David Espes
University of Western Brittany
Publication
Featured research published by David Espes.
information security | 2016
Salaheddine Zerkane; David Espes; Philippe Le Parc; Frédéric Cuppens
Network security is a crucial issue of Software Defined Networking (SDN). It is probably one of the key features for the success and the future pervasion of the SDN technology. In this perspective, we propose an SDN reactive stateful firewall. Our solution is integrated into the SDN architecture. The application filters TCP communications according to the network security policies. It records and processes the different states of connections and interprets their possible transitions into OpenFlow (OF) rules. The proposition uses a reactive behavior in order to reduce the number of OpenFlow rules in the data plane devices and to mitigate some Denial of Service (DoS) attacks like SYN Flooding. The firewall processes the Finite State Machine of network protocols so as to withdraw useless traffic not corresponding to their transitions’ conditions.
conference on risks and security of internet and systems | 2015
Lyes Bayou; David Espes; Nora Cuppens-Boulahia; Frédéric Cuppens
The security of Supervisory Control and Data Acquisition systems (SCADA) has become, these last years, a major worldwide concern. Indeed, several incidents and cyber-attacks stressed the emergency to make more efforts to secure these systems which manage important economical infrastructures. The increasing use of wireless sensors also brings their security vulnerabilities. Therefore, several communication protocols were developed to meet real time and security requirements needed by this kind of systems. WirelessHART is the first approved international standard for industrial wireless devices. It implements several mechanisms to ensure hop-by-hop and end-to-end security. However, despite these mechanisms, it remains possible for an attacker to conduct an attack against such wireless networks. In this paper, we give the first description of a Sybil attack specially tailored to target WirelessHART based SCADA systems. This attack can lead to harmful consequences such as disturbing the infrastructure functioning, interrupting it or more again causing its destruction (overheating of a nuclear reactor).
availability, reliability and security | 2016
Lyes Bayou; Nora Cuppens-Boulahia; David Espes; Frédéric Cuppens
The use of wireless communication is a major trend in the so-called Supervisory Control and Data Acquisition systems (SCADA). Consequently, Wireless Industrial Sensor Networks (WISN) were developed to meet real time and security requirements needed by SCADA systems. In terms of security, WISN suffer from the same threats as those targeting classical WSN. Indeed, attackers mainly use wireless communication as a medium to launch these attacks. But as these networks are used to manage critical systems, consequences of such attacks can be more harmful. Therefore, additionally to the use of cryptographic and authentication mechanisms, Intrusion Detection Systems (IDS) are also used as a second line of defense. In this paper we propose an efficient IDS deployment scheme specially tailored to fit WISN characteristics. It builds a virtual wireless backbone that adds security purposes to the WISN. We also show that the proposed deployment scheme provides a good traffic monitoring capability with an acceptable number of monitoring nodes. It particularly allows detecting that a packet has been forged, deleted, modified or delayed during its transmission.
foundations and practice of security | 2016
Lyes Bayou; David Espes; Nora Cuppens-Boulahia; Frédéric Cuppens
Communication security is a major concern in industrial process management. Indeed, in addition to real-time requirements, it is very important to ensure that sensing data sent by field sensors are not altered or modified during their transmission. This is more true in Wireless Sensor Networks where communication can be hijacked and false data injected. Therefore wireless communication protocols include several security mechanisms to ensure data confidentiality and integrity. In this paper, we present an attack against WirelessHART, the leading wireless communication protocol in industrial environment. We show that an insider attacker can bypass security mechanisms and inject false commands in the network. Such attacks can have harmful economical consequences or even more can threaten human lives. We propose also some solutions that can be applied for detecting and mitigating this kind of attacks.
CyberICS 2015 : 1st Workshop on Security of Industrial Control Systems and Cyber Physical Systems | 2015
Lyes Bayou; David Espes; Nora Cuppens-Boulahia; Frédéric Cuppens
The security of SCADA systems is a major concern. Indeed, these systems are used to manage important infrastructures. However, conducting security analyses on these systems is almost impossible. Therefore, using simulators is the best way to do that. In this paper, we describe our simulator for WirelessHART SCADA-based systems. It implements the whole protocol stack and both field devices and the Network Manager including routing and scheduling algorithms. The simulator is specially tailored to assess WirelessHART security mechanisms and to test attacks and countermeasures. It includes scenarios for testing several kinds of attacks such as sybil and denial of service (DoS) attacks. Also, new scenarios can easily be added to test other kinds of attacks.
