Inconsistency Analysis of Time-Based Security Policy and Firewall Policy

Cited by: 2
Authors
Yin, Yi [1 ,2 ]
Tateiwa, Yuichiro [3 ]
Wang, Yun [1 ]
Katayama, Yoshiaki [3 ]
Takahashi, Naohisa [3 ]
Affiliations
[1] Southeast Univ, Sch Comp Sci & Engn, Nanjing, Jiangsu, Peoples R China
[2] Nanjing Normal Univ, Sch Comp Sci & Technol, Nanjing, Jiangsu, Peoples R China
[3] Nagoya Inst Technol, Grad Sch Engn, Dept Comp Sci & Engn, Nagoya, Aichi, Japan
Funding
National Natural Science Foundation of China;
Keywords
Security policy; Firewall policy; Time-based rules; Satisfiability modulo theories;
DOI
10.1007/978-3-319-68690-5_27
Chinese Library Classification (CLC)
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
Packet filtering in a firewall either accepts or denies packets based on a set of predefined rules called the firewall policy. In recent years, time-based firewall policies have come into wide use in many firewalls, such as Cisco ACLs. A firewall policy is always designed under the guidance of a security policy, a generic document that outlines the requirements for network access permissions. It is difficult to maintain consistency between an ordinary firewall policy and the security policy, let alone between a time-based firewall policy and the security policy. Although many analysis methods exist for security policies and firewall policies, they cannot handle time constraints. To resolve this problem, we first represent the time-based security policy and firewall policy as logical formulas, and then use the satisfiability modulo theories (SMT) solver Z3 to verify them and analyze inconsistencies. We have implemented a prototype system to validate the proposed method; experimental results showed its effectiveness.
Pages: 447 / 463
Page count: 17