Abstract
Firewalls are important perimeter security mechanisms that implement an organisation's network security requirements and can be notoriously difficult to configure correctly. Given their widespread use, it is crucial that network administrators have tools to translate their security requirements into firewall configuration rules and to ensure that these rules are consistent with each other. In this paper we propose an approach to firewall policy specification and analysis that uses a formal framework for argumentation-based preference reasoning. By allowing administrators to define network abstractions (e.g. subnets, protocols, etc.), security requirements can be specified in a declarative manner using high-level terms. It is also possible to specify preferences to express the importance of one requirement over another. The use of a formal framework means that the security requirements defined can be automatically analysed for inconsistencies, and firewall configurations can be automatically generated. We demonstrate that the technique allows any inconsistency property, including those identified in previous research, to be specified and automatically checked, and that the use of an argumentation reasoning framework provides administrators with information regarding the causes of the inconsistency.
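As an added illustration (not the paper's Gorgias-based argumentation framework and not the authors' code), the following Python model sketches the idea: requirements are stated over named subnets and services, a preference relation ranks requirements, a check reports each conflicting pair together with its cause, and a first-match rule order is generated from the preferences. All zone names, addresses, requirements and preferences are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Network abstractions (constructed sample values, not from the paper)
SUBNETS = {"any": ipaddress.ip_network("0.0.0.0/0"),
           "dmz": ipaddress.ip_network("10.0.1.0/24"),
           "internal": ipaddress.ip_network("10.0.2.0/24")}
SERVICES = {"any": None, "http": ("tcp", 80), "ssh": ("tcp", 22)}

# A requirement is (name, decision, source zone, destination zone, service)
REQS = [("r1", "deny", "any", "internal", "any"),
        ("r2", "allow", "dmz", "internal", "http"),
        ("r3", "allow", "any", "dmz", "http"),
        ("r4", "deny", "internal", "dmz", "http")]
# Preferences: (x, y) means requirement x takes priority over requirement y
PREFERS = {("r2", "r1")}

def overlaps(a, b):
    """True if some packet can match both requirements."""
    same_svc = "any" in (a[4], b[4]) or SERVICES[a[4]] == SERVICES[b[4]]
    return (SUBNETS[a[2]].overlaps(SUBNETS[b[2]])
            and SUBNETS[a[3]].overlaps(SUBNETS[b[3]]) and same_svc)

def analyse(reqs, prefers):
    """Pairs with opposite decisions on overlapping traffic are conflicts.
    A preference settles the conflict; otherwise it is an inconsistency,
    reported as the pair of requirements that causes it."""
    resolved, inconsistent = [], []
    for a, b in combinations(reqs, 2):
        if a[1] == b[1] or not overlaps(a, b):
            continue
        if (a[0], b[0]) in prefers:
            resolved.append((a[0], b[0]))
        elif (b[0], a[0]) in prefers:
            resolved.append((b[0], a[0]))
        else:
            inconsistent.append((a[0], b[0]))
    return resolved, inconsistent

def generate(reqs, prefers):
    """First-match rule list: a requirement is emitted only after every
    requirement preferred over it (a preference cycle falls back to input order)."""
    remaining, rules = list(reqs), []
    while remaining:
        for r in remaining:
            if not any((o[0], r[0]) in prefers for o in remaining):
                break
        remaining.remove(r)
        rules.append(f"{r[1]} {r[2]} -> {r[3]} {r[4]}")
    return rules
```

Running `analyse(REQS, PREFERS)` resolves the r2/r1 overlap by preference and flags r3/r4 as an unresolved inconsistency; `generate` then places r2 ahead of the broader deny rule r1.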
Copyright information
© 2006 IFIP International Federation for Information Processing
Cite this paper
Bandara, A.K., Kakas, A., Lupu, E.C., Russo, A. (2006). Using Argumentation Logic for Firewall Policy Specification and Analysis. In: State, R., van der Meer, S., O’Sullivan, D., Pfeifer, T. (eds) Large Scale Management of Distributed Systems. DSOM 2006. Lecture Notes in Computer Science, vol 4269. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11907466_16
DOI: https://doi.org/10.1007/11907466_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-47659-7
Online ISBN: 978-3-540-47662-7
eBook Packages: Computer Science, Computer Science (R0)