Dr. William M. Fitzgerald (B.Sc (Hons), M.Sc, Ph.D.)
Postdoctoral Researcher
Cork Constraint Computation Centre,
Department of Computer Science,
University College Cork,
Cork, Ireland.
Research
Research areas include:
- Systems Security
- Network Access Control
- Firewalls
- Policy Configuration
- Semantic Web
- Ontology Modelling
- Applications of Description Logic and SWRL Rules to Security Configuration
- Formal Modelling
- Router Performance
Ph.D. Title: An Ontology Engineering Approach to Network Access Control Configuration
Ph.D. Abstract:
Network access controls, such as firewalls and VPNs, are intended to reflect the business-level security policies of an enterprise. Running to many thousands of access-control rules, and potentially involving multiple subnets, their configuration is complex and error-prone. This can result in misconfigurations that are not compliant with the business-level security policies, resulting in unapproved access to, or the denial of approved access to, network resources. Avoiding misconfiguration largely depends on the expert knowledge of a security administrator and on drawing upon best practice.
The thesis of this dissertation is that this security knowledge can be modeled in terms of an ontology. This approach enables knowledge related to detailed network access control configurations, business-level security policies, and their relationships, to be represented and reasoned about within a common framework. An advantage of an ontology-based approach is the Open World Assumption, whereby reasoning over an existing security ontology is easily extended to include further security ontologies. OWL-DL ontologies are developed for Linux iptables, TCP-Wrapper and threat-graph based business-level security policies.
Security administrators use firewall query and structural analysis techniques to help avoid misconfiguration. The security ontology permits the entire firewall rule to be used in this analysis, unlike many existing tools, which rely on a firewall model centered around a five-tuple rule of IP addresses, ports and protocols. For example, a structural analysis that considers stateful inspection can detect the presence or absence of shadowing that is not detected by the conventional five-tuple based model. The dissertation explores the effectiveness of ontology-based firewall analysis that considers stateful inspection, TCP flags, and logging actions, in addition to the conventional five-tuple.
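As an added illustration of the shadowing point above (this is example code written for this page, not the dissertation's OWL-DL ontology or any tooling from it), the following Python script runs a structural shadowing check twice over the same constructed iptables-style rule set: once on the conventional five-tuple and once on the whole rule, including the conntrack state match, the --syn flag and the fact that a LOG target is non-terminating. The rule names r1 to r7, the simplified field model and the rules themselves are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Callable, FrozenSet, List, Tuple

# Conntrack states an iptables rule can match with "-m state --state ...".
ALL_STATES = frozenset({"NEW", "ESTABLISHED", "RELATED", "INVALID"})
# LOG returns to the chain after logging, so it can never shadow a later rule.
NON_TERMINATING = {"LOG"}


@dataclass(frozen=True)
class Rule:
    """Simplified iptables rule (constructed model, not a full parser)."""
    name: str
    action: str                                  # ACCEPT, DROP, LOG, ...
    proto: str = "any"                           # -p tcp / udp / icmp, or any
    src: IPv4Network = ip_network("0.0.0.0/0")   # -s
    dst: IPv4Network = ip_network("0.0.0.0/0")   # -d
    dport: Tuple[int, int] = (0, 65535)          # --dport, inclusive range
    states: FrozenSet[str] = ALL_STATES          # -m state --state ...
    syn_only: bool = False                       # --syn (SYN set, ACK/RST/FIN clear)


def five_tuple_covers(a: Rule, b: Rule) -> bool:
    """True if every (src, dst, proto, dport) packet matched by b is also matched by a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    return (proto_ok
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def full_covers(a: Rule, b: Rule) -> bool:
    """Coverage over the whole rule: five-tuple plus conntrack state and TCP flags."""
    return (five_tuple_covers(a, b)
            and b.states <= a.states
            and (not a.syn_only or b.syn_only))


def shadowed(rules: List[Rule],
             covers: Callable[[Rule, Rule], bool]) -> List[Tuple[str, str]]:
    """Return (later, earlier) pairs where an earlier terminating rule covers every
    packet the later rule could match, so the later rule is never reached."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.action in NON_TERMINATING:
                continue                       # LOG does not stop traversal
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed INPUT chain; the iptables line each rule stands for is in the comment.
RULES = [
    # -A INPUT -p tcp --dport 22 -j LOG
    Rule("r1", "LOG", proto="tcp", dport=(22, 22)),
    # -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
    Rule("r2", "ACCEPT", proto="tcp", dport=(22, 22),
         states=frozenset({"ESTABLISHED", "RELATED"})),
    # -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -m state --state NEW -j DROP
    Rule("r3", "DROP", proto="tcp", dport=(22, 22),
         src=ip_network("10.0.0.0/8"), states=frozenset({"NEW"})),
    # -A INPUT -p tcp --dport 80 -j ACCEPT
    Rule("r4", "ACCEPT", proto="tcp", dport=(80, 80)),
    # -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT   (genuinely unreachable)
    Rule("r5", "ACCEPT", proto="tcp", dport=(80, 80), src=ip_network("192.168.1.0/24")),
    # -A INPUT -p tcp --dport 443 --syn -j ACCEPT
    Rule("r6", "ACCEPT", proto="tcp", dport=(443, 443), syn_only=True),
    # -A INPUT -p tcp --dport 443 -j DROP   (still reached by non-SYN segments)
    Rule("r7", "DROP", proto="tcp", dport=(443, 443)),
]


def five_tuple_analysis() -> List[Tuple[str, str]]:
    return shadowed(RULES, five_tuple_covers)


def full_analysis() -> List[Tuple[str, str]]:
    return shadowed(RULES, full_covers)


if __name__ == "__main__":
    print("five-tuple model reports shadowed:", five_tuple_analysis())
    print("whole-rule model reports shadowed: ", full_analysis())
```

Under the five-tuple model r3 and r7 are reported as shadowed by r2 and r6, because state and flag matches are invisible to it; the whole-rule analysis clears both (r3 still sees NEW connections, r7 still sees non-SYN segments) and retains only r5, which r4 genuinely makes unreachable. Note also that r1 is never reported as a shadowing rule by either analysis, since LOG hands the packet back to the chain.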
The approach is evaluated by considering its effectiveness at modelling existing best practice for network access control configuration. Best practice approaches, including PCI-DSS for systems that process credit card information, NIST guidance for secure Web servers and Internet RFCs for anti-bogon filtering, are considered. These are encoded as an ontology of threat-graph based catalogues, which enables firewall configuration recommendations to be generated for given threats.