
    Distributed Security Policy Analysis

    Computer networks have become an important part of modern society, and computer network security is crucial for their correct and continuous operation. The security aspects of computer networks are defined by network security policies. The term policy, in general, is defined as ``a definite goal, course or method of action to guide and determine present and future decisions''. In the context of computer networks, a policy is ``a set of rules to administer, manage, and control access to network resources''. Network security policies are enforced by special network appliances, so-called security controls. Different types of security policies are enforced by different types of security controls. Network security policies are hard to manage, and errors are quite common. The problem exists because network administrators do not have a good overview of the network, the defined policies and the interaction between them. Researchers have proposed different techniques for network security policy analysis, which aim to identify errors within policies so that administrators can correct them. There are three different solution approaches: anomaly analysis, reachability analysis and policy comparison. Anomaly analysis searches for potential semantic errors within policy rules, and can also be used to identify possible policy optimizations. Reachability analysis evaluates the allowed communication within a computer network and can determine whether a certain host can reach a service or a set of services. Policy comparison compares two or more network security policies and represents the differences between them in an intuitive way. Although research in this field has been carried out for over a decade, there is still no clear answer on how to reduce policy errors. The different analysis techniques have their pros and cons, but none of them is a sufficient solution on its own.
More precisely, they are mainly complements to each other, as one analysis technique finds policy errors which remain unknown to another. Therefore, to obtain a complete analysis of the computer network, multiple models must be instantiated. An analysis model that can perform all types of analysis techniques is desirable and has four main advantages. Firstly, the model can cover the greatest number of possible policy errors. Secondly, the computational overhead of instantiating the model is incurred only once. Thirdly, research effort is reduced because improvements and extensions to the model apply to all three analysis types at the same time. Fourthly, new algorithms can be evaluated by comparing their performance directly to each other. This work proposes a new analysis model which is capable of performing all three analysis techniques. Security policies and the network topology are represented by the so-called Geometric-Model. The Geometric-Model is a formal model based on set theory and a geometric interpretation of policy rules. Policy rules are defined according to the condition-action format: if the condition holds, then the action is applied. A security policy is expressed as a set of rules, a resolution strategy which selects the action when more than one rule applies, the external data used by the resolution strategy, and a default action in case no rule applies. This work also introduces the concept of the Equivalent-Policy, which is calculated from the network topology and the policies involved. All analysis techniques are then performed on it, with much higher performance. A precomputation phase is required for two reasons. Firstly, security policies which modify the traffic must be transformed to gain linear behaviour. Secondly, far fewer rules are needed to represent the global behaviour of a set of policies than the sum of the rules in the policies involved.
The analysis model can handle the most common security policies and is designed to be extensible for future security policy types. As already mentioned, the Geometric-Model can represent all types of security policies, but the calculation of the Equivalent-Policy has some small dependencies on the details of the different policy types. Therefore, the computation of the Equivalent-Policy must be adapted to support new types. Since the model and the computation of the Equivalent-Policy were designed to be extensible, the effort required to introduce a new security policy type is minimal. The anomaly analysis can be performed on computer networks containing different security policies. The policy comparison can perform an Implementation-Verification between high-level security requirements and an entire computer network containing different security policies, and a Change-Impact-Analysis of an entire network containing different security policies. The proposed model is implemented in a working prototype, and a performance evaluation has been carried out. The performance of the implementation is more than sufficient for real scenarios. Although the calculation of the Equivalent-Policy requires a significant amount of time, it is still manageable and is required only once. The execution of the different analysis techniques is fast, and the results are generally calculated in real time. The implementation also exposes an API for future integration into different frameworks or software packages. Based on the API, a complete tool was implemented, with a graphical user interface and additional features.

