{"title":"安全策略与防火墙策略不一致检测系统","authors":"Yi Yin, Xiaodong Xu, Y. Katayama, N. Takahashi","doi":"10.1109/IC-NC.2010.45","DOIUrl":null,"url":null,"abstract":"Packet filtering in firewall either accepts or denies network packets based upon a set of pre-defined filters called firewall policy. Firewall policy is designed under the instruction of security policy. A network security policy is a generic document that outlines the needs for computer network access permissions. And it determines how firewall filters are designed. If inconsistencies, such as redundant filters, insufficient filters or contradict filters, exist between security policy and firewall policy, firewall policy could not filter packets exactly, and the network protected by the firewall will be affected. To resolve this problem, we propose an inconsistency detection system to detect the inconsistencies between the security policy and firewall policy. When the administrator could not get host IP addresses, port number and other specific values, according to the network configurations, our proposed system could transform the network security policy and firewall policy to the same range value, represent and analyze their spatial relationships to detect their inconsistencies. The proposed system has been successfully implemented in a prototype system. We have been confirmed the effectiveness of the proposed system.","PeriodicalId":375145,"journal":{"name":"2010 First International Conference on Networking and Computing","volume":"84 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":"{\"title\":\"Inconsistency Detection System for Security Policy and Firewall Policy\",\"authors\":\"Yi Yin, Xiaodong Xu, Y. Katayama, N. Takahashi\",\"doi\":\"10.1109/IC-NC.2010.45\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Packet filtering in firewall either accepts or denies network packets based upon a set of pre-defined filters called firewall policy. Firewall policy is designed under the instruction of security policy. A network security policy is a generic document that outlines the needs for computer network access permissions. And it determines how firewall filters are designed. If inconsistencies, such as redundant filters, insufficient filters or contradict filters, exist between security policy and firewall policy, firewall policy could not filter packets exactly, and the network protected by the firewall will be affected. To resolve this problem, we propose an inconsistency detection system to detect the inconsistencies between the security policy and firewall policy. When the administrator could not get host IP addresses, port number and other specific values, according to the network configurations, our proposed system could transform the network security policy and firewall policy to the same range value, represent and analyze their spatial relationships to detect their inconsistencies. The proposed system has been successfully implemented in a prototype system. We have been confirmed the effectiveness of the proposed system.\",\"PeriodicalId\":375145,\"journal\":{\"name\":\"2010 First International Conference on Networking and Computing\",\"volume\":\"84 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2010-11-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2010 First International Conference on Networking and Computing\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IC-NC.2010.45\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 First International Conference on Networking and Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IC-NC.2010.45","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Inconsistency Detection System for Security Policy and Firewall Policy
Packet filtering in firewall either accepts or denies network packets based upon a set of pre-defined filters called firewall policy. Firewall policy is designed under the instruction of security policy. A network security policy is a generic document that outlines the needs for computer network access permissions. And it determines how firewall filters are designed. If inconsistencies, such as redundant filters, insufficient filters or contradict filters, exist between security policy and firewall policy, firewall policy could not filter packets exactly, and the network protected by the firewall will be affected. To resolve this problem, we propose an inconsistency detection system to detect the inconsistencies between the security policy and firewall policy. When the administrator could not get host IP addresses, port number and other specific values, according to the network configurations, our proposed system could transform the network security policy and firewall policy to the same range value, represent and analyze their spatial relationships to detect their inconsistencies. The proposed system has been successfully implemented in a prototype system. We have been confirmed the effectiveness of the proposed system.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
