Formal security policy implementations in network firewalls

Network security should be based on formal security policies, from the high-level, non-technical, natural-language policies written by management down to the device- and vendor-specific policies, or configurations, written by network system administrators. A substantial body of research into policy-based network systems exists. This paper provides an overview of the different types of policies relating to security in networks, and a taxonomy of the research into systems that have been proposed to support network administrators in the difficult tasks of creating, managing and deploying these policies.
