A declarative approach for global network security configuration verification and evaluation

M. Rahman, E. Al-Shaer
DOI: 10.1109/INM.2011.5990556
Venue: 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops
Published: 2011-05-23
Citations: 8

Abstract

With the increasing number of security devices and rules in a network, detecting and tracing network security configuration errors becomes a very challenging task. This in turn increases the potential for security breaches due to rule conflicts, requirement violations or a lack of security hardening. Most existing tools are either limited in scope, because they do not offer a global analysis across the different devices in the network, or hard to use comprehensively, because they are not declarative. Declarative logic programming can readily express network configurations and security requirements for verification analysis. In this paper, we use Prolog to model the entire network security configuration, including topology, routing, firewalls and IPSec. This is implemented in a tool called ConfigAnalyzer, which was also evaluated with large network and policy sizes. The tool allows reachability and security properties to be verified in a flexible and expressive manner. It also allows security configurations to be evaluated in terms of accessibility, credentials and rules.
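As an added illustration (this is not ConfigAnalyzer's code, and the paper's own predicates and schema are not reproduced here), the following SWI-Prolog model shows the style of analysis the abstract describes: topology, routing and a first-match firewall policy are stated as facts, reachability is a predicate over them, and two checks are written as queries, one for a requirement violation and one for a rule conflict (a shadowed rule). All subnet, host and device names and the rule set are constructed for the example; IPSec is omitted.

```prolog
% Toy network-configuration model (constructed example, not from the paper).
% Load in SWI-Prolog with: swipl netmodel.pl

% --- Topology: link(Device, Interface, Subnet) ---
link(r1,  g0,   internet).
link(r1,  g1,   dmz).
link(fw1, eth0, dmz).
link(fw1, eth1, internal).

% --- Hosts: host(Name, Subnet) ---
host(attacker, internet).
host(web,      dmz).
host(db,       internal).

% --- Routing: route(Device, DestinationSubnet, OutInterface) ---
route(r1,  dmz,      g1).
route(r1,  internal, g1).     % internal-bound traffic is handed to the firewall side
route(r1,  internet, g0).
route(fw1, dmz,      eth0).
route(fw1, internet, eth0).
route(fw1, internal, eth1).

% --- Firewall policy: rule(Device, Order, Action, Src, Dst, Proto, DPort) ---
% 'any' is the wildcard. The lowest Order that matches decides (first match).
rule(fw1, 1, deny,   internet, internal, any, any).
rule(fw1, 2, permit, any,      dmz,      tcp, 443).
rule(fw1, 3, permit, dmz,      internal, tcp, 5432).
rule(fw1, 4, deny,   any,      any,      any, any).
rule(fw1, 5, permit, internet, internal, tcp, 22).   % intended SSH allow; placed after the deny-all

% A rule field matches a packet field if it is the wildcard or identical.
match(any, _) :- !.
match(X, X).

% decision/6: first-match evaluation of Dev's policy for one flow.
decision(Dev, Src, Dst, Proto, Port, Action) :-
    findall(O-A,
            ( rule(Dev, O, A, S, D, P, Pt),
              match(S, Src), match(D, Dst), match(P, Proto), match(Pt, Port) ),
            Matches),
    msort(Matches, [_-Action|_]).

% A device with no policy (a plain router) forwards everything.
permitted(Dev, _, _, _, _) :- \+ rule(Dev, _, _, _, _, _, _), !.
permitted(Dev, Src, Dst, Proto, Port) :- decision(Dev, Src, Dst, Proto, Port, permit).

% hop/4: a packet in subnet S bound for Dst crosses device Dev into subnet S2.
hop(S, Dst, Dev, S2) :-
    link(Dev, _, S),
    route(Dev, Dst, Out),
    link(Dev, Out, S2),
    S2 \== S.

% reach/4: host Src can deliver Proto/Port traffic to host Dst through
% the routed path, with every policy-bearing device on the path permitting it.
reach(Src, Dst, Proto, Port) :-
    host(Src, SS), host(Dst, DS),
    path(SS, DS, SS, DS, Proto, Port, [SS]).

path(S, S, _, _, _, _, _).
path(S, DS, SrcS, DstS, Proto, Port, Visited) :-
    hop(S, DS, Dev, S2),
    \+ memberchk(S2, Visited),          % loop guard
    permitted(Dev, SrcS, DstS, Proto, Port),
    path(S2, DS, SrcS, DstS, Proto, Port, [S2|Visited]).

% Requirement check: nothing in the internet subnet may reach db on these ports.
% Each solution is a concrete violation to report.
violation(Src, Port) :-
    host(Src, internet),
    member(Port, [22, 443, 5432]),
    reach(Src, db, tcp, Port).

% Rule-conflict check: rule J on Dev is shadowed by an earlier rule I with a
% different action whose fields cover every packet J could match.
covers(any, _).
covers(X, X) :- X \== any.

shadowed(Dev, J, I) :-
    rule(Dev, J, AJ, SJ, DJ, PJ, PtJ),
    rule(Dev, I, AI, SI, DI, PI, PtI),
    I < J, AI \== AJ,
    covers(SI, SJ), covers(DI, DJ), covers(PI, PJ), covers(PtI, PtJ).
```

Useful queries against this model are `?- reach(attacker, web, tcp, 443).` and `?- reach(attacker, db, tcp, 5432).` (reachability through r1 and fw1 under the policy), `?- violation(Src, Port).` (enumerates requirement violations, if any), and `?- shadowed(fw1, J, I).` (reports which rule never takes effect and which earlier rule hides it). Adding a device or a rule is a matter of adding facts; the checks do not change, which is the point the abstract makes about a declarative model.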