TY - GEN
T1 - A formal framework for network security design synthesis
AU - Rahman, Mohammad Ashiqur
AU - Al-Shaer, Ehab
PY - 2013
Y1 - 2013
N2 - Due to the extensive use of Internet services and emerging security threats, most enterprise networks deploy varieties of security devices for controlling resource access based on organizational security requirements. These requirements are becoming more fine-grained, where access control depends on heterogeneous isolation patterns like access deny, trusted communication, and payload inspection. However, organizations are looking to design usable and optimal security configurations that can harden the network security within enterprise budget constraints. This requires analyzing various alternative security architectures in order to find a security design that satisfies the organizational security requirements as well as the business constraints. In this paper, we present ConfigSynth, an automated framework for synthesizing network security configurations by exploring various security design alternatives to provide an optimal solution. The main design alternatives include different kinds of isolation patterns for traffic flows in different segments of the network. ConfigSynth takes security requirements and business constraints along with the network topology as inputs. Then it synthesizes optimal and cost-effective security configurations satisfying the constraints. ConfigSynth also provides optimal placements of different security devices in the network according to the given network topology. ConfigSynth uses Satisfiability Modulo Theories (SMT) for modeling this synthesis problem. We demonstrate the scalability of the tool using simulated experiments.
AB - Due to the extensive use of Internet services and emerging security threats, most enterprise networks deploy varieties of security devices for controlling resource access based on organizational security requirements. These requirements are becoming more fine-grained, where access control depends on heterogeneous isolation patterns like access deny, trusted communication, and payload inspection. However, organizations are looking to design usable and optimal security configurations that can harden the network security within enterprise budget constraints. This requires analyzing various alternative security architectures in order to find a security design that satisfies the organizational security requirements as well as the business constraints. In this paper, we present ConfigSynth, an automated framework for synthesizing network security configurations by exploring various security design alternatives to provide an optimal solution. The main design alternatives include different kinds of isolation patterns for traffic flows in different segments of the network. ConfigSynth takes security requirements and business constraints along with the network topology as inputs. Then it synthesizes optimal and cost-effective security configurations satisfying the constraints. ConfigSynth also provides optimal placements of different security devices in the network according to the given network topology. ConfigSynth uses Satisfiability Modulo Theories (SMT) for modeling this synthesis problem. We demonstrate the scalability of the tool using simulated experiments.
KW - automatic synthesis
KW - constraints
KW - formal logic
KW - security configuration
UR - https://www.scopus.com/pages/publications/84893231120
U2 - 10.1109/ICDCS.2013.70
DO - 10.1109/ICDCS.2013.70
M3 - Conference contribution
AN - SCOPUS:84893231120
SN - 9780769550008
T3 - Proceedings - International Conference on Distributed Computing Systems
SP - 560
EP - 570
BT - Proceedings - 2013 IEEE 33rd International Conference on Distributed Computing Systems, ICDCS 2013
T2 - 2013 IEEE 33rd International Conference on Distributed Computing Systems, ICDCS 2013
Y2 - 8 July 2013 through 11 July 2013
ER -