Automatic Verification of Firewall Configuration with Respect to Security Policy Requirements
Soutaro Matsumoto¹ and Adel Bouhoula²

¹ Graduate School of System and Information Engineering, University of Tsukuba, Japan, soutaro@score.cs.tsukuba.ac.jp
² Higher School of Communication of Tunis (Sup'Com), University of November 7th at Carthage, Tunisia, adel.bouhoula@supcom.rnu.tn

Abstract. Firewalls are key security components in computer networks. They filter network traffic based on an ordered list of filtering rules. Firewall configurations must be correct and complete with respect to security policies. A security policy is a set of predicates that gives a high-level description of traffic controls. In this paper, we propose an automatic method to verify the correctness of a firewall configuration. We have defined a boolean formula representation of security policy. With the boolean formula representations of security policy and firewall configuration, we can formulate the condition that ensures correctness of the firewall configuration. We use a SAT solver to check the validity of the condition. If the configuration is not correct, our method produces an example packet to help users correct the configuration. We have implemented a prototype verifier and obtained some experimental results. The first results were very promising.

Keywords: Firewall Configuration, Security Policy, Automatic Verification, SAT Solver.

1 Introduction

Firewalls are key security components in computer networks. They filter packets to control network traffic based on an ordered list of filtering rules. Filtering rules describe which packets should be accepted or rejected. Each filtering rule consists of a packet pattern and an action. A firewall rejects or accepts a packet according to whether the first rule in its configuration that matches the packet rejects or accepts it.

Security policies are high-level descriptions of traffic controls. They define which connections are allowed. They are sets of predicates.
A security policy rejects or accepts a connection according to whether the most specific predicate that matches the connection rejects or accepts it.

Firewalls should be configured correctly with respect to security policies. A correct configuration rejects or accepts a connection if and only if the security policy rejects or accepts that connection. However, the correctness of firewall configurations is not obvious. Consider for example the following security policy.

1. All users in LAN can access Internet
2. All users in LAN1 cannot access youtube.com
3. All users in LAN2 can access youtube.com

E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp , springerlink.com Springer-Verlag Berlin Heidelberg 2009
Fig. 1. Structure of the Network

There are three predicates. Assume that we have a network LAN with two subnetworks LAN1 and LAN2, and that there is a website youtube.com in the Internet. The structure of the networks is shown in figure 1. The first predicate is the most general one; it allows all users in LAN to access any web site in the Internet. The second predicate is more specific than the first; it prohibits users in LAN1 from accessing youtube.com. The third predicate allows users in LAN2 to access youtube.com.

Under this security policy, users in LAN1 cannot access youtube.com. Since the second predicate is the most specific one for a connection from LAN1 to youtube.com, the connection will be rejected.

Consider for example the following firewall configuration in Cisco's format.

access-list 101 permit tcp any eq 80
access-list 102 reject tcp eq 80
access-list 103 permit tcp eq 80

There are three rules named 101, 102, and 103. Rule 101 permits connections from *.* to any host. * is wildcard. Rule 102 rejects packets from * to Rule 103 permits packets from * to Assume that the network LAN has address *.*, LAN1 and LAN2 have * and * respectively, and youtube.com has address

This configuration can be read as a straightforward translation of the security policy. Unfortunately, this configuration is incorrect. Since the first rule that matches a given connection is applied, a connection from LAN1 matches the first rule and is accepted even if the destination is youtube.com.

We propose a method to verify the correctness of firewall configurations with respect to security policies. Security policy P and firewall configuration F are translated into boolean formulae $Q_P$ and $Q_F$. The correctness of the firewall configuration is reduced to the equivalence of the two formulae. The equivalence of the two formulae is checked by satisfiability of Q P Q F. If the formula is satisfiable, $Q_P$ and $Q_F$ are not equivalent and F is not correct.
A counterexample packet will be produced such that P and F give different answers for the packet. The counterexample will help users to find and correct mistakes in their configurations.

1.1 Related Work

There is a lot of work on the development of formal languages for security policy description [1, 2]. Our formalization of security policy is very abstract, but essentially equivalent to them. The works are so technical that we simplified the definition of security policy.

There are some works on efficient testing of firewalls based on security policies [3, 4]. Their approaches generate test cases from the security policy and then test networks with the test cases. Our method only verifies the correctness of the configuration of the firewall. The simplification makes our method very simple and fast. The essence of our method is the definition of the boolean formula representation. Other steps are applications of well-known logical operations. The fact that our method is performed on our computers makes verification much faster and easier than testing by sending packets to real networks. This also makes it possible to use SAT solvers to prove the correctness.

Detecting anomalies in firewall configurations is also an important issue [5]. Detection of anomalies helps to find mistakes in a configuration, but it does not find mistakes by itself.

Hazelhurst has presented a boolean formula representation of firewall configuration, which can be used to express filtering rules [6]. The boolean formula representation can be simplified with Binary Decision Diagrams to improve the performance of filtering. In this paper, we use the boolean formula representations of firewall configuration and packets.

2 Security Policy and Firewall Configuration

We present a formal definition of security policy and firewall configuration. The definitions are very abstract. We clarify the assumptions of our formalization about security policy.

2.1 Security Policy

A security policy is a set of policy predicates. Policy predicates consist of an action, a source address, and a destination address. Actions are accept or deny. The syntax of security policy is given in figure 2. A policy is a set of predicates. A predicate consists of an action K, a source address, and a destination address. Action K is accept A or deny D.
A predicate A(s, d) reads "Connection from s to d is accepted". A predicate D(s, d) reads "Connection from s to d is denied". A network address is a set. Packets are pairs of a source address and a destination address. Packet p from source address s to destination address d matches predicate K(s', d') if and only if s s' d d' holds.

We have a partial order relation on policy predicates.

K(s, d) K (s, d ) s s d d

If q q holds, q is more general than q' or q' is more specific than q.

Packet p is accepted by security policy P if the action of the most specific policy predicate that matches p is A, and p is rejected by P if the action of the most specific policy predicate that matches p is D.
policy ::= { predicate, ..., predicate }
predicate ::= K(address, address)
address ::= Network Address
K ::= A    Accept
      D    Deny

Fig. 2. Syntax of Security Policy

configuration ::= rule :: configuration
                  φ
rule ::= K(address, address)
address ::= Network Address
K ::= A    Accept
      D    Deny

Fig. 3. Syntax of firewall configuration

Example. The security policy we have shown in section 1 can be represented as $P = \{ q_1, q_2, q_3 \}$ where $q_1$, $q_2$ and $q_3$ are defined as follows:

1. $q_1$ = A(LAN, Internet)
2. $q_2$ = D(LAN1, youtube.com)
3. $q_3$ = A(LAN2, youtube.com)

We have ordering of policy predicates q 1 q 2 and q 1 q 3.

Assumptions. To ensure the consistency of security policy, we assume that we can find the most specific policy predicate for any packet. We assume that the following formula holds for any two different predicates K(s, d) and K (s, d ).

s d s d s d s d s d s d = φ

Tree View of Security Policy. We can see security policies as trees, such that the root is the most general predicate and the children of each node are the set of more specific predicates. We define an auxiliary function $C_P(q)$ which maps predicate q in security policy P to the set of its children.

C P (q) = { q q P q q ( q P. q q q q) }

For instance, $C_P(q) = \{ q_2, q_3 \}$ and $C_P(q_2) = C_P(q_3) = \phi$ for the previous example.

2.2 Firewall Configuration

The syntax of firewall configuration is given in figure 3. Configurations of firewalls are ordered lists of rules. Rules consist of an action, a source address, and a destination address. Actions are accept A or deny D.
A packet is accepted by a firewall configuration if and only if the action of the first rule in the configuration that matches the source and destination address of the packet is A.

The main difference between security policies and firewall configurations is that rules in firewalls form an ordered list, whereas predicates in security policies form trees.

3 Boolean Formula Representation

We present a boolean formula representation of security policy and firewall configuration in this section. This section also includes a boolean formula representation of network addresses and packets. In the previous section, we did not define a concrete representation of network addresses and packets.¹ The boolean formula representations of network address and firewall configuration were proposed by Hazelhurst [6].

3.1 Boolean Formula Representation of Network Addresses and Packets

Network addresses are IPv4 addresses. Since IPv4 addresses are 32 bit unsigned integers, we need 32 logical variables to represent each address. IP addresses are represented as a conjunction of 32 variables or their negations, so that each variable represents a bit in the IP address. If the ith bit of the address is 1 then variable $a_i$ should evaluate to true. For example an IP address is represented as the following.

$a_{32} \wedge a_{31} \wedge \neg a_{30} \wedge \neg a_{29} \wedge \neg a_{28} \wedge \neg a_{27} \wedge \neg a_{26} \wedge \neg a_{25} \wedge a_{24} \wedge \neg a_{23} \wedge a_{22} \wedge \neg a_{21} \wedge a_{20} \wedge \neg a_{19} \wedge \neg a_{18} \wedge \neg a_{17} \wedge \neg a_{16} \wedge \neg a_{15} \wedge \neg a_{14} \wedge \neg a_{13} \wedge \neg a_{12} \wedge \neg a_{11} \wedge \neg a_{10} \wedge \neg a_{9} \wedge \neg a_{8} \wedge \neg a_{7} \wedge \neg a_{6} \wedge \neg a_{5} \wedge \neg a_{4} \wedge \neg a_{3} \wedge \neg a_{2} \wedge a_{1}$

Here, $a_1$ is the variable for the lowest bit and $a_{32}$ is for the highest bit.

«p» is an environment, which represents packet p. Packets consist of a source address and a destination address. We have two sets of boolean variables, $s = \{ s_1, \dots, s_{32} \}$ and $d = \{ d_1, \dots, d_{32} \}$. They represent the source address and destination address of a packet respectively. If packet p is from address , «p» s is the following.
{ s 32 T, s 31 T, s 30 F, s 29 F, s 28 F, s 27 F, s 26 F, s 25 F, s 24 T, s 23 F, s 22 T, s 21 F, s 20 T, s 19 F, s 18 F, s 17 F, s 16 F, s 15 F, s 14 F, s 13 F, s 12 F, s 11 F, s 10 F, s 9 F, s 8 F, s 7 F, s 6 F, s 5 F, s 4 F, s 3 F, s 2 F, s 1 T,

«p» also includes assignments of d for destination address of p.

a, b is a boolean formula such that «p» a, b holds if and only if packet p is from a to b , b is like the following boolean formula.

s 32 s 31 s 30 s 29 s 28 s 27 s 26 s 25

¹ Without loss of generality, we have a simplified representation of network addresses. We can easily extend this representation to support net-masks, range of ports, or other features as proposed by Hazelhurst.
These are only eight components of the formula. They are the same as the highest eight components of the boolean formula representation of IP address

3.2 Boolean Formula Representation of Security Policy

Security Policy P can be represented as boolean formula $Q_P$, such that p : Packet. P accept p «p» Q P holds. We define a translation $B_P(q, \beta)$ which maps a policy predicate q in security policy P to its boolean formula representation.

B P (A(a, b), T) = a, b (T q C B P (q, T))
B P (A(a, b), F) = a, b ( q C B P (q, T))
B P (D(a, b), T) = a, b ( q C B P (q, F))
B P (D(a, b), F) = a, b (T q C B P (q, F))
where C = C P (q)

We can obtain the boolean formula representation of security policy P as $B_P(q, F)$ where q is the most general predicate in P.

Example. The following is an example of the transformation from security policy P in section 2 to its boolean formula representation. The boolean formula representation of P is obtained by $B_P(q_1, F)$ since $q_1$ is the most general predicate.

B P (A(LAN, Internet), F) = LAN.Internet B P (q 2, T) B P (q 3,T)
B P (D(LAN1, youtube.com), T) = LAN1.youtube.com
B P (A(LAN2, youtube.com), T) = LAN2.youtube.com T

Finally we have the following formula after some simplifications.

LAN.Internet LAN1.youtube.com

Consider a packet from LAN1 to youtube.com: the first component in the formula evaluates to true, but the second component evaluates to false. The whole expression evaluates to false, so the packet is rejected.

3.3 Boolean Formula Representation of Firewall Configuration

Firewall configuration F can be represented as boolean formula $Q_F$, such that p: Packet. F accept p «p» Q F holds. B(F) is a mapping from F to $Q_F$.

B(φ) = F
B(A(a, b) :: rules) = a, b B(rules)
B(D(a, b) :: rules) = a, b B(rules)

4 Experimental Results

We have implemented a prototype verifier. The verifier reads a security policy and a firewall configuration, and verifies the correctness of the configuration. It supposes that we have IPv4 addresses with net-masks and port numbers of 16 bit unsigned integer with range support. The verifier uses MiniSAT to solve SAT [7].

In our verifier packets consist of two network addresses and a protocol. Network addresses are pairs of a 32 bit unsigned integer which represents an IPv4 address and a 16 bit unsigned integer which represents a port number. The protocols are TCP, UDP, or ICMP. Thus, a formula for one packet includes up to 99 variables: two variables for source and destination addresses and three variables for protocol.

We have verified some firewall configurations. Our experiments were performed on an Intel Core Duo 2.16 GHz processor with 2 Gbytes of RAM. Table 1 summarizes our results. The first two columns show the size of the inputs, that is, the number of predicates in the security policy and the number of filtering rules in the firewall configuration. The third column shows the size of the input for the SAT solver. The last column shows the running times of our verifier. It includes all processing time from reading the inputs to printing the results. All of the inputs were correct because it is the most time consuming case. These results show that our method verifies fast enough with not so big inputs.

If configurations are not correct, then the verifier produces a counterexample packet. The following is an output of our verifier that shows a counterexample.

% verifyconfig verify ../samples/policy.txt ../samples/rules.txt
Loading policy... ok
Loading configuration... ok
Translating to CNF... ok
MiniSAT running... ok
Incorrect: for example [tcp : :80]

The counterexample tells that the security policy and firewall configuration will give different answers for a packet from of port 0 to of port 80. Testing the firewall with the counterexample will help users to correct the configuration.

Table 1. Experimental Results (columns: # of predicates, # of rules, size of SAT, running time (s))

5 Conclusion

In this paper, we have defined a boolean formula representation of security policy, which can be used in a lot of applications. We have also proposed an automatic method to verify the correctness of firewall configurations with respect to security policies. The method translates both inputs into boolean formulae and then verifies their equivalence by checking satisfiability. We have obtained experimental results with some small examples using our prototype implementation. Our method can verify the configuration of a centralized firewall. We are working on generalizing our method to distributed firewalls.
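The check of sections 3.2 and 3.3 and the counterexample of section 4, worked through on the LAN1 / youtube.com example, as an added example that is not the authors' verifier. Assumptions: addresses are 4-bit patterns with `*` wildcard bits (all address values are constructed), exhaustive enumeration stands in for MiniSAT, the connectives in `policy_formula` are one reading of $B_P$ chosen so that it reproduces the page's simplified result for P, and the reordered `FIXED_RULES` list is this example's own.

```python
# Added example: policy/firewall equivalence check on a 4-bit toy address space.
W = 4  # address width in bits (assumption; the paper uses 32-bit IPv4 addresses)

# Constructed address patterns: one character per bit, '*' is a wildcard bit.
LAN, LAN1, LAN2 = "1***", "10**", "11**"
INTERNET, YOUTUBE = "0***", "0101"

# The page's policy P = {q1, q2, q3}; a predicate or rule is (action, source, destination).
POLICY = [("A", LAN, INTERNET), ("D", LAN1, YOUTUBE), ("A", LAN2, YOUTUBE)]
# The page's incorrect configuration: the policy copied top to bottom as rules.
NAIVE_RULES = list(POLICY)
# A corrected ordering (assumption of this example): specific rules first.
FIXED_RULES = [POLICY[1], POLICY[2], POLICY[0]]


def covers(general, specific):
    """True if every address matched by `specific` is also matched by `general`."""
    return all(g == "*" or g == s for g, s in zip(general, specific))


def more_general(q, r):
    """Strict partial order on predicates: q is more general than r."""
    return q != r and covers(q[1], r[1]) and covers(q[2], r[2])


def children(policy, q):
    """C_P(q): predicates directly below q in the tree view of the policy."""
    below = [r for r in policy if more_general(q, r)]
    return [r for r in below if not any(more_general(m, r) for m in below)]


def policy_formula(policy, q, default):
    """B_P(q, beta): `default` is the verdict for packets that q does not match."""
    action, src, dst = q
    kids = children(policy, q)
    if action == "A":   # inside an accept region, no child may deny the packet
        inner = ("and", [policy_formula(policy, c, True) for c in kids])
    else:               # inside a deny region, some child must re-allow the packet
        inner = ("or", [policy_formula(policy, c, False) for c in kids])
    m = ("match", src, dst)
    return ("or", [("not", m), inner]) if default else ("and", [m, inner])


def firewall_formula(rules):
    """B(F): first-match semantics of an ordered rule list."""
    if not rules:
        return ("or", [])                      # empty disjunction, i.e. false
    (action, src, dst), rest = rules[0], firewall_formula(rules[1:])
    m = ("match", src, dst)
    return ("or", [m, rest]) if action == "A" else ("and", [("not", m), rest])


def holds(f, s, d):
    """Evaluate formula f for a packet with source bits s and destination bits d."""
    op = f[0]
    if op == "match":                          # conjunction of the fixed bits
        return covers(f[1], s) and covers(f[2], d)
    if op == "not":
        return not holds(f[1], s, d)
    results = (holds(g, s, d) for g in f[1])
    return all(results) if op == "and" else any(results)


def counterexample(policy, rules):
    """Return (src, dst, policy_accepts, firewall_accepts) where they differ, else None."""
    root = next(q for q in policy if not any(more_general(r, q) for r in policy))
    q_p = policy_formula(policy, root, False)
    q_f = firewall_formula(rules)
    for n in range(2 ** (2 * W)):              # exhaustive search replaces the SAT solver
        s = format(n >> W, f"0{W}b")
        d = format(n & (2 ** W - 1), f"0{W}b")
        p_ok, f_ok = holds(q_p, s, d), holds(q_f, s, d)
        if p_ok != f_ok:
            return s, d, p_ok, f_ok
    return None


if __name__ == "__main__":
    print("naive rules:", counterexample(POLICY, NAIVE_RULES))
    print("fixed rules:", counterexample(POLICY, FIXED_RULES))
```

The packet reported for the naive rule order comes from LAN1 and is addressed to youtube.com, the case the introduction describes: the policy denies it while the first matching rule accepts it.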
References

1. Hamdi, H., Bouhoula, A., Mosbah, M.: A declarative approach for easy specification and automated enforcement of security policy. International Journal of Computer Science and Network Security 8(2), (2008)
2. Abou El Kalam, A., Baida, R.E., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miége, A., Saurel, C., Trouessin, G.: Organization Based Access Control. In: 4th IEEE International Workshop on Policies for Distributed Systems and Networks (Policy 2003) (June 2003)
3. Senn, D., Basin, D.A., Caronni, G.: Firewall conformance testing. In: Khendek, F., Dssouli, R. (eds.) TestCom LNCS, vol. 3502, pp Springer, Heidelberg (2005)
4. Darmaillacq, V., Fernandez, J.C., Groz, R., Mounier, L., Richier, J.L.: Test generation for network security rules. In: Uyar, M.Ü., Duale, A.Y., Fecko, M.A. (eds.) TestCom LNCS, vol. 3964, pp Springer, Heidelberg (2006)
5. Abbes, T., Bouhoula, A., Rusinowitch, M.: Inference System for Detecting Firewall Filtering Rules Anomalies. In: Proceedings of the 23rd Annual ACM Symposium on Applied Computing, Fortaleza, Ceara, Brazil, pp (March 2008)
6. Hazelhurst, S.: Algorithms for analysing firewall and router access lists. CoRR cs.ni/ (2000)
7. Eén, N., Sörensson, N.: An extensible sat-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT LNCS, vol. 2919, pp Springer, Heidelberg (2003)
More informationParallelizing SAT Solver With specific application on solving Sudoku Puzzles
6.338 Applied Parallel Computing Final Report Parallelizing SAT Solver With specific application on solving Sudoku Puzzles Hank Huang May 13, 2009 This project was focused on parallelizing a SAT solver
More informationA Practical Evaluation Method of Network Traffic Load for Capacity Planning
A Practical Evaluation Method of Network Traffic Load for Capacity Planning Takeshi Kitahara, Shuichi Nawata, Masaki Suzuki, Norihiro Fukumoto, Shigehiro Ano To cite this version: Takeshi Kitahara, Shuichi
More informationHOW TURBO ACL S WORK
HOW TURBO ACL S WORK Basic information to know : The normal way IOS matches traffic to ACL s is that. o When a packet is received ( in case of an input acl ), the IOS checks if there are any ACL s applied
More informationRouters use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.
8.1. Access List Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list. Access lists describe the traffic type that will be controlled.
More informationDefining Route Maps. Information About Route Maps CHAPTER
20 CHAPTER This chapter describes route maps and includes the following sections: Information About Route Maps, page 20-1 Licensing Requirements for Route Maps, page 20-3 Guidelines and Limitations, page
More informationConfiguring IP Session Filtering (Reflexive Access Lists)
Configuring IP Session Filtering (Reflexive Access Lists) This chapter describes how to configure reflexive access lists on your router. Reflexive access lists provide the ability to filter network traffic
More informationAn Efficient XML Index Structure with Bottom-Up Query Processing
An Efficient XML Index Structure with Bottom-Up Query Processing Dong Min Seo, Jae Soo Yoo, and Ki Hyung Cho Department of Computer and Communication Engineering, Chungbuk National University, 48 Gaesin-dong,
More informationEnhancement Misconfiguration Management of Network Security Components Using Range Algorithm
280 IJCSNS International Journal of Computer Science and Network Security, VOL.9 No.6, June 2009 Enhancement Misconfiguration Management of Network Security Components Using Range Algorithm Ahmed Farouk
More informationCisco CCNA ACL Part II
Cisco CCNA ACL Part II Cisco CCNA Access List Applications This slide illustrates common uses for IP access lists. While this chapter focuses on IP access lists, the concept of access lists as mechanisms
More informationFull CNF Encoding: The Counting Constraints Case
Full CNF Encoding: The Counting Constraints Case Olivier Bailleux 1 and Yacine Boufkhad 2 1 LERSIA, Université de Bourgogne Avenue Alain Savary, BP 47870 21078 Dijon Cedex olivier.bailleux@u-bourgogne.fr
More informationGenerating Tests for Detecting Faults in Feature Models
Generating Tests for Detecting Faults in Feature Models Paolo Arcaini 1, Angelo Gargantini 2, Paolo Vavassori 2 1 Charles University in Prague, Czech Republic 2 University of Bergamo, Italy Outline Feature
More informationAction Language Verifier, Extended
Action Language Verifier, Extended Tuba Yavuz-Kahveci 1, Constantinos Bartzis 2, and Tevfik Bultan 3 1 University of Florida 2 Carnegie Mellon University 3 UC, Santa Barbara 1 Introduction Action Language
More informationSAT Solver. CS 680 Formal Methods Jeremy Johnson
SAT Solver CS 680 Formal Methods Jeremy Johnson Disjunctive Normal Form A Boolean expression is a Boolean function Any Boolean function can be written as a Boolean expression s x 0 x 1 f Disjunctive normal
More informationCNF Instances from the Software Package Installation Problem
CNF Instances from the Software Package Installation Problem Josep Argelich 1 and Inês Lynce 2 1 INESC-ID Rua Alves Redol 9, Lisboa, Portugal josep@sat.inesc-id.pt 2 INESC-ID and IST/TU Lisbon Rua Alves
More informationSAT Solver Heuristics
SAT Solver Heuristics SAT-solver History Started with David-Putnam-Logemann-Loveland (DPLL) (1962) Able to solve 10-15 variable problems Satz (Chu Min Li, 1995) Able to solve some 1000 variable problems
More informationCCNA Exploration Network Fundamentals. Chapter 06 Addressing the Network IPv4
CCNA Exploration Network Fundamentals Chapter 06 Addressing the Network IPv4 Updated: 20/05/2008 1 6.0.1 Introduction Addressing is a key function of Network layer protocols that enables data communication
More informationLab 6: Access Lists. Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 0/ R1
Lab 6: Access Lists Network Topology:- Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 0/0 192.168.0.1 255.255.255.0 ----- R1 Fa 0/1 192.168.10.1 255.255.255.0 ----- Se 0/0/0 10.0.0.1 255.255.255.252
More informationBDD-Based Software Model Checking with CPAchecker
BDD-Based Software Model Checking with CPAchecker Dirk Beyer and Andreas Stahlbauer University of Passau, Germany Abstract. In symbolic software model checking, most approaches use predicates as symbolic
More informationMinimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.
Minimum Satisfying Assignments for SMT Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U. 1 / 20 Satisfiability Modulo Theories (SMT) Today, SMT solvers
More informationConfiguring Logging for Access Lists
CHAPTER 17 This chapter describes how to configure access list logging for extended access lists and Webytpe access lists, and it describes how to manage deny flows. This section includes the following
More informationSpecifying and Solving Constraint Satisfaction Problems in B
Specifying and Solving Constraint Satisfaction Problems in B Michael Leuschel and Daniel Plagge Institut für Informatik, Universität Düsseldorf Universitätsstr. 1, D-40225 Düsseldorf { leuschel, plagge
More informationKUPF: 2-Phase Selection Model of Classification Records
KUPF: 2-Phase Selection Model of Classification Records KAKIUCHI Masatoshi Nara Institute of Science and Technology Background Many Internet services classify the data to be handled according to rules
More informationCisco IOS Firewall Intrusion Detection System Commands
Cisco IOS Firewall Intrusion Detection System Commands This chapter describes the commands used to configure the integrated Intrusion Detection System (IDS) features in Cisco IOS Firewall. Intrusion detection
More informationVerification of Distributed Firewalls
Verification of Distributed Firewalls Mohamed G. Gouda Department of Computer Sciences The University of Texas at Austin Austin, Texas 78712-0233, U.S.A. gouda@cs.utexas.edu Alex X. Liu Department of Computer
More informationA Rule-Based Intrusion Alert Correlation System for Integrated Security Management *
A Rule-Based Intrusion Correlation System for Integrated Security Management * Seong-Ho Lee 1, Hyung-Hyo Lee 2, and Bong-Nam Noh 1 1 Department of Computer Science, Chonnam National University, Gwangju,
More informationConfiguring WCCPv2. Information About WCCPv2. Send document comments to CHAPTER
CHAPTER 5 This chapter describes how to configure the Web Cache Communication Protocol version 2 (WCCPv2) on Cisco NX-OS devices. This chapter includes the following sections: Information About WCCPv2,
More informationTurbo-Charging Lemmas on Demand with Don t Care Reasoning
Turbo-Charging Lemmas on Demand with Don t Care Reasoning Aina Niemetz, Mathias Preiner and Armin Biere Institute for Formal Models and Verification (FMV) Johannes Kepler University, Linz, Austria http://fmv.jku.at/
More informationLearning Techniques for Pseudo-Boolean Solving and Optimization
Learning Techniques for Pseudo-Boolean Solving and Optimization José Faustino Fragoso Fremenin dos Santos September 29, 2008 Abstract The extension of conflict-based learning from Propositional Satisfiability
More informationConfiguring IP Services
CHAPTER 8 Configuring IP Services This chapter describes how to configure optional IP services supported by the Cisco Optical Networking System (ONS) 15304. For a complete description of the commands in
More informationA New Platform NIDS Based On WEMA
I.J. Information Technology and Computer Science, 2015, 06, 52-58 Published Online May 2015 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijitcs.2015.06.07 A New Platform NIDS Based On WEMA Adnan A.
More informationCSP- and SAT-based Inference Techniques Applied to Gnomine
CSP- and SAT-based Inference Techniques Applied to Gnomine Bachelor Thesis Faculty of Science, University of Basel Department of Computer Science Artificial Intelligence ai.cs.unibas.ch Examiner: Prof.
More informationNAT Support for Multiple Pools Using Route Maps
NAT Support for Multiple Pools Using Route Maps Document ID: 13739 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Access List Approach Host 1 to Host
More informationCCNA Course Access Control Lists
CCNA Course Access Control Lists Access Control Lists (ACL) Traffic Filtering Permit or deny packets moving through router Permit or deny (VTY) access to or from a router Traffic Identifying for special
More informationDiscrete Optimization. Lecture Notes 2
Discrete Optimization. Lecture Notes 2 Disjunctive Constraints Defining variables and formulating linear constraints can be straightforward or more sophisticated, depending on the problem structure. The
More informationAn Approach to Information Security Policy Modeling for Enterprise Networks
An Approach to Information Security Policy Modeling for Enterprise Networks Dmitry Chernyavskiy and Natalia Miloslavskaya Information Security of Banking Systems Department National Research Nuclear University
More informationConfiguring Logging for Access Lists
CHAPTER 20 This chapter describes how to configure access list logging for extended access lists and Webytpe access lists, and it describes how to manage deny flows. This chapter includes the following
More informationLab 8 (IP Addressing)
Islamic University of Gaza Faculty of engineering Computer Department. Computer Network Lab ECOM 4121 Prepared by : Eng. Eman Al- Kurdi Lab 8 (IP Addressing) Introduction: Each device on a network must
More informationMultihoming with BGP and NAT
Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2
More informationConfiguring Management Access
37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how
More informationCCNA Discovery 3 Chapter 8 Reading Organizer
Name Date Chapter 8 Reading Organizer After completion of this chapter, you should be able to: Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
More informationCCNA Security Official Cert Guide First Edition. Copyright 2015 Cisco Systems, Inc. ISBN-10: ISBN-13:
CCNA Security 210-260 Official Cert Guide First Edition Copyright 2015 Cisco Systems, Inc. ISBN-10: 1-58720-566-1 ISBN-13: 978-1-58720-566-8 Warning and Disclaimer Every effort has been made to make this
More information