First step towards automatic correction of firewall policy faults

Authors:
Fei Chen;Alex X. Liu;Jeehyun Hwang;Tao Xie
Affiliations:
Michigan State University, East Lansing, MI;Michigan State University, East Lansing, MI;North Carolina State University, Raleigh, NC;North Carolina State University, Raleigh, NC
Venue:
ACM Transactions on Autonomous and Adaptive Systems (TAAS)
Year:
2012

Citing 16
Cited 0

Isolating cause-effect chains from computer programs

Proceedings of the 10th ACM SIGSOFT symposium on Foundations of software engineering
Fast and Scalable Conflict Detection for Packet Classifiers

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Firewall Security: Policies, Testing and Performance Evaluation

COMPSAC '00 24th International Computer Software and Applications Conference
Specification-Based Testing of Firewalls

PSI '02 Revised Papers from the 4th International Andrei Ershov Memorial Conference on Perspectives of System Informatics: Akademgorodok, Novosibirsk, Russia
A Quantitative Study of Firewall Configuration Errors

Computer
Blowtorch: a framework for firewall test automation

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Hints on Test Data Selection: Help for the Practicing Programmer

Computer
Assisted firewall policy repair using examples and history

LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Diverse Firewall Design

IEEE Transactions on Parallel and Distributed Systems
Systematic Structural Testing of Firewall Policies

SRDS '08 Proceedings of the 2008 Symposium on Reliable Distributed Systems
Fault Localization for Firewall Policies

SRDS '09 Proceedings of the 2009 28th IEEE International Symposium on Reliable Distributed Systems
Automated pseudo-live testing of firewall configuration enforcement

IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
First step towards automatic correction of firewall policy faults

LISA'10 Proceedings of the 24th international conference on Large installation system administration
Efficient fault diagnosis using incremental alarm correlation and active investigation for internet and overlay networks

IEEE Transactions on Network and Service Management
Change-impact analysis of firewall policies

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them are difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem. In this article, we first propose a fault model for firewall policies including five types of faults. For each type of fault, we present an automatic correction technique. Second, we propose the first systematic approach that employs these five techniques to automatically correct all or part of the misclassified packets of a faulty firewall policy. Third, we conducted extensive experiments to evaluate the effectiveness of our approach. Experimental results show that our approach is effective to correct a faulty firewall policy with three of these types of faults.