Firewalls are crucial equipment for protecting private networks. However, deploying firewalls alone is far from enough to secure an enterprise network. Bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicting filtering rules can cause legitimate traffic to be blocked or unwanted packets to be accepted. In this paper we present a new classification method to detect overlaps between packet filters within one firewall. Our method processes a set of filtering rules that have a variable number of fields. A field has a range of values, represented by an interval or a variable-length bit string, that may intersect with the corresponding field ranges of other rules. To detect overlaps, we organize the conditions of each filtering rule in such a way that we can quickly separate non-overlapping rules. This strategy allows us to avoid considering the entire rule header in many cases.
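The overlap condition described above, as an added example that is not the paper's classification method: a naive pairwise check that treats a field missing from a rule as a wildcard and stops at the first disjoint field. The rule layout, the function names and the sample rules are assumptions constructed for illustration, as is the convention of calling an overlap a conflict when the two actions differ.

```python
import ipaddress
from itertools import combinations

def to_interval(value):
    """Normalise a field condition to an inclusive (low, high) integer interval."""
    if isinstance(value, tuple):            # explicit range, e.g. ports (0, 1023)
        return value
    net = ipaddress.ip_network(value)       # prefix (bit string), e.g. "10.0.0.0/8"
    return int(net.network_address), int(net.broadcast_address)

def overlaps(rule_a, rule_b):
    """Rules overlap iff every field that both constrain has intersecting ranges.
    A field absent from a rule matches any value (variable number of fields)."""
    shared = rule_a["match"].keys() & rule_b["match"].keys()
    for field in shared:
        lo_a, hi_a = to_interval(rule_a["match"][field])
        lo_b, hi_b = to_interval(rule_b["match"][field])
        if hi_a < lo_b or hi_b < lo_a:
            return False                    # one disjoint field separates the rules
    return True

def find_overlaps(rules):
    """Return (name_a, name_b, conflict) for each overlapping pair, in rule order.
    conflict is True when the actions differ (assumed definition)."""
    found = []
    for a, b in combinations(rules, 2):
        if overlaps(a, b):
            found.append((a["name"], b["name"], a["action"] != b["action"]))
    return found

# Constructed sample rule set, not taken from the paper.
RULES = [
    {"name": "r1", "action": "accept", "match": {"src": "10.0.0.0/8", "dport": (80, 80)}},
    {"name": "r2", "action": "deny",   "match": {"src": "10.1.0.0/16"}},
    {"name": "r3", "action": "deny",   "match": {"src": "192.168.0.0/16", "dport": (0, 1023)}},
    {"name": "r4", "action": "deny",   "match": {"dport": (443, 443)}},
]

if __name__ == "__main__":
    for name_a, name_b, conflict in find_overlaps(RULES):
        print(name_a, name_b, "CONFLICT" if conflict else "overlap, same action")
```

This check compares every pair of rules, which is the cost the abstract's rule organization is meant to reduce.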