TechRxiv

Continuous Verification of Network Security Compliance

Preprint posted on 26.07.2021, 12:11 by Claas Lorenz, Vera Clemens, Max Schrötter, Bettina Schnor
Continuous verification of network security compliance is an accepted need. In particular, the analysis of stateful packet filters plays a central role in practical network security. But the few existing tools that support the analysis of stateful packet filters show runtimes in the order of minutes to hours, making them unsuitable for continuous compliance verification.
In this work, we address these challenges and present a solution based on the application of formal methods. First, we introduce the formal language FPL, which enables a high-level, human-understandable specification of the desired state of network security. Second, we demonstrate the instantiation of a compliance process using a verification framework that analyzes the configuration of complex networks and devices, including stateful firewalls, for compliance with FPL policies. Our evaluation results show the scalability of the presented approach for the well-known Internet2 and Stanford benchmarks as well as for large firewall rule sets, where it outscales state-of-the-art tools by a factor of over 41.

History

Email Address of Submitting Author

cllorenz@uni-potsdam.de

ORCID of Submitting Author

0000-0002-9089-6968

Submitting Author's Institution

University of Potsdam

Submitting Author's Country

Germany
