2015 10th International Conference on Availability, Reliability and Security: Latest Papers

Trust me, I'm a Root CA! Analyzing SSL Root CAs in Modern Browsers and Operating Systems
T. Fadai, S. Schrittwieser, Peter Kieseberg, M. Mulazzani
The security and privacy of our online communications heavily rely on the entity authentication mechanisms provided by SSL. Those mechanisms in turn heavily depend on the trustworthiness of a large number of companies and governmental institutions for attestation of the identity of SSL service providers. In order to offer a wide and unobstructed availability of SSL-enabled services and to remove the need to make a large amount of trust decisions from their users, operating systems and browser manufacturers include lists of certification authorities which are trusted for SSL entity authentication by their products. This has the problematic effect that users of such browsers and operating systems implicitly trust those certification authorities with the privacy of their communications while they might not even realize it. The problem is further complicated by the fact that different software vendors trust different companies and governmental institutions, from a variety of countries, which leads to an obscure distribution of trust. To give insight into the trust model used by SSL, this thesis explains the various entities and technical processes involved in establishing trust when using SSL communications. It furthermore analyzes the number and origin of companies and governmental institutions trusted by various operating systems and browser vendors and correlates the gathered information to a variety of indexes to illustrate that some of these trusted entities are far from trustworthy. Furthermore, it points out the fact that the number of entities we trust with the security of our SSL communications keeps growing over time and displays the negative effects this might have as well as shows that the trust model of SSL is fundamentally broken.
DOI: https://doi.org/10.1109/ARES.2015.93 (published 2015-08-24)
Citations: 15
Risk Assessment of Public Safety and Security Mobile Service
Matti J. Peltola, P. Kekolahti
A deeper understanding of the availability of Public Safety and Security (PSS) mobile networks and their service under different conditions offers decision makers guidelines on the level of investments required and the directions to take in order to decrease the risks identified. In the study, a risk assessment model for the existing PSS mobile service is implemented for both a dedicated TETRA PSS mobile network as well as for a commercial 2G/3G mobile network operating under the current risk conditions. The probabilistic risk assessment is carried out by constructing a Bayesian Network. According to the analysis, the availability of the dedicated Finnish PSS mobile service is 99.1%. Based on the risk assessment and sensitivity analysis conducted, the most effective elements for decreasing availability risks would be duplication of the transmission links, backup of the power supply and real-time mobile traffic monitoring. With the adjustment of these key control variables, the service availability can be improved up to the level of 99.9%. The investments needed to improve the availability of the PSS mobile service from 99.1% to 99.9% are profitable only in highly populated areas. The calculated availability of the PSS mobile service based on a purely commercial network is 98.8%. The adoption of a Bayesian Network as a risk assessment method is demonstrated to be a useful way of documenting different expert knowledge as a common belief about the risks, their magnitudes and their effects upon a Finnish PSS mobile service.
DOI: https://doi.org/10.1109/ARES.2015.65 (published 2015-08-24)
Citations: 5
The Effects of Cultural Dimensions on the Development of an ISMS Based on the ISO 27001
B. Shojaie, H. Federrath, I. Saberi
The ISO 27001 is the most adopted international information security management standard, by several countries and industries. This paper looks closely at the impacts of cultural characteristics on different phases of developing ISO 27001, based on three levels (country, organisational, and personal), which is especially helpful for Small and Medium Enterprises (SMEs). Cultural dimensions can significantly affect organisational administration and achievements such as decision-making, innovation and new practices, work motivation, negotiation, human resource practices, and leadership. The results are mainly based on a literature review, such as Hofstede and their relationship with the ISO 27001 Annex A. The outcomes of this paper illustrate that national (country level) cultural dimensions have a high impact on the success and effectiveness of the ISO 27001 development phases.
DOI: https://doi.org/10.1109/ARES.2015.25 (published 2015-08-24)
Citations: 12
Personal Agent for Services in ITS
S. Kiyomoto, Toru Nakamura, Haruo Takasaki, Tatsuhiko Hirabayashi
In this paper, we introduce the concept of a privacy enhancing personal agent that manages a user's privacy policy settings and provides access control functions to ITS services. The personal agent acts as a proxy between a vehicle and service providers, and it automatically decides whether personal data can be sent to a service provider based on the privacy policy settings. The functions of the personal agent are also described. The personal agent provides a common web-based interface, and the quality of data can be controlled through anonymization levels. Our research provides a conceptual model of the personal agent and considers the design of the personal agent based on privacy requirements. Drivers can delegate their user consent role to the personal agent by configuring privacy policy settings on the personal agent. The personal agent is a key component for achieving a secure and reliable data transfer platform between vehicles and service providers.