conference on risks and security of internet and systems | 2016
Salah Eddine Zerkane; David Espes; Philippe Le Parc; Frédéric Cuppens
Security solutions in conventional networks are complex and costly because of the lack of abstraction, the rigidity and the heterogeneity of the network architecture. However, in Software Defined Networking (SDN), flexible, reprogrammable, robust and cost effective security solutions can be built over the architecture. In this context, we propose an SDN proactive stateful Firewall. Our solution is completely integrated into the SDN environment and it is compliant with the OpenFlow (OF) protocol. The proposed Firewall is the first implemented stateful SDN Firewall. It uses a proactive logic to mitigate some fingerprinting and DoS attacks. Furthermore, it improves the network performance by steering network communications in order to fulfil network protocol FSM (Finite State Machine). Besides, an Orchestrator layer is integrated in the Firewall in order to manage the deployment of the Firewall applications. This integration empowers the interactions with the administrator and the data plane elements. We conduct two tests to prove the validity of our concept and to show that the proposed Firewall is efficient and performant.
international conference on signal processing | 2013
David Espes; Ali Dahery; Yvon Autret; Emanuel Radoi; Philippe Le Parc
In this paper, we suggest using low cost robots and Ultra wideband (UWB) technology in order to help the elderly. In the context of the targeted application, a mobile robot is designed to remotely interact with a person acting as supervisor, and also to monitor their environment. UWB is then very helpful to ensure precise localization of the robot inside the house. First, we present our experimental robotic platform, based on off-the-shelf components, and our experimental software environment in the cloud. Then, we describe our localization approach which relies on two phases: Time of Arrival (ToA) estimation using the dirty template algorithm, and Bancroft method for the robot position estimation. Finally, our simulation results are presented and discussed.
international conference on information systems security | 2017
Lyes Bayou; David Espes; Nora Cuppens-Boulahia; Frédéric Cuppens
The increasing use of wireless sensor networks in Supervisory Control and Data Acquisition systems (SCADA) raises the need of enforcing the security of this promising technology. Indeed, SCADA systems are used to manage critical installations that have hard security, reliability and real-time requirements. Consequently, in order to ensure Wireless Industrial Sensor Networks (WISN) security, Intrusion Detection Systems should be used as a second line of defense, in addition to sensor’s embedded security mechanisms. In this paper, we present wIDS, a multilayer specification-based Intrusion Detection System specially tailored for WISN. It has a two-level detection architecture and is based on a formal description of node’s normal behavior.
Proceedings of the 2017 the 7th International Conference on Communication and Network Security | 2017
Lyes Bayou; David Espes; Nora Cuppens-Boulahia; Frédéric Cuppens
Nowadays, Wireless Sensor Network (WSN) is a well-established paradigm. It has a large variety of applications ranging from home to industrial applications (such as health care and military applications). However, as this kind of networks is becoming wider, more heterogeneous and interconnected, ensuring the security of these decentralized systems is also becoming more challenging. In this paper, we propose wirelessOrBAC, a formal Intrusion Detection System specially tailored to enforce the security of Wireless Sensor Networks. It allows defining in a comprehensive and easy way, security rules that model accurately wireless nodes behavior. Based on the built model, Intrusion Detection tasks are performed in order to detect malicious actions.
31st IFIP Annual Conference on Data and Applications Security and Privacy (DBSEC) | 2017
Nora Cuppens; Salaheddine Zerkane; Yanhuang Li; David Espes; Philippe Le Parc; Frédéric Cuppens
The evolution of the digital world drives cloud computing to be a key infrastructure for data and services. This breakthrough is transforming Software Defined Networking into the cloud infrastructure backbone because of its advantages such as programmability, abstraction and flexibility. As a result, many cloud providers select SDN as a cloud network service and offer it to their customers. However, due to the rising number of network cloud providers and their security offers, network cloud customers strive to find the best provider candidate who satisfies their security requirements. In this context, we propose a negotiation and an enforcement framework for SDN firewall policies provisioning. Our solution enables customers and SDN providers to express their firewall policies and to negotiate them via an orchestrator. Then, it reinforces these security requirements using the holistic view of the SDN controllers and it deploys the generated firewall rules into the network elements. We evaluate the performance of the solution and demonstrate its advantages.