Article

Research and application of next-generation firewall technique in medical network


Abstract

With the rapid development of medical informatization, together with larger quantities of information and a higher level of integration, keeping core data confidential has become a severe challenge. This thesis first introduces the role of the next-generation firewall in the medical network. A medical network is then designed, and an overall network building scheme for the medical network is planned according to the actual demands of a hospital. VLANs are divided and IP addresses are planned for each floor. The relevant protocols and important equipment to be used are introduced in detail, including the DHCP protocol, the SNMP protocol and next-generation firewall security devices. In addition, the IP address range of each area is planned, LAN connectivity is tested, and a simulated attack and defense test is carried out based on the deployment principles of the next-generation firewall. The deployment of security policy and some common security vulnerabilities affecting firewalls are also introduced in detail. Finally, the attack and defense test of the firewall is carried out to demonstrate the effective protection the firewall provides in the medical network, and to show that next-generation firewall technique can help the hospital solve its network security issues to some extent.


Article
Full-text available
Most companies have firewalls in order to protect their internal networks and assets from attackers in cyberspace. Firewall policies should be maintained and organized with high importance. However, considering the length of time needed to analyze highly complex policies and the risk of disabling the firewall that may arise from a false policy setting, it is extremely hard to securely optimize the performance of firewalls. This paper suggests a visualization tool that shows the status and the types of policies applied throughout the firewalls so that such difficulties related to the maintenance of firewall policies can be resolved. The proposed tool is designed from six different angles: (1) Hierarchy-view, (2) Anomaly-view, (3) Distributed-view, (4) ANYPolicy-view, (5) SearchResult-view, and (6) Top and Bottom Used-view. The core of the overall function is to facilitate easy identification of the policy interrelationships. The visualization tool has been tested by being applied across approximately 24 different firewall policies. The processing speed of each function and the abuse detection rate were all reviewed positively. With the help of the tool, services can be identified, performance improved, and policy relations made visible, which will thereby lead to better safety in preserving the assets intact. A video of the proposed visualization tool can be found on the web site: https://youtu.be/43OfHN8dteU.
Article
Full-text available
A simple, closed-form solution to the Yang–Mills field equations is presented which has a non-Abelian firewall — a spherical “horizon” where the energy density diverges. By the gravity/gauge duality, this non-Abelian firewall implies the existence of a gravitational firewall. Gravitational firewalls have been proposed as a way of resolving the information loss paradox, but at the cost of violating the equivalence principle.
Article
Full-text available
Phishing is the most well-known act of deceiving the Internet users, in which the ‘perpetrator’ plays a credible entity. This is done by misusing the inadequate protection provided by electronic tools, and by exploiting the ignorance of the user-object, in order to illegally obtain personal data, such as sensitive private information and passwords. This research proposes the online meta-learning firewall to prevent phishing attacks. It is a highly innovative and fully automated active safety tool that uses a long short-term memory meta-learner algorithm. This method can learn to efficiently classify using a small number of samples. At the same time, it can converge with a fairly small number of steps. The proposed system is an improvement on the k-nearest neighbor with self-adjusting memory algorithm, which is inspired by the model of short and long-term memory. The purpose of the system is to understand the nature of an unknown situation and to classify it, based on the most relevant characteristics that come directly from the unknown environment.
Article
Full-text available
Today, cardiac implantable electronic devices (CIEDs), such as pacemakers and implantable cardioverter defibrillators (ICDs), play an increasingly important role in healthcare ecosystems as patient life support devices. Physicians control, program and configure CIEDs on a regular basis using a dedicated programmer device. The programmer device is open to external connections (e.g., USB, Bluetooth, etc.), and thus it is exposed to a variety of cyber-attacks by which an attacker can manipulate the programmer device’s operations and consequently harm the patient. In this paper, we present CardiWall, a novel detection and prevention system designed to protect ICDs from cyber-attacks aimed at the programmer device. Our system has six different layers of protection, leveraging medical experts’ knowledge, statistical methods, and machine learning algorithms. We evaluated the CardiWall system extensively in two comprehensive experiments. For the evaluation, we gathered data for a period of four years and used 775 benign clinical commands that are related to hundreds of different patients (obtained from different programmer devices located at Barzilai University Medical center) and 28 malicious clinical commands (created by two cardiology experts from different hospitals). The evaluation results show that only two out of the six layers proposed in CardiWall system provided a high detection capability associated with high rates of true positive, and low rates of false positive. With the configuration that provided the best harmonic mean of sensitivity and specificity (HMSS), CardiWall achieved a high true positive rate (TPR) of 91.4% and a very low false positive rate (FPR) of 1%, with an AUC of 94.7%.
