Identifying the semantic and textual differences between two versions of a program
PLDI '90 Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation
Internet packet filter management and rectangle geometry
SODA '01 Proceedings of the twelfth annual ACM-SIAM symposium on Discrete algorithms
Fast and Scalable Conflict Detection for Packet Classifiers
ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Firewall Security: Policies, Testing and Performance Evaluation
COMPSAC '00 24th International Computer Software and Applications Conference
Specification-Based Testing of Firewalls
PSI '02 Revised Papers from the 4th International Andrei Ershov Memorial Conference on Perspectives of System Informatics: Akademgorodok, Novosibirsk, Russia
Algorithms for Improving the Dependability of Firewall and Filter Rule Lists
DSN '00 Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)
Filtering postures: local enforcement for global policies
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Fang: A Firewall Analysis Engine
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Algorithms for routing lookups and packet classification
Algorithms for routing lookups and packet classification
CASCON '03 Proceedings of the 2003 conference of the Centre for Advanced Studies on Collaborative research
DSN '04 Proceedings of the 2004 International Conference on Dependable Systems and Networks
Verification and change-impact analysis of access-control policies
Proceedings of the 27th international conference on Software engineering
Blowtorch: a framework for firewall test automation
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Computer Networks: The International Journal of Computer and Telecommunications Networking
Identifying Failure Causes in Java Programs: An Application of Change Impact Analysis
IEEE Transactions on Software Engineering
Architecting the Lumeta firewall analyzer
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Why do internet services fail, and what can be done about it?
USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Complete redundancy detection in firewalls
DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
OPODIS'04 Proceedings of the 8th international conference on Principles of Distributed Systems
TestCom'05 Proceedings of the 17th IFIP TC6/WG 6.1 international conference on Testing of Communicating Systems
Analysis of policy anomalies on distributed network security setups
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
Algorithms for packet classification
IEEE Network: The Magazine of Global Internetworking
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
Safe and efficient strategies for updating firewall policies
TrustBus'10 Proceedings of the 7th international conference on Trust, privacy and security in digital business
First step towards automatic correction of firewall policy faults
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Firewall policy change-impact analysis
ACM Transactions on Internet Technology (TOIT)
SyFi: a systematic approach for estimating stateful firewall performance
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
First step towards automatic correction of firewall policy faults
ACM Transactions on Autonomous and Adaptive Systems (TAAS)
| Hi-index | 0.00 |
Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration). Due to the lack of tools for analyzing firewall policies, most firewalls on the Internet have been plagued with policy errors. A firewall policy error either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. A major source of policy errors stem from policy changes. Firewall policies often need to be changed as networks evolve and new threats emerge. In this paper, we first present the theory and algorithms for firewall policy change-impact analysis. Our algorithms take as input a firewall policy and a proposed change, then output the accurate impact of the change. Thus, a firewall administrator can verify a proposed change before committing it.