technique will not add an overhead that is not compensated by the gain in filtering time in the underlying filtering method. Evaluation has shown considerable savings to the overall filtering process, thus saving the firewall processing power and increasing overall throughput. Also, the overhead changes according to the traffic behavior, and can be tuned to guarantee its worst case time cost.

regarding malicious activities. A filtering technique that is capable of performing regardless of the number of criteria fields will prove useful in a wide variety of devices. In this paper, we will describe an early filtering/decision technique that reduces the packet matching cost by a dynamically changed pre-filtering phase that resides before the original firewall matching technique. Special consideration was given to having minimal on-line operations and reasonable overhead periodic maintenance.

While in this paper we focus on firewalls, the technique is applicable to any device that performs packet matching based on a predefined deterministic policy. The actual implementation was written and deployed as a plug-in for the standard IPTables firewall. The technique is triggered prior to the start of the regular matching, and if a packet needs further processing it is passed to the next layer,
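The three abstracts above on early rejection (the INFOCOM 2006 and JSAC 2006 papers on maximizing early rejection, and this one on a relaxed pre-filtering policy) share one idea: derive from the policy a cheap test that is guaranteed to agree with the full rule list whenever it fires, place it in front of the full match, and order or tune it from traffic statistics. The following is an added example written for this page, not the authors' IPTables plug-in or their BDD-based relaxation. It uses the simplest sound relaxation (a packet whose destination port, or protocol, appears in no accept rule can never be accepted under default deny, so it can be dropped after one check), adapts the order of those checks to a hit counter over a window, and measures comparisons against a plain linear scan. The policy, the traffic mix and the window size are constructed and hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed policy (hypothetical): first match wins, explicit default deny at the end.
# Rule = (action, source network, destination port or '*', protocol or '*').
POLICY = [
    ("deny",   "10.0.0.0/8",      "*", "*"),
    ("accept", "0.0.0.0/0",       80,  "tcp"),
    ("accept", "0.0.0.0/0",       443, "tcp"),
    ("accept", "192.0.2.0/24",    22,  "tcp"),
    ("accept", "0.0.0.0/0",       53,  "udp"),
    ("accept", "198.51.100.0/24", 25,  "tcp"),
    ("deny",   "0.0.0.0/0",       "*", "*"),
]
_NETS = [ipaddress.ip_network(rule[1]) for rule in POLICY]

def full_match(pkt):
    """Baseline linear first-match scan. Returns (decision, rules examined)."""
    src, dport, proto = pkt
    addr = ipaddress.ip_address(src)
    for i, (action, _net, port, pr) in enumerate(POLICY):
        if addr in _NETS[i] and port in ("*", dport) and pr in ("*", proto):
            return action, i + 1
    return "deny", len(POLICY)

def accepted_values(policy, field):
    """Values of `field` ('dport' or 'proto') that occur in accept rules, or None when some
    accept rule wildcards the field (then the field gives no early-rejection information)."""
    vals = set()
    for action, _src, port, proto in policy:
        if action != "accept":
            continue
        v = port if field == "dport" else proto
        if v == "*":
            return None
        vals.add(v)
    return vals

class EarlyFilter:
    """Relaxed policy in front of the full match: a packet failing an early check can never
    reach an accept rule, so 'deny' is exact. Check order adapts to which check fires most."""
    def __init__(self, policy, window=100):
        self.preds = [(f, frozenset(v)) for f in ("dport", "proto")
                      if (v := accepted_values(policy, f)) is not None]
        self.hits = Counter()
        self.seen = 0
        self.window = window

    def classify(self, pkt):
        """Returns (decision, comparisons) with early checks counted as one each."""
        src, dport, proto = pkt
        cost = 0
        for field, vals in self.preds:
            cost += 1
            if (dport if field == "dport" else proto) not in vals:
                self.hits[field] += 1
                self._maybe_reorder()
                return "deny", cost
        self._maybe_reorder()
        decision, n = full_match(pkt)
        return decision, cost + n

    def _maybe_reorder(self):
        self.seen += 1
        if self.seen % self.window == 0:      # periodic maintenance, no per-packet work
            self.preds.sort(key=lambda p: -self.hits[p[0]])
            self.hits.clear()

def constructed_traffic():
    """Constructed mix: a TCP port sweep dominates, plus a legitimate web/DNS/SSH tail."""
    sweep = [("203.0.113.%d" % (1 + i % 200), port, "tcp")
             for i in range(200) for port in (23, 445, 3389)]
    web = [("198.51.100.%d" % (1 + i % 200), port, "tcp")
           for i in range(100) for port in (80, 443)]
    dns = [("198.51.100.%d" % (1 + i % 200), 53, "udp") for i in range(50)]
    ssh = [("192.0.2.%d" % (1 + i), 22, "tcp") for i in range(10)]
    return sweep + web + dns + ssh

def compare(traffic):
    """Average comparisons per packet without and with early rejection, and whether
    every decision agreed (it must: the early checks are a sound relaxation)."""
    early = EarlyFilter(POLICY)
    full_cost = early_cost = 0
    agree = True
    for pkt in traffic:
        d1, c1 = full_match(pkt)
        d2, c2 = early.classify(pkt)
        full_cost += c1
        early_cost += c2
        agree = agree and d1 == d2
    return full_cost / len(traffic), early_cost / len(traffic), agree

if __name__ == "__main__":
    print(compare(constructed_traffic()))
```

The guarantee the abstract states, that the pre-filter never costs more than it saves, is not automatic here: on accepted traffic the two early checks are pure overhead (two extra comparisons), and they pay for themselves only while rejected traffic is common. That is why the paper ties the early policy to traffic statistics; in this example the same idea appears only as the periodic reordering of checks, and a deployment would also want to disable checks whose hit rate falls below their cost.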


IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY) | 2007

An Automated Framework for Validating Firewall Policy Enforcement

Adel El-Atawy; Taghrid Samak; Z. Wali; Ehab Al-Shaer

The implementations of network security devices such as firewalls and IDSs are constantly being improved to accommodate higher security and performance standards. Using reliable yet practical techniques for testing the functionality of firewall devices, particularly after a new filtering implementation or optimization, becomes necessary to assure the required security. Generating random traffic to test the functionality of firewall matching is inefficient and inaccurate, as it requires an exponential number of test cases for reasonable coverage. In addition, in most cases the policies used during testing are limited and manually generated, representing fixed policy profiles. In this paper, we present a framework for automatic testing of firewall policy enforcement or implementation using efficient random traffic and policy generation techniques. Our framework is a two-stage architecture that provides satisfactory coverage of the firewall's operational states. A large variety of policies are randomly generated according to custom profiles and based on the grammar of the access control list. Test packets are then generated intelligently and in proportion to the critical regions of the generated policies to validate the firewall's enforcement of those policies. We describe our implementation of the framework based on Cisco IOS, which includes policy generation, test case generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that automated security testing is not only achievable but also offers a dramatically higher degree of confidence than random or manual testing.


IEEE International Conference on Computer Communications (INFOCOM) | 2009

Building Covert Channels over the Packet Reordering Phenomenon

Adel El-Atawy; Ehab Al-Shaer

New modes of communication are needed for more secure and private types of data. Steganography, or data hiding through covert channels, is strongly motivated by today's security requirements and the varied needs of applications. Moreover, the amount of information in Internet traffic is not bounded by what is contained in packet payloads; there is considerable hidden capacity within packet and flow characteristics for building robust and stealthy covert channels. In this paper, we propose using the packet reordering phenomenon as the medium for a hidden channel. A naturally occurring behavior of packets traveling the Internet, reordering can also be induced deliberately to send a signal to the receiving end. Specific permutations are selected to enhance the reliability of the channel, while their distribution is chosen to imitate real traffic and increase stealthiness. The robustness of such a channel is analyzed, and its bandwidth is calculated. A simple tool is implemented to communicate over the natural phenomenon of packet reordering. Reliability and capacity of the technique are evaluated, and promising results show the potential of the proposed approach.
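The two design choices named in this abstract, selecting specific permutations for reliability and keeping them close to natural reordering for stealth, can be made concrete. The following is an added example written for this page, not the authors' tool: the sender transmits every group of five sequence numbers in one of four chosen orders, the receiver recovers the order from arrival, and unknown orders (the network added its own reordering) snap to the nearest codeword by Kendall tau distance. The codeword set is built greedily, preferring small total displacement (mild reordering, as a real path would produce) while keeping every pair at Kendall distance at least 3, so one extra adjacent swap in transit is corrected. Group size, bit count and minimum distance are assumed parameters; the message is constructed.

```python
from itertools import combinations, permutations

N, BITS, MIN_DIST = 5, 2, 3     # assumed parameters: 5 packets per group carry 2 bits

def kendall_distance(p, q):
    """Number of packet pairs whose relative order differs between orderings p and q."""
    pos_p = {v: i for i, v in enumerate(p)}
    pos_q = {v: i for i, v in enumerate(q)}
    return sum(1 for u, v in combinations(p, 2)
               if (pos_p[u] - pos_p[v]) * (pos_q[u] - pos_q[v]) < 0)

def build_alphabet(n=N, bits=BITS, min_dist=MIN_DIST):
    """Choose 2**bits permutations: smallest total displacement first (looks like natural
    reordering), keeping only those at Kendall distance >= min_dist from every earlier
    choice, so a single adjacent swap in transit (distance 1) still decodes correctly."""
    cands = sorted(permutations(range(n)),
                   key=lambda p: (sum(abs(i - v) for i, v in enumerate(p)), p))
    chosen = []
    for p in cands:
        if all(kendall_distance(p, q) >= min_dist for q in chosen):
            chosen.append(p)
        if len(chosen) == 1 << bits:
            return chosen
    raise ValueError("not enough permutations for the requested bits")

ALPHABET = build_alphabet()
SYMBOL_OF = {p: s for s, p in enumerate(ALPHABET)}

def min_pairwise_distance(alphabet=ALPHABET):
    return min(kendall_distance(p, q) for p, q in combinations(alphabet, 2))

def to_symbols(data, bits=BITS):
    bitstr = "".join(f"{b:08b}" for b in data)
    bitstr += "0" * (-len(bitstr) % bits)          # pad the last symbol
    return [int(bitstr[i:i + bits], 2) for i in range(0, len(bitstr), bits)]

def from_symbols(symbols, nbytes, bits=BITS):
    bitstr = "".join(f"{s:0{bits}b}" for s in symbols)
    return bytes(int(bitstr[i:i + 8], 2) for i in range(0, nbytes * 8, 8))

def encode(data):
    """Sender: group g of N sequence numbers leaves in the order ALPHABET[symbol_g]."""
    order = []
    for g, sym in enumerate(to_symbols(data)):
        base = g * N
        order.extend(base + v for v in ALPHABET[sym])
    return order

def decode(arrivals, nbytes):
    """Receiver: arrival order of sequence numbers, N at a time. Assumes reordering in
    transit never crosses a group boundary. Unknown orders snap to the nearest codeword."""
    symbols = []
    for g in range(0, len(arrivals), N):
        group = arrivals[g:g + N]
        base = min(group)
        perm = tuple(s - base for s in group)
        if perm not in SYMBOL_OF:
            perm = min(ALPHABET, key=lambda cw, perm=perm: kendall_distance(perm, cw))
        symbols.append(SYMBOL_OF[perm])
    return from_symbols(symbols, nbytes)

def capacity_bits_per_packet():
    return BITS / N

if __name__ == "__main__":
    stream = encode(b"hi")
    stream[0], stream[1] = stream[1], stream[0]    # the network swaps two packets
    print(ALPHABET, decode(stream, 2), capacity_bits_per_packet())
```

With these parameters the channel carries 0.4 bits per packet; a larger group or a smaller minimum distance raises capacity at the cost of robustness, which is the trade-off the abstract describes between reliability and bandwidth. Reordering that straddles a group boundary defeats this simple decoder, so a real tool would also need framing (the paper's tool handles synchronization; this example does not).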


IEEE Journal on Selected Areas in Communications | 2009

Automated pseudo-live testing of firewall configuration enforcement

Ehab Al-Shaer; Adel El-Atawy; Taghrid Samak

Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features and performance standards and to utilize new hardware optimizations. Reliable, yet practical, testing techniques for validating configuration enforcement after every software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test firewall configuration enforcement is not only inaccurate but also impractical, as it requires an infeasible number of test cases for reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies is generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to specifically target critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully automated framework, which includes ACL grammar modeling, policy generation, test case generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but also offers high coverage with a significant degree of confidence.
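The three testing abstracts above (the ICNP 2005 paper on policy segmentation, the POLICY 2007 framework and this JSAC 2009 paper) all rest on the same step: segment the address space by the policy's rule boundaries, then spend test packets on the critical regions (segment boundaries and regions where several rules overlap) rather than uniformly. The following is an added example written for this page, not the authors' framework (which generates whole policies from an ACL grammar and drives Cisco IOS). It segments a constructed port-only policy, generates boundary and overlap-weighted test packets, runs them against a constructed implementation under test with a deliberate off-by-one, and reports every decision that disagrees with the policy's reference semantics. The policy, the bug and the sample sizes are hypothetical.

```python
import random

# Constructed policy over destination port: (lo, hi, action), first match wins.
POLICY = [(22, 22, "deny"), (0, 1023, "accept"), (8080, 8080, "accept"), (0, 65535, "deny")]

def reference_decision(policy, port):
    """The policy's intended semantics, used as the test oracle."""
    for lo, hi, action in policy:
        if lo <= port <= hi:
            return action
    return "deny"

def segment(policy):
    """Disjoint segments of the port space. Each carries its effective decision and the
    number of rules overlapping it (overlap is where implementations tend to go wrong)."""
    cuts = sorted({0, 65536} | {lo for lo, _, _ in policy} | {hi + 1 for _, hi, _ in policy})
    segs = []
    for a, b in zip(cuts, cuts[1:]):
        overlap = sum(1 for lo, hi, _ in policy if lo <= a and b - 1 <= hi)
        segs.append((a, b - 1, reference_decision(policy, a), overlap))
    return segs

def segment_tests(policy, interior=2, seed=0):
    """Both boundary ports of every segment, plus interior samples proportional to overlap."""
    rng = random.Random(seed)
    tests = []
    for lo, hi, expected, overlap in segment(policy):
        ports = {lo, hi}
        for _ in range(interior * overlap):
            ports.add(rng.randint(lo, hi))
        tests += [(p, expected) for p in sorted(ports)]
    return tests

def random_tests(policy, n, seed=0):
    """Uniform random ports with the oracle's expected decision, for comparison."""
    rng = random.Random(seed)
    return [(p, reference_decision(policy, p))
            for p in (rng.randint(0, 65535) for _ in range(n))]

def buggy_firewall(port):
    """Constructed implementation under test: off-by-one, treats each range as (lo, hi]."""
    for lo, hi, action in POLICY:
        if lo < port <= hi:
            return action
    return "deny"

def run(tests, firewall):
    """Test report: every (port, expected, observed) where the implementation disagrees."""
    report = []
    for port, expected in tests:
        observed = firewall(port)
        if observed != expected:
            report.append((port, expected, observed))
    return report

if __name__ == "__main__":
    print("segment-based:", run(segment_tests(POLICY), buggy_firewall))
    print("random:", run(random_tests(POLICY, 200), buggy_firewall))
```

The off-by-one only shows at segment boundaries (ports 0, 22 and 8080 here, three of 65536 values), so segment-based generation finds all three failures with a few dozen packets, while uniform random testing would need on the order of tens of thousands of packets to expect to hit even one of them. That gap is the "exponential number of test cases" the abstracts argue against, and it is why the overlap count, not just the boundaries, drives the sampling weight.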

Collaboration



Top Co-Authors


Ehab Al-Shaer

University of North Carolina at Charlotte
