Inconsistency Analysis of Time-Based Security Policy and Firewall Policy

Cited by: 2
Authors
Yin, Yi [1 ,2 ]
Tateiwa, Yuichiro [3 ]
Wang, Yun [1 ]
Katayama, Yoshiaki [3 ]
Takahashi, Naohisa [3 ]
Affiliations
[1] Southeast Univ, Sch Comp Sci & Engn, Nanjing, Jiangsu, Peoples R China
[2] Nanjing Normal Univ, Sch Comp Sci & Technol, Nanjing, Jiangsu, Peoples R China
[3] Nagoya Inst Technol, Grad Sch Engn, Dept Comp Sci & Engn, Nagoya, Aichi, Japan
Funding
National Natural Science Foundation of China
Keywords
Security policy; Firewall policy; Time-based rules; Satisfiability modulo theories;
DOI
10.1007/978-3-319-68690-5_27
Chinese Library Classification
TP31 [Computer software]
Discipline classification code
081202; 0835
Abstract
Packet filtering in a firewall either accepts or denies packets according to a set of predefined rules called the firewall policy. In recent years, time-based firewall policies have come into wide use in many firewalls, such as Cisco ACLs. A firewall policy is always designed under the guidance of a security policy, a generic document that states the requirements for network access permissions. It is difficult to keep an ordinary firewall policy consistent with its security policy, let alone a time-based firewall policy. Although many analysis methods exist for security policies and firewall policies, they cannot handle time constraints. To resolve this problem, we first represent the time-based security policy and firewall policy as logical formulas, and then use the satisfiability modulo theories (SMT) solver Z3 to verify them and analyze inconsistencies. We have implemented a prototype system to validate the proposed method; experimental results show its effectiveness.
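The verification step the abstract describes, as an added example that is not the authors' prototype: both policies are written as predicates over (source, destination, destination port, minute of day), and the checker looks for a packet and a time at which the firewall's first-match decision contradicts what the security policy requires. Where the paper hands the encoded formulas to the Z3 SMT solver, this example swaps in exhaustive enumeration over a small constructed domain (two sources, two destinations, two ports, every minute of one day), which is enough to expose the disagreement windows; the `strip_time` helper runs the same check with every time-range treated as always active, which is what a time-agnostic analyzer would see. All addresses, ports, windows, rule text and the `Selector`, `FwRule` and `Requirement` names are assumptions of this example, not from the paper.

```python
# Added example, not the authors' prototype. The paper encodes both policies as
# formulas for the Z3 SMT solver; here the solver is replaced by exhaustive
# enumeration over a small domain. All addresses, ports, windows and rules are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MINUTES_PER_DAY = 24 * 60
Window = Optional[Tuple[int, int]]  # half-open [start, end) in minutes since midnight; None = always

def in_window(window: Window, minute: int) -> bool:
    """(9 * 60, 18 * 60) covers 09:00 through 17:59."""
    return window is None or window[0] <= minute < window[1]

@dataclass(frozen=True)
class Selector:
    """Header match; None in a field means 'any', like an ACL wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, src, dst, dport):
        return ((self.src is None or self.src == src) and
                (self.dst is None or self.dst == dst) and
                (self.dport is None or self.dport == dport))

@dataclass(frozen=True)
class FwRule:
    action: str  # "permit" or "deny"; the entry matches only while its time-range is active
    sel: Selector
    window: Window = None

@dataclass(frozen=True)
class Requirement:
    """Selected traffic must get `inside` during the window and `outside` otherwise (None = unspecified)."""
    sel: Selector
    window: Window
    inside: Optional[str]
    outside: Optional[str] = None

def fw_decision(rules: List[FwRule], src, dst, dport, minute) -> str:
    """First-match semantics with an implicit deny, as in Cisco ACLs."""
    for r in rules:
        if r.sel.matches(src, dst, dport) and in_window(r.window, minute):
            return r.action
    return "deny"

def sp_decision(reqs: List[Requirement], src, dst, dport, minute) -> Optional[str]:
    """Action demanded by the first applicable requirement, or None if none applies."""
    for q in reqs:
        if q.sel.matches(src, dst, dport):
            return q.inside if in_window(q.window, minute) else q.outside
    return None

def find_inconsistencies(rules, reqs, srcs, dsts, dports):
    """Every maximal time interval in which the firewall contradicts the policy, as
    (src, dst, dport, start_minute, end_minute_exclusive, fw_action, required_action)."""
    found = []
    for src in srcs:
        for dst in dsts:
            for dport in dports:
                cur = None  # (start, fw_action, required) of the currently open bad interval
                for minute in range(MINUTES_PER_DAY + 1):  # the extra step closes a trailing interval
                    bad = None
                    if minute < MINUTES_PER_DAY:
                        fw = fw_decision(rules, src, dst, dport, minute)
                        sp = sp_decision(reqs, src, dst, dport, minute)
                        if sp is not None and fw != sp:
                            bad = (fw, sp)
                    if cur and bad != cur[1:]:
                        found.append((src, dst, dport, cur[0], minute) + cur[1:])
                        cur = None
                    if bad and cur is None:
                        cur = (minute,) + bad
    return found

def strip_time(rules, reqs):
    """What a time-agnostic analyzer sees: every time-range treated as always active."""
    return ([FwRule(r.action, r.sel) for r in rules],
            [Requirement(q.sel, None, q.inside, q.outside) for q in reqs])

# Constructed security policy: the admin host may SSH to the DB server only in business hours;
# anyone may reach the web server on 443 at any time.
SECURITY_POLICY = [
    Requirement(Selector(src="10.0.0.5", dst="10.0.1.10", dport=22), (9 * 60, 18 * 60), "permit", "deny"),
    Requirement(Selector(dst="10.0.1.20", dport=443), None, "permit"),
]
# Constructed firewall policy meant to implement it: entry 1 closes an hour early,
# entry 3 is a leftover maintenance window the security policy never allowed.
FIREWALL_POLICY = [
    FwRule("permit", Selector(src="10.0.0.5", dst="10.0.1.10", dport=22), (9 * 60, 17 * 60)),
    FwRule("permit", Selector(dst="10.0.1.20", dport=443)),
    FwRule("permit", Selector(src="10.0.0.5", dst="10.0.1.10", dport=22), (22 * 60, 23 * 60)),
]
SRCS, DSTS, DPORTS = ["10.0.0.5", "10.0.0.7"], ["10.0.1.10", "10.0.1.20"], [22, 443]

def analyze(time_aware=True):
    rules, reqs = (FIREWALL_POLICY, SECURITY_POLICY) if time_aware else strip_time(FIREWALL_POLICY, SECURITY_POLICY)
    return find_inconsistencies(rules, reqs, SRCS, DSTS, DPORTS)

if __name__ == "__main__":
    print(*analyze(), sep="\n")
    print("time-agnostic check reports:", analyze(time_aware=False))
```

Running it reports two intervals for the admin host's SSH traffic: minutes 1020 to 1080 (17:00 to 18:00), where the firewall denies what the policy requires permitted because the ACL's time-range ends an hour early, and minutes 1320 to 1380 (22:00 to 23:00), where the firewall permits what the policy requires denied because of the stale maintenance entry. The time-agnostic run reports nothing for the same input, which is the gap the abstract points at. In a real deployment the enumeration would be replaced by the SMT encoding, since address and port spaces are far too large to enumerate.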
Pages: 447 / 463
Page count: 17