An Inconsistency Detection Method for Security Policy and Firewall Policy Based on CSP Solver

  • Conference paper
  • Cloud Computing and Security (ICCCS 2017)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10603)

Abstract

Packet filtering in a firewall either accepts or denies network packets based on a set of pre-defined rules called the firewall policy. A firewall policy is always designed under the guidance of a security policy, a generic document that outlines the requirements for network access permissions. The design of the firewall policy should therefore be consistent with the security policy.

If the firewall policy is not consistent with the security policy, it may violate the intentions of the security policy, which can result in critical security vulnerabilities. This paper extends our previous method, which represented the security policy and the firewall policy as a Constraint Satisfaction Problem (CSP) and used the CSP solver Sugar only to verify whether they are consistent. In this paper, we propose a method to detect and resolve inconsistencies between the firewall policy and the security policy. We have implemented a prototype system to validate the proposed method; experimental results show its effectiveness.
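As an added illustration of the consistency check the abstract describes (this is not the paper's code or its Sugar encoding): a firewall policy and a security policy are written as constraints over a constructed packet domain, an inconsistency is reported as a witness packet on which the two disagree, and the resolution step promotes the violated requirement to a firewall rule. Exhaustive search over the small domain stands in for the CSP solver; the host ids, ports and both policies are constructed for the example.

```python
# Added illustration (not the paper's code): firewall vs. security policy over a
# small constructed packet domain; exhaustive search stands in for Sugar's CSP solver.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    """Constraint over (src, dst, port); hosts are abstract ids, not IPs.
    Used both for firewall rules and for security-policy requirements."""
    src: range
    dst: range
    port: range
    action: str  # "accept" or "deny"

    def matches(self, src, dst, port):
        return src in self.src and dst in self.dst and port in self.port

def firewall_decision(rules, src, dst, port, default="deny"):
    """First-match semantics: the first rule matching the packet decides."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.action
    return default

def find_inconsistency(firewall, security, domain):
    """Return (packet, required, actual) for the first packet whose firewall
    decision contradicts its governing security requirement, else None."""
    for pkt in product(*domain):
        req = next((r for r in security if r.matches(*pkt)), None)
        if req is not None and firewall_decision(firewall, *pkt) != req.action:
            return pkt, req.action, firewall_decision(firewall, *pkt)
    return None

def resolve(firewall, security, domain):
    """Repair loop: promote the violated requirement to a firewall rule placed
    ahead of the existing rules and re-check until no witness remains."""
    fixed = list(firewall)
    for _ in range(len(security) ** 2 + 1):  # bound; each requirement settles
        witness = find_inconsistency(fixed, security, domain)
        if witness is None:
            break
        fixed.insert(0, next(r for r in security if r.matches(*witness[0])))
    return fixed

ALL, ADMINS = range(0, 8), range(0, 2)  # constructed host ids
DOMAIN = (ALL, ALL, range(0, 1024))
FIREWALL = [Rule(ALL, ALL, range(80, 81), "accept"),    # allow HTTP
            Rule(ALL, ALL, range(0, 1024), "deny")]     # deny everything else
SECURITY = [Rule(ADMINS, ALL, range(22, 23), "accept"),  # admins need SSH
            Rule(ALL, ALL, range(80, 81), "accept")]     # HTTP must be open
```

On this input the witness is the packet (0, 0, 22): the security policy requires it to be accepted, but the firewall's catch-all rule denies it, and one inserted rule removes the inconsistency.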


Acknowledgments

This research was partially supported by the National Scholarship for Studying Abroad of the China Scholarship Council (CSC) and by the National Natural Science Foundation of China (No. 60973122, 61572256).

Author information

Correspondence to Yi Yin.

Copyright information

© 2017 Springer International Publishing AG

About this paper
Cite this paper

Yin, Y., Tateiwa, Y., Wang, Y., Katayama, Y., Takahashi, N. (2017). An Inconsistency Detection Method for Security Policy and Firewall Policy Based on CSP Solver. In: Sun, X., Chao, HC., You, X., Bertino, E. (eds) Cloud Computing and Security. ICCCS 2017. Lecture Notes in Computer Science, vol 10603. Springer, Cham. https://doi.org/10.1007/978-3-319-68542-7_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68541-0

  • Online ISBN: 978-3-319-68542-7

  • eBook Packages: Computer Science (R0)