Web security sourcebook
Packet-filtering firewalls are among the most important mechanisms corporations use to enforce their security policy, and recent years have seen a great deal of research on firewall management. Typically, a firewall is configured with a large number of low-level filtering rules written with vendor-specific tools. System administrators start by writing rules that implement the organization's security policy and then add, delete, and reorder rules as requirements change; for example, when a new machine joins the network, rules may be added to enable certain services to and from it. Making such changes to low-level rules is complicated by the fact that the effect of a rule depends on its priority, which is usually determined by its position in the rule set. As the size and complexity of a rule set grow, it becomes difficult to understand the impact of any single rule on the rule set, which makes rule-set management error prone. This is a serious problem, since an error in the firewall configuration means that the intended security policy is not enforced.

Previous research in this area has focused either on tools that generate low-level firewall rules from a given security policy or on finding anomalies in the rules, i.e., verifying that the rules implement the given policy correctly. We propose a technique that works in the opposite direction: inferring the high-level security policy from its low-level representation. The first step of our approach is to generate flattened rules, i.e., rules without priorities, that are equivalent to the given firewall rule set. Removing priorities lets us merge rules that have a similar effect. Our rule-merging algorithm reduces the size and complexity of the rule set significantly by grouping the services, hosts, and protocols present in the rules into various (possibly overlapping) classes.
We have built a prototype implementation of our approach for iptables firewall rules. Our preliminary experiments indicate that the technique infers a security policy at a sufficiently high level of abstraction to make it understandable and debuggable.
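The two steps the abstract describes, flattening an ordered first-match rule set into priority-free rules and then merging those rules into classes of hosts and services, are illustrated below in Python. This is an added example written for this page, not the authors' prototype or its algorithm: the tiny four-host network, the tuple rule syntax standing in for iptables matches, and the grouping order (source class, then destination class, then service class) are all assumptions of the example. It also includes the check a practitioner wants before trusting an inferred policy: that the merged rules decide every packet exactly as the original ordered chain does.

```python
"""Flatten an ordered, first-match rule set into priority-free rules and merge
them into a compact, policy-like form.  Added illustration of the approach the
abstract describes; the rule syntax, toy network, and grouping order are
assumptions of this example, not the paper's implementation."""
from collections import defaultdict
from itertools import product

# Constructed toy domain: four hosts and four services (protocol, port).
HOSTS = ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4")
SERVICES = (("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53))
ANY = None  # wildcard field, like an omitted -s/-d/-p/--dport match in iptables

# Constructed ordered rule set in the spirit of an iptables INPUT chain:
# (src, dst, service, action).  The last rule plays the role of the chain policy.
RULES = [
    ("10.0.0.4", ANY, ANY, "DROP"),              # quarantined host
    (ANY, "10.0.0.1", ("tcp", 80), "ACCEPT"),
    (ANY, "10.0.0.1", ("tcp", 443), "ACCEPT"),
    (ANY, "10.0.0.2", ("tcp", 80), "ACCEPT"),
    (ANY, "10.0.0.2", ("tcp", 443), "ACCEPT"),
    ("10.0.0.3", ANY, ("tcp", 22), "ACCEPT"),    # admin box may ssh anywhere
    (ANY, ANY, ANY, "DROP"),                      # default policy
]


def packets():
    """Every (src, dst, service) triple the toy domain can express."""
    return [(s, d, svc) for s, d, svc in product(HOSTS, HOSTS, SERVICES)]


def matches(rule, pkt):
    src, dst, svc, _ = rule
    return all(f is ANY or f == p for f, p in zip((src, dst, svc), pkt))


def decide_ordered(rules, pkt):
    """First-match semantics of the original chain."""
    for r in rules:
        if matches(r, pkt):
            return r[3]
    raise ValueError("no rule matched; add a policy rule")


def flatten(rules):
    """Priority-free rules: each rule keeps only the packets no earlier rule
    already takes, so the flattened rules are pairwise disjoint and their order
    no longer matters.  A fully shadowed rule flattens to nothing and is dropped."""
    seen, flat = set(), []
    for r in rules:
        own = {p for p in packets() if matches(r, p)} - seen
        if own:
            flat.append((frozenset(own), r[3]))
        seen |= own
    return flat


def merge(flat):
    """Group the packets of each action into classes of hosts and services.
    The grouping order (source class, then destination class, then service
    class) is this example's choice; classes of different merged rules may
    overlap, e.g. the same host can appear in several source classes."""
    by_action = defaultdict(set)
    for pkts, action in flat:
        by_action[action] |= pkts
    merged = []
    for action, pkts in by_action.items():
        src_of = defaultdict(set)           # (dst, svc) -> source class
        for s, d, svc in pkts:
            src_of[(d, svc)].add(s)
        dst_of = defaultdict(set)           # (src class, svc) -> destination class
        for (d, svc), srcs in src_of.items():
            dst_of[(frozenset(srcs), svc)].add(d)
        svc_of = defaultdict(set)           # (src class, dst class) -> service class
        for (srcs, svc), dsts in dst_of.items():
            svc_of[(srcs, frozenset(dsts))].add(svc)
        for (srcs, dsts), svcs in svc_of.items():
            merged.append((srcs, dsts, frozenset(svcs), action))
    return merged


def decide_merged(merged, pkt):
    """Lookup in the priority-free result; exactly one merged rule must apply."""
    s, d, svc = pkt
    hits = {a for srcs, dsts, svcs, a in merged
            if s in srcs and d in dsts and svc in svcs}
    assert len(hits) == 1, "merged rules must partition the packet space"
    return hits.pop()


def equivalent(rules, merged):
    """Check that the inferred policy decides every packet as the chain does."""
    return all(decide_ordered(rules, p) == decide_merged(merged, p)
               for p in packets())


if __name__ == "__main__":
    merged = merge(flatten(RULES))
    for srcs, dsts, svcs, action in sorted(merged, key=lambda m: (m[3], len(m[0]))):
        print(action, sorted(srcs), "->", sorted(dsts), sorted(svcs))
    print("equivalent to original chain:", equivalent(RULES, merged))
```

Run as a script it prints the merged policy; the four ACCEPT rules for the two web servers collapse into one rule (hosts 10.0.0.1 to 10.0.0.3 may reach the web servers on http and https), and the admin ssh rule stays as a second class. The packet-space enumeration is only practical on a toy domain; a real tool represents match sets symbolically (e.g. as address ranges or decision diagrams), but the disjointness and equivalence properties it must preserve are the ones checked here.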