Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

Pozo, S.; Ceballos, Rafael; Gasca, Rafael M.

doi:10.1016/j.infsof.2008.05.001

Cited by 13 publications

(23 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Hence, it is crucial to validate the models before transformations are executed. MDA does not provide any diagnosis stage as an integrated part of the architecture, although this idea has already presented in other studies [6] where the MDA architecture is extended with diagnosis points before model transformations.…”

Section: Framework Overviewmentioning

confidence: 99%

A Model-Driven engineering approach with diagnosis of non-conformance of security objectives in business process models

Varela-Vaca

Gasca

Ramirez

2011

2011 Fifth International Conference on Research Challenges in Information Science

View full text Add to dashboard Cite

Abstract-Several reports indicate that the highest business priorities include: business improvement, security, and IT management. The importance of security and risk management is gaining that even government statements in some cases have imposed the inclusion of security and risk management within business management. Risk assessment has become an essential mechanism for business security analysts, since it allows the identification and evaluation of any threats, vulnerabilities, and risks to which organizations maybe be exposed. In this work, a framework based on the concepts of Model-Driven Development has been proposed. The framework provides different stages which range from a high abstraction level to an executable level. The main contribution lie in the presentation of an extension of a business process meta-model which includes risk information based on standard approaches. The meta-model provides necessary characteristics for the risk assessment of business process models at an abstract level of the approach. The framework has been equipped with specific stages for the automatic validation of business processes using model-based diagnosis which permits the detection of the non-conformance of security objectives specified. The validation stages ensure that business processes are correct with regard to the objectives specified by the customer before they are transformed into executable processes.

show abstract

Section: Framework Overviewmentioning

confidence: 99%

A Model-Driven engineering approach with diagnosis of non-conformance of security objectives in business process models

Varela-Vaca

Gasca

Ramirez

2011

2011 Fifth International Conference on Research Challenges in Information Science

View full text Add to dashboard Cite

show abstract

“…Thus, the proposed diagnosis stage is in reality a (static) verification one. This diagnosis stage has been proposed in earlier works [1], and is not the focus of the paper. Fig.…”

Section: Mda For Firewall Acl Designmentioning

confidence: 99%

“…Let ACL f be a firewall ACL consisting of f+1 rules, Firewalls have to face many problems in modern networks. Two of the most important ones are the high complexity of ACL design [1] and ACL consistency diagnosis [2,3]. Networks have different access control requirements which must be translated by a network administrator into firewall ACLs.…”

Section: Introductionmentioning

confidence: 99%

MDA-Based Framework for Automatic Generation of Consistent Firewall ACLs with NAT

Pozo

Varela-Vaca

Gasca

2009

Computational Science and Its Applications – ICCSA 2009

View full text Add to dashboard Cite

Abstract. The design and management of firewall ACLs is a very hard and error-prone task. Part of this complexity comes from the fact that each firewall platform has its own low-level language with a different functionality, syntax, and development environment. Although several high-level languages have been proposed to model firewall access control policies, none of them has been widely adopted by the industry due to a combination of factors: high complexity, no support of important features of firewalls, no common development process, etc. In this paper, a development process for Firewall ACLs based on the Model Driven Architecture (MDA) framework is proposed. The framework supports the market leaders firewall platforms and is user-extensible. The most important access control policy languages are reviewed, with special focus on the development of firewall ACLs. Based on this analysis a new DSL language for firewall ACLs, AFPL2, covering most features other languages do not cover, is proposed. The language is then used as the platform independent metamodel, the first part of the MDA-based framework.

show abstract

“…An extensive analysis of the market-leader firewall languages was presented in (Pozo1, 2009). In the analysis it was shown that IP addresses can be expressed by all of them in octets with a CIDR value (IP blocks), port numbers as naturals or intervals of naturals, and protocols as a natural number.…”

Section: Inconsistency Isolation Processmentioning

confidence: 99%

“…In the following sections, a different data structure is going to be proposed for each selector, based on the analysis of the particular data set that each one can store (Pozo1, 2009). The objective is to find or design ADTs capable of doing searches in worst case time complexity better or equal than O(logm).…”

Section: Inconsistency Isolation Processmentioning

confidence: 99%

Efficient Algorithms and Abstract Data Types for Local Inconsistency Isolation in Firewall Acls

Pozo¹,

Varela-Vaca²,

Gasca³

et al. 2009

Proceedings of the International Conference on Security and Cryptography

View full text Add to dashboard Cite

Abstract:Writing and managing firewall ACLs are hard, tedious, time-consuming and error-prone tasks for a wide range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL implies in general a design fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. This can result in severe problems such as unwanted accesses to services, denial of service, overflows, etc. However, the administrator is who ultimately decides if an inconsistent rule is a fault or not. Although many algorithms to detect and manage inconsistencies in firewall ACLs have been proposed, they have different drawbacks regarding different aspects of the consistency diagnosis problem, which can prevent their use in a wide range of real-life situations. In this paper, we review these algorithms along with their drawbacks, and propose a new divide and conquer based algorithm, which uses specialized abstract data types. The proposed algorithm returns consistency results over the original ACL. Its computational complexity is better than the current best algorithm for inconsistency isolation, as experimental results will also show.

show abstract

Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

Cited by 13 publications

References 23 publications

A Model-Driven engineering approach with diagnosis of non-conformance of security objectives in business process models

A Model-Driven engineering approach with diagnosis of non-conformance of security objectives in business process models

MDA-Based Framework for Automatic Generation of Consistent Firewall ACLs with NAT

Efficient Algorithms and Abstract Data Types for Local Inconsistency Isolation in Firewall Acls

Contact Info

Product

Resources

About