Firewalls are the cornerstones of the security infrastructure for most enterprises. They have been widely deployed for protecting private networks. The quality of the protection provided by a firewall directly depends on the quality of its policy (i.e., configuration). Due to the lack of tools for analyzing firewall policies, many firewalls used today have policy errors. A firewall policy error either creates security holes that allow malicious traffic to sneak into a private network, or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. A major cause of policy errors is policy changes. Firewall policies often need to be changed as networks evolve and new threats emerge. Users behind a firewall often ask the firewall administrator to modify rules to allow or protect the operation of some services. In this article, we first present the theory and algorithms for firewall policy change-impact analysis. Our algorithms take as input a firewall policy and a proposed change, and output the accurate impact of the change. Thus, a firewall administrator can verify a proposed change before committing it. We implemented our firewall change-impact analysis algorithms and tested them on both real-life and synthetic firewall policies. The experimental results show that our algorithms are effective in terms of ensuring firewall policy correctness and efficient in terms of computing the impact of policy changes. Thus, our tool can be used in practice in the iterative process of firewall policy design and maintenance. Although the focus of this article is on firewalls, the change-impact analysis algorithms proposed here are not limited to firewalls. Rather, they can be applied to other rule-based systems, such as router access control lists (ACLs), as well.
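The following is an added illustration of what "the accurate impact of a change" means, not the article's own algorithm or code: it models a first-match firewall policy over three integer fields (src, dst, port), cuts each field at every rule boundary so that the decision is constant inside each resulting cell, and reports exactly the cells whose decision flips between the current policy and the proposed one. The field names, domains and the sample rules are constructed for the example.

```python
from itertools import product

FIELDS = ("src", "dst", "port")
DOMAIN = {"src": (0, 255), "dst": (0, 255), "port": (0, 65535)}  # constructed, deliberately small

def make_rule(decision, **ranges):
    """A rule is ({field: (lo, hi)}, decision); unmentioned fields match the whole domain."""
    return ({f: ranges.get(f, DOMAIN[f]) for f in FIELDS}, decision)

def decide(policy, packet, default="deny"):
    """First-match semantics: the first rule whose ranges contain the packet decides."""
    for ranges, decision in policy:
        if all(ranges[f][0] <= packet[f] <= ranges[f][1] for f in FIELDS):
            return decision
    return default

def elementary_intervals(policy, field):
    """Split the field's domain at every rule boundary, so no rule starts or ends
    strictly inside any piece; every rule therefore matches a piece wholly or not at all."""
    lo, hi = DOMAIN[field]
    cuts = {lo, hi + 1}
    for ranges, _ in policy:
        a, b = ranges[field]
        cuts.update((a, b + 1))
    pts = sorted(cuts)
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]

def change_impact(old_policy, new_policy):
    """Return (cell, old decision, new decision) for every grid cell whose decision differs.
    The grid is built from the boundaries of both policies, so one representative point
    per cell gives an exact answer without enumerating individual packets."""
    grid = [elementary_intervals(old_policy + new_policy, f) for f in FIELDS]
    impact = []
    for cell in product(*grid):
        rep = {f: cell[i][0] for i, f in enumerate(FIELDS)}  # any point of the cell works
        before, after = decide(old_policy, rep), decide(new_policy, rep)
        if before != after:
            impact.append((dict(zip(FIELDS, cell)), before, after))
    return impact

# Constructed sample: the administrator proposes widening the source range of rule 1.
OLD = [make_rule("deny", src=(10, 20), port=(22, 22)),
       make_rule("accept", src=(0, 100)),
       make_rule("deny")]
NEW = [make_rule("deny", src=(10, 40), port=(22, 22)),  # proposed change
       make_rule("accept", src=(0, 100)),
       make_rule("deny")]

if __name__ == "__main__":
    for cell, before, after in change_impact(OLD, NEW):
        print(f"{cell}: {before} -> {after}")
```

Running it reports a single flipped cell (src 21..40, any dst, port 22: accept becomes deny), which is the precise set of traffic an administrator would want to see before committing the change.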