DOI: 10.1145/3638584.3638666 (research article)

Inconsistency Detecting and Resolving for Security Policy and IPv6 Firewall Policy

Published: 14 March 2024

Abstract

Firewalls are the first line of defense in network security. Packet filtering is a basic firewall function: it filters network packets according to an ordered series of rules, collectively called the firewall policy. A firewall policy should conform to the organization's security policy, a generic guideline that lists the basic requirements for network access permissions. However, even for IPv4 firewall policies it is extremely hard to keep the firewall policy consistent with the security policy. Several methods for detecting inconsistencies between a security policy and an IPv4 firewall policy have been proposed. The IPv6 address space, however, is very large, so the existing inconsistency detection methods cannot be applied directly to IPv6 firewall policies. To resolve this problem, in this work we use a formal technique to find and eliminate inconsistencies between a security policy and an IPv6 firewall policy. We also build a prototype system and evaluate the effectiveness of the proposed method through experiments.
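The abstract describes checking an IPv6 firewall policy against a security policy and eliminating the inconsistencies found, but gives no detail of the formal technique on this page. The following is an added example, not code from the paper or its prototype. It represents each firewall rule and each security-policy requirement as a box of (source prefix, destination prefix, destination port) intervals over the 128-bit address space, walks the rules in first-match order, and reports every region of the requirement's packet space on which the firewall decides differently, together with a concrete witness packet; it then resolves the conflict by inserting the requirement as a rule ahead of the first offending rule. The interval decomposition is a substitute chosen for this example rather than the paper's method; the documentation prefixes, the three rules, and the requirement are constructed for illustration, and protocol and source-port fields are omitted.

```python
"""Inconsistency detection between a security-policy requirement and an
ordered IPv6 firewall policy (added example; not the paper's prototype).

Packets are points in (src address, dst address, dst port); rules and
requirements are boxes (products of closed integer intervals) in that space,
so the 2^128 address range is never enumerated.  Protocol and source port
are left out to keep the example short."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, int]                      # inclusive (lo, hi)
Cube = Tuple[Interval, Interval, Interval]      # (src, dst, dport)


def prefix_range(prefix: str) -> Interval:
    """IPv6 prefix -> inclusive 128-bit integer range."""
    net = ipaddress.IPv6Network(prefix)
    return int(net.network_address), int(net.broadcast_address)


@dataclass(frozen=True)
class Rule:
    src: str            # IPv6 source prefix
    dst: str            # IPv6 destination prefix
    ports: Interval     # inclusive destination port range
    action: str         # "accept" or "deny"

    def cube(self) -> Cube:
        return (prefix_range(self.src), prefix_range(self.dst), self.ports)


def intersect(a: Cube, b: Cube) -> Optional[Cube]:
    """Packets common to two cubes, or None if they are disjoint."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return (out[0], out[1], out[2])


def subtract(a: Cube, b: Cube) -> List[Cube]:
    """Packets of a that are not in b, as disjoint cubes (b must lie inside a).
    Dimension by dimension, peel off the slab below and above b's interval."""
    pieces: List[Cube] = []
    rest = list(a)
    for i, ((lo, hi), (blo, bhi)) in enumerate(zip(a, b)):
        if lo < blo:
            c = list(rest); c[i] = (lo, blo - 1); pieces.append(tuple(c))
        if bhi < hi:
            c = list(rest); c[i] = (bhi + 1, hi); pieces.append(tuple(c))
        rest[i] = (blo, bhi)    # later slabs are cut inside b's range here
    return pieces


def check(rules: List[Rule], default: str, req: Rule) -> List[Dict]:
    """Every region of req's packet space that the firewall decides differently
    from req.action, with the index of the deciding rule (None = default)."""
    pending = [req.cube()]          # parts of req not matched by any rule yet
    findings: List[Dict] = []
    for idx, rule in enumerate(rules):
        nxt: List[Cube] = []
        for c in pending:
            hit = intersect(c, rule.cube())
            if hit is None:
                nxt.append(c)
                continue
            if rule.action != req.action:
                findings.append({"rule": idx, "cube": hit, "got": rule.action})
            nxt.extend(subtract(c, hit))   # first match wins: drop the hit part
        pending = nxt
    if default != req.action:
        findings += [{"rule": None, "cube": c, "got": default} for c in pending]
    return findings


def witness(cube: Cube) -> Tuple[str, str, int]:
    """One concrete packet inside a cube (its lowest corner)."""
    (s, _), (d, _), (p, _) = cube
    return str(ipaddress.IPv6Address(s)), str(ipaddress.IPv6Address(d)), p


def resolve(rules: List[Rule], default: str, req: Rule) -> List[Rule]:
    """Insert req as a rule ahead of the earliest offending rule (or at the end
    if only the default action offends) so that check() returns []."""
    findings = check(rules, default, req)
    if not findings:
        return list(rules)
    hit = [f["rule"] for f in findings if f["rule"] is not None]
    pos = min(hit) if hit else len(rules)
    return rules[:pos] + [req] + rules[pos:]


# Constructed sample policy (documentation prefixes; not from the paper).
FIREWALL = [
    Rule("2001:db8:1::/48", "2001:db8:2::/48", (22, 22), "accept"),    # ops -> servers, SSH
    Rule("2001:db8::/32",   "2001:db8:2::/48", (1, 65535), "accept"),  # far too broad
    Rule("::/0",            "2001:db8:2::/48", (22, 22), "deny"),      # shadowed for /32 sources
]
DEFAULT = "deny"
# Security-policy requirement: the guest network must not reach SSH on the servers.
REQUIREMENT = Rule("2001:db8:9::/48", "2001:db8:2::/48", (22, 22), "deny")

if __name__ == "__main__":
    for f in check(FIREWALL, DEFAULT, REQUIREMENT):
        print("rule", f["rule"], "decides", f["got"], "for e.g.", witness(f["cube"]))
    print("after resolution:", check(resolve(FIREWALL, DEFAULT, REQUIREMENT), DEFAULT, REQUIREMENT))
```

Because the requirement space is carved into boxes rather than enumerated, the check costs time proportional to the number of rules times the number of fragments, not to the size of the /48, which is the reason the same idea scales from IPv4 to 128-bit addresses. The resolution strategy is deliberately simple: it guarantees the requirement but may shadow later rules over the requirement's space, so in practice the inserted rule should be reviewed rather than applied blindly.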


    Published In

    CSAI '23: Proceedings of the 2023 7th International Conference on Computer Science and Artificial Intelligence
    December 2023
    563 pages
    ISBN:9798400708688
    DOI:10.1145/3638584

    Publisher: Association for Computing Machinery, New York, NY, United States

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    CSAI 2023

    Article Metrics

    Reflects downloads up to 08 Feb 2025: 0 total citations; 30 total downloads (30 in the last 12 months, 2 in the last 6 weeks).
