Using argumentation logic for firewall configuration management

Authors:
Arosha K. Bandara;Antonis C. Kakas;Emil C. Lupu;Alessandra Russo
Affiliations:
Centre for Research in Computing, Dept. of Computing, The Open University, Milton Keynes, UK;Department of Computing, University of Cyprus, Nicosia, Cyprus;Department of Computing, Imperial College London, London, UK;Department of Computing, Imperial College London, London, UK
Venue:
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
Year:
2009

Citing 16
Cited 1

The acceptability semantics for logic programs

Proceedings of the eleventh international conference on Logic programming
Web security sourcebook

Web security sourcebook
Algorithms for Improving the Dependability of Firewall and Filter Rule Lists

DSN '00 Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)
Filtering postures: local enforcement for global policies

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Fang: A Firewall Analysis Engine

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
A Quantitative Study of Firewall Configuration Errors

Computer
Automatic analysis of firewall and network intrusion detection system configurations

Proceedings of the 2004 ACM workshop on Formal methods in security engineering
Firmato: A novel firewall management toolkit

ACM Transactions on Computer Systems (TOCS)
Dynamic rule-ordering optimization for high-speed firewall filtering

ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A tool for automated iptables firewall analysis

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Architecting the Lumeta firewall analyzer

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
An Automated Framework for Validating Firewall Policy Enforcement

POLICY '07 Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks
Inferring higher level policies from firewall rules

LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Using argumentation logic for firewall policy specification and analysis

DSOM'06 Proceedings of the 17th IFIP/IEEE international conference on Distributed Systems: operations and management
Conflict classification and analysis of distributed firewall policies

IEEE Journal on Selected Areas in Communications

Formal analysis of intrusion detection systems for high speed networks

ISPACT'10 Proceedings of the 9th WSEAS international conference on Advances in e-activities, information security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Firewalls remain the main perimeter security protection for corporate networks. However, network size and complexity make firewall configuration and maintenance notoriously difficult. Tools are needed to analyse firewall configurations for errors, to verify that they correctly implement security requirements and to generate configurations from higher-level requirements. In this paper we extend our previous work on the use of formal argumentation and preference reasoning for firewall policy analysis and develop means to automatically generate firewall policies from higher-level requirements. This permits both analysis and generation to be done within the same framework, thus accommodating a wide variety of scenarios for authoring and maintaining firewall configurations. We validate our approach by applying it to both examples from the literature and real firewall configurations of moderate size (≅ 150 rules).