Complete analysis of configuration rules to guarantee reliable network security policies

The use of different network security components, such as firewalls and network intrusion detection systems (NIDSs), is the dominant method to monitor and guarantee the security policy in current corporate networks. To configure these components properly, several sets of security rules must be used. Nevertheless, the existence of anomalies between those rules, particularly in distributed multi-component scenarios, is very likely to degrade the network security policy. Discovering and removing these anomalies is a serious and complex problem. In this paper, we present a complete set of mechanisms for this management task.
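The kind of rule anomaly the abstract refers to can be made concrete with a small checker. The code below is an added example, not the paper's own tooling: it assumes first-match filtering semantics and the usual definitions of shadowing and redundancy within one component, plus the inter-component case where a downstream rule is useless because the component traversed first already denies all of its traffic. Rule names and addresses are constructed.

```python
from collections import namedtuple
from ipaddress import ip_network
# name, source CIDR, destination CIDR, inclusive (lo, hi) dst port range, "accept"/"deny"
Rule = namedtuple("Rule", "name src dst dport action")

def covers(a, b):
    """Every packet matching rule b also matches rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def overlaps(a, b):
    """Some packet matches both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])

def intra_component_anomalies(rules):
    """First-match semantics: a rule fully covered by an earlier rule with a different
    action is shadowed (its decision is lost); with the same action it is redundant."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((kind, earlier.name, later.name))
                break  # the first covering rule is the one that actually fires
    return found

def inter_component_shadowing(upstream, downstream):
    """Downstream accept rules whose whole zone the upstream component (traversed first)
    denies, so their traffic never arrives. Only the first upstream rule overlapping
    the zone can decide; partial overlaps are conservatively not reported."""
    found = []
    for d in (r for r in downstream if r.action == "accept"):
        for u in upstream:
            if overlaps(u, d):
                if u.action == "deny" and covers(u, d):
                    found.append((u.name, d.name))
                break
    return found

# Constructed sample rule sets (not taken from the paper).
FW = [Rule("R1", "10.0.0.0/8", "192.168.1.10/32", (80, 80), "deny"),
      Rule("R2", "10.0.1.0/24", "192.168.1.10/32", (80, 80), "accept"),    # shadowed by R1
      Rule("R3", "0.0.0.0/0", "192.168.1.0/24", (443, 443), "accept"),
      Rule("R4", "172.16.0.0/12", "192.168.1.0/24", (443, 443), "accept")]  # redundant with R3
EDGE = [Rule("U1", "0.0.0.0/0", "192.168.1.0/24", (23, 23), "deny")]
INNER = [Rule("D1", "10.0.0.0/8", "192.168.1.20/32", (23, 23), "accept")]  # unreachable behind U1
```

Running `intra_component_anomalies(FW)` flags R2 as shadowed and R4 as redundant; `inter_component_shadowing(EDGE, INNER)` reports that D1 can never fire because U1 denies its whole zone upstream.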
