Specification and Verification of Security Policies in Firewalls

Jalili, Rasool; Rezvani, Mohsen

doi:10.1007/3-540-36087-5_18

Rasool Jalili⁷ &
Mohsen Rezvani⁷

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2510))

Included in the following conference series:

Eurasian Conference on Information and Communication Technology

348 Accesses
2 Citations

Abstract

Rules are used as a way of managing and configuring firewalls to fulfill security requirements in most cases. Managers have to specify their organizational security policies using low level and order-dependent rules. Furthermore, dependency of firewalls to the network topology, frequent changes in network topology (specially in dynamic networks), and lack of a method for analysis and verification of specified security policy may reduce to inconsistencies and security holes. Existence of a higher level environment for security policy specification can rectify part of the problems. In this paper we present a language for high level and formal specification of security policy in firewalls. Using the language, a security manager can configure its firewall based on his required security policy independent of the network topology. The language is used as a framework for analysis and verification of security policies. We designed and implemented a tool based on theorem proving for detecting inconsistencies, coverage, as well as applying a query on the specified policy. Results of analysis can be used to detect security vulnerabilities.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 84.99; Price excludes VAT (USA)

Softcover Book: USD 109.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Alur R. and Henzinger T.A. Computer-Aided Verification: An Introduction to Model Building and Model Checking for Concurrent Systems. Draft, 1999.
Google Scholar
Anderson J.P., Brand S., Gong L., and Haigh T. Firewall: An expert roundtable. IEEE Software, 14(5):60–66, September/October 1997.
Google Scholar
Bartal Y., Mayer A., Nissim K., and Wool A. Firmato: A novel firewall management toolkit. In Proceedings of the IEEE Symposium on Security and Privacy, pages 17–31, May 1999.
Google Scholar
Cholvy L. and Cuppens F. Analyzing consistency of security policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 103–112, May 1997.
Google Scholar
Goubault-Larrecq J. and Mackie I. Proof Theory and Automated Deduction, volume 6 of Applied Logic Series. Kluwer Academic Publishers, Dordrecht, 1997.
MATH Google Scholar
Guttman J.D. Filtering postures: Local enforcement for global policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120–129, Los Alamitos, 1997.
Google Scholar
Hoagland J. Specifying and Implementing Security Policy using LaSCO, the Language for Security Constraints on Objects. PhD thesis, The University of California Davis, Department of Computer Science, March 2000.
Google Scholar
Manna Z. and Pnueli A. Temporal Verification of Reactive Systems: Safety. Springer-Verlang, New York, 1995.
Google Scholar
Mayer A., Wool A., and Ziskin E. Fang: A firewall analysis engine. In Proceedings of the IEEE Symposium on Security and Privacy, pages 177–190, May 2000.
Google Scholar
Ortalo R. Using deontic logic for security policy specification. Tech. Report 96380, LAAS-CNRS Toulouse, France, October 1996.
Google Scholar
Peri R.V. Specification and Verification of Security Policies. PhD thesis, The University of Virginia, School of Engineering and Applied Science, January 1996.
Google Scholar
Rezvani M. High Level Security Policy Specification in Firewalls. Master’s thesis, Dept. of Computer Engineering, Sharif University of Technology, September 2001, In Persian.
Google Scholar
Stevens W.R. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional Computing Series. Addison-Wesley, Reading, MA, USA, 1994.
Google Scholar
Wack J.P. and Carnahan L.J. Keeping your site comfortably secure: An introduction to Internet firewalls. NIST special publication Computer security 800-10, U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology, U.S. G.P.O., Gaithersburg, MD, USA, 1994.
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Computer Engineering, Sharif University of Technology, Tehran, Iran
Rasool Jalili & Mohsen Rezvani

Authors

Rasool Jalili
View author publications
You can also search for this author in PubMed Google Scholar
Mohsen Rezvani
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Faculty of Mathematics and Computer Science Computer Science Department, Shahid Bahonar University, 22 Bahman Bulvard, Kerman, Iran
Hassan Shafazand
Fraunhofer IPSI, Dolivostr. 15, 64293, Darmstadt, Germany
Hassan Shafazand
Institute of Software Technology, Vienna University of Technology, Favoritenstr. 9/188, 1040, Vienna, Austria
A. Min Tjoa

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Jalili, R., Rezvani, M. (2002). Specification and Verification of Security Policies in Firewalls. In: Shafazand, H., Tjoa, A.M. (eds) EurAsia-ICT 2002: Information and Communication Technology. EurAsia-ICT 2002. Lecture Notes in Computer Science, vol 2510. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36087-5_18

Download citation

DOI: https://doi.org/10.1007/3-540-36087-5_18
Published: 10 October 2002
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00028-0
Online ISBN: 978-3-540-36087-2
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics