Network security policies are essential elements of Internet security devices that provide traffic filtering, integrity, confidentiality, and authentication. Network security perimeter devices such as firewalls, IPSec gateways, and IDS/IPS devices operate based on locally configured policies. However, configuring network security policies remains a complex and error-prone task because of rule-dependency semantics and the interaction between policies across the network, and this complexity is likely to grow as the network size increases. A successful deployment of a network security system therefore requires global analysis of the policy configurations of all network security devices in order to avoid policy conflicts and inconsistency. Policy conflicts may cause serious security breaches and network vulnerabilities, such as blocking legitimate traffic, permitting unwanted traffic, and insecure data transmission. This article presents a comprehensive classification of the security policy conflicts that might potentially exist in a single security device (intrapolicy conflicts) or between different network devices (interpolicy conflicts) in enterprise networks. We also show the high probability of creating such conflicts, even by expert system administrators and network practitioners.