Knapsack problems: algorithms and computer implementations
Knapsack problems: algorithms and computer implementations
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Modeling and Verification of IPSec and VPN Security Policies
ICNP '05 Proceedings of the 13TH IEEE International Conference on Network Protocols
A scalable approach to attack graph generation
Proceedings of the 13th ACM conference on Computer and communications security
On the Safety and Efficiency of Firewall Policy Deployment
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Specifications of a high-level conflict-free firewall policy language for multi-domain networks
Proceedings of the 12th ACM symposium on Access control models and technologies
Optimal security hardening using multi-objective optimization on attack tree models of networks
Proceedings of the 14th ACM conference on Computer and communications security
Declarative Infrastructure Configuration Synthesis and Debugging
Journal of Network and Systems Management
Sat-solving approaches to context-aware enterprise network security management
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Towards automatic creation of usable security configuration
INFOCOM'10 Proceedings of the 29th conference on Information communications
Objective Risk Evaluation for Automated Security Management
Journal of Network and Systems Management
Conflict classification and analysis of distributed firewall policies
IEEE Journal on Selected Areas in Communications
Hi-index | 0.00 |
Firewalls are the most deployed security devices in computer networks. Nevertheless, designing and configuring distributed firewalls, which include determining access control rules and device placement in the network, is still a significantly complex task as it requires balancing between connectivity requirements and the inherent risk and cost. Formal approaches that allow for investigating distributed firewall configuration space systematically are highly needed to optimize decision support under multiple design constraints. The objective of this paper is to automatically synthesize the implementation of distributed filtering architecture and configuration that will minimize security risk while considering connectivity requirements, user usability and budget constraints. Our automatic synthesis generates not only the complete rule configuration for each firewall to satisfy risk and connectivity constraints, but also the optimal firewall placement in the networks to minimizes spurious traffic. We define fine-grain risk, usability and cost metrics tunable to match business requirements, and formalize the configuration synthesis as an optimization problem. We then show that distributed firewall synthesis is an NP-hard problem and provide heuristic approximation algorithms. We implemented our approach in a tool called FireBlanket that were rigorously evaluated under different network sizes, topologies and budget requirements. Our evaluation study shows that the results obtained by FireBlanket are close to the theoretical lower bound and the performance is scalable with the network size.