Modeling and Simulation Firewall Using Colored Petri Net

Similar documents
Firewall Design Principles

Local-Area Network -LAN

ESSENTIALS. Understanding Ethernet Switches and Routers. April 2011 VOLUME 3 ISSUE 1 A TECHNICAL SUPPLEMENT TO CONTROL NETWORK

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE Computer Network Analysis and Design Slide 1

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Based on Computer Networking, 4 th Edition by Kurose and Ross

Cornerstones of Security

Level 2 Routing: LAN Bridges and Switches

Introduction. What is a Remote Console? What is the Server Service? A Remote Control Enabled (RCE) Console

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)

Basic Network Configuration

Firewalls P+S Linux Router & Firewall 2013

Post-Class Quiz: Telecommunication & Network Security Domain

Implementation of Virtual Local Area Network using network simulator

CSET 4750 Computer Networks and Data Communications (4 semester credit hours) CSET Required IT Required

Lab VI Capturing and monitoring the network traffic

Lab Developing ACLs to Implement Firewall Rule Sets

Firewalls. Ahmad Almulhem March 10, 2012

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Networking Devices. Lesson 6

SSVP SIP School VoIP Professional Certification

Understand Wide Area Networks (WANs)

Top-Down Network Design

Local Area Networks transmission system private speedy and secure kilometres shared transmission medium hardware & software

Lecture 1. Lecture Overview. Intro to Networking. Intro to Networking. Motivation behind Networking. Computer / Data Networks

Overview - Using ADAMS With a Firewall

Agenda. Distributed System Structures. Why Distributed Systems? Motivation

Overview - Using ADAMS With a Firewall

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Computer Networks/DV2 Lab

Chapter 4 Firewall Protection and Content Filtering

Computer Networks. Definition of LAN. Connection of Network. Key Points of LAN. Lecture 06 Connecting Networks

A Model Design of Network Security for Private and Public Data Transmission

Chapter 8 Security Pt 2

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

CORPORATE NETWORKING

Understanding IP Faxing (Fax over IP)

FIREWALLS IN NETWORK SECURITY

Communication Systems Internetworking (Bridges & Co)

Firewall Architecture

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

FIREWALLS & CBAC. philip.heimer@hh.se

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Performance Evaluation of Wired and Wireless Local Area Networks

CTS2134 Introduction to Networking. Module Network Security

524 Computer Networks

8. Firewall Design & Implementation

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Network Basics GRAPHISOFT. for connecting to a BIM Server (version 1.0)

Security in Wireless Local Area Network

Virtual LANs. or Raj Jain

Understanding IP Faxing (Fax over IP)

EE4367 Telecom. Switching & Transmission. Prof. Murat Torlak

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

MANAGING NETWORK COMPONENTS USING SNMP

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Architecture Overview

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Configuring DHCP Snooping

FIREWALL ARCHITECTURES

Security Technology White Paper

Packet Sniffing on Layer 2 Switched Local Area Networks

Cisco Network Performance Evaluation Using Packet Tracer

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

RAS Associates, Inc. Systems Development Proposal. Scott Klarman. March 15, 2009

Security Labs in OPNET IT Guru

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Ethernet. Ethernet Frame Structure. Ethernet Frame Structure (more) Ethernet: uses CSMA/CD

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example

Architecture of distributed network processors: specifics of application in information security systems

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Firewalls, IDS and IPS

Module 15: Network Structures

Security Technology: Firewalls and VPNs

FIREWALL AND NAT Lecture 7a

co Characterizing and Tracing Packet Floods Using Cisco R

Protecting and controlling Virtual LANs by Linux router-firewall

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Chapter 4 Customizing Your Network Settings

Lecture 6 Types of Computer Networks and their Topologies Three important groups of computer networks: LAN, MAN, WAN

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

ADSL or Asymmetric Digital Subscriber Line. Backbone. Bandwidth. Bit. Bits Per Second or bps

