Graph-Based Algorithms for Boolean Function Manipulation
IEEE Transactions on Computers
Handbook of theoretical computer science (vol. B)
Handbook of theoretical computer science (vol. B)
A machine program for theorem-proving
Communications of the ACM
Chaff: engineering an efficient SAT solver
Proceedings of the 38th annual Design Automation Conference
Firewall Security: Policies, Testing and Performance Evaluation
COMPSAC '00 24th International Computer Software and Applications Conference
Fang: A Firewall Analysis Engine
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Firewall Design: Consistency, Completeness, and Compactness
ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
Modeling and Verification of IPSec and VPN Security Policies
ICNP '05 Proceedings of the 13TH IEEE International Conference on Network Protocols
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Architecting the Lumeta firewall analyzer
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
A Formal Model for Network-Wide Security Analysis
ECBS '08 Proceedings of the 15th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems
Hi-index | 0.00 |
The use of firewalls to enforce access control policies can result in extremely complex networks. Each individual firewall may have hundreds or thousands of rules, and when combined in a network, they may result in unexpected combined behavior. To mitigate this problem, there has been recent interest in the use of model checking techniques for analyzing the behavior of firewall policy configurations, and reporting anomaltis. Existing techniques for firewall policy analysis are based on decision diagrams, most normally reduced ordered Binary Decision Diagrams (BDDs). BDDs are a rich data structure, supporting more logical operations than just solving boolean formulae. Typically, search algorithms for boolean satisfiabillty (so-called SAT-solvers) outperform BDDs. In this paper, we show that the extra structure provided by BDDs is not necessary for firewall polley analysis, and that SAT solvers are sufficient. This argument is supported both by theoretical analysis and by experimental data.