Article
Full-text available
A firewall is an essential device in every computer network. It needs skillful professionals to accurately configure its rules for proper functioning. To help prepare these professionals, university-level students need more engaging and attractive interactive tools to develop their skills. In this regard, this paper presents the design, implementation and evaluation of the "Compu Castel" educational video game that teaches firewall concepts. In addition to evaluating the impact of the educational game on short-term knowledge acquisition, both mid-term (after 2 months) and long-term (after 5 months) knowledge retention are analyzed. The results confirm that educational games positively affect short-term knowledge acquisition compared with traditional text-based methods. Moreover, educational games enhance knowledge retention over mid-term and long-term periods.
Article
Full-text available
Firewalls are computer systems that assess the network traffic using an ideally coherent and manageable set of rules. This study aims to provide means to measure the usability of firewall rule sets in terms of how easily IT professionals can understand and manage them. First, we conducted semi-structured interviews with system administrators wherein we obtained the usability challenges related to the management of firewall rule sets. This was followed by the analysis of related work. The interview results were combined with the findings from the related work. Accordingly, we acquired four usability attributes related to the manageability of firewalls; these were formally defined. We tested and measured the cognitive aspects related to the structure and ordering of the rules through a user study. A third user study with system administrators validated our metrics. It exhibited a very strong correlation between the metrics and how the administrators characterized usability.
Article
Full-text available
Firewalls are a fundamental element of network security systems with the ability to block network data traffic flows according to pre-defined rules. Software-defined networking (SDN) technology, which can provide flexibility, elasticity, and programmability for network management, has been applied to network security systems. We propose a software-defined firewall cyber-security system, which securely gathers the firewall rules of the host/network-based firewalls through the SDN control plane, converts the collected firewall rules into the form of SDN flow rules, and deploys them on OpenFlow (OF)-enabled switches. Furthermore, we formulate an optimization problem to find appropriate OF-enabled switches to which the SDN flow rules are to be sent. The proposed firewall system makes the traffic flows that are destined to be dropped by a firewall be dropped in advance at the OF-enabled switch with the corresponding SDN flow rules. The SDN-based testbed experiments demonstrate that the proposed firewall system reduces the aggregate network traffic volume and the resource utilization of end-hosts in the network.
Chapter
In recent years, with the development of computer technology and communication technology, computer networks have developed rapidly to become an indispensable part of people's lives. At the same time, network attacks have been increasing exponentially. Countries around the world have raised network security issues to the level of their national strategies, which shows the importance of network security. The firewall is an important technology for network security at present, and it is a barrier that protects the internal network. However, in the era of information explosion the data flow of network communication is very large, and due to the limitations of memory, CPU, etc., firewalls become a communication bottleneck. Therefore, this paper introduces the idea of machine learning into the filtering rules of the decision tree, and uses the optimized decision tree C4.5 algorithm to predict the optimal ranking of the firewall filtering rule table attributes, which improves the efficiency of the firewall and thus its throughput.
Article
Cascaded thermal runaway (TR) propagation is the utmost safety issue for large-format lithium-ion battery (LIB) modules because of the high risk of system fires or explosions. However, quenching TR without side effects still remains a challenge. Herein, we delivered an ultrathin smart firewall concept for avoiding the TR propagation in a LIB module. We demonstrate that the firewalls have thermally-triggered switchable thermal physical properties because of the synergistic effect of non-flammable phase change materials (NFPCM) and flexible silica nanofiber mats. Under TR condition, the firewalls give rise to multiple functions simultaneously, including cooling, fire extinguishing and thermal insulation. Consequently, the TR propagation between fully charged 50 Ah LIBs, with a transient thermal shock of up to 53 kW, is successfully suppressed by 1-mm-thick smart firewalls, yielding a maximum cell-to-cell temperature gap of 512°C. The smart firewall design provides a reliable approach to quench TR propagation in large-format LIBs, which can also be suitable for other dynamically adaptive thermal-protection applications for oil tanks, space exploration, and firefighting equipment.
Article
The on-demand, dynamic nature of cloud computing for the end-user leads towards a hybrid cloud deployment model called a multi-cloud. A multi-cloud is a multi-tenant and multi-vendor heterogeneous cloud platform in terms of services and security under a defined SLA (service level agreement). The diverse deployment of the multi-cloud model leads to a rise in security risks. In this paper, we define a multi-cloud model with hybridization of vendor and security to improve the end-user experience. The proposed model has a heterogeneous cloud paradigm with a combination of firewall tracts to overcome rising security issues. The proposed work consists of three steps: firstly, all incoming traffic from the consumer end is grouped into five major groups called ambient; secondly, a next-generation firewall (NGFW) topology is designed with a mixture of tree-based and demilitarized zone (DMZ) implications; thirdly, a test implementation of the designed topology is performed using a simple DMZ technique in the case of the vendor-specific model and NGFW on the hybrid vendor-based multi-cloud model. Furthermore, it also defines some advantages of NGFW in overcoming these concerns. The proposed work is helpful for new consumers to define their dynamic secure cloud services under a single SLA before adopting a multi-cloud platform. Finally, results are compared in terms of throughput and CPU utilization in both cases.
