56299
2022
2021
eng
1729
1745
17
2
19
article
Institute of Electrical and Electronics Engineers
New York
1
--
2021-11-24
--
Continuous verification of network security compliance
Continuous verification of network security compliance is an accepted need. In particular, the analysis of stateful packet filters plays a central role for network security in practice. But the few existing tools which support the analysis of stateful packet filters are based on generally applicable formal methods like Satisfiability Modulo Theories (SMT) or theorem provers and show runtimes on the order of minutes to hours, making them unsuitable for continuous compliance verification. In this work, we address these challenges and present the concept of state shell interweaving to transform a stateful firewall rule set into a stateless rule set. This allows us to reuse any fast domain-specific engine from the field of data plane verification tools, leveraging smart, very fast, and domain-specialized data structures and algorithms including Header Space Analysis (HSA). First, we introduce the formal language FPL that enables a high-level, human-understandable specification of the desired state of network security. Second, we demonstrate the instantiation of a compliance process using a verification framework that analyzes the configuration of complex networks and devices - including stateful firewalls - for compliance with FPL policies. Our evaluation results show the scalability of the presented approach for the well-known Internet2 and Stanford benchmarks as well as for large firewall rule sets, where it outscales state-of-the-art tools by a factor of over 41.
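The abstract describes turning a stateful rule set into a stateless one so that a header-space engine can check it against a policy. The following is an added example, not the paper's FPL language or its state shell interweaving algorithm: it shows the simplest form of that idea, rewriting an "allow established" rule into explicit stateless reply rules and then running an HSA-style ternary header-space reachability check over the result. The 16-bit header layout, the zone encodings, the rule set and the policy are all constructed here for illustration.

```python
"""Added example, not the paper's FPL language or its state shell interweaving
algorithm: the simplest form of the idea in the abstract, rewriting a stateful
"allow established" rule into explicit stateless reply rules so that an
HSA-style ternary header-space check can run over the result. The header
layout, zones, rule set and policy are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed 16-bit header: 4-bit source zone, 4-bit destination zone,
# 8-bit destination port; a header is a ternary string over {0,1,x}.
SRC, DST, PORT = slice(0, 4), slice(4, 8), slice(8, 16)
INTERNET, DMZ, LAN, ANY = "0001", "0010", "0100", "xxxx"


def hdr(src: str = ANY, dst: str = ANY, port: Optional[int] = None) -> str:
    """Build a ternary header; port=None leaves all port bits wildcarded."""
    return src + dst + ("x" * 8 if port is None else format(port, "08b"))


def ternary_intersect(a: str, b: str) -> Optional[str]:
    """Intersection of two wildcard headers, or None when they are disjoint."""
    out = []
    for x, y in zip(a, b):
        if x == "x":
            out.append(y)
        elif y == "x" or x == y:
            out.append(x)
        else:
            return None
    return "".join(out)


def ternary_subtract(a: str, b: str) -> List[str]:
    """a minus b as a list of disjoint wildcard headers (HSA-style difference)."""
    if ternary_intersect(a, b) is None:
        return [a]
    pieces, prefix = [], list(a)
    for i, (x, y) in enumerate(zip(a, b)):
        if x == "x" and y != "x":
            piece = prefix[:]
            piece[i] = "1" if y == "0" else "0"   # headers differing from b at bit i
            pieces.append("".join(piece))
            prefix[i] = y                         # later pieces agree with b up to bit i
    return pieces


@dataclass
class Rule:
    match: str
    action: str  # "allow", "deny" or the stateful "allow-established"


def expand_stateful(rules: List[Rule]) -> List[Rule]:
    """Replace each allow-established rule by explicit reverse-direction allow
    rules, one per forward allow rule (zones swapped, port wildcarded because a
    reply targets the original ephemeral source port). Deliberately naive: it
    admits every packet in the reverse direction, not only replies to a flow
    that was actually opened, so it over-approximates the stateful filter."""
    out = []
    for r in rules:
        if r.action != "allow-established":
            out.append(r)
            continue
        for fwd in rules:
            if fwd.action == "allow":
                out.append(Rule(fwd.match[DST] + fwd.match[SRC] + "x" * 8, "allow"))
    return out


def allowed_space(rules: List[Rule], space: str) -> List[str]:
    """Parts of `space` that first-match evaluation of stateless rules allows
    (default deny for whatever no rule matches)."""
    remaining, allowed = [space], []
    for r in rules:
        nxt = []
        for rem in remaining:
            hit = ternary_intersect(rem, r.match)
            if hit is None:
                nxt.append(rem)
                continue
            if r.action == "allow":
                allowed.append(hit)
            nxt.extend(ternary_subtract(rem, r.match))  # the rest falls through
        remaining = nxt
    return allowed


def example_ruleset() -> List[Rule]:
    """Constructed first-match rule set of a three-zone firewall."""
    return [
        Rule(hdr(LAN, DMZ, 22), "allow"),        # admins may SSH into the DMZ
        Rule(hdr(INTERNET, DMZ, 80), "allow"),   # public web server
        Rule(hdr(ANY, ANY), "allow-established"),
        Rule(hdr(ANY, ANY), "deny"),
    ]


def violations(rules: List[Rule], forbidden: str) -> List[str]:
    """Header sub-spaces inside `forbidden` that the expanded rule set allows;
    an empty list means the rule set complies with the policy."""
    return allowed_space(expand_stateful(rules), forbidden)


if __name__ == "__main__":
    rs = example_ruleset()
    print("Internet -> LAN:", violations(rs, hdr(INTERNET, LAN)))
    print("DMZ -> LAN     :", violations(rs, hdr(DMZ, LAN)))
```

The second query shows the precision problem any stateful-to-stateless transformation has to solve: the naive reverse rule lets the DMZ initiate connections into the LAN, which the real stateful filter would not, so the check reports a violation that may not exist. The abstract does not say how state shell interweaving keeps the expansion precise, and this example does not attempt to reproduce it.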
IEEE transactions on network and service management
10.1109/TNSM.2021.3130290
1932-4537
outputup:dataSource:WoS:2022
WOS:000809410600066
Lorenz, C (corresponding author), Univ Potsdam, Dept Comp Sci, D-14469 Potsdam, Germany., cllorenz@uni-potsdam.de; clemens@uni-potsdam.de; schroetter@cs.uni-potsdam.de; schnor@cs.uni-potsdam.de
Lorenz, Claas
2022-10-14T05:37:42+00:00
sword
importub
filename=package.tar
aa72cb108ef2d6d852181c40dd9c14b2
2156349-4
2787795-4
2876140-6
false
true
Claas Lorenz
Vera Elisabeth Clemens
Max Schrötter
Bettina Schnor
eng
uncontrolled
Security
eng
uncontrolled
Tools
eng
uncontrolled
Network security
eng
uncontrolled
Engines
eng
uncontrolled
Benchmark testing
eng
uncontrolled
Analytical models
eng
uncontrolled
Scalability
eng
uncontrolled
Network
eng
uncontrolled
security
eng
uncontrolled
compliance
eng
uncontrolled
formal
eng
uncontrolled
verification
Computer science, knowledge, systems
Institut für Informatik und Computational Science
Refereed
Import
14304
2004
2004
eng
article
1
--
--
--
Securing Next generation Mobile Networks
0-86341-388-9
allegro:1991-2014
10096741
Fifth IEE International Conference on 3G Mobile Communication Technologies (3G 2004) : the premier technical conference for 3G and beyond ; 18 - 20.10.2004, Savoy Place, London, UK. - London : Inst. of Electrical Engineers, 2004. 697 p. - (IEE conference publication ; 503). - ISBN: 0-86341-388-9
Thomas Scheffler
Bettina Schnor
Institut für Informatik und Computational Science
Not refereed
Institut für Informatik
48901
2020
2021
eng
23
1094
postprint
1
2021-01-13
2021-01-13
--
MUP
Message Queuing Telemetry Transport (MQTT) is one of the dominant protocols for edge- and cloud-based Internet of Things (IoT) solutions. When a security vulnerability of an IoT device becomes known, it has to be fixed as soon as possible. This requires a firmware update procedure. In this paper, we propose a secure update protocol for MQTT-connected devices which ensures the freshness of the firmware, authenticates the new firmware and accounts for constrained devices. We show that the update protocol is easy to integrate into an MQTT-based IoT network using a semantic approach. The feasibility of our approach is demonstrated by a detailed performance analysis of our prototype implementation on an IoT device with 32 kB RAM. Thereby, we identify design issues in MQTT 5 which can help to improve the support of constrained devices.
Postprints der Universität Potsdam : Mathematisch-Naturwissenschaftliche Reihe
Simplifying Secure Over-The-Air Update with MQTT for Constrained IoT Devices
10.25932/publishup-48901
urn:nbn:de:kobv:517-opus4-489013
1866-8372
10
Bibliographic entry of the original publication/source: http://publishup.uni-potsdam.de/48900
Sensors 21 (2021) 1, 10 DOI: 10.3390/s21010010
CC-BY - Attribution 4.0 International
Kristina Sahlmann
Vera Clemens
Michael Nowak
Bettina Schnor
Zweitveröffentlichungen der Universität Potsdam : Mathematisch-Naturwissenschaftliche Reihe
1094
eng
uncontrolled
Internet of Things
eng
uncontrolled
security
eng
uncontrolled
firmware update
eng
uncontrolled
MQTT
eng
uncontrolled
edge computing
Engineering and allied operations
open_access
Institut für Informatik und Computational Science
Refereed
Green Open-Access
Universität Potsdam
https://publishup.uni-potsdam.de/files/48901/pmnr1094.pdf
48900
2020
2020
eng
21
1
21
article
MDPI
Basel
1
2020-12-22
2020-11-17
--
MUP
Message Queuing Telemetry Transport (MQTT) is one of the dominant protocols for edge- and cloud-based Internet of Things (IoT) solutions. When a security vulnerability of an IoT device becomes known, it has to be fixed as soon as possible. This requires a firmware update procedure. In this paper, we propose a secure update protocol for MQTT-connected devices which ensures the freshness of the firmware, authenticates the new firmware and accounts for constrained devices. We show that the update protocol is easy to integrate into an MQTT-based IoT network using a semantic approach. The feasibility of our approach is demonstrated by a detailed performance analysis of our prototype implementation on an IoT device with 32 kB RAM. Thereby, we identify design issues in MQTT 5 which can help to improve the support of constrained devices.
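The abstract above (and its identical postprint entry earlier on this page) names the two properties an update protocol for MQTT-connected devices must provide, freshness and authenticity of the new firmware. The following is an added example, not the paper's protocol, whose message formats are not given on this page: it shows the receiver-side checks a constrained MQTT client would run on a firmware manifest it received on an update topic, in the order that matters (authenticate the manifest before trusting any of its fields, then reject stale versions, then check the image against the manifest). A pre-shared HMAC key stands in for a signature so the example needs only the standard library; the device key, the manifest layout, the size limit and the firmware bytes are constructed.

```python
"""Added example, not the update protocol of the paper: the freshness and
authenticity checks its abstract names, as a device-side routine over a
manifest received on an MQTT update topic. A pre-shared HMAC key stands in
for a signature to keep the example stdlib-only; key, manifest layout, size
limit and firmware bytes are constructed."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed: per-device key that would be provisioned at manufacturing.
DEVICE_KEY = bytes.fromhex(
    "4a6f8e0b1c2d3e4f5a6b7c8d9e0f10213243546576879809a1b2c3d4e5f60718")
MAX_IMAGE = 256 * 1024   # constructed upper bound on an image the device accepts


def _canonical(body: dict) -> bytes:
    """Canonical JSON so sender and receiver tag exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: int, image: bytes, key: bytes) -> bytes:
    """Update-server side: version counter, image digest and size, tagged
    with the shared key. Published as the payload of the update message."""
    body = {"v": version, "sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"m": body, "tag": tag}, sort_keys=True, separators=(",", ":")).encode()


def verify_update(manifest: bytes, image: bytes, installed_version: int,
                  key: bytes) -> Tuple[bool, str]:
    """Device side. Returns (accept, reason). Authentication comes first so
    that no unauthenticated field steers the later checks; the strictly
    increasing version counter rejects replayed and rolled-back updates."""
    try:
        doc = json.loads(manifest)
        body, tag = doc["m"], doc["tag"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"
    if not isinstance(body, dict) or not isinstance(tag, str) or not tag.isascii():
        return False, "malformed manifest"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    if not isinstance(body.get("v"), int) or body["v"] <= installed_version:
        return False, "stale version (replay or rollback)"
    size = body.get("size")
    if not isinstance(size, int) or size > MAX_IMAGE or size != len(image):
        return False, "image size mismatch"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), str(body.get("sha256"))):
        return False, "image digest mismatch"
    return True, "accept"


def run_scenario() -> Dict[str, Tuple[bool, str]]:
    """Constructed exchange as seen by a device running version 1: a genuine
    v2 update, the same message replayed after the update was applied, a
    tampered image under the genuine manifest, a manifest tagged with the
    wrong key, and a corrupted payload."""
    fw_v2 = b"FIRMWARE-v2:" + bytes(range(64))          # constructed image
    good = build_manifest(2, fw_v2, DEVICE_KEY)
    return {
        "good": verify_update(good, fw_v2, 1, DEVICE_KEY),
        "replay": verify_update(good, fw_v2, 2, DEVICE_KEY),
        "tampered_image": verify_update(good, fw_v2[:-1] + b"\x00", 1, DEVICE_KEY),
        "forged": verify_update(build_manifest(3, fw_v2, b"wrong-key"), fw_v2, 1, DEVICE_KEY),
        "garbage": verify_update(b"{not json", fw_v2, 1, DEVICE_KEY),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenario().items():
        print(f"{name:15s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

When only the device verifies and only the update server produces updates, the usual choice is a public-key signature over the manifest, so that a compromised device does not yield a key that can sign updates for its peers; the HMAC here is only a dependency-free stand-in. On a device with 32 kB RAM the image digest would be computed incrementally as the image chunks arrive rather than over a buffered copy as above.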
Sensors
Simplifying Secure Over-The-Air Update with MQTT for Constrained IoT Devices
10.3390/s21010010
1424-8220
33374965
10
Secondary publication in the series Postprints der Universität Potsdam : Mathematisch-Naturwissenschaftliche Reihe ; 1094: https://doi.org/10.25932/publishup-48901
Universität Potsdam
PA 2020_131
1673.44
WOS:000606076800001
2052857-7
Sahlmann, Kristina
Deutsche Forschungsgemeinschaft (German Research Foundation, DFG); Open Access Publication Fund of Potsdam University
CC-BY - Attribution 4.0 International
Kristina Sahlmann
Vera Clemens
Michael Nowak
Bettina Schnor
eng
uncontrolled
Internet of Things
eng
uncontrolled
security
eng
uncontrolled
firmware update
eng
uncontrolled
MQTT
eng
uncontrolled
edge computing
Engineering and allied operations
Institut für Informatik und Computational Science
Refereed
Publication Fund of the University of Potsdam
Gold Open-Access
11018
2007
2007
deu
article
1
--
--
--
SPIT-Erkennung, -Bekanntgabe und -Abwehr in SIP-Netzwerken (SPIT detection, notification and defense in SIP networks)
SPAM has grown in recent years into the greatest threat to e-mail communication, but it is not confined to this communication channel. With the rising number of VoIP subscriptions, their users will also be confronted with SPAM calls (SPIT). Besides the legal measures currently under discussion, technical countermeasures that can detect and prevent SPAM must also be created. This contribution presents two extensions for the VoIP protocol SIP which, first, enable providers to convey SPIT assessments of the caller to the called user and, second, give the callee the option of responding to potential SPIT calls with a payment request.
978-3-540-69961-3
allegro:1991-2014
10102440
Kommunikation in Verteilten Systemen (KiVS) 2007 / Ed.: Torsten Braun ; Georg Carle ; Burkhard Stiller. - Berlin : Springer, 2007. - XIII, 322 p. - ISBN 978-3-540-69961-3. - (Informatik aktuell)
Stefan Liske
Klaus Rebensburg
Bettina Schnor
Institut für Informatik und Computational Science
Institut für Informatik
12362
2006
2006
eng
article
1
--
--
--
Loaded: Server Load Balancing for IPv6
With the next-generation Internet protocol IPv6 on the horizon, it is time to think about how applications can migrate to IPv6. Web traffic is currently one of the most important applications in the Internet. The increasing popularity of dynamically generated content on the World Wide Web has created the need for fast web servers. Server clustering together with server load balancing has emerged as a promising technique to build scalable web servers. The paper gives a short overview of the new features of IPv6 and of different server load balancing technologies. Further, we present and evaluate Loaded, a user-space server load balancer for IPv4 and IPv6 based on Linux.
0-7695-2622-5
allegro:1991-2014
10102437
International Conference on Networking and Services (ICNS'06) : Proceedings. - Los Alamitos, CA, USA : IEEE Computer Society, 2006. - ISBN 0-7695-2622-5. - p. 8
Sven Friedrich
Sebastian Krahmer
Lars Schneidenbach
Bettina Schnor
Institut für Informatik und Computational Science
Institut für Informatik
11019
2007
2007
eng
article
1
--
--
--
Design Issues in the Implementation of MPI2 One Sided Communication in Ethernet based Networks
In current research, one sided communication of the MPI2 standard is pushed as a promising technique [6, 7, 10, 18]. But measurements of applications and MPI2 primitives show a different picture [17]. In this paper we analyze design issues of MPI2 one sided communication and its implementations. We focus on asynchronous communication for parallel applications in Ethernet cluster environments. Further, one sided communication is compared to two sided communication. This paper will prove that the key problem to performance is not only the implementation of MPI2 one sided communication - it is the design.
978-0-88986-637-9
allegro:1991-2014
10102439
Proceedings of the IASTED International Conference on Parallel and Distributed Computing and Networks as part of the 25th IASTED International Multi-conference on Applied Informatics (PDCN 2007) / Ed.: Helmar Burkhart. - Anaheim : ACTA Press, 2007. - ISBN 978-0-88986-637-9. - pp. 100 - 134
Lars Schneidenbach
Bettina Schnor
Institut für Informatik und Computational Science
Institut für Informatik
10998
2007
2007
eng
article
1
--
--
--
Fine-grained Security Management in a Service-oriented Grid Architecture
http://www.cyfronet.krakow.pl/cgw06/presentations/c4-3.pdf
978-0-387-72811-7
allegro:1991-2014
10102438
Integration of Research in Grid Systems : Achievements in European Research on Grid Systems : Proceedings of the second CoreGRID Integration Workshop (CGIW'2006) / Ed.: Sergei Gorlatch ; Marian Bubak ; Thierry Priol. - Berlin : Springer, 2007. - 280 p. - ISBN 978-0-387-72811-7
A. Hoheisel
S. Müller
Bettina Schnor
Institut für Informatik und Computational Science
Institut für Informatik
13481
2005
2005
eng
article
1
--
--
--
Privacy Requirements for Embedded Sensor Devices
This paper analyses data privacy issues as they arise from different deployment scenarios for networks that use embedded sensor devices. Maintaining data privacy in pervasive environments requires the management and implementation of privacy protection measures close to the data source. We propose a set of atomic privacy parameters that is generic enough to form specific privacy classes and might be applied directly at the embedded sensor device.
978-3-800729-09-8
allegro:1991-2014
10102430
PIMRC 2005 : the 16th Annual IEEE International Symposium on Personal Indoor and Mobile Radio Communications, Berlin, Germany, September 11 - 14, 2005 / Berlin : VDE, 2005. - CD-ROM. - (Vol. 2). - ISBN 978-3-800729-09-8. - pp. 790 - 794
Thomas Scheffler
Bettina Schnor
Institut für Informatik und Computational Science
Institut für Informatik
12381
2006
2006
eng
article
1
--
--
--
Grid Security for Fault Tolerant Grid Applications
978-1-880843-60-4
allegro:1991-2014
10102436
Parallel and Distributed Computing and Systems (PDCS-2006), ISCA 19th International Conference on Parallel and Distributed Computing Systems, September 20-11, 2006 / Ed.: Gregory D. Peterson. - San Francisco, California, USA : ISCA, 2006. - ISBN 978-1-880843-60-4. - pp. 76 - 83
Nicole Hallama
André Luckow
Bettina Schnor
Institut für Informatik und Computational Science
Institut für Informatik