Model-Driven Extraction and Analysis of Network Security Policies

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8107)


Firewalls are a key element in network security. They are in charge of filtering network traffic in compliance with a set of access-control rules that enforce a given security policy. In an always-evolving context, where security policies must often be updated to respond to new security requirements, knowing precisely which policy a network system is actually enforcing is critical information. Otherwise, we risk hampering the proper evolution of the system and compromising its security. Unfortunately, discovering the enforced policy is an error-prone and time-consuming task that requires low-level and, often, vendor-specific expertise, since firewalls may be configured using different languages and are deployed within a complex network topology. To tackle this problem, we propose a model-driven reverse engineering approach able to extract the security policy implemented by a set of firewalls in a working network, easing the understanding, analysis and evolution of network security policies.





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. AtlanMod, École des Mines de Nantes - INRIA, LINA, Nantes, France
  2. Télécom Bretagne, LUSSI Department, Université Européenne de Bretagne, France
  3. RST Department, CNRS Samovar UMR 5157, Télécom SudParis, Evry, France