    Network-Security-Policy Analysis

    Computer network security is the first line of defence in accomplishing information assurance. A computer network is at risk without a well-designed and flawlessly implemented network security policy. The main problem is that network administrators are not able to verify the network security policy. Although a good deal of research has been carried out, it mainly concerns small, specific parts of the overall problem. This paper presents different approaches from the literature and highlights how they are correlated and can operate together. This work summarizes the solutions proposed in the literature and points out their advantages, disadvantages and limitations. To conclude, it proposes directions for future research in this area.

    A formal model of policy reconciliation

    This paper proposes a novel approach to perform the reconciliation of security policies by means of user-defined reconciliation strategies. The proposed policy reconciliation model allows several degrees of freedom when specifying reconciliation strategies, which can be based not only on rule actions, as in most works in the literature, but also on other rule data (e.g. the conditions) and on other external data (e.g. rule priorities, policy priorities). Additionally, it can be applied to reconcile policies both at runtime and off-line, that is, it allows the generation of a reconciled policy. Moreover, the reconciliation process generates a detailed report on all the decisions taken. Given its expressiveness, the approach can also be applied to simplify the policy specification process. The model has been validated against a practical example, the definition of the application-layer filtering policy in a corporate scenario, and its performance has been tested with synthetic policies. Both the validation and the performance analysis gave promising results for application in practical cases.

    Assessing network authorization policies via reachability analysis

    Evaluating whether a computer network only permits allowed business operations, without transmitting unwanted or malicious traffic, is a crucial security task. Reachability analysis, the process that evaluates allowed communications, is a tool useful not only to discover security issues but also to identify network misconfigurations. This paper presents a novel approach to quantify network reachability based on the concept of an equivalent firewall: a fictitious device, ideally connected directly to the communicating peers, whose policy summarizes the network behaviour between them and which can be queried to derive reachability information. We build equivalent firewalls by using a mathematical model that supports a large variety of network security controls (such as NAT, NAPT, tunnels and filters up to the application layer) and allows an accurate analysis. The presented approach is efficient and highly scalable, as confirmed by tests with a large corporate network as well as with synthetic networks.

    Inter-function anomaly analysis for correct SDN/NFV deployment

    Implementing the security of a network consists in individually configuring several network functions. Network functions are configured by means of a policy composed of a set of rules, but their actual behaviour is influenced by the policies implemented by all the other network functions around them. This paper proposes a formal model that can be used to detect inter-function anomalies, which are defined as interference between two or more functions deployed in the same network. We have shown experimentally that the proposed model is fast and scalable.

    A novel approach for integrating security policy enforcement with dynamic network virtualization

    Network function virtualization (NFV) is a new networking paradigm that virtualizes single network functions. NFV introduces several advantages compared to classical approaches, such as the dynamic provisioning of functionality or the implementation of scalable and reliable services (e.g. adding a new instance to meet demand). NFV also allows the deployment of security controls, like firewalls or VPN gateways, as virtualized network functions. However, there is currently no automatic way to select the security functions to enable and to configure the selected ones according to a set of user security requirements. This paper presents a first approach towards the integration of network and security policy management into the NFV framework. By adding a new software component, the Policy Manager, to the NFV architecture, we provide NFV with an easy and effective way for users to specify their security requirements, and a process that hides all the details of the correct deployment and configuration of security functions. To perform its tasks, the Policy Manager uses policy refinement techniques.

    Towards the Dynamic Provision of Virtualized Security Services

    Network operators face several limitations in terms of infrastructure management and costs when trying to offer security services to a large number of customers with current technologies. The Network Functions Virtualization and Software-Defined Networks paradigms try to overcome these limitations by allowing more flexibility, configurability and agility. Unfortunately, deciding which security services to use, where to place them and how to configure them is a multidimensional problem that has no easy solution. This paper provides a model that can be used to determine the best allocation of the security applications needed to satisfy the user requirements while minimizing the cost for the network operator, subject to the different constraints expressed by the involved actors. This model can be exploited to pursue an initial dimensioning and set-up of the system infrastructure, or to dynamically adapt it to support the user security policies. Initial validation shows that allocations generated with our model have considerable advantages in terms of costs and performance compared to traditional approaches.