{"title":"Static Analysis of Packet Forwarding and Filtering Configurations in Industrial Networks","authors":"M. Cheminod, L. Seno","doi":"10.1109/WFCS57264.2023.10144115","DOIUrl":null,"url":null,"abstract":"Securing industrial networked infrastructures has become increasingly important since the growth in their connectivity brought by production digitalization and the diffusion of paradigms such as Industrial Internet of Things (IIoT). Network segmentation is considered best practice to protect these networks from outside/inside cyber-attacks. To this purpose, network devices equipped with forwarding/filtering capabilities need to be suitably configured and deployed for the enforcement of segment-related security policies. Configuration of these devices in today industrial networked infrastructures is typically the result of a mix of manual and automated processes and, given the heterogeneity of devices and configuration languages, as well as of the supported applications and related requirements, it is often hard to make sure of its correctness and impact, e.g., on traffic latency. In this paper, a model is proposed to jointly describe network forwarding and filtering configuration. 
Techniques are then provided to perform static analyses such as verification of reachability intents and configuration equivalence, as well as the estimation of the latency introduced for handling specific traffic.","PeriodicalId":345607,"journal":{"name":"2023 IEEE 19th International Conference on Factory Communication Systems (WFCS)","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-04-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE 19th International Conference on Factory Communication Systems (WFCS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WFCS57264.2023.10144115","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
Securing industrial networked infrastructures has become increasingly important since the growth in their connectivity brought by production digitalization and the diffusion of paradigms such as Industrial Internet of Things (IIoT). Network segmentation is considered best practice to protect these networks from outside/inside cyber-attacks. To this purpose, network devices equipped with forwarding/filtering capabilities need to be suitably configured and deployed for the enforcement of segment-related security policies. Configuration of these devices in today's industrial networked infrastructures is typically the result of a mix of manual and automated processes and, given the heterogeneity of devices and configuration languages, as well as of the supported applications and related requirements, it is often hard to make sure of its correctness and impact, e.g., on traffic latency. In this paper, a model is proposed to jointly describe network forwarding and filtering configuration. Techniques are then provided to perform static analyses such as verification of reachability intents and configuration equivalence, as well as the estimation of the latency introduced for handling specific traffic.