{"title":"A declarative approach for global network security configuration verification and evaluation","authors":"M. Rahman, E. Al-Shaer","doi":"10.1109/INM.2011.5990556","DOIUrl":null,"url":null,"abstract":"With the increasing number of security devices and rules in the network, the complexity of detecting and tracing network security configuration errors become a very challenging task. This in turn increases the potential of security breaches due to rule conflicts, requirement violations or lack of security hardening. Most of the existing tools are either limited in scope as they do not offer a global analysis of different network devices or hard to comprehensively use because these tools are not declarative. Declarative logic programming can readily express network configurations and security requirements for verification analysis. In this paper, we use Prolog to model the entire network security configurations including topology, routing, firewall and IPSec. This is implemented in a tool called ConfigAnalyzer, which was also evaluated with large network and policy sizes. The tool allows for verifying reachability and security properties in flexible and expressive manner. It also allows for evaluating security configurations in terms of accessibilities credentials and rules.","PeriodicalId":433520,"journal":{"name":"12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops","volume":"26 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/INM.2011.5990556","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 8
Abstract
With the increasing number of security devices and rules in the network, the complexity of detecting and tracing network security configuration errors become a very challenging task. This in turn increases the potential of security breaches due to rule conflicts, requirement violations or lack of security hardening. Most of the existing tools are either limited in scope as they do not offer a global analysis of different network devices or hard to comprehensively use because these tools are not declarative. Declarative logic programming can readily express network configurations and security requirements for verification analysis. In this paper, we use Prolog to model the entire network security configurations including topology, routing, firewall and IPSec. This is implemented in a tool called ConfigAnalyzer, which was also evaluated with large network and policy sizes. The tool allows for verifying reachability and security properties in flexible and expressive manner. It also allows for evaluating security configurations in terms of accessibilities credentials and rules.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
