The use of firewalls to enforce access control policies can result in extremely complex networks. Each individual firewall may have hundreds or thousands of rules, and when several firewalls are combined in a network, the result may be unexpected combined behaviour. To mitigate this problem, there has been recent interest in using model checking techniques to analyse the behaviour of firewall policy configurations and report anomalies. Existing techniques for firewall policy analysis are based on decision diagrams, most commonly reduced ordered Binary Decision Diagrams (BDDs). BDDs are a rich data structure, supporting more logical operations than just deciding the satisfiability of Boolean formulae. Typically, however, search algorithms for Boolean satisfiability (so-called SAT solvers) outperform BDDs. In this paper, we show that the extra structure provided by BDDs is not necessary for firewall policy analysis, and that SAT solvers are sufficient. This argument is supported both by theoretical analysis and by experimental data.