A formal approach for network security policy validation

1 Politecnico di Torino, Dip. di Automatica e Informatica, Torino, Italy
2 CNR-IEIIT, c.so Duca degli Abruzzi 24, Torino I-10129, Italy
{first.last}@polito.it

Abstract

Network security is a crucial aspect for administrators
due to increasing network size and number of functions and controls (e.g.
firewall, DPI, parental control). Errors in configuring security controls may
result in serious security breaches and vulnerabilities (e.g. blocking
legitimate traffic or permitting unwanted traffic) that must be absolutely
detected and addressed. This work proposes a novel approach for validating
network policy enforcement by checking the network status and configuration,
and for detecting the possible causes in case of misconfiguration or software
attacks. Our contribution exploits formal methods to model and validate the
packet processing and forwarding behaviour of
security controls, and to validate the trustworthiness of the controls by
using remote attestation. A prototype implementation of this approach is
proposed to validate different scenarios.

Keywords: network security policy, policy conflict analysis, policy validation, remote attestation.

+: Corresponding author: Fulvio Valenza

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA)