TY - JOUR
A1 - Lorenz, Claas
A1 - Clemens, Vera Elisabeth
A1 - Schrötter, Max
A1 - Schnor, Bettina
T1 - Continuous verification of network security compliance
JF - IEEE transactions on network and service management
N2 - Continuous verification of network security compliance is an accepted need. Especially, the analysis of stateful packet filters plays a central role for network security in practice. But the few existing tools which support the analysis of stateful packet filters are based on generally applicable formal methods like Satisfiability Modulo Theories (SMT) or theorem provers and show runtimes in the order of minutes to hours, making them unsuitable for continuous compliance verification. In this work, we address these challenges and present the concept of state shell interweaving to transform a stateful firewall rule set into a stateless rule set. This allows us to reuse any fast domain-specific engine from the field of data plane verification tools, leveraging smart, very fast, and domain-specialized data structures and algorithms including Header Space Analysis (HSA). First, we introduce the formal language FPL that enables a high-level, human-understandable specification of the desired state of network security. Second, we demonstrate the instantiation of a compliance process using a verification framework that analyzes the configuration of complex networks and devices - including stateful firewalls - for compliance with FPL policies. Our evaluation results show the scalability of the presented approach for the well-known Internet2 and Stanford benchmarks as well as for large firewall rule sets, where it outscales state-of-the-art tools by a factor of over 41.
KW - Security
KW - Tools
KW - Network security
KW - Engines
KW - Benchmark testing
KW - Analytical models
KW - Scalability
KW - Network
KW - security
KW - compliance
KW - formal
KW - verification
Y1 - 2021
U6 - https://doi.org/10.1109/TNSM.2021.3130290
SN - 1932-4537
VL - 19
IS - 2
SP - 1729
EP - 1745
PB - Institute of Electrical and Electronics Engineers
CY - New York
ER -

TY - JOUR
A1 - Scheffler, Thomas
A1 - Schnor, Bettina
T1 - Securing Next generation Mobile Networks
Y1 - 2004
SN - 0-86341-388-9
ER -

TY - GEN
A1 - Sahlmann, Kristina
A1 - Clemens, Vera
A1 - Nowak, Michael
A1 - Schnor, Bettina
T1 - MUP
BT - Simplifying Secure Over-The-Air Update with MQTT for Constrained IoT Devices
T2 - Postprints der Universität Potsdam : Mathematisch-Naturwissenschaftliche Reihe
N2 - Message Queuing Telemetry Transport (MQTT) is one of the dominating protocols for edge- and cloud-based Internet of Things (IoT) solutions. When a security vulnerability of an IoT device is known, it has to be fixed as soon as possible. This requires a firmware update procedure. In this paper, we propose a secure update protocol for MQTT-connected devices which ensures the freshness of the firmware, authenticates the new firmware and considers constrained devices. We show that the update protocol is easy to integrate in an MQTT-based IoT network using a semantic approach. The feasibility of our approach is demonstrated by a detailed performance analysis of our prototype implementation on an IoT device with 32 kB RAM. Thereby, we identify design issues in MQTT 5 which can help to improve the support of constrained devices.
T3 - Zweitveröffentlichungen der Universität Potsdam : Mathematisch-Naturwissenschaftliche Reihe - 1094
KW - Internet of Things
KW - security
KW - firmware update
KW - MQTT
KW - edge computing
Y1 - 2021
U6 - http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:kobv:517-opus4-489013
SN - 1866-8372
IS - 1094
ER -

TY - JOUR
A1 - Sahlmann, Kristina
A1 - Clemens, Vera
A1 - Nowak, Michael
A1 - Schnor, Bettina
T1 - MUP
BT - Simplifying Secure Over-The-Air Update with MQTT for Constrained IoT Devices
JF - Sensors
N2 - Message Queuing Telemetry Transport (MQTT) is one of the dominating protocols for edge- and cloud-based Internet of Things (IoT) solutions. When a security vulnerability of an IoT device is known, it has to be fixed as soon as possible. This requires a firmware update procedure. In this paper, we propose a secure update protocol for MQTT-connected devices which ensures the freshness of the firmware, authenticates the new firmware and considers constrained devices. We show that the update protocol is easy to integrate in an MQTT-based IoT network using a semantic approach. The feasibility of our approach is demonstrated by a detailed performance analysis of our prototype implementation on an IoT device with 32 kB RAM. Thereby, we identify design issues in MQTT 5 which can help to improve the support of constrained devices.
KW - Internet of Things
KW - security
KW - firmware update
KW - MQTT
KW - edge computing
Y1 - 2020
U6 - https://doi.org/10.3390/s21010010
SN - 1424-8220
VL - 21
IS - 1
PB - MDPI
CY - Basel
ER -

