Towards Global Verification of Security Configuration
Presenter
Ehab Al-Shaer, DePaul University
Abstract
The assurability of network security depends not only on protocols and algorithms but also on configuration: network security devices such as routers, firewalls, IPSec gateways, NATs and IDS/IPS operate according to locally configured policies, and those policies determine the devices' behavior. As the number of rules and policies grows, configuring them correctly and consistently across the network becomes an intractable task, and the resulting mistakes cause network unreachability and vulnerability problems. This talk will present our research results addressing these challenges in the area of automated verification of global network security configuration. I will discuss our bottom-up approach, which detects global conflicts in security configurations and optimizes policies based on traffic statistics. I will also briefly present our FLIP system, a top-down approach that defines a high-level language for network access control specification.
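To make the distinction between local and global configuration conflicts concrete, the following is an added illustrative example; it is not code from the talk, from the presenter's research tools, or from the FLIP system. It assumes a deliberately simplified five-tuple rule model (source prefix, destination prefix, protocol, destination port range, action) with first-match semantics, and two constructed policies for an edge firewall and an internal firewall that sit in series on one path. A local check finds rules that an earlier rule on the same device makes unreachable; a global check finds accept rules on the downstream device whose whole match space the upstream device already drops. The global check is conservative: it only reports a rule when the first overlapping upstream rule is a covering deny, so it can miss conflicts but never reports a false one.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Simplified rule model (assumption for this example): first-match policy,
# IPv4 prefixes, protocol "tcp"/"udp"/"any", inclusive destination port range.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                  # "tcp", "udp" or "any"
    dport: tuple                # (low, high), inclusive

def rule(name, action, src, dst, proto="any", dport=(0, 65535)):
    return Rule(name, action, ip_network(src), ip_network(dst), proto, dport)

def _proto_covers(outer, inner):
    return outer == "any" or outer == inner

def _proto_overlaps(a, b):
    return a == "any" or b == "any" or a == b

def _ports_cover(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def _ports_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and _proto_covers(outer.proto, inner.proto)
            and _ports_cover(outer.dport, inner.dport))

def overlaps(a, b):
    """True if some packet is matched by both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and _proto_overlaps(a.proto, b.proto)
            and _ports_overlap(a.dport, b.dport))

def local_shadowing(policy):
    """Rules on one device that can never fire because an earlier rule
    with the opposite action covers their whole match space.
    Returns (shadowed_rule, shadowing_rule) name pairs."""
    findings = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if earlier.action != later.action and covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings

def globally_shadowed(upstream, downstream):
    """Downstream accept rules whose entire match space is already dropped
    upstream, so the permission is dead configuration on this path.
    Conservative: a rule is reported only when the first upstream rule that
    overlaps it is a deny that covers it completely."""
    findings = []
    for r in downstream:
        if r.action != "accept":
            continue
        for u in upstream:
            if overlaps(u, r):
                if u.action == "deny" and covers(u, r):
                    findings.append((r.name, u.name))
                break   # an earlier overlapping accept lets some traffic through
    return findings

# Constructed sample policies (not from the talk): edge firewall in front of
# an internal firewall that protects 10.0.0.0/24 and 10.0.1.0/24.
EDGE_FW = [
    rule("e1", "accept", "0.0.0.0/0", "10.0.0.0/24", "tcp", (443, 443)),
    rule("e2", "deny",   "0.0.0.0/0", "10.0.0.0/16"),
]
INTERNAL_FW = [
    rule("i1", "accept", "0.0.0.0/0", "10.0.0.10/32", "tcp", (443, 443)),
    rule("i2", "accept", "0.0.0.0/0", "10.0.1.0/24",  "tcp", (22, 22)),
    rule("i3", "deny",   "0.0.0.0/0", "10.0.1.0/24",  "tcp", (22, 22)),
    rule("i4", "deny",   "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("local shadowing on internal FW:", local_shadowing(INTERNAL_FW))
    print("globally shadowed accepts:", globally_shadowed(EDGE_FW, INTERNAL_FW))
```

Run stand-alone, the local check reports that `i3` can never fire because `i2` accepts exactly the same traffic first, and the global check reports that `i2` itself is dead on this path because the edge firewall's `e2` already drops everything to 10.0.0.0/16 except the HTTPS traffic `e1` lets through. Neither finding is visible from one device's configuration alone, which is the point of verifying the configuration as a whole rather than rule by rule.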
Presentation
Download (PPT, 0.9 MB)