A Formal Approach for Network Security Policy Relevancy Checking

  • Conference paper
  • Network and System Security (NSS 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10394)

Abstract

Security components such as firewalls, IDSs and IPSs are the mainstay and the most widely adopted technology for protecting networks. These components are configured according to a global security policy. An error in that policy either creates security holes that allow malicious traffic to sneak into a private network, or blocks legitimate traffic and disrupts normal business processes, which in turn can have irreparable consequences. It has been observed that most security policies on the Internet are poorly designed and contain many misconfigurations. In this paper, we propose a formal process, based on the decision tree formalism, to specify, verify and correct a security policy in four steps. First, we define the security policy specification and write it in natural language. Second, the policy is translated into a formal language. Third, we verify the correctness of the policy. If the policy turns out to contain anomalies, we correct it in the last step.
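The four steps of the abstract, carried through on a constructed six-rule firewall policy, as an added example that is not the paper's own tool, rule syntax or decision tree encoding. The rule syntax (`<order> <proto> <src> <dst> <lo>-<hi> <action>`), the field order of the tree (protocol, source, destination, destination port) and the sample policy are assumptions of this example; the anomaly classes (shadowing, redundancy, generalization, correlation) are the ones defined by Al-Shaer and Hamed, which the paper builds on. The tree is used to prune the pairwise check: only branches whose field value overlaps the rule under test are descended.

```python
"""Added example (not the paper's own tool or notation): the four steps of the
abstract carried through on a constructed six-rule firewall policy."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Steps 1-2. Constructed sample policy already written in a small formal rule
# syntax assumed for this example: <order> <proto> <src> <dst> <lo>-<hi> <action>
POLICY_TEXT = """\
1 tcp 10.1.0.0/16 any 80-80 allow
2 tcp 10.1.2.0/24 any 80-80 deny
3 tcp 10.1.2.0/24 any 80-80 allow
4 udp any 10.9.0.0/16 53-53 allow
5 udp 10.1.0.0/16 10.9.9.0/24 1-1024 deny
6 any any any 1-65535 deny
"""
ANY_NET = ip_network("0.0.0.0/0")
FIELDS = ("proto", "src", "dst", "dport")   # assumed tree level order

@dataclass(frozen=True)
class Rule:
    order: int
    proto: str         # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: tuple       # inclusive (lo, hi)
    action: str        # "allow" or "deny"

def _net(s):
    return ANY_NET if s == "any" else ip_network(s)

def parse_policy(text):
    """Step 2: read the formal rule syntax into Rule objects in policy order."""
    rules = []
    for line in text.strip().splitlines():
        order, proto, src, dst, ports, action = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        rules.append(Rule(int(order), proto, _net(src), _net(dst), (lo, hi), action))
    return sorted(rules, key=lambda r: r.order)

# Per-field overlap tests; the tree walk only descends into overlapping branches.
OVERLAP = {
    "proto": lambda a, b: "any" in (a, b) or a == b,
    "src": lambda a, b: a.overlaps(b),
    "dst": lambda a, b: a.overlaps(b),
    "dport": lambda a, b: a[0] <= b[1] and b[0] <= a[1],
}

def covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    return (a.proto in ("any", b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def overlaps(a, b):
    return all(OVERLAP[f](getattr(a, f), getattr(b, f)) for f in FIELDS)

def build_tree(rules):
    """Policy decision tree: one level per field, leaves keep rules in order."""
    root = {}
    for r in rules:
        node = root
        for f in FIELDS:
            node = node.setdefault(getattr(r, f), {})
        node.setdefault("rules", []).append(r)
    return root

def _candidates(node, rule, depth=0):
    """Rules reachable from `node` through branches that overlap `rule`."""
    if depth == len(FIELDS):
        return list(node["rules"])
    f = FIELDS[depth]
    return [r for value, child in node.items()
            if OVERLAP[f](value, getattr(rule, f))
            for r in _candidates(child, rule, depth + 1)]

def check_policy(rules):
    """Step 3: classify anomalies (classes after Al-Shaer and Hamed) between each
    rule and the earlier rules overlapping it. Tuples are (kind, covering,
    affected) for shadowing/redundancy and (kind, earlier, later) otherwise."""
    tree = build_tree(rules)
    found = []
    for rj in rules:
        for ri in sorted(_candidates(tree, rj), key=lambda r: r.order):
            if ri.order >= rj.order:
                continue
            if covers(ri, rj):            # rj can never fire
                kind = "redundancy" if ri.action == rj.action else "shadowing"
                found.append((kind, ri.order, rj.order))
            elif covers(rj, ri):          # rj is a later, more general rule
                if ri.action != rj.action:
                    found.append(("generalization", ri.order, rj.order))
                elif not any(rk.action != ri.action and overlaps(rk, ri)
                             for rk in rules if ri.order < rk.order < rj.order):
                    found.append(("redundancy", rj.order, ri.order))
            elif ri.action != rj.action:  # partial overlap, opposite verdicts
                found.append(("correlation", ri.order, rj.order))
    return found

def correct_policy(rules):
    """Step 4: drop rules that never fire (shadowed) or never change the verdict
    (redundant). Generalization and correlation are reported for human review."""
    drop = {a[2] for a in check_policy(rules) if a[0] in ("shadowing", "redundancy")}
    return [r for r in rules if r.order not in drop]

CORRECTED = correct_policy(parse_policy(POLICY_TEXT))   # rules 1, 4 and 6 survive
```

On the sample policy, rule 2 is shadowed by rule 1, rule 3 is both redundant to rule 1 and shadowed by rule 2, and rule 5 is redundant to the final deny because the only packets it would catch fall through to rule 6 anyway; rule 2 is not reported as redundant to rule 6 because rule 3, with the opposite verdict, overlaps it in between. The rule 4/5 correlation and the generalizations by rule 6 are left in the report rather than auto-corrected, since removing either side changes the policy's behaviour and needs a human decision.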



Author information

Correspondence to Fakher Ben Ftima.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Ben Ftima, F., Karoui, K., Ben Ghezala, H. (2017). A Formal Approach for Network Security Policy Relevancy Checking. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science(), vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_42

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_42
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-64700-5
  • Online ISBN: 978-3-319-64701-2
