Abstract
Firewalls are key security components in computer networks. They filter network traffic based on an ordered list of filtering rules. Firewall configurations must be correct and complete with respect to security policies. A security policy is a set of predicates that gives a high-level description of traffic controls. In this paper, we propose an automatic method to verify the correctness of a firewall configuration. We have defined a boolean formula representation of security policy. With the boolean formula representations of the security policy and the firewall configuration, we can formulate the condition that ensures correctness of the firewall configuration. We use a SAT solver to check the validity of the condition. If the configuration is not correct, our method produces an example packet to help users correct the configuration. We have implemented a prototype verifier and obtained some experimental results. The first results were very promising.
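The correctness condition sketched in the abstract (every packet the policy constrains must get the same decision from the first-match rule list, and a violating packet is reported as a counterexample), as an added example that is not the paper's own code. The policy predicates, rule list and zone-based packet domains are constructed for this example, and exhaustive enumeration over that small domain stands in for the paper's boolean encoding and SAT call.

```python
from itertools import product
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Constructed abstract packet space: zones instead of addresses, a few ports.
DOMAIN = {"src": ["lan", "dmz", "inet"], "dst": ["lan", "dmz", "inet"],
          "proto": ["tcp", "udp"], "dport": [22, 53, 80, 443]}
ANY = None  # wildcard in a rule field

class Rule(NamedTuple):
    src: Optional[set]
    dst: Optional[set]
    proto: Optional[set]
    dport: Optional[set]
    action: str  # "accept" or "deny"

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return all(getattr(rule, f) is ANY or getattr(pkt, f) in getattr(rule, f)
               for f in Packet._fields)

def firewall(rules, pkt: Packet, default="deny") -> str:
    """First-match semantics of an ordered rule list with a default decision."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return default

def find_violation(rules, policy):
    """Return (packet, required, actual) for the first packet whose firewall
    decision contradicts a policy predicate that applies to it, else None."""
    for vals in product(*(DOMAIN[f] for f in Packet._fields)):
        pkt = Packet(*vals)
        for pred, required in policy:
            actual = firewall(rules, pkt)
            if pred(pkt) and actual != required:
                return pkt, required, actual
    return None

# Constructed high-level policy: (predicate over packets, required decision).
POLICY = [
    (lambda p: p.src == "inet" and p.dst == "lan", "deny"),
    (lambda p: p.src == "inet" and p.dst == "dmz" and p.proto == "tcp"
               and p.dport in (80, 443), "accept"),
    (lambda p: p.dst == "dmz" and p.dport == 22 and p.src != "lan", "deny"),
]
# Constructed rule lists: the first accept rule is wider than the policy allows.
BAD_RULES = [Rule({"inet"}, {"dmz"}, {"tcp"}, ANY, "accept"),
             Rule({"inet"}, {"lan"}, ANY, ANY, "deny")]
GOOD_RULES = [Rule({"inet"}, {"dmz"}, {"tcp"}, {80, 443}, "accept"),
              Rule({"inet"}, {"lan"}, ANY, ANY, "deny")]
```

Running `find_violation(BAD_RULES, POLICY)` reports the SSH-to-DMZ packet that the over-wide accept rule lets through, while the corrected list yields no counterexample.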
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Matsumoto, S., Bouhoula, A. (2009). Automatic Verification of Firewall Configuration with Respect to Security Policy Requirements. In: Corchado, E., Zunino, R., Gastaldo, P., Herrero, Á. (eds) Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS’08. Advances in Soft Computing, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88181-0_16
DOI: https://doi.org/10.1007/978-3-540-88181-0_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88180-3
Online ISBN: 978-3-540-88181-0
eBook Packages: Engineering (R0)