Configuring DHCP Snooping and IP Source Guard

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

CET442L Lab #2. IP Configuration and Network Traffic Analysis Lab

HP Switches Controlling Network Traffic

Chapter 9A. Network Definition. The Uses of a Network. Network Basics

Firewalls. Chapter 3

Network Security Topologies. Chapter 11

Three Key Design Considerations of IP Video Surveillance Systems

Network Troubleshooting with the LinkView Classic Network Analyzer

Chapter 2 TCP/IP Networking Basics

Transcription:

World Applied Sciences Journal 15 (6): 826-830, 2011 ISSN 1818-4952 IDOSI Publications, 2011 Modeling and Simulation Firewall Using Colored Petri Net 1 2 Behnam Barzegar and Homayun Motameni 1 Department of Computer Engineering, Nowshahr Branch, Islamic Azad University, Nowshahr, Iran 2 Department of Computer Engineering, Sari Branch, Islamic Azad University, Sari, Iran Abstract: In this paper the methodology of firewalled LAN models construction in the form of Colored Petri Net is introduced and model the ACL (Access Control List ) in firewalls as the first form of defense for the simulation and analysis of the model the Design/CPN Tools is used The components of the model are Firewall, Switch, Hub, Server and Workstation. Key words: Firewall Simulation ACL Access Control List CPN Petri Net Lan INTRODUCTION The graphic features of CPNs specify the applicability and visualization of the modeled Data communications networks have become an system. Furthermore, synchronous and asynchronous infrastructure resource for businesses corporations, events present their prioritized relations and structural government agencies and academic institutions. adaptive effects. The main difference between CPNs Computer networking, however, is not without risks as and Petri Nets (PN) is that in CPNs the elements are Howard [1] illustrates in his analysis of over 4000 security separable but in PNs they are not. Coloured indicates the incidents on the Internet between 1989 and 1995. elements specific feature. The relation between CPNs and Firewall technology is one mechanism to protect ordinary PNs is analogous to high level programming against network based attack methods. A balanced languages to an assembly code (Low level programming approach to network protection draws from several other language). fields, such as physical security, personnel security, Theoretically, CPNs have precise computational operations security, communication security and social power but practically since high level programming mechanisms [2]. languages have better structural specifications, they have Classically, firewall technology has been applied to greater modeling power. TCP/IP (transmission control protocol, internet protocol, CPN s drawback is its non-adaptivity [4] internetworks. Firewalls are used to guard and isolate therefore it is not possible to access the previous connected segments of internetworks. "Inside" network information available in CPNs. If there is more than one domains are protected against "outside" untrusted transition activated then each transition can be networks, or parts of network are protected against other considered as the next shot. This Coloured Petri Net s parts. Various architectures for firewalls have been characteristic indicates that since several events occur published and built, such as filtering routers, or concurrently and event incidences are not similar, then application level proxy services. In this paper a packet when events occur they do not change by time and this filtering firewall with ACL (Access control List) models by phenomenon is in contrast with the real and dynamic Colored Petri net. world. Simulation would be similar to execution of the Coloured Petri Net (CPN) is a tool by which validation main program. of discrete-event systems are studied and modeled. CPNs are used to analyze and obtain significant and Coloured Petri Nets: The coloured petri net is a language useful information from the structure and dynamic for modeling and evaluating of system that co-processing performance of the modeled system. Coloured Petri Nets connection and synchronization play the main rule in mainly focus on synchronization, concurrency and it. This language is a complex of petri net with ML asynchronous events [3]. programming language [3,5]. Corresponding Author: Behnam Barzegar, Department of Computer Engineering, Nowshahr Branch, Islamic Azad University, Nowshahr, Iran. 826

