The Mathematical Foundations for Mapping Policies to Network Devices
Dinesha Ranathunga, Matthew Roughan, Phil Kernick, Nick Falkner
2016
Abstract
A common requirement in policy specification languages is the ability to map policies to the underlying network devices. Doing so, in a provably correct way, is important in a security policy context, so administrators can be confident of the level of protection provided by the policies for their networks. Existing policy languages allow policy composition but lack formal semantics to allocate policy to network devices. Our research tackles this from first principles: we ask how network policies can be described at a high-level, independent of vendor and network minutiae. We identify the algebraic requirements of the policy-mapping process and propose semantic foundations to formally verify if a policy is implemented by the correct set of policy-arbiters. We show the value of our proposed algebras in maintaining concise network-device configurations by applying them to real-world networks.
References
- Anderson, C. J., Foster, N., Guha, A., Jeannin, J.-B., Kozen, D., Schlesinger, C., and Walker, D. (2014). NetKAT: Semantic foundations for networks. ACM SIGPLAN Notices, 49(1):113-126.
- ANSI/ISA-62443-1-1 (2007). Security for industrial automation and control systems part 1-1: Terminology, concepts, and models.
- Bartal, Y., Mayer, A., Nissim, K., and Wool, A. (2004). Firmato: A novel firewall management toolkit. ACM TOCS, 22(4):381-420.
- Byres, E., Karsch, J., and Carter, J. (2005). Good practice guide on firewall deployment for SCADA and process control networks. NISCC.
- Cisco Systems Inc. (2014). Cisco Virtual Security Gateway for Nexus 1000V Series Switch Configuration Guide. San Jose, CA 95134-1706, USA.
- Dynerowicz, S. and Griffin, T. G. (2013). On the forwarding paths produced by Internet routing algorithms. In ICNP, pages 1-10.
- Foster, N., Freedman, M. J., Harrison, R., Rexford, J., Meola, M. L., and Walker, D. (2010). Frenetic: a high-level language for OpenFlow networks. In ACM PRESTO, pages 21-27.
- Guttman, J. D. and Herzog, A. L. (2005). Rigorous automated network security management. IJIS, 4:29-48.
- Heorhiadi, V., Reiter, M. K., and Sekar, V. (2016). Simplifying software-defined network optimization using SOL. In USENIX NSDI, pages 223-237.
- Howe, C. D. (1996). What's Beyond Firewalls? Forrester Research, Incorporated.
- Prakash, C., Lee, J., Turner, Y., Kang, J.-M., Akella, A., Banerjee, S., Clark, C., Ma, Y., Sharma, P., and Zhang, Y. (2015). PGA: Using graphs to express and automatically reconcile network policies. In ACM SIGCOMM, pages 29-42.
- Ranathunga, D., Roughan, M., Kernick, P., and Falkner, N. (2016a). Malachite: Firewall policy comparison. In IEEE ISCC.
- Ranathunga, D., Roughan, M., Kernick, P., and Falkner, N. (2016b). The mathematical foundations for mapping policies to network devices, http://arxiv.org/abs/1605.09115. Technical Report.
- Ranathunga, D., Roughan, M., Kernick, P., Falkner, N., and Nguyen, H. (2015). Identifying the missing aspects of the ANSI/ISA best practices for security policy. In ACM CPSS, pages 37-48.
- Reich, J., Monsanto, C., Foster, N., Rexford, J., and Walker, D. (2013). Modular SDN programming with Pyretic. USENIX login, 38(5).
- Smolka, S., Eliopoulos, S., Foster, N., and Guha, A. (2015). A fast compiler for NetKAT. In ACM SIGPLAN, pages 328-341.
- Soulé, R., Basu, S., Marandi, P. J., Pedone, F., Kleinberg, R., Sirer, E. G., and Foster, N. (2014). Merlin: A language for provisioning network resources. In ACM CoNEXT, pages 213-226.
Paper Citation
in Harvard Style
Ranathunga D., Roughan M., Kernick P. and Falkner N. (2016). The Mathematical Foundations for Mapping Policies to Network Devices . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 197-206. DOI: 10.5220/0005946201970206
in Bibtex Style
@conference{secrypt16,
author={Dinesha Ranathunga and Matthew Roughan and Phil Kernick and Nick Falkner},
title={The Mathematical Foundations for Mapping Policies to Network Devices},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={197-206},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005946201970206},
isbn={978-989-758-196-0},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - The Mathematical Foundations for Mapping Policies to Network Devices
SN - 978-989-758-196-0
AU - Ranathunga D.
AU - Roughan M.
AU - Kernick P.
AU - Falkner N.
PY - 2016
SP - 197
EP - 206
DO - 10.5220/0005946201970206