ABSTRACT
Firewalls and Demilitarized Zones (DMZs) are two mechanisms that have been widely employed to secure enterprise networks. Despite this, their security effectiveness has not been systematically quantified. In this paper, we make a first step towards filling this void by presenting a representational framework for investigating their security effectiveness in protecting enterprise networks. Through simulation experiments, we draw useful insights into the security effectiveness of firewalls and DMZs. To the best of our knowledge, these insights were not reported in the literature until now.