First step towards automatic correction of firewall policy faults

Authors:
Fei Chen;Alex X. Liu;JeeHyun Hwang;Tao Xie
Affiliations:
Dept. of Computer Science and Engineering, Michigan State University, East Lansing, Michigan;Dept. of Computer Science and Engineering, Michigan State University, East Lansing, Michigan;Dept. of Computer Science, North Carolina State University, Raleigh, North Carolina;Dept. of Computer Science, North Carolina State University, Raleigh, North Carolina
Venue:
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Year:
2010

Citing 14
Cited 1

Dynamic program slicing

PLDI '90 Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation
Isolating cause-effect chains from computer programs

Proceedings of the 10th ACM SIGSOFT symposium on Foundations of software engineering
Fast and Scalable Conflict Detection for Packet Classifiers

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Firewall Security: Policies, Testing and Performance Evaluation

COMPSAC '00 24th International Computer Software and Applications Conference
Specification-Based Testing of Firewalls

PSI '02 Revised Papers from the 4th International Andrei Ershov Memorial Conference on Perspectives of System Informatics: Akademgorodok, Novosibirsk, Russia
A Quantitative Study of Firewall Configuration Errors

Computer
Empirical evaluation of the tarantula automatic fault-localization technique

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Hints on Test Data Selection: Help for the Practicing Programmer

Computer
Assisted firewall policy repair using examples and history

LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Diverse Firewall Design

IEEE Transactions on Parallel and Distributed Systems
Systematic Structural Testing of Firewall Policies

SRDS '08 Proceedings of the 2008 Symposium on Reliable Distributed Systems
Fault Localization for Firewall Policies

SRDS '09 Proceedings of the 2009 28th IEEE International Symposium on Reliable Distributed Systems
Change-impact analysis of firewall policies

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security

First step towards automatic correction of firewall policy faults

ACM Transactions on Autonomous and Adaptive Systems (TAAS)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them are difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem. In this paper, we make three major contributions. First, we propose the first comprehensive fault model for firewall policies including five types of faults. For each type of fault, we present an automatic correction technique. Second, we propose the first systematic approach that employs these five techniques to automatically correct all or part of the misclassified packets of a faulty firewall policy. Third, we conducted extensive experiments to evaluate the effectiveness of our approach. Experimental results show that our approach is effective to correct a faulty firewall policy with three of these types of faults.