Inconsistency Detection System for Security Policy and Firewall Policy

Yi Yin, Xiaodong Xu, Y. Katayama, N. Takahashi
2010 First International Conference on Networking and Computing, published 2010-11-17. DOI: 10.1109/IC-NC.2010.45 (https://doi.org/10.1109/IC-NC.2010.45). Citations: 4.

Abstract

Packet filtering in a firewall either accepts or denies network packets based on a set of pre-defined filters called the firewall policy. The firewall policy is designed under the direction of the security policy. A network security policy is a generic document that outlines the requirements for computer network access permissions, and it determines how firewall filters are designed. If inconsistencies, such as redundant filters, insufficient filters or contradictory filters, exist between the security policy and the firewall policy, the firewall policy cannot filter packets correctly, and the network protected by the firewall is affected. To resolve this problem, we propose an inconsistency detection system that detects the inconsistencies between the security policy and the firewall policy. When the administrator cannot obtain host IP addresses, port numbers and other specific values, the proposed system transforms the network security policy and the firewall policy into the same range values according to the network configuration, and represents and analyzes their spatial relationships to detect their inconsistencies. The proposed system has been implemented in a prototype, and we have confirmed its effectiveness.
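As an added example that is not part of the paper, the following Python models both the security policy and the firewall filters as boxes over integer ranges, a constructed simplification of the range transformation the abstract describes, and classifies the three inconsistency kinds it names (redundant, insufficient, contradictory). The Rule fields, the first-match reading of redundancy, the single-filter coverage test and all sample values are assumptions.

```python
# Added illustrative model, not the paper's code: policy statements and firewall
# filters are both expressed as boxes over integer ranges and compared spatially.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive [low, high]

@dataclass(frozen=True)
class Rule:
    name: str
    src: Range     # source addresses as an integer range (a subnet mapped to ints)
    dst: Range     # destination address range
    dport: Range   # destination port range
    action: str    # "accept" or "deny"

    def box(self) -> List[Range]:
        return [self.src, self.dst, self.dport]

def intersects(a: Rule, b: Rule) -> bool:
    """Two boxes share traffic iff the ranges overlap on every dimension."""
    return all(x[0] <= y[1] and y[0] <= x[1] for x, y in zip(a.box(), b.box()))

def covers(outer: Rule, inner: Rule) -> bool:
    """outer covers inner iff inner lies inside outer on every dimension."""
    return all(o[0] <= i[0] and i[1] <= o[1] for o, i in zip(outer.box(), inner.box()))

def detect(policy: List[Rule], firewall: List[Rule]) -> Dict[str, List[str]]:
    """Report the three inconsistency kinds named in the abstract."""
    found: Dict[str, List[str]] = {"redundant": [], "insufficient": [], "contradictory": []}
    for i, f in enumerate(firewall):  # redundant: an earlier same-action filter already covers it
        for e in firewall[:i]:
            if f.action == e.action and covers(e, f):
                found["redundant"].append(f"{f.name} covered by {e.name}")
    for p in policy:
        # insufficient: no single same-action filter covers the whole requirement
        # (simplification: coverage by a union of several filters is not computed)
        if not any(f.action == p.action and covers(f, p) for f in firewall):
            found["insufficient"].append(p.name)
        for f in firewall:  # contradictory: shares traffic with the requirement but acts oppositely
            if f.action != p.action and intersects(p, f):
                found["contradictory"].append(f"{p.name} vs {f.name}")
    return found

# Constructed sample; addresses collapsed to small integers for readability.
POLICY = [Rule("P1 lan->web", (10, 19), (200, 200), (80, 80), "accept"),
          Rule("P2 guest->db", (20, 29), (300, 300), (3306, 3306), "deny")]
FIREWALL = [Rule("F1", (10, 19), (200, 200), (80, 80), "accept"),
            Rule("F2", (12, 15), (200, 200), (80, 80), "accept"),      # inside F1: redundant
            Rule("F3", (20, 24), (300, 300), (3306, 3306), "accept")]  # opposite of P2: contradictory
```

Calling `detect(POLICY, FIREWALL)` flags F2 as redundant, P2 as insufficient (no deny filter covers it) and F3 as contradicting P2 on part of its range.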