Firewalls are important elements of enterprise security and have been the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall depends mainly on the quality of its policy (i.e., its configuration). However, because tools for verifying and troubleshooting firewall policies are lacking, most firewalls on the Internet have policy errors. A firewall policy error can either create security holes that allow malicious traffic to sneak into a private network or block legitimate traffic and disrupt normal network operation, either of which can have disastrous consequences. In this paper we propose a firewall verification and troubleshooting tool. Our tool takes as input a firewall policy and a given property, and outputs whether the policy satisfies the property. Furthermore, when a firewall policy does not satisfy the property, our tool outputs which rules cause the verification failure. This gives firewall administrators a basis for fixing the policy errors. Despite the importance of verifying firewall policies and finding troublesome rules, these problems have not been explored in previous work. Because of the complex nature of firewall policies, designing algorithms for such a verification and troubleshooting tool is challenging. In this paper, we designed and implemented a verification and troubleshooting algorithm using decision diagrams, and tested it on both real-life firewall policies and synthetic firewall policies of large sizes. The performance of the algorithm is high enough that it can practically be used in the iterative process of firewall policy design, verification, and maintenance. The firewall policy troubleshooting algorithm proposed in this paper is not limited to firewalls; it can potentially be applied to other rule-based systems as well.
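The verification and troubleshooting problem described in the abstract, as an added worked example that is not the paper's code: a first-match policy and a property are both represented as boxes over packet fields, and the tool reports which rules give some packet in the property's space the wrong decision. The paper uses decision diagrams; this example substitutes plain box subtraction, and the policy, property and field layout are all constructed here.

```python
# Added illustration (not the paper's code): first-match firewall policy
# verification/troubleshooting over packet-space boxes; sample data is constructed.
from typing import List, Optional, Tuple
Interval = Tuple[int, int]       # inclusive [lo, hi]
Box = Tuple[Interval, ...]       # one interval per packet field
Rule = Tuple[Box, str]           # (predicate, decision)

def intersect(a: Box, b: Box) -> Optional[Box]:
    out = tuple((max(x[0], y[0]), min(x[1], y[1])) for x, y in zip(a, b))
    return None if any(lo > hi for lo, hi in out) else out

def subtract(a: Box, b: Box) -> List[Box]:
    """a minus b as disjoint boxes (at most two slabs per field)."""
    inter = intersect(a, b)
    if inter is None:
        return [a]
    pieces, rest = [], list(a)
    for i, ((lo, hi), (ilo, ihi)) in enumerate(zip(a, inter)):
        if lo < ilo:
            pieces.append(tuple(rest[:i] + [(lo, ilo - 1)] + rest[i + 1:]))
        if ihi < hi:
            pieces.append(tuple(rest[:i] + [(ihi + 1, hi)] + rest[i + 1:]))
        rest[i] = (ilo, ihi)     # narrow this field before carving the next
    return pieces

def troubleshoot(policy: List[Rule], prop: Box, expected: str) -> List[int]:
    """Indices of rules that give some packet in `prop` a decision != expected."""
    uncovered, culprits = [prop], []
    for idx, (pred, decision) in enumerate(policy):
        hit = [h for u in uncovered if (h := intersect(u, pred)) is not None]
        if hit and decision != expected:
            culprits.append(idx)
        uncovered = [p for u in uncovered for p in subtract(u, pred)]
        if not uncovered:        # every packet of the property has a decision
            break
    return culprits

def verify(policy: List[Rule], prop: Box, expected: str) -> bool:
    return not troubleshoot(policy, prop, expected)

ANY, TCP, PORTS = (0, 255), (6, 6), (0, 65535)
# Constructed policy; fields are (src host, dst host, dst port, ip proto).
POLICY: List[Rule] = [
    (((10, 10), ANY, (22, 22), TCP), "accept"),   # r0: admin host may ssh out
    ((ANY, (50, 50), (20, 443), TCP), "accept"),  # r1: DMZ server; range too wide
    ((ANY, ANY, (22, 22), ANY), "discard"),       # r2: no other ssh
    ((ANY, ANY, PORTS, ANY), "discard"),          # r3: default deny
]
# Property: hosts other than the admin host must never reach port 22.
NO_SSH = ((11, 255), ANY, (22, 22), ANY)
```

Running `troubleshoot(POLICY, NO_SSH, "discard")` reports rule 1, whose over-wide port range lets non-admin hosts reach port 22 on the DMZ server before the discard rule is consulted; narrowing that range to 80-443 makes the property hold.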