An Inconsistency Detection Method for Security Policy and Firewall Policy Based on CSP Solver

Cited by: 1
Authors
Yin, Yi [1 ,2 ]
Tateiwa, Yuichiro [3 ]
Wang, Yun [1 ]
Katayama, Yoshiaki [3 ]
Takahashi, Naohisa [3 ]
Affiliations
[1] Southeast Univ, Sch Comp Sci & Engn, Nanjing, Jiangsu, Peoples R China
[2] Nanjing Normal Univ, Sch Comp Sci & Technol, Nanjing, Jiangsu, Peoples R China
[3] Nagoya Inst Technol, Grad Sch Engn, Dept Comp Sci & Engn, Nagoya, Aichi, Japan
Source
Funding
National Natural Science Foundation of China
Keywords
Security policy; Firewall policy; CSP problem;
DOI
10.1007/978-3-319-68542-7_13
CLC number
TP [Automation technology, computer technology]
Discipline code
0812
Abstract
Packet filtering in a firewall either accepts or denies network packets based upon a set of pre-defined rules called the firewall policy. A firewall policy is always designed under the guidance of a security policy, which is a generic document that outlines the requirements for network access permissions. The design of the firewall policy should therefore be consistent with the security policy. If the firewall policy is not consistent with the security policy, the firewall policy may violate the intentions of the security policy, which can result in critical security vulnerabilities. This paper extends our previous method, which represented the security policy and the firewall policy as a Constraint Satisfaction Problem (CSP) and used the CSP solver Sugar only to verify whether they are consistent. In this paper, we propose a method to detect and resolve inconsistencies between a firewall policy and a security policy. We have implemented a prototype system to verify the proposed method, and experimental results show its effectiveness.
Pages: 147 / 161
Page count: 15
Related papers
50 items in total
  • [41] Dynamic Policy-Based Routing using Firewall Rules
    Tantipongsakul, Kavin
    Khunkitti, Akharin
    2009 THIRD UKSIM EUROPEAN SYMPOSIUM ON COMPUTER MODELING AND SIMULATION (EMS 2009), 2009, : 540 - 545
  • [42] Content Security Policy (CSP) as countermeasure to Cross Site Scripting (XSS) attacks
    Dolnak, Ivan
    2017 15TH IEEE INTERNATIONAL CONFERENCE ON EMERGING ELEARNING TECHNOLOGIES AND APPLICATIONS (ICETA 2017), 2017, : 99 - 102
  • [43] Policy-based proactive monitoring of security policy performance
    Bogdanov, Vitaly
    Kotenko, Igor
    COMPUTER NETWORK SECURITY, PROCEEDINGS, 2007, 1 : 197 - +
  • [44] Policy conflict detection method based on model checking
    Wu, D., 1600, Univ. of Electronic Science and Technology of China (42):
  • [45] A security policy and Network Cartography based Intrusion Detection and Prevention Systems
    Meharouech, Sourour
    Bouhoula, Adel
    Abbes, Tarek
    JOURNAL OF INFORMATION ASSURANCE AND SECURITY, 2009, 4 (04): : 279 - 291
  • [46] Distributed Firewall Policy Based on Traffic Engineering in Software Defined Network
    Sill Jiugen
    Wang Ji
    Zhang Jing
    Xu Hao
    JOURNAL OF ELECTRONICS & INFORMATION TECHNOLOGY, 2019, 41 (01) : 91 - 98
  • [47] Security Policy Conflict Detection for Distributed System
    Zhang, AiJuan
    Ji, Cheng
    Wang, Jian
    ADVANCED RESEARCH ON MATERIAL ENGINEERING, CHEMISTRY AND BIOINFORMATICS, PTS 1 AND 2 (MECB 2011), 2011, 282-283 : 173 - +
  • [48] Enterprise network: Security enhancement and policy management using next-generation firewall (ngfw)
    Arefin M.T.
    Uddin M.R.
    Evan N.A.
    Alam M.R.
    Lecture Notes on Data Engineering and Communications Technologies, 2021, 66 : 753 - 769
  • [49] A novel method of constituting network security policy based on attack graphs
    Ma, Junchun
    Wang, Yongjun
    Sun, Jiyin
    Ma, J. (chenshan1223@126.com), 1600, Inst. of Scientific and Technical Information of China (22): : 374 - 381
  • [50] UML based Security Function Policy Verification Method for Requirements Specification
    Noro, Atsushi
    Matsuura, Saeko
    2013 IEEE 37TH ANNUAL COMPUTER SOFTWARE AND APPLICATIONS CONFERENCE (COMPSAC), 2013, : 832 - 833