DOI: https://doi.org/10.1109/ARES.2015.16 (published 2015-08-24)
Citations: 1
Efficiency Evaluation of Cryptographic Protocols for Boardroom Voting
O. Kulyk, Stephan Neumann, Jurlind Budurushi, M. Volkamer, R. Haenni, Reto E. Koenig, Philémon von Bergen
Efficiency is the bottleneck of many cryptographic protocols towards their practical application in different contexts. This holds true also in the context of electronic voting, where cryptographic protocols are used to ensure a diversity of security requirements, e.g. secrecy and integrity of cast votes. A new and promising application area of electronic voting is boardroom voting, which in practice takes place very frequently and often on simple issues such as approving or refusing a budget. Hence, it is not a surprise that a number of cryptographic protocols for boardroom voting have been already proposed. In this work, we introduce a security model adequate for the boardroom voting context. Further, we evaluate the efficiency of four boardroom voting protocols, which to the best of our knowledge are the only boardroom voting protocols that satisfy our security model. Finally, we compare the performance of these protocols in different election settings.
DOI: https://doi.org/10.1109/ARES.2015.75 (published 2015-08-24)
Citations: 3
Impacts of Tourist Accommodations as Temporal Shelter on Evacuee Overflow for the Reassignment of Shelters Jurisdiction
Yu Ichifuji, N. Koide, N. Sonehara
Effective measures against natural disasters are needed worldwide, and the jurisdiction assignment of evacuation shelters during natural disasters is one such measure. In this paper, we discuss two evacuation cases involving tourist accommodations as temporary shelters. One involves evacuation to the closest shelter, and the other involves using our previously proposed optimization method for assigning jurisdiction for shelters. The impact of tourist accommodations on evacuee overflow for each case was investigated. We also explain that tourist accommodations as temporary shelter reduce the evacuee overflow at shelters by using a numerical example. We argue that its impact is limited by giving an example of a city in Japan where the evacuation and residential areas are widely spaced.
DOI: https://doi.org/10.1109/ARES.2015.66 (published 2015-08-24)
Citations: 0
Evaluation of a Sector-Hash Based Rapid File Detection Method for Monitoring Infrastructure-as-a-Service Cloud Platforms
Manabu Hirano, Hayate Takase, Koki Yoshida
Current computer forensics tools have some limitations on anti-forensics attacks, cloud computing, and a large increase in the size of forensics targets. To solve these problems, this paper proposes a system that preserves storage data on virtual machines by acquiring all data sectors with time stamps. The proposed system can restore a previous state of a block device at any date and time that is specified by an investigator. The proposed system aims to monitor users' behavior in Infrastructure-as-a-Service (IaaS) cloud platforms. This paper also presents a rapid file detection system that finds a target file from a large collection of the acquired data sectors by using sector-hashes and parallel distributed processing. This system enables investigators to track and to find a target file that is related to incidents or crimes in the cloud. First, this paper reports the preliminary experiments of a sector-hash based file detection method on three major operating systems for evaluating its effectiveness. We present a design and an implementation of the proposed monitoring and target file detection system by using Xen hypervisor and MapReduce. We report results of its performance evaluation. Finally, we discuss possible methods to improve the performance and the limitations of the current proposed mechanism.
DOI: https://doi.org/10.1109/ARES.2015.15 (published 2015-08-24)
Citations: 6
A JPEG-Compression Resistant Adaptive Steganography Based on Relative Relationship between DCT Coefficients
Yi Zhang, Xiangyang Luo, Chunfang Yang, Dengpan Ye, Fenlin Liu
Current typical adaptive steganography algorithms cannot extract the embedded secret messages correctly after compression. In order to solve this problem, a JPEG-compression resistant adaptive steganography algorithm is proposed. Utilizing the relationship between DCT coefficients, the domain of messages embedding is determined. The modifying magnitude of different DCT coefficients can be determined according to the quality factors of JPEG compression. To ensure the completely correct extraction of embedded messages after JPEG compression, RS codes are used to encode the messages to be embedded. Besides, based on the current energy function in the PQe steganography and the distortion function in J-UNIWARD steganography, the corresponding distortion value of DCT coefficients is calculated. With the help of that, STCs are used to embed the encoded messages into the DCT coefficients, which have a smaller distortion value. The experimental results under different quality factors of JPEG compression and different payloads demonstrate that the proposed algorithm not only has a high correct rate of extracted messages after JPEG compression, which increases from about 60% to nearly 100% compared with J-UNIWARD steganography under quality factor 75 of JPEG compression, but also has a strong detection resistant performance.
