@article{LorenzClemensSchroetteretal.2022,
  author    = {Lorenz, Claas and Clemens, Vera Elisabeth and Schr{\"o}tter, Max and Schnor, Bettina},
  title     = {Continuous verification of network security compliance},
  series = {IEEE transactions on network and service management},
  volume    = {19},
  journal   = {IEEE transactions on network and service management},
  number    = {2},
  publisher = {Institute of Electrical and Electronics Engineers},
  address   = {New York},
  issn      = {1932-4537},
  doi       = {10.1109/TNSM.2021.3130290},
  pages     = {1729 -- 1745},
  year      = {2022},
  abstract  = {Continuous verification of network security compliance is an accepted need. Especially, the analysis of stateful packet filters plays a central role for network security in practice. But the few existing tools which support the analysis of stateful packet filters are based on general applicable formal methods like Satifiability Modulo Theories (SMT) or theorem prover and show runtimes in the order of minutes to hours making them unsuitable for continuous compliance verification. In this work, we address these challenges and present the concept of state shell interweaving to transform a stateful firewall rule set into a stateless rule set. This allows us to reuse any fast domain specific engine from the field of data plane verification tools leveraging smart, very fast, and domain specialized data structures and algorithms including Header Space Analysis (HSA). First, we introduce the formal language FPL that enables a high-level human-understandable specification of the desired state of network security. Second, we demonstrate the instantiation of a compliance process using a verification framework that analyzes the configuration of complex networks and devices - including stateful firewalls - for compliance with FPL policies. Our evaluation results show the scalability of the presented approach for the well known Internet2 and Stanford benchmarks as well as for large firewall rule sets where it outscales state-of-the-art tools by a factor of over 41.},
  language  = {en}
}
@misc{LorenzKiekhebenSchnor2017,
  author    = {Lorenz, Claas and Kiekheben, Sebastian and Schnor, Bettina},
  title     = {FaVe: Modeling IPv6 firewalls for fast formal verification},
  series = {International Conference on Networked Systems (NetSys) 2017},
  journal   = {International Conference on Networked Systems (NetSys) 2017},
  publisher = {IEEE},
  address   = {New York},
  doi       = {10.1109/NetSys.2017.7903956},
  pages     = {8},
  year      = {2017},
  abstract  = {As virtualization drives the automation of networking, the validation of security properties becomes more and more challenging eventually ruling out manual inspections. While formal verification in Software Defined Networks is provided by comprehensive tools with high speed reverification capabilities like NetPlumber for instance, the presence of middlebox functionality like firewalls is not considered. Also, they lack the ability to handle dynamic protocol elements like IPv6 extension header chains. In this work, we provide suitable modeling abstractions to enable both - the inclusion of firewalls and dynamic protocol elements. We exemplarily model the Linux ip6tables/netfilter packet filter and also provide abstractions for an application layer gateway. Finally, we present a prototype of our formal verification system FaVe.},
  language  = {en}
}