Abstract
Security policies are a relevant solution to protect information systems from undue accesses. In this paper, we develop a formal and rigorous automata-based approach to design and analyze security policies. The interest of our approach is that it can be used as a common basis for analyzing several aspects of security policies, instead of using a distinct approach and formalism for studying each aspect. We first develop a procedure that synthesizes automatically an automaton which implements a given security policy. Then, we apply this synthesis procedure to verify completeness of security policies and detect several types of anomalies in security policies. We also study space and time complexities of the developed procedures.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Al-Shaer, E., Hamed, H.: Modeling and management of firewall policies. IEEE Trans. Netw. Serv. Manage. 1(1), 2–10 (2004)
Karoui, K., Ben Ftima, F., Ben Ghezala, H.: Formal specification, verification and correction of security policies based on the decision tree approach. Int. J. Data Netw. Secur. 3(3), 92–111 (2013)
Madhuri, M., Rajesh, K.: Systematic detection and resolution of firewall policy anomalies. Int. J. Res. Comput. Commun. Technol. (IJRCCT) 2(12), 1387–1392 (2013)
Chen, Z., Guo, S., Duan, R.; Research on the anomaly discovering algorithm of the packet filtering rule sets. In 1st International Conference on Pervasive Computing, Signal Processing and Applications (PCSPA), Harbin, China, pp. 362–366, September 2010
Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Martinez Perez, S., Cabot, J.: Management of stateful firewall misconfiguration. Comput. Secur. 39, 64–85 (2013)
Cuppens, F., Cuppens-Boulahia, N., Garcia-Alfaro, J., Moataz, T., Rimasson, X.: Handling stateful firewall anomalies. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 174–186. Springer, Heidelberg (2012)
Liu, A.X., Gouda, M.G.: Diverse firewall design. IEEE Trans. Parallel Distrib. Syst. 19(9), 1237–1251 (2008)
Liu, A.X., Gouda, M.G.: Structured firewall design. Comput. Netw. Int. J. Comput. Telecommun. Netw. 51(4), 1106–1120 (2007)
Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C.-N., Mohapatra, P.: FIREMAN: a toolkit for firewall modeling and analysis. In: IEEE Symposium on Security and Privacy (S&P), Berkeley/Oakland, May 2006
Bryant, R.E.: Graph-based algorithms for boolean function manipulation. IEEE Trans. Comput. 35(8), 677–691 (1986)
Mallouli, W., Orset, J., Cavalli, A., Cuppens, N., Cuppens, F.: A formal approach for testing security rules. In: 12th ACM Symposium on Access Control Models and Technologies (SACMAT), Sophia Antipolis, France, June 2007
Lee, D., Yannakakis, M.: Principles and methods of testing finite state machines - a survey. Proc. IEEE 84, 1090–1126 (1996)
El Kalam, A.A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization based access control. In: IEEE 4th International Workshop on Policies for Distributed Systems and Networks (POLICY), Lake Come, Italy, June 2003
Mansmann, F., Göbel, T., Cheswick, W.: Visual analysis of complex firewall configurations. In: 9th International Symposium on Visualization for Cyber Security (VizSec), Seattle, pp. 1–8, October 2012
Lu, L., Safavi-Naini, R., Horton, J., Susilo, W.: Comparing and debugging firewall rule tables. IET Inf. Secur. 1(4), 143–151 (2007)
Krombi, W., Erradi, M., Khoumsi, A.: Automata-based approach to design and analyze security policies. In: International Conference on Privacy, Security and Trust (PST), Toronto, Canada (2014)
Scarfone, K., Hauffman, P.: Guidelines on Firewalls and Firewall Policy, Recommendations of the National Institute of Standards and Technology (NIST). Special Publication 800–41, Revision 1, 2–1, September 2009
Madhavi, S., Raghu, G.: Segment generation approach for firewall policy anomaly resolution. Int. J. Comput. Sci. Inf. Technol. (IJCSIT) 5(1), 6–11 (2014)
Hu, H., Ahn, G., Kulkarni, K.: Detecting and resolving firewall policy anomalies. IEEE Trans. Dependable Secure Comput. 9(3), 318–331 (2012)
Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. A.W.H. Freeman, San Francisco (1979)
Elmallah, E., Gouda, M.G.: Hardness of firewall analysis. In: International Conference on NETworked sYStems (NETYS), Marrakesh, Morocco, May 2014
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Khoumsi, A., Krombi, W., Erradi, M. (2015). A Formal Approach to Verify Completeness and Detect Anomalies in Firewall Security Policies. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science(), vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-17040-4_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17039-8
Online ISBN: 978-3-319-17040-4
eBook Packages: Computer ScienceComputer Science (R0)