A model for specification and validation of security policies in communication networks: the firewall case

A security policy constitutes one of the major actors in the protection of communication networks. For this, and in order to manage the access grants in accordance with the security constraints, a security policy has to be validated before its deployment. Unfortunately, in the literature, there is no well established validation mechanisms ensuring the well founded of such security policies. This paper proposes a validation framework for security policies where: (1) executable specifications are used to build an 'Executable Security Policy, (2) a validation model is proposed to support the validation activity, and (3) a validation of the executable security policy is performed The main contributions provided by this paper concerns the adaptation of some concepts and mechanisms traditionally used in software engineering for validation aims, such as specification, executable specification or reachability graph. All the definitions made in this paper have been proposed in accordance with the firewall case.