Misconfiguration Analysis of Network Access Control Policies
Loading...
Date
2009-02-20T14:46:05Z
Authors
Tran, Tung
Journal Title
Journal ISSN
Volume Title
Publisher
University of Waterloo
Abstract
Network access control (NAC) systems have a very important role in network security. However,
NAC policy configuration is an extremely complicated and error-prone task due to the semantic
complexity of NAC policies and the large number of rules that could exist. This significantly
increases the possibility of policy misconfigurations and network vulnerabilities. NAC policy
misconfigurations jeopardize network security and can result in a severe consequence such as
reachability and denial of service problems. In this thesis, we choose to study and analyze the NAC
policy configuration of two significant network security devices, namely, firewall and IDS/IPS.
In the first part of the thesis, a visualization technique is proposed to visualize firewall rules and
policies to efficiently enhance the understanding and inspection of firewall configuration. This is
implemented in a tool called PolicyVis. Our tool helps the user to answer general questions such as
‘‘Does this policy satisfy my connection/security requirements’’. If not, the user can detect all
misconfigurations in the firewall policy.
In the second part of the thesis, we study various policy misconfigurations of Snort, a very popular
IDS/IPS. We focus on the misconfigurations of the flowbits option which is one of the most important
features to offers a stateful signature-based NIDS. We particularly concentrate on a class of flowbits
misconfiguration that makes Snort susceptible to false negatives. We propose a method to detect the
flowbits misconfiguration, suggest practical solutions with controllable false positives to fix the
misconfiguration and formally prove that the solutions are complete and sound.
Description
Keywords
firewall, intrusion detection system