Skip to main content
SpringerLink
Log in

A Formal Approach to Verify Completeness and Detect Anomalies in Firewall Security Policies

  • Conference paper
  • First Online:
Book cover Foundations and Practice of Security (FPS 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8930))

Included in the following conference series:

Abstract

Security policies are a relevant solution to protect information systems from undue accesses. In this paper, we develop a formal and rigorous automata-based approach to design and analyze security policies. The interest of our approach is that it can be used as a common basis for analyzing several aspects of security policies, instead of using a distinct approach and formalism for studying each aspect. We first develop a procedure that synthesizes automatically an automaton which implements a given security policy. Then, we apply this synthesis procedure to verify completeness of security policies and detect several types of anomalies in security policies. We also study space and time complexities of the developed procedures.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Al-Shaer, E., Hamed, H.: Modeling and management of firewall policies. IEEE Trans. Netw. Serv. Manage. 1(1), 2–10 (2004)

    Article  Google Scholar 

  2. Karoui, K., Ben Ftima, F., Ben Ghezala, H.: Formal specification, verification and correction of security policies based on the decision tree approach. Int. J. Data Netw. Secur. 3(3), 92–111 (2013)

    Google Scholar 

  3. Madhuri, M., Rajesh, K.: Systematic detection and resolution of firewall policy anomalies. Int. J. Res. Comput. Commun. Technol. (IJRCCT) 2(12), 1387–1392 (2013)

    Google Scholar 

  4. Chen, Z., Guo, S., Duan, R.; Research on the anomaly discovering algorithm of the packet filtering rule sets. In 1st International Conference on Pervasive Computing, Signal Processing and Applications (PCSPA), Harbin, China, pp. 362–366, September 2010

    Google Scholar 

  5. Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Martinez Perez, S., Cabot, J.: Management of stateful firewall misconfiguration. Comput. Secur. 39, 64–85 (2013)

    Article  Google Scholar 

  6. Cuppens, F., Cuppens-Boulahia, N., Garcia-Alfaro, J., Moataz, T., Rimasson, X.: Handling stateful firewall anomalies. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 174–186. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  7. Liu, A.X., Gouda, M.G.: Diverse firewall design. IEEE Trans. Parallel Distrib. Syst. 19(9), 1237–1251 (2008)

    Article  Google Scholar 

  8. Liu, A.X., Gouda, M.G.: Structured firewall design. Comput. Netw. Int. J. Comput. Telecommun. Netw. 51(4), 1106–1120 (2007)

    MATH  Google Scholar 

  9. Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C.-N., Mohapatra, P.: FIREMAN: a toolkit for firewall modeling and analysis. In: IEEE Symposium on Security and Privacy (S&P), Berkeley/Oakland, May 2006

    Google Scholar 

  10. Bryant, R.E.: Graph-based algorithms for boolean function manipulation. IEEE Trans. Comput. 35(8), 677–691 (1986)

    Article  MATH  Google Scholar 

  11. Mallouli, W., Orset, J., Cavalli, A., Cuppens, N., Cuppens, F.: A formal approach for testing security rules. In: 12th ACM Symposium on Access Control Models and Technologies (SACMAT), Sophia Antipolis, France, June 2007

    Google Scholar 

  12. Lee, D., Yannakakis, M.: Principles and methods of testing finite state machines - a survey. Proc. IEEE 84, 1090–1126 (1996)

    Article  Google Scholar 

  13. El Kalam, A.A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization based access control. In: IEEE 4th International Workshop on Policies for Distributed Systems and Networks (POLICY), Lake Come, Italy, June 2003

    Google Scholar 

  14. Mansmann, F., Göbel, T., Cheswick, W.: Visual analysis of complex firewall configurations. In: 9th International Symposium on Visualization for Cyber Security (VizSec), Seattle, pp. 1–8, October 2012

    Google Scholar 

  15. Lu, L., Safavi-Naini, R., Horton, J., Susilo, W.: Comparing and debugging firewall rule tables. IET Inf. Secur. 1(4), 143–151 (2007)

    Article  Google Scholar 

  16. Krombi, W., Erradi, M., Khoumsi, A.: Automata-based approach to design and analyze security policies. In: International Conference on Privacy, Security and Trust (PST), Toronto, Canada (2014)

    Google Scholar 

  17. Scarfone, K., Hauffman, P.: Guidelines on Firewalls and Firewall Policy, Recommendations of the National Institute of Standards and Technology (NIST). Special Publication 800–41, Revision 1, 2–1, September 2009

    Google Scholar 

  18. Madhavi, S., Raghu, G.: Segment generation approach for firewall policy anomaly resolution. Int. J. Comput. Sci. Inf. Technol. (IJCSIT) 5(1), 6–11 (2014)

    Google Scholar 

  19. Hu, H., Ahn, G., Kulkarni, K.: Detecting and resolving firewall policy anomalies. IEEE Trans. Dependable Secure Comput. 9(3), 318–331 (2012)

    Article  Google Scholar 

  20. Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. A.W.H. Freeman, San Francisco (1979)

    MATH  Google Scholar 

  21. Elmallah, E., Gouda, M.G.: Hardness of firewall analysis. In: International Conference on NETworked sYStems (NETYS), Marrakesh, Morocco, May 2014

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Electrical and Computer Engineering, University of Sherbrooke, Sherbrooke, Canada

    Ahmed Khoumsi

  2. ENSIAS, Mohammed V University, Rabat, Morocco

    Wadie Krombi & Mohammed Erradi

Authors
  1. Ahmed Khoumsi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wadie Krombi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mohammed Erradi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ahmed Khoumsi .

Editor information

Editors and Affiliations

  1. TELECOM Bretagne, Cesson Sévigné, France

    Frédéric Cuppens

  2. TELECOM SudParis, Evry, France

    Joaquin Garcia-Alfaro

  3. Dalhousie University, Halifax, Nova Scotia, Canada

    Nur Zincir Heywood

  4. University of Calgary, Calgary, Canada

    Philip W. L. Fong

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Khoumsi, A., Krombi, W., Erradi, M. (2015). A Formal Approach to Verify Completeness and Detect Anomalies in Firewall Security Policies. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science(), vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-17040-4_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17039-8

  • Online ISBN: 978-3-319-17040-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation