An Architecture for Self-adaptive Distributed Firewall
Abstract
The notion of a secure perimeter provided by border firewalls ignores the possibility of attacks originating from inside the network. Although distributed firewalls allow individual hosts to be protected, the services they provide may still be susceptible to attacks, since firewalls usually do not analyze application protocols. As a result, software vulnerabilities may be exploited until the problem has been fixed. Between vulnerability discovery and the application of patches there is an exposure window that should be reduced. In this context, this paper presents an architecture for a distributed firewall system in which a Vulnerability Assessment System is integrated to provide a self-adaptive mechanism capable of detecting vulnerabilities and executing actions to reduce exposure, helping to mitigate the risk of vulnerability exploitation.
Published
07/11/2016
How to Cite
COSTA JÚNIOR, Edmilson P. da; MEDEIROS, Silas T.; SILVA, Carlos Eduardo da; MADRUGA, Marcos. An Architecture for Self-adaptive Distributed Firewall. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 16., 2016, Niterói. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016. p. 338-351. DOI: https://doi.org/10.5753/sbseg.2016.19318.