2013
DOI: 10.1007/978-3-642-41533-3_4

Model-Driven Extraction and Analysis of Network Security Policies

Abstract: Firewalls are a key element in network security. They are in charge of filtering the traffic of the network in compliance with a number of access-control rules that enforce a given security policy. In an always-evolving context, where security policies must often be updated to respond to new security requirements, knowing with precision the policy being enforced by a network system is a critical information. Otherwise, we risk to hamper the proper evolution of the system and compromise its security. …

Citations: Cited by 6 publications (8 citation statements)
References: 16 publications
“…Martínez et al [20] propose a model-driven reverse engineering approach to obtain a Platform-Independent Model (PIM) of the global AC policy in a network. The approach uses the firewalls configuration files in the system to extract all AC rules.…”
Section: Related Work (mentioning)
confidence: 99%
“…MDE is an emerging and promising paradigm having the potential to overcome such issues (e.g., platforms heterogeneity, inconsistent security specification). All the more so that recently MDE has successfully been applied to adaptive and distributed systems, by the model@runtime approach [2] as well as in model-driven security [1,20]. MDE can help in designing correct communications and secure systems by abstracting network and security features.…”
Section: Introduction (mentioning)
confidence: 99%
“…As a preliminary step for our approach we require the policies of each component to be represented in the form of abstract models, from where the complexity arising from the specificities of a given vendor or implementation technology is eliminated and only the AC information is present. This requirement is met by several previous work that investigate the recovery of access-control policies from diverse components [11,13,12]. The outputs of those works are to be the inputs of our approach.…”
Section: Approach (mentioning)
confidence: 99%
“…Concretely, for the CMS we will define attributes extending the core concepts of XACML following the types defined in [13] and then combining its use with the use of the RBAC profile. As for the firewalls, several mappings to use as a basis for the profile exists, including the use of roles [4] or not [12]. We decide to extend the latter to include domain concepts (as host, zone, protocol, etc), discarding the discovery/creation of implicit roles.…”
Section: Translation to XACML and Profiles (mentioning)
confidence: 99%