DOI: 10.1145/1866898.1866900
Research article

Generating policy based security implementation in enterprise network: a formal framework

Published: 04 October 2010

Abstract

The security management of a typical enterprise network, which comprises several network zones, is usually governed by the organizational security policy. The policy defines the service accesses (permit/deny) between the various network zones. The security implementation attempts to realize the policy through sets of access control lists (ACLs) on the network interfaces. This paper presents a framework for generating the correct implementation model, given the organizational security policy and the underlying network topology. There are two major challenges, namely, (i) deriving the conflict-free model of the organizational security policy and (ii) extracting the correct ACL distribution for the network. The framework formally models the organizational security policy and generates the conflict-free policy model by resolving the policy rule conflicts. Then, the ACL implementation model is extracted from the conflict-free policy model and the underlying network topology. The efficacy of the proposed framework has been demonstrated through a case study.
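As an added illustration (not the paper's own code or framework), the following Python sketch walks the abstract's two steps over a constructed zone policy and topology: contradicting rules for the same zone pair and service are resolved by an assumed priority order, and the conflict-free rules are then placed as inbound ACL entries on the interface where the source zone attaches, using breadth-first reachability over the router links to skip unreachable zone pairs. All zone, router and interface names are made up.

```python
from collections import deque
# Constructed policy: (src, dst, service, action, priority); the assumed
# resolution strategy is that the smaller priority number wins a contradiction.
POLICY = [
    ("Admin", "DB", "tcp/3306", "permit", 1),
    ("Admin", "DB", "tcp/3306", "deny", 3),  # contradicts the rule above
    ("Guest", "DB", "tcp/3306", "deny", 2),
    ("Guest", "Web", "tcp/80", "permit", 2),
]
# Constructed topology: zone -> (router, zone-facing interface); router links.
ZONE_ATTACH = {"Admin": ("R1", "gi0/1"), "Guest": ("R1", "gi0/2"),
               "Web": ("R2", "gi0/1"), "DB": ("R2", "gi0/2"), "Lab": ("R3", "gi0/1")}
LINKS = {"R1": ["R2"], "R2": ["R1"]}  # R3 (Lab) is deliberately isolated

def resolve_conflicts(policy):
    """Conflict-free policy {(src, dst, svc): action} and the contradicting keys."""
    best, conflicts = {}, set()
    for src, dst, svc, action, prio in policy:
        key = (src, dst, svc)
        if key in best and best[key][0] != action:
            conflicts.add(key)
        if key not in best or prio < best[key][1]:
            best[key] = (action, prio)
    return {k: v[0] for k, v in best.items()}, sorted(conflicts)

def reachable(a, b):
    """Breadth-first search over LINKS: can router a forward traffic to router b?"""
    seen, queue = {a}, deque([a])
    while queue:
        r = queue.popleft()
        if r == b:
            return True
        for nxt in LINKS.get(r, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def extract_acls(resolved):
    """Place each rule inbound on the interface where its source zone attaches,
    the earliest enforcement point; unreachable zone pairs get no ACL entry."""
    acls = {}
    for (src, dst, svc), action in resolved.items():
        if reachable(ZONE_ATTACH[src][0], ZONE_ATTACH[dst][0]):
            acls.setdefault(ZONE_ATTACH[src], []).append((src, dst, svc, action))
    return acls

def lookup(acls, src, dst, svc):
    """First match on the source zone's inbound ACL; implicit deny otherwise."""
    hits = [a for s, d, v, a in acls.get(ZONE_ATTACH[src], [])
            if (s, d, v) == (src, dst, svc)]
    return hits[0] if hits else "deny"
```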



Published In

SafeConfig '10: Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
October 2010
98 pages
ISBN:9781450300933
DOI:10.1145/1866898
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. access control list (acl)
  2. formal model
  3. network security
  4. security policy

Qualifiers

  • Research-article

Conference

CCS '10

Acceptance Rates

Overall Acceptance Rate 22 of 61 submissions, 36%


Article Metrics

  • Total Citations: 0
  • Total Downloads: 450
  • Downloads (last 12 months): 4
  • Downloads (last 6 weeks): 0
Reflects downloads up to 25 Feb 2025