Article
Firewalls are essential for managing and protecting computer networks. They permit specifying which packets are allowed to enter a network, and also how these packets are modified by IP address translation and port redirection. Configuring a firewall is notoriously hard, and one of the reasons is that it requires using low level, hard to interpret, configuration languages. Equally difficult are policy maintenance and refactoring, as well as porting a configuration from one firewall system to another. To address these issues we introduce a pipeline that assists system administrators in checking if: (i) the intended security policy is actually implemented by a configuration; (ii) two configurations are equivalent; (iii) updates have the desired effect on the firewall behavior; (iv) there are useless or redundant rules; additionally, an administrator can (v) transcompile a configuration into an equivalent one in a different language; and (vi) maintain a configuration using a generic, declarative language that can be compiled into different target languages. The pipeline is based on IFCL, an intermediate firewall language equipped with a formal semantics, and it is implemented in an open source tool called FWS. In particular, the first stage decompiles real firewall configurations for iptables, ipfw, pf and (a subset of) Cisco IOS into IFCL. The second one transforms an IFCL configuration into a logical predicate and uses the Z3 solver to synthesize an abstract specification that succinctly represents the firewall behavior. System administrators can use FWS to analyze the firewall by posing SQL-like queries, and update the configuration to meet the desired security requirements. Finally, the last stage allows for maintaining a configuration by acting directly on its abstract specification and then compiling it to the chosen target language. Tests on real firewall configurations show that FWS can be fruitfully used in real-world scenarios.
Article
Firewalls remain the first line of defence for many organisations. But confidence in their ability to stop attacks is waning. To better protect our enterprises, we must accept that firewalls have become almost redundant and look for more-effective approaches. And one proven choice is software-based segmentation, which is more adaptable to business considerations and today's workloads, says Dave Klein of Guardicore. At $14.7bn annually, firewalls are the biggest recurring expense in enterprise budgets globally.¹ Yet despite this huge spending statistic from Gartner, there seems to be no end to the number of severe breaches making headlines. While firewalls were once the first and foremost line of enterprise defence and used to do a good job, they are today no longer effective. It begs the questions – why are firewalls failing, and what do we need to do differently?
Article
Unitary evolution makes a pure state on one Cauchy surface evolve to a pure state on another Cauchy surface. Outgoing Hawking radiation is the only subsystem on the late Cauchy surface. The requirement that Hawking radiation should be pure amounts to requiring purity of the subsystem when the total system is pure. We will see that this requirement leads to a firewall even in flat spacetime, and thus is invalid. Information is either stored in the entanglement between field modes inside the black hole and the outgoing modes, or stored in the correlation between geometry and Hawking radiation when the singularity is resolved by quantum gravity effects. We will give a simple argument that even in the semi-classical regime, information is (at least partly) stored in the correlation between geometry and Hawking radiation.
Article
Traditional firewalls employ listed rules in both the configuration and processing phases to regulate network traffic. However, configuring a firewall with listed rules may create rule conflicts and slows down the firewall. To overcome this problem, we proposed a Tree-rule firewall in our previous study. Although the Tree-rule firewall guarantees no conflicts within its rule set and operates faster than traditional firewalls, keeping track of the state of network connections using hashing functions incurs extra computational overhead. In order to reduce this overhead, we propose a hybrid Tree-rule firewall in this paper. This hybrid scheme takes advantage of both Tree-rule firewalls and traditional listed-rule firewalls. The GUIs of our Tree-rule firewalls are utilized to provide a means for users to create conflict-free firewall rules, which are organized in a tree structure and called 'tree rules'. These tree rules are later converted into listed rules that share the merit of being conflict-free. Finally, in decision making, the listed rules are verified against packet header information. The rules which have matched the most packets are moved up to the top positions by the core firewall. The mechanism applied in this hybrid scheme can significantly improve the functional speed of a firewall.
Article
The TCP/IP suite has various protocols that must be carefully configured so that networked devices operate efficiently. Setting values by hand is time-consuming and error-prone; moreover, several trends are adding to the need for automated parameter configuration and administration. The Dynamic Host Configuration Protocol, accepted as a proposed standard by the Internet Engineering Task Force, offers a way to automatically configure network devices that use TCP/IP. These devices use DHCP to locate and contact servers, which return the appropriate configuration information as data. The DHCP servers act as agents for network administrators and automate the process of network address allocation and parameter configuration. Addresses can be assigned and individual addresses can be reassigned to new DHCP clients without explicit intervention by a network administrator. The IETF's Dynamic Host Configuration (DHC) working group is now at work adding new features to DHCP. The author describes the group's work on DHCP in detail, outlines the management of a DHCP service, and discusses new DHCP features, including the version being developed for IPv6.