Complete analysis of configuration rules to guarantee reliable network security policies

Special Issue Paper, International Journal of Information Security

Abstract

The use of different network security components, such as firewalls and network intrusion detection systems (NIDSs), is the dominant method of enforcing and monitoring the security policy of current corporate networks. Configuring these components properly requires several sets of security rules. However, anomalies between those rules, particularly in distributed multi-component scenarios, are very likely to degrade the network security policy. Discovering and removing these anomalies is a serious and complex problem. In this paper, we present a complete set of mechanisms for such management.
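To make the kind of inter-rule anomaly the abstract refers to concrete, the following is an added illustration, not the paper's own mechanisms (which this page does not reproduce). It is a pairwise check over a single ordered, first-match filtering policy and reports three commonly discussed anomaly classes: a later rule that can never fire because an earlier rule with the opposite action already covers it (shadowing), a rule whose removal changes no decision (redundancy), and two partially overlapping rules with opposite actions whose outcome depends only on their order (correlation). The rule set, addresses, rule names and the `Rule`/`rule`/`covers`/`overlaps`/`analyze` helpers are all constructed for this example.

```python
"""Pairwise anomaly detection over an ordered, first-match filtering policy.

Added illustration for this page; it is NOT the paper's own algorithm.
Every rule, address and name below is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: tuple          # (low, high), inclusive destination-port range
    action: str           # "accept" or "deny"


def rule(name, src, dst, dport, action):
    """Build a Rule; dport may be a single port or an inclusive (low, high) tuple."""
    lo, hi = dport if isinstance(dport, tuple) else (dport, dport)
    return Rule(name, ip_network(src), ip_network(dst), (lo, hi), action)


def covers(a, b):
    """True if every packet matched by b is also matched by a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def overlaps(a, b):
    """True if at least one packet is matched by both a and b."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def analyze(rules):
    """Return (anomaly, rule, other_rule) triples for an ordered rule list.

    shadowed   : `rule` can never fire; an earlier rule with the opposite
                 action already decides every packet it could match.
    redundant  : `rule` can be removed without changing any decision.
    correlated : `rule` and `other_rule` partially overlap with opposite
                 actions, so the decision for the overlap depends on order.
    """
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((kind, later.name, earlier.name))
                break                      # `later` is dead; nothing more to learn
            if covers(later, earlier):
                # Same action and no rule in between that overlaps `earlier` with a
                # different action: `earlier` adds nothing, `later` decides the same way.
                if earlier.action == later.action and not any(
                        r.action != earlier.action and overlaps(r, earlier)
                        for r in rules[i + 1:j]):
                    findings.append(("redundant", earlier.name, later.name))
                # Opposite action: `earlier` is a deliberate exception to `later`.
                continue
            if overlaps(earlier, later) and earlier.action != later.action:
                findings.append(("correlated", later.name, earlier.name))
    return findings


# Constructed sample policy (first match wins, read top to bottom).
SAMPLE_POLICY = [
    rule("r1", "10.0.0.0/8",    "192.168.1.10",   22,           "deny"),
    rule("r2", "10.1.0.0/16",   "192.168.1.10",   22,           "accept"),  # shadowed by r1
    rule("r3", "0.0.0.0/0",     "192.168.1.0/24", 80,           "accept"),
    rule("r4", "172.16.0.0/12", "192.168.1.0/24", 80,           "accept"),  # redundant: r3 already accepts
    rule("r5", "10.0.0.0/8",    "192.168.1.20",   (1, 1024),    "accept"),
    rule("r6", "10.2.0.0/16",   "192.168.1.0/24", (1000, 2000), "deny"),    # correlated with r5
    rule("r7", "10.3.0.0/16",   "192.168.1.0/24", 443,          "accept"),  # redundant: r8 covers it
    rule("r8", "10.0.0.0/8",    "192.168.1.0/24", 443,          "accept"),
]

if __name__ == "__main__":
    for kind, name, other in analyze(SAMPLE_POLICY):
        print(f"{kind:10s} {name} (w.r.t. {other})")
```

Two caveats a practitioner should keep in mind. The check is pairwise, so a rule that is dead only because the union of several earlier rules covers it is not reported; a complete analysis has to reason about the set of packets left undecided by all preceding rules, not one predecessor at a time. And this looks at a single component, whereas the abstract's concern is the distributed case: the same covers/overlaps comparison has to be applied between rules of different firewalls and NIDSs along a traffic path, since a rule that is sound on one device can be made useless or contradicted by a device upstream of it.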



Corresponding author

Correspondence to J. G. Alfaro.

Cite this article

Alfaro, J.G., Boulahia-Cuppens, N. & Cuppens, F. Complete analysis of configuration rules to guarantee reliable network security policies. Int. J. Inf. Secur. 7, 103–122 (2008). https://doi.org/10.1007/s10207-007-0045-7
