Bera, P. ; Maity, Soumya ; Ghosh, S.K. ; Dasgupta, Pallab (2010) A query based formal security analysis framework for enterprise LAN In: 2010 10th IEEE International Conference on Computer and Information Technology, 29 June 2010-1 July 2010, Bradford, West Yorkshire, UK.
Full text not available from this repository.
Official URL: http://ieeexplore.ieee.org/document/5578175/
Related URL: http://dx.doi.org/10.1109/CIT.2010.96
Abstract
The complex security constraints in present-day enterprise networks (wired or wireless LAN) demand formal analysis of the security policy configurations deployed in the network. One of the needs of a network administrator is to evaluate network service accesses through appropriate queries. The security policy is represented as a set of rules for allowing/denying various service accesses through the network and may have spatio-temporal access constraints. Role-based access control (RBAC) mechanisms can also be deployed to strengthen the security perimeter. This paper presents a query-based security analysis framework for enterprise networks. It evaluates various service access queries, which return the set of services allowed between specified source and destination network zones under spatio-temporal RBAC (STRBAC) constraints. The framework includes (i) a distributed network security policy management system; (ii) a formal model for representing the network topology and STRBAC policy configurations; (iii) a query processing module for analyzing the access model with various queries. The queries are evaluated through a SAT-based decision procedure. The framework is applicable to both wired and wireless networks.
| Item Type: | Conference or Workshop Item (Paper) |
|---|---|
| Source: | Copyright of this article belongs to Institute of Electrical and Electronics Engineers. |
| Keywords: | Formal Method; Network Security; Wireless LAN; Access Control |
| ID Code: | 101656 |
| Deposited On: | 12 Dec 2016 10:16 |
| Last Modified: | 12 Dec 2016 10:16 |