Reasoning about firewall policies through refinement and composition

dc.check.embargoformat: Not applicable [en]
dc.check.info: No embargo required [en]
dc.check.opt-out: Not applicable [en]
dc.check.reason: No embargo required [en]
dc.check.type: No Embargo Required
dc.contributor.advisor: Foley, Simon [en]
dc.contributor.author: Neville, Ultan James
dc.date.accessioned: 2017-09-29T11:57:02Z
dc.date.available: 2017-09-29T11:57:02Z
dc.date.issued: 2017
dc.date.submitted: 2017
dc.description.abstract: Network and host-based access controls, for example, firewall systems, are important points of security demarcation, operating as a front-line defence for networks and networked systems. A firewall policy is conventionally defined as a sequence of order-dependent rules, and when a network packet matches with two or more policy rules, the policy is anomalous. Policies for access-control mechanisms may consist of thousands of access-control rules, and correct management is complex and error-prone. Policies may need to be reconfigured for highly dynamic environments, as threats to, and access requirements for, resources behind a firewall do not usually remain static. Misconfiguration is common, and correct policy management is often reliant on the expert knowledge of security administrators and on drawing from best practice. The thesis of this dissertation is that a firewall policy should be anomaly-free by construction, and as such, there is a need for a firewall policy language that allows for constructing, comparing, and composing anomaly-free policies. An algebra is proposed for constructing and reasoning about anomaly-free firewall policies. Based on the notion of refinement as safe replacement, the algebra provides operators for sequential composition, union and intersection of policies. The algebra allows a policy specifier to compose policies in such a way that the result of the composition upholds the access requirements of each policy involved, and allows one to reason as to whether some policy is a safe (secure) replacement for another policy. This approach enables a common framework, whereby knowledge related to detailed access control configurations and standards-based firewall policies can be represented and reasoned about.
This dissertation explores the effectiveness of firewall policy specification and analysis that extends the conventional five-tuple rule to include stateful inspection, TCP flags, ICMP Types/Codes, and additional filter condition attributes. The effectiveness of the algebra is demonstrated by its application to anomaly detection and standards compliance. The effectiveness of the approach in practice is evaluated through a mapping to/from iptables. The evaluation shows that the approach is practical for large policies. The effectiveness is also evaluated through a mapping to OpenStack network and host-based access controls, and the development of a policy management framework for the Android OS. [en]
dc.description.status: Not peer reviewed [en]
dc.description.version: Accepted Version
dc.format.mimetype: application/pdf [en]
dc.identifier.citation: Neville, U. J. 2017. Reasoning about firewall policies through refinement and composition. PhD Thesis, University College Cork. [en]
dc.identifier.endpage: 194 [en]
dc.identifier.uri: https://hdl.handle.net/10468/4820
dc.language.iso: en [en]
dc.publisher: University College Cork [en]
dc.rights: © 2017, Ultan James Neville. [en]
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/3.0/ [en]
dc.subject: Firewalls [en]
dc.subject: Algebra [en]
dc.subject: iptables [en]
dc.subject: Anomalies [en]
dc.subject: Policy-composition [en]
dc.thesis.opt-out: false
dc.title: Reasoning about firewall policies through refinement and composition [en]
dc.type: Doctoral thesis [en]
dc.type.qualificationlevel: Doctoral Degree (Structured) [en]
dc.type.qualificationname: PhD (Science) [en]
ucc.workflow.supervisor: s.foley@cs.ucc.ie
Files

Original bundle
Name: NevilleUJ_PhD2017.pdf
Size: 2.22 MB
Format: Adobe Portable Document Format
Description: Full Text E-Thesis

Name: NevilleUJ_PhD2017_Abstract.pdf
Size: 31.2 KB
Format: Adobe Portable Document Format
Description: Abstract

License bundle
Name: license.txt
Size: 5.62 KB
Format: Item-specific license agreed upon to submission
Description: