Abstract
A packet-filtering firewall accepts or denies each packet according to a set of predefined rules, the firewall policy. In recent years, time-based firewall policies, in which a rule applies only during a specified time range, have come into wide use, for example in Cisco ACLs. A firewall policy is always written to implement a security policy, a generic document that states which network access is to be permitted. Keeping an ordinary firewall policy consistent with its security policy is already difficult; time-based firewall policies add a further dimension along which the two can diverge. Although many analysis methods exist for security policies and firewall policies, they do not handle time constraints. To resolve this problem, we first represent the time-based security policy and the time-based firewall policy as logical formulas, and then use the satisfiability modulo theories (SMT) solver Z3 to verify them and to analyze inconsistencies. We have implemented a prototype system for the proposed method, and experimental results show its effectiveness.
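The method the abstract describes, as an added example rather than the paper's prototype: a time-based firewall policy with first-match semantics and a time-based security policy are both encoded as formulas over a symbolic packet and time, and Z3 is asked for a packet and a time at which the firewall's decision differs from what the security policy requires. The packet model (32-bit source address, destination port, time in minutes since Monday 00:00), the Cisco-style periodic time ranges and all rule data are constructed for illustration; the named time range `workhours` is deliberately entered as 10:00 rather than the intended 09:00 so that an inconsistency exists to be found. The script needs the `z3-solver` package; the concrete evaluator runs without it and is used to cross-check the model Z3 returns.

```python
"""Added example: time-based firewall policy vs. security policy, checked with Z3.

Packet model (an assumption of this example): 32-bit source address, destination
port, and time t in minutes since Monday 00:00 (0 <= t < 10080). Time ranges are
Cisco-style periodic ranges (set of weekdays, start minute, end minute).
"""
import ipaddress

try:
    import z3  # pip install z3-solver
    HAVE_Z3 = True
except ImportError:
    z3, HAVE_Z3 = None, False

MINUTES_PER_DAY = 1440
MINUTES_PER_WEEK = 7 * MINUTES_PER_DAY
WEEKDAYS = frozenset(range(5))  # Monday = 0 ... Friday = 4
ALL_DAYS = frozenset(range(7))


def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def minutes(day, hour, minute=0):
    """(day of week, hour, minute) -> minutes since Monday 00:00."""
    return day * MINUTES_PER_DAY + hour * 60 + minute


def prefix_mask(plen):
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


# Constructed data. Named time ranges as a firewall would define them; "workhours"
# was entered as 10:00 instead of the intended 09:00 (the inconsistency to find).
TIME_RANGES = {
    "any": (ALL_DAYS, 0, MINUTES_PER_DAY),
    "workhours": (WEEKDAYS, 10 * 60, 17 * 60),
}
# Rules and requirements share one shape:
# (action, src_net, prefix_len, dport_lo, dport_hi, time_range_name_or_tuple)
FIREWALL = [  # first match wins, then DEFAULT_ACTION
    ("permit", ip("10.0.1.0"), 24, 80, 80, "any"),
    ("deny", ip("10.0.0.0"), 16, 23, 23, "workhours"),
]
DEFAULT_ACTION = "permit"
SECURITY_POLICY = [  # required action wherever the requirement applies
    ("deny", ip("10.0.1.0"), 24, 23, 23, (WEEKDAYS, 9 * 60, 17 * 60)),
    ("permit", ip("10.0.1.0"), 24, 80, 80, (ALL_DAYS, 0, MINUTES_PER_DAY)),
]


def resolve(tr):
    return TIME_RANGES[tr] if isinstance(tr, str) else tr


# --- concrete semantics (reference evaluator, no solver needed) ----------------
def matches(rule, src, dport, t):
    _, net, plen, plo, phi, tr = rule
    days, start, end = resolve(tr)
    m = prefix_mask(plen)
    return ((src & m) == (net & m) and plo <= dport <= phi
            and (t // MINUTES_PER_DAY) in days and start <= t % MINUTES_PER_DAY < end)


def fw_decision(rules, default, src, dport, t):
    for rule in rules:
        if matches(rule, src, dport, t):
            return rule[0]
    return default


def sp_decision(policy, src, dport, t):
    """Action the security policy requires, or None if no requirement applies."""
    for req in policy:
        if matches(req, src, dport, t):
            return req[0]
    return None


# --- symbolic encoding over a Z3 packet (src: BitVec 32; dport, t: Int) --------
def matches_sym(rule, src, dport, t):
    _, net, plen, plo, phi, tr = rule
    days, start, end = resolve(tr)
    m = prefix_mask(plen)
    day, minute = t / MINUTES_PER_DAY, t % MINUTES_PER_DAY  # Int sort: div and mod
    return z3.And((src & m) == (net & m), dport >= plo, dport <= phi,
                  z3.Or([day == d for d in sorted(days)]), minute >= start, minute < end)


def find_inconsistency(rules, default, policy):
    """Return a packet/time where firewall decision != required action, or None."""
    src, dport, t = z3.BitVec("src", 32), z3.Int("dport"), z3.Int("t")
    # First-match semantics: fold the rule list from the last rule back to the first.
    permitted = z3.BoolVal(default == "permit")
    for rule in reversed(rules):
        permitted = z3.If(matches_sym(rule, src, dport, t),
                          z3.BoolVal(rule[0] == "permit"), permitted)
    violated = [z3.And(matches_sym(req, src, dport, t),
                       permitted != z3.BoolVal(req[0] == "permit")) for req in policy]
    s = z3.Solver()
    s.add(dport >= 0, dport <= 65535, t >= 0, t < MINUTES_PER_WEEK, z3.Or(violated))
    if s.check() != z3.sat:
        return None
    m = s.model()
    c_src, c_port, c_t = (m.eval(v, model_completion=True).as_long() for v in (src, dport, t))
    fw = fw_decision(rules, default, c_src, c_port, c_t)
    req = sp_decision(policy, c_src, c_port, c_t)
    # Cross-check the model with the concrete evaluator: an encoding error (wrong
    # fold order, off-by-one in a range) surfaces here instead of in the report.
    assert req is not None and fw != req, "symbolic encoding disagrees with concrete semantics"
    return {"src": str(ipaddress.IPv4Address(c_src)), "dport": c_port,
            "day": c_t // MINUTES_PER_DAY, "minute": c_t % MINUTES_PER_DAY,
            "firewall": fw, "required": req}


if __name__ == "__main__":
    print(find_inconsistency(FIREWALL, DEFAULT_ACTION, SECURITY_POLICY))
```

Running it reports a counterexample: a Telnet packet from 10.0.1.0/24 on a weekday between 09:00 and 10:00, which the firewall permits by its default action while the security policy requires it to be denied. Folding the rules in reverse order is what makes the nested `If` reproduce first-match semantics; the final cross-check against the concrete evaluator is there so that a mistake in that encoding is caught before the model is reported as a real inconsistency.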
Acknowledgments
This research was partially supported by the National Scholarship for Study Abroad of the China Scholarship Council (CSC) and by the National Natural Science Foundation of China (Nos. 60973122, 61572256).
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Yin, Y., Tateiwa, Y., Wang, Y., Katayama, Y., Takahashi, N. (2017). Inconsistency Analysis of Time-Based Security Policy and Firewall Policy. In: Duan, Z., Ong, L. (eds) Formal Methods and Software Engineering. ICFEM 2017. Lecture Notes in Computer Science(), vol 10610. Springer, Cham. https://doi.org/10.1007/978-3-319-68690-5_27
DOI: https://doi.org/10.1007/978-3-319-68690-5_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68689-9
Online ISBN: 978-3-319-68690-5