Abstract
Access control policies play a critical role in the security of enterprise networks deployed with a variety of policy-based devices (e.g., routers, firewalls, and IPSec). Usually, the security policies are configured in the network devices in a distributed fashion through sets of access control lists (ACLs). However, the increasing complexity of access control configurations, driven by larger networks and longer policies, makes configuration errors inevitable. Incorrect policy configuration leaves the network vulnerable to a range of attacks and security breaches. In this paper, we present an imperative framework, ConfigLEGO, that provides an open programming platform for building the network security configuration globally and analyzing it systematically. The ConfigLEGO engine uses Binary Decision Diagrams (BDDs) to build a Boolean model that represents the global system behavior, including all possible interactions between the various components, in an extensible and scalable manner. Our tool also provides a C/C++ API as a software wrapper on top of the BDD engine, allowing users to define topology, configurations, and reachability, and then analyze them at various abstraction levels, without requiring knowledge of BDD representation or operations.
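The Boolean-model approach the abstract describes, as an added example that is not ConfigLEGO's code (the real tool exposes a C/C++ API over its BDD engine): a minimal reduced ordered BDD in Python, with an assumed 12-bit header layout and two constructed firewall ACLs, used to check an end-to-end reachability intent across a path and to flag a shadowed rule.

```python
# Added example, not ConfigLEGO's code: a minimal reduced ordered BDD that models each ACL as a
# Boolean function over header bits. Assumed layout: src = bits 0-3, dst = bits 4-7, dport = bits 8-11.
SRC, DST, DPORT = 0, 4, 8
NODES = {0: (float("inf"), 0, 0), 1: (float("inf"), 1, 1)}  # id -> (var, low, high); 0/1 = FALSE/TRUE
UNIQUE, CACHE = {}, {}  # hash-consing table (gives canonical form) and apply() memo

def mk(var, low, high):  # node for 'if var then high else low'; equal children collapse
    if low == high:
        return low
    if (var, low, high) not in UNIQUE:
        UNIQUE[(var, low, high)] = len(NODES)
        NODES[len(NODES)] = (var, low, high)
    return UNIQUE[(var, low, high)]

def apply(op, u, v):  # 'and' / 'or' of two BDDs by Shannon expansion on the top variable
    if u in (0, 1) and v in (0, 1):
        return u & v if op == "and" else u | v
    if (op, u, v) not in CACHE:
        x = min(NODES[u][0], NODES[v][0])  # terminals carry var = inf, so they sort last
        u0, u1 = NODES[u][1:] if NODES[u][0] == x else (u, u)
        v0, v1 = NODES[v][1:] if NODES[v][0] == x else (v, v)
        CACHE[(op, u, v)] = mk(x, apply(op, u0, v0), apply(op, u1, v1))
    return CACHE[(op, u, v)]

def neg(u):  # complement: swap the terminals at the leaves
    return 1 - u if u in (0, 1) else mk(NODES[u][0], neg(NODES[u][1]), neg(NODES[u][2]))

def field_eq(offset, value, width=4):  # BDD for 'field at offset == value', MSB first
    bdd = 1
    for i in range(width):
        bit = (value >> (width - 1 - i)) & 1
        bdd = apply("and", bdd, mk(offset + i, 1 - bit, bit))
    return bdd

def acl(rules):  # first-match ACL, default deny -> (permitted-packet BDD, shadowed rule indexes)
    permit, matched, shadowed = 0, 0, []
    for i, (action, match) in enumerate(rules):
        fresh = apply("and", match, neg(matched))  # packets no earlier rule already decided
        shadowed += [i] if fresh == 0 else []
        permit = apply("or", permit, fresh) if action == "permit" else permit
        matched = apply("or", matched, match)
    return permit, shadowed

def audit():  # constructed scenario: host 3 must never reach server 9 via FW1 then FW2
    bad = apply("and", field_eq(SRC, 3), field_eq(DST, 9))
    fw1, _ = acl([("deny", bad), ("permit", apply("and", field_eq(DST, 9), field_eq(DPORT, 8)))])
    fw2, shadowed = acl([("permit", field_eq(DST, 9)), ("deny", bad)])  # deny rule comes too late
    path = apply("and", fw1, fw2)  # packets that every hop on the path forwards
    return {"fw2_alone_leaks": apply("and", fw2, bad) != 0, "fw2_shadowed": shadowed,
            "end_to_end_violation": apply("and", path, bad) != 0, "path_nonempty": path != 0}
```

Because the BDD is canonical, an empty packet set is always the terminal 0, so "is this reachable" and "is this rule shadowed" reduce to an integer comparison rather than a search.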
Copyright information
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cite this paper
Al-Haj, S., Bera, P., Al-Shaer, E. (2012). Build and Test Your Own Network Configuration. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_33
DOI: https://doi.org/10.1007/978-3-642-31909-9_33
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31908-2
Online ISBN: 978-3-642-31909-9