Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
Integrating static analysis and testing for firewall policies
Proceedings of the 24th ACM SIGPLAN conference companion on Object oriented programming systems languages and applications
First step towards automatic correction of firewall policy faults
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Firewall policy change-impact analysis
ACM Transactions on Internet Technology (TOIT)
First step towards automatic correction of firewall policy faults
ACM Transactions on Autonomous and Adaptive Systems (TAAS)
Hi-index | 0.00 |
Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of security policies is important and yet difficult.To help ensure the correctness of a firewall policy, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the policy under test. Considering achieving higher structural coverage effectively, we develop three automated packet generation techniques: the random packet generation, the one based on local constraint solving (considering individual rules locally in a policy), and the most sophisticated one based on global constraint solving (considering multiple rules globally in a policy).We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault detection capability (i.e., detecting more injected faults). Our experimental results show that a reduced packet set (maintaining the same level of structural coverage with the corresponding original packet set) maintains similar fault detection capability with the original set.