CPN model is an executive model system that shows However, one LAN can be connected to other LANs position of a system and incidents which cause change in over any distance via telephone lines and radio waves. A position of system. system of LANs connected in this way is called a wide- CPN Tools is also a suitable tool for editing, area network (WAN). modeling, analysis of space of position and analysis of Most LANs connect workstations and personal operation of CPN models. graph of Petri net is a method computers. Each node (individual computer ) in a LAN for showing of structure of Petri nets that two shapes are has its own CPU with which it executes programs, but it in them. also is able to access data and devices anywhere on the These places and transitions connect to each LAN. This means that many users can share expensive other by arcs. when an arc connects from a transition to devices, such as laser printers, as well as data. Users can a place, it means, the place will be the exit of the also use the LAN to communicate with each other, by mentioned transition and if an arc be drawn from a place sending e-mail or engaging in chat sessions. to a transition, it means, that place will be entrance of the Figure 1 shown a model of sample LAN we used in mentioned transition. For description of Petri net action, this paper. the elements of the model are sub models of: tokens add to this graph, too. Firewall, Switch, Hub, Server and Workstation. In this it causes, concept of position be defined in this sample LAN, workstation is used to produce traffic in graph. Number of these tokens in the whole graph and network and send request to the servers. switch navigate manner of their distribution among places, determines the network traffic to the right port and avoid packet collision. position of Petri net, which called it a petri net marking. firewall analyse input/output packets and filter A formal definition of CPN is as follows [3]: unauthorized packets by rules exist in Access Control List.hub get the firewall output packets and deliver them A Coloured PN (CPN) is a 6-tuple CPN (P,T,C, I, I, M 0) to server2 and server3. Servers response to the incoming where: packets by sending 2 response packet to sender's address.server2 and server3 are protected by ACL firewall P = {p1, p2,..., pn} denotes a finite and non-empty set and server1 operate in network without any protection. of places, T = {t1, t2,..., tm} denotes a finite and non-empty set Model of Firewall: The modeled firewall shown in of transitions, P T =Ø, Figure 2 is a full duplex ACL firewall. Packets come to C is a colour function that assigns a finite and non- firewall from in places and firewall control unit, control empty set of colors to each place and a finite and packets Source IP and Destination IP and mark them as a non-empty set of modes to each transition. authorized or unauthorized packet based on ACL rules by I and I denote the backward and forward incidence checking ACL place. functions defined by P T, such that I (p,t),i (p,t) In the next step Block Packet transition block the [C(t) >C(p)MS],v(p,t) P T². unauthorized packets and Pass transition fire to send out Mo denotes a function defined on P, describing the authorized packets if there is any authorized marked initial marking such that Mo (p) C(p)MS. packet exist in firewall buffers. Firewall: A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communication to pass. One form of defense for every network connected to the internet is Access Control List. These lists reside on routers or firewalls and determine which machines (that is, which IP addresses) can use the sub network and in what directions. Model of LAN: LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. Fig. 1: Model of LAN 827

Fig. 2: Model of Firewall MAC address of the host is represented by the integer number. Moreover, content of the frame is not considered. Data type l2 describes the frames of the network, data type sw represents the switching table records and data type swch describes the switched frames waiting for output buffer allocation. Places PortX In and PortX Out represent input and output buffers of port X accordingly. Place mac table models the switching table; each token in this place represents the record of the switching table. Place Buffer corresponds to the switched frames buffer. Transitions InX model the processing of input frames. The frame is extracted from the input buffer only in cases where the switching table contains a record with an address that equals the destination address of the frame; during the frame displacement the target port number is stored in the buffer. Fig. 3: Model of Switch State field represent authorized (state = true) and unauthorized (state = false) packets in firewall. Model of Switch: To construct the model for a network switch we shall consider separate input and output frame buffers for each port and a common buffer of the switched frames. A model of the switch presented in Figure 3. Hosts disposition according to Figure 1 was used for the testing of the model. Fig. 4: Model of Hub 828

