Port Scanning


The Experts below are selected from a list of 360 Experts worldwide ranked by ideXlab platform

Abdallah Shami - One of the best experts on this subject based on the ideXlab platform.

  • On the Security of SDN: A Completed Secure and Scalable Framework Using the Software Defined Perimeter
    IEEE Access, 2019
    Co-Authors: Ahmed Sallam, Ahmed Refaey, Abdallah Shami
    Abstract:

    The widespread adoption and evolution of Software Defined Networking (SDN) have enabled the service providers to successfully simplify network management. Along with the traffic explosion, there is decreasing CAPEX and OPEX as well as an increase in the average revenue per user. However, this wide adoption of SDNs is posing real challenges and concerns in terms of security aspects. The main challenges are how to provide proper authentication, access control, data privacy, and data integrity among others for the API-driven orchestration of network routing. Herein, the Software Defined Perimeter (SDP) is proposed as a framework to provide an orchestration of connections. The expectation is a framework that restricts network access and connections between objects on the SDN-enabled network infrastructures. There are several potential benefits as a result of the integration between SDP systems and SDNs. In particular, it provides a completely scalable and managed security solution. Consequently, it leads to flexible deployment that can be tailored to fit the need of any generic network security perimeter. The proposed Integrated frameworks are examined through virtualized network testbeds. The testing results demonstrate that the proposed framework is malleable to both Port Scanning (PS) attack and Denial of Service (DoS) bandwidth attack. In addition, it clarifies some interesting potential integration points between the SDP systems and SDNs to further research in this area.

  • Software-Defined Perimeter (SDP): State of the Art Secure Solution for Modern Networks
    IEEE Network, 2019
    Co-Authors: Abdallah Moubayed, Ahmed Refaey, Abdallah Shami
    Abstract:

    The boom in the evolution and adoption of new technologies, architectures, and paradigms such as cloud computing, SDN, and NFV in recent years has led to a new set of security and privacy challenges and concerns. These challenges/concerns include proper authentication, access control, data privacy, and data integrity, among others. SDP has been proposed as a security model/framework to protect modern networks in a dynamic manner. This framework follows a need-to-know model where a device's identity is first verified and authenticated before gaining access to the application infrastructure. In this article, a brief discussion of the security and privacy challenges/concerns facing modern cloud-based networks is presented along with some of the related work from the literature. The SDP concept, architecture, possible implementations, and challenges are described. An SDP-based framework adopting a client-gateway architecture is proposed with its performance being evaluated using a virtualized network testbed for an internal enterprise scenario as a use case. To the best of our knowledge, no previous work has provided a quantitative performance evaluation of such a framework. Performance evaluation results show that the SDP-secured network is resilient to denial of service attacks and port scanning attacks despite needing longer initial connection setup time. The achieved results confirm the promising potential of SDP as a security model/framework that can dynamically protect current and future networks.

Tzicker Chiueh - One of the best experts on this subject based on the ideXlab platform.

  • CTCP: A transparent centralized TCP/IP architecture for network security
    2015
    Co-Authors: Fu-hau Hsu, Tzicker Chiueh
    Abstract:

    Many network security problems can be solved in a centralized TCP (CTCP) architecture, in which an organization's edge router transparently proxies every TCP connection between an internal host and an external host on the Internet. This paper describes the design, implementation, and evaluation of a CTCP router prototype that is built on the Linux kernel. By redirecting all packets targeting non-existent or non-open-to-public ports to a CTCP socket which pretends to be the original receiver, CTCP could confirm the real identification of the packet sources, collect suspicious traffic from them, and make an illusion that the scanned target ports are all open, thus rendering port scanning a useless effort. Under the CTCP architecture, external hosts only interact with a secure CTCP router; therefore, any OS fingerprinting attempt and DoS/DDoS attack targeting TCP/IP implementation bugs could be thwarted. Moreover, by further checking traffic originating from confirmed scanners, the CTCP router can actually identify buffer overflow attack traffic. Finally, the CTCP router solves the TCP connection hijacking problem by introducing an additional check on the sequence number field of incoming packets. Despite providing a rich variety of protection, the CTCP architecture does not incur much overhead. On a 1.1 GHz Pentium-3 machine with gigabit Ethernet interfaces, the throughput of the CTCP router is 420.3 Mbits/sec, whereas the throughput of a generic Linux router on the same hardware is only 409.1 Mbits/sec.

