Skip to main content

Model-Driven Extraction and Analysis of Network Security Policies

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNPSE,volume 8107)

Abstract

Firewalls are a key element in network security. They are in charge of filtering the traffic of the network in compliance with a number of access-control rules that enforce a given security policy. In an always-evolving context, where security policies must often be updated to respond to new security requirements, knowing with precision the policy being enforced by a network system is a critical information. Otherwise, we risk to hamper the proper evolution of the system and compromise its security. Unfortunately, discovering such enforced policy is an error-prone and time consuming task that requires low-level and, often, vendor-specific expertise since firewalls may be configured using different languages and conform to a complex network topology. To tackle this problem, we propose a model-driven reverse engineering approach able to extract the security policy implemented by a set of firewalls in a working network, easing the understanding, analysis and evolution of network security policies.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-642-41533-3_4
  • Chapter length: 17 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   109.00
Price excludes VAT (USA)
  • ISBN: 978-3-642-41533-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   143.00
Price excludes VAT (USA)

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Building secure software: how to avoid security problems the right way. Addison-Wesley Longman Publishing Co., Inc., Boston (2002)

    Google Scholar 

  2. Firewall Reverse Engineering project web site (2013), http://www.emn.fr/z-info/atlanmod/index.php/Firewall_Reverse_Engineering

  3. Alam, M., Hafner, M., Breu, R.: Constraint based role based access control in the sectet-framework: A model-driven approach. J. Comput. Secur. 16(2), 223–260 (2008)

    Google Scholar 

  4. Bartal, Y., Mayer, A., Nissim, K., Wool, A.: Firmato: A novel firewall management toolkit. ACM Trans. Comput. Syst. 22(4), 381–420 (2004)

    CrossRef  Google Scholar 

  5. Bishop, M., Peisert, S.: Your security policy is what?? Technical report (2006)

    Google Scholar 

  6. Brucker, A.D., Brügger, L., Kearney, P., Wolff, B.: Verified firewall policy transformations for test-case generation. In: Third International Conference on Software Testing, Verification, and Validation (ICST), pp. 345–354. IEEE Computer Society, Los Alamitos (2010)

    CrossRef  Google Scholar 

  7. Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Proceedings of the 27th International Conference on Software Engineering, ICSE 2005, pp. 196–205. ACM, New York (2005)

    Google Scholar 

  8. Garcia-Alfaro, J., Boulahia-Cuppens, N., Cuppens, F.: Complete analysis of configuration rules to guarantee reliable network security policies. Int. J. Inf. Secur. 7(2), 103–122 (2008)

    CrossRef  Google Scholar 

  9. Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N.: Aggregating and deploying network access control policies, pp. 532–542. IEEE Computer Society, Los Alamitos (2007)

    Google Scholar 

  10. Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N.: Management of exceptions on access control policies. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds.) SEC. IFIP, vol. 232, pp. 97–108. Springer, Boston (2007)

    Google Scholar 

  11. Hughes, G., Bultan, T.: Automated verification of access control policies using a sat solver. Int. J. Softw. Tools Technol. Transf. 10(6), 503–520 (2008)

    CrossRef  Google Scholar 

  12. Jouault, F., Kurtev, I.: Transforming models with ATL. In: Bruel, J.-M. (ed.) MoDELS 2005. LNCS, vol. 3844, pp. 128–138. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  13. Lockhart, H., Parducci, B., Anderson, A.: OASIS XACML TC (2013)

    Google Scholar 

  14. Martínez, S., Cabot, J., Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N.: A model-driven approach for the extraction of network access-control policies. In: Proceedings of the Workshop on Model-Driven Security, MDsec 2012, pp. 5:1–5:6. ACM (2012)

    Google Scholar 

  15. Mayer, A., Wool, A., Ziskind, E.: Fang: A firewall analysis engine. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, SP 2000, pp. 177–187. IEEE Computer Society, Washington, DC (2000)

    CrossRef  Google Scholar 

  16. Mouelhi, T., Fleurey, F., Baudry, B., Le Traon, Y.: A model-based framework for security policy specification, deployment and testing. In: Czarnecki, K., Ober, I., Bruel, J.-M., Uhl, A., Völter, M. (eds.) MODELS 2008. LNCS, vol. 5301, pp. 537–552. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  17. Nelson, T., Barratt, C., Dougherty, D.J., Fisler, K., Krishnamurthi, S.: The margrave tool for firewall analysis. In: Proceedings of the 24th International Conference on Large Installation System Administration, LISA 2010, pp. 1–8. USENIX Association, Berkeley (2010)

    Google Scholar 

  18. Pozo, S., Gasca, R.M., Reina-Quintero, A.M., Varela-Vaca, A.J.: Confiddent: A model-driven consistent and non-redundant layer-3 firewall acl design, development and maintenance framework. Journal of Systems and Software 85(2), 425–457 (2012)

    CrossRef  Google Scholar 

  19. Russell, R.: Linux 2.4 packet filtering howto (2002), http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

  20. Sandhu, R., Ferraiolo, D., Kuhn, R.: The nist model for role-based access control: towards a unified standard. In: Proceedings of the Fifth ACM Workshop on Role-based Access Control, RBAC 2000, pp. 47–63. ACM, New York (2000)

    CrossRef  Google Scholar 

  21. Tisi, M., Martínez, S., Jouault, F., Cabot, J.: Refining Models with Rule-based Model Transformations. Rapport de recherche RR-7582, INRIA (2011)

    Google Scholar 

  22. Tongaonkar, A., Inamdar, N., Sekar, R.: Inferring higher level policies from firewall rules. In: Proceedings of the 21st Conference on Large Installation System Administration Conference, LISA 2007. LISA 2007, pp. 2:1–2:10. USENIX Association, Berkeley (2007)

    Google Scholar 

  23. Yuan, E., Tong, J.: Attributed based access control (abac) for web services. In: Proceedings of the IEEE International Conference on Web Services, ICWS 2005, pp. 561–569. IEEE Computer Society, Washington, DC (2005)

    Google Scholar 

  24. Zaliva, V.: Platform-independent firewall policy representation. CoRR, abs/0805.1886 (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Martínez, S., Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Cabot, J. (2013). Model-Driven Extraction and Analysis of Network Security Policies. In: Moreira, A., Schätz, B., Gray, J., Vallecillo, A., Clarke, P. (eds) Model-Driven Engineering Languages and Systems. MODELS 2013. Lecture Notes in Computer Science, vol 8107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41533-3_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-41533-3_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41532-6

  • Online ISBN: 978-3-642-41533-3

  • eBook Packages: Computer ScienceComputer Science (R0)