DOI: https://doi.org/10.1109/ARES.2015.53 (published 2015-08-24)
Citations: 40
Security Monitoring of HTTP Traffic Using Extended Flows
M. Husák, P. Velan, Jan Vykopal
In this paper, we present an analysis of HTTP traffic in a large-scale environment which uses network flow monitoring extended by parsing HTTP requests. In contrast to previously published analyses, we were the first to classify patterns of HTTP traffic which are relevant to network security. We described three classes of HTTP traffic which contain brute-force password attacks, connections to proxies, HTTP scanners, and web crawlers. Using the classification, we were able to detect up to 16 previously undetectable brute-force password attacks and 19 HTTP scans per day in our campus network. The activity of proxy servers and web crawlers was also observed. Symptoms of these attacks may be detected by other methods based on traditional flow monitoring, but detection using the analysis of HTTP requests is more straightforward. We, thus, confirm the added value of extended flow monitoring in comparison to the traditional method.
在本文中,我们提出了一种大规模环境下的HTTP流量分析方法,该方法通过解析HTTP请求来扩展网络流量监控。与之前发表的分析相反,我们是第一个对与网络安全相关的HTTP流量模式进行分类的人。我们描述了三类HTTP流量,它们包含暴力破解密码攻击、代理连接、HTTP扫描器和网络爬虫。使用这种分类,我们能够在校园网络中每天检测到多达16次以前无法检测到的暴力破解密码攻击和19次HTTP扫描。代理服务器和网络爬虫的活动也被观察到。这些攻击的症状可以通过基于传统流量监控的其他方法检测到,但使用HTTP请求分析进行检测更为直接。因此,与传统方法相比,我们确认了扩展流量监测的附加价值。
{"title":"Security Monitoring of HTTP Traffic Using Extended Flows","authors":"M. Husák, P. Velan, Jan Vykopal","doi":"10.1109/ARES.2015.42","DOIUrl":"https://doi.org/10.1109/ARES.2015.42","url":null,"abstract":"In this paper, we present an analysis of HTTP traffic in a large-scale environment which uses network flow monitoring extended by parsing HTTP requests. In contrast to previously published analyses, we were the first to classify patterns of HTTP traffic which are relevant to network security. We described three classes of HTTP traffic which contain brute-force password attacks, connections to proxies, HTTP scanners, and web crawlers. Using the classification, we were able to detect up to 16 previously undetectable brute-force password attacks and 19 HTTP scans per day in our campus network. The activity of proxy servers and web crawlers was also observed. Symptoms of these attacks may be detected by other methods based on traditional flow monitoring, but detection using the analysis of HTTP requests is more straightforward. We, thus, confirm the added value of extended flow monitoring in comparison to the traditional method.","PeriodicalId":331539,"journal":{"name":"2015 10th International Conference on Availability, Reliability and Security","volume":"142 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116653988","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 17
The Role and Security of Firewalls in IaaS Cloud Computing
Jordan Cropper, Johanna Ullrich, P. Frühwirt, E. Weippl
Cloud computing is playing an ever larger role in the IT infrastructure. The migration into the cloud means that we must rethink and adapt our security measures. Ultimately, both the cloud provider and the customer have to accept responsibilities to ensure security best practices are followed. Firewalls are one of the most critical security features. Most IaaS providers make firewalls available to their customers. In most cases, the customer assumes a best-case working scenario which is often not assured. In this paper, we studied the filtering behavior of firewalls provided by five different cloud providers. We found that three providers have firewalls available within their infrastructure. Based on our findings, we developed an open-ended firewall monitoring tool which can be used by cloud customers to understand the firewall's filtering behavior. This information can then be efficiently used for risk management and further security considerations. Measuring today's firewalls has shown that they perform well for the basics, although may not be fully featured considering fragmentation or stateful behavior.
Citations: 13