A specification method for analyzing fine grained network security mechanism configurations

Rapid evolution, heterogeneity, interdependence between pieces of equipment, and many other factors make network security analysis highly complex. Although several approaches have proposed different analysis tools, carrying out this task still requires experienced and proficient security administrators who can handle all of these parameters. The challenge is not to propose a temporary solution but to offer a building block for this large domain, even though no single approach can be optimal for all tasks. In previous papers, we proposed a novel formal model of equipment configuration built on a data-flow, attribute-based approach to detect network security conflicts. In this paper, we extend the previously proposed model to make it more generic by proving that it can also handle microscopic analysis. We define a formal analysis method for network security mechanisms. We then specify our approach in Colored Petri Nets to automate the conflict analysis and test it on a fine-grained firewall scenario.
