Quantifying the security effectiveness of firewalls and DMZs

Firewalls and Demilitarized Zones (DMZs) are two mechanisms that have been widely employed to secure enterprise networks. Despite this widespread use, their security effectiveness has not been systematically quantified. In this paper, we take a first step towards filling this void by presenting a representational framework for investigating their security effectiveness in protecting enterprise networks. Through simulation experiments, we draw useful insights into the security effectiveness of firewalls and DMZs. To the best of our knowledge, these insights have not been reported in the literature before.
