Stateful Filtering

The Experts below are selected from a list of 282 Experts worldwide ranked by the ideXlab platform

Paul Chaignon - One of the best experts on this subject based on the ideXlab platform.

  • SOSR - Oko: Extending Open vSwitch with Stateful Filters
    Proceedings of the Symposium on SDN Research, 2018
    Co-Authors: Paul Chaignon, Kahina Lazri, Jerome Francois, Thibault Delmas, Olivier Festor
    Abstract:

    With the Software-Defined Networking paradigm, software switches emerged as the new edge of datacenter networks. The widely adopted Open vSwitch implements the OpenFlow forwarding model; its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express the many packet-processing algorithms required for traffic measurement, network security, or congestion diagnosis, as it lacks persistent state and basic arithmetic and logic operations. This paper presents Oko, an extension of Open vSwitch that enables runtime integration of stateful filtering and monitoring functionalities based on Berkeley Packet Filter (BPF) programs into the OpenFlow pipeline. BPF programs attached to OpenFlow rules act as intelligent filters over packets, while leaving the packets unmodified. This approach enables the transparent extension of Open vSwitch's flow caching architecture, retaining its high-performance benefits. Furthermore, the use of BPF allows for safe runtime extension and prevention of switch failures due to faulty programs. We compare our implementation based on Open vSwitch-DPDK to existing approaches with comparable isolation properties and measure a near 2x improvement of performance.

Thomas W. Shinder - One of the best experts on this subject based on the ideXlab platform.

  • ISA 2006 Stateful Inspection and Application Layer Filtering
    The Best Damn Firewall Book Period, 2007
    Co-Authors: Thomas W. Shinder
    Abstract:

    The ISA firewall is able to perform stateful application layer inspection, which enables it to fully inspect the communication streams passed by it from one network to another. In contrast to stateful filtering, where only the network and transport layer information is filtered, true stateful inspection requires that the firewall be able to analyze and make decisions on all layers of the communication, including the most important layer, the application layer. The Web filters perform stateful application layer inspection on communications handled by the ISA firewall's Web Proxy components. The Web Proxy handles connections for HTTP, HTTPS (SSL), and HTTP-tunneled FTP connections. This chapter discusses the ISA firewall's application layer filtering feature set. It discusses the two main types of application filters employed by the ISA firewall: access filters and security filters. Both the access filters and the security filters impose requirements that the connections meet specifications of legitimate communications using those protocols. Finally, the chapter discusses the ISA firewall's intrusion detection and prevention mechanisms. Common network layer attacks that can be launched against the ISA firewall, and how the ISA firewall protects you against them, are covered in this chapter.

  • ISA 2004 Stateful Inspection and Application Layer Filtering
    How to Cheat at Configuring ISA Server 2004, 2006
    Co-Authors: Thomas W. Shinder
    Abstract:

    The chapter discusses the ISA firewall's application layer filtering feature set. It focuses on the two main types of application filters employed by the ISA firewall: access filters and security filters. Both access filters and security filters impose requirements that the connections meet specifications of legitimate communications using those protocols. The ISA firewall is able to perform both stateful filtering and stateful application layer inspection. The ISA firewall's stateful filtering feature set makes the ISA firewall a network layer stateful firewall in the same class as any hardware firewall that performs stateful filtering at the network and transport layers. Stateful filtering is often referred to as stateful packet inspection. The chapter also discusses the ISA firewall's intrusion detection and prevention mechanisms.
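
The network- and transport-layer stateful filtering that these two chapters set against application-layer inspection (and that Oko's per-rule BPF programs above implement inside the switch pipeline: a function of the packet and some persistent state that returns a verdict and leaves the packet unmodified) comes down to a connection table consulted on every packet. The following is an added example written for this page, not ISA Server, Open vSwitch or Oko code; the policy (inside hosts may open TCP connections outwards, outside hosts may only answer them), the addresses and the fixed table size are assumptions of the example.

```c
/* Connection-tracking ("stateful packet inspection") filter for TCP.
 * Added example for this page, not ISA Server or Oko code. Assumed policy:
 * INSIDE hosts may open TCP connections outwards; a packet from OUTSIDE is
 * accepted only if it belongs to a flow an inside host already opened,
 * which a stateless filter cannot express without leaving reply ports open. */
#include <stdint.h>
#include <string.h>

#define MAX_FLOWS 64                    /* fixed-size table: bounded memory */
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10 };
enum dir { INSIDE, OUTSIDE };           /* interface the packet arrived on */
enum verdict { DROP = 0, ACCEPT = 1 };

struct pkt {                            /* only the fields the filter keys on */
    enum dir from;
    uint32_t saddr, daddr;              /* IPv4, host byte order */
    uint16_t sport, dport;
    uint8_t  tcp_flags;
};

struct flow {                           /* one inside-originated connection */
    int      in_use, established, fin_in, fin_out;
    uint32_t in_addr, out_addr;         /* inside host, outside peer */
    uint16_t in_port, out_port;
};

struct ct_table { struct flow flows[MAX_FLOWS]; };

static struct flow *ct_find(struct ct_table *t, uint32_t in_addr, uint16_t in_port,
                            uint32_t out_addr, uint16_t out_port)
{
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &t->flows[i];
        if (f->in_use && f->in_addr == in_addr && f->in_port == in_port &&
            f->out_addr == out_addr && f->out_port == out_port)
            return f;
    }
    return NULL;
}

static struct flow *ct_alloc(struct ct_table *t)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (!t->flows[i].in_use) return &t->flows[i];
    return NULL;                        /* table full: fail closed */
}

/* Decide one packet: consults and updates the table, never modifies the
 * packet. (A production tracker would additionally age idle entries out.) */
enum verdict ct_filter(struct ct_table *t, const struct pkt *p)
{
    struct flow *f;
    if (p->from == INSIDE) {
        f = ct_find(t, p->saddr, p->sport, p->daddr, p->dport);
        if (!f) {                       /* only a bare SYN may create state */
            if ((p->tcp_flags & (TH_SYN | TH_ACK)) != TH_SYN) return DROP;
            if (!(f = ct_alloc(t))) return DROP;
            memset(f, 0, sizeof *f);
            f->in_use = 1;
            f->in_addr = p->saddr; f->in_port = p->sport;
            f->out_addr = p->daddr; f->out_port = p->dport;
        }
        if (p->tcp_flags & TH_FIN) f->fin_in = 1;
    } else {                            /* reply direction: dst is our inside host */
        f = ct_find(t, p->daddr, p->dport, p->saddr, p->sport);
        if (!f) return DROP;            /* unsolicited inbound packet */
        if (!f->established) {          /* until the handshake completes, only SYN/ACK fits */
            if ((p->tcp_flags & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK)) return DROP;
            f->established = 1;
        }
        if (p->tcp_flags & TH_FIN) f->fin_out = 1;
    }
    /* Teardown: a reset, or FINs seen in both directions, frees the slot. */
    if ((p->tcp_flags & TH_RST) || (f->fin_in && f->fin_out)) f->in_use = 0;
    return ACCEPT;
}

/* Replays a constructed sequence (10.0.0.2 inside, 192.168.0.1 outside) and
 * returns the verdicts as a bit mask: bit i set when packet i was ACCEPTed. */
unsigned replay_scenario(void)
{
    static const struct pkt seq[] = {
        { INSIDE,  0x0A000002u, 0xC0A80001u, 40000, 443, TH_SYN },          /* 0: open */
        { OUTSIDE, 0xC0A80001u, 0x0A000002u, 443, 40001, TH_SYN | TH_ACK }, /* 1: wrong port */
        { OUTSIDE, 0xC0A80001u, 0x0A000002u, 443, 40000, TH_SYN | TH_ACK }, /* 2: handshake */
        { OUTSIDE, 0xC0A80001u, 0x0A000002u, 443, 40000, TH_ACK },          /* 3: reply data */
        { OUTSIDE, 0xC0A80001u, 0x0A000002u, 80,  40000, TH_ACK },          /* 4: unsolicited */
        { INSIDE,  0x0A000002u, 0xC0A80001u, 40000, 443, TH_RST },          /* 5: reset */
        { OUTSIDE, 0xC0A80001u, 0x0A000002u, 443, 40000, TH_ACK },          /* 6: after close */
    };
    struct ct_table t;
    unsigned bits = 0;
    memset(&t, 0, sizeof t);
    for (unsigned i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (ct_filter(&t, &seq[i]) == ACCEPT) bits |= 1u << i;
    return bits;                        /* 0x2d for this sequence */
}
```

The property the chapters care about shows in packets 1, 4 and 6 of the replayed sequence: a SYN/ACK to a port nobody opened, an ACK from an unexpected source port, and data for a connection that has already been reset are all dropped, although a stateless rule set that had to let the legitimate replies through would pass every one of them. Half-open entries (a SYN that is never answered) occupy a slot until a reset arrives; a real tracker ages them out on a timer, which is where much of its complexity lives.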

Olivier Festor - One of the best experts on this subject based on the ideXlab platform.

  • SOSR - Oko: Extending Open vSwitch with Stateful Filters
    Proceedings of the Symposium on SDN Research, 2018
    Co-Authors: Paul Chaignon, Kahina Lazri, Jerome Francois, Thibault Delmas, Olivier Festor

Marie-laure Potet - One of the best experts on this subject based on the ideXlab platform.

  • CRITIS - Domain Specific Stateful Filtering with Worst-Case Bandwidth
    Critical Information Infrastructures Security, 2017
    Co-Authors: Maxime Puys, Jean-louis Roch, Marie-laure Potet
    Abstract:

    Industrial systems have publicly been the target of cyberattacks since Stuxnet. Nowadays they increasingly communicate over insecure media such as the Internet. Because of their interaction with the real world, it is crucial to ensure their security. In this paper, we propose a domain-specific stateful filter that keeps track of the values of predetermined variables. Such a filter allows rules to be expressed that depend on the context of the system. Moreover, it must guarantee bounded memory and execution time to be resilient against malicious adversaries. Our approach is illustrated on an example.

  • Domain Specific Stateful Filtering with Worst-Case Bandwidth
    2016
    Co-Authors: Maxime Puys, Jean-louis Roch, Marie-laure Potet
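
As an added illustration of the idea in the abstract, not the authors' filter or their example, the following treats a Modbus/TCP Write Single Register command stream the way the paper describes: a handful of predetermined process variables are tracked, rules consult them, and both memory and per-packet work are fixed at compile time. The register addresses, their meaning (a mode register and a setpoint register for a hypothetical plant), the rule that setpoint writes are only allowed in automatic mode and the range limit are all assumptions of this example; the Modbus/TCP framing itself is standard.

```c
/* Domain-specific stateful filter for Modbus/TCP in the spirit of the paper:
 * it remembers the values of a few predetermined process variables and lets
 * rules depend on them. Added example, not the authors' code. State is a
 * fixed array and each packet costs O(NTRACKED) work with NTRACKED a constant,
 * so worst-case memory and time are bounded whatever an attacker sends.
 * Register roles, values and rules are assumptions for a hypothetical plant. */
#include <stdint.h>
#include <stddef.h>

#define MBAP_LEN 7                          /* Modbus/TCP header: txid, proto, len, unit */
#define FC_READ_HOLDING 0x03
#define FC_WRITE_SINGLE 0x06
#define REG_MODE      0                     /* assumed: 0 = maintenance, 1 = automatic */
#define REG_SETPOINT 10                     /* assumed: pump setpoint, valid 0..SETPOINT_MAX */
#define SETPOINT_MAX 1500
#define NTRACKED 2

enum verdict { DROP = 0, ACCEPT = 1 };
struct tracked { uint16_t addr, value; };
struct state { struct tracked regs[NTRACKED]; };

void state_init(struct state *s)
{
    s->regs[0] = (struct tracked){ REG_MODE, 0 };      /* assume maintenance at start-up */
    s->regs[1] = (struct tracked){ REG_SETPOINT, 0 };
}

static struct tracked *lookup(struct state *s, uint16_t addr)
{
    for (size_t i = 0; i < NTRACKED; i++)              /* bounded: NTRACKED iterations */
        if (s->regs[i].addr == addr) return &s->regs[i];
    return NULL;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Filter one Modbus/TCP ADU sent by the master. On an accepted write the new
 * value of the tracked register is recorded; nothing is recorded on DROP. */
enum verdict mb_filter(struct state *s, const uint8_t *adu, size_t len)
{
    if (len < MBAP_LEN + 1) return DROP;               /* truncated frame */
    if (be16(adu + 2) != 0) return DROP;               /* protocol id must be 0 */
    if ((size_t)be16(adu + 4) != len - 6) return DROP; /* length field must match */
    const uint8_t *pdu = adu + MBAP_LEN;
    size_t pdu_len = len - MBAP_LEN;

    switch (pdu[0]) {
    case FC_READ_HOLDING:                              /* reads: stateless, allow if well-formed */
        return pdu_len == 5 ? ACCEPT : DROP;
    case FC_WRITE_SINGLE: {
        if (pdu_len != 5) return DROP;
        uint16_t addr = be16(pdu + 1), value = be16(pdu + 3);
        struct tracked *reg = lookup(s, addr);
        if (!reg) return DROP;                         /* only predetermined variables are writable */
        if (addr == REG_MODE && value > 1) return DROP;
        if (addr == REG_SETPOINT) {                    /* context-dependent rule */
            if (lookup(s, REG_MODE)->value != 1) return DROP;  /* no setpoint changes in maintenance */
            if (value > SETPOINT_MAX) return DROP;
        }
        reg->value = value;                            /* update state only after acceptance */
        return ACCEPT;
    }
    default:
        return DROP;                                   /* everything else, e.g. diagnostics 0x08 */
    }
}

/* Builds a constructed 12-byte ADU (unit id 1) with a 5-byte PDU into buf. */
static size_t build_write(uint8_t *buf, uint16_t txid, uint8_t fc, uint16_t addr, uint16_t value)
{
    const uint8_t frame[12] = { txid >> 8, txid & 0xFF, 0, 0, 0, 6, 1,
                                fc, addr >> 8, addr & 0xFF, value >> 8, value & 0xFF };
    for (size_t i = 0; i < 12; i++) buf[i] = frame[i];
    return 12;
}

/* Replays a constructed command sequence and returns the verdicts as a bit
 * mask, bit i set when command i was ACCEPTed. */
unsigned replay_scenario(void)
{
    static const struct { uint8_t fc; uint16_t addr, value; } cmds[] = {
        { FC_WRITE_SINGLE, REG_SETPOINT, 800 },  /* 0: setpoint while in maintenance */
        { FC_WRITE_SINGLE, REG_MODE,     1 },    /* 1: switch to automatic */
        { FC_WRITE_SINGLE, REG_SETPOINT, 800 },  /* 2: now permitted */
        { FC_WRITE_SINGLE, REG_SETPOINT, 2000 }, /* 3: out of range */
        { FC_WRITE_SINGLE, 99,           1 },    /* 4: untracked register */
        { FC_WRITE_SINGLE, REG_MODE,     0 },    /* 5: back to maintenance */
        { FC_WRITE_SINGLE, REG_SETPOINT, 800 },  /* 6: denied again */
        { 0x08,            0,            0 },    /* 7: diagnostics function, not allowed */
    };
    struct state s;
    uint8_t buf[12];
    unsigned bits = 0;
    state_init(&s);
    for (unsigned i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        size_t n = build_write(buf, (uint16_t)i, cmds[i].fc, cmds[i].addr, cmds[i].value);
        if (mb_filter(&s, buf, n) == ACCEPT) bits |= 1u << i;
    }
    return bits;                                       /* 0x26 for this sequence */
}
```

Two details carry the bounded-resource argument. The filter learns state only from commands it accepts, so an attacker cannot grow the table by writing to arbitrary addresses, and the lookup loop runs at most NTRACKED times regardless of input, so the worst-case per-packet cost is a constant. A deployed filter would typically also learn from read responses (the master's view of the variables) and reassemble frames split across TCP segments; both are left out here.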

Tadashi Dohi - One of the best experts on this subject based on the ideXlab platform.

  • Dependability Modeling and Analysis of Random Port Hopping
    Autonomic and Trusted Computing, 2012
    Co-Authors: Kousaburo Hari, Tadashi Dohi
    Abstract:

    Since effective Denial of Service (DoS) solutions are based on quite expensive commercial devices that perform stateful filtering, they are in general not always available for stateless traffic and are not suitable for all organizations. Random port hopping (RPH) by Badishi et al. (2005, 2007) provides a robust communication protocol to decentralize the influence of malicious DoS attacks, and is regarded as a low-cost and dependable form of packet filtering in which the port number used for communication is changed randomly. However, RPH has not yet been adopted as a standard communication protocol in the real world, because the utility and limitations of RPH against general DoS attack patterns are still unclear. In this paper, we develop quantitative dependability models of RPH by means of discrete-time Markov chains (DTMC) and refine the existing RPH protocol in terms of the communication success rate.

  • UIC/ATC - Dependability Modeling and Analysis of Random Port Hopping
    2012 9th International Conference on Ubiquitous Intelligence and Computing and 9th International Conference on Autonomic and Trusted Computing, 2012
    Co-Authors: Kousaburo Hari, Tadashi Dohi
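
To make the protocol the abstract refers to concrete, here is a minimal random port hopping receiver written for this page (not Badishi et al.'s scheme as published, and not the authors' DTMC model). Both ends derive the port for each time slot from a shared secret; the receiver drops anything addressed elsewhere and keeps no per-packet state, which is what positions RPH as a cheap alternative to the stateful filtering devices the abstract mentions. The port derivation uses a splitmix64-style mixing function as a stand-in for a keyed PRF such as HMAC; that substitution, the 5-second slot, the port range and the one-slot skew window are assumptions of this example.

```c
/* Random port hopping (RPH) seen as a receiver-side packet filter: the server
 * accepts datagrams only on the port that a shared secret and the current
 * time slot select, so a flooder without the secret must guess among all
 * ports in the hop range for every slot. Added example, not Badishi et al.'s
 * protocol or the paper's DTMC model. The port derivation uses an integer
 * mixing function as a stand-in for a keyed PRF such as HMAC; that
 * substitution, the slot length and the port range are assumptions. */
#include <stdint.h>

#define PORT_LO 10000u
#define PORT_HI 60000u                   /* hop range: PORT_HI - PORT_LO candidate ports */
#define SLOT_SECONDS 5u                  /* assumed hop interval */

/* Stand-in PRF (splitmix64 finaliser). NOT a MAC; use HMAC in practice. */
static uint64_t mix64(uint64_t x)
{
    x += 0x9E3779B97F4A7C15ull;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ull;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBull;
    return x ^ (x >> 31);
}

uint32_t slot_of(uint64_t unix_time) { return (uint32_t)(unix_time / SLOT_SECONDS); }

/* Port both ends compute for a slot; without the key it is unpredictable. */
uint16_t rph_port(uint64_t key, uint32_t slot)
{
    uint64_t h = mix64(key ^ ((uint64_t)slot << 32 | slot));
    return (uint16_t)(PORT_LO + h % (PORT_HI - PORT_LO));
}

/* Receiver filter: accept only the current slot's port or the previous one,
 * the latter to tolerate clock skew. Everything else is dropped without
 * per-packet state, which is what keeps the scheme cheap under flooding. */
int rph_accept(uint64_t key, uint64_t now, uint16_t dst_port)
{
    uint32_t s = slot_of(now);
    if (dst_port == rph_port(key, s)) return 1;
    if (s > 0 && dst_port == rph_port(key, s - 1)) return 1;
    return 0;
}

/* Exercises the filter with a constructed key and clock; returns a bit mask:
 * bit0 current port accepted, bit1 previous slot's port still accepted (skew
 * window), bit2 a port that is neither, bit3 derived port within range. */
unsigned replay_scenario(void)
{
    const uint64_t key = 0x0123456789ABCDEFull;     /* constructed shared secret */
    const uint64_t now = 1700000000ull;             /* constructed clock reading */
    uint32_t s = slot_of(now);
    uint16_t cur = rph_port(key, s), prev = rph_port(key, s - 1);
    uint16_t other = PORT_LO;
    while (other == cur || other == prev) other++;   /* pick a port that is neither */
    unsigned bits = 0;
    if (rph_accept(key, now, cur))   bits |= 1u;
    if (rph_accept(key, now, prev))  bits |= 2u;
    if (rph_accept(key, now, other)) bits |= 4u;
    if (cur >= PORT_LO && cur < PORT_HI) bits |= 8u;
    return bits;                                     /* 0xb for this configuration */
}
```

With 50,000 candidate ports and at most two accepted per slot, a flooder without the secret that blankets k ports in a slot hits an accepted one with probability at most 2k/50,000 in this configuration, so it must either saturate a large part of the range or obtain the key. The skew window is a real trade-off: a port an eavesdropper observed in the previous slot stays valid until the slot rolls over, which is one of the limitations against general DoS patterns that the abstract says remain to be quantified.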