Demonstrating topoS: Theorem-prover-based synthesis of secure network configurations

Diekmann, Cornelius; Korsten, Andreas; Carle, Georg

doi:10.1109/cnsm.2015.7367384

Cited by 5 publications

(9 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Diekmann et al presented a new tool named TopoS to manage network‐level access control. TopoS requires the high‐level security aims to translate them into low‐level configurations automatically.…”

Section: Formal Verification Methods In the Sdnmentioning

confidence: 99%

A systematic literature review on formal verification of software‐defined networks

Souri

Norouzi

Asghari

et al. 2019

Trans Emerging Tel Tech

View full text Add to dashboard Cite

By raising evolutionary network connections, a software‐defined network (SDN) offers a well‐managed and flexible novel network topology. The SDN efforts are provided to abstract the original network configuration for business applications and web services. Additionally, the SDN modifies the network management policies such as topology policies, deployment policies, the applicability, and infrastructure maintenance. One of the important features of the SDN is standardizing the network interfaces with the precise functional semantics in application and control flow layers. In another hand, specification and evaluation of the existing network interfaces is a main and significant challenge to prove the correctness of the configurable scenarios in the SDN approach. Recently, formal verification presents a high potential platform to evaluate the main‐layer scenarios of the SDN as the novel perspective in this area. Up to now, there is no survey and state‐of‐the‐art review on the formal verification methods in the SDN. This paper provides a systematic literature review (SLR) for the formal verification methods in the SDN in form of the SDN plans to recognize the state of the art of the open challenges. The presented SLR is classified into three main fields: application plan, data plan, and control plan approaches. The verification mechanisms are compared with each other according to the important factors such as structural properties, quality‐of‐service metrics, applied algorithms, and measurement tools.

show abstract

Section: Formal Verification Methods In the Sdnmentioning

confidence: 99%

A systematic literature review on formal verification of software‐defined networks

Souri

Norouzi

Asghari

et al. 2019

Trans Emerging Tel Tech

View full text Add to dashboard Cite

show abstract

“…Only the generation of the target configuration must be adapted. For example, topoS can also used to generate an OpenFlow configuration [11].…”

Section: Survey Of Related Academic Workmentioning

confidence: 99%

“…This article is partly based on our previously published paper [11]. Our previous publication discusses the design phase and provides a formally-verified method to translate security requirements to a security policy ( § II).…”

Section: Introductionmentioning

confidence: 99%

“…The rest of this article is structured as follows. We tell how Alice is designing the network in Section II (based on previous publication [11]). Alice deploys her setup with Docker in Section III.…”

Section: Introductionmentioning

confidence: 99%

“…We present two tools which help Alice in various situations. First, topoS [11] is a constructive, top-down greenfield approach for network security management. topoS translates high-level security goals to Linux iptables firewall configurations, which can be installed on a Docker host.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Agile Network Access Control in the Container Age

Diekmann

Naab

Korsten

et al. 2019

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Linux Containers, such as those managed by Docker, are an increasingly popular way to package and deploy complex applications. However, the fundamental security primitive of network access control for a distributed microservice deployment is often ignored or left to the network operations team. High-level application-specific security requirements are not appropriately enforced by low-level network access control lists. Apart from coarse-grained separation of virtual networks, Docker neither supports the application developer to specify nor the network operators to enforce fine-grained network access control between containers.In a fictional story, we follow DevOp engineer Alice through the lifecycle of a web application. From the initial design and software engineering through network operations and automation, we show the task expected of Alice and propose tool-support to help. As a full-stack DevOp, Alice is involved in high-level design decisions as well as low-level network troubleshooting. Focusing on network access control, we demonstrate shortcomings in today's policy management and sketch a tool-supported solution. We survey related academic work and show that many existing tools fail to bridge between the different levels of abstractions a full-stack engineer is operating on.Our toolset is formally verified using Isabell/HOL and is available as Open Source.

show abstract