TY - JOUR
A1 - Liske, Stefan
A1 - Rebensburg, Klaus
A1 - Schnor, Bettina
T1 - SPIT-Erkennung, -Bekanntgabe und -Abwehr in SIP-Netzwerken
N2 - In recent years, SPAM has grown into the largest threat to e-mail communication, but it is not limited to this communication channel. With the growing number of VoIP connections, the participating users will be confronted with SPAM calls (SPIT) here as well. In addition to the legal measures currently under discussion, technical countermeasures that can detect and prevent SPAM must also be created. This paper presents two extensions to the VoIP protocol SIP which, first, allow providers to convey a SPIT assessment of the caller to the called user and, second, give the called party the option of responding to potential SPIT calls with a payment request.
Y1 - 2007
SN - 978-3-540-69961-3
ER -

TY - JOUR
A1 - Friedrich, Sven
A1 - Krahmer, Sebastian
A1 - Schneidenbach, Lars
A1 - Schnor, Bettina
T1 - Loaded: Server Load Balancing for IPv6
N2 - With the next generation Internet protocol IPv6 at the horizon, it is time to think about how applications can migrate to IPv6. Web traffic is currently one of the most important applications in the Internet. The increasing popularity of dynamically generated content on the World Wide Web has created the need for fast web servers. Server clustering together with server load balancing has emerged as a promising technique to build scalable web servers. The paper gives a short overview over the new features of IPv6 and different server load balancing technologies. Further, we present and evaluate Loaded, a user-space server load balancer for IPv4 and IPv6 based on Linux.
Y1 - 2006
SN - 0-7695-2622-5
ER -

TY - JOUR
A1 - Schneidenbach, Lars
A1 - Schnor, Bettina
T1 - Design Issues in the Implementation of MPI2 One Sided Communication in Ethernet based Networks
N2 - In current research, one sided communication of the MPI2 standard is pushed as a promising technique [6, 7, 10, 18]. But measurements of applications and MPI2 primitives show a different picture [17]. In this paper we analyze design issues of MPI2 one sided communication and its implementations. We focus on asynchronous communication for parallel applications in Ethernet cluster environments. Further, one sided communication is compared to two sided communication. This paper will prove that the key problem to performance is not only the implementation of MPI2 one sided communication - it is the design.
Y1 - 2007
SN - 978-0-88986-637-9
ER -

TY - JOUR
A1 - Hoheisel, A.
A1 - Müller, S.
A1 - Schnor, Bettina
T1 - Fine-grained Security Management in a Service-oriented Grid Architecture
Y1 - 2007
UR - http://www.cyfronet.krakow.pl/cgw06/presentations/c4-3.pdf
SN - 978-0-387-72811-7
ER -

TY - JOUR
A1 - Scheffler, Thomas
A1 - Schnor, Bettina
T1 - Privacy Requirements for Embedded Sensor Devices
N2 - This paper analyses data privacy issues as they arise from different deployment scenarios for networks that use embedded sensor devices. Maintaining data privacy in pervasive environments requires the management and implementation of privacy protection measures close to the data source. We propose a set of atomic privacy parameters that is generic enough to form specific privacy classes and might be applied directly at the embedded sensor device.
Y1 - 2005
SN - 978-3-800729-09-8
ER -

TY - JOUR
A1 - Hallama, Nicole
A1 - Luckow, André
A1 - Schnor, Bettina
T1 - Grid Security for Fault Tolerant Grid Applications
Y1 - 2006
SN - 978-1-880843-60-4
ER -

TY - JOUR
A1 - Schneidenbach, Lars
A1 - Schnor, Bettina
T1 - Migration of MPI Applications to IPv6 Networks
Y1 - 2005
SN - 0-88986-468-3
ER -

TY - JOUR
A1 - Luckow, André
A1 - Schnor, Bettina
T1 - Migol : a Fault Tolerant Service Framework for Grid Computing : Evolution to WSRF (2006)
Y1 - 2006
ER -

TY - JOUR
A1 - Friedrich, Sven
A1 - Krahmer, Sebastian
A1 - Schneidenbach, Lars
A1 - Schnor, Bettina
T1 - Loaded : Server Load Balancing for IPv6
Y1 - 2004
ER -

TY - JOUR
A1 - Vandenhouten, Ralf
A1 - Behrens, Thomas
A1 - Schnor, Bettina
T1 - Entwicklung eines Gatewaysystems für telematikbasiertes Gerätemonitoring
Y1 - 2004
SN - 0949-8214
ER -

TY - BOOK
A1 - Feider, Henryk
A1 - Schnor, Bettina
T1 - PCG-Agreement Dokument
T3 - Technischer Bericht
Y1 - 2004
SN - 0946-7580
PB - Universität Potsdam, Institut für Informatik
CY - Potsdam
ER -

TY - JOUR
A1 - Ciaccio, Giuseppe
A1 - Ehlert, Marco
A1 - Schnor, Bettina
T1 - Exploiting gigabit ethernet capacity for cluster applications
N2 - In this paper we report about the recently completed porting of GAMMA to the Netgear GA621 Gigabit Ethernet adapter, and provide a comparison among GAMMA, MPI/GAMMA, TCP/IP, and MPICH/TCP, based on the Netgear GA621 and the older Netgear GA620 network adapters and using different device drivers, in a Gigabit Ethernet cluster of PCs running Linux 2.4. GAMMA (the Genoa Active Message MAchine) is a lightweight messaging system based on an Active Message-like paradigm, originally designed for efficient exploitation of Fast Ethernet interconnects. The comparison includes simple latency/bandwidth evaluation of the messaging systems on both adapters, as well as performance comparisons based on the NAS NPB and an end-user fluid dynamics application called Modular Ocean Model (MOM). The analysis of results provides useful hints concerning the efficient use of Gigabit Ethernet with clusters of PCs. In particular, it emerges that GAMMA on the GA621 adapter, with a combination of low end-to-end latency (8.5 µs) and high throughput (118.4 MByte/s), provides a performing, cost-effective alternative to proprietary high-speed networks, e.g. Myrinet, for a wide range of cluster computing applications.
Y1 - 2002
SN - 0-7695-1591-6
ER -

TY - JOUR
A1 - Jeske, Janin
A1 - Luckow, André
A1 - Schnor, Bettina
T1 - Reservation-based Resource-Brokering for Grid Computing
N2 - In this paper we present the design and implementation of the Migol brokering framework. Migol is a Grid middleware, which addresses the fault-tolerance of long-running and compute-intensive applications. The framework supports e.g. the automatic and transparent recovery respectively the migration of applications. Another core feature of Migol is the discovery, selection, and allocation of resources using advance reservation. Grid broker systems can significantly benefit from advance reservation. With advance reservation, brokers and users can obtain execution guarantees from local resource management systems (LRM) without requiring detailed knowledge of current and future workloads or of the resource owner's policies. Migol's Advance Reservation Service (ARS) provides an adapter layer for reservation capabilities of different LRMs, which is currently not provided by existing Grid middleware platforms. Further, we propose a shortest expected delay (SED) strategy for scheduling of advance reservations within the Job Broker Service. SED needs information about the earliest start time of an application. This is currently not supported by LRMs. We added this feature for PBSPro. Migol depends on Globus and its security infrastructure. Our performance experiments show the substantial overhead of this service-oriented approach.
Y1 - 2007
UR - http://edoc.mpg.de/316626
ER -

TY - JOUR
A1 - Lanfermann, Gerd
A1 - Schnor, Bettina
A1 - Seidel, Edward
T1 - Characterizing Grids
N2 - We present a new data model approach to describe the various objects that either represent the Grid infrastructure or make use of it. The data model is based on the experiences and experiments conducted in heterogeneous Grid environments. While very sophisticated data models exist to describe and characterize e.g. compute capacities or web services, we will show that a general description, which combines all of these aspects, is needed to give an adequate representation of objects on a Grid. The Grid Object Description Language (GODsL) is a generic and extensible approach to unify the various aspects that an object on a Grid can have. GODsL provides the content for the XML based communication in Grid migration scenarios, carried out in the GridLab project. We describe the data model architecture on a general level and focus on the Grid application scenarios.
Y1 - 2003
SN - 1-4020-7418-2
ER -

TY - JOUR
A1 - Friedrich, Sven
A1 - Schneidenbach, Lars
A1 - Schnor, Bettina
T1 - SLIBNet : Server Load Balancing for InfiniBand Networks
N2 - Today, InfiniBand is an evolving high speed interconnect technology to build high performance computing clusters that achieve top 10 rankings in the current top 500 of the worldwide fastest supercomputers. Network interfaces (called host channel adapters) provide transport layer services over connections and datagrams in reliable or unreliable manner. Additionally, InfiniBand supports remote direct memory access (RDMA) primitives that allow for one-sided communication. Using server load balancing together with a high performance cluster makes it possible to build a fast, scalable, and reliable service infrastructure. We have designed and implemented a scalable load balancer for InfiniBand clusters called SLIBNet. Our investigations show that the InfiniBand architecture offers features which perfectly support load balancing. We want to thank the Megware Computer GmbH for providing us an InfiniBand switch to realize a server load balancing testbed.
Y1 - 2005
ER -

TY - JOUR
A1 - Feider, Henryk
A1 - Schnor, Bettina
A1 - Dramlitsch, Thomas
T1 - Gridmake : the missing link for compilation in the Grid
N2 - In order to take full advantage of Grid environments, applications need to be able to run on various heterogeneous platforms. Distributed runs across several clusters or supercomputers, for example, require matching binaries at each site. Thus, at some stage, each Grid enabled application needs to be recompiled for every platform. Up to now, creating matching binaries on different platforms was a manual, sequential, slow, and very error-prone process. Developers had to log into each machine, transfer source code, check consistency and recompile if necessary. This cumbersome procedure is surely one reason for the (still existing) lack of production Grid computing. Gridmake, a tool to automate and speed up this procedure, is presented in this paper.
Y1 - 2003
ER -