A Formal Data Flow-Oriented Model For Distributed Network Security Conflicts Detection

Network security is inherently a distributed function that involves the coordination of a set of devices, each device providing its own specific security features. The complexity of this task lies in the number, the nature, and the interdependence of the mechanisms: any security service can interfere with others, creating a breach in the security of the whole network. We propose a formal data flow-oriented model to detect network security conflicts. Network security services are represented by specific abstract functions that can modify the data flow. We have specified our model in hierarchical Colored Petri Nets to automate the conflict detection analysis. This approach has been tested on various NAPT/IPsec scenarios to show that these conflicts can be detected without any a priori knowledge.
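As an added illustration (not the paper's Colored Petri Net specification), the following Python sketch models two services as abstract data-flow functions and shows how the order of NAPT and AH along a path decides whether a conflict appears at the receiving peer. The packet fields, service names and the SHA-256 stand-in for the AH integrity check value are assumptions made for the example.

```python
"""Toy data-flow conflict check (illustration only, not the paper's CPN model).
Each security service is an abstract function on a packet; a path is the ordered
list of services the flow crosses; a conflict is reported when a service's
guarantee (here AH integrity) no longer holds where it is checked."""
import hashlib
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    payload: bytes
    icv: Optional[bytes] = None  # AH integrity check value, if protected

def _ah_digest(p: Packet) -> bytes:
    # AH covers the immutable IP header fields and the payload; the transport
    # port sits inside the protected payload, so it is covered too.
    # SHA-256 stands in for the real AH ICV algorithm (assumption).
    return hashlib.sha256(f"{p.src}|{p.dst}|{p.sport}|".encode() + p.payload).digest()

def ah_protect(p: Packet) -> Packet:
    """IPsec AH on the sender side: attach the ICV."""
    return replace(p, icv=_ah_digest(p))

def napt(p: Packet, public_ip: str = "203.0.113.1", public_port: int = 40000) -> Packet:
    """NAPT gateway: rewrite the private source address and port (constructed values)."""
    return replace(p, src=public_ip, sport=public_port)

def ah_verify(p: Packet) -> Packet:
    """IPsec AH on the receiver side: recompute the ICV and reject on mismatch."""
    if p.icv is None or p.icv != _ah_digest(p):
        raise ValueError("AH integrity check failed")
    return replace(p, icv=None)

Service = Tuple[str, Callable[[Packet], Packet]]

def detect_conflicts(path: List[Service], pkt: Packet) -> List[str]:
    """Push one packet through the ordered services; report every service whose
    guarantee fails. Ordering is the only thing that differs between paths."""
    conflicts: List[str] = []
    for name, fn in path:
        try:
            pkt = fn(pkt)
        except ValueError as exc:
            conflicts.append(f"{name}: {exc}")
    return conflicts

SAMPLE = Packet(src="10.0.0.7", dst="198.51.100.9", sport=51234, payload=b"GET / HTTP/1.1")
# Host applies AH, then the gateway performs NAPT: the peer's check fails.
BAD_PATH: List[Service] = [("host AH", ah_protect), ("gateway NAPT", napt), ("peer AH verify", ah_verify)]
# NAPT first, AH applied on the gateway afterwards: no conflict.
GOOD_PATH: List[Service] = [("gateway NAPT", napt), ("gateway AH", ah_protect), ("peer AH verify", ah_verify)]
```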
