Verifying consistency between security policy and firewall policy by using a constraint satisfaction problem server

Abstract

Packet filtering in firewall either accepts or denies network packets based upon a set of pre-defined filters called firewall policy. Firewall policy is designed under the instruction of security policy. A network security policy is a generic document that outlines the needs for network access permissions. And it determines how firewall filters are designed. If inconsistencies exist between security policy and firewall policy, firewall policy could not filter packets exactly, and the network protected by the firewall will be affected. To resolve this problem, we propose a method mat represents security policy and firewall policy as Constraint Satisfaction Problem and constructs a consistency verification model, then uses a CSP solver to verify their consistency. We did some experiments to verify our proposed method, experimental results showed the effectiveness. © Springer-Verlag 2012.