Trust: benefits, models, and mechanisms
Secure Internet programming
Security Goals: Packet Trajectories and Strand Spaces
FOSAD '00 Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures
A Unified Methodology for Verification and Synthesis of Firewall Configurations
ICICS '01 Proceedings of the Third International Conference on Information and Communications Security
Specification and Verification of Security Policies in Firewalls
EurAsia-ICT '02 Proceedings of the First EurAsian Conference on Information and Communication Technology
Specification-Based Testing of Firewalls
PSI '02 Revised Papers from the 4th International Andrei Ershov Memorial Conference on Perspectives of System Informatics: Akademgorodok, Novosibirsk, Russia
Automatic analysis of firewall and network intrusion detection system configurations
Proceedings of the 2004 ACM workshop on Formal methods in security engineering
A behavioral approach to worm detection
Proceedings of the 2004 ACM workshop on Rapid malcode
Firmato: A novel firewall management toolkit
ACM Transactions on Computer Systems (TOCS)
Verifying information flow goals in security-enhanced Linux
Journal of Computer Security - Special issue on WITS'03
Computer Networks: The International Journal of Computer and Telecommunications Networking
Requirements for scalable access control and security management architectures
ACM Transactions on Internet Technology (TOIT)
Anticipatory distributed packet filter configurations for carrier-grade IP networks
Computer Networks: The International Journal of Computer and Telecommunications Networking
MulVAL: a logic-based network security analyzer
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Formal correctness of conflict detection for firewalls
Proceedings of the 2007 ACM workshop on Formal methods in security engineering
Automatic analysis of firewall and network intrusion detection system configurations
Journal of Computer Security - Formal Methods in Security Engineering Workshop (FMSE 04)
Multi-constraint Security Policies for Delegated Firewall Administration
DSOM '08 Proceedings of the 19th IFIP/IEEE international workshop on Distributed Systems: Operations and Management: Managing Large-Scale Service Deployment
Model-Based Development of firewall rule sets: Diagnosing model inconsistencies
Information and Software Technology
A Calculus for Distributed Firewall Specification and Verification
Proceedings of the 2006 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the fifth SoMeT_06
Practical declarative network management
Proceedings of the 1st ACM workshop on Research on enterprise networking
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
Formal Specification and Analysis of Firewalls
Proceedings of the 2009 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the Eighth SoMeT_09
A formal logic approach to firewall packet filtering analysis and generation
Artificial Intelligence Review
Using argumentation logic for firewall configuration management
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
A Formal Approach for the Evaluation of Network Security Mechanisms Based on RBAC Policies
Electronic Notes in Theoretical Computer Science (ENTCS)
Analysis of firewall policy rules using traffic mining techniques
International Journal of Internet Protocol Technology
Network Security: Formal and Optimized Configuration
Proceedings of the 2010 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the 9th SoMeT_10
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
Aligning Semantic Web applications with network access controls
Computer Standards & Interfaces
A novel three-tiered visualization approach for firewall rule validation
Journal of Visual Languages and Computing
Firewall policy change-impact analysis
ACM Transactions on Internet Technology (TOIT)
Anticipatory distributed packet filter configuration for carrier-grade IP-Networks
NETWORKING'06 Proceedings of the 5th international IFIP-TC6 conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems
Complete redundancy detection in firewalls
DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
OPODIS'04 Proceedings of the 8th international conference on Principles of Distributed Systems
TestCom'05 Proceedings of the 17th IFIP TC6/WG 6.1 international conference on Testing of Communicating Systems
Multi-constraint security policies for delegated firewall administration
International Journal of Network Management
Chimera: a declarative language for streaming network traffic analysis
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Change-impact analysis of firewall policies
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
A visualized internet firewall rule validation system
APNOMS'07 Proceedings of the 10th Asia-Pacific conference on Network Operations and Management Symposium: managing next generation networks and services
Abstract: When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.