A Specification Method for Analyzing Fine Grained Network Security Mechanism Configurations

El Khoury Hicham, Laborde Romain, Barrère François, Benzekri Abdelmalek
IRIT, University Paul Sabatier, Toulouse, France
hkhoury@ul.edu.lb, Romain.Laborde@irit.fr, Francois.Barrere@irit.fr, Abdelmalek.Benzekri@irit.fr

Chamoun Maroun
Saint Joseph University, Beirut, Lebanon
maroun.chamoun@usj.edu.lb

Abstract—Networks have largely resisted analysis using formal techniques. Quick evolution, heterogeneity, interdependence between equipment, and many other factors add complexity to this field. Although several approaches have proposed different analysis tools, using them requires experienced and proficient security administrators who can handle all these parameters. The challenge is not to propose a temporary solution but to offer a building block for this large domain, even though no approach can be optimal for all tasks. In previous papers, we proposed a novel formal model of equipment configuration built on a data-flow, attribute-based approach to detect network security conflicts. In this paper, we show that the previously proposed model is not only generic but also microscopic (from a usability perspective), and thus offers a foundation for this wide task. Based on this hypothesis, we define a formal analysis method for network security mechanisms. We then specify our approach in Colored Petri Nets to automate the conflict analysis and test it on a firewall (iptables) scenario.

Keywords—security conflict detection, security configurations, formal specification, Colored Petri Nets.

I. INTRODUCTION

Basically, configuring network equipment consists of writing rules that refer to configuration items. All these rules are jointly responsible for implementing a behavior in terms of a network (security) policy and must guarantee the administrator's (security) objectives. However, each configuration rule also affects the global network security.
If a rule is poorly defined, the global security might be compromised (the principle of the weakest link in the security chain). These configuration rules follow a syntax and an order of configuration that are specific to each type of equipment. Whatever this syntax and this order are, if configuration items are defined but never applied, or used without being defined, or if rules are redundant or contradictory [1], the configuration of the network equipment is inconsistent and may lead to abnormal or unexpected behavior. This is the inconsistency problem.

Network security management is inherently a distributed function that involves the coordination of a set of devices, each device providing its specific capacity and security services. Therefore, it is essential to define new tools for specifying and validating network security policies. To ensure compliance with a security policy, two approaches are generally used for protecting data:

The Top/Down approach, followed by network management practitioners, consists in using different abstraction levels of management information that help administrators refine configurations from objectives. For example, policy-based network management uses this approach to automate the management task [18, 19]. Nevertheless, the refinement process is incomplete and not mastered yet. Proving the correctness and the consistency of a security policy deployment, i.e. the step that transforms a security policy into the devices' configurations, is still a big challenge. Thus, the automation of this type of solution is still theoretical [6].

The Bottom/Up approach, in contrast, consists in analyzing the existing configurations on security devices and deducing the correctness and the consistency of these configurations on the network equipment. This approach is mainly employed when something goes wrong in an existing network and people have to find where the issue is.
This activity requires suitable tools that allow security analysts to understand the global interactions of all the configurations.

Fig. 1. Two network security management approaches

However, experience shows that both approaches are hard to carry out in practice. We are interested in building a formal network security analysis framework (Fig. 1) that provides the right level of abstraction in order to be, at the same time, independent of the security mechanisms and representative of reality. The right level aims at ensuring both confidentiality and integrity of data flows, which can be interpreted as information-flow policies. Some papers provide a partial solution considering only one kind of device, such as firewalls [1] or filtering IPsec gateways [3, 4]. However, we want our theory to be independent from specific security technologies (IPsec, firewalls, etc.).
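The introduction names four symptoms of an inconsistent configuration: items defined but never applied, items used without being defined, and rules that are redundant or contradictory. The following checker, added here as an illustration and not part of the paper or its Colored Petri Net model, runs the Bottom/Up kind of analysis over a constructed iptables-like rule list. The rule format, chain names (`WEB_IN`, `DB_IN`, `TLS_IN`) and the three match fields are assumptions made for the example; a rule is considered shadowed when an earlier rule in the same chain matches a superset of its packets, and shadowing is reported as redundant when both rules have the same target and contradictory otherwise.

```python
"""Added example: consistency checker for a constructed iptables-like rule list.

Flags the four inconsistency classes named in the introduction:
  defined_unused   - a user chain is defined but no rule ever jumps to it
  used_undefined   - a rule jumps to (or lives in) a chain that is not defined
  redundant        - a rule is fully shadowed by an earlier rule with the same target
  contradictory    - a rule is fully shadowed by an earlier rule with another target
The rule format and chain names are assumptions for this example.
"""
from dataclasses import dataclass
import ipaddress

BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}


@dataclass(frozen=True)
class Rule:
    chain: str    # chain the rule belongs to
    proto: str    # "any", "tcp" or "udp"
    src: str      # source network in CIDR notation
    dport: str    # "any" or a destination port as a string
    target: str   # terminal target or name of a user chain


def _field_covers(earlier: str, later: str) -> bool:
    """A scalar match field covers another when it is a wildcard or equal."""
    return earlier == "any" or earlier == later


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matched by `later` is already matched by `earlier`."""
    return (_field_covers(earlier.proto, later.proto)
            and _field_covers(earlier.dport, later.dport)
            and ipaddress.ip_network(earlier.src).supernet_of(
                ipaddress.ip_network(later.src)))


def check_rules(rules, defined_chains):
    """Return (kind, detail) findings; detail is a chain name or a rule index."""
    findings = []
    jumped_to = {r.target for r in rules}

    # Configuration items defined but never applied.
    for chain in sorted(defined_chains - BUILTIN_CHAINS):
        if chain not in jumped_to:
            findings.append(("defined_unused", chain))

    # Configuration items used without being defined.
    for r in rules:
        if r.target not in TERMINAL_TARGETS and r.target not in defined_chains:
            findings.append(("used_undefined", r.target))
        if r.chain not in defined_chains:
            findings.append(("used_undefined", r.chain))

    # Redundant and contradictory rules: first-match semantics, per chain.
    by_chain = {}
    for i, r in enumerate(rules):
        by_chain.setdefault(r.chain, []).append((i, r))
    for indexed in by_chain.values():
        for pos, (i, later) in enumerate(indexed):
            for _, earlier in indexed[:pos]:
                if covers(earlier, later):
                    kind = "redundant" if earlier.target == later.target else "contradictory"
                    findings.append((kind, i))
                    break  # the first shadowing rule is enough to report
    return findings


# Constructed sample configuration (not taken from any real device).
DEFINED_CHAINS = BUILTIN_CHAINS | {"WEB_IN", "DB_IN"}  # DB_IN is never applied
RULES = [
    Rule("INPUT", "tcp", "0.0.0.0/0", "80", "WEB_IN"),       # 0: jump to a defined chain
    Rule("INPUT", "tcp", "10.0.0.0/8", "22", "ACCEPT"),       # 1
    Rule("INPUT", "tcp", "10.1.2.0/24", "22", "ACCEPT"),      # 2: redundant, shadowed by 1
    Rule("INPUT", "any", "192.168.0.0/16", "any", "DROP"),    # 3
    Rule("INPUT", "udp", "192.168.5.0/24", "53", "ACCEPT"),   # 4: contradictory, shadowed by 3
    Rule("INPUT", "tcp", "0.0.0.0/0", "443", "TLS_IN"),       # 5: TLS_IN is not defined
    Rule("WEB_IN", "tcp", "0.0.0.0/0", "80", "ACCEPT"),       # 6
]

if __name__ == "__main__":
    for kind, detail in check_rules(RULES, DEFINED_CHAINS):
        print(f"{kind}: {detail}")
```

The check is deliberately syntactic and device-specific, which is exactly the limitation the paper argues against: it knows nothing about the IPsec gateway or second firewall that the same flow may traverse, so a cross-device conflict stays invisible to it.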