
Basic article information

  • Title: Formal Analysis of Security Policy Implementations in Enterprise Networks
  • Authors: P Bera ; Pallab Dasgupta ; S K Ghosh
  • Journal: International Journal of Computer Networks & Communications
  • Print ISSN: 0975-2293
  • Electronic ISSN: 0974-9322
  • Year of publication: 2009
  • Volume: 1
  • Issue: 2
  • Publisher: Academy & Industry Research Collaboration Center (AIRCC)
  • Abstract: The management of security, operations and services in large-scale enterprise networks is becoming more difficult due to the complex security policies of organizations and to dynamic changes in network topologies. Typically, the global security policy of an enterprise network is implemented in a distributed fashion through appropriate sets of access control rules (ACL rules) across various interface switches (layer 3 switches) in the network. In such networks, verification of the ACL implementations with respect to the security policies is a major technical challenge for network administrators. This is difficult to achieve manually because of the complex policy constraints (temporal access constraints) and the presence of hidden access paths in the network, which may in turn implicitly violate one or more policy rules. Inconsistent hidden access paths may be formed due to transitive relationships between implemented service access paths in the network. Moreover, the complexity of the problem is compounded by dynamic changes in network topologies. At any point in time, the failure of network interfaces or links may change the network topology; as a result, alternative routing paths can be formed for forwarding various service packets. Hence, the existing security implementation (distribution of ACL rules) may no longer satisfy the policies. In this paper, a fault analysis module is incorporated along with the verification framework, which as a whole can derive a correct ACL implementation with respect to a given security policy specification and can ensure that a correct security implementation is fault tolerant to a certain number of link failures. The verification module can find the correct security implementation, and the fault analysis module can find the number of link failures the existing security implementation can tolerate while still satisfying the security policy of the network.
  • Keywords: LAN; Network Security; Security Policy; Access control lists (ACL); SAT-based verification.