ally construct the rulesets for the catalogues then populate the Semantic Threat Graphs, and this process is error-prone. The proposed model can also be used for firewall policy query analysis.

Adão et al. [3] propose a declarative policy specification language, and present Mignis (“murus ignis”, Latin for “a wall of fire”), a tool that translates high-level access control specifications into low-level policy configurations for Netfilter. An abstract model of the Netfilter firewall is proposed, and definitions for Network Address Translation and stateful filtering are encoded. The synthesised policies consist of order-independent iptables firewall rules. However, the proposed approach is tightly coupled with Netfilter.

Similar to a shortcoming of query analysis, the policy that can be synthesized using a high-level specification language is limited by the collection of filter condition attributes and rule target actions expressible in the language. Additionally, work in this area in general has been focused on packet-filter firewalls.

2.4 Challenges of Policy Composition

An administrator may develop a firewall policy by specifying independent or related requirements, which then need to be replaced by a single policy that adequately captures the requirements of the individual specifications. However, while the individual specifications may themselves be consistent with the network security policy, their composition may result in a policy that enables unauthorized traversal of the firewall. Mismanagement of composition in a distributed policy architecture may allow an attacker to traverse the network configuration in order to reach their intended target by following direct or indirect paths that exist only as a result of composition.

Gong and Qian [70] considered the problem of secure interoperation in networks of heterogeneous access control systems. A graph-based model is used to represent a secure access control system, whereby nodes are system entities and arcs specify the direction of positive/negative access. System interoperation is defined by composing graphs, and it is shown that the composition of individually secure systems does not necessarily result in a secure system. That is, an unauthorized user may potentially gain access to a resource by following an indirect path across the individually secure but now interoperating access control systems. Gong and Qian show that in the graph-based approach, the optimal elimination of interoperation vulnerabilities occurring as a result of composition/interoperation is NP-complete. Bistarelli et al. [19] consider the problem in [70], and propose

Reasoning About Firewall Policies Through Refinement and Composition

2. Network Access Control and

Policy Management 2.4 Challenges of Policy Composition

a constraint-based model to represent a secure access control system. System reconfiguration for secure interoperation is expressed as a Constraint Satisfaction Problem [97]. The advantage of the constraint-based approach is that trade-offs may be made over the set of all interoperation vulnerabilities that occur as a result of composing the individually secure access control systems, in reasonable time [19].

The cascade vulnerability problem [99] is concerned with secure interoperation in networks of multilevel secure systems. The interconnection may be between systems accredited with different levels of risk, and a cascade vulnerability occurs when confidentiality requirements are threatened, whereby an attacker “can take advantage of network connections to compromise information across a range of security levels that is greater than the accreditation range of any of the component systems he must defeat to do so” [99]. This is similar to the problem of security violation due to indirect paths considered in [70]. Bistarelli et al. [20] propose a constraint-based approach to model, detect and eliminate the cascade vulnerability problem in an arbitrary multilevel secure network. Cascading network paths are detected and removed by breaking a minimum number of system links in polynomial time.
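The indirect-path problem of [70] can be made concrete with a small reachability check. The following is an added illustration, not code from the thesis or from [70]: each system is a set of positive-access arcs, the two systems are composed by union over shared entity names, and a global policy lists (subject, object) pairs that must never become reachable. The brute-force repair search is exponential in the number of arcs, in line with the NP-completeness result quoted above; entity names and the forbidden pairs are constructed for the example.

```python
from collections import deque
from itertools import combinations

def reachable(arcs, start):
    """Nodes reachable from `start` along positive-access arcs (BFS)."""
    adj = {}
    for u, v in arcs:
        adj.setdefault(u, set()).add(v)
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen

def violations(arcs, forbidden):
    """Forbidden (subject, object) pairs that are reachable, directly or
    through an indirect path across other entities."""
    return {(s, o) for s, o in forbidden if o in reachable(arcs, s)}

def compose(*systems):
    """Interoperation: union of arcs; entities with the same name are shared."""
    return set().union(*systems)

def minimal_cut(arcs, forbidden):
    """Smallest set of arcs whose removal eliminates every violation.
    Brute force over arc subsets, so exponential in the number of arcs."""
    ordered = sorted(arcs)            # sorted for a deterministic answer
    for k in range(len(ordered) + 1):
        for cut in combinations(ordered, k):
            if not violations(arcs - set(cut), forbidden):
                return set(cut)
    return set(arcs)

# Constructed sample: two systems that share the entity "proxy".
SYSTEM_A = {("alice", "proxy"), ("proxy", "fileshare")}
SYSTEM_B = {("bob", "proxy"), ("proxy", "db")}
# Constructed global policy: alice must never reach db, bob never fileshare.
FORBIDDEN = {("alice", "db"), ("bob", "fileshare")}

def demo():
    """Each system alone is secure; their composition is not."""
    alone = [violations(s, FORBIDDEN) for s in (SYSTEM_A, SYSTEM_B)]
    composed = compose(SYSTEM_A, SYSTEM_B)
    return alone, violations(composed, FORBIDDEN), minimal_cut(composed, FORBIDDEN)
```

Both violations appear only after composition, and no single arc removal repairs them; the smallest repair removes two arcs.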

Denning [42] reported some of the earliest work on lattice-based models for secure information flow in systems. An information flow policy is concerned with the flow of information between the different security classes in a system, and the information flow policy in [42] consists of the finite set of security classes, a binary ordering between security classes in terms of a “can flow” relation, and a binary class combining (join) operator. Denning demonstrated that under certain axioms, an information flow policy forms a finite lattice structure.

Jacob [77] considered the refinement of systems. It is shown how different refinement relations can be used to capture different kinds of system properties. When one system refines another, it is said to be “no worse with respect to some property of interest” [77], corresponding to one definition of refinement from [7] as “an added development or improvement”. However, in [77], the notion of refinement does not imply that one system is better than another, only that it is no worse.

Foley [56] reinterprets the notion of refinement [77] for refinement of policy. In contrast to [42], an information flow policy is defined as a reflexive relation, whereby details about system entities are encoded along with their security classes. The policy ordering relation captures the property of restrictiveness, and when one policy refines another, the former is said to be “no less restrictive” [56] than the latter. Foley demonstrated that the set of all information flow
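The lattice property of [42] and the restrictiveness ordering of [56] can both be checked mechanically on small policies. The following is an added illustration, not code from the thesis, [42] or [56]: a can-flow relation is closed reflexively and transitively, Denning's lattice condition is tested as a least class plus a join for every pair (a finite join-semilattice with a bottom is a lattice), and refinement is modelled, as an assumption of this example, as inclusion of the entity-level flow relations, so that a refining policy permits no flow the original forbids. The class and entity names are constructed.

```python
from itertools import product

def closure(classes, flows):
    """Reflexive-transitive closure of a can-flow relation (Warshall)."""
    rel = set(flows) | {(c, c) for c in classes}
    for k, i, j in product(classes, repeat=3):
        if (i, k) in rel and (k, j) in rel:
            rel.add((i, j))
    return rel

def join(classes, flows, a, b):
    """Least upper bound of a and b under the can-flow order, or None."""
    uppers = [c for c in classes if (a, c) in flows and (b, c) in flows]
    for u in uppers:
        if all((u, v) in flows for v in uppers):
            return u
    return None

def is_lattice(classes, flows):
    """Denning-style check: antisymmetric can-flow order with a least class
    and a join for every pair of classes."""
    antisym = all(not ((a, b) in flows and (b, a) in flows) for a, b in product(classes, repeat=2) if a != b)
    bottom = any(all((lo, c) in flows for c in classes) for lo in classes)
    joins = all(join(classes, flows, a, b) is not None for a, b in product(classes, repeat=2))
    return antisym and bottom and joins

def entity_policy(entities, flows):
    """Foley-style policy: a reflexive relation over entities, induced here
    by the class assigned to each entity. entities: {name: class}."""
    return {(x, y) for x in entities for y in entities if (entities[x], entities[y]) in flows}

def refines(new, old):
    """`new` refines `old` when it is no less restrictive: it permits no flow
    that `old` forbids (assumption of this example: relation inclusion)."""
    return new <= old

# Constructed sample: a diamond of security classes (low below hr and finance, high on top).
CLASSES = ["low", "hr", "finance", "high"]
DIAMOND = closure(CLASSES, {("low", "hr"), ("low", "finance"), ("hr", "high"), ("finance", "high")})
# Same classes without the top element: hr and finance then have no join.
NO_TOP = closure(CLASSES[:3], {("low", "hr"), ("low", "finance")})

ENTITIES = {"payroll": "finance", "staff_db": "hr", "audit": "high", "notice": "low"}
POLICY = entity_policy(ENTITIES, DIAMOND)
TIGHTER = POLICY - {("payroll", "audit")}      # drops a permitted flow: refines POLICY
LOOSER = POLICY | {("audit", "notice")}        # adds a downward flow: does not refine
```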
