Abstract
It is a challenging task for network administrators to correctly implement corporate security policies in a large network environment. Much of the security policy enforcement at the network level involves configuring packet classification strategies using Access Control Lists (ACLs). A gateway device performing traffic filtering can deploy ACLs with thousands of rules. Because of the difficulty of the ACL configuration language, large ACLs easily become redundant, inconsistent, and hard to optimise or even understand. This problem is compounded by extrinsic factors such as administrator turnover and unstructured, ill-planned topology changes. With multiple routers in the topology, all of the ACLs need to be configured in a consistent manner to enforce the corporate security policy. In such an environment, manual examination of ACLs to ensure that the security policy is implemented correctly is a nearly impossible task.
In this paper, we propose a novel framework to automate ACL analysis, thus greatly simplifying the network administrator’s task of implementing and verifying corporate security policies. A set of algorithms is introduced to detect and remove redundant rules, discover and repair inconsistent rules, merge overlapping or adjacent rules, map an ACL with complex interleaving permit/deny rules to a more readable form consisting of all permits or all denies, and finally compute a meta-ACL profile based on all ACLs along a network path. When applied to traffic filtering ACLs, the meta-profile shows the administrator which traffic will flow successfully from source to destination. Based on the ideas presented in this paper, we have developed a generic library called ACLA (ACL Analyser).
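The redundancy and inconsistency checks and the path-wide meta-ACL described in the abstract, as an added Python example that is not the ACLA library's own code: it assumes first-match ACL semantics with an implicit trailing deny, rules keyed on source prefix, destination prefix and destination-port range, and uses constructed sample ACLs and addresses (hypothetical, not from the paper).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: tuple           # inclusive destination-port range (lo, hi)

def rule(action, src, dst, lo, hi):
    return Rule(action, ip_network(src), ip_network(dst), (lo, hi))

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def analyse(acl):
    """First-match semantics: rule i is 'redundant' if an earlier rule with the same
    action covers it, 'shadowed' (inconsistent) if an earlier opposite-action rule does."""
    redundant, shadowed = [], []
    for i, r in enumerate(acl):
        for earlier in acl[:i]:
            if covers(earlier, r):
                (redundant if earlier.action == r.action else shadowed).append(i)
                break
    return redundant, shadowed

def decide(acl, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an ACL ends with an implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in acl:
        if src in r.src and dst in r.dst and r.dport[0] <= dport <= r.dport[1]:
            return r.action
    return "deny"

def path_decision(acls, src: str, dst: str, dport: int) -> str:
    """Meta-ACL along a path: traffic flows only if every ACL on the path permits it."""
    return "permit" if all(decide(a, src, dst, dport) == "permit" for a in acls) else "deny"

# Constructed sample ACLs (hypothetical addresses, not from the paper).
EDGE_ACL = [
    rule("permit", "10.0.0.0/8", "192.0.2.0/24", 80, 80),
    rule("permit", "10.1.0.0/16", "192.0.2.0/24", 80, 80),   # redundant: rule 0 covers it
    rule("deny", "10.0.0.0/8", "192.0.2.10/32", 80, 80),     # shadowed: rule 0 permits first
    rule("permit", "10.0.0.0/8", "192.0.2.0/24", 443, 443),
]
CORE_ACL = [rule("permit", "10.0.0.0/8", "192.0.2.0/24", 80, 80)]  # then implicit deny
PATH = [EDGE_ACL, CORE_ACL]
```

`analyse(EDGE_ACL)` returns `([1], [2])`, flagging the redundant permit and the deny that can never fire; `path_decision(PATH, "10.1.2.3", "192.0.2.5", 443)` returns `"deny"` because the core ACL's implicit deny blocks traffic the edge ACL permitted, which is exactly what the meta-profile is meant to surface.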
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35413-2_36
© 2001 IFIP International Federation for Information Processing
Qian, J., Hinrichs, S., Nahrstedt, K. (2001). ACLA: A Framework for Access Control List (ACL) Analysis and Optimization. In: Steinmetz, R., Dittman, J., Steinebach, M. (eds) Communications and Multimedia Security Issues of the New Century. IFIP — The International Federation for Information Processing, vol 64. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35413-2_18
DOI: https://doi.org/10.1007/978-0-387-35413-2_18
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-4811-6
Online ISBN: 978-0-387-35413-2