A Reconfigurable Approach to Packet Filtering
FPL '01 Proceedings of the 11th International Conference on Field-Programmable Logic and Applications
Simulating Highly Dependable Applications in a Distributed Computing Environment
ANSS '03 Proceedings of the 36th annual symposium on Simulation
A Service Scheduler in a Trustworthy System
ANSS '04 Proceedings of the 37th annual symposium on Simulation
ProgME: towards programmable network measurement
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Detecting and resolving policy misconfigurations in access-control systems
Proceedings of the 13th ACM symposium on Access control models and technologies
Model-Based Development of firewall rule sets: Diagnosing model inconsistencies
Information and Software Technology
Modeling and understanding end-to-end class of service policies in operational networks
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
A formal logic approach to firewall packet filtering analysis and generation
Artificial Intelligence Review
Using argumentation logic for firewall configuration management
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
Automating security configuration and administration: an access control perspective
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Detecting and resolving policy misconfigurations in access-control systems
ACM Transactions on Information and System Security (TISSEC)
ProgME: towards programmable network measurement
IEEE/ACM Transactions on Networking (TON)
Firewall policy change-impact analysis
ACM Transactions on Internet Technology (TOIT)
Complete redundancy detection in firewalls
DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
OPODIS'04 Proceedings of the 8th international conference on Principles of Distributed Systems
Change-impact analysis of firewall policies
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
| Hi-index | 0.01 |
Network firewalls and routers use a rule database to decide which packets will be allowed from one network onto another. By filtering packets, the firewalls and routers can improve security and performance. However, as the size of the rule list increases, it becomes difficult to maintain and validate the rules, and lookup latency may increase significantly. Both these factors tend to limit the ability of firewall systems to protect networks. This paper presents a new technique for representing rule databases. This representation -- based on ordered binary decision diagrams - can be used in two ways: faster lookup algorithms can allow larger rule sets to be used without sacrificing performance; and algorithms for validating rule sets and changes to rule sets can be used. Overall dependability of the system is improved by allowing larger and more sophisticated rule sets, and by having greater confidence in the rule sets' correctness.