Fig. 5: Model of Workstation Transitions OutX model the displacement of switched frames to output ports buffers. Fixed time delays are assigned to the operations of the switching and the writing of the frame to the output buffer. Fig. 6: Model of Server color mac=int; color ip=int; color sw=product mac * port; color ci=product mac * ip; color firewall_buffer=product mac * mac * ip * ip * BOOL; var src, dst, macsw, ownmac:mac; var srcip,dstip,ownip, acl_src, acl_dst:ip; color port=int; color l2=product mac * mac * ip * ip; color swch=product mac * mac * port * ip * ip; color acl=product ip * ip * BOOL; color hub_buffer=product product mac * mac * ip * ip * port; var prt:port; var state:bool; Fig. 7: Model of whole Network 829

Model of Hub: To distribute packets in a small LAN it is address is held in the place Remote. Transition Exec common to use hubs and in this work hub is used to models the execution of the workstation s request by the deliver firewall output packets to servers (Server2 and server. As a result of the execution request the server Server3) and servers (Server2 and Server3) responses generates a random number of the response frames that to firewall's input port. Hubs repeats all incoming data to are held in the place Reply. all outgoing ports except sender's port because the Then these frames are transmitted into the network operate in the first layer of network and they have by the transition Send. The assembly of the general local not MAC Table to save addresses. InX transition area network model is implemented by the union of the fires when at least one packet exist in InX place and it places LAN of workstations and servers for each of the send 2 packets (each for one port) with the same segments. The model of the switch is attached to the information as incoming packet to the hub's buffer. OutX models of segments by means of additional transitions transition send packets to OutX place(port). Figure 4 ReceiveX and SendX accepting frames into the input shows a Hub model. buffer and transmitting frames from the output buffer accordingly for each switch port. Model of Server and Workstation: To investigate the frames flow transmitting through the local area network CONCLUSION and to estimate the network response time it is necessary to supply the model constructed with the models of In the present work the technology of an ACL terminal devices attached to the network. The general Firewall was studied. the structure of ACL firewall, static model assembling may be provided by means of union MAC table Switches and Hubs was described and a (fusion) of places. simple model of workstation and server was shown. we On the peculiarity of the traffic s form we shall saw firewall's Access Control List efficiency by model it separate workstations and servers. For an accepted in CPN. degree of elaboration, we shall consider the periodically As the future work it is good to simulate DMZ and repeated requests of the workstations to the servers with other technologies in firewalls. the random uniform distributed delays. On reply to accepted request the server sends a few REFERENCES packets to the address of the requested workstation. The number of packets sent and the time delays are the 1. Howard, J.D., 1997. An Analysis Of Security uniform distributed random values. Incidents On The Internet 1989-1995. PhD thesis, A model of workstation is represented in Figure 5. Carnegie Mellon. Place LAN models the segment of the local area network 2. Icove, D., K. Seger and W. VonStorch, 1995. that the workstation is attached to. Computer Crime. O Reilley and Associates, Inc., The workstation listens to the network by means of Sebastopol, California. a transition Receive that receives frames with the 3. Jensen, K., L. Michael Kristensen and L. Wells, 2007. destination address that equals the own address of the Coloured Petri Nets and CPN Tools for modeling and workstation saved in the place Own. The processing of validation of concurrent systems. International received frames is represented by the simple absorption Journal of Software Tools Technology Transfer, of them. pp: 213-254. The workstation sends periodic requests to the 4. Asar, A., M. Zhou and R.J. Caudill, 2005. server by means of transition Send. The servers Making Petri Nets Adaptive: A Critical Review. addresses are held in the place Remote. The sending IEEE Networking, Sensing and Control Proceedings, of the frame is implemented only if the LAN segment pp: 644-649. is free. 5. Albert, K., K. Jensen and R. Shapiro, 1989. It operates by checking of the place LAN for the lack Design/CPN: A Tool Package Supporting the Use of of tokens. In such a manner we may interact with a few Colored Nets. Petri Net Newsletter, pp: 22-35. servers holding their addresses in the place Remote. A model of the server is represented in Figure 6. The listening of the network is similar to the model of the workstation but is distinct in that the frame s source 830

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information