ABSTRACT
The security management of a typical enterprise network, which comprises several network zones, is usually governed by the organizational security policy. The policy defines the service accesses (permit/deny) between the network zones. The security implementation attempts to realize the policy through sets of access control lists (ACLs) on the network interfaces. This paper presents a framework for generating the correct implementation model, given the organizational security policy and the underlying network topology. There are two major challenges: (i) deriving a conflict-free model of the organizational security policy, and (ii) extracting the correct ACL distribution for the network. The framework formally models the organizational security policy and generates the conflict-free policy model by resolving the conflicts between policy rules. The ACL implementation model is then extracted from the conflict-free policy model and the underlying network topology. The efficacy of the proposed framework is demonstrated through a case study.
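The pipeline the abstract describes (zone-level policy rules, conflict detection and resolution, ACL extraction against the topology, and a check that the ACLs realize the policy) is illustrated below with an added example that is not the paper's own code. The rule format, the resolution order (more specific rule wins, then lower priority number), the sample zones, prefixes, service ports and the placement strategy (filter inbound on the interface where the source zone enters the network) are all assumptions chosen for the illustration; the paper's actual modelling and resolution method may differ.

```python
"""Policy -> conflict-free model -> per-interface ACLs -> verification.

Added example, not the paper's code. Rule format, resolution order, the
constructed topology, ports and ACL placement strategy are assumptions.
"""
import ipaddress
from itertools import combinations

# Constructed sample policy: (src_zone, dst_zone, service, action, priority)
POLICY = [
    ("*",   "*",  "*",    "deny",   9),   # default deny between zones
    ("HR",  "DB", "sql",  "permit", 2),
    ("HR",  "DB", "sql",  "deny",   1),   # contradicts the rule above
    ("ENG", "DB", "*",    "permit", 3),
    ("ENG", "DB", "ssh",  "deny",   4),   # exception to the rule above
    ("*",   "DB", "http", "permit", 5),
]
# Constructed sample topology: zone prefixes and the (router, interface)
# at which each zone is attached to the Layer-3 network.
ZONES = {"HR": "10.1.0.0/16", "ENG": "10.2.0.0/16", "DB": "10.3.0.0/16"}
ATTACH = {"HR": ("R1", "Gi0/0"), "ENG": ("R1", "Gi0/1"), "DB": ("R2", "Gi0/0")}
PORTS = {"sql": 1433, "ssh": 22, "http": 80}   # assumed service ports

def _match(field, value):
    return field == "*" or field == value

def overlap(a, b):
    """True if some concrete (src, dst, service) triple matches both rules."""
    return all(x == y or "*" in (x, y) for x, y in zip(a[:3], b[:3]))

def subsumes(a, b):
    """True if rule a matches every triple that rule b matches."""
    return all(x == y or x == "*" for x, y in zip(a[:3], b[:3]))

def specificity(rule):
    return sum(f != "*" for f in rule[:3])

def find_conflicts(policy):
    """Overlapping rule pairs whose actions disagree, classified as a real
    contradiction (same key), an exception (one key subsumes the other) or a
    partial overlap (neither subsumes; only the priority can decide)."""
    found = []
    for a, b in combinations(policy, 2):
        if overlap(a, b) and a[3] != b[3]:
            if a[:3] == b[:3]:
                kind = "contradiction"
            elif subsumes(a, b) or subsumes(b, a):
                kind = "exception"
            else:
                kind = "partial overlap"
            found.append((kind, a, b))
    return found

def resolve(policy):
    """Conflict-free model: order rules so that first-match is unambiguous
    (more specific first, then lower priority number) and drop every rule
    whose key is already taken by a higher-ranked rule (contradictions)."""
    ordered = sorted(policy, key=lambda r: (-specificity(r), r[4]))
    seen, model = set(), []
    for r in ordered:
        if r[:3] not in seen:
            seen.add(r[:3])
            model.append(r)
    return model

def decide(model, src, dst, svc):
    """First-match evaluation of the conflict-free policy model."""
    for s, d, v, action, _ in model:
        if _match(s, src) and _match(d, dst) and _match(v, svc):
            return action
    return "deny"

def extract_acls(model):
    """ACL implementation model: one concrete entry per (src, dst, service),
    placed inbound on the interface where the source zone is attached, which
    is the enforcement point shared by every path leaving that zone."""
    acls = {}
    for src in ZONES:
        for dst in ZONES:
            if src == dst:
                continue
            for svc in sorted(PORTS):
                entry = (decide(model, src, dst, svc), src, dst, svc)
                acls.setdefault(ATTACH[src], []).append(entry)
    return acls

def render(acls):
    """Cisco-style extended ACL lines (address + wildcard mask) per interface."""
    out = {}
    for (router, iface), entries in acls.items():
        lines = []
        for action, src, dst, svc in entries:
            s = ipaddress.ip_network(ZONES[src])
            d = ipaddress.ip_network(ZONES[dst])
            lines.append(f"{action} tcp {s.network_address} {s.hostmask} "
                         f"{d.network_address} {d.hostmask} eq {PORTS[svc]}")
        out[f"{router} {iface} in"] = lines
    return out

def acl_decision(acls, src, dst, svc):
    """Simulate a packet: first matching inbound entry on the entry interface."""
    for action, s, d, v in acls.get(ATTACH[src], []):
        if (s, d, v) == (src, dst, svc):
            return action
    return "deny"   # implicit deny at the end of every ACL

def verify(model, acls):
    """Every concrete flow must get the same verdict from policy and ACLs."""
    return all(decide(model, s, d, v) == acl_decision(acls, s, d, v)
               for s in ZONES for d in ZONES if s != d for v in PORTS)

if __name__ == "__main__":
    for kind, a, b in find_conflicts(POLICY):
        print(f"{kind}: {a} vs {b}")
    model = resolve(POLICY)
    acls = extract_acls(model)
    for iface, lines in render(acls).items():
        print(iface)
        for line in lines:
            print("  " + line)
    print("implementation realizes policy:", verify(model, acls))
```

The sample policy contains one real contradiction (two HR to DB sql rules with opposite actions) and four exceptions to broader rules; only the contradiction is removed, the exceptions are resolved by ordering. The final `verify` step is the check a practitioner wants before pushing the ACLs: it enumerates every zone pair and service and compares the policy verdict with the simulated ACL verdict.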
Generating policy based security implementation in enterprise network: a formal framework