Abstract
Rules are used as a way of managing and configuring firewalls to fulfill security requirements in most cases. Managers have to specify their organizational security policies using low level and order-dependent rules. Furthermore, dependency of firewalls to the network topology, frequent changes in network topology (specially in dynamic networks), and lack of a method for analysis and verification of specified security policy may reduce to inconsistencies and security holes. Existence of a higher level environment for security policy specification can rectify part of the problems. In this paper we present a language for high level and formal specification of security policy in firewalls. Using the language, a security manager can configure its firewall based on his required security policy independent of the network topology. The language is used as a framework for analysis and verification of security policies. We designed and implemented a tool based on theorem proving for detecting inconsistencies, coverage, as well as applying a query on the specified policy. Results of analysis can be used to detect security vulnerabilities.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Alur R. and Henzinger T.A. Computer-Aided Verification: An Introduction to Model Building and Model Checking for Concurrent Systems. Draft, 1999.
Anderson J.P., Brand S., Gong L., and Haigh T. Firewall: An expert roundtable. IEEE Software, 14(5):60–66, September/October 1997.
Bartal Y., Mayer A., Nissim K., and Wool A. Firmato: A novel firewall management toolkit. In Proceedings of the IEEE Symposium on Security and Privacy, pages 17–31, May 1999.
Cholvy L. and Cuppens F. Analyzing consistency of security policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 103–112, May 1997.
Goubault-Larrecq J. and Mackie I. Proof Theory and Automated Deduction, volume 6 of Applied Logic Series. Kluwer Academic Publishers, Dordrecht, 1997.
Guttman J.D. Filtering postures: Local enforcement for global policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120–129, Los Alamitos, 1997.
Hoagland J. Specifying and Implementing Security Policy using LaSCO, the Language for Security Constraints on Objects. PhD thesis, The University of California Davis, Department of Computer Science, March 2000.
Manna Z. and Pnueli A. Temporal Verification of Reactive Systems: Safety. Springer-Verlang, New York, 1995.
Mayer A., Wool A., and Ziskin E. Fang: A firewall analysis engine. In Proceedings of the IEEE Symposium on Security and Privacy, pages 177–190, May 2000.
Ortalo R. Using deontic logic for security policy specification. Tech. Report 96380, LAAS-CNRS Toulouse, France, October 1996.
Peri R.V. Specification and Verification of Security Policies. PhD thesis, The University of Virginia, School of Engineering and Applied Science, January 1996.
Rezvani M. High Level Security Policy Specification in Firewalls. Master’s thesis, Dept. of Computer Engineering, Sharif University of Technology, September 2001, In Persian.
Stevens W.R. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional Computing Series. Addison-Wesley, Reading, MA, USA, 1994.
Wack J.P. and Carnahan L.J. Keeping your site comfortably secure: An introduction to Internet firewalls. NIST special publication Computer security 800-10, U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology, U.S. G.P.O., Gaithersburg, MD, USA, 1994.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Jalili, R., Rezvani, M. (2002). Specification and Verification of Security Policies in Firewalls. In: Shafazand, H., Tjoa, A.M. (eds) EurAsia-ICT 2002: Information and Communication Technology. EurAsia-ICT 2002. Lecture Notes in Computer Science, vol 2510. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36087-5_18
Download citation
DOI: https://doi.org/10.1007/3-540-36087-5_18
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00028-0
Online ISBN: 978-3-540-36087-2
eBook Packages: Springer Book Archive