Abstract
Firewalls are a key element in network security. They are in charge of filtering the traffic of the network in compliance with a number of access-control rules that enforce a given security policy. In an always-evolving context, where security policies must often be updated to respond to new security requirements, knowing with precision the policy being enforced by a network system is critical information. Otherwise, we risk hampering the proper evolution of the system and compromising its security. Unfortunately, discovering the enforced policy is an error-prone and time-consuming task that requires low-level and, often, vendor-specific expertise, since firewalls may be configured using different languages and conform to a complex network topology. To tackle this problem, we propose a model-driven reverse engineering approach able to extract the security policy implemented by a set of firewalls in a working network, easing the understanding, analysis and evolution of network security policies.
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Martínez, S., Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Cabot, J. (2013). Model-Driven Extraction and Analysis of Network Security Policies. In: Moreira, A., Schätz, B., Gray, J., Vallecillo, A., Clarke, P. (eds) Model-Driven Engineering Languages and Systems. MODELS 2013. Lecture Notes in Computer Science, vol 8107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41533-3_4
DOI: https://doi.org/10.1007/978-3-642-41533-3_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41532-6
Online ISBN: 978-3-642-41533-3
eBook Packages: Computer Science (R0)