Specification and Verification of Security Policies in Firewalls

  • Rasool Jalili
  • Mohsen Rezvani
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2510)


Rules are used as a way of managing and configuring firewalls to fulfill security requirements in most cases. Managers have to specify their organizational security policies using low level and order-dependent rules. Furthermore, dependency of firewalls to the network topology, frequent changes in network topology (specially in dynamic networks), and lack of a method for analysis and verification of specified security policy may reduce to inconsistencies and security holes. Existence of a higher level environment for security policy specification can rectify part of the problems. In this paper we present a language for high level and formal specification of security policy in firewalls. Using the language, a security manager can configure its firewall based on his required security policy independent of the network topology. The language is used as a framework for analysis and verification of security policies. We designed and implemented a tool based on theorem proving for detecting inconsistencies, coverage, as well as applying a query on the specified policy. Results of analysis can be used to detect security vulnerabilities.


Firewall Formal Specification Security Policy 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alur R. and Henzinger T.A. Computer-Aided Verification: An Introduction to Model Building and Model Checking for Concurrent Systems. Draft, 1999.Google Scholar
  2. 2.
    Anderson J.P., Brand S., Gong L., and Haigh T. Firewall: An expert roundtable. IEEE Software, 14(5):60–66, September/October 1997.Google Scholar
  3. 3.
    Bartal Y., Mayer A., Nissim K., and Wool A. Firmato: A novel firewall management toolkit. In Proceedings of the IEEE Symposium on Security and Privacy, pages 17–31, May 1999.Google Scholar
  4. 4.
    Cholvy L. and Cuppens F. Analyzing consistency of security policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 103–112, May 1997.Google Scholar
  5. 5.
    Goubault-Larrecq J. and Mackie I. Proof Theory and Automated Deduction, volume 6 of Applied Logic Series. Kluwer Academic Publishers, Dordrecht, 1997.zbMATHGoogle Scholar
  6. 6.
    Guttman J.D. Filtering postures: Local enforcement for global policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120–129, Los Alamitos, 1997.Google Scholar
  7. 7.
    Hoagland J. Specifying and Implementing Security Policy using LaSCO, the Language for Security Constraints on Objects. PhD thesis, The University of California Davis, Department of Computer Science, March 2000.Google Scholar
  8. 8.
    Manna Z. and Pnueli A. Temporal Verification of Reactive Systems: Safety. Springer-Verlang, New York, 1995.Google Scholar
  9. 9.
    Mayer A., Wool A., and Ziskin E. Fang: A firewall analysis engine. In Proceedings of the IEEE Symposium on Security and Privacy, pages 177–190, May 2000.Google Scholar
  10. 10.
    Ortalo R. Using deontic logic for security policy specification. Tech. Report 96380, LAAS-CNRS Toulouse, France, October 1996.Google Scholar
  11. 11.
    Peri R.V. Specification and Verification of Security Policies. PhD thesis, The University of Virginia, School of Engineering and Applied Science, January 1996.Google Scholar
  12. 12.
    Rezvani M. High Level Security Policy Specification in Firewalls. Master’s thesis, Dept. of Computer Engineering, Sharif University of Technology, September 2001, In Persian.Google Scholar
  13. 13.
    Stevens W.R. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional Computing Series. Addison-Wesley, Reading, MA, USA, 1994.Google Scholar
  14. 14.
    Wack J.P. and Carnahan L.J. Keeping your site comfortably secure: An introduction to Internet firewalls. NIST special publication Computer security 800-10, U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology, U.S. G.P.O., Gaithersburg, MD, USA, 1994.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Rasool Jalili
    • 1
  • Mohsen Rezvani
    • 1
  1. 1.Department of Computer EngineeringSharif University of TechnologyTehranIran

Personalised recommendations