Inconsistency Analysis of Time-Based Security Policy and Firewall Policy

  • Conference paper
Formal Methods and Software Engineering (ICFEM 2017)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10610)

Abstract

Packet filtering in a firewall either accepts or denies packets based on a set of predefined rules called the firewall policy. In recent years, time-based firewall policies have become widely used in many firewalls, such as Cisco ACLs. A firewall policy is always designed according to a security policy, a generic document that outlines the network access permissions that are required. It is difficult to maintain consistency between an ordinary firewall policy and the security policy, let alone between a time-based firewall policy and the security policy. Although many analysis methods exist for security policies and firewall policies, they cannot handle time constraints. To resolve this problem, we first represent the time-based security policy and firewall policy as logical formulas, and then use the satisfiability modulo theories (SMT) solver Z3 to verify them and analyze inconsistencies. We have implemented a prototype system to validate the proposed method; experimental results show its effectiveness.
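As an added illustration of the approach the abstract describes (not the paper's prototype or its Z3 encoding), the following Python models a constructed time-based security policy and firewall policy as rule predicates over (source zone, destination port, minute of day) with first-match semantics, and searches for packets on which the two policies decide differently. It substitutes exhaustive enumeration over a small finite domain for the Z3 query so that it runs without an SMT solver; the zones, ports, windows and both policies are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product

# Added example, not the paper's code: policies as predicates over a packet
# (source zone, destination port, minute of day), ACL-style first-match
# decisions, and exhaustive search in place of the Z3 query.

@dataclass(frozen=True)
class Rule:
    action: str        # "accept" or "deny"
    srcs: frozenset    # source zones the rule applies to
    ports: tuple       # inclusive destination port range (lo, hi)
    window: tuple      # inclusive (start, end) in minutes of day

    def in_window(self, t):
        start, end = self.window
        if start <= end:                # window lies within one day
            return start <= t <= end
        return t >= start or t <= end   # window crosses midnight

    def matches(self, src, port, t):
        return (src in self.srcs and self.ports[0] <= port <= self.ports[1]
                and self.in_window(t))

def decide(policy, src, port, t, default="deny"):
    """First matching rule decides; unmatched traffic gets the default."""
    for rule in policy:
        if rule.matches(src, port, t):
            return rule.action
    return default

def inconsistencies(security, firewall, srcs, ports, times):
    """Packets (src, port, t) on which the two policies disagree."""
    return [(s, p, t) for s, p, t in product(srcs, ports, times)
            if decide(security, s, p, t) != decide(firewall, s, p, t)]

ALL_DAY, ANY_PORT = (0, 1439), (0, 65535)
# Constructed security policy: guests may use HTTP 09:00-18:00 only; LAN is unrestricted.
SECURITY = [Rule("accept", frozenset({"guest"}), (80, 80), (540, 1080)),
            Rule("accept", frozenset({"lan"}), ANY_PORT, ALL_DAY)]
# Constructed firewall policy whose guest window mistakenly runs until 20:00.
FIREWALL = [Rule("accept", frozenset({"guest"}), (80, 80), (540, 1200)),
            Rule("accept", frozenset({"lan"}), ANY_PORT, ALL_DAY)]
# Finite domain the search ranges over: two zones, two ports, every minute of the day.
DOMAIN = (("lan", "guest"), (22, 80), range(0, 1440))

if __name__ == "__main__":
    bad = inconsistencies(SECURITY, FIREWALL, *DOMAIN)
    print(len(bad), "inconsistent packets; first:", bad[0], "last:", bad[-1])
```

The disagreement set shows exactly which traffic the firewall admits outside the security policy's window, which is the information an operator needs to correct the ACL's time range.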

Acknowledgments

This research was partially supported by National scholarship for studying abroad of China Scholarship Council (CSC); National Natural Science Foundation of China (No. 60973122, 61572256).

Corresponding author

Correspondence to Yi Yin.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Yin, Y., Tateiwa, Y., Wang, Y., Katayama, Y., Takahashi, N. (2017). Inconsistency Analysis of Time-Based Security Policy and Firewall Policy. In: Duan, Z., Ong, L. (eds) Formal Methods and Software Engineering. ICFEM 2017. Lecture Notes in Computer Science, vol 10610. Springer, Cham. https://doi.org/10.1007/978-3-319-68690-5_27

  • DOI: https://doi.org/10.1007/978-3-319-68690-5_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68689-9

  • Online ISBN: 978-3-319-68690-5
