Authors: Hicham El-Khoury; Romain Laborde; François Barrère; Abdelmalek Benzekri; Maroun Chamoun
Addresses: IRIT, University Paul Sabatier, Toulouse, France (El-Khoury, Laborde, Barrère, Benzekri); Saint Joseph University, Beirut, Lebanon (Chamoun)
Abstract: Implementing a network security policy requires configuring heterogeneous and complex security mechanisms (IPsec gateways, ACLs on routers, stateful firewalls, proxies, etc.). The complexity of this task lies in the number, the nature and the interdependence of these mechanisms. Although several researchers have proposed analysis tools, the task still requires experienced and proficient security administrators who can handle all of these parameters, because a generic formal theory for reasoning about network data flows and security mechanisms is missing. In previous articles, we proposed a formal data-flow-oriented model to detect network security conflicts. In this article, we supplement it with a generic model of equipment configuration built on our attribute-based approach. Network security services are represented by atomic abstract functions, called 'basic commands', that can modify the data flow; from this representation we define an abstract model of configuration. Finally, we specify the approach in coloured Petri nets to automate the conflict detection analysis and test it on a NAPT/IPsec scenario.
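The following is an added illustration, not code from the article: a minimal attribute-based data-flow model in Python in which a flow is a set of attributes and each security service is a "basic command" that transforms (or drops) the flow. It replays the NAPT/IPsec scenario the abstract mentions in its simplest form, the ordering conflict: a NAPT command placed before the IPsec gateway rewrites the source address, so the flow no longer matches the SPD selector that should have protected it and leaves in the clear. The networks, addresses, SPD entries and the requirement predicate are constructed for the example; real NAT/IPsec interactions (AH integrity over the IP header, ESP hiding transport ports, NAT-T) are deliberately out of scope, and the formalism differs from the article's own model.

```python
"""Toy attribute-based data-flow model of a NAPT/IPsec ordering conflict.

Added example, not the article's formalism. Addresses and policies below are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A data flow reduced to the attributes this scenario needs."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    sa: Optional[str] = None  # name of the IPsec SA protecting the flow, None if in clear


# A basic command maps a flow to a modified flow, or to None when the flow is dropped.
Command = Callable[[Flow], Optional[Flow]]

# Constructed topology: private site, partner site reached over IPsec, public address of the gateway.
PRIVATE = "10.0.0.0/24"
PARTNER = "192.168.1.0/24"
PUBLIC_IP = "203.0.113.1"


def in_net(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net)


def make_napt(public_ip: str, first_port: int = 40000) -> Command:
    """NAPT basic command: rewrite the source address and allocate a new source port."""
    ports = count(first_port)

    def napt(f: Flow) -> Optional[Flow]:
        return replace(f, src=public_ip, sport=next(ports))

    return napt


def make_ipsec(spd: List[Tuple[str, str, str, Optional[str]]]) -> Command:
    """IPsec gateway basic command driven by an SPD.

    Each entry is (src_net, dst_net, action, sa); first match wins. Unmatched traffic is
    discarded, which is the RFC 4301 default for a flow with no SPD entry.
    """
    def ipsec(f: Flow) -> Optional[Flow]:
        for src_net, dst_net, action, sa in spd:
            if in_net(f.src, src_net) and in_net(f.dst, dst_net):
                if action == "protect":
                    return replace(f, sa=sa)
                if action == "bypass":
                    return f
                return None  # discard
        return None

    return ipsec


def run_chain(chain: List[Command], f: Flow) -> Optional[Flow]:
    """Apply the equipment's commands in configuration order; stop when the flow is dropped."""
    for cmd in chain:
        f = cmd(f)
        if f is None:
            return None
    return f


def must_be_protected(f_in: Flow, f_out: Optional[Flow]) -> bool:
    """Constructed policy requirement: every private-to-partner flow leaves under an SA."""
    if in_net(f_in.src, PRIVATE) and in_net(f_in.dst, PARTNER):
        return f_out is not None and f_out.sa is not None
    return True


def find_conflicts(chain: List[Command], flows: List[Flow]) -> List[Flow]:
    """Flows whose treatment by the configured chain violates the requirement."""
    return [f for f in flows if not must_be_protected(f, run_chain(chain, f))]


SPD = [
    (PRIVATE, PARTNER, "protect", "SA-partner"),
    ("0.0.0.0/0", "0.0.0.0/0", "bypass", None),
]

# Two configurations of the same gateway, differing only in the order of the basic commands.
CHAIN_IPSEC_FIRST = [make_ipsec(SPD), make_napt(PUBLIC_IP)]
CHAIN_NAPT_FIRST = [make_napt(PUBLIC_IP), make_ipsec(SPD)]

# Constructed sample flows: one to the partner site (must be protected), one to the Internet.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.168.1.10", "tcp", 51000, 443),
    Flow("10.0.0.5", "198.51.100.7", "tcp", 51001, 80),
]

if __name__ == "__main__":
    for name, chain in (("ipsec->napt", CHAIN_IPSEC_FIRST), ("napt->ipsec", CHAIN_NAPT_FIRST)):
        bad = find_conflicts(chain, SAMPLE_FLOWS)
        print(f"{name}: {len(bad)} conflict(s)", [(f.src, f.dst) for f in bad])
```

Running it reports no conflict for the IPsec-then-NAPT order and one conflict for NAPT-then-IPsec: the partner-bound flow arrives at the SPD with source 203.0.113.1, matches only the bypass entry and is sent unprotected. The same detection loop extends to any chain of basic commands, which is the point of modelling services as flow transformations rather than reasoning about each mechanism's syntax separately.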
Keywords: data flow; specification method; network security configurations; network security policy; security conflict detection; attribute-based approach; configuration abstract model; coloured Petri nets; CPNs; modelling; equipment configuration.
International Journal of Internet Protocol Technology, 2014 Vol.8 No.2/3, pp.58 - 76
Published online: 17 Dec 2014