Directed Security Policies: A Stateful Network Implementation
Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, f...
Main Authors: | Cornelius Diekmann, Lars Hupel, Georg Carle |
---|---|
Format: | Article |
Language: | English |
Published: | Open Publishing Association, 2014-05-01 |
Series: | Electronic Proceedings in Theoretical Computer Science |
Online Access: | http://arxiv.org/pdf/1405.1114v1 |
_version_ | 1819242493914382336 |
---|---|
author | Cornelius Diekmann Lars Hupel Georg Carle |
author_facet | Cornelius Diekmann Lars Hupel Georg Carle |
author_sort | Cornelius Diekmann |
collection | DOAJ |
description | Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover. |
first_indexed | 2024-12-23T14:40:41Z |
format | Article |
id | doaj.art-d900db75a9e54d0abda707fcd1d81554 |
institution | Directory Open Access Journal |
issn | 2075-2180 |
language | English |
last_indexed | 2024-12-23T14:40:41Z |
publishDate | 2014-05-01 |
publisher | Open Publishing Association |
record_format | Article |
series | Electronic Proceedings in Theoretical Computer Science |
spelling | doaj.art-d900db75a9e54d0abda707fcd1d81554; 2022-12-21T17:43:13Z; eng; Open Publishing Association; Electronic Proceedings in Theoretical Computer Science; 2075-2180; 2014-05-01; 150; Proc. ESSS 2014; 20; 34; 10.4204/EPTCS.150.3:1; Directed Security Policies: A Stateful Network Implementation; Cornelius Diekmann, Lars Hupel, Georg Carle (all Technische Universität München); Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover.; http://arxiv.org/pdf/1405.1114v1 |
title | Directed Security Policies: A Stateful Network Implementation |
url | http://arxiv.org/pdf/1405.1114v1 |