Graph-Based Algorithms for Boolean Function Manipulation
IEEE Transactions on Computers
Model checking
Implementing a distributed firewall
Proceedings of the 7th ACM conference on Computer and communications security
Authentication and Confidentiality via IPSEC
ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
A Graph Theoretic Model for Hardware-based Firewalls
ICON '01 Proceedings of the 9th IEEE International Conference on Networks
Filtering postures: local enforcement for global policies
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Fang: A Firewall Analysis Engine
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Architecting the Lumeta firewall analyzer
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
| Hi-index | 0.00 |
Firewalls and network intrusion detection systems (NIDSs) are widely used to secure computer networks. Given a network that deploys multiple firewalls and NIDSs, ensuring that these security components are correctly configured is a challenging problem. Although models have been developed to reason independently about the effectiveness of firewalls and NIDSs, there is no common framework to analyze their interaction. This paper presents an integrated, constraint-based approach for modeling and reasoning about these configurations. Our approach considers the dependencies among the two types of components, and can reason automatically about their combined behavior. We have developed a tool for the specification and verification of networks that include multiple firewalls and NIDSs, based on this approach. This tool can also be used to automatically generate NIDS configurations that are optimal relative to a given cost function.