Network access control (NAC) systems have a very important role in network security. However, NAC policy configuration is an extremely complicated and error-prone task due to the semantic complexity of NAC policies and the large number of rules that a policy may contain. This significantly increases the possibility of policy misconfigurations and network vulnerabilities. NAC policy misconfigurations jeopardize network security and can result in severe consequences such as reachability and denial of service problems. In this thesis, we study and analyze the NAC policy configuration of two significant network security devices, namely the firewall and the IDS/IPS.

In the first part of the thesis, a visualization technique is proposed to visualize firewall rules and policies in order to enhance the understanding and inspection of firewall configurations. This is implemented in a tool called PolicyVis. Our tool helps the user to answer general questions such as "Does this policy satisfy my connection/security requirements?". If it does not, the user can detect all misconfigurations in the firewall policy.

In the second part of the thesis, we study various policy misconfigurations of Snort, a very popular IDS/IPS. We focus on misconfigurations of the flowbits option, which is one of the most important features that make Snort a stateful signature-based NIDS. We particularly concentrate on a class of flowbits misconfiguration that makes Snort susceptible to false negatives. We propose a method to detect the flowbits misconfiguration, suggest practical solutions with controllable false positives to fix the misconfiguration, and formally prove that the solutions are complete and sound.
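The abstract does not spell out which flowbits misconfiguration it targets, so the following is an added illustration, not the thesis's own method or code. It parses a small constructed Snort ruleset and reports two flowbits inconsistencies that cause silent detection failures: a rule that tests a bit with `isset` when no enabled rule ever sets it (the rule can never fire), and a rule that sets a bit under `flowbits:noalert` when no rule ever tests it (the match is never reported). The sample rules, their sids and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample ruleset (not from the thesis). The ftp.user pair is a
# correct stateful signature; the http.stage1 setter is commented out (disabled),
# and smtp.helo is set silently but never consumed.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login"; content:"USER "; flowbits:set,ftp.user; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP password after login"; content:"PASS "; flowbits:isset,ftp.user; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP exploit stage 2"; content:"stage2"; flowbits:isset,http.stage1; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP helo seen"; content:"HELO"; flowbits:set,smtp.helo; flowbits:noalert; sid:1000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP exploit stage 1"; content:"stage1"; flowbits:set,http.stage1; flowbits:noalert; sid:1000005; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]+);")

SETTING_OPS = {"set", "setx", "toggle"}     # operations that can turn a bit on
CHECKING_OPS = {"isset", "isnotset"}        # operations that depend on a bit


def parse_rules(rules_text):
    """Return one record per enabled rule: its sid, the bits it sets,
    the bits it tests, and whether it carries flowbits:noalert."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a disabled rule neither sets nor tests anything
        sid_m = SID_RE.search(line)
        if sid_m is None:
            continue  # assumption: every rule of interest carries a sid
        rec = {"sid": int(sid_m.group(1)), "sets": set(), "checks": set(), "noalert": False}
        for opt in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in opt.split(",", 1)]
            op = parts[0].lower()
            bits = set()
            if len(parts) > 1:
                # newer Snort allows bit1&bit2 / bit1|bit2; treat each name as a dependency
                bits = {b.strip() for b in re.split(r"[&|]", parts[1]) if b.strip()}
            if op in SETTING_OPS:
                rec["sets"] |= bits
            elif op in CHECKING_OPS:
                rec["checks"] |= bits
            elif op == "noalert":
                rec["noalert"] = True
            # unset/reset neither create nor require a bit, so they are ignored here
        rules.append(rec)
    return rules


def find_flowbits_misconfigurations(rules_text):
    """Cross-reference setters and checkers across the whole ruleset."""
    rules = parse_rules(rules_text)
    setters = defaultdict(list)
    checkers = defaultdict(list)
    for r in rules:
        for b in r["sets"]:
            setters[b].append(r["sid"])
        for b in r["checks"]:
            checkers[b].append(r["sid"])

    # isset on a bit no enabled rule sets: the dependent rule can never match.
    checked_but_never_set = {b: sids for b, sids in checkers.items() if b not in setters}

    # noalert setter whose bit nobody consumes: the match is never reported.
    noalert_set_but_never_checked = defaultdict(list)
    for r in rules:
        if r["noalert"]:
            for b in r["sets"]:
                if b not in checkers:
                    noalert_set_but_never_checked[b].append(r["sid"])

    return {
        "checked_but_never_set": checked_but_never_set,
        "noalert_set_but_never_checked": dict(noalert_set_but_never_checked),
    }


if __name__ == "__main__":
    for kind, hits in find_flowbits_misconfigurations(SAMPLE_RULES).items():
        for bit, sids in hits.items():
            print(f"{kind}: flowbit '{bit}' in sid(s) {sids}")
```

Both findings are false negatives from the operator's point of view: traffic matching sid 1000003 or 1000004 produces no alert, yet the rules look enabled. Running this over a production ruleset (including all included `.rules` files, since a bit may be set in one file and tested in another) is the check a practitioner would want before trusting any multi-stage signature.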
Misconfiguration Analysis of Network Access Control Policies