An inference system for detecting firewall filtering rules anomalies

Authors:
Tarek Abbes;Adel Bouhoula;Michaël Rusinowitch
Affiliations:
ISECS, Rte Menzel Chaker, Tunisia;SUPCOM, Cité El Ghazala, Tunisia;LORIA/INRIA-Lorraine, Villers-lès-Nancy, France
Venue:
Proceedings of the 2008 ACM symposium on Applied computing
Year:
2008

Citing 10
Cited 1

Internet packet filter management and rectangle geometry

SODA '01 Proceedings of the twelfth annual ACM-SIAM symposium on Discrete algorithms
Fast and Scalable Conflict Detection for Packet Classifiers

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
ACLA: A framework for Access Control List (ACL) Analysis and Optimization

Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security Issues of the New Century
Firewall Design: Consistency, Completeness, and Compactness

ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
A Quantitative Study of Firewall Configuration Errors

Computer
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
On the Safety and Efficiency of Firewall Policy Deployment

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Modeling and Management of Firewall Policies

IEEE Transactions on Network and Service Management
Taxonomy of conflicts in network security policies

IEEE Communications Magazine
Algorithms for packet classification

IEEE Network: The Magazine of Global Internetworking

Symbolic analysis of network security policies using rewrite systems

Proceedings of the 13th international ACM SIGPLAN symposium on Principles and practices of declarative programming

Quantified Score

Hi-index	0.00

Visualization

Abstract

Firewalls are crucial equipments for protecting private networks. However by only deploying firewalls, administrators are far from securing their enterprises networks. Bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicting filtering rules lead to block legitimate traffic or to accept unwanted packets. We present in this paper a new classification method to detect overlaps between packet filters within one firewall. Our method processes a set of filtering rules that have a variable number of fields. A field has a range of values, represented by an interval or a variable length bit string, that may intersect with the corresponding field ranges of other rules. In order to detect overlaps we organize the conditions of each filtering rule in such a way that we can quickly separate non overlapping rules. This strategy allows us to avoid considering the entire rule header in many cases.