TY - GEN
T1 - Build and test your own network configuration
AU - Al-Haj, Saeed
AU - Bera, Padmalochan
AU - Al-Shaer, Ehab
PY - 2012
Y1 - 2012
N2 - Access control policies play a critical role in the security of enterprise networks deployed with a variety of policy-based devices (e.g., routers, firewalls, and IPSec gateways). Usually, the security policies are configured in the network devices in a distributed fashion through sets of access control lists (ACLs). However, the increasing complexity of access control configurations due to larger networks and longer policies makes configuration errors inevitable. Incorrect policy configuration makes the network vulnerable to different attacks and security breaches. In this paper, we present an imperative framework, namely ConfigLEGO, that provides an open programming platform for building the network security configuration globally and analyzing it systematically. The ConfigLEGO engine uses Binary Decision Diagrams (BDDs) to build a Boolean model that represents the global system behavior, including all possible interactions between the various components, in an extensible and scalable manner. Our tool also provides a C/C++ API as a software wrapper on top of the BDD engine that allows users to define topology, configurations, and reachability, and then analyze them at various abstraction levels, without requiring knowledge of BDD representation or operations.
KW - BDDs
KW - Formal methods
KW - Imperative analysis
KW - Network configuration
UR - https://www.scopus.com/pages/publications/84869598321
U2 - 10.1007/978-3-642-31909-9_33
DO - 10.1007/978-3-642-31909-9_33
M3 - Conference contribution
AN - SCOPUS:84869598321
SN - 9783642319082
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
SP - 522
EP - 532
BT - Security and Privacy in Communication Networks - 7th International ICST Conference, SecureComm 2011, Revised Selected Papers
T2 - 7th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2011
Y2 - 7 September 2011 through 9 September 2011
ER -