Recent years have seen a significant increase in the use of computers and in their ability to communicate with each other. With this has come the need for more security, and firewalls have proved themselves an important piece of the overall architecture, as the body of rules they implement actually realises the security policy of their owners. Unfortunately, there is little help for their administrators in understanding the actual meaning of the firewall rules. This work shows that formal logic is an important tool in this respect, because it is particularly apt at modelling real-world situations and its formalism is conducive to reasoning about such a model. As a consequence, logic may be used to prove properties of the models it represents, and it is a sensible basis for building those models on computers so that such activities can be automated. We describe here a prototype which includes a description of a network and the body of firewall rules applied to its components. We were able to detect a number of anomalies within the rule-set: nonexistent elements (e.g. hosts or services on destination components), redundancies in rules defining the same action for a network and hosts belonging to it, irrelevance, where rules would involve traffic that would not pass through a filtering device, and contradiction in actions applied to elements or to a network and its hosts. The prototype also produces actual firewall rules, generated from the model and expressed in the syntax of IPChains and Cisco's PIX.
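As an added illustration of three of the anomaly classes named in the abstract (nonexistent elements, network/host redundancy, network/host contradiction), here is a small Python checker over a constructed host model and rule list; it is not the paper's logic-based prototype, the addresses, service names and rule names are all constructed, and irrelevance is omitted because it needs the filtering-device topology.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    dst: str      # destination host address or CIDR network
    service: str
    action: str   # "accept" or "deny"

# Constructed network model (hypothetical): which services each known host offers.
KNOWN_HOSTS = {"10.0.1.10": {"http", "ssh"}, "10.0.1.20": {"smtp"}}

# Constructed rule list holding one instance of each anomaly checked below.
SAMPLE_RULES = [
    Rule("r1", "10.0.1.0/24", "http", "accept"),
    Rule("r2", "10.0.1.10", "http", "accept"),   # same action as r1 for a host inside it
    Rule("r3", "10.0.1.20", "smtp", "deny"),     # opposite action to r4 for a host inside it
    Rule("r4", "10.0.1.0/24", "smtp", "accept"),
    Rule("r5", "10.0.1.99", "ssh", "accept"),    # host absent from the model
    Rule("r6", "10.0.1.10", "ftp", "accept"),    # service absent on that host
]

def strictly_contains(wide, narrow):
    # True when `narrow` is a proper sub-network (or single host) of `wide`.
    a, b = ipaddress.ip_network(wide), ipaddress.ip_network(narrow)
    return a.version == b.version and a != b and b.subnet_of(a)

def analyse(rules, hosts=KNOWN_HOSTS):
    # Returns (anomaly, rule, ...) tuples for the rule list against the host model.
    findings = []
    # Nonexistent elements: a host rule whose destination host or service is not modelled.
    for r in rules:
        net = ipaddress.ip_network(r.dst)
        if net.num_addresses != 1:
            continue
        host = str(net.network_address)
        if host not in hosts:
            findings.append(("nonexistent-host", r.name))
        elif r.service not in hosts[host]:
            findings.append(("nonexistent-service", r.name))
    # A host rule inside a network rule for the same service: same action is a
    # redundancy, a different action is a contradiction.
    for wide in rules:
        for narrow in rules:
            if wide.service == narrow.service and strictly_contains(wide.dst, narrow.dst):
                kind = "redundancy" if wide.action == narrow.action else "contradiction"
                findings.append((kind, narrow.name, wide.name))
    return findings
```

`analyse(SAMPLE_RULES)` flags r5 and r6 as nonexistent elements, r2 as redundant with r1, and r3 as contradicting r4.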