Policy Based ACL Configuration Synthesis in Enterprise Networks: A Formal Approach

Because enterprise networks rely heavily on network services and applications, most of them today deploy policy-based security devices (e.g. routers, firewalls, IPSec) to control access to network resources according to the organizational security policy. That policy is becoming increasingly fine-grained: access control list (ACL) configuration now depends on constraints such as service priority, time and location. The major challenge network administrators face today is determining the access control configurations that correctly satisfy the organizational policy. Over the last two decades, a significant amount of research has gone into formally verifying the correctness and consistency of access control policy configurations in enterprise networks. However, this bottom-up analysis may not be practical because of its high state-space requirement for large-scale networks; in addition, it requires repairing sequences of misconfigurations iteratively to meet a specific requirement. This paper presents a framework for synthesizing a correct and conflict-free ACL configuration model from the global organizational security policy and the underlying network topology. The framework has two major functions: (i) deriving a conflict-free model of the organizational security policy, and (ii) extracting the correct ACL distribution for the network. It formally models the organizational security policy and generates the conflict-free policy model by resolving conflicts among policy rules; the ACL model is then extracted from the conflict-free policy model and the underlying network topology. The efficacy of the proposed framework is demonstrated through a case study.
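The two functions the abstract describes, conflict resolution on the global policy followed by ACL extraction against the topology, can be illustrated on a small constructed example. The Python below is an added illustration written for this page, not the paper's framework or its formal model: the rule format, the zone-pair overlap check, the priority-ordered carving of overlapping services and the "place each rule on the first router out of its source zone" placement strategy are all assumptions chosen to keep the example self-contained, and the policy rules and three-router topology are constructed sample input.

```python
from collections import deque
from dataclasses import dataclass

# Hypothetical policy rule: services are a frozenset of (proto, port) pairs so that
# overlap between two rules reduces to set intersection. Rules are listed in
# organizational priority order (earlier wins), which is what resolution honours.
@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: frozenset
    action: str  # "permit" or "deny"

def find_conflicts(rules):
    """Return (earlier, later, overlap) triples for rule pairs that match the same
    zone pair and services but prescribe different actions. A later rule whose
    services are entirely covered by an earlier one is fully shadowed."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.src_zone, a.dst_zone) != (b.src_zone, b.dst_zone):
                continue
            overlap = a.services & b.services
            if overlap and a.action != b.action:
                conflicts.append((a, b, overlap))
    return conflicts

def resolve(rules):
    """Build a conflict-free model: walk rules in priority order and remove from
    each later rule the services already decided for the same zone pair, so no
    two surviving rules match the same flow. Fully shadowed rules are dropped."""
    decided = {}  # (src_zone, dst_zone) -> services already decided
    resolved = []
    for r in rules:
        key = (r.src_zone, r.dst_zone)
        remaining = r.services - decided.get(key, frozenset())
        if remaining:
            resolved.append(Rule(r.name, r.src_zone, r.dst_zone, frozenset(remaining), r.action))
            decided[key] = decided.get(key, frozenset()) | remaining
    return resolved

# Constructed topology: router adjacency plus the router each zone hangs off.
TOPOLOGY = {"R1": {"R2"}, "R2": {"R1", "R3"}, "R3": {"R2"}}
ZONE_ROUTER = {"LAN": "R1", "DMZ": "R2", "INTERNET": "R3"}

def shortest_path(graph, start, goal):
    """Breadth-first path between two routers, or None if they are disconnected."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt in sorted(graph[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if goal not in prev:
        return None
    path, cur = [], goal
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]

def distribute_acls(resolved_rules, graph, zone_router):
    """Place each conflict-free rule as ACL entries on the ingress interface of the
    first router on the path from its source zone to its destination zone.
    Entries are appended in priority order so first-match semantics survive."""
    acls = {node: [] for node in graph}
    for rule in resolved_rules:
        path = shortest_path(graph, zone_router[rule.src_zone], zone_router[rule.dst_zone])
        if path is None:
            continue  # unreachable zone pair: nothing to filter
        iface = f"from_{rule.src_zone}"
        for proto, port in sorted(rule.services):
            acls[path[0]].append((iface, rule.action, rule.src_zone, rule.dst_zone, proto, port))
    return acls

# Constructed organizational policy containing two deliberate conflicts.
POLICY = [
    Rule("web-in", "INTERNET", "DMZ", frozenset({("tcp", 80), ("tcp", 443)}), "permit"),
    Rule("no-inet-dmz", "INTERNET", "DMZ", frozenset({("tcp", 80), ("tcp", 22)}), "deny"),
    Rule("lan-dmz", "LAN", "DMZ", frozenset({("tcp", 22), ("tcp", 443)}), "permit"),
    Rule("lan-dmz-dup", "LAN", "DMZ", frozenset({("tcp", 22)}), "deny"),
]

if __name__ == "__main__":
    for a, b, overlap in find_conflicts(POLICY):
        print(f"conflict: {a.name} ({a.action}) vs {b.name} ({b.action}) on {sorted(overlap)}")
    model = resolve(POLICY)
    for router, entries in distribute_acls(model, TOPOLOGY, ZONE_ROUTER).items():
        print(router, entries)
```

Running it reports the two conflicts (port 80 between `web-in` and `no-inet-dmz`, port 22 between `lan-dmz` and `lan-dmz-dup`), keeps only the port-22 portion of `no-inet-dmz`, drops the fully shadowed `lan-dmz-dup`, and places the Internet-facing entries on R3 and the LAN-facing ones on R1, leaving R2 with no ACL entries. Re-running `find_conflicts` on the resolved model returns an empty list, which is the property the synthesis step is meant to guarantee before any ACL is pushed to a device.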