  • CTCP: A transparent centralized TCP/IP architecture for network security
    Annual Computer Security Applications Conference, 2004
    Co-Authors: Tzicker Chiueh
    Abstract:

    Many network security problems can be solved in a centralized TCP (CTCP) architecture, in which an organization's edge router transparently proxies every TCP connection between an internal host and an external host on the Internet. This paper describes the design, implementation, and evaluation of a CTCP router prototype that is built on the Linux kernel. By redirecting all packets targeting nonexistent or nonopen-to-public ports to a CTCP socket which pretends to be the original receiver, CTCP could confirm the real identification of the packet sources, collect suspicious traffic from them, and make an illusion that the scanned target ports are all open, thus rendering port scanning a useless effort. Under the CTCP architecture, external hosts only interact with a secure CTCP router; therefore, any OS fingerprinting attempt and DoS/DDoS attack targeting TCP/IP implementation bugs could be thwarted. Moreover, by further checking traffic originating from confirmed scanners, the CTCP router can actually identify buffer overflow attack traffic. Finally, the CTCP router solves the TCP connection hijacking problem by introducing an additional check on the sequence number field of incoming packets. Despite providing a rich variety of protection, the CTCP architecture does not incur much overhead. On a 1.1 GHz Pentium-3 machine with gigabit Ethernet interfaces, the throughput of the CTCP router is 420.3 Mbits/sec, whereas the throughput of a generic Linux router on the same hardware is only 409.1 Mbits/sec.

Ahmed Refaey - One of the best experts on this subject based on the ideXlab platform.

  • On the Security of SDN: A Completed Secure and Scalable Framework Using the Software Defined Perimeter
    IEEE Access, 2019
    Co-Authors: Ahmed Sallam, Ahmed Refaey, Abdallah Shami
    Abstract:

    The widespread adoption and evolution of Software Defined Networking (SDN) have enabled the service providers to successfully simplify network management. Along with the traffic explosion, there is decreasing CAPEX and OPEX as well as an increase in the average revenue per user. However, this wide adoption of SDNs is posing real challenges and concerns in terms of security aspects. The main challenges are how to provide proper authentication, access control, data privacy, and data integrity among others for the API-driven orchestration of network routing. Herein, the Software Defined Perimeter (SDP) is proposed as a framework to provide an orchestration of connections. The expectation is a framework that restricts network access and connections between objects on the SDN-enabled network infrastructures. There are several potential benefits as a result of the integration between SDP systems and SDNs. In particular, it provides a completely scalable and managed security solution. Consequently, it leads to flexible deployment that can be tailored to fit the need of any generic network security perimeter. The proposed Integrated frameworks are examined through virtualized network testbeds. The testing results demonstrate that the proposed framework is malleable to both Port Scanning (PS) attack and Denial of Service (DoS) bandwidth attack. In addition, it clarifies some interesting potential integration points between the SDP systems and SDNs to further research in this area.

  • Software-Defined Perimeter (SDP): State of the Art Secure Solution for Modern Networks
    IEEE Network, 2019
    Co-Authors: Abdallah Moubayed, Ahmed Refaey, Abdallah Shami
    Abstract:

    The boom in the evolution and adoption of new technologies, architectures, and paradigms such as cloud computing, SDN, and NFV in recent years has led to a new set of security and privacy challenges and concerns. These challenges/concerns include proper authentication, access control, data privacy, and data integrity, among others. SDP has been proposed as a security model/framework to protect modern networks in a dynamic manner. This framework follows a need-to-know model where a device's identity is first verified and authenticated before gaining access to the application infrastructure. In this article, a brief discussion of the security and privacy challenges/concerns facing modern cloud-based networks is presented along with some of the related work from the literature. The SDP concept, architecture, possible implementations, and challenges are described. An SDP-based framework adopting a client-gateway architecture is proposed with its performance being evaluated using a virtualized network testbed for an internal enterprise scenario as a use case. To the best of our knowledge, no previous work has provided a quantitative performance evaluation of such a framework. Performance evaluation results show that the SDP-secured network is resilient to denial of service attacks and port scanning attacks despite needing longer initial connection setup time. The achieved results confirm the promising potential of SDP as a security model/framework that can dynamically protect current and future networks.

Ahmed Sallam - One of the best experts on this subject based on the ideXlab platform.

  • On the Security of SDN: A Completed Secure and Scalable Framework Using the Software Defined Perimeter
    IEEE Access, 2019
    Co-Authors: Ahmed Sallam, Ahmed Refaey, Abdallah Shami
    Abstract:

    The widespread adoption and evolution of Software Defined Networking (SDN) have enabled the service providers to successfully simplify network management. Along with the traffic explosion, there is decreasing CAPEX and OPEX as well as an increase in the average revenue per user. However, this wide adoption of SDNs is posing real challenges and concerns in terms of security aspects. The main challenges are how to provide proper authentication, access control, data privacy, and data integrity among others for the API-driven orchestration of network routing. Herein, the Software Defined Perimeter (SDP) is proposed as a framework to provide an orchestration of connections. The expectation is a framework that restricts network access and connections between objects on the SDN-enabled network infrastructures. There are several potential benefits as a result of the integration between SDP systems and SDNs. In particular, it provides a completely scalable and managed security solution. Consequently, it leads to flexible deployment that can be tailored to fit the need of any generic network security perimeter. The proposed Integrated frameworks are examined through virtualized network testbeds. The testing results demonstrate that the proposed framework is malleable to both Port Scanning (PS) attack and Denial of Service (DoS) bandwidth attack. In addition, it clarifies some interesting potential integration points between the SDP systems and SDNs to further research in this area.

Vassilios G Vassilakis - One of the best experts on this subject based on the ideXlab platform.

  • Implementing an intrusion detection and prevention system using software-defined networking: Defending against port-scanning and denial-of-service attacks
    Journal of Network and Computer Applications, 2019
    Co-Authors: Celyn Birkinshaw, Elpida Rouka, Vassilios G Vassilakis
    Abstract:

    Over recent years, we have observed a significant increase in the number and the sophistication of cyber attacks targeting home users, businesses, government organizations and even critical infrastructure. In many cases, it is important to detect attacks at the very early stages, before significant damage can be caused to networks and protected systems, including accessing sensitive data. To this end, cybersecurity researchers and professionals are exploring the use of Software-Defined Networking (SDN) technology for efficient and real-time defense against cyberattacks. SDN enables network control to be logically centralised by decoupling the control plane from the data plane. This feature enables network programmability and has the potential to almost instantly block network traffic when some malicious activity is detected. In this work, we design and implement an Intrusion Detection and Prevention System (IDPS) using SDN. Our IDPS is a software application that monitors networks and systems for malicious activities or security policy violations and takes steps to mitigate such activity. We specifically focus on defending against port-scanning and Denial of Service (DoS) attacks. However, the proposed design and detection methodology has the potential to be expanded to a wide range of other malicious activities. We have implemented and tested two connection-based techniques as part of the IDPS, namely the Credit-Based Threshold Random Walk (CB-TRW) and Rate Limiting (RL). As a mechanism to defend against port-scanning, we outline and test our Port Bingo (PB) algorithm. Furthermore, we include QoS as a DoS attack mitigation, which relies on flow-statistics from a network switch. We conducted extensive experiments in a purpose-built testbed environment. The experimental results show that the launched port-scanning and DoS attacks can be detected and stopped in real-time. Finally, the rate of false positives can be kept sufficiently low by tuning the threshold parameters of the detection algorithms.