
An Answer Set Programming Approach for Analysing Firewall Policies (Chinese title: 基于答案集程序的防火墙策略分析方法)

Author: 邓文俊

Supervisor: 梁意文

Author information: Wuhan University, Computer Software and Theory, 2010, PhD

Abstract (Chinese): The firewall is one of the most commonly used security products; its purpose is to block external attacks from entering the internal network. When using a firewall, the most important task is to configure the firewall policy correctly. However, the semantics of firewall policies are unclear, which makes configuring them a tedious and error-prone job. Human configuration errors create security risks and leave security holes. To address the unclear semantics of firewall policy configuration, this dissertation proposes firewall policy analysis methods comprising a policy query method, a policy comparison method and a policy verification method. The dissertation identifies two reasons why policies are hard to understand: sensitivity to rule order and the complexity of the deployment environment. To address these, it proposes querying firewall policies with answer set programs. First, answer set programming supports non-monotonic reasoning and can therefore handle rule-order sensitivity; second, answer set programs have strong knowledge-representation power and can describe the environment in which the firewall is deployed. The policy query method represents the firewall policy and the network topology as an answer set program and computes its semantics. The predicates in the semantics are then converted into a relational model and stored in a database for administrators to query. The method can query not only a single firewall policy but also multi-level (hierarchical) firewall policies; not only single-chain policies but also multi-chain policies; and not only a single packet but also the policy as a whole. The dissertation discusses three purposes of comparing firewall policies: detecting consistency, learning, and checking the effect of updates, and poses two comparison problems: comparing single firewall policies and comparing routing paths. The former compares the differences between two or more firewall policies; the latter compares the differences between the access control policies along all routing paths between two network nodes. Building on the policy query method, the policy comparison method adds inference rules for comparing policies and routing paths. With these rules, the comparison method can not only find where policies differ but also locate the rules that cause the difference; and it can not only find where routing paths differ but also list the nodes along each path in order. The relationship between firewall policy and security policy is that of code to design, so the consistency between them is the administrator's foremost concern. The dissertation argues that this problem is essentially one of semantic equivalence: whether the access control semantics produced jointly by the firewall policy and the network topology equal the access control semantics of the security policy. On the basis of the query and comparison methods, the dissertation proposes a policy verification method, which represents the security policy, the firewall policy and the network topology all as answer set programs and, through inference rules, compares the differences between their access control semantics to verify their consistency. Finally, the dissertation summarizes the shortcomings of the analysis methods, the areas that need improvement, and directions for future research.

Abstract: Firewalls are one of the most widely adopted technologies designed to block unauthorized access. The single most important factor in a firewall's security is how its policies are configured. However, configuring firewall policies is a tedious and error-prone job, because the semantics of firewall policies are hard to judge, and any configuration flaw causes security problems. In this paper, I propose three approaches to analyze firewall policies: an approach to query firewall policies, an approach to compare firewall policies and an approach to verify firewall policies.

First of all, I present two reasons why firewall policies are difficult to understand. One is that rules of firewall policies are sensitive to rule order, and the other is that the environment in which firewalls are deployed is complex. For these two reasons, I propose an approach to query firewall policies based on answer set programming (ASP). Firstly, ASP is a non-monotonic logic which can reason about rule order. Secondly, ASP is capable of representing all kinds of knowledge, which means ASP can describe the firewall environment. I represent firewall policies and network topology with answer set programs and compute their semantics. Furthermore, I transform the predicates of the semantics into relational models which can be queried by means of SQL. This approach can query not only a single firewall, but also diverse firewalls; not only a simple chain, but also multiple chains; not only a single packet, but also the overall access control policies.

Secondly, I present three purposes of comparing firewall policies: verifying consistency, learning from experts, and checking policy updates. I then present two comparing problems: the simple firewall policy comparing problem and the routing path comparing problem. The former is to find the differences between the semantics of firewall policies, and the latter is to find the differences between the access control policies of different routing paths from source to destination. In this paper, I propose a comparing approach which is based on the querying approach and adds rules about comparing firewall policies and routing paths to the answer set programs. The approach can not only find differences between the semantics of firewall policies, but also locate the rules which cause the differences; it can not only find the differences between the access control policies of different routing paths, but also list the network nodes in the routing paths.

Thirdly, firewall policies are code compared to security policies, which are designs, so verifying the consistency between them is the problem administrators are most concerned with. In this paper, I point out that the kernel of consistency is the consistency of the access control policies' semantics between firewall policies and security policies. I propose an approach to verify semantic consistency based on the comparing approach. First of all, I use answer set programs to represent security policies, firewall policies and network topology. Then I compute the semantics of both and verify their consistency by comparing those semantics. At last, I summarize the whole dissertation and propose future research directions.
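The following answer set program (clingo syntax) is an added illustration and is not the dissertation's own code: it encodes first-match chain semantics with default negation, which is the non-monotonic step that captures rule-order sensitivity, and adds the comparison step that reports packets decided differently by two policy versions together with the rule on each side that caused the difference. The two policy versions, the sample packets and the implicit default-deny action are all constructed for the example.

```prolog
% Constructed example, not from the dissertation: two versions of one
% firewall chain (policies old and new) and four sample packets.
% rule(Policy, Id, Order, Action, Src, Dst, Proto, DstPort); any = wildcard.
rule(old, r1, 1, deny,  net_a, any,   tcp, 23).
rule(old, r2, 2, allow, net_a, net_b, tcp, any).
rule(old, r3, 3, allow, any,   net_b, tcp, 80).
rule(old, r4, 4, deny,  any,   any,   any, any).
% In the new version r2 was moved above r1, which silently opens telnet.
rule(new, r2, 1, allow, net_a, net_b, tcp, any).
rule(new, r1, 2, deny,  net_a, any,   tcp, 23).
rule(new, r3, 3, allow, any,   net_b, tcp, 80).
rule(new, r4, 4, deny,  any,   any,   any, any).

% packet(Id, Src, Dst, Proto, DstPort): the traffic classes to query.
packet(p1, net_a, net_b, tcp, 23).
packet(p2, net_a, net_b, tcp, 22).
packet(p3, net_c, net_b, tcp, 80).
packet(p4, net_c, net_b, tcp, 443).

policy(Pol) :- rule(Pol,_,_,_,_,_,_,_).

% A rule field matches a packet field when equal or when it is the wildcard.
val(S)  :- packet(_,S,_,_,_).
val(D)  :- packet(_,_,D,_,_).
val(Pr) :- packet(_,_,_,Pr,_).
val(Pt) :- packet(_,_,_,_,Pt).
ok(any,V) :- val(V).
ok(V,V)   :- val(V).
match(Pol,P,R) :- packet(P,S,D,Pr,Pt), rule(Pol,R,_,_,RS,RD,RPr,RPt),
                  ok(RS,S), ok(RD,D), ok(RPr,Pr), ok(RPt,Pt).

% First-match semantics through default negation: a matching rule fires
% only if no earlier rule of the same policy also matches.
shadowed(Pol,P,R) :- match(Pol,P,R), match(Pol,P,R2),
                     rule(Pol,R,O,_,_,_,_,_), rule(Pol,R2,O2,_,_,_,_,_), O2 < O.
fires(Pol,P,R)    :- match(Pol,P,R), not shadowed(Pol,P,R).
decision(Pol,P,A) :- fires(Pol,P,R), rule(Pol,R,_,A,_,_,_,_).
% Assumed implicit default action when no rule matches: deny.
matched(Pol,P)       :- match(Pol,P,_).
decision(Pol,P,deny) :- policy(Pol), packet(P,_,_,_,_), not matched(Pol,P).

% Policy comparison: packets decided differently by the two versions, and
% the rule on each side that produced the decision (the cause of the change).
differs(P,A1,A2) :- decision(old,P,A1), decision(new,P,A2), A1 != A2.
cause(P,R1,R2)   :- differs(P,_,_), fires(old,P,R1), fires(new,P,R2).

#show decision/3.
#show differs/3.
#show cause/3.
```

Run with `clingo` on the file; the single answer set contains `differs(p1,deny,allow)` and `cause(p1,r1,r2)`, showing that moving r2 above r1 changed only the telnet decision, while p2, p3 and p4 are decided the same way by both versions.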

  • Online publication submitter: Wuhan University
  • Online publication year/issue: 2010, issue 10